Is it true that SmartBillions got hacked, as the status on Twitter says? If it is true, as bounty participants we grieve. But hopefully that status is not true.
The smart contract is now improved and new hackathon was announced:
SmartBillions smart contract improved: Hackathon 2.0 starts!
SmartBillions smart contract is improved and now we are pleased to announce the hackathon second round.
1500 ETH was put in the smart contract address to validate the contract security after the improvements were made.
Contract address:
https://etherscan.io/address/0x103c2c150a2dbcc277ee084c59881978060c8c22
The list of contract improvements:
1. transferFrom function: You can only send owned Tokens.
2. addHashes function: the database initiation is now safer.
3. hotStore function: Anyone can deposit funds in the contract.
4. coldStore function: In case of emergency the admin is allowed to withdraw the whole surplus over the contract liabilities only when over 50 % of Tokens are redeemed.
5. won function: will not return the bet value in case of database error.
6. play function: players are required to store more information in the database.
The Hackathon prize was deposited in the smart contract using the hotStore function by 6 different ETH addresses. The hotStore function allows any address to store funds anytime in the smart contract and then withdraw the prior stored amount using the won function. However the Jackpot management rules apply to these withdraws. One address cannot withdraw more than 50 % of the contract value and withdraws can be made every (4*60*24*30) blocks.
1500 ETH Hackathon prize will be withdrawn in 2 cases:
1. If there’s another bug found in the contract and Hacker will not withdraw all the funds, the remaining funds will be withdrawn by the same addresses that deposited the funds using the won function.
2. If the funds will remain intact before the ICO the same addresses that deposited the funds will be able to withdraw exactly the same amounts as deposited (Hackathon prizes) in the later phase.
The funds from the first Hackathon were withdrawn by the Admin using the coldStore function.
The withdraw was possible because there weren’t any liabilities on the contract such as Token redeem and win payouts. There weren’t any wins to pay out because the players were able to claim the wins after a given time period, they weren’t the lottery winners right after the lottery draw. At the moment of the Admin withdraw there were no wins to pay.
The funds raised during an ICO are protected within the smart contract.
Withdrawals by the admin are possible in the coldStore function only under certain conditions.
function coldStore(uint _amount) external onlyOwner
{
    houseKeeping();
    // never dip into 90% of the invested funds plus the wallet balances
    require(_amount > 0 && this.balance >= (investBalance * 9 / 10) + walletBalance + _amount);
    if(investBalance >= investBalanceGot / 2){ // additional jackpot protection
        // at most balance / 400 per withdrawal, once every 4 * 60 * 24 * 7 blocks
        require((_amount <= this.balance / 400) && coldStoreLast + 4 * 60 * 24 * 7 <= block.number);
    }
    msg.sender.transfer(_amount);
    coldStoreLast = block.number;
}
This line:
require(_amount > 0 && this.balance >= (investBalance * 9 / 10) + walletBalance + _amount);
guarantees that the admin can never withdraw funds that are protected: the 90% of the funds invested during the ICO plus the funds in wallets waiting to be withdrawn (these include unpaid prizes due to lack of funds in the contract; however these prizes must have been claimed with the won() function before, otherwise the prizes are not known to the contract).
There is also an additional important limit that the withdraw amount must be smaller than 0.25% of the jackpot and this fraction cannot be withdrawn more often than every 7 days (4*60*24*7 blocks).
This additional limit is waived if 50% of investors decide to disinvest.
This additional limit means that if there is a large lottery win waiting but the winner did not collect his winnings yet, then the admin can run away with 0.25% of the current jackpot, leaving 99.75% of the jackpot still in the contract. Thus this risk has a negligible effect on the collected funds by the winner. The regular withdraw of 0.25% per week by the admin to promote the lottery is an expected behavior.
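
A model of the two require() guards in the coldStore function quoted above, written in Python so the limits can be checked against sample balances. It is an added example, not code from SmartBillions or from the post; it ignores houseKeeping() (not shown in the post) and uint overflow, and the State fields and the sample states A, B and C are constructed.

```python
from dataclasses import dataclass

ETH = 10**18                          # balances are modelled in wei
BLOCKS_PER_WEEK = 4 * 60 * 24 * 7     # 40320 blocks, the post's 7-day figure

@dataclass
class State:                          # constructed snapshot of contract storage
    balance: int                      # this.balance
    invest_balance: int               # investBalance
    invest_balance_got: int           # investBalanceGot
    wallet_balance: int               # walletBalance
    cold_store_last: int              # coldStoreLast
    block_number: int                 # block.number

def protection_active(s: State) -> bool:
    # the "additional jackpot protection" branch; `//` mirrors uint division
    return s.invest_balance >= s.invest_balance_got // 2

def cold_store_allowed(s: State, amount: int) -> tuple[bool, str]:
    """Evaluate both require() guards for a withdrawal of `amount` wei."""
    protected = s.invest_balance * 9 // 10 + s.wallet_balance
    if amount <= 0 or s.balance < protected + amount:
        return False, "would dip into protected funds"
    if protection_active(s):
        if amount > s.balance // 400:
            return False, "exceeds balance / 400 (0.25%)"
        if s.cold_store_last + BLOCKS_PER_WEEK > s.block_number:
            return False, "less than 7 days since last withdrawal"
    return True, "ok"

def max_withdrawable(s: State) -> int:
    """Largest amount the guards accept in state s (0 if none)."""
    surplus = s.balance - (s.invest_balance * 9 // 10 + s.wallet_balance)
    if surplus <= 0:
        return 0
    if not protection_active(s):
        return surplus                # limit waived: whole surplus is reachable
    if s.cold_store_last + BLOCKS_PER_WEEK > s.block_number:
        return 0
    return min(surplus, s.balance // 400)

# Constructed states: A = prize only, B = ICO funds in place, C = over half redeemed
A = State(1500 * ETH, 0, 0, 0, 0, 5_000_000)
B = State(2000 * ETH, 1000 * ETH, 1000 * ETH, 100 * ETH, 0, 5_000_000)
C = State(2000 * ETH, 400 * ETH, 1000 * ETH, 100 * ETH, 0, 5_000_000)

if __name__ == "__main__":
    for name, s in (("A", A), ("B", B), ("C", C)):
        print(name, max_withdrawable(s) / ETH, "ETH")
```

In state C the jackpot limit no longer applies, so the only remaining bound is the protected amount (90% of investBalance plus walletBalance).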