This is the report of a security audit performed on Lucky Strike V2 by MrCrambo.
The audit focused primarily on the security of the Lucky Strike V2 smart contracts. The audited sources:
- https://gist.github.com/yuriy77k/0dd00c458d10ecc40dc553eafe4c7a18
- https://gist.github.com/yuriy77k/769fc987f0e7680c70255ff999aa2945
In total, 7 issues were reported, including:
- 0 critical severity issues.
- 0 high severity issues.
- 2 medium severity issues.
- 5 low severity issues.
1. Missing zero address check
In both init functions there is no zero address check for luckyStrikeContractAddress, so the contracts can be initialised with an address that can never be used. Add a zero address check:
require(luckyStrikeContractAddress != address(0));
2. TODO comments
There are TODO comments left in the code:
- https://gist.github.com/yuriy77k/0dd00c458d10ecc40dc553eafe4c7a18#file-luckystriketokens_v2-sol-L138
- https://gist.github.com/yuriy77k/0dd00c458d10ecc40dc553eafe4c7a18#file-luckystriketokens_v2-sol-L145
- https://gist.github.com/yuriy77k/769fc987f0e7680c70255ff999aa2945#file-luckystrike_v2-sol-L1401
- https://gist.github.com/yuriy77k/769fc987f0e7680c70255ff999aa2945#file-luckystrike_v2-sol-L1525
3. Wrong check and wrong recipient in withdrawAllByOwner
In function withdrawAllByOwner the access check is wrong and the balance is sent to the wrong address. As the function name says, only the owner should be able to withdraw this balance, but it is the team address that is checked and that receives the funds. Change the check to the right one:
require(msg.sender == owner);
and send the balance to owner.
4. ERC20 compliance
- A double withdrawal attack is possible (the known approve/transferFrom race). More details here.
- Lack of transaction handling mechanism issue: tokens transferred to the token contract itself are locked there. More details here.
To prevent tokens from being sent to the contract address, add the following code into the function transfer(address _to, ... ):
require( _to != address(this) );
5. Minting above hardCap
In function mint it is possible to mint more than hardCap; the total supply after minting is not checked against the cap.
6. Empty payable function transferDividends
Function transferDividends is empty and payable, so any ether sent with a call to it is accepted and kept by the contract: users can lose their money by calling this function.
7. Ether lost on amounts that are not a multiple of ticketPriceInWei
If the amount of ether sent to the contract through invest, investAndPlay or placeABet is lower than ticketPriceInWei, or is not an exact multiple of ticketPriceInWei, the ether or part of it is lost by the user: msg.value is divided directly by ticketPriceInWei, so a value below ticketPriceInWei buys neither a ticket to play nor a token as investment, and the remainder of a non-multiple is kept by the contract without anything in return.
The smart contracts contain only medium and low severity issues.