Published on May 10, 2026

How to Verify a Crypto Lottery Is Fair: 7 Checks Before You Play

Crypto lotteries promise something a traditional lottery cannot: math you can audit yourself. The whole pitch is that you do not have to trust a private operator. You can read the code, watch the prize pool grow, and verify the draw on a public blockchain. The catch is that most players never run any of those checks. They land on a slick site, see "provably fair" in the marketing copy, and assume the rest works.

It does not always work. In 2025, rug-pull scams cost crypto users an estimated $1.8 billion across the broader market, and gambling-flavored projects were a heavy share of that. Knowing how to verify a crypto lottery is fair is the difference between playing a transparent on-chain jackpot and funding someone's exit. This guide walks through seven concrete checks you can run before you mint a ticket. None of them require coding skill. All you need is a block explorer like BscScan or Etherscan, a few documentation links, and roughly ten minutes per platform.

How we picked these checks

The seven checks below were filtered against three sources: post-mortems on real crypto-gambling rug pulls, the public checklists used by smart-contract audit firms like CertiK, Trail of Bits, and PeckShield, and the academic literature on on-chain randomness. We also tested every check on platforms we already knew were legitimate to make sure the bar was achievable, not theoretical.

One disclosure up front. We work for Bitpotz, an on-chain NFT jackpot platform. Bitpotz appears once in this post as a worked example, in a clearly labeled section near the end. The seven checks themselves are platform-agnostic. They will work just as well on a competitor.

How to verify a crypto lottery is fair: the 7 checks at a glance

  • The smart contract address is public, posted on the official site, and shows verified source code on the block explorer.
  • The randomness source is named, documented, and ideally a battle-tested oracle like Chainlink VRF.
  • An audit report exists, was performed by a recognized firm, and matches the deployed contract.
  • The prize pool wallet is visible on chain and its balance grows in line with ticket sales.
  • There are no hidden admin functions that let the team drain the pool or pause payouts.
  • The team has a track record, the communication channels are alive, and any project token has its liquidity locked for a meaningful period.
  • The platform is offered in your jurisdiction, with a clear position on KYC, age limits, and applicable rules like MiCA in the EU.

1. Confirm the smart contract address is public and verified

Every legitimate on-chain jackpot publishes its contract addresses somewhere public. That might be a dedicated page, the whitepaper, the FAQ, or a footer link. If the platform refuses to surface its contracts, treat that as a stop sign. There is no way to verify anything else if you cannot find the contract.

Once you have the address, paste it into BscScan for BNB Chain or Etherscan for Ethereum. Look for the green checkmark labeled "Contract Source Code Verified". A verified contract means the source code published to the explorer matches the bytecode that actually runs on chain. Without verification, the platform is asking you to trust a black box.

Click through to the "Read Contract" tab. Anyone can call the read functions for free. You do not need a wallet to query state such as total tickets minted, prize pool balance, or current round. If those numbers line up with what the front end shows, that is the first piece of evidence the platform is being honest.

2. Check the randomness source

This is the single most important check on a crypto lottery. The whole game rests on how the winning ticket is selected. There are three categories of randomness, and they are not equal.

The strongest option is a verifiable random function, or VRF. Chainlink VRF is the most widely used. As of November 2024 it runs version 2.5 on Arbitrum, Avalanche, BNB Chain, Ethereum, and Polygon mainnets. Chainlink reports that VRF has fulfilled more than 20 million randomness requests across thousands of contracts. The mechanism combines a private oracle key with on-chain block data to produce both a number and a cryptographic proof, and the proof is verified on chain before the contract can use the result. Even a compromised oracle node cannot bias the output. It can only refuse to respond, and that refusal is itself visible to anyone watching the contract.

A second category is randomness beacons like drand, run by the League of Entropy. Drand uses threshold cryptography across roughly a dozen independent nodes to publish a fresh random number every 30 seconds. No single node can predict or influence the output.

The third category is custom on-chain RNG built from block hashes, timestamps, or commit-reveal schemes like RANDAO. These can be made fair, but they are easier to get wrong. Last-mover attacks (where the final participant decides whether to reveal based on the outcome they would prefer), miner manipulation on lower-validator-count chains, and predictable seeds have all caused real losses in production. If a platform brags about a clever in-house RNG with no audit and no oracle, slow down.

Look for a sentence in the platform documentation that says, in plain language, where the randomness comes from. If the answer is vague, that is your answer.

3. Read the audit report

An audit is not a rubber stamp. It is a written report by a security firm that reviewed the source code and listed every issue they found, fixed or unfixed. The recognized names in 2026 include CertiK, Trail of Bits, PeckShield, OpenZeppelin, ConsenSys Diligence, and Hacken. There are smaller reputable firms too, but if you have never heard of the auditor, search their public report archive before assuming the badge means anything.

What to actually check inside an audit report:

  • The contract address listed in the report matches the deployed contract you are about to play on.
  • The commit hash or version reviewed is recent and not an older version that no longer matches what is live.
  • Any "high" or "critical" findings have a remediation note explaining how they were fixed, or a written acknowledgment from the team if they were left in.
  • The audit was performed within the last 12 to 18 months. Older audits do not cover newer code.

An audit logo on a website with no clickable PDF behind it is marketing decoration, not security.

4. Watch the prize pool on chain

One of the genuine advantages of an on-chain lottery is that you can see the prize pool grow in real time. The platform should publish the prize pool wallet address, or the contract that holds the prize, and you should be able to see the balance climb as tickets are minted.

Open the wallet on the block explorer. Compare the displayed balance to the prize pool number on the platform's homepage. If an HourPot or DayPot is showing one figure on the front end and a meaningfully different figure on chain, that is a red flag worth questioning before you mint.

Most platforms also publish past payout transactions. Click through one. The transaction should be a single payment from the prize pool wallet to the winning ticket holder, with the full prize amount visible. Multiple intermediate hops, partial payouts to unidentified wallets, or "hold" periods that never resolve are problems.

5. Look for admin functions and backdoors

This check is harder for non-developers, but a basic version is doable. On the verified contract page, scroll the "Read Contract" and "Write Contract" tabs and look for function names like owner, setOwner, pause, unpause, withdraw, drain, migrateFunds, or setRecipient. Most contracts will have some admin functions for legitimate reasons, like rotating an oracle key. The question is what those functions can actually do.

Specifically, look for any function that lets a single address transfer the prize pool out to an arbitrary destination without a draw being completed. If the contract has one, and the owner is a single externally owned wallet, the platform is one signature away from an exit. Multi-signature owners, time-locked admin actions, or fully renounced ownership are all stronger.

If you cannot make sense of the function list yourself, paste the contract source into a free analyzer or ask a developer friend to skim it. You do not need to read Solidity to spot a function called emergencyWithdraw.
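For readers who do have a developer friend on hand, the name scan described above can be run over the ABI JSON that a block explorer shows for a verified contract. This is an added example, not code from Bitpotz or any platform; the sample ABI, the watchlist fragments, and the function name flag_admin_functions are constructed for illustration.

```python
import json

# Name fragments drawn from the function names listed above.
WATCHLIST = ("owner", "pause", "withdraw", "drain", "migrate", "recipient")

# Constructed ABI for a hypothetical lottery contract, not a real deployment.
SAMPLE_ABI = json.loads("""[
 {"type":"function","name":"owner","stateMutability":"view","inputs":[]},
 {"type":"function","name":"prizePool","stateMutability":"view","inputs":[]},
 {"type":"function","name":"buyTicket","stateMutability":"payable","inputs":[]},
 {"type":"function","name":"setOwner","stateMutability":"nonpayable",
  "inputs":[{"name":"newOwner","type":"address"}]},
 {"type":"function","name":"pause","stateMutability":"nonpayable","inputs":[]},
 {"type":"function","name":"emergencyWithdraw","stateMutability":"nonpayable",
  "inputs":[{"name":"to","type":"address"},{"name":"amount","type":"uint256"}]},
 {"type":"event","name":"WinnerPaid","inputs":[]}
]""")


def flag_admin_functions(abi):
    """Return (name, note) for state-changing functions whose name hits the watchlist."""
    findings = []
    for entry in abi:
        if entry.get("type") != "function":
            continue  # skip events, errors, constructor
        if entry.get("stateMutability") in ("view", "pure"):
            continue  # read-only calls cannot move funds or change ownership
        name = entry.get("name", "")
        if not any(fragment in name.lower() for fragment in WATCHLIST):
            continue
        takes_address = any(
            arg.get("type", "").startswith("address") for arg in entry.get("inputs", [])
        )
        note = ("takes an address argument: read the source to see who may call it"
                if takes_address else "state change with no address argument")
        findings.append((name, note))
    return findings


if __name__ == "__main__":
    for name, note in flag_admin_functions(SAMPLE_ABI):
        print(f"{name}: {note}")
```

A hit is a prompt to read that function's access control in the verified source, not a verdict; a harmless name can hide the same capability, so a clean scan does not replace the audit check.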

6. Check the team, comms, and liquidity

The on-chain pieces matter most, but the human signals around them still count. Industry trackers consistently flag anonymous-team rug pulls as the largest category of losses, and almost every one leaves social-media warnings before the funds disappear.

What good looks like:

  • The team is named, with public profiles you can verify on LinkedIn or a related project.
  • Communication channels (X, Telegram, Reddit, Discord) are live, with replies from the team and not just hype-bait posts.
  • If the project has a token, the liquidity is locked for at least 6 to 12 months on a recognized locker like UNCX or PinkLock. Locks under 30 days are a warning. No lock at all is a stop sign.
  • Roadmap promises are dated and tracked. Quiet failures are a sign the team has lost interest before the player did.

None of these by themselves prove a project is legit. Their absence is what should worry you.

7. Match the platform to your jurisdiction

Crypto lotteries are not legal everywhere, and even where they are legal the rules vary. If you are in the European Union, the Markets in Crypto-Assets regulation, MiCA, sets a hard deadline of July 1, 2026 for crypto-asset service providers operating in the EU to be authorized. Crypto-gambling platforms also intersect with national gambling laws, which sit outside MiCA. In the United States, online lottery and gambling rules are state-level and very different in, say, New York compared to New Jersey. In the United Kingdom, the Gambling Commission regulates remote gambling and has explicit guidance on crypto.

What to look for: a clear "regional availability" or "restricted jurisdictions" statement on the platform's terms page, an age verification step (or a public policy stating the minimum age), and a sensible position on KYC and AML where the jurisdiction requires it. Platforms that claim no rules apply to them anywhere are not a contrarian win for the user. They are an unmanaged risk for the user.

How Bitpotz approaches each of these checks

Bitpotz is a multi-chain on-chain jackpot platform. BNB Chain is the active deployment today, with additional chains on the public roadmap at /roadmap. The architecture is EVM-native, so the same set of contracts can ship to any compatible chain when each currency goes live.

For the seven checks above, here is how the platform is set up. Contract addresses are published on /potz for the $POTZ utility token and surfaced on the relevant pot pages for each jackpot. Prize pool wallets are visible on BscScan, and historical winners are listed at /winners with the payout transactions linked through. NFT tickets are ERC-721, and the owner of the ticket NFT receives the prize, which means tickets remain verifiable property even if they change hands before a draw. Tickets are also "never wasted": a ticket that does not win its current round remains eligible for Lucky Ticket draws and the GrandPot indefinitely, which is a property you can verify on chain by watching ticket eligibility across rounds.

For the live numbers that move (ticket price, the $POTZ threshold for VIP, current prize pool sizes), trust the figures shown on bitpotz.com over any number quoted in this article. Those values are deliberately CMS-driven and can change without notice, which is why this guide is built around verifiable on-chain mechanics rather than today's specific dollar figures.

FAQ

What does "provably fair" actually mean for a crypto lottery?

Provably fair means the result of a draw can be cryptographically verified after the fact, not just trusted because the platform said so. In a strong implementation, the platform either uses a verifiable random function like Chainlink VRF, where every output ships with an on-chain proof, or a commit-reveal scheme where the platform locks in a hashed seed before the round and reveals the original seed afterward. Either way, you should be able to re-derive the result yourself with no help from the operator. If the only "proof" is the platform's word, the lottery is not provably fair in any technical sense.
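The re-derivation described above, for the commit-reveal case (also the scheme named under check 2), as an added example that is not code from Bitpotz or any platform. It assumes the commitment is the SHA-256 of the seed and that the winner is derived from seed, round number, and ticket count; a real platform documents its own hash and derivation, and those are what you would substitute.

```python
import hashlib
import hmac


def commitment_for(seed: bytes) -> str:
    """Commitment published before the round (assumed here: SHA-256 of the seed)."""
    return hashlib.sha256(seed).hexdigest()


def derive_winner(seed: bytes, round_id: int, ticket_count: int) -> int:
    """Map the revealed seed to a ticket index in [0, ticket_count) without modulo bias."""
    if ticket_count <= 0:
        raise ValueError("no tickets in round")
    space = 1 << 256
    limit = space - (space % ticket_count)  # largest multiple of ticket_count
    counter = 0
    while True:
        material = seed + round_id.to_bytes(8, "big") + counter.to_bytes(4, "big")
        value = int.from_bytes(hashlib.sha256(material).digest(), "big")
        if value < limit:  # reject the tail that would favour low indices
            return value % ticket_count
        counter += 1


def verify_draw(commitment_hex, revealed_seed, round_id, ticket_count, announced_winner):
    """Return 'ok' or the reason the published draw fails to re-derive."""
    recomputed = commitment_for(revealed_seed)
    if not hmac.compare_digest(recomputed, commitment_hex.strip().lower()):
        return "revealed seed does not match the pre-round commitment"
    expected = derive_winner(revealed_seed, round_id, ticket_count)
    if expected != announced_winner:
        return f"announced ticket {announced_winner} != derived ticket {expected}"
    return "ok"


if __name__ == "__main__":
    seed = b"constructed-seed-for-round-42"   # constructed sample values
    commitment = commitment_for(seed)         # what the operator would post up front
    winner = derive_winner(seed, 42, 1000)
    print(verify_draw(commitment, seed, 42, 1000, winner))
    print(verify_draw(commitment, b"swapped-seed", 42, 1000, winner))
```

The check only carries weight if the commitment was recorded somewhere the operator cannot edit, such as an on-chain transaction, before the round's tickets were sold.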

Can a smart contract lottery still be hacked?

Yes. A smart contract is software, and software has bugs. The reason audits matter is precisely that smart contracts are public and immutable once deployed. A bug in a centralized lottery is fixable overnight by the operator. A bug in a deployed contract usually requires a migration, an emergency pause, or a redeployment to a new address. The strongest projects audit before launch, monitor on chain, and design upgrade paths that are themselves transparent.

Is Chainlink VRF the only safe randomness source?

It is the most widely adopted and the easiest to verify, but it is not the only one. Drand, used through the League of Entropy, is a strong alternative based on threshold cryptography. Custom commit-reveal schemes can be safe if implemented carefully and audited. The honest version of the answer is that any RNG that survives a serious audit and publishes a verifiable proof is acceptable. Anything that asks you to trust the operator's word for randomness is not.

Do I need to know Solidity to check these things?

No. Six of the seven checks above are doable by anyone who can read a webpage and click through to a block explorer. The only one that benefits from technical reading is admin functions, and even there, the function names are usually descriptive enough that an English reader can flag the obvious red flags. If you want to go deeper, pasting the contract source into a free analyzer or asking a developer friend to skim it is a reasonable next step.

What is the single biggest red flag in a crypto lottery?

The contract address is not published anywhere on the official site, or the published address is not verified on the block explorer. Every other check builds on the contract being readable. If you cannot find or verify the contract, you are playing a centralized lottery with a crypto skin, not a transparent on-chain jackpot.

Final thoughts

The first time you run these checks on a platform, it takes about ten minutes. The second time, three. After a few rounds, you stop trusting "provably fair" as a phrase and start treating it as a claim to verify. That habit is most of what separates players who get burned from players who do not. If this is your first walk-through, our beginner tutorial at /blog/how-to-buy-a-crypto-lottery-ticket covers the actual mint flow once a platform passes these checks, and our explainer at /blog/what-is-a-crypto-lottery goes deeper on the underlying mechanics. The full Bitpotz FAQ lives at /faq.