LuckyBuy
Identified risky by Red Alarm
The First Lucky-to-earn Web3 Marketplace.
Risk Detail
Transparency Issues
Anonymous to the public.
Backdoor Functions
For the onlyowner claim() method of the main contract LuckyBuy (https://www.bscscan.com/address/0x816ea5B7B6D339FCC8B97465A2e8698C010C4d95#contracts), the winCode parameter is passed in by the owner. It is calculated from two numbers. After all codes of the current round are sold out, all data of that LuckyBuy round is hashed and the hash is recorded on the blockchain; Random Number 1 is the decimal value of the last 8 digits of the SHA256 hash. But the hash can be manipulated by changing the data, so the generation of the winCode is not transparent, and there is a possibility of cheating by the owner here.
Backdoor Functions
The buying and selling of lucky boxes by users and the distribution of rewards are not carried out through contracts, and the flow of funds is not transparent.
Centralization Risk
The owner of the main contract LuckyBuy is an EOA.
Audit
DappBay Red Alarm
Risk Level
High Risk
List Time
Oct 21, 2022
Chain
BNB Smart Chain