Bitcoin Forum

https://bitcoinbetgames.com/img/logo.png (https://bitcoinbetgames.com/)

After months of hard work, we are very happy to introduce BitcoinBetGames.com (https://bitcoinbetgames.com/)

BitcoinBetGames (https://bitcoinbetgames.com/) advantage is:
1. Instant play, no need to register                                      
2. No need to personal informations                                      
3. Unique game Quincunx (Bitcoin community know it mostly from luckybit)
4. Smooth gameplay, easy and enjoyable                                    
5. Real time CHAT                                    
6. Real time RESULTS                                
7. Player rankings
8. Provably Fair
9. Play both games at once
10. Free bitcoins to everyone (100 renewable satoshi) to try our games

Video Poker
https://bitcoinbetgames.com/img/forumpoker.png

Quincunx
https://bitcoinbetgames.com/img/forumquin.png


We will monitor this topic on daily basis to resolve any problems. You can report them here or through page contact form.
There are plans for more games, so if you have some game in mind please share, maybe it will be our next focus.

First 50 users providing their username will receive additional 400 satoshi on top of basic 100 satoshi

To do list:
+ automated betting
+ achievements
+ form to quickly verify games
+ expanded ranking
+ auto detection of user time zone
+ add your idea here

Requirements:
+ browser with HTML5 support
+ you can have problem to display page on Windows XP, old android OS and old mobile browsers (This requirement is only temporary)

Try it yourself! (https://bitcoinbetgames.com/)

17.06.2015
+ rework of our provably fair system is now complete
+ upgraded real time chat

Few comments after try the quincunx several times.

1. I bet on the red table with max payout x990, as listed under the name "Quincunx" the max bet is 0.05btc but what I see the max winning under the "bet" tab is only 0.00019980. Hope this is only visual bug..
http://prntscr.com/7c79cv
2. After several bets,now I cant place bet. Getting notification "minimum bet is 10satoshi" but in fact I try to bet more than 10 satoshi.

3. Regarding to the faucet, how many times a user can claim the faucet?

Thanks.

Thanks for your post
Ad. 1
Max win tab is not updating properly, it should update after every bet value change but its only updating after you make bet and then reresh page
Easy to fix, will be fixed in next hours
Ad 2.
We will try to reproduce this behaviour and fix it as soon as possible
Ad 3.
There is no limit :)

Are you serious there is no limit on the faucet? So a user can claim anytime when his balance is under 10satoshi, I think it can be abused easily.
Player bet on red table just from the faucet till he hit x990...then withdraw it..is it good for you?Is it a kind of promotions? :)

WiseHammer is my nickname on there :)

This is fixed now, if you have page loaded, ctrl + F5 (refresh) to see change.

There is no problem since its hard to hit 999. Someone would need to write special software (bot) to spam bets + refill FREE BTC, spam bets + refill FREE BTC, spam bets + refill FREE BTC etc.
We are monitoring our systems to prevent such spam. Its ok for now, if we will see too much abuse of this, we will consider change :). Maybe place refill captcha (but bot software can also handle that).
We will see.

Hello :), just added 400 satoshi to your account

Review of the secondary game: When I click the first time the coin falls. after the game, if I bet again it doesn't works. Tried on Firefox and Chrome :/
I don't want to hard refresh after every bet.

Thanks for post
There is some message when you bet again (clicking bet button)? Or button is disabled (you clicking but nothing happens)?
You do something while coin is falling? Im trying to reproduce this, but without success yet.

Suggestion for the video poker game : its better to change your card, I mean the color of the number should be the same color with the image. Just make it  like real cards, and wont make some players confuse..

https://i.imgur.com/xAHhLX6.png

We missed it, thank you! Fixed :)

We are aware of 'out of sync' and bug that require you to refresh page to continue play. Its most important thing to fix now.
If you encounter it, and you know how to reproduce it, it will help.

the movement of coins fall seems to be abit slow & the Bet & Start sometimes dun work (no respond) need to keep refresh page .

Thank you for your post
Yup we noticed on not new hardware it work too slow.
We will work on quincunx speed optimizations and second problem also.

thats odd my pc is really old but it works normally for me maybe it was just a browser problem he had there, well its just my guess

Fixed security design flaw in Quincunx (thx to you hacker, even if you not reported this :P)
Fixed bet adjusting in Quincunx could lead to disabled button (inability to play)

Thanks for this, could help

Well once again a new site comes along and screws you.

First, I cannot withdraw. Some weird "error aasssssdgggg124" pops up at the top of the screen. (I'm not joking, it literally looked like the programmer slammed on the asdf keys a lot)

Now, I log back in to try again, and my balance is zeroed out.

No response in chat or to my email.

My recommendation: Don't play here if you think you might win. When you go up, your balance is zeroed out.

Theives.

Dont you think that its to early to say like that? perhaps they still have some bugs that affect to your withdrawal.
Anyway, did you make a deposit to this site? How much your lost?
Lets wait for OP explanation regarding this issue.

Affected my withdrawal, sure, but also then later zeroed out my balance?

I'm guessing that because I won, they had a "hack" and the "hacker" was caught, and his balance zeroed out. Isn't that conveinent for them.


If you're referring to me as a "hacker" because I won, and using some security flaw bullshit excuse to zero out my winnings, you're just as big a worthless pile of trash as the rest of the theives that take off with players deposits.

I had 134 wins and 96 losses. Yes, I obviously "hacked" you.

I wonder how many more "bugs" they find when other people win.

@rollinbones i know you are zxvxzv ;) which used design flaw of quincunx which provided server seed and player seed so you could predict result before bettting.
If it was loosing bet, you changed client seed and checked again, if it was good bet you went through with it.
You are impudent/insolent not sure which word is better here, to come here and claim we own you something.
You didn't report this (then we would owe you bug bounty) and used it to your advantage, so we resetted your balance to 0. Thank you for security audit.
You deposited nothing, you gained nothing.
We salted Server seed now for quincunx, and will publish it after X days, similiar to luckybit.

End of story "hacker".

Well since I've been busy today busting provably fair nonsense, I figured I'd check out the new guys on the block.

Your "provably fair" system is a laughable JOKE. None of it makes any sense. Let's list the absolute absurdity:

1: The server seed you show after a bet does NOT hash out to the hash you say it is before you bet

2: In fact, the hash you say it IS isn't even a hash of anything. You're showing a 40 character hash. Which is sha-1. But you claim sha256. But then even when I try hashing it with sha1, it's not right. So it's all completely fabricated.

3: My client seed? I'm not allowed to use it. It's randomly turned into a not-SHA1 40 character hash that I cannot reproduce.

4: Your verification method for the coin dropping game makes no sense whatsoever. You're concat'ing the server and client seeds, but you're not even using my client seed.

5: Oh, let's look at the poker one, this one is the best. It deserves it's own subsection:

5a: It also uses the not-SHA1 hashing "algorithm".
5b: You show the "initial" deck but it's cut off with ellipses. So the entire initial deck is unknown.
5c: On one page you say the deck is shuffled via: seed the twister with ServerSeed.ClientSeed (see #4 above, also NOT using my client seed), and then FisherYates the mystery deck mentioned in 5b above.
5d: EVEN BETTER - On the verification page, the page mentioned in 5c references, the ENTIRE PROCESS is COMPLETELY different! You say the state of the initial deck is hashed via sha256 (but it's not, again, it's mystery-SHA1) and presented. And it uses a Server Seed as 'extra security'.
5d.1: You then claim it's twister'ed by the player seed. Again, the player seed that is not my player seed, mystery hashed. And is in direct contradiction to how you claim it's seeded in 5c.
5d.2: Now it's FisherYates shuffled, and the initial deck is:
5d.2 subsection A) NOT even REMOTELY close to what you claim it is in 5b above AND...
5d.2 subsection B) Shown what it is, even though just 2 steps above on the SAME page you claim (via inference, because it's protected by a hash) it's ALREADY been shuffled.
5e: And lastly, you claim after the game you reveal the deck, the initDeck, and the server seed, of which 2/3rds of that is a blatant lie!

I've never seen such a horribly poor setup before.

This is one of two things:
A scammer who is too stupid to pull it off

or

An honest site admin who's head is screwed on so backwards he cannot even decide on which verification system he wants to use, NEITHER OF WHICH, by the way, ACTUALLY hash out to the results of the game! I played a few, and for the life of me, and believe me, I've become an expert in verification of betting sites after the 999dice bullshit, could not get a single hand to verify to EITHER of the two systems claimed.

My recommendation: Avoid it like the plague.

rollinbones: If he did zero out your balance, I'm firmly in the "scammer" camp and I'm sorry you got taken before I had a chance to post this and warn you and others away.

Future gambling site admins: Just stop. Please. Stop. You cannot claim provably fair, then not be. And for the love of all that is holy, make up your mind before you choose to rip people off!

Way to lay that hammer down! lol

Ive seen you busting around in forum today. Good job!

Hahahahahaha. hahaha ok you're funny!

"If it was a loosing bet, you changed client seed and checked again, if it was good bet I went through with it"

If it's a losing bet I HAVE to change the client seed anyway! You change it on me every roll! It's how your game works!!!

I lost almost as many rolls as I won! How can that be 'changing it to win again'?! And 70% of my rolls I did wiuthout ever changing the seed at all you asshole. The times I did change it I lost just as many as I won!

If you were honest you'd show more than 20 bets in the 'all bets' so people could see my loss after loss after loss, that you claim never happened! Liar and a theif.

These are my last bets on the site. Every single one i changed the seed for. Yes, very clear that i just kept winning and winning. liar. theif.

https://i.imgur.com/HK58fzw.png

@keepinquiet please calm down, there is nothing to be nervous about

We are not using SHA1 anywhere on site. We are using only SHA256.
Quincunx
We salted server seed of quincunx and will show it after X days to validate all previous bets. (hacker above used this to gain advantage, so its quick fix which could lead you to wrong assumptions)
Same systems is used on luckybit.
You can't validate quincunx currently, you will be able after couple days. Nothing to hide here.

Poker
About poker, initial deck is just wrapped to not exceed set amount of pixels. You can read it from left to right and again from left to right.
Simple as that, if it causing trouble we will change initial deck to one full line.

We know its not described good, but it works. You just need to ask first, we will tell you how and where.
We agree that it need polishing to be understandable easier. Its 1-st day of website.

So to sum this up, we will explain you how to verify games, it will be easier and faster on PM.
We hope you will cooperate and corrent your harsh opinion.

update:
just put @rollinbones on ignore list, since there is nothing more to tell here, he abused our design flawed quincunx and we reacted to this. Couple users made withdraws with starting 100 satoshis, but they won it without hacking.
@keepinquiet we are eager to contact you and explain our provably fair system, please respond to our PM

Over all looks good and another interesting site which is simple to use.There are many things to be fixed as I read above so I am just going to have an eye on this site as soon as have feed back from other respected members about deposit/withdraw and miner bugs.This site is very new so we need to indicate if we find something wrong or error.

Which, by the way, IF it actually worked the way you say it does, everyone could figure out every roll before they make it, because as it is written, you're providing all of that information before the roll is even made. Luckily for you, you're the only one in possession of this mystery-SHA1, so you're safe. So even in your bullshit, you're failing.

Please, scammers, can we try harder next time? Although I do admit, I get a bit of a righteous indignation when I find and bust this crap. So, in a way, go for it. I'll expose it.

i just checked that newly launched gambling site i would like to play Quincunx with 5 different payout lines it is  more similar to very famous unique site, as i think there is something wrong with the provably fair system and it need to get fixed if admin want to make succeed his business, at the moment i am unable to put bet there and that is out of order.

Thank you for admiting the truth. As i wrote before, we made terrible design flaw which we fixed quicky by adding constant salt to server seed. Thats why you currently can't verify quincunx bet, because you don't know the salt, which we will reveal soon (its quick fix to this hacker above, we must add this informations to verification page)

We are waiting to response on PM we send you, so we could explain how our provably system work so you can verify all your previous and current bets.

update: added to quincunx verificaton page informations about serverSeed salt and that it will be revealed each Sunday

BULLSHIT

Sha256 does not result in a 40 character hash. But please, tell me I'm wrong. Obviously.


HAHAHAHAHHAHAHAHAHAHHAHAHAHAHHAHAHAHA.

Oh. My. God.

Please, pick me up off the floor.

"We are provably fair. Trust us. You can validate it "in a few days". In the meantime, bet all you want, you can trust us. Oh, and by the way, ignore all the contradictory 'this is how you verify' on the website, because in a forum thread we posted the real method. Which, you know, you can use in "a few days"".


Oh, ok, left to right. Got it. You know, because 'left to right and right to left' clears it all up and it's absolutely verifiable.

Again, nevermind that pesky contradicting information which I VERY CLEARLY pointed out and you VERY OBVIOUSLY decided to not address.

And of course, it's all verified with 40 character SHA256 hashes. I dont know why I havent been using them myself, they save so much space.


A) It does NOT work

B) NO ONE should have to ask on an unrelated forum.

C) You do not fix GLARING problems with the CORE of your system "later" after you launch and people lose money.

and D) I will under no circumstances have a private discussion with you. You are either moronic scammers trying to talk your way out of it, or vastly underqualified amateur site operators who are going to lose a LOT of people's money.

I am completely unsurprised by your ignoring of rollingbones. You make a claim there was a hack, which, if it would by some MIRACLE work like you said (because, again, your hashes are not hashes and could not possibly ever actually validate), you'd have no proof whatsoever, other than "oh shit we're losing money!" that anyone used it against you.

Based on the screenshot above, yes, it's quite clear that he was abusing the shit out of it. Very obviously changing the seed so that he never lost and just kept winning.

I'm still leaning on scammer bullshit. No legitimate site operator would need or want to discuss something this important over PMs and leave everyone else reading this to wonder. No, sorry, I won't be entertaining those PMs.

Rollingbones, send me a PM. I'd like to know exactly what happened.

OMFG! You quote me where it "agrees" with you, but cut off the part where I say it'd actually be impossible because your hashes don't actually hash out and I've yet to make ANY bet actually verify on your site?? And way to go with the excuse why I cannot verify. Let me guess, you'll let us know "in a few days"? News flash, jackass, I was unable to verify a bet hours ago when I started looking into your crap. In part because YOU ARE USING IMAGINARY HASHES. It's a 40 character "sha1" but the numbers don't hash out with sha1!

Even with the BS with 999dice I was not this completely blown away with the smell of bullcrap. I'm done. I'm not reading this thread any longer.

Anyone who bets at your site deserves to lose every satoshi. If they can't see though the bullshit, they don't deserve the bitcoin.

Edit: I just noticed as I was scrolling up to PM rollingbones... you're revealing the salt each SUNDAY?!

Hey, everyone, go bet at this site, it's probably not a scam, and you'll be able to validate all of that in only 5 days!

Jesus fucking christ. I'm out.

Im suspecting you don't want to explain anything here, since you don't respond to our PM.

Of course not, read carefully Quincunx verification page:
hash = substr(sha256(playerSeed.serverSeed),0,40);

You laugh same way on luckyb.it? They are doing same thing. Revealing salt after X period of time.

Noone deposited even 1 satoshi

You are making contradiction to yourself, if it would hash we made design flaw. It was like this until my post BEFORE yours stating that we discover crictical security flaw which fix included salting server seed, no wonder it won't hash anymore if you don't know server seed.

Well im questioning your intentions here then, you don't want detailed explaination how to verify hand? So you will not listen to us and keep bad PR coming. Not cool.


update:
We are reworking our provably fair system to be easy to understand.
We admit we didn't put enough effort to make it as good and easy as it should be.

Looks like a nice site and nice to see another site offering Plinko. However the current version doesn't let me drop more than 2 coins in subsequent clicks. Would be nice to have it fast . Will test the provably fair and other parts of the site tonight.

It allows me to drop 10 plinkos at a time. But yeah it appears to be slow. I see lot of bugs on site right now.

For some reason I also couldn't bet after I got a straight in Video poker. It just froze and didn't allow me to bet or do anything on the page.
Then it just went down on refresh(which possibly could be something you guys are working on) .


Yeah just realized that. For some reason didn't allow more than 2 for me . But now can drop 10 in a row .

We are searching independent and willing person to verify our reworked Quincunx provably fair system.
PM me for details, thanks (https://bitcointalk.org/index.php?action=pm;sa=send;u=503204)

We are aware of the quincunx speed issue in some cases and will address it asap.

It could relate to our reworks, but could also be "unresponsive bet button syndrome". We are working on it also. First priority is to finish rework of provably fair system now.

This looks like a cool site, I will keep an eye to see if the bugs are fixed and the provably fair is fixed.  If so I might give it a try.  I like your free satoshi so I can try it for free.  I hope no one abuses this and forces you to take it off of the site.

Its actually pretty cool. Had fun playing it for a while. However there are a few bugs right now. But its nice to see a site that's not another dice site.

I agree.  It's always good to get a fresh view in this realm of gaming, entertainment, math, security, and... oh yeah, gambling!  The more the merrier, in my opinion.  Dice clones just gets old after a while I guess.  It's good to have a variety of game that appeal to different genres and age groups.

how would we verify its a fair system?

is it based on a secret seed we can see later?

So in Quincunx you will know secret key of all today bets after midnight (server time).
You can browse all Quincunx bets currently by (while on page), putting in address bar this:
This number 1227020 is bet number, which you can modify. Our reworked provably fair system starts from this ID and you can verify after midnight of given day all bets from that day.

Thank you, we worked really hard for months on this so great to hear some positive feedback :)

One person is withdrawing 3rd time now from free 100 satoshi. One withdraw is  0.012 BTC. So we will not take it off site, but add captcha and minimum wait time of 1 minute for example to refill FREE BTC

A daily secret should be only used in blockchain games - because they cannot have user-specific serverseeds (most don't require any account.) Luckyb.it is a blockchain game. Your site is not a blockchain game. Therefor it should be very easy to just let players reset/reveal the serverseed on their convenience - and not let them wait.

I didn't look much into your provably fair method yet, but basically you should use the "serverseed, clientseed, nonce" method used by all popular dice sites since this is considered the technically most solid implementation and is most easy for the user to verify their results.

edit: had a quick look at Quincunx thing and couldn't change client seed + was serverside made. So yeh this site is not provably fair AT ALL and the site can generate all results of a player. So definitely agree with "keepinquiet" and people shouldn't be playing here at least until the provably fair implementation is fixed. I see you are working on it, so GL.

So from what i understand, correct me if im wrong, diffirence between our current secret_key and nonce is that user don't need to wait until midnight to verify bet.

Yes I suppose thats what he meant. When I visit a dice site, the most important thing for me would be to verify bets immediately. Another thing that comes to my mind is the fact that the "My Bets" tab on the site shows only around 20 recent bets. I suppose you would show the rest being archived. But unless I am recording the session it would be difficult for me to actually verify that the archived bets were actually what happened.

he is asking to put simple verification method that are mostly gambling sites are using at the moment like Primedice, Dadice and many more like "serverseed, clientseed, nonce" that provably fair system is easy to understand to most players and easy to understand because of nonce we can know there is no skip to manipulate the bet result, i hope you can understand what verification he is talking about.

Yes and no. I guess you can have:

- serverseed, clientseed, secret (you have this now?)
- serverseed, clientseed
- serverseed, clientseed, nonce

The first one is bad because people need to wait. The second one is bad because it requires the seeds to be different each roll you make, which makes verifying much more difficult and time consuming - even though it is instant. The third one is the most popular and best way, the same seeds are used over many many rolls until the player decides to reset the serverseed and see the revealed unhashed seed to verify _all_ the previous rolls in 1 time.

So first one (which we have currently) is bad (can be better). We will change it again after midnight (to give users ability to verify bets from current day).
Second one we had before, but both client seed and server was revealed (critical design flaw) before the game began. Server seed should be revealed after game, to not be able predict game results.
Third one, i can't wrap head around how it is faster to verify this than second method. After thinking a while its because you need to only copy one value from game (nonced client seed) while you always have (untill you change it) nonced server seed in script already.

If i got above correctly, we are ready to put third method live after midnight.

There will be added "Bet browser in Provably Fair tab". But you would need to know bet ID to pull out older game. How current popular sites do that? I would think of maybe option to pull out in simple text form list of last 200 bets for example with data <bet id>|<server seed>|<client seed - nonce> to be able to verify in quick way many bets quickly.

Yes. Let's do 10 bets w/o and w/ nonce:

Serverseed per roll without nonce
1. Click to see serverseed hash & copy it, change clientseed, make bet.
2. Verify if hash was really correct and check bet result.
3. Click to see serverseed hash & copy it, change clientseed, make bet.
4. Verify if hash was really correct and check bet result.
5. Click to see serverseed hash & copy it, change clientseed, make bet.
6. Verify if hash was really correct and check bet result.
7. Click to see serverseed hash & copy it, change clientseed, make bet.
8. Verify if hash was really correct and check bet result.
9. Click to see serverseed hash & copy it, change clientseed, make bet.
10. Verify if hash was really correct and check bet result.
11. Click to see serverseed hash & copy it, change clientseed, make bet.
12. Verify if hash was really correct and check bet result.
13. Click to see serverseed hash & copy it, change clientseed, make bet.
14. Verify if hash was really correct and check bet result.
15. Click to see serverseed hash & copy it, change clientseed, make bet.
16. Verify if hash was really correct and check bet result.
17. Click to see serverseed hash & copy it, change clientseed, make bet.
18. Verify if hash was really correct and check bet result.
19. Click to see serverseed hash & copy it, change clientseed, make bet.
20. Verify if hash was really correct and check bet result.

Serverseed with nonce
1. Click to see serverseed hash & copy it, change clientseed, make bet.
2. Make bet.
3. Make bet.
4. Make bet.
5. Make bet.
6. Make bet.
7. Make bet.
8. Make bet.
9. Make bet.
10. Make bet.
11. Get new serverseed hash to reveal old serverseed, verify hash and check bet results.

NLNico is spot on. One extra benefit of going nonceless is that it is hugely easier to verify each bet with a script (or verify the script) as there's no history (bet direction, bet size, result) to accumulate, you can just on-demand verify each bet.

Or if you're planning on releasing something like a userscript or a browser plugin that automatically verifies bets, I'd definitely go nonceless (it can check immediately, as you play). Or if you're expecting people to verify batches themselves by hand, I'd go with a JD-style nonce.

After consideration we will implement 3rd mehod with nonce as NLNico suggested.
NLNico will you verify our implementation of 3rd method tommorow? (will write here as soon it will be ready)
RHavar from what you are writing i predict you also have tech knowledge to verify our implementation. Hope you can do it also.

Not sure if you're talking about the 2nd method here (nonceless), but i would find this system provably, but not fair.  As, it could be possible that the user does not update his client seed while the serverseed will update after every bet.  If the operator is unscrupulous, he could take advantage of the users that don't change their client seed as often, and find a serverseed pair that will have an advantage, assuming that the user does not change his betting % or hi/lo option.

of course this would require some work on the operator's part as well as some added technical knowhow, but i could see something like this being done.

Well, the client-seed should be changed each roll to something random either manually (which is crazy tedious) or by a client you trust/verify (ideally a browser plugin, or third-party)

But even with the same client seed it's really not as easy for an operator to cheat, as you'd imagine. That's because the nash for a casino is to not cheat, because if someone knew you were cheating they could do the opposite bet, and *destroy* you. I don't imagine many site operators would be insane enough to cheat this way.

(Although, no sites ever sign an indisputable proof of hashes so any provably fair disputes quickly degrades into a he-said-she-said fight)

So its really just best if the client uses a different random seed each bet to avoid any doubts.

I personally think the simplicity of verification is one of the most important properties of any provably fair scheme. And generally, I think that actually means not using a nonce. I'd rather just audit them by verify a few big bets, than trying to keep a big history history of my bets and follow a convoluted scheme. By far preferable to this, would be userscript that does it for me, in real time.

Even with nonce schemes, which do make it easy to generate a list of bet outcomes (which is of limited use, if you don't keep track of your bet amounts/direction/target) it's amazing how few people actually do verify bets. Some very successful sites have operated for months (accidentally) not being provably fair before anyone even noticed. Or just last week, I spent about ~30 minutes writing a verifier for 64blocks and gave up due to the complexity (e.g. every new game, scrape 64 bitcoin blocks(?!) and verify a complex chain that works both forward and backwards). I have no doubt that's completely fair, with nice properties but when even I, the person who implemented the original scheme it's based on (in bustabit) (which was originally largely Dooglus/Eric's idea) can't be bothered to finish writing the code it's unlikely many people in the world have.

That said, I do think these guys should just go with a nonce scheme unless they're going to build an easy to check browser plugin that set a random client seed, and verifies each bet

After over 4 hours of non-stop programming Quincunx provably fair system with nonce is finished.
Please verify our implementation (only Quincunx game), its based on primedice system.

If verification will be positive, we will implement it also in poker.

Cool game.  I donated 0.03 BTC.  8)

Thank you for kind words, we have just started so its great motivation to continue.
We have big plans so stay tuned :)

It seems like the idea is good now. But unfortunately there is still a mistake and the site is still not provably fair :P

When a player changes the clientseed, you give a new serverseed. This means you could calculate bad results based on these seeds. The idea of a clientseed is that there is a variable in the calculation which the site doesn't know in advance and therefor cannot predict the results in advance. 2 options:

1.  When someone sets the clientseed, you should keep the same hash (and don't reset the nonce or else player can cheat.) And then there should be a separate button to "request new serverseed" that also resets the nonce.

2. OR show the "next serverseed hash" already when setting the new clientseed (that is actually what PD does.)




Truthfully I didn't fully test the provably fair method but this is what I saw already.

I think we already do have this second method. Player know in advance next server seed hash (below SET button, need to click Next server seed (hash) to reveal it).

Ah you are correct. Although that link is very small lol, I would probably display it slightly different. Anyway, seems technically okay then, although I didn't actually calculate the results and didn't check the details (just had quick look only.) But yeh, nice job improving it already.

Any impressions from the provably fair system?

Thank you. I moved this link to bottom of Provably Fair tab, underlined it, bigger font. Hope it will fit better there :)
Also removed couple bugs that could affect verification process, maybe its good that you have waited with full verification.

Better from impression will be full verification of Quincunx provably fair system on real bet examples :).

We got info on site chat, that there is still critical bug in quincunx that lets you predict coin path before betting.
While we are working hard to verify this information, it would be helpfull to also someone else give it a look. Like they say, four pair of eyes are better than two.
This can be bogus report, but reports like this must be checked carefully.

One indication that it could be true is one user, that hit on quincunx red table 130x in first real bet, then again between ~20 bets... chance for x130 on red table is around 1 to 25000.

If you're asking for help, it probably would help if you tell us the report details, otherwise we're flying blind  =)

If the report is along the lines of: "Hey, your entropy is bad. I can "feel" it." just ignore them, I get them on a weekly basis. People mean well, and often do believe they can predict the outcome but unless your sole source of entropy is a 301 page on random.org, it's basically impossible for a human regardless how weak it is.


I plugged your red pay-table into the MoneyPot plinko API to generate this bet:
https://www.moneypot.com/bets/4244628

As you can see, it shows a house edge of 1.76% with the chance of landing on 130x to be 1 in 2048 (and even more often, if you consider 130 or greater!). Which makes it rare, but not exceedingly so.

Not to say your site doesn't have security holes, but be extremely careful in your analysis of "1 of 25000" to not fall into the trap of implicitly searching for thousands of possible patterns that would trigger your "omg" alarms. It's a weekly occurrence that someone brings up a really unusual streak on bustabit, like   1.23x followed by 4.56x followed by 7.89x and then claim the game is clearly rigged as that particular occurrence has a one in a billion chance of happening, but they're searching for a billion patterns over that time.

For what it's worth, I know the feeling of losing money and dealing with the uncertainty if it was real or legitimate, it's really the whole reason I created MoneyPot. The hardest was once paying a 90 BTC loss in one single day, without knowing if I got cheated or not. Both players that won that day never came, but the site has remained profitable ever since so I'm pretty sure it was the bitch named variance  =)

(and Dooglus has a similar story but on a far, far more epic scale)

 
If you're worried, I'd highly recommend paying for a professional security review. I saw earlier you had a max win of almost 50 BTC. Doing a rough estimate, my maths tells me you should have roughly a 2778 BTC bankroll to safely back that up, that's a non-trivial amount of money. (I can figure out the exact required according to the generalized kelly if you like)

RHavar thank you for this post, many usefull informations
There was not many details, thats the problem, since this user wanted serious BTC for disclosure of this information. He said there are two security flaws. One severe and one very very severe.
After some talk he gave couple hints. First that this very very severe one is about quincunx predicting coin path. Second one after further talk turned out to be hard to exploit CSRF in one function. We found it right away and its already fixed.
Giving that his one bug report was true, second could be also.

Anyway, only possible way of cheating in quincunx i could think of, would be to know current server seed in non hashed way. For example trivial mistake after reworking provably fair system, one place could be showing current server seed in non hashed way that should be hashed now. Finishing checking this.

It is hard, even more since first day design flaw which allowed user to calculate result before game. Ended without any harm, but we check everything twice now.

Yeah statistics is like that, you can have 50% chance for either 1 or 0, and get 1 for twenty times straight. Because of that very often people conclusion is that site is rigged, seen that many times on dice sites.

Max bet was 0.05 and it was lowered around ~14 hours ago to 0.01 temporary. Our provably fair system need 3rd party verification first, for safety of players and site itself.
It will be raised when we will be 100% sure of our provably fair system.

Sorry for my English . You do not even give me 0.5 BTC for responsible disclosure , and would only pay 0.1 BTC . I even gave a serious problem for free , and this is my job to eat.

Now you say you can pay 50 BTC winners per game , but you can not pay me 1 / 100th of it to help your security.

My time is too valueable to be wasted in this and has made it clear for the next person to find it more profitable to abuse your site getting insulted by your tiny bounties

Your english is fine. We don't have official bug bounty, but your messages on chat sounded dangerously close to extortion or even blackmail. Give me 1.5 BTC or someone will abuse this bug and you will loose more.
Well how you could treat someone serious after something like that.

I just want things to get paid for my work. I am the security researcher it is job not nothing. All other sites gave me money if I found a serious problem. I tell you , several times I will no been abusing it or no will to .

If you can not have 0.5 BTC, then you should say so, I can sell you cheap. But you should not pretend that you can pay 50 BTC to give winners then because it is a lie to offer a prize you will not pay

:) Blackmail failed, we found this bug. In quincunx ajax response. There was commented out not hashed server seed.
We have it documented. Only one user exploited this.
Hackers vs BitcoinBetGames 0:2

Rework of provably fair system is now complete
It would be nice to be verified by third party.
We also upgraded our real time chat.

Happy playing!

...
Address lookup

canonical name   bitcoinvanitygen.com.
aliases   
addresses   104.27.129.8
104.27.128.8
Domain Whois record

Queried whois.internic.net with "dom BitcoinVanityGen.com"...

   Domain Name: BITCOINVANITYGEN.COM
   Registrar: OVH
   Sponsoring Registrar IANA ID: 433
   Whois Server: whois.ovh.com
   Referral URL: http://www.ovh.com
   Name Server: BRAD.NS.CLOUDFLARE.COM
   Name Server: SANDY.NS.CLOUDFLARE.COM
   Status: clientDeleteProhibited http://www.icann.org/epp#clientDeleteProhibited
   Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
   Updated Date: 29-apr-2015
   Creation Date: 26-mar-2014
   Expiration Date: 26-mar-2016

>>> Last update of whois database: Tue, 28 Jul 2015 07:26:43 GMT <<<
Queried whois.ovh.com with "BitcoinVanityGen.com"...

Domain Name: bitcoinvanitygen.com
Registry Domain ID: 1852143808_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.ovh.com
Registrar URL: http://www.ovh.com
Updated Date: 2015-04-29T19:48:18.0Z
Creation Date: 2014-03-26T21:38:13.0Z
Registrar Registration Expiration Date: 2016-03-26T21:38:13.0Z
Registrar: OVH, SAS
Registrar IANA ID: 433
Registrar Abuse Contact Email: abuse@ovh.net
Registrar Abuse Contact Phone: +33.899498765
Domain Status: clientTransferProhibited
Domain Status: clientDeleteProhibited
Registry Registrant ID:
Registrant Name: Nosalik Remigiusz
Registrant Organization:
Registrant Street: bitcoinvanitygen.com, office #6917528, c/o OwO, BP80157
Registrant City: 59053
Registrant State/Province:
Registrant Postal Code: Roubaix Cedex 1
Registrant Country:  FR
Registrant Phone: +33.899498765
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: 1pwjyznfxd4rhcmij32q@e.o-w-o.info
Registry Admin ID:


Domain Name: bitcoinbetgames.com
Registry Domain ID: 1917404004_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.ovh.com
Registrar URL: http://www.ovh.com
Updated Date: 2015-04-09T21:27:11.0Z
Creation Date: 2015-04-07T19:42:12.0Z
Registrar Registration Expiration Date: 2016-04-07T19:42:12.0Z
Registrar: OVH, SAS
Registrar IANA ID: 433
Registrar Abuse Contact Email: abuse@ovh.net
Registrar Abuse Contact Phone: +33.899498765
Domain Status: clientTransferProhibited
Domain Status: clientDeleteProhibited
Registry Registrant ID:
Registrant Name: Nosalik Remigiusz
Registrant Organization: VERSERO
Registrant Street: Opolska 14/11
Registrant City: Jastrzębie Zdrój
Registrant State/Province:
Registrant Postal Code: 44-335
Registrant Country: PL
Registrant Phone: +48.607495744
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: ynmawox4ddhtcgwrorpf@c.o-w-o.info
Registry Admin ID:
Admin Name: Nosalik Remigiusz
Admin Organization: VERSERO
Admin Street: Opolska 14/11
Admin City: Jastrzębie Zdrój
Admin State/Province:
Admin Postal Code: 44-335
Admin Country: PL
Admin Phone: +48.607495744
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: 7oazbns44x9ywqn87agu@k.o-w-o.info
Registry Tech ID:
Tech Name: Nosalik Remigiusz
Tech Organization: VERSERO
Tech Street: Opolska 14/11
Tech City: Jastrzębie Zdrój
Tech State/Province:
Tech Postal Code: 44-335
Tech Country: PL
Tech Phone: +48.607495744
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: 7oazbns44x9ywqn87agu@k.o-w-o.info
Name Server: ns3.bitcoinbetgames.com
Name Server: ns4.bitcoinbetgames.com
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System:
http://wdprs.internic.net/
>>> Last update of WHOIS database: 2015-04-09T23:33:43.0Z


Seems he is also the owner/operator of the shady ass site Bitcoinvanitygen.com that steals peoples coins