Introduction

An internal security review of the Muse Markets Horse Race Betting contracts was done by 0xanmol, with a focus on the security aspects of the application's smart contract implementation.

Disclaimer

A smart contract security review can never verify the complete absence of vulnerabilities. This is a time, resource, and expertise-bound effort in which I try to find as many vulnerabilities as possible. I cannot guarantee 100% security after the review, or even that the review will find any problems with your smart contracts. Subsequent security reviews, bug bounty programs, and on-chain monitoring are strongly recommended.

About 0xanmol

Anmol Pokhrel, or 0xanmol, is an independent smart contract security researcher. Having a deep interest in Web3 security, he does his best to contribute to the blockchain ecosystem and its protocols by putting time and effort into security research and reviews.

Twitter

Github

About Muse Market Horse Race Betting

Muse Market Horse Race is a decentralized horse race betting platform built on Base Mainnet (an Ethereum L2) that uses Chainlink's Verifiable Random Function (VRF) for provably fair race outcomes. The smart contract operates in 60-block rounds (30 blocks for betting, 30 blocks for settlement) and allows users to bet on eight horses with varying odds, from 250:1 (0.39% chance) to 3:1 (32.75% chance). The system includes safety features such as a maximum win limit per horse, bet size restrictions, and an emergency pause function. The contract automatically handles payouts based on the VRF-determined race outcome, ensuring transparency and fairness in the betting process.
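The following is an added example written for this write-up, not code from the Muse contracts, that models the round structure and odds described above so the numbers can be checked. It assumes a block time of roughly 2 seconds on Base and 12 seconds on Ethereum L1, and it assumes that an "N:1" horse pays the winner N times the stake (stake included); neither convention is stated on the page, so the payout figures are indicative only.

```python
"""Model of a 60-block betting round (30 betting, 30 settlement) and of
the implied margin on the quoted odds. Illustrative code for this review,
not the Muse Markets contract. Block times and the payout convention are
assumptions, not values taken from the project."""
from dataclasses import dataclass

ROUND_BLOCKS = 60      # one full round, as described above
BETTING_BLOCKS = 30    # first half of the round accepts bets
# Assumed approximate block times in seconds (not from the page).
BLOCK_TIME_S = {"base": 2, "ethereum-l1": 12}


@dataclass(frozen=True)
class Phase:
    name: str          # "betting" or "settlement"
    blocks_left: int   # blocks until this phase ends
    seconds_left: int  # same window in wall-clock seconds for the chain


def phase_at(block_number: int, round_start: int, chain: str) -> Phase:
    """Return the phase of the round containing block_number.

    Rounds are assumed to follow each other back to back from round_start,
    so the offset into the current round is taken modulo ROUND_BLOCKS."""
    if block_number < round_start:
        raise ValueError("block precedes the first round")
    offset = (block_number - round_start) % ROUND_BLOCKS
    if offset < BETTING_BLOCKS:
        name, left = "betting", BETTING_BLOCKS - offset
    else:
        name, left = "settlement", ROUND_BLOCKS - offset
    return Phase(name, left, left * BLOCK_TIME_S[chain])


def betting_window_seconds(chain: str) -> int:
    """Wall-clock length of the betting phase on a given chain."""
    return BETTING_BLOCKS * BLOCK_TIME_S[chain]


def implied_probability(odds: int) -> float:
    """Fair win probability for an N:1 horse, i.e. 1 / (N + 1)."""
    return 1 / (odds + 1)


def expected_return(odds: int, stated_probability: float) -> float:
    """Expected payout per unit staked, assuming an N:1 horse pays N x stake."""
    return odds * stated_probability


# The two horses whose odds and win chances the description quotes.
HORSES = {"longshot": (250, 0.0039), "favourite": (3, 0.3275)}


def house_margins() -> dict:
    """Map each quoted horse to 1 - expected return (positive = house edge)."""
    return {name: round(1 - expected_return(o, p), 4) for name, (o, p) in HORSES.items()}


if __name__ == "__main__":
    for chain in BLOCK_TIME_S:
        print(f"{chain}: betting window is {betting_window_seconds(chain)} s")
    print(phase_at(159, 100, "base"))
    print(house_margins())
```

Running the block shows that the same 30-block window is about one minute on Base but six minutes on L1, and that under the payout assumption both quoted horses return slightly under one unit per unit staked.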

Security Assessment Summary

Repo: https://github.com/inedibleX/muse-contracts

Commit Hash: 1b76820cce8a554b8b80932010f03f13bbf38c0d

Scope

Findings Summary

| ID | Title | Severity | Status |
|---|---|---|---|
| [M-01] | 60 blocks provide an insufficient time window on the Base L2 | Medium | - |
| [M-02] | The ownerWithdraw function can be used to steal user funds and break the race | Medium | - |
| [M-03] | maxWinPotential can be higher than the contract balance, causing the withdrawal to revert | Medium | - |
| [M-04] | Chainlink VRF can return 0 as a random number, causing incorrect winner selection and unintended 1x withdrawals | Medium | - |
| [L-01] | Initial betting time can be less than 30 blocks | Low | - |
| [L-02] | Race immediately starts when the contract is deployed without checking the available funds | Low | - |
| [L-03] | Hardcoded requestConfirmations value causes deployment failures on chains with higher minimum confirmation requirements | Low | - |
| [L-04] | Late settlement prevents currentWinPotential reset despite a valid Chainlink response | Low | - |

[M-01] 60 blocks provide an insufficient time window on the Base L2.