This document is a security audit report performed by RideSolo, in which LuckyStrike has been reviewed.
- LuckyStrikeTokens_v2.sol github gist 0dd00c458d10ecc40dc553eafe4c7a18.
- LuckyStrike_v2.sol github gist 769fc987f0e7680c70255ff999aa2945.
7 issues were reported:
- 1 high severity issue
- 3 medium severity issues
- 2 low severity issues
- 1 minor severity issue
Following its name, the `takeDividends` function suggests that dividends are computed for every investor and can be withdrawn by them; by definition, dividends are a sum of money paid regularly by the contract to its token holders out of the profit made by the game contract.
- However, the function is a sell function where tokens are sold against ether, and there are no dividends to be taken from the game contract income, or at least only a small part. Investors are at risk and can be deceived.
- Also, adding the initial token distribution: 70 million tokens are initially distributed to four different addresses, reducing the internal token sell price for investors since there are already 70M tokens not backed by ether in circulation.
Please note that the game contract income is sent to the token contract through this function.
- Once the `hardCap` or `salePeriod` is reached, the sale will be closed and all token minting will stop; therefore, if everyone sells their tokens, which is a possible case, only `withdrawAllByOwner` will be able to withdraw all the game contract income, meaning that the contract owners will get all the game contract returns.
- If `hardCap` is set low enough compared to the 70M tokens distributed initially, the contract owners or the four addresses first set by the owner will be guaranteed a minimum return percentage. Following the actual contract, the production hard cap will be equal to 4500 ether and the token price will be 0.00015 ether, meaning that only 30M tokens will be sold, which will guarantee 70% of the contract returns to the four addresses set by the owner.
https://gist.github.com/yuriy77k/0dd00c458d10ecc40dc553eafe4c7a18#file-luckystriketokens_v2-sol-L188
As described previously here, and even though, as explained by the developers, the remaining ether is not sent back because of gas optimization, the issue is still applicable.
The ticket price is set to be equal to 0.02 ether:
uint256 public ticketPriceInWei = 20000000000000000; // 0.02 ETH
equivalent to 2.7702 USD at the moment of writing. Knowing that a transfer function consumes 2100 gas and supposing the gas price to be set to 20 gwei, the amount to be saved will be 0.00000276 USD at the moment of writing. The described issue exposes any user to a loss of an amount lower than 2.7702 USD; the optimization is not worth the risk since 2.7702 >> 0.00000276.
Please note that the truncated ether will be lost in the contract itself.
https://gist.github.com/yuriy77k/769fc987f0e7680c70255ff999aa2945#file-luckystrike_v2-sol-L1404
https://gist.github.com/yuriy77k/769fc987f0e7680c70255ff999aa2945#file-luckystrike_v2-sol-L1733
The Lucky Strike token decimals value is equal to zero, which means that no value after the decimal point is saved. As a similar issue to 3.2, when computing the tokens to mint for an investor, a fifth of the value sent when calling the `investAndPlay` function is used to compute the investment and the other part is used to buy tickets; the fifth of the value is divided by `tokenPriceInWei`, meaning that any value that is not a multiple of `tokenPriceInWei` will be truncated and the remaining value given to the marketing fund without compensation.
- Knowing that the token price in USD at the moment of writing is 0.0207, the described issue will expose any user to a loss of value lower than 0.0207 USD, and, as described before, the gas optimization is not worth it.
- Since 1/5 of the value sent through `investAndPlay` is used to buy tokens and 4/5 is used to place a bet, there will be a smaller part of ether that will be lost in the contract or taken without giving a token, or a fraction of it, to back the full investment, since `0.00015 * 5 != n tokenPriceInWei + ticketPriceInWei`.
- The cumulative value of issues 3.2 and 3.3 can be significant.
https://gist.github.com/yuriy77k/769fc987f0e7680c70255ff999aa2945#file-luckystrike_v2-sol-L1782
https://gist.github.com/yuriy77k/769fc987f0e7680c70255ff999aa2945#file-luckystrike_v2-sol-L1797
The `adjustAllocation` function, a member of `LuckyStrike`, allows the owner to reset the rates of the different jackpots and the income rate; combined with issue 3.1, the risk for investors is clear.
The ether sent through `init`, a member of the `LuckyStrike` game contract, will be lost in the contract since it is not placed in the `sum` array in any way.
Depending on the amount to be sent, the severity can vary from low to medium.
https://gist.github.com/yuriy77k/769fc987f0e7680c70255ff999aa2945#file-luckystrike_v2-sol-L1499
https://gist.github.com/yuriy77k/769fc987f0e7680c70255ff999aa2945#file-luckystrike_v2-sol-L1506
Once the bet is placed, users cannot wait more than 256 blocks to play it, otherwise the blockhash used as seed will be zero; however, the maximum number of blocks allowed since the last bet is set to 250, which reduces the playing time of the users by 6 blocks. This logic penalizes the users with no direct reason.
https://gist.github.com/yuriy77k/769fc987f0e7680c70255ff999aa2945#file-luckystrike_v2-sol-L1906
The condition should be changed to be less than 256.
- A double withdrawal attack is possible. More details here
- Lack of transaction handling mechanism issue. WARNING! This is a very common issue and it has already caused millions of dollars in losses for lots of token users! More details here
Add the following code to the `transfer(_to address, ...)` function:
require( _to != address(this) );
The audited contracts are highly unsafe for investors; all the highlighted issues should be fixed before deployment.