This article is a technical audit of the ICO at gamb.io: the amounts reported as raised, the behavior of the smart contract and the transactions on the blockchain. Only the technical side of the process is examined. The audit was carried out by CryptoB2B analysts and programmers on July 25, 2018. Unfortunately, there are many signs of fraud. Moreover, it was done at a very primitive level, by programmers with extremely little experience, which deserves a separate reprimand. In short, all the reported fundraising figures are a lie: at the time of writing, $1 million of "raised" funds had been conjured out of thin air, and the hardcap suddenly changed from $30 million to $15 million. Unfortunately, the company did collect $74,000 of real money on the blockchain from trusting investors. Overall result of the technical audit: 0 out of 10, extremely bad.
Something strange…
The left screenshot is from 07/25/2018 00:00; the right one was taken 10 hours later. Overnight they changed the hardcap ($30M -> $15M) and drew $1.1 million out of thin air. During those 10 hours there was only one payment transaction on the blockchain, for 2.9 ETH. Also, what used to be "Presale ends" became "bonus ends".
Draw your own conclusions…
So these 2.9 ETH are equal to 1.1 million dollars.
10 hours earlier the real amount raised was $74,000 (where that figure comes from is explained in the chapter below), while the site showed $11.5 million.
This morning the real amount is $75,646.22, and the site already shows $12.8M.
Dividing 11.5M by 74K and 12.8M by 75.6K gives a new indicator: the GAMB lie rate, ~169. That is the factor by which they overstated the amount raised. For a laugh, try sending them 0.01 ETH ($5): their displayed total will grow by +$760.
The $11.5M raised is a lie
The project claims to have raised ~30% of the hardcap, or $11.5M. This money could not be found.
The GAMB smart contract for collecting money in ETH (no other currencies were found in their personal cabinet) is located at:
- Crowdsale – https://etherscan.io/address/0x66323324b77d72c65ea76caa918464836498ebd6#readContract
- Token – https://etherscan.io/address/0xa0008f510fe9ee696e7e320c9e5cbf61e27791ee#readContract
- Beneficiary – https://etherscan.io/address/0x01e0c66def9faca90b2664378dd8aa9755b31270#readContract
To check how much money has passed through the Crowdsale contract or the beneficiary's wallet (the wallet variable in Crowdsale), open the "Read Contract" tab from the Crowdsale address, then click on wallet:
The window that opens shows the current amount raised:
As you can see, ~$74,000 has been collected, while the site says $11,500,000. Could the money have been withdrawn from this account? No; that is easy to verify by downloading all 83 transactions from investors to this address: https://etherscan.io/txsinternal?ps=100&zero=false&a=0x01e0c66def9faca90b2664378dd8aa9755b31270&valid=all
In total:
- The company GAMB conducts an ICO and declares that the funds are collected through a smart contract
- Funds are collected only in ETH (no other information could be found)
- The address of the smart contract is hidden, not published; it had to be found independently
- Publicly, in words, $11.5M has been collected
- In fact, only $74K is confirmed
Why is that? We do not know. The following scenarios are possible:
- They are swindlers deliberately deceiving investors. Judging by the modest sum of $74K, it did not work out.
- They take money not only in ETH but also, for example, in a suitcase, by bank transfer or in Bitcoin (these methods are not announced). Perhaps they raised $11.5M in a closed presale. Judging by the site, nothing of the kind is advertised: it says the funds are raised in ETH and that $11.5M has been collected, which is false.
- 0x66323324b77d72c65ea76caa918464836498ebd6 is not their smart contract, and the real one is somewhere else … We checked this version carefully; the probability of error is small. This contract has many signs of being their code: active fundraising, copying of the whitelist, the same hardcap amount, and substantial money spent on running the contract (no one would run such expensive tests).
Meaningless waste of money
This is not a vulnerability but a wasteful and foolish smart-contract architecture (caused by the KYC problems described below). All figures are as of July 24, when their raised amount was allegedly $11.5M.
https://etherscan.io/address/0xe2a0e69b0f21f1afcd5ab93ecd892fbf0f2ed2e1
This is the wallet of the GAMB programmer from which the smart contract is managed. When a new client registers in the personal cabinet and passes KYC, the programmer reports the new ETH wallet to the smart contract. Note that the investor has only registered and has not paid anything (nor should he have), yet the programmer (at GAMB's expense) has already spent money to copy this information into the blockchain. Obviously, at least ~95% of registrants will never pay, but the information is already in the Ethereum blockchain. GAMB deliberately pours garbage that nobody needs into the ledger. Remember CryptoKitties and how the Ethereum network hung? This is the same thing, only pointless.
Calculations showed that GAMB has entered about 13,000 investor crypto wallets and spent $2,079 doing so! The $2K is gas paid for the transactions that register a personal wallet in the smart contract. Investors have not yet paid, but the founders have already spent money. Of course, next to a supposedly collected $11.5M this is insignificant, but GAMB is an extremely bad example of extravagance: all of this can be done differently, for free, without generating garbage transactions.
You can double-check the calculations by exporting the data for this address:
https://etherscan.io/exportData?type=address&a=0xe2a0e69b0f21f1afcd5ab93ecd892fbf0f2ed2e1
Since they have allegedly raised about 30% of the hardcap, over the whole ICO they will spend ~$6000 (rough estimate) on such parasitic operations alone. For that money one could order a proper smart contract from CryptoB2B that does not require throwing money into the air.
Summing up the previous chapter: GAMB raised $74,000, lost $2,000 to technical costs (gas), the site registered about 13,000 potential investors, but only 83 people actually paid.
Openness of the personal cabinet for selling tokens
This chapter is not about vulnerabilities, but it shows a certain ignorance on the part of the project's founders. Consider it advice to everyone else: do not do as GAMB did if you want to increase your fundraising. GAMB has collected a respectable amount, but that is no reason for everyone else to do the same.
When you enter the ICO personal cabinet site, you immediately hit a registration form, and you cannot go any further without registering. This reduces conversion among potential customers. Tip: do not do this. Show the client as much information as possible. Lure them in first by showing a cool, professionally made personal cabinet for selling tokens, and only at the very last step, payment, ask for anything. A potential customer may simply want to walk around the cabinet to get information that was not on the landing pages, or to assess the quality and availability of the cabinet. After all, everyone has heard about scams, and an expensive, professional product would demonstrate the ICO's solidity. But the registration form does not let the client anywhere.
Too stringent KYC procedures
This chapter, like the one above, is advice rather than a vulnerability. Do not do it the way GAMB did.
After registration the client cannot pay until the KYC procedure has been passed. Why do they do this? Obviously, the lawyers said so. We have run a lot of ICOs (more than 350 in 2 years) and we know this well. But lawyers go too far. If the customer has cleared the first, simple barrier (registration) and immediately runs into a second one (KYC), you kill the person's desire to give you money. It is difficult to guess how much conversion drops and how wealthy those lost customers are. Probably, if a person went as far as registering but did not pass KYC, he was not completely sure whether to pay (otherwise he would have gone through KYC). It is also likely that such a person is not a large payer (certainly not a fund or a large investor). It is very difficult to estimate (the ICO is still on), but suppose 1000 people were lost with a modest 5 ETH each: that is $2.5M of uncollected funds.
The point is that lawyers should not pressure the founder and complicate the raising of money; on the contrary, lawyers and accountants should serve the founder (in reality, the founder of the project "serves" the lawyers). If you are absolutely sure this method is correct, that is your right; ignore this chapter.
So the obvious advice is: first let the user pay (without KYC) and immediately give him frozen tokens. Answering the criticism right away:
- In our practice, about 50% of users fill in all the documents about themselves the first time, i.e. those who want to pass KYC pass it before paying. Among the KYC documents the percentage of fakes, where flowers are uploaded instead of a passport, is very low (2-5%).
- Of the other half, 50% become your users by clicking "SKIP" during KYC.
- From the start of the ICO to the end of the last round, if you have 2 rounds, usually takes 4-7 months. After the ICO you also quietly take a break of 1-2 months (announced in advance) for all kinds of KYC checks. In total you have a whole year, at minimum, to work on those who shy away from KYC.
- If someone maliciously avoids KYC, within a month after the ICO you simply roll back the deal, returning the user's money and never unfreezing the tokens. All this time the tokens were frozen in the client's wallet; he could see them there but could not do anything with them. The tokens can also be taken away (burned). If you do not burn them, they remain frozen forever on the balance of your smart contract; if you burn them when returning the money, they physically disappear.
- There are no legal contradictions. Frozen tokens are not tokens. A token is an asset that can be disposed of; a frozen token is not an asset, because the investor can do nothing with it. From a legal point of view you can call it a preliminary application. After all, nobody forbids sending out messages, stamps or simply a confirmation that you received their money.
- From a moral point of view, the token is visible to the user in his personal wallet, which encourages him to finally pass KYC.
If readers follow GAMB's path, by the end of the ICO they will find themselves in a situation that is ideal from a legal point of view, except that there is no money. Of course, we do not call for breaking the law. To this end, the Crypto B2B ICO platform offers five different KYC scenarios, from the strictest (in the spirit of GAMB) to the most optimal golden mean between two goals: not breaking the law and not reducing fundraising conversion.
Hardcap – trickery
Although a hardcap is present in the smart contract, it can be circumvented, deceiving the investor:
The owner can extend the ICO for as long as desired until the hardcap is reached, or until the contract is finalized.
    function delayIcoEnd(uint256 newDate) public onlyOwner {
        require(newDate != 0);
        require(newDate > now);
        require(!hasEnded());
        require(newDate > endTime);
        endTime = newDate;
    }
Extend the ICO endlessly, until the required amount of tokens is sold.
The hardcap is defined both in the sale contract and in the token contract, so only a limited number of tokens can be issued. Of course, in our ICO platform everything is fair: absolutely every point described in this article is done differently and respects the rights of investors.
Softcap – a lie, a deception
No softcap is defined in the smart contract; there is no code on the subject. All investments go immediately to the beneficiary's wallet. The site says softcap = $5M and implies that if this amount is not collected, the smart contract will let investors withdraw their money. In fact it does not: the money is already in the company's account.
It is unclear why they chose only $5M for their fictitious softcap. After all, they claim to have raised more than $11.5M! They could have declared a softcap of $11,499,499 to be sure of clearing it.
Raised-ETH counter – lies, fraud
The smart contract has a standard variable that counts how much money (ETH) has been collected. But the GAMB founders set it directly, to that very $11.5M. This variable should change only through real contributions, not arbitrarily.
The founders gave themselves no fewer than 2 mechanisms to change this number.
First, during initialization of the smart contract, in its constructor:
    constructor(
        uint256 _startTime,
        uint256 _endTime,
        uint256 _icoHardCapWei,
        uint256 _referralPercentage,
        uint256 _rate,
        address _wallet,
        uint256 _privateWeiRaised,
        uint256 _individualCap,
        address _utilityAccount,
        uint256 _tokenCap,
        uint256[] _vestingData
    )
the following data was passed:
-----Decoded View---------------
Found 15 constructor arguments :
Arg [0] : 000000000000000000000000000000000000000000000000000000005b3ce0f0
Arg [1] : 000000000000000000000000000000000000000000000000000000005b607970
Arg [2] : 000000000000000000000000000000000000000000000e7289f37328e8c80000
Arg [3] : 0000000000000000000000000000000000000000000000000000000000000005
Arg [4] : 0000000000000000000000000000000000000000000000000000000000001388
Arg [5] : 00000000000000000000000001e0c66def9faca90b2664378dd8aa9755b31270
Arg [6] : 00000000000000000000000000000000000000000000052bcf94094b7f100000
Arg [7] : 000000000000000000000000000000000000000000000000016345785d8a0000
Arg [8] : 000000000000000000000000e2a0e69b0f21f1afcd5ab93ecd892fbf0f2ed2e1
Arg [9] : 00000000000000000000000000000000000000001027e72f1f12813088000000
Arg [10] : 0000000000000000000000000000000000000000000000000000000000000160
Arg [11] : 0000000000000000000000000000000000000000000000000000000000000003
Arg [12] : 0000000000000000000000000000000000000000021ed657c8e0d427f8400000
Arg [13] : 0000000000000000000000000000000000000000000000000000000003b53800
Arg [14] : 000000000000000000000000000000000000000000000000000000000003f480
0x52bcf94094b7f100000 / 10^18 * 450 = $10,989,000 (the very $11.5M; the difference is the exchange rate)
The number 0x52bcf94094b7f100000 (Arg [6] above, highlighted in red) can be found at https://etherscan.io/address/0x66323324b77d72c65ea76caa918464836498ebd6#code at the very bottom.
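As an added example (not the article's or the project's code), here is a small Python decoder for the constructor words above: it maps each word to its parameter, follows the offset of the dynamic uint256[] array, and repeats the USD check at the $450/ETH rate the article assumes.

```python
# Added example (not code from the article or the GAMB project): a minimal
# ABI decoder for the constructor arguments listed above, plus the USD
# check the article makes at its assumed rate of $450 per ETH.
WEI = 10 ** 18

# The 15 words as printed in Etherscan's "Decoded View" above (page data).
ARG_WORDS = [
    "000000000000000000000000000000000000000000000000000000005b3ce0f0",
    "000000000000000000000000000000000000000000000000000000005b607970",
    "000000000000000000000000000000000000000000000e7289f37328e8c80000",
    "0000000000000000000000000000000000000000000000000000000000000005",
    "0000000000000000000000000000000000000000000000000000000000001388",
    "00000000000000000000000001e0c66def9faca90b2664378dd8aa9755b31270",
    "00000000000000000000000000000000000000000000052bcf94094b7f100000",
    "000000000000000000000000000000000000000000000000016345785d8a0000",
    "000000000000000000000000e2a0e69b0f21f1afcd5ab93ecd892fbf0f2ed2e1",
    "00000000000000000000000000000000000000001027e72f1f12813088000000",
    "0000000000000000000000000000000000000000000000000000000000000160",
    "0000000000000000000000000000000000000000000000000000000000000003",
    "0000000000000000000000000000000000000000021ed657c8e0d427f8400000",
    "0000000000000000000000000000000000000000000000000000000003b53800",
    "000000000000000000000000000000000000000000000000000000000003f480",
]

# Constructor parameters in declaration order (from the signature above).
PARAMS = [
    ("_startTime", "uint256"), ("_endTime", "uint256"),
    ("_icoHardCapWei", "uint256"), ("_referralPercentage", "uint256"),
    ("_rate", "uint256"), ("_wallet", "address"),
    ("_privateWeiRaised", "uint256"), ("_individualCap", "uint256"),
    ("_utilityAccount", "address"), ("_tokenCap", "uint256"),
    ("_vestingData", "uint256[]"),
]


def decode_constructor_args(words, params):
    """Decode ABI-encoded constructor words into a name -> value dict.

    Static parameters take one 32-byte word each. A dynamic uint256[] puts a
    byte offset in its slot; at that offset sits the length word, followed
    by the elements. Addresses are the low 20 bytes of their word.
    """
    vals = [int(w, 16) for w in words]
    out = {}
    for i, (name, typ) in enumerate(params):
        if typ == "uint256":
            out[name] = vals[i]
        elif typ == "address":
            out[name] = "0x%040x" % vals[i]
        elif typ == "uint256[]":
            start = vals[i] // 32          # offset is given in bytes
            length = vals[start]
            out[name] = [vals[start + 1 + k] for k in range(length)]
        else:
            raise ValueError("unsupported type: " + typ)
    return out


def seeded_raise_usd(args, eth_usd=450):
    """USD value of _privateWeiRaised, the amount the counter started at."""
    return args["_privateWeiRaised"] * eth_usd // WEI
```

The seeded value decodes to 24,420 ETH, the hardcap to 68,226 ETH and the per-investor minimum to 0.1 ETH; the start and end times are Unix timestamps.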
Now the second mechanism. Before the start of the round, the founder could change this number at will (without any control), thanks to the following code:
    function increaseWeiRaised(uint256 amount) public onlyOwner {
        require(now < startTime);
        require(amount > 0);
        require(weiRaised.add(amount) <= hardCap);
        weiRaised = weiRaised.add(amount);
    }
    function decreaseWeiRaised(uint256 amount) public onlyOwner {
        require(now < startTime);
        require(amount > 0);
        require(weiRaised > 0);
        require(weiRaised >= amount);
        weiRaised = weiRaised.sub(amount);
    }
Incidentally, note that this is 12 lines of code to change 1 variable; this is bloat and weak code. 4 lines in a single function would suffice. A lot of code is justified when the code actually does something; here it does not restrict the founder in any way, apart from the date check.
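An added example, not code from the article or the project, that turns the audit's check into a reconciliation: it splits a published weiRaised value into the constructor seed, the contributions visible in the beneficiary's transaction export, and the residual that only the owner-only functions above could have produced. The transaction list and the counter values are constructed for illustration.

```python
# Added example, not code from the article or the project. It splits the
# contract's published weiRaised counter into the parts the text names:
# the constructor seed (_privateWeiRaised), contributions visible on chain
# (the beneficiary's internal-transaction export), and a residual that can
# only come from increaseWeiRaised/decreaseWeiRaised. The transaction list
# and the counter values are constructed for illustration.
WEI = 10 ** 18
BENEFICIARY = "0x01e0c66def9faca90b2664378dd8aa9755b31270"   # from the audit

# Constructed stand-in for an Etherscan export: two payers (one pays twice)
# and one outbound transfer, which must not be counted as a contribution.
SAMPLE_TXS = [
    {"from": "0xinvestor_a", "to": BENEFICIARY, "value": 29 * WEI // 10},
    {"from": "0xinvestor_b", "to": BENEFICIARY, "value": 10 * WEI},
    {"from": "0xinvestor_a", "to": BENEFICIARY, "value": 5 * WEI},
    {"from": BENEFICIARY, "to": "0xsome_exchange", "value": 3 * WEI},
]


def on_chain_contributions(txs, beneficiary):
    """Wei that actually reached the beneficiary, and the number of payers."""
    inbound = [t for t in txs if t["to"].lower() == beneficiary.lower()]
    return sum(t["value"] for t in inbound), len({t["from"] for t in inbound})


def decompose_wei_raised(wei_raised, seeded_wei, txs, beneficiary):
    """Attribute the published counter to its sources.

    residual > 0 means the owner raised the counter without money arriving
    (the pre-start increaseWeiRaised path); residual < 0 means it was
    lowered (decreaseWeiRaised) or contributions were not counted.
    """
    real, payers = on_chain_contributions(txs, beneficiary)
    residual = wei_raised - seeded_wei - real
    return {
        "on_chain_wei": real,
        "payers": payers,
        "seeded_wei": seeded_wei,
        "owner_adjusted_wei": residual,
        "verified_share": real / wei_raised if wei_raised else 0.0,
        "inflation": wei_raised / real if real else float("inf"),
    }
```

With these constructed figures (seed 24,420 ETH, a 100 ETH owner bump, 17.9 ETH really paid) the verified share of the counter is well under 1%.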
Bonus accrual – violation of investors' rights
The founder has a method for SELECTIVELY crediting tokens to his investors. When a separate entry is processed, the investor receives tokens at the base price according to the size of the investment, plus bonus tokens in an amount explicitly specified by the founder.
For example, one investor can be given a smaller bonus. And if the founder buys his own tokens, the bonus for such a "buyer" can be made larger. In theory, thanks to the bonus, the founder can pick up all the unsold tokens for free.
Miscellaneous
The project site has no links to GitHub or another repository where one could study the project code in order to audit the fundraising contract and the token contract.
In fact, the demand to publish code on GitHub is rather silly and archaic. The point is that the code must be shown, but better on Etherscan than on GitHub: Etherscan confirms that the published code corresponds to the bytecode in the blockchain. GitHub obviously confirms nothing; one can publish 2 different versions, and because of natural human laziness nobody will check and compile the code, which opens the door to fraud (honest code on GitHub, something else in the blockchain). We mentioned GitHub only because the code was deliberately hidden, not because we advocate GitHub. On the contrary: once again, GitHub is NOT the place to publicly open a smart contract's source for the purpose of an audit. It is a very convenient project for other kinds of code, for example for your own development of blockchain projects.
The site also hides the fundraising address from users who have not passed KYC, which is rather strange. Requiring an investor to hand over personal data without telling him how the funds are raised is not logical if there is nothing to hide.
White paper analysis
Given the glaring issues with the collection of money, no White Paper analysis was conducted. It makes no sense to spend Crypto B2B programmers' time searching for the technical substance of the project. Perhaps it will be done later. For now we will assume that, as far as the idea goes, the project is magnificent, and we wish it success.
Who advertises GAMB
On July 25th this fraudulent ICO is still listed on ICOdrops.com. Why are they doing this?
Way out
First, the founders need to prove the existence of the $11.5M, and to announce that these are other millions, not the ones going through the public smart contract.
Second, the entire ICO platform must be replaced. All these drawbacks are absent from the CryptoB2B ICO platform, which, unfortunately for them, would not allow the founder to manipulate the raised amount or otherwise infringe upon the interests of investors. Judging by the fact that since the opening of the public ICO the company has collected only $74,000, GAMB will probably not collect much more, so it is probably too late to change the platform given the obvious failure of the public sale. Whether the 11 million exist or not is not for us to decide. However, we emphasize that all the vulnerabilities can be eliminated if the fundraising system is written by experienced developers.
Technical rating of the GAMB project
Description of the main technical idea? Not rated: +0.
[-10 = no, 0 = neutral, +5 = present]
Were obvious technical lies (fraud) discovered? Found. -5.
[-10 = found, 0 = not evaluated, +3 = positive]
Do the main functions of the project have anything to do with the blockchain? Not rated, +0.
[-10 = do not, 0 = do, +10 = ecosystem]
Adequacy of the token sale, protection of investors' interests? Terrible (negative), -10.
[-10 = violations, 0 = not evaluated, +5 = honest ICO]
Quality of the code, errors in the smart contract? Low quality (negative). -2.
[-10 = errors found, 0 = not evaluated and/or no errors, +5 = good quality]
The team's openness to the audit and answers to uncomfortable questions? Hiding (negative), -5.
[-10 = hostility, 0 = not conducted, +2 = open to cooperation]
Interim assessment by the formula: -5-10-2-5 = -22 points. Values below zero or above 10 are clamped to the range [0 … 10]. Total: "-22" is rounded to "0".
Evaluation grades:
-50 … -21 = extremely bad
-20 … -10 = very bad
-9 … +0 = bad
+1 … +3 = so-so
+4 … +9 = positive
+10 … +20 = excellent
+21 or more = excellent
The final CryptoB2B technical rating for the sum of the indicators: 0 out of 10, extremely bad.