Golden Grid · Smart Contract Security Assessment

Golden Grid Smart Contract Audit

Zealynx audited the Golden Grid smart contract implementation, a decentralized pixel-based lottery protocol with Chainlink VRF randomness, mathematical pixel-to-bitmap conversions, and a multi-shareholder reward distribution system. Over a 2-week engagement, the team identified 10 issues including 1 Critical (VRF callback deadlock), 3 High (shareholder accounting corruption and biased randomness), 1 Medium, 4 Low and 1 Informational. All Critical, High, Medium and Low findings were fixed; the Informational was acknowledged.

Apechain · Solidity · Smart Contract Code Review · 2025-11-17 · Zealynx methodology
Total findings: 10 (9 fixed · 1 acknowledged)
Critical: 1
High: 3
Medium: 1
Low + Info: 5
02 Scope

Size: 3 files · 770 SLOC
Initial commit: dae05f0a1746
Platform: Apechain · Solidity
Files in scope:
  • PixelLotteryAPE.sol
  • DPLTeam.sol
  • PixelToBitmapAPELib.sol
03 Findings
04 Key Findings

  • VRF callback failure deadlock. The protocol has no recovery mechanism for a failed VRF callback, so isPending stays set permanently. Chainlink does not retry a fulfillRandomWords callback that reverts; a single reverting callback therefore makes every future draw impossible and permanently locks user funds.
  • Biased lottery distribution. In transformRandomToPixel both the accept and the reject branch reduce the random word with the same modulo operation, so the rejection-sampling check never changes the outcome and the modulo bias it was meant to remove remains. Pixel numbers 0-57,895 have ~0.059% higher winning probability, compromising lottery fairness.
  • Systematic accounting corruption in totalUnclaimedProceeds. The counter is increased only by newly received rewards but decreased by a shareholder's full liability on withdrawal, so it drifts away from the real outstanding balance; the drift enables over-allocation and prevents legitimate withdrawals.
  • Fund loss during zero-shareholder periods. When totalShares = 0, incoming funds are marked "accounted for" without being credited to anyone, causing approximately 50% permanent loss and unfair allocation when shareholders are re-added.
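The following contract is an added illustration of the first two findings; it is example code written for this page, not the audited PixelLotteryAPE.sol and not Zealynx's fix. It keeps the VRF callback to a single store, moves winner selection into its own transaction, adds a timeout so a request the coordinator never answers can be cleared (going one step beyond the finding, which covers only reverting callbacks), and implements the rejection sampling that transformRandomToPixel was meant to perform next to the defective both-branches-modulo pattern. IVRFCoordinatorLike, REQUEST_TIMEOUT, the totalPixels constructor argument and all function names are assumptions for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical, reduced coordinator interface for this example; the real
// Chainlink VRF coordinator takes more parameters (key hash, subscription id,
// confirmations, callback gas limit).
interface IVRFCoordinatorLike {
    function requestRandomWords(uint32 numWords) external returns (uint256 requestId);
}

// Example lottery core, not the audited PixelLotteryAPE.sol.
contract PixelLotteryExample {
    uint256 public immutable totalPixels;              // assumed grid size, e.g. 1_000_000
    address public immutable coordinator;
    uint256 public constant REQUEST_TIMEOUT = 1 days;  // assumed; tune per chain

    bool public isPending;        // a VRF request is outstanding
    bool public randomReady;      // a word was delivered but not yet settled
    uint256 public pendingRequestId;
    uint256 public pendingSince;
    uint256 public storedRandomWord;
    uint256 public lastWinningPixel;

    event DrawRequested(uint256 indexed requestId);
    event RandomnessStored(uint256 indexed requestId, uint256 randomWord);
    event StaleRequestCancelled(uint256 indexed requestId);
    event DrawSettled(uint256 winningPixel);

    constructor(address _coordinator, uint256 _totalPixels) {
        require(_coordinator != address(0) && _totalPixels > 0, "bad config");
        coordinator = _coordinator;
        totalPixels = _totalPixels;
    }

    function requestDraw() external {
        require(!isPending && !randomReady, "draw in progress");
        isPending = true;
        pendingSince = block.timestamp;
        pendingRequestId = IVRFCoordinatorLike(coordinator).requestRandomWords(1);
        emit DrawRequested(pendingRequestId);
    }

    // Chainlink does not call a reverting fulfillRandomWords a second time, so
    // past the caller check this function must never revert: unknown or stale
    // request ids are ignored, and nothing but storing the word happens here.
    function fulfillRandomWords(uint256 requestId, uint256[] calldata randomWords) external {
        require(msg.sender == coordinator, "only coordinator");
        if (!isPending || requestId != pendingRequestId || randomWords.length == 0) return;
        storedRandomWord = randomWords[0];
        randomReady = true;
        isPending = false;
        emit RandomnessStored(requestId, randomWords[0]);
    }

    // Recovery path for a request the coordinator never fulfils (underfunded
    // subscription, callback gas limit too low, ...): once stale, anyone can
    // clear the lock. A late delivery for the cancelled id is ignored above.
    function cancelStaleRequest() external {
        require(isPending, "nothing pending");
        require(block.timestamp >= pendingSince + REQUEST_TIMEOUT, "not stale yet");
        uint256 requestId = pendingRequestId;
        isPending = false;
        pendingRequestId = 0;
        emit StaleRequestCancelled(requestId);
    }

    // Winner selection runs in its own transaction, so a revert here (failing
    // payout, out-of-gas bitmap update) cannot strand randomness delivery.
    function settleDraw() external {
        require(randomReady, "no randomness stored");
        randomReady = false;
        lastWinningPixel = transformRandomToPixel(storedRandomWord, totalPixels);
        emit DrawSettled(lastWinningPixel);  // payout to the pixel owner would follow
    }

    // Unbiased reduction of a 256-bit word onto [0, bound) by rejection
    // sampling: limit is the largest multiple of bound not exceeding 2^256 - 1;
    // words at or above it are re-derived instead of reduced, so every residue
    // is reachable from exactly the same number of inputs.
    function transformRandomToPixel(uint256 random, uint256 bound) public pure returns (uint256) {
        require(bound > 0, "bound must be positive");
        uint256 limit = type(uint256).max - (type(uint256).max % bound);
        while (random >= limit) {
            random = uint256(keccak256(abi.encodePacked(random)));
        }
        return random % bound;
    }

    // The defect pattern the finding describes: both branches apply the same
    // modulo, so the rejection check never changes the result.
    function transformRandomToPixelBiased(uint256 random, uint256 bound) public pure returns (uint256) {
        uint256 limit = type(uint256).max - (type(uint256).max % bound);
        if (random >= limit) {
            return random % bound;  // should re-sample, not reduce
        }
        return random % bound;
    }
}
```

Reducing a uniform 256-bit word modulo any realistic pixel count leaves a bias far below anything measurable, so a bias as large as the one reported only arises when the value being reduced has already been narrowed to a much smaller range; in that case limit must be computed from that range's maximum rather than from type(uint256).max. Deploy against a mock coordinator in Foundry or Hardhat and drive the three paths: fulfil normally, fulfil with a stale id after cancelStaleRequest, and never fulfil then warp past REQUEST_TIMEOUT.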
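As an added illustration of the two accounting findings (example code for this page, not the audited DPLTeam.sol and not the project's fix), the distributor below uses an accumulated-reward-per-share counter so that totalUnclaimedProceeds rises by exactly what is credited to shareholders and falls by exactly what each withdrawal pays out, and parks proceeds that arrive while totalShares == 0 in an undistributed pool instead of marking them as accounted for. The owner role, the choice to release parked funds at the next distribution, and all names are assumptions for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Example shareholder distributor, not the audited DPLTeam.sol.
contract ShareholderDistributorExample {
    uint256 private constant PRECISION = 1e18;

    address public immutable owner;             // assumed admin role for share changes
    uint256 public totalShares;
    mapping(address => uint256) public shares;

    uint256 public rewardPerShareStored;        // cumulative reward per share, scaled by PRECISION
    mapping(address => uint256) private rewardPerSharePaid;
    mapping(address => uint256) private owed;   // settled but not yet withdrawn

    uint256 public totalUnclaimedProceeds;      // credited to shareholders, not yet withdrawn
    uint256 public undistributed;               // received while totalShares == 0

    event ProceedsReceived(uint256 amount, uint256 distributed, uint256 parked);
    event Withdrawn(address indexed holder, uint256 amount);

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    constructor() { owner = msg.sender; }

    receive() external payable { _receiveProceeds(msg.value); }

    function _receiveProceeds(uint256 amount) internal {
        if (totalShares == 0) {
            // Nobody to credit: park the funds rather than declaring them accounted for.
            undistributed += amount;
            emit ProceedsReceived(amount, 0, amount);
            return;
        }
        uint256 toDistribute = amount + undistributed;  // release anything parked earlier
        undistributed = 0;
        rewardPerShareStored += toDistribute * PRECISION / totalShares;
        totalUnclaimedProceeds += toDistribute;         // liability grows by exactly what was credited
        emit ProceedsReceived(amount, toDistribute, 0);
    }

    // Settle the holder before their share count changes, so proceeds stay with
    // whoever held shares when they arrived; a newly added holder starts with a
    // paid checkpoint at the current counter and inherits nothing from the past.
    function setShares(address holder, uint256 newShares) external onlyOwner {
        _settle(holder);
        totalShares = totalShares - shares[holder] + newShares;
        shares[holder] = newShares;
    }

    function _settle(address holder) internal {
        uint256 delta = rewardPerShareStored - rewardPerSharePaid[holder];
        if (delta != 0 && shares[holder] != 0) {
            owed[holder] += shares[holder] * delta / PRECISION;
        }
        rewardPerSharePaid[holder] = rewardPerShareStored;
    }

    function claimable(address holder) public view returns (uint256) {
        uint256 delta = rewardPerShareStored - rewardPerSharePaid[holder];
        return owed[holder] + shares[holder] * delta / PRECISION;
    }

    function withdraw() external {
        _settle(msg.sender);
        uint256 amount = owed[msg.sender];
        require(amount != 0, "nothing to withdraw");
        owed[msg.sender] = 0;
        totalUnclaimedProceeds -= amount;               // subtract only what actually leaves
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
        emit Withdrawn(msg.sender, amount);
    }

    // Solvency invariant for tests and monitoring: the contract must always hold
    // at least what it owes plus what it has parked. Flooring in _receiveProceeds
    // only ever leaves dust in the contract's favour, never a shortfall.
    function isSolvent() external view returns (bool) {
        return address(this).balance >= totalUnclaimedProceeds + undistributed;
    }
}
```

A useful fuzz property for either the audited code or this example is that isSolvent() holds after any interleaving of setShares, incoming transfers and withdraw calls, including sequences that drive totalShares to zero and back; the original counter fails it because its increments and decrements measure different quantities.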
05 Team & approval

Lead Auditor: Carlos (Bloqarl) · @TheBlockChainer
06 Disclaimer

This audit is not an endorsement and does not constitute investment advice. Zealynx reviewed the codebase at the commits listed in section 02 over the engagement window. Findings are limited to issues identified within that scope and do not preclude the existence of other vulnerabilities. Subsequent code changes are not covered by this report unless the engagement is explicitly extended.

Download PDF (26p)
ZEALYNX SECURITY · published 2025-11-17
10 findings · Solidity


© 2026 Zealynx