Rating
Summary
This smart contract has been reviewed by George Stamp. This is a gambling game made into a smart contract. Players can bet on a bullish or bearish price action on BNB's USDT price, and winners get a share of the total amount deposited proportional to what they have deposited. Losers lose their funds that are made available for withdrawal by the owner / the house.
George Stamp did not find any vulnerability, but the contract has many owner privilege functions that may or may not be considered threats knowing that this is not a contract made for investments or staking.
This is a side project for automatedusdt.capital
Contract Details
Blockchain: BNB Smart Chain.
Application type: gambling game.
Currency: BNB coin.
Minimum bet (modifiable by owner): 0.001 BNB.
Maximum bet (modifiable by owner): 0.5 BNB.
Rounds:
- can only play once per round,
- locks after 300 seconds,
- closes after 600 seconds: a new round may then be triggered by the owner,
- owner must execute n-2 epoch to reward,
- a minimum of 90% of the reward may be rewarded to users,
- a losing position receives nothing, the lost funds goes to the owner / the house,
- player can claim refund if the round has not closed while it should be for at least 30 seconds,
- a round canceled by the owner can be eligible for refunds, it is up to the owner’s wish.
The house wins if both bull & bear loses, or if the difference between bull / bears are too great. If the later event happens, the house can either do nothing and let players refund themselves or the owner can take the funds for themselves. It’s a casino after all.
It is up to the owner to execute a round which will start the new round if all conditions are met. Even then the owner has external functions to do so.
Function signatures: https://pastebin.com/X9i68FcF
Backdoors
As this is not a decentralization application with staking features but a gambling game, the following backdoors are not as impactful as they should be.
Due to its nature, users are aware of the financial loss risks anyway.
Centralized & traditional casino games are no better, except anyone from anywhere in the world can interact with it here.
Owner / the house can enter in position with no limit, no penalty and no funds spent.
Price is arbitrarily defined by the owner, therefore the owner has the possibility to cheat on prices to make the house win.
The owner / the house can change its position at will during a round.
Owner can drain all liquidity at all times. But this is the only way for the owner to collect profits from losers. This allows the owner to steal from active rounds. But this is not a stake contract so the impact is limited.
Other backdoors found are irrelevant since the owner has full control of the contract balance anyway.
However, we did not find any vulnerability that gives unwanted privileges to non owner wallets.
Owner Privileges
SetOperator - changes operator address.
SetDev - changes developer address.
SetMkt - changes marketing address.
SetRoundBufferAndInterval - modifies duration of a round and the additional time for a round to be refundable.
SetHousePlayMinRation - modifies bear / bull ratio for the round to be considered as lost to the house, from 0 excluded to 100 excluded.
SetRewardRate - changes fees from 0% to 10%.
SetMinPlayAmount - changes the minimum BNB required to bet.
SetMaxPlayAmount - changes the maximum BNB required to bet.
FundsInject - injects funds into the contract balance.
FundsExtract - takes from the contract balance, split between developer & marketing addresses.
RewardUser - takes from the contract balance to any wallet.
ChangePriceSource - changes price source for external views.
HousePlay - play from the contract itself.
Pause - makes a few functions unusable as long as they are paused: RoundStart, RoundLock, Execute, user_PlayBull, user_PlayBear.
Unpause - makes the above functions usable again.
RoundStart - starts a new round.
RoundLock - locks the current round with a given delta on price.
Execute - executes n - 2 rounds, to allocate rewards given a delta on price, start a new round and play as the house.
RoundCancel - Cancels a round. Owner can use it to cancel a round and make it refundable.
Fees
Claim fees: 6% (modifiable by owner from 0 to 10%).
Complexity
This is a complex and very well built smart contract, even though it has centralization risks it was very well done:
safeTransferBNB is vulnerable to reentrancy attacks up to 23000 wei, however the developer masterfully used it so a reentrancy attack would not have any impact to the contract’s state, but instead can add interesting interactions with contracts making use of the callback, like monitoring rewards. Developers should not use call{} to transfer ether unless they know what they do, and this developer does know.
Team Trust
Team is known and is behind Automated USDT Capital, they claim to send some profits from the house to Automated USDT Capital TVL to help sustain it.
Other Risk
This is a gambling game that comes with financial loss risks. It enables users to win or lose big.
