The blockchain community is abuzz about MetaWin Lottery, a blockchain-based lottery system. However, a deep dive into its smart contract reveals several red flags that potential users should be aware of.
Centralization and Control Concerns
The OPERATOR_ROLE in MetaWin’s contract introduces a central point of control, contrasting the blockchain ethos of decentralization. This role could potentially manipulate lottery outcomes or access funds, raising trust issues.
bytes32 public constant OPERATOR_ROLE = keccak256(“OPERATOR”);
Dependence on External Oracle
MetaWin relies heavily on Chainlink’s VRF for randomness, making it vulnerable to external failures or manipulation. This dependence is akin to putting all your eggs in one basket, which can be risky in blockchain’s unpredictable environment.
/// @param _entriesSize length of the entries array of that raffle
/// @return requestId Id generated by chainlink
function getRandomNumber(uint256 _id, uint256 _entriesSize)
internal
returns (bytes32 requestId)
{
require(
LINK.balanceOf(address(this)) > fee,
“Not enough LINK – fill contract with faucet”
);
bytes32 result = requestRandomness(keyHash, fee);
// result is the requestId generated by chainlink. It is saved in a map linked to the param id
chainlinkRaffleInfo[result] = RaffleInfo({id: _id, size: _entriesSize});
return result;
}
Complex Winner Selection Mechanism
The contract’s winner selection uses a complex algorithm, which, if flawed, could lead to incorrect or unfair outcomes. Such complexity in critical functions like winner determination is a potential vulnerability.
) public view returns (address) {
uint256 position = findUpperBound(entriesList[_raffleId], _normalizedRandomNumber);
return entriesList[_raffleId][position].player;
}/// @param array sorted array of EntriesBought. CurrentEntriesLength is the numeric field used to sort
/// @param element uint256 to find. Goes from 1 to entriesLength
/// @dev based on openzeppelin code (v4.0), modified to use an array of EntriesBought
/// Searches a sorted array and returns the first index that contains a value greater or equal to element.
/// If no such index exists (i.e. all values in the array are strictly less than element), the array length is returned. Time complexity O(log n).
/// array is expected to be sorted in ascending order, and to contain no repeated elements.
/// https://docs.openzeppelin.com/contracts/3.x/api/utils#Arrays-findUpperBound-uint256—uint256-
function findUpperBound(EntriesBought[] storage array, uint256 element) internal view returns (uint256) {
if (array.length == 0) {
return 0;
}uint256 low = 0;
uint256 high = array.length;while (low < high) {
uint256 mid = Math.average(low, high);// Note that mid will always be strictly less than high (i.e. it will be a valid array index)
// because Math.average rounds down (it does integer division with truncation).
if (array[mid].currentEntriesLength > element) {
high = mid;
} else {
low = mid + 1;
}
}// At this point `low` is the exclusive upper bound. We will return the inclusive upper bound.
if (low > 0 && array[low – 1].currentEntriesLength == element) {
return low – 1;
} else {
return low;
}
}
Financial Management and High Commissions
With a commission rate up to 50%, the contract’s financial management and distribution mechanisms need scrutiny. High commission rates and the handling of funds and NFTs require transparency to ensure user trust.
require(_commissionInBasicPoints <= 5000, “commission too high”);
Technical and Security Shortcomings
Despite employing Reentrancy Guard, the contract’s gas optimization and error handling appear lacking. In blockchain, where security is paramount, such oversights could lead to vulnerabilities, including potential financial losses for users.
In Conclusion
MetaWin Lottery’s smart contract presents several issues that should not be taken lightly. Users interested in participating should proceed with caution, conduct thorough research, and consult blockchain experts. As the blockchain world evolves, staying informed and vigilant is key to navigating its complexities safely.