Closed craz3049 closed 6 years ago
Auditing time 1 day.
@yuriy77k assigned.
Auditing time: 1 day
@MrCrambo assigned
Auditing time: 2 days
@dieselc assigned.
Auditing time: 2 days
@rhyzome assigned.
Auditing time: 1 day
Auditing time 1 day.
Estimated auditing time is 1 day.
@RideSolo @alexo18 @gorbunovperm assigned.
@Dexaran My report is complete.
@gorbunovperm @yuriy77k @MrCrambo @dieselc @RideSolo @rhyzome @alexo18
I will ask you to send an email with the following information to dexaran@callisto.network:
I will reveal reports in 3 days or as soon as I receive this information from each participant.
Revealing audit reports:
https://gist.github.com/alexo18/e804cf89a1eb39dc60928e24a771d99c
https://gist.github.com/yuriy77k/e52201c4552b2b76cc70379c730d1e37
https://gist.github.com/RideSolo/8faa6fc13f5f659d78970829aaf0116f
https://gist.github.com/gorbunovperm/5460648066ef74676ae34a077a7ab6af
https://gist.github.com/dieselc/708393afeab17227d1a8584ab14b54c3
https://gist.github.com/MrCrambo/3f9b202aedc23a94bb91a0037488d976
The ETC dice game contract has critical issues. Therefore, deployment is prohibited and the contract should not be used. It is necessary to fix the contract.
Critical issues:
if condition at FlipCoin() function. #L24
Medium severity issues:
owner variable
@alexo18
Notes regarding the https://gist.github.com/alexo18/e804cf89a1eb39dc60928e24a771d99c report.
minor observation/not a security issue severity should be assigned.
The reported issues can not directly hurt the dice-game smart-contract. The dice-game smart-contract can satisfy the main goal and could be used for dice-game contract after completion aforementioned bugs list.
Contract can not satisfy the main goal since the results could be manipulated.
Your application for junior security auditor is approved. However, I strongly recommend that you review other audit reports and study the programming of contracts more thoroughly.
@yuriy77k
Notes regarding the https://gist.github.com/yuriy77k/e52201c4552b2b76cc70379c730d1e37 report.
Your audit report is fine.
One note about the conclusion:
One critical vulnerability was detected.
It is highly recommended to complete a bug bounty before use.
There is no need to run a bug bounty for a contract which has a critical vulnerability. Bugfixing is necessary.
Your application for medium security auditor is approved.
@RideSolo
Notes regarding the https://gist.github.com/RideSolo/8faa6fc13f5f659d78970829aaf0116f report.
Result precomputation makes sense. However, this is an issue of block.timestamp usage. A block timestamp can not serve as a source of entropy for a true random number generator.
Timestamp manipulation can directly harm the results of the game. It is better to assign it high severity.
Your application for medium security auditor position is approved.
@gorbunovperm
Notes regarding the https://gist.github.com/gorbunovperm/5460648066ef74676ae34a077a7ab6af report.
medium severity.
Your application for junior security auditor is approved.
@dieselc
Notes regarding the https://gist.github.com/dieselc/708393afeab17227d1a8584ab14b54c3 report.
Transaction Ordering Dependence - definitely, this issue makes sense, but it is not directly related to this smart-contract. It is more of a protocol-level issue.
#L24 condition can directly harm a player. Therefore, it is better to assign it medium or high severity.
Your application is approved. You will be assigned the role of a medium security auditor.
@MrCrambo
Notes regarding the https://gist.github.com/MrCrambo/3f9b202aedc23a94bb91a0037488d976 report.
It is better to describe issues separately. For example Old solidity version and not actual suicide function should be divided into "Old solidity version" (minor) and "No actual suicide function" (low) issues.
This recommendation is apparently copied from the previous item. selfdestruct opcode implementation can not solve the CoinFlip function.
Your application is approved. You will be assigned the role of a medium security auditor.
minor observation/not a security issue severity.
Audit request
Basically, we seek to develop traditional casino games by implementing decentralization using the Ethereum Classic blockchain. In the future we will seek to improve the use and interaction of contracts.
Source code
https://github.com/craz3049/etc-dice-game
Disclosure policy
rafa940325@gmail.com
Platform
was deployed on ethereum classic