# Executive Summary

Luck.io, a crypto casino built on the Solana-based **Proov Protocol**, purports to be a “provably fair” and decentralized gambling platform. Our security audit finds that **while some components are on-chain (e.g. random number generation and vault-based payouts), critical aspects remain centrally controlled**, undermining full trustlessness.

Key findings include:

* **Randomness Generation (RNG)** – Luck.io uses a VRF-based oracle network (Proov) to generate random outcomes on-chain, but **all VRF oracles are team-operated**, allowing potential cherry-picking of favorable outcomes before publishing\[[36](https://dev-koold.gitbook.io/crypto/evidence#id-36-halborn-scope-omits-rng-oracles-game-logic)]\[[44](https://dev-koold.gitbook.io/crypto/evidence#id-44-explorer-shows-logs-not-pre-commit-proofs)]. A VRF proof only shows that the published output was honestly derived from a given key and input; it does not show that the oracle was bound to that input before it saw the bet. There is no on-chain commit-reveal scheme binding the randomness to the bet, so the operator could re-roll random seeds off-chain until a desired result is obtained and publish only that one\[[2](https://dev-koold.gitbook.io/crypto/evidence#id-2-same-signer-used-across-multiple-users-games)]\[[3](https://dev-koold.gitbook.io/crypto/evidence#id-3-no-public-instructions-to-run-an-oracle-node)].
* **Game Logic & Fairness** – The mapping of random outputs to game results (slot reels, card draws, etc.) is executed off-chain in Luck.io’s backend. **Game logic and payout rules are not enforced by smart contracts or publicly verifiable code, so players must trust the operator on house edge and win calculations**\[[10](https://dev-koold.gitbook.io/crypto/evidence#id-10-halborn-reliance-on-off-chain-logic)]\[11]. The platform does not publish return-to-player (RTP) or odds on-chain, and Halborn’s audit confirmed reliance on off-chain critical logic for outcomes\[[10](https://dev-koold.gitbook.io/crypto/evidence#id-10-halborn-reliance-on-off-chain-logic)]\[[13](https://dev-koold.gitbook.io/crypto/evidence#id-13-no-published-rtp-odds-per-game-on-chain)].
* **Jackpot Anomalies** – An investigation into a recent jackpot winner’s wallet uncovered red-flag behavior: a fresh wallet funded by large exchange deposits that hit two large jackpots in a short span. The odds of two jackpot wins in ~5,000 plays are **~0.00125% (~1 in 80,000)** under fair conditions\[[22](https://dev-koold.gitbook.io/crypto/evidence#id-22-probability-graph-poisson-for-2-in-5-000)], raising concerns of **potential backend manipulation or insider advantage**. The wallet showed ephemeral usage (no DeFi/NFT activity, only rapid micro-bets across casinos) consistent with a “sniper” bot or aided account\[16]\[17].
* **Smart Contracts & Admin Controls** – Luck.io employs on-chain programs (Vault and Slot) to custody funds and automate payouts, providing non-custodial player deposits and instant settlement in principle\[[12](https://dev-koold.gitbook.io/crypto/evidence#id-12-data-flow-rng-off-chain-payout)]\[[13](https://dev-koold.gitbook.io/crypto/evidence#id-13-no-published-rtp-odds-per-game-on-chain)]. However, **administrative privileges remain with the team**: the Proov contracts are upgradeable and/or pausable by a central authority (no evidence of DAO governance or multisig protection)\[[31](https://dev-koold.gitbook.io/crypto/evidence#id-31-upgrade-authority-is-team-controlled)]\[[32](https://dev-koold.gitbook.io/crypto/evidence#id-32-no-public-dao-governance-no-spl-governance-links)]. This means the operator could alter game contracts or freeze payouts unilaterally, contrary to full decentralization.
* **Payout Mechanics & Liquidity** – Routine win payouts are handled by on-chain vault logic, and Luck.io claims even large wins (e.g. $500K) are auto-paid from an on-chain “cold bankroll” reserve\[16]. In practice, **jackpot payouts were not traceable to the public bankroll contracts**, suggesting they may be settled via internal wallets off-chain\[[24](https://dev-koold.gitbook.io/crypto/evidence#id-24-vault-settlement-log-typical-small-win-auto-settled)]\[[25](https://dev-koold.gitbook.io/crypto/evidence#id-25-cold-reserve-described-marketing)]. While players can see casino wallet balances on Solana, there is **no cryptographic proof of reserves or liabilities** – balances can be moved by the team at will (albeit transparently on-chain)\[[25](https://dev-koold.gitbook.io/crypto/evidence#id-25-cold-reserve-described-marketing)]\[[26](https://dev-koold.gitbook.io/crypto/evidence#id-26-cold-reserve-is-a-wallet-not-a-contract)].
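The RNG finding above turns on one missing mechanism: a commitment to the server's randomness that is fixed before the bet is placed. The following Python is an added illustration written for this summary, not code from Luck.io, Proov or Halborn. It models the standard provably-fair commit-reveal scheme (server commits to a hashed seed, the player contributes a client seed and nonce, the outcome is an HMAC over both) and contrasts it with an uncommitted operator who can search seeds after seeing the bet. The seed search is deterministic (counter-derived seeds) so the run is reproducible; the 50% win threshold and the seed format are assumptions for the demo.

```python
"""Commit-reveal for casino RNG: why a pre-bet commitment stops seed re-rolling.

Added example for this audit summary; the real Proov/Luck.io pipeline is
off-chain and not public, so this models the scheme generically.
"""
import hashlib
import hmac
from typing import Optional, Tuple


def commit(server_seed: bytes) -> str:
    """Commitment the operator must publish BEFORE accepting the bet."""
    return hashlib.sha256(server_seed).hexdigest()


def roll(server_seed: bytes, client_seed: str, nonce: int) -> float:
    """Outcome in [0, 1): HMAC-SHA256 keyed by the server seed over the
    player's contribution. Including the nonce stops seed reuse across bets."""
    msg = f"{client_seed}:{nonce}".encode()
    digest = hmac.new(server_seed, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:8], "big") / 2**64


def verify(commitment: str, server_seed: bytes, client_seed: str,
           nonce: int, claimed_roll: float) -> bool:
    """Player-side check after the seed is revealed: the seed must match the
    published commitment AND reproduce the roll the casino settled on."""
    if not hmac.compare_digest(commit(server_seed), commitment):
        return False
    return roll(server_seed, client_seed, nonce) == claimed_roll


def _seed(counter: int) -> bytes:
    # Deterministic candidate seeds so the demo is reproducible (assumption).
    return hashlib.sha256(b"candidate-" + str(counter).encode()).digest()


def rig_without_commitment(client_seed: str, nonce: int,
                           win_threshold: float, max_tries: int = 10_000
                           ) -> Tuple[Optional[bytes], int]:
    """Operator with no pre-bet commitment: after seeing the bet, try seeds
    until the player loses (roll >= threshold), then publish that seed.
    Returns (seed, tries); seed is None only if the search budget ran out."""
    for tries in range(1, max_tries + 1):
        seed = _seed(tries)
        if roll(seed, client_seed, nonce) >= win_threshold:
            return seed, tries
    return None, max_tries


def rig_with_commitment(commitment: str, client_seed: str, nonce: int,
                        win_threshold: float, max_tries: int = 10_000
                        ) -> Optional[bytes]:
    """Same search once a commitment is already on record: a losing seed is
    only usable if it also matches the commitment, i.e. a SHA-256 preimage.
    Expected to return None for any realistic budget."""
    for tries in range(1, max_tries + 1):
        seed = _seed(tries)
        if (roll(seed, client_seed, nonce) >= win_threshold
                and commit(seed) == commitment):
            return seed
    return None


if __name__ == "__main__":
    honest_seed = b"operator-seed-rotated-daily"      # assumption
    c = commit(honest_seed)                           # published pre-bet
    player_seed, n = "player-abc", 7
    r = roll(honest_seed, player_seed, n)
    print("roll", r, "verifies:", verify(c, honest_seed, player_seed, n, r))
    rigged, tries = rig_without_commitment(player_seed, n, 0.5)
    print("uncommitted operator found losing seed after", tries, "tries")
    print("committed operator found losing seed:",
          rig_with_commitment(c, player_seed, n, 0.5) is not None)
```

The uncommitted search succeeds in a handful of tries for any win threshold the house wants, which is exactly the "re-roll until desired result" risk; with the commitment on record, the same search would need a SHA-256 preimage. This is the check an explorer entry would need to expose (the pre-bet commitment, not just the post-hoc log) for a player to verify a round independently.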
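The jackpot-anomaly figure above (two wins in ~5,000 plays at ~1 in 80,000) is a Poisson tail calculation, and a reader will want to see which per-spin jackpot probability it implies, since this summary does not state one. The following Python is an added worked example for this summary, not code or data from the evidence page; the per-play probability it reports is back-solved from the page's own figure and is labelled as such, not taken from Luck.io's published odds (none are published on-chain). It also generalises the k=2 case to "at least k wins in n plays" and cross-checks the Poisson approximation against the exact binomial.

```python
"""Poisson tail for 'at least k jackpots in n plays', and the reverse solve.

Added example for this audit summary; the only input taken from the page is
the stated 2-in-5,000 probability (~1.25e-5). The per-play probability below
is derived from that figure, not sourced from the operator.
"""
import math


def poisson_at_least(k: int, n_plays: int, p_per_play: float) -> float:
    """P(X >= k) with X ~ Poisson(lambda = n * p), the approximation the
    evidence page's graph uses for rare events over many independent plays."""
    lam = n_plays * p_per_play
    below_k = sum(math.exp(-lam) * lam**i / math.factorial(i) for i in range(k))
    return 1.0 - below_k


def binomial_at_least(k: int, n_plays: int, p_per_play: float) -> float:
    """Exact binomial tail, used to confirm the Poisson approximation."""
    below_k = sum(math.comb(n_plays, i) * p_per_play**i
                  * (1 - p_per_play)**(n_plays - i) for i in range(k))
    return 1.0 - below_k


def one_in(prob: float) -> int:
    """Express a probability as 'one in N'."""
    return round(1.0 / prob)


def implied_per_play_probability(k: int, n_plays: int,
                                 target_tail: float) -> float:
    """Back-solve the per-play probability p such that P(X >= k) == target.
    The Poisson tail is monotone increasing in lambda, so bisect on lambda."""
    lo, hi = 0.0, 50.0
    for _ in range(200):
        mid = (lo + hi) / 2
        if poisson_at_least(k, 1, mid) < target_tail:   # lambda = 1 * mid
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2 / n_plays


if __name__ == "__main__":
    page_figure = 1.25e-5                    # ~0.00125%, ~1 in 80,000 (from the page)
    p = implied_per_play_probability(2, 5000, page_figure)
    print(f"implied per-play jackpot probability: {p:.3e} (about 1 in {one_in(p):,})")
    tail = poisson_at_least(2, 5000, p)
    print(f"P(>=2 in 5000) Poisson = {tail:.3e} (1 in {one_in(tail):,}), "
          f"binomial = {binomial_at_least(2, 5000, p):.3e}")
    # Sensitivity: the anomaly claim depends entirely on the per-play odds.
    for candidate in (1e-6, 1e-5, 1e-4):
        print(f"p={candidate:.0e}: 1 in {one_in(poisson_at_least(2, 5000, candidate)):,}")
```

The back-solve shows the page's figure corresponds to a per-spin jackpot probability of roughly one in a million; if the game's true odds are one in 100,000 instead, two hits in 5,000 spins is closer to 1 in 800 and no longer anomalous. That is why the unpublished RTP/odds finding and the jackpot finding reinforce each other: without the per-game odds on record, the anomaly cannot be confirmed or dismissed.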

Overall, our assessment concludes that **Luck.io’s architecture is a hybrid of on-chain and off-chain components**. It offers better transparency than a traditional casino (on-chain RNG proofs and fund custody), but **falls short of a fully trustless system**. Critical trust points – centralized RNG oracles, closed-source game code, team-controlled wallets, and an unpublished code audit – mean users must ultimately trust Luck.io’s operators. We outline below the technical architecture, identified risks, and recommendations to strengthen the platform’s security and fairness.
