Bitcoin Forum

Player is up 66k XMR in 2 days these are the rolls that just happened.. I didn't see the others but this just doesn't seem right to me.


7908821   3000.000000000000   +3000.000000000000   <49.50   46.38   07:23   PolakPotrafi
7908820   3000.000000000000   +3000.000000000000   >50.50   57.52   07:22   PolakPotrafi
7908819   1400.000000000000   +5600.000000000000   >80.20   81.28   07:22   PolakPotrafi
7908818   789.600000000000   +7106.400000000000   <9.90   2.06   07:21   PolakPotrafi
7908817   1535.200000000000   +6140.800000000000   <19.80   13.15   07:21   PolakPotrafi
7908816   935.200000000000   +8416.800000000000   >90.10   94.58   07:20   PolakPotrafi
7908815   1.000000000000   -1.000000000000   >80.20   45.19   07:20   PolakPotrafi
7908814   1.000000000000   -1.000000000000   >80.20   51.31   07:20   PolakPotrafi
7908813   1.000000000000   -1.000000000000   >80.20   24.50   07:19   PolakPotrafi
7908812   1.000000000000   -1.000000000000   >80.20   42.30   07:19   PolakPotrafi
7908811   1.000000000000   -1.000000000000   >80.20   60.60   07:19   PolakPotrafi
7908810   1.000000000000   +4.000000000000   >80.20   84.71   07:19   PolakPotrafi
7908809   1.000000000000   +4.000000000000   >80.20   87.64   07:19   PolakPotrafi
7908808   1.000000000000   -1.000000000000   >80.20   28.28   07:19   PolakPotrafi
7908807   1.000000000000   -1.000000000000   >80.20   32.78   07:19   PolakPotrafi
7908806   1.000000000000   +4.000000000000   >80.20   87.45   07:19   PolakPotrafi
7908805   100.000000000000   +400.000000000000   <19.80   17.08   07:19   PolakPotrafi
7908804   100.000000000000   +200.000000000000   <33.00   28.76   07:19   PolakPotrafi
7908803   100.000000000000   +100.000000000000   <49.50   44.78   07:18   PolakPotrafi
7908802   100.000000000000   +100.000000000000   >50.50   51.85   07:18   PolakPotrafi
7908801   100.000000000000   +100.000000000000   <49.50   18.59   07:18   PolakPotrafi
7908800   100.000000000000   +100.000000000000   <49.50   37.56   07:18   PolakPotrafi
7908799   100.000000000000   +100.000000000000   >50.50   72.20   07:18   PolakPotrafi
7908798   100.000000000000   +100.000000000000   >50.50   57.99   07:18   PolakPotrafi
7908797   100.000000000000   +100.000000000000   >50.50   62.63   07:18   PolakPotrafi
7908796   938.800000000000   -938.800000000000   <9.90   90.87   07:17   PolakPotrafi
7908795   1.000000000000   +1.000000000000   >50.50   88.01   07:15   PolakPotrafi
7908794   1.000000000000   +1.000000000000   >50.50   99.63   07:13   PolakPotrafi

which dice site are this bets from? that is a tons of crazy wins, the guy is rich now :D

MoneroDice according to FLuffy they manually do cashouts but what I want to know is how they can prevent this from happening to someone who does it at level that is much less noticeable.

They do look unusual. Like he knew exactly what percentage to change to in order to win.

Edit: Looks like he did and FluffyPony is on to it (according to the monerodice chat)

Maybe the seed has been compromised a long time. The site has not been running at EV (although nothing particulary strange about that).

Yes, especially this few big bets

7908821   3000.000000000000   +3000.000000000000   <49.50   46.38   07:23   PolakPotrafi
7908820   3000.000000000000   +3000.000000000000   >50.50   57.52   07:22   PolakPotrafi
7908819   1400.000000000000   +5600.000000000000   >80.20   81.28   07:22   PolakPotrafi
7908818   789.600000000000   +7106.400000000000   <9.90   2.06   07:21   PolakPotrafi - looks most unusual
7908817   1535.200000000000   +6140.800000000000   <19.80   13.15   07:21   PolakPotrafi - looks most unusual
7908816   935.200000000000   +8416.800000000000   >90.10   94.58   07:20   PolakPotrafi - looks most unusual

As if he already knew the result and he does big bets, and looking at the bet ID 8816, 8817, 8818.

This shows he knew the result beforehand, 3 continuous roll with that percentage to win, the chance is 0.000000001% in real life to hit all 3 wins.

Looks like they managed to grab the server seed through a leak in the API - we're busy patching it, and will rollback the naughty bets. Thankfully we process every single withdrawal manually, and most of the funds are all locked up in a cold wallet, so no money was lost. It's precisely because of the very high risk of an exploit that we don't let withdrawals process automatically!

and:

If he only was less greedy he could make much bigger damage. Luckily he had idiotic betting strategy regarding being painfully obvious.

It would be interesting to know if this was a custom API or a public one, meaning that maybe other sites are affected and their owners could use this news to protect their sites too.
Of course patching your own is top priority.

#HackThatGotTrumpedByAPony
 :D

Custom API, so I don't think this affects anyone else. We've disabled betting in the meantime whilst we sort this out, but I really think the lesson to other operators is not to be overconfident in your code or in your setup. Everything can and will be compromised, so assume it's going to happen and put safeguards in place to handle that eventual scenario.

Do you think it could have been compromised a long time ago? Maybe the hacker got tired of milking it and just went for a big score.

It's entirely possible, but one of the Monero Research Lab wrote a paper (for fun) a year ago establishing a way to analyse whether someone is cheating by determining whether they are massively changing the deviation of the site.

We run this analysis in the back all the time, so if someone was consistently cheating, even if they were using multiple accounts and small amounts, we'd see it show up because the site would (statistically speaking) be far out of the expected variance.

You can read the paper here: https://lab.getmonero.org/pubs/MRL_Monte_Carlo_Edition.pdf

Looking at the expected variance is interesting, but obviously some dude who makes profits on a few accounts would be impossible to detect. Since you are publicly accepting investors (and were in loss even before this big winner), I do assume you are looking at logs to figure out if previous accounts potentially cheated? At minimum you could see which accounts accessed that specific API function? I don't think most users use the API. Besides that, potentially IPs/browsers/other info/etc can help to see if its possible someone else might have abused it.



The way this guy was betting, was clearly to show that he could cheat. IMO this could have 2 reasons:

1) "I already stole enough so I will just show you that your site has a vulnerability"
2) "I can cheat on here, but don't want to receive a reward and rather just show it off"

IMO the first reason seems more likely. It is exactly what HufflePuff (who stole 2000+ BTC (https://medium.com/@Stunna/breaking-the-house-63f1021a3e6d)) did on PD with account "RobbinHood".



In the end I am personally not an investor and I am not sure how many public investors your site has, but I am obviously just saying this for the investors. If a site like PD (which doesn't accept investments) had this, I wouldn't be bothering Stunna about "previous accounts" or anything.

What you told is absolutely correct, the way he was betting on continuous bets it is clear that he has done it wantedly to know the site that they have been hacked and the site seed key is known to others who are cheating the site.

I think that there's still a chance he didn't know the withdraw is processed manually and got greedy.

A white hat hacker would have told the owner, not like this.
Somebody who would try only to show off would mean that 66k XMR (over 400 000 $) means nothing to him, since he already stole more than that.

Yes we're taking a look at the API logs, and correlating it against recent betters. We'll weed out any other accounts he has;)

So.... When someone is unlucky and gets 21 loses in a row you say nothing but as soon as someone makes a whole lot of wins in a row you get jealous ?? Lol ok.....

Just like a losing streak a  winning steak can happen too. Also what difference would it make if you saw his other rolls ? It is pure luck.

Yeah its not very weird for him to make all those 1Xmr bets and lose every single one of those and then win all of these huge bets with tiny win % over and over, the only big bet he lost was the first one where he made a mistake... ohh and on top of all those rolls be up another 33k xmr.

If the attack was super simple (e.g. the server was blindly giving the user the server seed) it's also possible it was a non-sophisticated attacker that got hold it of it, and was just dumb enough to not even try to cover his tracks better.  I actually believe this recently happened to PrimeDice in their latest upgrade, with something along the lines of the beta server was a fork of the production server and someone realized this and revealed their server seed and abused the crap out of it to the point it was super obvious. I also heard about another bitcoin site where someone social engineered their way into getting root credentials to the server, but was sufficiently unsophisticated he couldn't figure out how to withdraw the bitcoins.


That said, this is basically a nightmare situation for an investment site. Let's say they suspect or find out that the attacker actually had been abusing this before, who should be on the hook? The investors or the site? Kind of strange how no site ever clarifies that

Look at his bet pattern and the outcomes of the bets, its extremely obvious he was intentionally showing he could cheat.

I've said it to the investors before (noticed FAQ used to say it but not now after re-enabling investments a long time ago) that if this happens (or any big mess up) the investors lose/pay for it. That's the risk they take investing in the site/me.

Fortunately this hasn't ever happened at BetKing anyway.

Fluffy I see the site bankroll went back up from 60k to 140k now... but I see people betting currently but my account still has taken the massive losses from that player.

You don't have any invested in the bankroll? Is your investment on another account?

I divested and withdrawal what was left right after I saw his rolls.

-16.660736590630 Xmr, ( Don't know if all loses were from him but I assume a large portion of it was) I was only invested on site for around 20 hours before I divested.

Deposit Hash
c7a2edb767827fb3d32d58150a7cfa3c1d855c83bf7a3e3a134b23abbcd1778a

Withdrawl Hash
c9cf4173c48e773ce85f84b0fb6a3a6e80e7a51a0665cbf00d1783ea20e1ddba

Ah - yeah, then you wouldn't have benefited from things being put right since you weren't part of the bankroll any longer, and didn't even have funds still on the site. In a situation like this we can't really compensate for people who have taken their funds out the site.

Your seed was someway hacked, some investor was losing a lot because of this ( and it is your fault just to state clearly how I see it) and tried to limit their losses.

Basically now they are the only one who suffered a loss because you have that great security measure for which you manually process every withdrawal.

From an external point of view it's kind of ridicolous... but if I was an investor I would be very disappointed.

It could be seen also as an inside job to keep some of investors money... but Am just putting it here as a provocation and not something I really think.

Nobody lost any money, you're confused.

Why do you even care ? If he is clever and can hack then shame for you. He found a way into the system so good for him. Ga!nbling sites mostly bitch so its good to see someone got them back.

I lost? I was invested in the roll for the entirety of that guys bets he did not make 1 bet that I wasn't apart of( From all the ones I pasted) the other 30k he won that I didn't see I may or not have been but we should be able to know since I know nearly what % of the roll i had invested before I deposited 20 hours ago. I'm not some dude trying to scam you if you look in the crypto-games thread, the support sent me a extra 81 ether 2 days ago  in 1 of my withdrawals and I sent it back.

How can you claim no investors lost when, I deposited 32 Xmr and 20 hours later my Xmr is worth 15 Xmr...... I only divested and cashed out because it was evident to me he was cheating after I looked at those rolls and I somehow get punished for alerting you guys and acting in a intelligent way. I'm assuming I alerted you since I posted in chat my suspicion, then emailed support with a title Seed been hacked. Then pmed Nico with my suspicion, then I requested a withdrawal that was sent while there were no indicators of anyone aware of the hacker other than the hacker and I, also I didn't see his rolls happening, I just opened a tab saw all those bets, no bets were made after I had noticed the seed was compromised.

If all his wins were re-added to the bankroll then my funds would have been re-added to the bankroll because he did in fact win my Xmr...  So since I can verify he did in fact win my Xmr and I can verify you guys did in fact add his wins back to the bankroll where does the extra Xmr he wins that were originally my investment end up?

That's a hell of will. Well it can be due to seed compromise. But I know a few players who can roll more greens than him in a row. So may be its 10% skills and 90% luck. Well if he knows exactly what's gonna come next he should not have those reds. I hope that he don't cheat. If he cheated bum his ass :)

Do you always comment without reading the threads first?
This is a 1.5 page thread, it doesn't take much of your time to read through it and get an idea of the situation, but it seems you stopped doing so right after OP.

Go read the thread, then read your comment and think for 3 seconds, please.

I'd be interested in this aswell, how did you determine which investor got which part of the secured funds back once you rolledback the clearly compromised bets?

I think probably it is added back to the investors at the time of adding back. So if someone divested, he won't get anything, but if someone invested, he would get a share of the added back amount ???

Yeah, that's how it sounds like. Actually when I designed the moneypot investment system, what I did was create a repayable log of all the investment/divestment/bet events for in a nightmare situation like this (or software bug) it could be replayed so investors wouldn't have made/lost money from the changes in the bankroll when a fake better (or software bug) was playing.

The situation is probably a big mess now, as some investors have lost more than they should've and others made more than they should've. And it's probably pretty likely the ones who unfairly made money have already withdrawn (?) or at the very least, will be unhappy if their balance gets put to the correct amount

His wins weren't re-added to the bankroll based on the prior state, they were re-added based on the state of the system at the time we were re-adding it. The state of your part of the bankroll at that time was 0, so you don't benefit from that.

Let me put it differently: you saw the errant bets and you divested and withdrew your money, in a panic and at a loss. What if the attacker had gotten away with his withdrawals, and we had to socialise the loss? Would you deposit your money back in to participate in that?

In a situation like this you, as a participant in the bankroll, have your funds invested at risk. Everyone takes the same risk, and gets the same reward. If you try and circumvent a scenario you are effectively cutting your losses, come what may, and it isn't reasonable to turn around afterwards and expect an outcome that is any different.

Look, if the $100 you lost in this scenario is completely untenable then we'll personally send you 15 XMR from the site profits.


Based on the investor roll at the time of the distribution out. Because there had been users created and withdrawals / deposits processed in the meantime, we couldn't simply roll the database back.


Yep exactly; there wasn't any other way to do that that wouldn't have added insane amounts of complexity to the process, and potentially left the data in an extremely broken state.


We already have a replayable log (that's the point of the MySQL log after all), but we couldn't rewind the entire system. Consider, for instance, a new user that created an account and deposited funds. If we roll the system state back we would have to manually allocate all of those and manually recreate the users. And, too, consider the exact issue we've got above, where a user divested and withdrew - how do you roll that back? You can't, so you have to move forward with the system in the current state.

I understand the risk is on the investors too and the situation would have been different if the cheater managed to withdraw all the money.

But the cheater didn't get any of it, so if you do rewind the cheater's bets, it seems very obvious that you should refund to the affected investors. To suggest otherwise seems ridiculous to me. And to give free money to people who invested after the whole situation seems even more crazy.

That seems like a normal thing to do. If I see a site is hacked, obviously my first reaction is to withdraw my own money. You must be pretty stupid to not immediately make sure your left-over money is safe.

You shouldn't roll the whole database back, you should look which investors got affected by the cheater and how much they lost. In theory just the rolls and invest/divest information, should be sufficient. I understand it's technically tricky and needs some custom script to calculate, but that seems like the only fair way.

EG: you have the invested amounts of the current investors. Loop all events (= all bets + divests/invests) from latest to start of cheater. First event is probably some real bet after the cheater, recalculate what the invested amounts where before that bet. Second event same. If event is a invest/divest, adjust invested amounts too. Then when you reach the last bet of cheater, you should have all the info of which investors were invested at that time including the amount. Separately save how much they lost (or gained) in that cheater's bet. Continue loop and if the event is a cheater's bet, do the same. All till you are back to the first cheater's bet. IMO after this, you should have a list of investors with specific amounts of how much they lost? Reimburse those amounts to the investors.

BillyBurns already made a loss from the cheater? So if you decided the losses were on the investors, nothing would have changed? He wouldn't need to deposit - he is already in loss.




edit: TBH I am not sure how many investors actually divested like BillyBurns. If he is the only one, things are probably more easy :x But just the mindset of refunding the investors who actually lost money seems important to me.

That was the exact point of my previous post but seems like fluffpony missed it answering


Your site didn't lose a single monero, seedhacker didn't get any monero from your site (not this time at least but you should investigate the past if you already didn't) yet at least one of your investor had their investiment cut in half.

@fluffpony maybe you are the confused  one.

agree on all the line

We made a decision on how to handle it at the time, under pressure, to the best of our ability. You are welcome to disagree with that decision, but unless you're in that scenario running your own site your opinion is largely meaningless. It's easy to look at it after the fact and go "well I would have done X" - I can think of any one of 30 different ways we could have handled things.


So then you cut your losses and you get out, the end. There is no coming back later on to try reclaim imagined profit.

Perhaps a comparison will help: let's say that you have 10 BTC in Poloniex. You hear that Poloniex isn't processing BTC withdrawals, along with panic that they're hacked, and use your BTC to buy a bunch of WaffleCoin and withdraw it. You sell your WaffleCoin on ShapeShift, but now the market's tanked and you end up with 9 BTC. Later that day Poloniex put out a statement apologising for the issues and stating that they're now fixed. Would you insist that they roll the trades back? What about the shorters that took profit from you?

Or what if you invested in a startup, and then when it looked like things were going south you sold your investment at a loss. Two years later the startup is a huge, successful company. Do you insist on taking profit from the growth because you *used to be* an investor?


We thought about this, but we decided that it would be too dangerous for us to spend days and weeks trying to build a magical "undo" script, completely wrecking any auditability, and potentially ending up with a screwed up data set at the end.


With all respect to the affected investor, he took his $100 loss and walked away. He didn't contact us, he didn't ask for input on how we were going to handle things. He just assumed that it was the end, and he would have been the *only* investor to get out with his money had we not had safeguards and had the attacker been able to actually drain the wallet. What would have happened then?

You stated at the outset that you understand that the situation would have been different had the attacker managed to withdraw, but you're not actually following that thought through. Had that played out we'd have a total loss on the part of all the investors, and one investor who only incurred a $100 loss, and you can bet that investor wouldn't volunteer to divvy up his remaining funds among the affected investors.

Ultimately you're asking us to take up a morally hazardous position. What happens when someone "accidentally" places a large bet and loses? Should we undo their bet, and take the profits from the investors? An investor that divests and withdraws is no longer part of the bankroll. They bailed out with a profit or with a loss, and that's the end of that.

Nevertheless, I've already offered to send $100 to the affected investor, so I'm not sure what more you expect?

I think he is lucky only. how hack seed? it's impossible.

We found the bug he exploited that leaked the seed, and we've subsequently patched it.

Strange comparison.

Better comparison: a hacker steals a part of the balance from very specific accounts on Poloniex. In panic, I obviously withdraw the left-over money. Poloniex detects the vulnerability and refunds all money. I think it would be normal that Poloniex refunds the affected balances and not just anyone on Poloniex. I just cannot imagine Poloniex saying "well, I know you lost money because of that hacker, but you withdrew the rest, so we won't give your lost money back, instead we give it to others".

Of course if I gamble with the "left-over money" on a dice site and loss it all, then I don't expect them to pay that part back (which is your comparison.) But that has nothing to do with the hacked losses.

Strange comparison again. It has nothing to do with future profits. We are not talking about an investor who is complaining that you made huge profits after he divested. We are talking about investors who made a loss because of a cheater when he was invested and you are refunding the wrong people.

Better comparison: if one of your employees stole money directly from investors during the time I was an investor of that start-up and he would refund 2 years later, then yes, I would still expect him to pay me too.

What? Let's say the cheater would have won 50% of the BR, I divested to cut losses, and cheater continues to win rest of BR. Then yes, indeed, I would only have a 50% loss, while others would have a 100% loss. That's exactly right and that's why someone should divest/withdraw when he sees the site is hacked. I don't see why that investor with 50% loss would owe anything to the other investors?

Even then, you would have the decision to try to do the right thing and refund the losses (so 50% to the 50% loss dude and 100% to the rest). But in that situation I could have understand saying "sorry investors, but that was your risk too and I cannot pay you everything so we have to sort something out". That is why I say that it depends on the situation. Still I would expect any refund to go to affected investors who had a loss and not just to any investor after the cheater.

Why? You would do these calculations on a separate database and only calculating the refunds, not too much risk. Yes, it might take a few days (although a quick script for estimations should be possible in a few hours.) But I don't see why a little more delay would be a problem if it's doing the right thing.

Lol what? We are talking about a cheater who won money, what has that to do with someone losing money? Obviously when a player bets, it's final. No dice site ever refunds any normal bet.

It's not about the bets after he divested, it's about the bets during his investment. You refunded the bets that were during his investments. He was a part of the bankroll during that time, so he should be refunded.

I would expect you to understand why it's wrong to refund the current investors and not the affected investors. And I would hope you pay back the affected investors because it's the right thing to do as a gambling site owner - not because $100 is not much.





I am honestly surprised about the replies here. I have been following your site for months and had a pretty high opinion of it since you are a trusted XMR developer. But I really cannot imagine that you don't understand why you should refund investors who actually had a loss because of the cheater.

 Fluffy I agree with a lot of what Nico has said. I would like a refund because I do believe I should have received one, but I do not want the refund if you believe it to be out of charity. I want it because you believe its the right thing to do. If you change your mind could you credit it to  my account.

So you're of the position that other investors, who may be asleep due to timezones, should just suffer the 100% loss? So in that event the investor is just "lucky", and the rest are "unlucky"?

And yet in the reverse all investors should be "lucky"?

How do you not see the disconnect here?


lol sure, that's why we're listed on DiceSites, right? Don't patronise me.

We're always open to discussing things like this, and finding an amicable solution for everyone. That's why we have an email address that you can use. Having a messy ideological discussion on troll central is not a fantastic way to achieve that, especially given that we *are* responsive to support emails.

Yes, because of this:
Besides that, this is an extreme scenario because it assumes that you had the whole bankroll in a hot wallet. I don't see too much reason to consider extreme scenarios like that, better to just look at the facts. With the manual withdrawals in place, it would have been no problem to refund 100% to the most unlucky investors and 50% to those who lost 50% etc.


No, just the ones who had a loss and were in the bankroll during the time of the bets.

No, seems very rational to me.



That is exactly why I have been following your site indeed, to consider to add it on my site. For what it's worth: I am very transparent about that and I only add the most popular sites (which don't have a history of untrustworthy behavior.) Your site used to have plenty of days without any betting, so normally that wouldn't qualify. I have seen a rise in play since the XMR price rise, so I definitely was planning to add your site to the new version of my site. But I agree this is all not relevant to this situation.

::sigh::

That's just rolling back the database, and not what I meant at all. A replayable log is logging all the individual events (e.g. bets, investments and divestments), in such a way that if you found a mistake had occurred (or in this case, fraud) you could fix the mistake (in this case, delete the bets) then replay everything so the investors balance is exactly is if the fraud never occurred in the first place.

It's actually just a good practice to be in, when ever I mutate state I *always* store the cause of it. (e.g. if someone transfers money, I log an event of the transfer. If someone claims the faucet, I store the details of that, if someone invests I store a record of it (and things like how much the bankroll was before they invested) etc).

And probably the other mistake people make, is over-constraining their database to not allow negative values. e.g. While a user balance never should be negative, the system should support it as cases like this might cause some accounts to legitimately be negative (them withdrawing gains they shouldn't have) or even deposits reverting after a blockchain reorg etc.

It's great for a disaster recovery situation like this, and it's great from an audibility perspective. It's probably too late for this time around, but it might be worth designing around in the future.

Exactly, see http://martinfowler.com/eaaDev/EventSourcing.html

Note that even if you don't follow strict event sourcing best practices you should still have a log of everything anyway so that you can replay, just takes more effort. Surely each bet/invest/divest actoin must have a timestamp on his MySql rows?

Even with small amounts? imagine if he were doing 2 losses for every win, but, every win he bets 3~5 times the lose value.
statistically, this wouldnt be almost impossible to find and with small amount it would be even harder.. any way, everything on internet have vulnerabilities.

Guys, you don't know our system design, you don't know our architecture. Even if you did, you can't possibly have all the facts of the matter. The continuous string of commentary is entirely pointless - the decision is not going to be made again, we've already moved past it.

And yes, we have timestamped logs for every single action, every single bet, every single investor credit, every single investor debit.

You can say that, but it is still completely unacceptable. Just a TL;DR for those who didn't follow (simplified example but exactly what happened):




Imagine there are 4 investors with each 100 XMR, so total BR is 400 XMR. Cheater comes and wins 200 XMR, leaving all investors with 50 XMR each. 3 of the investors decide to divest to limit the amount the cheater can win (but the cheater doesn't bet anymore.) Owner luckily processes all withdrawals manually so is able to stop all the withdrawals including the one from the cheater (and from any investor, if temporarily needed.)

Now the owner has 2 refund options. Give 50 XMR back to each investor (who were invested at the time of the cheater.) This way, there is literally no loss for anyone. Or give all 200 XMR to the 1 investor that is left, so he can profit from the situation. The first option seems 100% obvious to me. And the second option is basically just scamming the other investors. You chose the second option and somehow still doesn't understand why it is wrong.





Don't even start about "what if", Poloniex or start-ups, the above is exactly what happened (with different numbers obviously.)

Am I the only one who thinks this is just unacceptable?

I don't have any skin in this game but imo the way FluffyPony/Monero is handling this is incorrect.

Someone tried to steal a bunch of money.  They were caught.  That money should be RETURNED TO THE PEOPLE WHO IT WAS STOLEN FROM!  Saying "We're not going to return the money that was stolen from you because" and then any reason is horrible and wrong.  So they divested?  Irrelevant.  They still had money stolen from them and keeping that money for yourself is a Very Bad Decision.  Who cares if figuring out who the money belongs to if a complex situation?  That's on you as the owner of the site, the person who allowed this money to be stolen, and the person who is making risk-free money.  This is your job.  Do it.

I was paid back in full and left with the impression they would  not handle the situation in this manner again.

No, and it is clear for what I already wrote in this thread. I understand that not being in their shoes and without the pressure of the moment to take a decision is easier but saw some bad attitude and thinking process here.

Anyway glad to see they decided to do what they should and fully refunded BillyBurns.

The log is a pretty good idea. I don't think there are many casinos here that have such a mechanism, probably just Moneypot. :D

https://bitcointalk.org/index.php?topic=1366689.msg13969066#msg13969066 did they use the log when they removed the duplicate bets, or did they just add or subtract it back to the latest balance pro rata? I assume the latter because it is much easier?





I disagree with almost all of the examples. You cannot consider all your investors as a single entity.


Well, if you can set the investor's balance as would have if this guy didn't make the bets, it will be the best thing to do, especially if the amount added back is of a significant amount to the bankroll.

If you cannot, however, well...

Anyway, did you make certain you could not add it back in a fairer way?



To be honest, I considered investing once I read ;D
(I didn't though) so I can't say the adding back was very   fair. Anyone paying attention could guess well in advance what was gonna happen and make a profit.



That is nice :)

Oh good to hear you fixed it.
Looked like some test bets then hits.

if you've sent an email to admin ?. maybe it is in the hack. because first there was gambling sites were hacked. but in my opinion this is not because the systems in which errors in hack ;D

Looks like its just a bug not a hack because the gambler is gamble in normal until the 3 result  from nearly end are bug..
It is a large amount of monero if this is true and i think they should contact the support and maybe they give some rewards to say that than withdrawing it because like other said its manually withdrawal..

Look at the bets, look at the bet sizings, looks at the results of the bets and the sizings together. If you cant see it let me know so I can face palm.

They cant really see it  , i could say  that theres  no dice seed  hacked with these  bettings   its jsut  pure  luck  though, We cant really believe  it  hence these are  huge  winnings with  low  winning rate  seems  not  too common for us  thats  why  we could really say   theres an exploit.

Well actually this gambling site seems quite fair.

I have few XMR invested on bankroll or however is it called. I invested over a year ago so quite soon after start and so far gained 4.5%. If i remember right half should go to casino and half to bankroll owners.
This shows how little players actually lose.


Oh and i had no ideas this happened :P  You can imagine how surprised i was reading it here.
Lucky me all went well and illegal bets was stornated and lucky me i had no ideas what was going on and I did nto do something stupid as withdraw XMR.

I am bookmarking this comment gold  :D

Best comment of 2017 so far easily.

Reminds me of Cryptsy's POINTS hack roll-back drama.
Seems the Monero guys who make a coin and RUN a GAMBLING SITE BUSINESS using said coin are smarter than everyone else.. except when they get hacked.. via "over confidence"  :D


Oh yeah ?
I guess just take your word for it huh ?
What makes you think there was an exploit in your API ?
..the result ?


Teach us how gambling sites are *suppose* to work. LOL
Does this involve SPECULATING a seed was compromised ?

And who exactly is "we" ?
Is King Risto involved with the site in any way ? Who is ?

What a fucking sleazy little bullshitter.

He has the god damn nerve to say bullshit like that and sell merch with the below printed on it..

http://i65.tinypic.com/20qmikg.jpg

These Monero guys and all their misc companies and associations are corrupt back stabbing deceitful lying & bullshitting little obnoxious fucking pigs.

Snake oil salesmen raking in large profits while selling you all this ANON gimmick bullshit
and the big dream of...... "One day"

Maybe these cocky stupid fucking assholes should should change the text on their hoodies ?

Maybe something like.. "Everything can and will be compromised" ?  :D

PS:
Know where he got that from ?
Me and my so called "FUD" i posted for damn near 3 years now.
But it's true when he says it and lying Troll FUD when i do huh ?

Fluffy you are a fucking greedy deceitful little crypto-rat in the shadows counting your cash like all the other profiteers with their gimmick coins.. and tell Risto you want a raise bud LOL
And yeah Risto did admit way back to paying the dev's so don't play that off as a joke either.

Of course my questions went unanswered earlier.. little pussies in hiding  ::)

Go fuck yourselves Morono's ..i told you 2017 was gonna be fun HAHHAHAHAHHA

WOW!!!!

looks like he exactly know which roll is going to come next. However, he tried to look it real with those few red bets. I am not sure but someone can't be that much lucky when it comes to probability.

The thing is, this guy who did this was an idiot and by betting like that he made it very obvious that there are security leaks somewhere.

But imagine how many BTC were lost by small gamblers who made less obvious bets for the past couple of months prior, they must of cleared out thousands of dollars before it was caught on.

Not really running a gambling site these days with all these security issues.