Prophecy Pool - Smart Contract Audit Report
The Prophecy's Pool is a new contract where users can enter into a lottery.
We reviewed Prophecy's Pool contract at commit 56372238a446dba4d9c6e18f3cf12cf79dfc2597 on the team's private GitHub.
Notes on the Contract:
- Users can enter into the lottery by depositing ETH or an ERC20 token. The asset used in the lottery will be set by the team.
- Once a sufficient number of players have entered the lottery, a winner can be selected.
- Chainlink is used to generate random numbers to select lottery winners. This is the gold standard and is resistant to manipulation.
- Upon selection of the winner, the winner will be able to claim the proceeds from the lottery.
- A portion of the proceeds will also be sent to the project team.
- A for loop is used to check if participants are winners. The team must ensure the maximum participants are no more than a few hunded addresses to prevent this loop from hitting the block gas limit.
- Once the lottery is completed and winner proceeds have been distributed, the contract will be reset and a new round will begin.
- Contract-based wallets are not allowed to use the system.
- The owner of the contract can update the lottery entry price, the token used in the lottery, number of allowed participants, and the number winners from each pool round.
- SafeMath is utilized to prevent overflows.
Audit Findings Summary:
- No security issues from outside attackers were identified.
- Ensure trust in the team as they have notable control in the ecosystem.
- Date: June 1st, 2021.
External Threat Results
Vulnerability Category Notes Result Arbitrary Storage Write N/A PASS Arbitrary Jump N/A PASS Delegate Call to Untrusted Contract N/A PASS Dependence on Predictable Variables N/A PASS Deprecated Opcodes N/A PASS Ether Thief N/A PASS Exceptions N/A PASS External Calls N/A PASS Integer Over/Underflow N/A PASS Multiple Sends N/A PASS Suicide N/A PASS State Change External Calls N/A Pass Unchecked Retval N/A PASS User Supplied Assertion N/A PASS Critical Solidity Compiler N/A PASS Overall Contract Safety PASS
($) = payable function # = non-constant function Int = Internal Ext = External Pub = Public + [Lib] SafeMathChainlink - [Int] add - [Int] sub - [Int] mul - [Int] div - [Int] mod + [Int] LinkTokenInterface - [Ext] allowance - [Ext] approve # - [Ext] balanceOf - [Ext] decimals - [Ext] decreaseApproval # - [Ext] increaseApproval # - [Ext] name - [Ext] symbol - [Ext] totalSupply - [Ext] transfer # - [Ext] transferAndCall # - [Ext] transferFrom # + VRFRequestIDBase - [Int] makeVRFInputSeed - [Int] makeRequestId + VRFConsumerBase (VRFRequestIDBase) - [Int] fulfillRandomness # - [Int] requestRandomness # - [Pub]
# - [Ext] rawFulfillRandomness # + [Int] IERC20 - [Ext] totalSupply - [Ext] balanceOf - [Ext] transfer # - [Ext] allowance - [Ext] approve # - [Ext] transferFrom # + [Lib] Address - [Int] isContract - [Int] sendValue # - [Int] functionCall # - [Int] functionCall # - [Int] functionCallWithValue # - [Int] functionCallWithValue # - [Prv] _functionCallWithValue # + ReentrancyGuard - [Int] # + Context - [Int] _msgSender - [Int] _msgData + Ownable (Context) - [Int] # - [Pub] owner - [Pub] renounceOwnership # - modifiers: onlyOwner - [Pub] transferOwnership # - modifiers: onlyOwner + [Lib] Uint256ArrayUtils - [Int] indexOf - [Int] contains - [Int] hasDuplicate - [Int] remove - [Int] removeStorage # - [Int] pop - [Int] extend - [Int] _validateLengthAndUniqueness + [Lib] AddressArrayUtils - [Int] indexOf - [Int] contains - [Int] hasDuplicate - [Int] remove - [Int] removeStorage # - [Int] pop - [Int] extend - [Int] validatePairsWithArray - [Int] validatePairsWithArray - [Int] validatePairsWithArray - [Int] validatePairsWithArray - [Int] validatePairsWithArray - [Int] _validateLengthAndUniqueness + [Int] IWETH (IERC20) - [Ext] deposit ($) - [Ext] withdraw # + [Int] IProphetPoolFactory - [Ext] create # - [Ext] getWeth - [Ext] getVrfKeyHash - [Ext] getVrfFee - [Ext] getLinkToken - [Ext] getVrfCoordinator - [Ext] getAllPools + ProphetPool (VRFConsumerBase, ReentrancyGuard, Ownable) - [Pub] # - modifiers: VRFConsumerBase - [Ext] setPoolRules # - modifiers: onlyOwner - [Ext] setFeeRecipient # - modifiers: onlyOwner - [Ext] enterPoolEth ($) - modifiers: onlyValidPool,onlyEOA - [Ext] enterPool # - modifiers: onlyValidPool,onlyEOA - [Ext] settlePool # - [Ext] collectRewards # - modifiers: nonReentrant - [Ext] ($) - [Ext] getFactory - [Ext] getFeeRecipient - [Ext] getPoolName - [Ext] getEnterToken - [Ext] getPoolStatus - [Ext] getPoolConfig - [Ext] getTotalEnteredAmount - [Ext] getRewardPerParticipant - [Ext] getParticipants - [Ext] getParticipant - [Ext] getWinnerIndexes - [Ext] isWinner - [Int] _enterPool # - [Int] _resetPool # - [Int] _transferEnterToken # - [Int] _isEthPool - [Int] _getRandomNumberBlockchain - [Int] _getRandomNumber # - [Int] fulfillRandomness #