This is the report from a security audit performed on FCK by gorbunovperm.
FCK is a decentralized game platform based on the blockchain technology, with fairness, equality, transparency, openness and complete anonymousness.
Description of the contract: https://dice2.win/faq
Commit hash: a7fd48b135db2f4828cbc8e5e694b4a9627cd323
In total, 4 issues were reported including:
-
2 high severity issue.
-
1 medium severity issues.
-
1 low severity issues.
-
0 minor observations.
Owner can close contract at any moment and withdraw all funds including jackpot.
The owner controls the croupier and he may know the secret number because the number is generated in the backend and backend is fully controlled by the owner. The owner can play the lottery and make himself a winner and also win a jackpot.
A player's bet comes into the contract at the same time as a random number. In this case it is possible to generate the number(on fronted for example ) after the bet made. Possible manipulation of the lottery result from the owner.
Commits of random numbers should comes to contract before bets. For example, you can store an array of commits in storage. And after making a bet, use the first available commit.
The bet will not be played if the croupier does not call settleBet
function within an hour(250 blocks) of betting. The croupier is a server-side mechanism. And if there are problems with the server - the work of the dealer will stop. Players can lose their bets.
Also, this restriction can be used by the contract owner maliciously, for example, when the user can win the jackpot or makes a very large bet and it can become a winning one.
There are some serious vulnerabilities were discovered in this contract.