Payout System and Liquidity Transparency
In a gambling platform, honest and timely payouts are as important as fair odds. We reviewed how Luck.io manages payouts, the transparency of its bankroll, and whether users can trust that sufficient liquidity is locked for big wins.
On-Chain Vaults and Automated Payouts: Luck.io uses an on-chain Vault to handle player funds, which is a positive security feature. When a bet is resolved, the outcome (win or loss) is settled by the smart contract:
- If the player wins, the Vault transfers the winnings to the player’s wallet (or credits their balance) instantly and without needing manual approval[12].
- If the player loses, their wager is already in the Vault and simply remains there (becoming part of the house funds).
For typical wins, this system is trust-minimized – the code itself releases funds, and it won’t refuse a valid win as long as the Vault has funds. Indeed, during normal operations we saw that withdrawals and small wins were processed on-chain to user addresses promptly, indicating the automated flow works.
“Cold Bankroll” Reserve: Luck.io has mentioned a secondary reserve (often called a cold wallet or cold bankroll) used for very large payouts[25][26]. This is essentially an overflow pool of liquidity controlled by the team. If a win exceeds the funds currently in the active Vault, the idea is that the reserve wallet would supply the difference. This reserve’s address is known (Luck.io has at times shared it), and players can observe its balance on-chain. However:
- It’s not a smart contract, just a Solana wallet (team-controlled). So while you can see its SOL balance, the usage of those funds is manual.
- There is no on-chain linkage indicating when or how the reserve is tapped. An operator would have to transfer funds from the cold wallet into the Vault or directly to a winner when needed, which would be a normal Solana transaction but not automatically tied to the bet. Hence, tracking whether a jackpot was paid from the reserve is non-trivial unless the team discloses it.
In the jackpot case we analyzed, the payout to the winner’s wallet did not clearly come from the main Vault program, implying it may have been paid out of band (perhaps the team sent it from a cold wallet or a fresh funding source)[16]. This reduces the provability of payouts – an ideal design would use a smart contract escrow for jackpots as well, or at least route all payouts through known on-chain addresses.
Proof of Reserves (PoR) Claims: Luck.io claims to have “proof of reserves” because all bankroll funds are on the blockchain that players can inspect[24]. It’s true that one can look up the Vault account and cold wallet balances to see the casino’s funds. However, this is a limited form of transparency:
- There is no published schedule or guarantee of reserve levels (unlike a true PoR with liabilities, we don’t know how much is owed to players vs house capital).
- The team can move funds in and out at will (e.g., refill the bankroll from another wallet, or withdraw profits). We saw that there are no enforced reserve ratios or locks – “no on-chain contract enforcement of reserve ratios or maximum exposure”.
- No multi-signature protection on the reserve wallets was evident[49]. A single key loss or compromise could drain funds, which is a security risk for players.
- If Luck.io wanted to silently remove funds (for example, take a portion of the bankroll), they could, and the only recourse is user vigilance in watching the blockchain. There’s no automated alert or smart-contract constraint to prevent it.
Transparency Grade: We rate the payout and reserve transparency as partial at best:
- Visible Balances: Yes – Users can see the addresses and their token balances on Solana[25].
- Custody of Funds: No – Players do not hold custody during betting; funds are in team-controlled contracts/wallets (though governed by code to some extent)[40].
- Use of Funds Restricted by Code: No – The code does not restrict moving reserves or changing limits; this is all off-chain policy[24][25].
- Real-time Audit of Liquidity: No – There is no dashboard or oracle that tells players that, for example, X amount is locked for jackpots or Y is the current liability. It’s up to the user to manually parse blockchain data.
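The “real-time audit of liquidity” the grade finds missing is something an outside observer can approximate from public balances plus an estimate of what the house owes. The following is an added example written for this review, not Luck.io code: it takes observed vault and reserve balances (here constructed placeholders rather than values read from Solana), a set of player balances standing in for liabilities, and the open bets’ maximum payouts, and reports whether the automated Vault alone, or only the manually operated reserve, could cover the worst case. The `OpenBet` and `SolvencyReport` types and every number are assumptions made for the illustration.

```python
"""Solvency and exposure check over observed balances.

Added illustration for this review, not Luck.io code. All balances and bets
below are constructed; in practice `vault_lamports` and `reserve_lamports`
would be read from the chain and liabilities from the platform's accounting.
"""
from dataclasses import dataclass
from typing import Dict, List

LAMPORTS_PER_SOL = 1_000_000_000


@dataclass(frozen=True)
class OpenBet:
    bet_id: str
    max_payout: int   # lamports the house must deliver if this bet wins


@dataclass(frozen=True)
class SolvencyReport:
    liabilities: int          # player balances the house owes on demand
    worst_case_exposure: int  # liabilities plus every open bet winning
    reserve_ratio: float      # (vault + reserve) / liabilities
    findings: List[str]       # empty when nothing is flagged


def check_solvency(vault_lamports: int, reserve_lamports: int,
                   player_balances: Dict[str, int],
                   open_bets: List[OpenBet]) -> SolvencyReport:
    """Compare known house funds against what players could claim."""
    liabilities = sum(player_balances.values())
    exposure = liabilities + sum(b.max_payout for b in open_bets)
    total = vault_lamports + reserve_lamports
    largest = max((b.max_payout for b in open_bets), default=0)
    findings: List[str] = []
    # Only the Vault pays automatically; the reserve needs a manual transfer,
    # so a payout larger than the Vault balance depends on team action.
    if largest > vault_lamports:
        findings.append("largest open payout exceeds the automated vault balance")
    if liabilities > vault_lamports:
        findings.append("player balances are not fully backed by the vault alone")
    if exposure > total:
        findings.append("worst-case exposure exceeds all known house funds")
    ratio = total / liabilities if liabilities else float("inf")
    return SolvencyReport(liabilities, exposure, ratio, findings)


# Constructed sample inputs (placeholder values, not observed Luck.io data).
VAULT_BALANCE = 5_000 * LAMPORTS_PER_SOL
RESERVE_BALANCE = 20_000 * LAMPORTS_PER_SOL
PLAYER_BALANCES = {"PLAYER_A": 1_000 * LAMPORTS_PER_SOL, "PLAYER_B": 2_000 * LAMPORTS_PER_SOL}
OPEN_BETS = [OpenBet("bet-1", 800 * LAMPORTS_PER_SOL), OpenBet("bet-2", 6_000 * LAMPORTS_PER_SOL)]

if __name__ == "__main__":
    report = check_solvency(VAULT_BALANCE, RESERVE_BALANCE, PLAYER_BALANCES, OPEN_BETS)
    print(f"liabilities: {report.liabilities / LAMPORTS_PER_SOL:.0f} SOL")
    print(f"worst case:  {report.worst_case_exposure / LAMPORTS_PER_SOL:.0f} SOL")
    print(f"reserve ratio: {report.reserve_ratio:.2f}")
    for f in report.findings:
        print("finding:", f)
```

With the constructed inputs the house is solvent overall (25,000 SOL against a 9,800 SOL worst case) but the 6,000 SOL open payout exceeds the 5,000 SOL Vault, so it can only be honoured if someone moves reserve funds by hand, which is exactly the dependency on off-chain policy the grade above describes. Rerunning with the reserve set to zero flags the worst case as uncovered.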
This means counterparty risk remains. If Luck.io faced a liquidity crunch or decided to pause withdrawals, nothing in the smart contracts would stop them from doing so (aside from reputational damage and users noticing on-chain movements). Our investigation explicitly notes: “The team controls the reserves and most smart contracts… This means the team can move funds at any time, though it would be publicly visible. This exposes players to counterparty risk, especially if high-value withdrawals are delayed or paused ‘for review.’ In a truly trustless casino, no human could interfere with payouts at all, and funds would be secured by code until legitimately won or lost.”
Incident Consideration: It’s worth noting that during the jackpot scenario, after the wins, the player’s wallet received a large inflow (the winnings). We could not definitively trace that inflow to the official Vault or reserve account. It’s possible the team temporarily pulled funds from elsewhere (e.g., an exchange or another wallet) to pay it, then later reconciled their reserves. This is speculation, but the lack of clear on-chain traceability is exactly the issue – “no wallet disclosures, no smart contract vault with audit access [specifically for jackpots]”[16] means we can’t be sure where the money came from. A best practice for transparency would be to have a dedicated on-chain jackpot treasury or an event log linking payouts to a reserve transaction.
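The tracing problem described in the jackpot case and in the “Cold Bankroll” section above comes down to one question: does the winner’s inflow originate from a disclosed house address, and if the Vault was short, is the reserve top-up visible in the same transaction? The block below is an added example for this review, not Luck.io code. It runs that check over a constructed transfer list; the addresses (`VAULT`, `COLD_RESERVE`, the player wallets), the signatures and the amounts are placeholders, and in practice `LEDGER` would be filled from parsed Solana transactions involving the winner’s wallet.

```python
"""Payout attribution check for a winner's on-chain inflow.

Added illustration for this review, not Luck.io code. Addresses, signatures
and amounts are constructed placeholders; `LEDGER` would normally be built
from the winner's parsed Solana transaction history.
"""
from dataclasses import dataclass
from typing import List, Optional

LAMPORTS_PER_SOL = 1_000_000_000

# Placeholder house addresses (hypothetical, not the real accounts).
VAULT = "VAULT_PLACEHOLDER"
COLD_RESERVE = "COLD_RESERVE_PLACEHOLDER"
KNOWN_HOUSE = {VAULT: "vault", COLD_RESERVE: "cold_reserve"}


@dataclass(frozen=True)
class Transfer:
    signature: str      # transaction signature; one tx may carry several transfers
    slot: int
    source: str
    destination: str
    lamports: int


@dataclass(frozen=True)
class Attribution:
    signature: Optional[str]
    origin: str                      # "vault", "cold_reserve", "unknown" or "none"
    reserve_topup_in_same_tx: bool   # reserve -> vault leg inside the same transaction
    note: str


def attribute_payout(ledger: List[Transfer], winner: str, min_lamports: int) -> Attribution:
    """Classify the latest inflow to `winner` of at least `min_lamports`."""
    inflows = [t for t in ledger if t.destination == winner and t.lamports >= min_lamports]
    if not inflows:
        return Attribution(None, "none", False, "no inflow of that size found")
    payout = max(inflows, key=lambda t: t.slot)
    origin = KNOWN_HOUSE.get(payout.source, "unknown")
    # A reserve -> vault transfer under the same signature is the atomic
    # linkage the review asks for: the footprint ties reserve to payout.
    topup = any(
        t.signature == payout.signature and t.source == COLD_RESERVE and t.destination == VAULT
        for t in ledger
    )
    if origin == "unknown":
        note = "paid from an address outside the disclosed vault/reserve set; not verifiable"
    elif topup:
        note = "vault paid the winner and was refilled from the reserve in the same tx"
    else:
        note = f"paid directly from the {origin}"
    return Attribution(payout.signature, origin, topup, note)


# Constructed sample ledger: three payouts with different provenance.
PLAYER_A, PLAYER_B, PLAYER_C = "PLAYER_A", "PLAYER_B", "PLAYER_C"
LEDGER = [
    # Ordinary win settled by the vault.
    Transfer("sig_small_win", 100, VAULT, PLAYER_A, 2 * LAMPORTS_PER_SOL),
    # Jackpot-sized inflow from an undisclosed wallet: the untraceable case.
    Transfer("sig_jackpot_oob", 200, "UNDISCLOSED_WALLET", PLAYER_B, 1000 * LAMPORTS_PER_SOL),
    # Recommended pattern: reserve tops up the vault and the vault pays, in one tx.
    Transfer("sig_jackpot_atomic", 300, COLD_RESERVE, VAULT, 800 * LAMPORTS_PER_SOL),
    Transfer("sig_jackpot_atomic", 300, VAULT, PLAYER_C, 1000 * LAMPORTS_PER_SOL),
]

if __name__ == "__main__":
    for player in (PLAYER_A, PLAYER_B, PLAYER_C):
        print(player, attribute_payout(LEDGER, player, 1 * LAMPORTS_PER_SOL))
```

`PLAYER_B` is the situation this section describes: the inflow exists and is large, but its source is not in the disclosed set, so nothing on-chain confirms it was house money. `PLAYER_C` shows what a provable jackpot looks like: the reserve leg and the payout leg share one signature, so an auditor needs no disclosure from the team to connect them.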
Recommendations: To bolster user confidence, we recommend:
- Automating Large Payout Funding: Use a programmatic mechanism to draw from the cold reserve when needed. For example, the Vault program could be extended or complemented with a treasury contract that automatically loans funds to the Vault for a large win, all in one atomic transaction. This would leave an on-chain footprint tying the reserve to the payout event.
- Multisig & Time-lock on Reserves: The main bankroll and reserve wallets should be secured by a multisignature scheme (e.g., 2-of-3 or more), perhaps including an independent party. Also, consider time-locking large withdrawals from the reserve (e.g., require 24h notice)[28] – this can prevent a single rogue actor from emptying funds and give users a warning if funds are moved abnormally.
- Regular Proof-of-Reserve Audits: Periodically (or in real-time via an oracle), publish a proof that the on-chain reserves match or exceed user balances. Since user balances are actually in the Vault, an equivalent concept is proof that the Vault is solvent relative to active player funds. This could be done via a view function or snapshot, increasing transparency.
- Publish Payout Logs: As mentioned earlier, for major wins, publish a transaction breakdown. If Luck.io wants to maintain trust, being forthcoming with exactly how a 1000 SOL jackpot was paid (which addresses and when) and linking it to the VRF result would dispel a lot of doubt.
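To make the first two recommendations concrete, here is an added model of the intended control flow, written for this review in plain Python; it is not a Solana program and not Luck.io code. It shows a reserve where large payouts are funded automatically and atomically with a single logged event, while team withdrawals from the reserve require an m-of-n approval set and a notice period before they can execute. The class name `ReserveModel`, the signer names, the 24h `NOTICE_SECONDS` and all balances are assumptions for the illustration; a real deployment would implement the same rules in the on-chain program and a multisig wallet.

```python
"""Model of the recommended reserve controls: multisig plus time-locked team
withdrawals, and atomic, logged funding of large payouts.

Added illustration for this review, not a Solana program and not Luck.io
code. Amounts are lamports; signer names, balances and the notice period
are constructed parameters.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

NOTICE_SECONDS = 24 * 3600   # the "24h notice" recommended above


@dataclass
class WithdrawalRequest:
    amount: int
    requested_at: int
    approvals: Set[str] = field(default_factory=set)
    executed: bool = False


class ReserveModel:
    def __init__(self, reserve: int, vault: int, signers: Set[str], threshold: int):
        if not 1 <= threshold <= len(signers):
            raise ValueError("threshold must be between 1 and the number of signers")
        self.reserve, self.vault = reserve, vault
        self.signers, self.threshold = set(signers), threshold
        self.requests: Dict[int, WithdrawalRequest] = {}
        self.events: List[dict] = []   # the on-chain footprint an auditor would read
        self._next_tx = 1

    def _tx_id(self) -> str:
        tx = f"tx{self._next_tx:04d}"
        self._next_tx += 1
        return tx

    def fund_large_payout(self, winner: str, amount: int) -> dict:
        """Pay `amount` to the winner; any shortfall is pulled from the reserve
        in the same event, so the reserve leg and the payout leg share a tx id."""
        shortfall = max(0, amount - self.vault)
        if shortfall > self.reserve:
            raise ValueError("reserve and vault together cannot cover this payout")
        # Checks run before any mutation, so either both legs apply or neither does.
        self.reserve -= shortfall
        self.vault += shortfall - amount
        event = {"tx": self._tx_id(), "reserve_to_vault": shortfall,
                 "vault_to_winner": amount, "winner": winner}
        self.events.append(event)
        return event

    def request_withdrawal(self, amount: int, now: int, signer: str) -> int:
        """A team withdrawal is announced first; it cannot execute before the notice period."""
        self._check_signer(signer)
        rid = len(self.requests) + 1
        self.requests[rid] = WithdrawalRequest(amount, now, {signer})
        self.events.append({"tx": self._tx_id(), "withdrawal_requested": rid,
                            "amount": amount, "earliest_execution": now + NOTICE_SECONDS})
        return rid

    def approve(self, rid: int, signer: str) -> None:
        self._check_signer(signer)
        self.requests[rid].approvals.add(signer)

    def execute_withdrawal(self, rid: int, now: int) -> bool:
        """Executes only with threshold approvals, after the notice period, once."""
        req = self.requests[rid]
        if req.executed or len(req.approvals) < self.threshold:
            return False
        if now < req.requested_at + NOTICE_SECONDS:
            return False   # users watching the chain get the warning window
        if req.amount > self.reserve:
            return False
        self.reserve -= req.amount
        req.executed = True
        self.events.append({"tx": self._tx_id(), "withdrawal_executed": rid, "amount": req.amount})
        return True

    def _check_signer(self, signer: str) -> None:
        if signer not in self.signers:
            raise PermissionError(f"{signer} is not an authorised signer")


if __name__ == "__main__":
    S = 1_000_000_000
    m = ReserveModel(reserve=10_000 * S, vault=500 * S, signers={"ops", "finance", "auditor"}, threshold=2)
    print(m.fund_large_payout("WINNER_PLACEHOLDER", 1_000 * S))
    rid = m.request_withdrawal(1_000 * S, now=0, signer="ops")
    m.approve(rid, "finance")
    print("executed early:", m.execute_withdrawal(rid, now=3600))
    print("executed after notice:", m.execute_withdrawal(rid, now=NOTICE_SECONDS))
```

The point of the model is the asymmetry: a legitimate large win never waits on a human (the reserve is drawn automatically and the event records both legs), whereas moving reserve funds out for any other reason needs two keys and leaves a publicly visible pending request for a full day before it can clear. That is the combination of on-chain footprint and warning window the two recommendations ask for.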