Bitcoin Forum

Hi everyone!

Today we'd like to talk about double-spending.

We've had a player named yakuza699 – he's got the same username on bitcointalk and is actually a Hero member here, which means he's a respected part of the community. Here is a link to his profile here: https://bitcointalk.org/index.php?action=profile;u=136722.

He's been playing Pocket Dice for a while now using the same strategy over and over: he makes a large deposit, places a couple of low-risk ALL IN bets, and then withdraws. All his game sessions have been profitable for him though yesterday he returned to Pocket Dice, deposited 71.38 BTC and lost them all. This happens sometimes as this is the game of chance. What happened next was he double-spent his deposit transaction.

So why are we writing all this? Just to say you all should beware of any kind of cooperation with yakuza699. Moreover, you should never seriously rely on user's rating at Bitcointalk.

Has anyone of you ever had any cooperation with yakuza699? did he also double spend in your web services?
Any ideas on how to solve this will be aprreciated.

Simple. Do not provide services that are vulnerable to double-spending.

How did he double spend? Your system is vulnerable?

Post this on the scam accusations section with your evidence.

Yakuza699 also tried sending a double-spend to repay his loan..                                               

1st question, why do you accept double spend transactions? Secondly, could you provide the txid's of the transactions in question, and other evidence to link that profile to the person you are claiming scammed you?

my guess is that he sent a 0 fee deposit to pocket dice then broadcast a second transaction with a fee to get the network to forget about the first transaction.


question is, why do they accept 0 fee deposits? accepting them is ok, but they should wait for 1 confirmation in the case the deposit transaction has no fee as those are vulnerable to double spending. other than that, we do need proof the account on your site that initiated this double spend is indeed yakuza699, 71+ BTC is not a small amount.

why such a gambling site accepts instant deposit since double spend attacks isn't new in the BTC world? can you give more proof that yakuza699 in your site is the same yakuza699 here at BCTalk?

I`m pretty new to spotting a double spent address or how it works.

Any chance to screen cap how it looks like? since anyone can get pm`d by him or does future business w. that person.

I sent 0.001 BTC with 0 fee and I was able to gamble it right after the transactions was sent. Confirmations are needed only for withdrawal. If I lost my 0.001 BTC I could easily double spent it, because there's not waiting time between deposit and bets.
Just one yolo bet on 90% takes few seconds so you have a plenty of time to double spend it. I really like that we can use our money instantly after the deposit is done, but you should do something with double spends.

Im impressed by everyone here attacking the site and why the allow such things instead of attacking the user that is actually CHEATING this site and seems like he tried to cheat others yet he has no negative trust, not even by op?

that would be because there is no sure proof provided that the person who abused the deposit system on pocketdice and initiated the double spend attack is the yakuza699 here on the forum. until such evidence is provided, leaving negative feedback on the user's profile would be on the hasty side.

I never understood this doublespend thing but thats not very fair to exploit in on the other hand why your system does not need at least 1 confirmation before the coins can be used.

because people like to be able to play when they want to, which is usually as soon as possible. to prevent this, usually casinos require 1 confirmation before being allowed to withdraw, but clearly that didnt work here.

Hello this morning I received a PM by BuyAreaCoins and he gave me this link https://www.reddit.com/r/Bitcoin/comments/3dygn9/double_spend_on_pocket_dice/ (https://www.reddit.com/r/Bitcoin/comments/3dygn9/double_spend_on_pocket_dice/).I was pretty shocked after reading it because who wouldn't when he is innocent.I am going to quote my self what I wrote on reddit.
Regarding that check this:
It was an accident and I re-sent it.

The best way to avoid that problem is asking for 1 confirmation on all the depos, before any withdraw.  ;)

Don't accept unconfirmed 0-fee transactions. If you want to accept unconfirmed transactions, do not accept them with 0 fee, and/or immediately revoke the balance if a double spend attempt is detected and return it only if the original transaction is confirmed first (unlikely if a purposeful double spend has been made). The former is more preferable than the latter, as you can still gamble it all away and THEN double spend.

this exactly, requiring 1 conformation on 0 fee transactions would be a possible fix to this issue.

also, you guys are practically advertising that your site has a vulnerability, and have not taken the site down to fix the issue. people will try to abuse this, guaranteed. of course, i could be wrong and youve already patched this problem up, but if you havent, taking the site down for a bit would be a good idea. in fact, it would be a fantastic idea.

I would point out 2 comments from Reddit, it's 100% true.

---

#1: Easy: Don't accept 0-conf. transactions.
    #2: Easy! Just wait up to 1 hour for your internet money of the future to go through!

---

It's really complicated to do it. Maybe require 1 confirmation on TX without fee like DiamondCardz said, but I don't know if it's possible..

Big amount, sorry for your lost.

thats how the site works but the cheater is doing something to the coins when he was supposed to lost it all, double spending so the site wont recieve the lost coins like there is no deposit happened

No, you could start rolling with 0 confirmations, or did i miss something here? This is why almost EVERY dice site requires at least 1 confirmation before you can play.

I see there is also a mistake on the pocketdice side. Many bitcoin users know how to double spend zero confirmations with no fee transactions.

We're glad this thread appears to be so important and relevant for you. We appreciate all your feedbacks and solutions you've offered. Some of them were really helpful and effective. Right now we updated our system to make it more secure from any future attempts of hacking.

Of course we understand that the most effective way to fight double-spends is to require confirmation of EACH deposit. Though we always have to balance between providing world-class user experience on one side and security on another.

Once again, many thanks for your support!

This issue and thread is pretty cloudy. Im not sure what you are trying to get in this thread since you put an example of yakuza attempted a double spend on your site and thus this thread was placed on scam accusation.

However no proof / data is presented about this and it appears you are more into looking for a suggestion on how this issue wont be repeated in the future ( if this is so then this thread should not be in scam accusation )
If truly yakuza attempted a double spend on your site then you should present the proof to back what you claimed ( this is a form of scamming as well since he supposed to lose the 71.38 BTC )

Dude, it could not be more clear that you are behind this double spend attack. You should give back the BTC that you stole from pocket dice and give back the BTC that you stole from other casinos that similarly (stupidly) accept 0/unconfirmed deposits.

I have it on good authority that you were double spending against luckyb.it if you were not double spending against pocket dice. Furthermore there is a look of evidence that you were creating transactions designed to never confirm on their own.

Here (https://bitcointalk.org/index.php?topic=947568.msg10429704#msg10429704) you posted the address 12ZMT7Qn2rysM3XKxkSBrVfzdXXufoS13t and looking at the transaction history, you split up a single output of .4994BTC into over 90 outputs all to the same address, and all of roughly .0055BTC (in a single transaction with 0 fees attached to the transaction), and this would never have confirmed on it's own. You later consolidated these outputs to three outputs via 205d6967349a64d8f7c99deacfb5f37e733f5ec9a497f53d42afd03df48678c1 and then proceeded to make at least one bet with those new outputs that would never confirm on it's own. (there are other examples of this, however I think one should suffice)

In This (https://bitcointalk.org/index.php?topic=952340.0) thread, you were offering a 1 BTC bounty to pools who were willing to include transactions you give them in their found blocks. (this is somewhat circumstantial evidence against you, however it should certainly be taken info consideration). What you were asking for was essentially a way to be able to get double spend transactions confirmed and to get other low fee transactions confirmed when they shouldn't.

Here (https://bitcointalk.org/index.php?topic=908192.msg11328820#msg11328820), you post about depositing 10 BTC to a site that accepts 0/unconfirmed deposits, gamble with that 10 BTC, and proceed to make over 4 BTC, all before the transaction confirms (you even say that it should confirm "in a few minutes" when you post that you will be withdrawing). People in that thread were suspicious of you, however there was little risk to you because if you lost then you would have simply double spent the transactions.

In this (https://bitcointalk.org/index.php?topic=876314.5) thread, you were told that creating a number of chained transactions will sometimes result in transactions that will be rejected by nodes other then blockchain.info (this is not exactly what you were doing above, however it did set the basis for your actions).

I have additional evidence against you, however I am going to keep that private for now.

tl;dr - do not accept a 0/unconfirmed transaction from yakuza699 and it is a bad idea to accept these kinds of transactions in general

No hacking took place here. Scamming - yeah, but no hacking took place. Yakuza exploited the ability to double-spend unconfirmed transactions and it hit you for a decent amount of money. I suggest you test double-spending against yourself so that you are 100% sure your system can't be double-spended against.

It might be a good idea for others to be warned about both yakuza699 and amaclin who both have a history of executing double spend attacks on gambling websites.......

Probably the best thing to do (like most other casinos here) is to only allow deposit once it hits 1 confirmation.