8. Security and Transparency

Smart Contract Security

Audited Implementation

The LUCK Jetton contract is built on the tact-lang/jetton reference implementation by TON Studio, the most widely used and community-reviewed Jetton standard in the TON ecosystem. The contract is written in Tact, a high-level language designed for safe smart contract development on TON.

Key Security Features:

  • Fixed Supply -- After initial minting, the closeMinting() function permanently disables new token creation at the contract level.

  • Burn Support -- Tokens can be provably burned, reducing total supply permanently.

  • Standard Compliance -- Full TEP-74 (Jetton Standard) compliance ensures compatibility with all TON wallets, DEXs, and explorers.

  • Bounce Handling -- Failed transfers automatically revert balance changes, preventing token loss.

  • Ownership Controls -- Admin functions (minting, content updates, ownership transfer) are restricted to the contract owner address.

Verifiability

All contract source code is available for public review. The minter contract address (EQACnReWc17Bd6WqAm6OOB00aZcLKhMgj8s0Yrhooz11yFZ3) can be inspected on any TON explorer to verify:

  • Current total supply

  • Minting status (open/closed)

  • Admin address

  • All historical transactions

Anti-Cheat Infrastructure

Since LUCK rewards are tied to Arena performance, maintaining competitive integrity is critical. Lucky Day employs a multi-layered anti-cheat system:

  • Server-Side Session Management -- Every game session is initiated and validated server-side. Sessions are one-time-use, time-bound, and tied to authenticated users.

  • Physics-Based Score Validation -- Each game has mathematically derived maximum performance thresholds. Scores that exceed those physical limits (e.g., a distance that could only be covered by moving faster than the game's maximum speed) are automatically flagged and rejected.

  • Cross-Metric Verification -- Game metadata (play duration, input counts, obstacle interactions) is cross-validated against the reported score. Inconsistencies trigger fraud flags.

  • Rate Limiting -- Minimum cooldowns between game sessions prevent automated replay attacks.

  • Ban System -- Players caught cheating are permanently banned from earning rewards.

Financial Transparency

  • On-Chain Treasury -- All LUCK token holdings are visible on the TON blockchain.

  • Real-Time Pricing -- LUCK/USD pricing for in-app purchases is fetched from STON.fi's API in real time, with fallback to database-stored rates, ensuring fair and current pricing.

  • Public DEX Pool -- The LUCK/TON liquidity pool on STON.fi is publicly accessible, allowing anyone to verify liquidity depth and trading history.

Operational Security

  • Telegram Authentication -- All API requests are authenticated by verifying the HMAC signature Telegram attaches to the Mini App initData, so requests that do not originate from a genuine Telegram session are rejected.

  • Server-Side Logic -- All reward calculations, balance updates, and token distributions are performed server-side. The client never determines reward amounts.

  • Wallet Uniqueness -- Each TON wallet address can only be linked to one Lucky Day account, preventing multi-account abuse.
