@yuriy77k
Forked from MrCrambo/LuckyStrike.md
Created November 26, 2018 07:51

Summary

This is the report from a security audit performed on LuckyStrike by MrCrambo.

The audit focused primarily on the security of LuckyStrike smart contracts.

In scope

  1. https://gist.github.com/yuriy77k/8111757d30637066b3b4bdb60b3525d0
  2. https://gist.github.com/yuriy77k/2d80694c23b89c543e832715b0b89305

Findings

In total, 5 issues were reported, including:

  • 1 high severity issue.

  • 1 medium severity issue.

  • 3 low severity issues.

Security issues

1. Wrong require

Severity: high

Description

After each investment, the team address will get 25% of the tokens as a bonus. It is also possible that the team will get more tokens than the investor gets. Line 338.

2. Wrong require

Severity: medium

Description

In function withdrawAllByOwner there should be a check that msg.sender is the owner, but the check is that msg.sender is the team.

Recommendation

Add the correct check.

3. Zero address checking required

Severity: low

Description

No zero address check in the functions transferFrom and init.

Recommendation

Add a zero address check:

require(to != address(0));
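The following contract is an added illustration of the fixes for issues 2 and 3; it is not the audited LuckyStrike code. The names owner, team, init and withdrawAllByOwner follow the report, but the signatures and storage layout are assumptions, and it is written against Solidity ^0.8.0 (checked arithmetic) rather than whatever compiler the audited contracts used. It shows the access guard that withdrawAllByOwner must use and the zero address checks that transferFrom and init are missing.

```solidity
pragma solidity ^0.8.0;

// Added example (not the audited contract): correct owner check for
// withdrawAllByOwner (issue 2) and zero address checks in init and
// transferFrom (issue 3).
contract AccessAndZeroAddressChecks {
    address public owner;
    address public team;
    bool public initialized;

    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    event Transfer(address indexed from, address indexed to, uint256 value);
    event Withdrawn(address indexed to, uint256 amount);

    // Issue 2: the guard names the owner, not the team. The audited code
    // effectively had  require(msg.sender == team);  here.
    modifier onlyOwner() {
        require(msg.sender == owner, "caller is not the owner");
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    // Hypothetical init(): the real signature is not on the page. Both
    // addresses are validated so that ownership and the team bonus can
    // never be assigned to address(0), which would lock the contract.
    function init(address _owner, address _team) external onlyOwner {
        require(!initialized, "already initialized");
        require(_owner != address(0), "owner is the zero address");
        require(_team != address(0), "team is the zero address");
        owner = _owner;
        team = _team;
        initialized = true;
    }

    // Assumed to withdraw the contract's ether balance to the owner.
    function withdrawAllByOwner() external onlyOwner {
        uint256 amount = address(this).balance;
        emit Withdrawn(owner, amount);
        payable(owner).transfer(amount);
    }

    // Issue 3: a transfer to address(0) silently destroys tokens without a
    // Burn event or accounting, so it is refused up front.
    function transferFrom(address from, address to, uint256 value) external returns (bool) {
        require(to != address(0), "transfer to the zero address");
        uint256 allowed = allowance[from][msg.sender];
        require(allowed >= value, "allowance exceeded");
        require(balanceOf[from] >= value, "insufficient balance");
        allowance[from][msg.sender] = allowed - value;
        balanceOf[from] -= value;
        balanceOf[to] += value;
        emit Transfer(from, to, value);
        return true;
    }

    receive() external payable {}
}
```

With the modifier in place, a call to withdrawAllByOwner from the team address reverts, and init can no longer leave owner or team unset.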

4. Known vulnerabilities of ERC-20 token

Severity: low

Description

  1. A double withdrawal attack is possible. More details here
  2. Lack of a transaction handling mechanism. More details here
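The double withdrawal attack in point 1 is the ERC-20 approve race: when an allowance is changed from a non-zero value N to M, a spender who sees the pending transaction can front-run it, spend N, and then spend M as well. The contract below is an added example, not the audited code, written against Solidity ^0.8.0; the names increaseAllowance and decreaseAllowance follow the common mitigation pattern and the rest is assumed. It keeps approve for compatibility but forces the allowance through zero, and offers relative updates that have no race.

```solidity
pragma solidity ^0.8.0;

// Added example (not the audited contract): allowance handling that closes
// the approve front-running ("double withdrawal") race.
contract SafeAllowance {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    event Approval(address indexed owner, address indexed spender, uint256 value);

    constructor() {
        balanceOf[msg.sender] = 1_000_000; // constructed sample supply
    }

    // Standard approve, but a non-zero allowance may only be replaced after
    // it has been reset to zero. A spender can then at most consume the old
    // value before the reset, never old + new.
    function approve(address spender, uint256 value) external returns (bool) {
        require(spender != address(0), "approve to the zero address");
        require(
            value == 0 || allowance[msg.sender][spender] == 0,
            "reset allowance to 0 before setting a new value"
        );
        allowance[msg.sender][spender] = value;
        emit Approval(msg.sender, spender, value);
        return true;
    }

    // Relative change: whatever the spender does in between, the owner ends
    // up having granted exactly the intended total. Overflow reverts in 0.8.
    function increaseAllowance(address spender, uint256 added) external returns (bool) {
        require(spender != address(0), "approve to the zero address");
        uint256 updated = allowance[msg.sender][spender] + added;
        allowance[msg.sender][spender] = updated;
        emit Approval(msg.sender, spender, updated);
        return true;
    }

    // Relative decrease; refuses to go below zero instead of wrapping.
    function decreaseAllowance(address spender, uint256 subtracted) external returns (bool) {
        uint256 current = allowance[msg.sender][spender];
        require(current >= subtracted, "decreased allowance below zero");
        uint256 updated = current - subtracted;
        allowance[msg.sender][spender] = updated;
        emit Approval(msg.sender, spender, updated);
        return true;
    }
}
```

Consumers of the allowance (transferFrom) are unchanged; the protection lies entirely in how the owner is allowed to set it.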

5. Wrong event names

Severity: low

Description

Event names should start with an uppercase letter, but they start with a lowercase letter. Lines 1415, 1454, etc.

Conclusion

The smart contracts have a high severity issue, which should be fixed.
