Executive Summary

Luck.io, a crypto casino built on the Solana-based Proov Protocol, purports to be a “provably fair” and decentralized gambling platform. Our security audit finds that while some components are on-chain (e.g. random number generation and vault-based payouts), critical aspects remain centrally controlled, undermining full trustlessness.

Key findings include:

  • Randomness Generation (RNG) – Luck.io uses a VRF-based oracle network (Proov) to generate random outcomes on-chain, but all VRF oracles are team-operated, allowing potential cherry-picking of favorable outcomes before publishing[36][44]. There is no on-chain commit-reveal scheme binding randomness to bets, meaning the operator could re-roll random seeds off-chain until a desired result is obtained[2][3].

  • Game Logic & Fairness – The mapping of random outputs to game results (slot reels, card draws, etc.) is executed off-chain in Luck.io’s backend. Game logic and payout rules are not enforced by smart contracts or publicly verifiable code, so players must trust the operator on house edge and win calculations[10][11]. The platform does not publish return-to-player (RTP) or odds on-chain, and Halborn’s audit confirmed reliance on off-chain critical logic for outcomes[10][13].

  • Jackpot Anomalies – An investigation into a recent jackpot winner’s wallet uncovered red-flag behavior: a fresh wallet funded by large exchange deposits that hit two large jackpots in a short span. The odds of two jackpot wins in ~5,000 plays are ~0.00125% (∼1 in 80,000) under fair conditions[22], raising concerns of potential backend manipulation or insider advantage. The wallet showed ephemeral usage (no DeFi/NFT activity, only rapid micro-bets across casinos) consistent with a “sniper” bot or aided account[16][17].

  • Smart Contracts & Admin Controls – Luck.io employs on-chain programs (Vault and Slot) to custody funds and automate payouts, providing non-custodial player deposits and instant settlement in principle[12][13]. However, administrative privileges remain with the team: the Proov contracts are upgradeable and/or pausable by a central authority (no evidence of DAO governance or multisig protection)[31][32]. This means the operator could alter game contracts or freeze payouts unilaterally, contrary to full decentralization.

  • Payout Mechanics & Liquidity – Routine win payouts are handled by on-chain vault logic, and Luck.io claims even large wins (e.g. $500K) are auto-paid from an on-chain “cold bankroll” reserve[16]. In practice, jackpot payouts were not traceable to the public bankroll contracts, suggesting they may be settled via internal wallets off-chain[24][25]. While players can see casino wallet balances on Solana, there is no cryptographic proof of reserves or liabilities – balances can be moved by the team at will (albeit transparently on-chain)[25][26].
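To make the RNG finding concrete, the following is an added illustration (not Luck.io or Proov code) of the commit-reveal binding the report says is missing: the operator commits to a server seed before the bet, the player contributes a seed, and the outcome is fixed by both plus a bet nonce. The function names, the HMAC-based outcome derivation and the sample values are assumptions chosen for the illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Added illustration, not Luck.io/Proov code. Models a commit-reveal scheme that
# binds randomness to a bet so a re-rolled server seed is detectable by the player.

def commit(server_seed: bytes) -> str:
    """Commitment the operator must publish (e.g. on-chain) before any bet is placed."""
    return hashlib.sha256(server_seed).hexdigest()

def outcome(server_seed: bytes, client_seed: bytes, nonce: int, modulus: int) -> int:
    """Deterministic game result in [0, modulus) bound to both seeds and the bet index."""
    msg = client_seed + nonce.to_bytes(8, "big")
    digest = hmac.new(server_seed, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:8], "big") % modulus

def verify(commitment: str, server_seed: bytes, client_seed: bytes,
           nonce: int, modulus: int, claimed: int) -> bool:
    """Player-side check after reveal: the revealed seed must match the pre-bet
    commitment and must reproduce the outcome the operator settled on."""
    seed_ok = hmac.compare_digest(commit(server_seed), commitment)
    return seed_ok and outcome(server_seed, client_seed, nonce, modulus) == claimed

def reroll_without_commitment(client_seed: bytes, nonce: int, modulus: int,
                              wanted: int, tries: int = 100_000) -> Optional[bytes]:
    """Models the risk noted in the RNG finding: with no prior commitment an operator
    can keep drawing fresh server seeds until the result is the one it wants."""
    for _ in range(tries):
        candidate = secrets.token_bytes(32)
        if outcome(candidate, client_seed, nonce, modulus) == wanted:
            return candidate
    return None

if __name__ == "__main__":
    # Constructed sample values for a six-sided game (assumption, not platform data).
    server_seed = secrets.token_bytes(32)
    client_seed = b"player-seed-example"
    commitment = commit(server_seed)  # published before the bet is placed
    result = outcome(server_seed, client_seed, 0, 6)
    print("honest round verifies:", verify(commitment, server_seed, client_seed, 0, 6, result))
    # Operator swaps in a re-rolled seed that yields 0 ...
    rerolled = reroll_without_commitment(client_seed, 0, 6, wanted=0)
    # ... but the swapped seed no longer matches the published commitment.
    print("re-rolled seed verifies:", verify(commitment, rerolled, client_seed, 0, 6, 0))
```

The same check fails if the operator publishes the commitment only after the bet, which is why the commitment must land on-chain before the wager is accepted.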

Overall, our assessment concludes that Luck.io’s architecture is a hybrid of on-chain and off-chain components. It offers better transparency than a traditional casino (on-chain RNG proofs and fund custody), but falls short of a fully trustless system. Critical trust points – centralized RNG oracles, closed-source game code, team-controlled wallets, and an unpublished code audit – mean users must ultimately trust Luck.io’s operators. We outline below the technical architecture, identified risks, and recommendations to strengthen the platform’s security and fairness.
