Security

Lotto Balls is designed with security as a core principle. This page outlines the security measures and considerations.

Smart Contract Security

Reentrancy Protection

The contract inherits from OpenZeppelin's ReentrancyGuard:

function play(...) external payable nonReentrant whenNotPaused onlyWhitelisted

All state changes occur before external calls, following the checks-effects-interactions pattern.

Pausability

The contract can be paused in emergencies:

function pause() external onlyOwner
function unpause() external onlyOwner

When paused:

No new bets can be placed
Pending VRF callbacks can still complete
Admin functions remain accessible

Access Control

Multiple layers of access control:

Function

Protection

play()

onlyWhitelisted (requires LAZER token)

Admin functions

onlyOwner

VRF callback

Only VRF Coordinator can call

External caller

Must be whitelisted via setExternalCaller

Single Pending Bet

Players can only have one pending bet:

require(!hasBet[user], GamePending());
hasBet[user] = true;
// ... VRF request ...
// After resolution:
hasBet[player] = false;

This prevents:

Bet flooding attacks
Complex multi-bet exploits
VRF callback confusion

Randomness Security

Chainlink VRF

VRF (Verifiable Random Function) ensures:

Unpredictability: Numbers cannot be predicted before reveal
Verifiability: Cryptographic proof of fairness
Tamper resistance: Cannot be manipulated by any party

Number Derivation

Four numbers are derived from a single VRF word:

for (uint256 i; i < 4; ++i) {
    drawnNumbers[i] = uint8(
        uint256(keccak256(abi.encodePacked(randomWords[0], i))) % 10
    );
}

This ensures:

Uniform distribution (0-9 for each position)
Deterministic derivation (verifiable)
No correlation between positions

Financial Security

Fee Distribution

USDC fees are immediately transferred to the owner:

uint256 distFee = (usdcCost * feePercent) / DIVISOR;
usdc.transfer(owner(), distFee);

Jackpot Protection

Multiple safeguards for the prize pool:

Buffer Rate (30%): Reserved funds never paid out
Jackpot Cap: Maximum single payout limit
No negative balances: Transfers check balances

function jackpot() public view returns (uint256) {
    uint256 pool = usdc.balanceOf(address(this));
    if (pool == 0) return 0;

    uint256 buffer = (pool * BUFFER_RATE) / DIVISOR;
    uint256 available = pool - buffer;
    uint256 calculated = (available * JACKPOT_RATE) / DIVISOR;

    return calculated > jackpotCap ? jackpotCap : calculated;
}

LTB Transfer Safety

LTB transfers check balance before sending:

function _transferLTB(address to, uint256 amt) internal {
    if (amt > 0 && ltbToken.balanceOf(address(this)) >= amt) {
        ltbToken.transfer(to, amt);
    }
}

Emergency Procedures

Manual Game Override

If a VRF callback fails (extremely rare):

function manualOverrideGame(uint256 id) external onlyOwner {
    Bet storage bet = bets[id];
    require(!bet.resolved, NoGamePending());
    bet.resolved = true;
    hasBet[bet.player] = false;
    emit ManualGameOverride(bet.player, id);
}

This:

Unlocks the stuck player
Does NOT award any prizes
Logs the override for transparency

Fund Withdrawal

Owner can withdraw funds if needed:

function withdrawUSDC(uint256 amount) external onlyOwner
function withdrawLTB(uint256 amount) external onlyOwner

Known Considerations

Token Approval Requirements

Players must approve tokens before playing. The contract does not implement permit() - standard approve() is required.

VRF Callback Gas

The callback has a gas limit (800,000). Complex operations could theoretically exceed this, though the current implementation is well within limits.

Centralization Points

The owner address has significant control:

Pause/unpause the contract
Modify payout amounts
Withdraw funds
Override stuck games

Users should be aware of this trust assumption.

Audit Status

Users should verify the audit status of the contracts before depositing significant funds. Look for:

Third-party security audits
Bug bounty programs
Time the contracts have been live without issues

Reporting Vulnerabilities

If you discover a security vulnerability:

Do NOT disclose publicly
Contact the team through official channels
Allow reasonable time for a fix
Responsible disclosure is appreciated and may be rewarded

PreviousSmart Contracts

Last updated 1 month ago

Good morning

hashtagSmart Contract Security

hashtagReentrancy Protection

hashtagPausability

hashtagAccess Control

hashtagSingle Pending Bet

hashtagRandomness Security

hashtagChainlink VRF

hashtagNumber Derivation

hashtagFinancial Security

hashtagFee Distribution

hashtagJackpot Protection

hashtagLTB Transfer Safety

hashtagEmergency Procedures

hashtagManual Game Override

hashtagFund Withdrawal

hashtagKnown Considerations

hashtagToken Approval Requirements

hashtagVRF Callback Gas

hashtagCentralization Points

hashtagAudit Status

hashtagReporting Vulnerabilities