MrCrambo
commented
5 years ago Auditing time 2 days
Closed carlossampol closed 5 years ago
MrCrambo
commented
5 years ago Auditing time 2 days
yuriy77k
commented
5 years ago @MrCrambo assigned
danbogd
commented
5 years ago Auditing time: 3 days.
yuriy77k
commented
5 years ago @danbogd assigned
MrCrambo
commented
5 years ago My report is finished
danbogd
commented
5 years ago My report is finished.
gorbunovperm
commented
5 years ago Estimated auditing time is 2 days.
yuriy77k
commented
5 years ago @gorbunovperm assigned
gorbunovperm
commented
5 years ago My report is finished.
yuriy77k
commented
5 years ago The contract contains high and critical severity security issues. The developer informed about it.
yuriy77k
commented
5 years ago Roulette.tech smart contract security audit report performed by Callisto Security Audit Department
A smart contract of Roulette game deployed on Callisto network. User can place multi bet at the same time, the maximum unique bets per time is 64 and maximum 64 credit on one bet. By default, each credit is 20 CLO. If user places under 200 CLO then they have a chance to win Jackpot. The system will deduct 1% value for jackpot
Commit hash: c63e338983878924c266e54d07412d3be3842aff
In total, 2 issues were reported including:
1 Critical severity issues.
1 high severity issue.
The calculation of a random number to determine the fallen number on the roulette depends on: bet block hash, player address, hash of block before the settle block. Settle block is the block when the owner(or operator) has called the settleBet(uint256) function. Thus, the owner knows all the variables and can influence the result of the draw by calling the function in the block which will lead to the player's loss.
Don't use blockhash(settleBlock - 1) variable to calculate a random number.
An attacker may not pay for losing bets. Two possibilities of the contract allow to do it: refund of unsettled bets and using the transfer function upon payment of the winnings to the winner. Let's look at an example of a possible attack.
The attacker makes the following bets: 0, red, black. He spends 3 Сredit(3 * 20 = 60 CLO) for this.
This way covers all the variants of the number drawn on the roulette. That is, the attacker in any case will receive a prize. If red or black number appears on the roulette wheel, the attacker will get x2 (40 CLO). If zero appears then an attacker will get x36 (720 CLO). In both cases an attacker will get a reward by transfer function. The peculiarity of this function is that in the case of throw on the recipient's side the entire transaction will be rollback. throw can be done intentionally by an attacker, if the recipient is another smart contract. Thus, if the attacker receives a payment of 40 CLO(black or red bet), he can cancel it and the owner will not be able to make this draw. And after 256 blocks after the bet, he will be able to request a refund. Thus, in case of loss, the attacker will not lose anything, and in case of winning will receive a x12 win — 60 CLO spend and get 720 CLO.
Also, the attacker can increase the probability and reduce the gain, such as a bet:
Use send method instead a transfer.
The audited smart contract must not be deployed. Reported issues must be fixed prior to the usage of this contract.
https://gist.github.com/yuriy77k/b559cc63f98c146e6815c3695d72b8fd
https://gist.github.com/yuriy77k/85713086fdbe6de2b392a8e152729f53
https://gist.github.com/yuriy77k/f5d40a9bb9c74707f8ed352d03db7f5b
Audit request
A smartcontract of Roulette game deployed on Callisto network. User can place multi bet at the same time, the maximum unique bets per time is 64 and maximum 64 credit on one bet. By default, each credit is 20 CLO. If user places under 200 CLO then they have a chance to win Jackpot. The system will deduct 1% value for jackpot
Source code
https://github.com/smartgametech/callistoroulette/tree/master/contract
Disclosure policy
Yes, please public the report so people can trust the application. Please send to roulette.tech@gmail.com if there is any issue.
Platform
Callisto Network
Number of lines:
492