# Executive Summary

Luck.io, a crypto casino built on the Solana-based **Proov Protocol**, purports to be a “provably fair” and decentralized gambling platform. Our security audit finds that **while some components are on-chain (e.g. random number generation and vault-based payouts), critical aspects remain centrally controlled**, undermining full trustlessness.

Key findings include:

* **Randomness Generation (RNG)** – Luck.io uses a VRF-based oracle network (Proov) to generate random outcomes on-chain, but **all VRF oracles are team-operated**, allowing potential cherry-picking of favorable outcomes before publishing\[[36](/luckio-audit/readme/evidence.md#id-36-halborn-scope-omits-rng-oracles-game-logic)]\[[44](/luckio-audit/readme/evidence.md#id-44-explorer-shows-logs-not-pre-commit-proofs)]. There is no on-chain commit-reveal scheme binding randomness to bets, meaning the operator could re-roll random seeds off-chain until a desired result is obtained\[[2](/luckio-audit/readme/evidence.md#id-2-same-signer-used-across-multiple-users-games)]\[[3](/luckio-audit/readme/evidence.md#id-3-no-public-instructions-to-run-an-oracle-node)].
* **Game Logic & Fairness** – The mapping of random outputs to game results (slot reels, card draws, etc.) is executed off-chain in Luck.io’s backend. **Game logic and payout rules** are not enforced by smart contracts or publicly verifiable code, **so players must trust the operator on house edge and win calculations**\[[10](/luckio-audit/readme/evidence.md#id-10-halborn-reliance-on-off-chain-logic)]\[[11](/luckio-audit/readme/evidence.md#id-11-slot-vault-contract-extracts-show-no-outcome-logic)]. The platform does not publish return-to-player (RTP) or odds on-chain, and **Halborn’s audit confirmed reliance on off-chain critical logic** for outcomes\[[10](/luckio-audit/readme/evidence.md#id-10-halborn-reliance-on-off-chain-logic)]\[[13](/luckio-audit/readme/evidence.md#id-13-no-published-rtp-odds-per-game-on-chain)].
* **Jackpot Anomalies** – An investigation into a recent jackpot winner’s wallet uncovered red-flag behavior: a fresh wallet funded by large exchange deposits that hit two large jackpots in a short span. The odds of two jackpot wins in ~5,000 plays are **~0.00125% (~1 in 80,000)** under fair conditions\[[22](/luckio-audit/readme/evidence.md#id-22-probability-graph-poisson-for-2-in-5-000)], raising concerns of **potential backend manipulation or insider advantage**. The wallet showed ephemeral usage (no DeFi/NFT activity, only rapid micro-bets across casinos) consistent with a “sniper” bot or aided account\[[16](https://provablyfair.org/luckio-audit/readme/pages/Yn5jshCSg0q1alp8JaXb#id-16-winner-wallet-page-5or7bf...-full-tx-history)]\[[17](/luckio-audit/readme/evidence.md#id-17-kraken-funded-deposits-2-greater-than-600-sol)].
* **Smart Contracts & Admin Controls** – Luck.io employs on-chain programs (Vault and Slot) to custody funds and automate payouts, providing non-custodial player deposits and instant settlement in principle\[[12](/luckio-audit/readme/evidence.md#id-12-data-flow-rng-off-chain-payout)]\[[13](/luckio-audit/readme/evidence.md#id-13-no-published-rtp-odds-per-game-on-chain)]. However, **administrative privileges remain with the team**: the Proov contracts are upgradeable and/or pausable by a central authority (no evidence of DAO governance or multisig protection)\[[31](/luckio-audit/readme/evidence.md#id-31-upgrade-authority-is-team-controlled)]\[[32](/luckio-audit/readme/evidence.md#id-32-no-public-dao-governance-no-spl-governance-links)]. This means the operator could alter game contracts or freeze payouts unilaterally, contrary to full decentralization.
* **Payout Mechanics & Liquidity** – Routine win payouts are handled by on-chain vault logic, and Luck.io claims even large wins (e.g. $500K) are auto-paid from an on-chain “cold bankroll” reserve\[[16](https://provablyfair.org/luckio-audit/readme/pages/Yn5jshCSg0q1alp8JaXb#id-16-winner-wallet-page-5or7bf...-full-tx-history)]. In practice, **jackpot payouts were not traceable to the public bankroll contracts**, suggesting they may be settled via internal wallets off-chain\[[24](/luckio-audit/readme/evidence.md#id-24-vault-settlement-log-typical-small-win-auto-settled)]\[[25](/luckio-audit/readme/evidence.md#id-25-cold-reserve-described-marketing)]. While players can see casino wallet balances on Solana, there is **no cryptographic proof of reserves or liabilities** – balances can be moved by the team at will (albeit transparently on-chain)\[[25](/luckio-audit/readme/evidence.md#id-25-cold-reserve-described-marketing)]\[[26](/luckio-audit/readme/evidence.md#id-26-cold-reserve-is-a-wallet-not-a-contract)].
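The RNG finding above hinges on the absence of a commit-reveal scheme binding randomness to bets. The following is an added illustration (not Luck.io or Proov code) of the standard construction such a scheme would use: the operator commits to a hash of its seed before any bet, the player contributes their own seed, and after the reveal anyone can check that the revealed seed matches the commitment and reproduces the published result. The `outcome` mapping (HMAC-SHA256 reduced modulo the number of sides) and all seeds are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed example: a commit-reveal binding between a pre-published
# server-seed commitment and each bet's outcome. Not the platform's code.

def commit(server_seed: bytes) -> str:
    """Operator publishes this hash BEFORE accepting any bet."""
    return hashlib.sha256(server_seed).hexdigest()

def outcome(server_seed: bytes, client_seed: bytes, nonce: int, sides: int = 100) -> int:
    """Deterministic result in [0, sides): HMAC-SHA256(server_seed, client_seed:nonce)."""
    msg = client_seed + b":" + str(nonce).encode()
    digest = hmac.new(server_seed, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:8], "big") % sides

def verify(commitment: str, revealed_seed: bytes, client_seed: bytes,
           nonce: int, claimed: int, sides: int = 100) -> bool:
    """Player-side check: the revealed seed must match the pre-bet commitment
    AND reproduce the result the operator published for this bet."""
    if not hmac.compare_digest(commit(revealed_seed), commitment):
        return False  # seed was changed after the commitment was published
    return outcome(revealed_seed, client_seed, nonce, sides) == claimed

def demo():
    """Returns (honest_verifies, rerolled_verifies)."""
    server_seed = secrets.token_bytes(32)
    client_seed = b"player-chosen-seed"  # contributed after the commitment
    c = commit(server_seed)
    result = outcome(server_seed, client_seed, nonce=1)
    honest = verify(c, server_seed, client_seed, 1, result)
    # A seed re-rolled after seeing the bet cannot match the earlier commitment,
    # so a post-hoc "favorable" seed is rejected by the player-side check.
    rerolled = secrets.token_bytes(32)
    rerolled_ok = verify(c, rerolled, client_seed, 1, outcome(rerolled, client_seed, 1))
    return honest, rerolled_ok

if __name__ == "__main__":
    print(demo())  # expected (True, False)
```

Without the published commitment step, the second check has nothing to compare against, which is exactly the gap the finding describes.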

Overall, our assessment concludes that **Luck.io’s architecture is a hybrid of on-chain and off-chain components**. It offers better transparency than a traditional casino (on-chain RNG proofs and fund custody), but **falls short of a fully trustless system**. Critical trust points – centralized RNG oracles, closed-source game code, team-controlled wallets, and an unpublished code audit – mean users must ultimately trust Luck.io’s operators. We outline below the technical architecture, identified risks, and recommendations to strengthen the platform’s security and fairness.
