Jackpot Wallet Behavior and Statistical Improbability of Wins
A special focus of our audit was an alleged jackpot incident: a single player wallet that hit two major jackpots in a short timeframe. We analyzed on-chain data for that wallet and the associated transactions to assess whether this could be a coincidence or if it suggests exploitation or insider activity.
Wallet Profile: The wallet in question (address beginning 5or7BFp...) exhibits atypical behavior for a casual player[16]:
- It was funded by two large deposits from a centralized exchange (Kraken), each >600 SOL (worth $60k+), shortly before the jackpot wins[17]. This indicates a deliberate funding event, possibly for the purpose of high-rolling.
- The wallet engages almost exclusively in gambling dApp transactions – not just on Luck.io but also very small micro-transactions to other Solana casinos like flip.gg and solwheel.vip[18]. It sent 10–30 rapid micro-transfers (0.000005 SOL each) in batch sequences, which could be testing interactions or manipulating on-chain state (though the amounts are tiny).
- There is no typical user activity: it holds virtually no other tokens (only 0.001 USDC, no NFTs) and never did staking or DeFi trades[19]. This suggests it’s a throwaway wallet, used solely for short-term betting[16].
- The timing of bets is concentrated. We observed the large SOL inflows, then heavy betting activity around the time of the known jackpot wins, and afterwards large outflows (200–230 SOL in single transactions) to other wallets[20]. It appears the wallet was emptied not long after hitting wins.
These patterns are red flags. As noted in our investigation: the wallet “appears ephemeral (created for short use)... shows two large Kraken deposits, followed by two publicized jackpot wins... bulk plays seem focused around the jackpot hit window”[13]. Such behavior is consistent with either:
- a “sniper” strategy – a user (or bot) that specifically targets jackpot conditions, possibly by exploiting knowledge of how to trigger them (if any weakness is known in RNG or game logic), or
- a privileged/assisted account – potentially controlled or aided by insiders with knowledge of when a jackpot might pay out or with the ability to influence outcomes.
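The red flags above can be turned into a repeatable screen that an auditor runs over a wallet's transfer history. The following is an added example written for this page, not tooling from the audit or from Luck.io: it scores a wallet against the four behaviours listed (large exchange funding shortly before a win, bursts of micro-transfers, draining right after the last win, no non-gambling activity). The ledgers, counterparty labels (“exchange:”, “casino:”, …) and every threshold are constructed assumptions; real chain data would need a decoding and tagging step first.

```python
from datetime import datetime, timedelta

def t(h, m):
    """Constructed timestamps, all on one day, for readability."""
    return datetime(2024, 5, 1, h, m)

# Constructed ledger shaped like the behaviour the audit describes (not real chain data).
# Counterparty labels come from an assumed off-chain tagging step.
SUSPECT_LEDGER = [
    {"ts": t(10, 0),  "dir": "in",  "cp": "exchange:kraken", "sol": 650.0,    "tag": "deposit"},
    {"ts": t(11, 30), "dir": "in",  "cp": "exchange:kraken", "sol": 620.0,    "tag": "deposit"},
    # 12 micro-transfers, one per minute (0.000005 SOL each)
    *[{"ts": t(12, m), "dir": "out", "cp": "casino:flip.gg", "sol": 0.000005, "tag": "micro"} for m in range(12)],
    {"ts": t(13, 0),  "dir": "out", "cp": "casino:luck.io",  "sol": 400.0,    "tag": "bet"},
    {"ts": t(13, 5),  "dir": "in",  "cp": "unknown:vault",   "sol": 900.0,    "tag": "jackpot"},
    {"ts": t(13, 30), "dir": "out", "cp": "casino:luck.io",  "sol": 500.0,    "tag": "bet"},
    {"ts": t(13, 40), "dir": "in",  "cp": "unknown:vault",   "sol": 1200.0,   "tag": "jackpot"},
    {"ts": t(14, 0),  "dir": "out", "cp": "wallet:A",        "sol": 230.0,    "tag": "transfer"},
    {"ts": t(14, 5),  "dir": "out", "cp": "wallet:B",        "sol": 2200.0,   "tag": "transfer"},
]

# Control: a wallet that stakes, bets modestly, wins once and keeps most of its balance.
NORMAL_LEDGER = [
    {"ts": t(9, 0),   "dir": "in",  "cp": "exchange:kraken", "sol": 20.0,  "tag": "deposit"},
    {"ts": t(9, 30),  "dir": "out", "cp": "program:stake",   "sol": 10.0,  "tag": "stake"},
    {"ts": t(13, 0),  "dir": "out", "cp": "casino:luck.io",  "sol": 2.0,   "tag": "bet"},
    {"ts": t(13, 5),  "dir": "in",  "cp": "unknown:vault",   "sol": 900.0, "tag": "jackpot"},
    {"ts": t(18, 0),  "dir": "out", "cp": "wallet:C",        "sol": 50.0,  "tag": "transfer"},
]

def wallet_red_flags(ledger, cex_min_sol=100.0, funding_window=timedelta(hours=48),
                     micro_max_sol=1e-5, micro_count=10, micro_window=timedelta(minutes=10),
                     drain_fraction=0.8):
    """Score a wallet against the audit's behavioural red flags. All thresholds are assumptions."""
    ledger = sorted(ledger, key=lambda x: x["ts"])
    jackpots = [x for x in ledger if x["tag"] == "jackpot"]
    flags = {}
    if not jackpots:
        return {"score": 0, "flags": flags}
    first_win, last_win = jackpots[0]["ts"], jackpots[-1]["ts"]

    # 1. Large centralized-exchange deposits shortly before the first win.
    cex_in = sum(x["sol"] for x in ledger if x["dir"] == "in" and x["cp"].startswith("exchange:")
                 and first_win - funding_window <= x["ts"] < first_win)
    flags["large_cex_funding_before_win"] = cex_in >= cex_min_sol

    # 2. Bursts of tiny outbound transfers (>= micro_count inside any micro_window).
    micro = [x["ts"] for x in ledger if x["dir"] == "out" and x["sol"] <= micro_max_sol]
    flags["micro_transfer_burst"] = any(
        sum(1 for u in micro if 0 <= (u - s).total_seconds() <= micro_window.total_seconds()) >= micro_count
        for s in micro)

    # 3. Wallet drained soon after the last win (outflows vs. balance at that moment).
    bal_at_win = sum(x["sol"] if x["dir"] == "in" else -x["sol"] for x in ledger if x["ts"] <= last_win)
    out_after = sum(x["sol"] for x in ledger if x["dir"] == "out" and x["ts"] > last_win)
    flags["drained_after_win"] = bal_at_win > 0 and out_after / bal_at_win >= drain_fraction

    # 4. No non-gambling activity at all (no staking, DeFi or NFT transfers).
    flags["gambling_only"] = not any(x["tag"] in {"stake", "defi", "nft"} for x in ledger)

    return {"score": sum(flags.values()), "flags": flags}

if __name__ == "__main__":
    print("suspect:", wallet_red_flags(SUSPECT_LEDGER))
    print("normal: ", wallet_red_flags(NORMAL_LEDGER))
```

A score of 4 on the constructed suspect ledger versus 0 on the control is what the screen is meant to separate; in practice each flag is a prompt for manual review rather than proof of misconduct, since a legitimate high-roller can trip the first and last flags on their own.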
Luck.io’s team advertised these jackpot wins publicly as proof of big payouts, but without further transparency, the circumstances are suspicious. A normal player hitting two jackpots by chance in short order is extraordinarily unlikely.
Statistical Improbability: We calculated the probability of this event assuming the game was fair. If the true odds of a jackpot on each play are, say, 1 in 1,000,000 (0.0001%), and the wallet made roughly 5,000 bets, the chance of hitting two jackpots in that span is astronomically low:
- Probability of exactly 2 jackpots in 5,000 tries ≈ 0.00124%[22].
- Probability of 2 or more jackpots (at least 2) ≈ 0.00125%[22].
This equates to roughly 1 in 80,000 odds of such an event[22]. In other terms, even among 80,000 players each doing 5,000 spins, you’d expect only one player to achieve two jackpots on pure luck. The observed wallet did just that, which sits “deep in the tail – an extremely rare event if the game is truly random”.
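The figures above follow from the binomial distribution with n = 5,000 plays and p = 1/1,000,000. The block below is an added worked example (not part of the audit) that reproduces them exactly, cross-checks against the Poisson approximation with rate n·p, and goes one step further than the text by asking how many plays a fair game would need before two jackpots become a coin flip. The inputs are the page's own assumed odds and bet count.

```python
import math

def jackpot_probabilities(p_jackpot: float, n_bets: int) -> dict:
    """Exact binomial probabilities of jackpot counts over n_bets independent
    plays with per-play probability p_jackpot, assuming a fair game."""
    q = 1.0 - p_jackpot

    def pmf(k: int) -> float:
        return math.comb(n_bets, k) * p_jackpot ** k * q ** (n_bets - k)

    p_exactly_2 = pmf(2)
    p_at_least_2 = 1.0 - pmf(0) - pmf(1)
    # Poisson cross-check: with rate lam = n*p, P(X >= 2) = 1 - e^-lam * (1 + lam).
    lam = n_bets * p_jackpot
    poisson_at_least_2 = 1.0 - math.exp(-lam) * (1.0 + lam)
    return {
        "exactly_2_pct": p_exactly_2 * 100,
        "at_least_2_pct": p_at_least_2 * 100,
        "odds_one_in": 1.0 / p_at_least_2,
        "poisson_at_least_2_pct": poisson_at_least_2 * 100,
    }

def expected_double_winners(p_jackpot: float, n_bets: int, n_players: int) -> float:
    """How many of n_players, each making n_bets plays, should hit 2+ jackpots by luck alone."""
    return n_players * jackpot_probabilities(p_jackpot, n_bets)["at_least_2_pct"] / 100

def bets_for_even_odds_of_two(p_jackpot: float, target: float = 0.5) -> int:
    """Plays needed before P(X >= 2) reaches `target`, by bisection on the Poisson rate
    (1 - e^-lam (1 + lam) is monotone increasing in lam)."""
    lo, hi = 0.0, 100.0
    for _ in range(100):
        mid = (lo + hi) / 2
        if 1.0 - math.exp(-mid) * (1.0 + mid) < target:
            lo = mid
        else:
            hi = mid
    return math.ceil(hi / p_jackpot)

if __name__ == "__main__":
    r = jackpot_probabilities(1e-6, 5000)
    print(f"P(exactly 2)  = {r['exactly_2_pct']:.5f}%")
    print(f"P(at least 2) = {r['at_least_2_pct']:.5f}%  (~1 in {r['odds_one_in']:,.0f})")
    print(f"Poisson check = {r['poisson_at_least_2_pct']:.5f}%")
    print("expected double winners among 80,000 players:",
          round(expected_double_winners(1e-6, 5000, 80_000), 3))
    print("plays for a 50% chance of two jackpots:", bets_for_even_odds_of_two(1e-6))
```

With the page's parameters the last line comes out at roughly 1.68 million plays, i.e. more than 300 times the 5,000 bets actually observed, which is the same point as the “1 in 80,000” figure stated another way.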
While rare events do happen, in a provably fair system one should be able to audit that each win was legitimate. However, Luck.io provides no public way to verify those jackpot outcomes. For each jackpot, an ideal system would allow anyone to see the random seed that led to the win and confirm it was generated without manipulation. In this case:
- We could not find on-chain evidence clearly linking the jackpot outcomes to specific VRF outputs or game states, because such linking information isn’t published in an accessible way (the transaction logs are not easily decoded to outcomes without the game server data).
- The payouts themselves did not come directly from an identifiable jackpot smart contract; as mentioned, “who paid the jackpot? Not visible in the transaction logs. Likely from a Vault or admin wallet”[22], indicating an opaque payout process.
- Luck.io does not publish a jackpot transparency report. There’s no dashboard or block explorer hint that “Jackpot of X paid from reserve Y on date Z,” which would help clear the doubt[18].
Given the combination of improbable luck and lack of verifiable data, we conclude that the fairness of the repeated jackpot wins cannot be confirmed. As our report states: “Without VRF pre-commitment proofs, public RNG inputs, and payout traceability, the fairness of repeated jackpot wins cannot be verified.”[23] In a trustless system, the casino would not ask us to take their word for it – every user should be able to audit such outcomes.
Recommendation: To address this, Luck.io should improve transparency around big wins. Publishing detailed jackpot logs, including the exact VRF output and oracle signatures for the win, the game state (bet parameters), and which reserve wallet paid out the prize, would allow independent parties to verify that the win was genuine and not an internal payout. Additionally, implementing preventative measures on the RNG side (as discussed, binding randomness to bets so it can’t be tampered with) would mitigate suspicion. If the event was fair, proving it via on-chain data would greatly boost user confidence.
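To make concrete what “anyone can see the seed that led to the win and confirm it” and “binding randomness to bets” mean in practice, here is an added example of the standard commit-reveal pattern used by provably fair casinos. It is illustrative code written for this page, not Luck.io's implementation, and it substitutes a SHA-256 commitment plus HMAC for the VRF and oracle signatures the report recommends: the operator publishes a hash of its secret seed before any bet, each outcome is derived from that seed, the player's seed and a per-bet nonce, and after the seed is revealed any third party can recompute every outcome and reject a log whose seed does not match the commitment or whose claimed jackpots the seed does not produce. All seeds, the client seed and the jackpot probability are constructed values.

```python
import hashlib
import hmac

# Assumed per-play jackpot probability for the demo (the same 1-in-a-million the estimate uses).
JACKPOT_PROBABILITY = 1e-6

def commit_server_seed(server_seed: bytes) -> str:
    """Commitment the operator publishes BEFORE any bet is placed: SHA-256 of the secret seed."""
    return hashlib.sha256(server_seed).hexdigest()

def roll(server_seed: bytes, client_seed: str, nonce: int) -> float:
    """Outcome in [0, 1) bound to this exact bet: HMAC-SHA256 over the client seed and bet nonce.
    The operator cannot change it without changing the seed, which breaks the commitment."""
    msg = f"{client_seed}:{nonce}".encode()
    digest = hmac.new(server_seed, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:8], "big") / 2 ** 64

def is_jackpot(r: float, p: float = JACKPOT_PROBABILITY) -> bool:
    return r < p

def verify_bet(commitment: str, revealed_seed: bytes, client_seed: str, nonce: int,
               claimed_jackpot: bool, p: float = JACKPOT_PROBABILITY) -> dict:
    """What any third party can check once the server seed is revealed."""
    commitment_ok = hmac.compare_digest(commit_server_seed(revealed_seed), commitment)
    r = roll(revealed_seed, client_seed, nonce)
    outcome_ok = is_jackpot(r, p) == claimed_jackpot
    return {"commitment_matches": commitment_ok, "roll": r,
            "outcome_matches": outcome_ok, "verified": commitment_ok and outcome_ok}

def audit_bet_log(commitment: str, revealed_seed: bytes, bets, p: float = JACKPOT_PROBABILITY):
    """Audit a list of (client_seed, nonce, claimed_jackpot) tuples; return the failing entries."""
    failures = []
    for client_seed, nonce, claimed in bets:
        res = verify_bet(commitment, revealed_seed, client_seed, nonce, claimed, p)
        if not res["verified"]:
            failures.append((client_seed, nonce, res))
    return failures

# Constructed demo values; not real seeds or bets.
SERVER_SEED = b"constructed-server-seed-0001"
COMMITMENT = commit_server_seed(SERVER_SEED)   # published before play starts
CLIENT_SEED = "constructed-client-seed"

if __name__ == "__main__":
    # An honest log: every claimed outcome is what the committed seed actually produces.
    honest = [(CLIENT_SEED, n, is_jackpot(roll(SERVER_SEED, CLIENT_SEED, n))) for n in range(1, 6)]
    print("honest log failures:", audit_bet_log(COMMITMENT, SERVER_SEED, honest))
    # A log that flips one outcome (a jackpot the seed does not produce) is caught.
    flipped = honest[:1] + [(CLIENT_SEED, 1, not honest[0][2])]
    print("flipped-entry failures:", len(audit_bet_log(COMMITMENT, SERVER_SEED, flipped)))
    # A seed revealed after the fact that does not match the commitment is rejected outright.
    print("wrong seed accepted:", verify_bet(COMMITMENT, b"some-other-seed", CLIENT_SEED, 1, False)["verified"])
```

The point of the design is that the operator is locked in by the commitment before the first bet and cannot pick a seed afterwards that produces (or hides) a jackpot, while the player-chosen seed and nonce stop the operator from precomputing which nonce wins. Publishing the commitment, the revealed seed and the bet parameters is exactly the “jackpot log” the recommendation asks for, and the payout source would be the one remaining item to publish alongside it.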