A 10 minute check turns up a couple major issues. First, the random function relies only on the following numbers:
- A custom integer used as a random factor, hardcoded into the contract.
- The prior block's hash.
- The length of the list of eligible donkeys.

This random number is used to choose which of the donkeys is paid out. Ethereum blocks come about every 45 seconds; therefore, there is plenty of time for an attacker to calculate whether they would be the paid-out donkey and only trigger the contract with a payment if they are the recipient.
This qualifies as a severe bug to my mind. It is not mitigated by the contract's popularity -- more people playing increases the chances of being lucky -- but when the contract is not used often, there is a guaranteed way to prod it and get paid out.
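As an added illustration (constructed for this review, not the reviewed contract's source), here is the pattern described above next to a two-phase variant in Solidity 0.8; the seed value, function names and the two-phase flow are assumptions, not anything from the original contract:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed example for this review, not the reviewed contract's code.
// SEED, the function names and the two-phase flow are assumptions.
contract PredictablePayout {
    uint256 private constant SEED = 12345; // "random factor" is readable on-chain
    address[] public donkeys;

    constructor(address[] memory d) { donkeys = d; }

    // VULNERABLE: all three inputs are public before the transaction is
    // sent, so the winner can be computed off-chain and a payment sent
    // only when the result favours the sender (the behaviour described above).
    function pickWinner() public view returns (address) {
        require(donkeys.length > 0, "no donkeys");
        uint256 r = uint256(keccak256(abi.encodePacked(
            SEED, blockhash(block.number - 1), donkeys.length)));
        return donkeys[r % donkeys.length];
    }
}

contract TwoPhasePayout {
    struct Pending { address payer; uint256 amount; uint256 blockNumber; }
    address[] public donkeys;
    Pending public pending;

    constructor(address[] memory d) { donkeys = d; }

    // Phase 1: pay in. The deciding block has not been mined yet, so the
    // payer cannot know the outcome when choosing whether to send.
    function enter() external payable {
        require(pending.payer == address(0), "draw pending");
        require(donkeys.length > 0, "no donkeys");
        pending = Pending(msg.sender, msg.value, block.number);
    }

    // Phase 2: anyone settles once the deciding block exists.
    function settle() external {
        Pending memory p = pending;
        require(p.payer != address(0), "nothing pending");
        require(block.number > p.blockNumber + 1, "deciding block not mined");
        // blockhash() returns zero for blocks older than the last 256;
        // refuse rather than draw from a zero entropy input.
        bytes32 h = blockhash(p.blockNumber + 1);
        require(h != bytes32(0), "deciding block expired; refund instead");
        uint256 r = uint256(keccak256(abi.encodePacked(h, p.payer, p.amount)));
        address winner = donkeys[r % donkeys.length];
        delete pending;                       // clear state before the transfer
        payable(winner).transfer(p.amount);
    }
}
```

The two-phase version removes the "compute first, pay only if winning" option but not every weakness: the producer of the deciding block can still influence its hash, and an expired draw needs a refund path that is omitted here for brevity.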