Bitcoin Forum

Economy => Gambling => Topic started by: DiceBitcoin on September 19, 2014, 11:41:52 PM



Title: OFFICIAL DICEBITCO.IN ANNOUNCEMENT ABOUT THE SKIPPED NONCES INCIDENT
Post by: DiceBitcoin on September 19, 2014, 11:41:52 PM
OFFICIAL DICEBITCO.IN ANNOUNCEMENT ABOUT THE SKIPPED NONCES INCIDENT
============================================================


Hello everybody. There has been a lot of speculation going around, especially since we decided to stop forum announcements/communications and locked our official topic. Therefore, we decided to come straight and give all the explanations people wanted/demanded.


Due to the massive and fast growth of DiceBitcoin, we decided to hire one more coder, who would help us with the load (new features, various fixes, etc.) we were dealing with. If you were following DB from the start, you would notice that every few days we were fixing / upgrading / implementing new features non-stop. We had and still have tons of ideas and things we want to deploy, so we decided that hiring one more guy would be a good idea. We first assigned him some simple tasks and he was quickly adapting to the demanding environment that we have. The payment agreement was a simple one that we thought would give extra motivation to work harder: 20% of our cut, per month. So far so good.


However, that's where the problem apparently began. On 27th of August, we merged some of his changes without proper review of the code. We made sure that the build is not broken - that all tests were passing. There are no excuses for that. We didn't review it like we should, and that's how we ended up in this shitty situation. The code, which went live, was allowing the skipping of winning bets when the bet met some criteria (e.g. the bet wins X amount of btc with odds higher than Y). This was not active by default, he had to choose manually which player to 'cheat' and this is why not all users were affected. That was a totally stupid way to implement it, since if you do that, the bets will not be verifiable since the nonce sequence would be broken. But we will return to that in a while.


On the 7th of September, one of our players (finnile) noticed that something was wrong on his rolls. All his rolls were skipping winning nonces. When we confirmed it, we halted betting for everyone immediately (made all accounts invest-only, so betting was prohibited). It took us a lot of time to find out WTF was happening and just winning bets were skipped. Our first thought was that our database was having issues but then again why only the winning bets? When we found out that in fact this was deliberate we looked for malicious code. We wrote some failing tests, due to non verifiability of the bets, then rolled back the commit that introduced this and having tests passing we deployed the fix and we re-enabled betting. In addition, we refunded EVERY PLAYER who lost his coins due to this malicious code, from our own stash of bitcoins, leaving both the website's and investors' coins completely untouched. We took full responsibility for the mistake and we paid for it.


However, what followed was chaos (or shall I say, bank run). A lot of trolls, both on chat and on the forum, didn't lose a chance and went apeshit on us, scaring everyone away and warning users to pull their coins immediately because we would steal them - disappear them - abracadabra them. What we did though, was non-stop refunds on accounts that got negatively affected by this, processing thousand coins withdrawals and refilling the hot wallet. Betting resumed since the incident was fixed on the spot, and all refunds were carried by our stash, leaving investors intact, giving them zero reason to worry about their coins. Although, they were free to act at will. Not to mention investors were the only ones that got massive profit out of this!


In around 24hrs past the incident, the bankroll shrank from 7500 coins to ~1700. Then, we had one user, mateo, which was hitting the bankroll non-stop for almost 12hrs more, eating almost 600 BTC of profit (site was ~288 BTC profit prior to the 7th of September and around -320 BTC when mateo stopped playing). Lot of speculation exists as well around that user, so please allow me to elaborate. User mateo was registered on 2014-08-06 18:22:05 and before the incident of 7th of September was -33 BTC in total. The date he registered the other developer was not hired yet, so it is impossible that it was him. The new hire had no access to the database (or to the production server) which means that it is impossible for him to know other users' seeds. On top of that, mateo did randomize his rolls before he went on with his crazy streak (my guess would be to verify if he got affected by the malicious code - btw he was not affected). Given all those facts there is 0% chance it could be someone that knew the server seed and played against it. When he asked for a withdrawal when done, we were left astonished with that run (like we didn't have enough shit already to deal with). We postponed his withdrawal for several hours. We went through his rolls again and again, we searched every possible way of "cheating". Everything was legit, so we paid him out.

Story doesn't finish here though! Bankroll was left "bleeding" and nearly dead at around ~500 BTC, when people started investing little by little again. Finally two days ago, when we touched ~1k BTC bankroll again (and ~1700 BTC invested, exactly as it was before he started his crazy run), mateo returned. He made a massive deposit of 650 BTC, and after near half day of betting plus lot of fluctuations (he was winning up to 140 BTC at one point again - that sure made us shit our pants) he ended up losing everything he won on his previous lucky run plus some more. So what does that mean? That means that everyone who did not divest when mateo won, didn't lose a single satoshi and made a very nice return on top (let alone those that invested after mateo's huge win and stayed invested until his bust).

So does this make it right for everyone? Has our behavior been correct?
The answer is "No".

We made 3 mistakes. I will get to all 3 of them in detail along with the solution.
   
1. We put code live on our site, without testing. No excuses for that. It's no others' fault apart from ours, and we took full responsibility for it (that is why we paid from our own stash of bitcoins, and not from investors' or site's coins). Our fault, our bill. We decided from now on that only we will work on this project, even if it means that future features will be delayed.
2. When shit hit the fan, we said that we will not refund people who didn't lose from that (i.e. ended up with profit). That was wrong. Some users (with best example user marie_lemke), even if he got his initial deposit refunded, he should end up with much higher profit if the skipped nonces were not in place. So what we decided to do is simple: We credited all winning nonces that got skipped. That creates three types of users affected:
    a) User had negative profit but he would end up with negative profit anyways. We refund the initial deposit anyways (favors user).
    b) User had negative profit but he would end up with positive profit if it wasn't for the skipped nonces. Initial deposit is already refunded and we are crediting all the positive skipped rolls as well.
    c) User had positive balance despite the malicious code. We are crediting all the winning skipped rolls as well.
3. We abandoned forum / closed chat / locked our topic because we got so fed up with trolls and flaming. We allowed it to go under our skin, and that was our mistake. Communication is crucial, and absence of it is what they wanted and allows them to shine. We won't do them the favor anymore! Effective immediately we are back on forum, back on twitter (will post a link to this topic so everyone can be aware of what happened) and unlocking our original topic. Chat also will be re-activated but we want first to think some way to limit spam there. One idea is to allow chat to active members (x amount of BTC wagered OR x amount invested OR x amount in balance). Please allow us a few days or best case tomorrow.


To sum it up:
- We made a major mistake and 2 smaller ones. We took everything we could to make it right for everyone and make sure they won't happen again.
- Rolls ARE provably fair. That was patched the same moment we became aware of it.
- All accounts that were affected by skipped nonces have been refunded, to their best interest. List of usernames along with voucher code (tied to their account) is posted here. The list is here publicly available and we have emailed all the users who were affected and had email in their profile.
- All refunds are made from our own stash, and not investors' or site's money.
- All withdrawals / divests honoured. Never missed even one.

Bottom line, BankRoll was 7500BTC, which means we COULD HAVE STOLEN 3m$, but we didn't. Those BTCs missing are from investors who pulled out their own coins. Not only did we never steal one btc, but we did return ~6k btc to date back to whoever requested it. Some people try very hard to take DB down, but we won't do them the favour!

I would like also to grab this opportunity again, and re-invite dooglus to co-sign the cold wallet with us. I think we proved ourselves that we didn't run with 7500 coins when we could, but it would relax a lot of people if a co-sign was a possibility (especially now that it starts growing again and passed 1600 coins). Also, we have no problem if there is a way to take the roll server. For the story, we did discuss that in the past but we couldn't find an efficient way to do it. That to answer to a lot of people who wondered "why you didn't take up dooglus offer?". We never said no to dooglus. We just haven't found a way to make it possible yet.


P.S. Our sister site, DiceLiteco.in was not affected by this, since we didn't push any fix on that site for the last 2 months+ (we were waiting to finish with all the addons on the BitCoin version first, to pass it on the LTC site).


P.S. 2 If possible please bitcoininformation and dooglus inform me about the signature campaign (who got paid, who is crossed out etc.) so I can finalize the payments at end of the month. Having said that, we are back and I do apologize for 10 days absence.

P.S. 3 The reason we are making this post self-moderated, is simply to avoid troll posts like this one: https://bitcointalk.org/index.php?topic=774828.msg8878492#msg8878492 . That doesn't mean you can't address your concerns here / mention our fuckup / criticize us. That's why we reopen our original topic as well. However since this is our official statement, we would like to keep it clear and on topic as much as possible.

I want to thank all users who sent support tickets wishing us good luck and hoping we stand again on our feet, even if they cannot express it on the forum, because they are afraid of "negative trust" from alt accounts. Again thank you for your support. We will return stronger than ever!

Thank you all.

Regards




The list with affected users and vouchers follows:



ID     USERNAME           TOTAL AFFECTED  ALREADY REFUNDED  WE OWE       VOUCHER
------------------------------------------------------------------------------------------------------------
861    cuwirebeard        7.1556          5.90107777        1.25452223   DICE-OOMZ-RHAO-VVJM-NADM-VPID
4153   chris.jakubowski   0.17653184      0                 0.17653184   DICE-WRER-RGQN-WBQK-SAKG-YVCY
4433   presto             0.92611544      0                 0.92611544   DICE-SGXP-HDOH-NQIJ-OBHR-BSNH
12599  RNG                6.93989901      2.62806461        4.3118344    DICE-IQPB-VQHY-KRQN-NJLW-LLRQ
13835  Altitude           0.51368555      0                 0.51368555   DICE-YVKB-WGVS-LROH-QUHU-QKNT
16189  andyazz            1.49798912      0                 1.49798912   DICE-KTAW-CVNY-QCTR-BSBT-POYV
16511  marcellus_hand     1.23665803      0                 1.23665803   DICE-GLXJ-BGHY-DNHT-JPXB-UKCD
16657  kinki              1.234375        0                 1.234375     DICE-POMK-UXEH-EACC-IYDC-YHHK
18541  coty_predovic      27.64702008     20                7.64702008   DICE-IEZN-HFKV-OEUX-RTXE-WPBD
18544  Degenerate         0.4             0                 0.4          DICE-RVYD-WUQQ-NTPH-YIEJ-TJKH
19864  marie_lemke        55.18           35.1              20.08        DICE-WFQT-YWBJ-JFSC-KLLM-LROU
19914  lewis.aufderhar    1.781328        0                 1.781328     DICE-CIFJ-FTUE-OSIP-MYIU-RPWD
20178  esperanza.ritchie  1.74797619      0                 1.74797619   DICE-HHWZ-LVKF-ZVMM-HRLK-UJQD
10637  themikego          1.50665557      2.85665558        0
18165  Focus              7.5             8.00258683        0
6769   finnile            1.47746763      2                 0
16416  James              7               14.3792809        0


Note: vouchers are bound to the account, meaning only the specific userid/username can claim it!
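The check a player can run once a server seed is revealed, as an added example that is not part of the original post and not DiceBitcoin's code: it verifies the seed commitment, recomputes every recorded roll, and reports nonce gaps together with whether each skipped nonce would have won. The roll derivation (HMAC-SHA512 over `client_seed:nonce`), the seeds, the 49.50 target and the bet history are all assumptions constructed for illustration; the post does not give the site's actual formula.

```python
import hashlib
import hmac

# Constructed sample values (not taken from the site).
SERVER_SEED = "constructed-server-seed-for-illustration"
CLIENT_SEED = "constructed-client-seed"
SEED_HASH = hashlib.sha256(SERVER_SEED.encode()).hexdigest()  # published before betting
TARGET = 4950  # bet wins when roll < 49.50, expressed in hundredths


def roll_for(server_seed: str, client_seed: str, nonce: int) -> int:
    """Roll in hundredths (0..9999). ASSUMED derivation, common to
    provably-fair dice sites; substitute the site's documented formula."""
    msg = f"{client_seed}:{nonce}".encode()
    digest = hmac.new(server_seed.encode(), msg, hashlib.sha512).hexdigest()
    return int(digest[:8], 16) % 10000


def make_sample_history(skip_wins: bool, bets: int = 40):
    """Constructed bet history. With skip_wins=True the winning nonces are
    absent, which is what a history looks like after the incident described."""
    history = []
    for nonce in range(bets):
        roll = roll_for(SERVER_SEED, CLIENT_SEED, nonce)
        if skip_wins and roll < TARGET:
            continue  # nonce consumed but no bet recorded for it
        history.append({"nonce": nonce, "roll": roll, "target": TARGET})
    return history


def audit(history, server_seed, client_seed, seed_hash, first_nonce=0):
    """Audit a revealed seed against a recorded bet history.

    Returns a report with:
      commitment_ok - revealed seed matches the hash published up front
      mismatched    - nonces whose recorded roll differs from the recomputed one
      missing       - nonces absent from the sequence (gaps)
      missing_wins  - missing nonces that would have won the bet placed next
    A gap after the last recorded bet cannot be seen from the history alone.
    """
    actual_hash = hashlib.sha256(server_seed.encode()).hexdigest()
    report = {
        "commitment_ok": hmac.compare_digest(actual_hash, seed_hash),
        "mismatched": [],
        "missing": [],
        "missing_wins": [],
    }
    expected = first_nonce
    for bet in sorted(history, key=lambda b: b["nonce"]):
        # Every nonce between the previous bet and this one was skipped.
        for skipped in range(expected, bet["nonce"]):
            report["missing"].append(skipped)
            if roll_for(server_seed, client_seed, skipped) < bet["target"]:
                report["missing_wins"].append(skipped)
        if roll_for(server_seed, client_seed, bet["nonce"]) != bet["roll"]:
            report["mismatched"].append(bet["nonce"])
        expected = bet["nonce"] + 1
    return report


if __name__ == "__main__":
    for label, skip in (("honest", False), ("skipped wins", True)):
        rep = audit(make_sample_history(skip), SERVER_SEED, CLIENT_SEED, SEED_HASH)
        print(label, "->", len(rep["missing"]), "missing nonces,",
              len(rep["missing_wins"]), "of them winning,",
              len(rep["mismatched"]), "mismatched rolls")
```

A gap by itself only shows the sequence is broken; gaps that are all wins, as in the constructed history here, are the pattern finnile reported.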






Title: Re: OFFICIAL DICEBITCO.IN ANNOUNCEMENT ABOUT THE SKIPPED NONCES INCIDENT
Post by: suchmoon on September 20, 2014, 12:29:38 AM
Will you publish mateo's rolls, seeds, etc?


Title: Re: OFFICIAL DICEBITCO.IN ANNOUNCEMENT ABOUT THE SKIPPED NONCES INCIDENT
Post by: DiceBitcoin on September 20, 2014, 12:45:39 AM
Will you publish mateo's rolls, seeds, etc?

Yes, I am sure it will be an interesting study! I will post seeds though when/if he randomizes (he hasn't randomized yet).


Title: Re: OFFICIAL DICEBITCO.IN ANNOUNCEMENT ABOUT THE SKIPPED NONCES INCIDENT
Post by: DiceBitcoin on September 20, 2014, 01:12:50 AM
Will you refund the 2.34 BTC that you owe me and that you didn't refund because my account was in "profit"...
I'm still waiting

For the Nth time : YOUR ACCOUNT WAS NOT AFFECTED. Check for yourself as well.

P.S. You haven't even randomized your last run yet (current nonce 1102!!!)


Title: Re: OFFICIAL DICEBITCO.IN ANNOUNCEMENT ABOUT THE SKIPPED NONCES INCIDENT
Post by: DiceBitcoin on September 20, 2014, 01:18:36 AM
Will you refund the 2.34 BTC that you owe me and that you didn't refund because my account was in "profit"...
I'm still waiting

For the Nth time : YOUR ACCOUNT WAS NOT AFFECTED. Check for yourself as well.

P.S. You haven't even randomized your last run yet (current nonce 1102!!!)
Going to get my verifier out and show you, it isn't my last run it's before this.

By the way is this issue fixed or is it still happening, how do we know this bug is fixed

By all means, please do get your verifier and post your results. And yes the issue is fixed. It's easy to see if it's fixed: Verify your bets!!!


Title: Re: OFFICIAL DICEBITCO.IN ANNOUNCEMENT ABOUT THE SKIPPED NONCES INCIDENT
Post by: DiceBitcoin on September 20, 2014, 01:38:32 AM
Will you refund the 2.34 BTC that you owe me and that you didn't refund because my account was in "profit"...
I'm still waiting

For the Nth time : YOUR ACCOUNT WAS NOT AFFECTED. Check for yourself as well.

P.S. You haven't even randomized your last run yet (current nonce 1102!!!)
Going to get my verifier out and show you, it isn't my last run it's before this.

By the way is this issue fixed or is it still happening, how do we know this bug is fixed

By all means, please do get your verifier and post your results. And yes the issue is fixed. It's easy to see if it's fixed: Verify your bets!!!


If it's fixed why isn't chat back on

Did you read the whole post..?

Quote
Chat also will be re-activated but we want first to think some way to limit spam there. One idea is to allow chat to active members (x amount of BTC wagered OR x amount invested OR x amount in balance). Please allow us a few days or best case tomorrow.


Title: Re: OFFICIAL DICEBITCO.IN ANNOUNCEMENT ABOUT THE SKIPPED NONCES INCIDENT
Post by: dooglus on September 20, 2014, 01:38:47 AM
Will you be allowing people to verify each other's rolls (after they have randomized, of course)?

Apparently this used to be possible but was disabled shortly before mateo's big win.

Any comment on why the ability to look at the client seed, nonce, etc. for arbitrary roll numbers was disabled?


Title: Re: OFFICIAL DICEBITCO.IN ANNOUNCEMENT ABOUT THE SKIPPED NONCES INCIDENT
Post by: DiceBitcoin on September 20, 2014, 01:45:12 AM
Will you be allowing people to verify each other's rolls (after they have randomized, of course)?

Apparently this used to be possible but was disabled shortly before mateo's big win.

Any comment on why the ability to look at the client seed, nonce, etc. for arbitrary roll numbers was disabled?

Yes we will re-enable it in the near future. We first have to have some quota limitations because after the issue was found our server got under heavy load since everyone was hitting the server.


Title: Re: OFFICIAL DICEBITCO.IN ANNOUNCEMENT ABOUT THE SKIPPED NONCES INCIDENT
Post by: DiceBitcoin on September 20, 2014, 01:49:49 AM
Quote
*cough*
Because he was Matteo
*cough*
So I won as mateo 600 coins, and lost them back...?


Quote
Your signup date is invalid
?

Quote
because you could've easily been doing it in the first place with small amounts like .01 so it wouldn't show in the high bets but subtly show in the all bets, at a slower rate (one bet every 10 minutes)
Add this up it's one coin every 1000 minutes.... 1 coin a day round off
????

Quote
It makes sense for you to do that to keep your profit up and investor profit down..

Paying BTCs out of my own pocket for refunds and investors profit ~329 BTC atm...? Does that make sense to you?

Quote
now that everyone knows you did this it makes it hard for us to trust you
That I did what exactly?

That's the last troll post I'm answering on this topic btw. You can use our original topic and troll all you wish --> https://bitcointalk.org/index.php?topic=716312.0



Title: Re: OFFICIAL DICEBITCO.IN ANNOUNCEMENT ABOUT THE SKIPPED NONCES INCIDENT
Post by: Stunna on September 20, 2014, 01:53:57 AM
Don't see why on Earth anyone would deal with you from this point onwards.

Good luck trying to regain people's trust after potentially scamming over a thousand coins.


Title: Re: OFFICIAL DICEBITCO.IN ANNOUNCEMENT ABOUT THE SKIPPED NONCES INCIDENT
Post by: Stars on September 20, 2014, 01:55:29 AM
Don't see why on Earth anyone would deal with you from this point onwards.

Good luck trying to regain people's trust after potentially scamming over a thousand coins.

Pm'd you Stunna.


Title: Re: OFFICIAL DICEBITCO.IN ANNOUNCEMENT ABOUT THE SKIPPED NONCES INCIDENT
Post by: BigGameCAsino on September 20, 2014, 02:01:45 AM
This thread is fun to read and Dicebitcoin is ALL RED.  ;D


Title: Re: OFFICIAL DICEBITCO.IN ANNOUNCEMENT ABOUT THE SKIPPED NONCES INCIDENT
Post by: moreia on September 20, 2014, 02:08:54 AM
hope this site doesn't get too much invested soon.


Title: Re: OFFICIAL DICEBITCO.IN ANNOUNCEMENT ABOUT THE SKIPPED NONCES INCIDENT
Post by: galbros on September 20, 2014, 02:28:14 AM
I appreciate you laying all this out.  I said so  then (https://bitcointalk.org/index.php?topic=716312.msg8721867#msg8721867), and I'll say so now, I don't think you're a scammer but in addition to making a serious mistake (which you've acknowledged) you really did make it easy for the people who wanted to paint you as one.

Stunna has a good point, but clearly people are starting to trust you again.  Full explanations like you've given here help.

I don't think you should put some kind of minimum activity level on chat, just have some moderators to keep things orderly.

Given what has happened you are going to take a lot of grief, good luck.


Title: Re: OFFICIAL DICEBITCO.IN ANNOUNCEMENT ABOUT THE SKIPPED NONCES INCIDENT
Post by: Cluster2k on September 20, 2014, 02:40:18 AM
Bankroll is up to 1600 again so people are beginning to trust the site again.  The best way to restore trust is to run it without any incidents for a long time.  Hopefully operations are smooth from here on.


Title: Re: OFFICIAL DICEBITCO.IN ANNOUNCEMENT ABOUT THE SKIPPED NONCES INCIDENT
Post by: hosumfu on September 20, 2014, 02:45:04 AM
did i have any bonus??
id: bank
thanks :o


Title: Re: OFFICIAL DICEBITCO.IN ANNOUNCEMENT ABOUT THE SKIPPED NONCES INCIDENT
Post by: Jamie_Boulder on September 20, 2014, 03:45:02 AM
Don't see why on Earth anyone would deal with you from this point onwards.

Good luck trying to regain people's trust after potentially scamming over a thousand coins.
A little disappointed in this response.

I would have thought you of all people would actually look at the facts instead of demonizing an innocent person for the sake of competition (not to mention the false remark about scamming a "thousand coins")

1. They've proven themselves to be trustworthy with $2m+
2. Nobody has profited from this, especially them
3. They've been open about everything from the beginning


Title: Re: OFFICIAL DICEBITCO.IN ANNOUNCEMENT ABOUT THE SKIPPED NONCES INCIDENT
Post by: Valzador on September 20, 2014, 05:28:27 AM
WOOHOOOOOOO

I knew dicebitco.in wasn't a scam site ;D ;D ;D ;D ;D


Title: Re: OFFICIAL DICEBITCO.IN ANNOUNCEMENT ABOUT THE SKIPPED NONCES INCIDENT
Post by: robhimself on September 20, 2014, 06:35:35 AM
Is the information on the alleged scamming new programmer going to be given? Is he a member of the BTC community that people would know and should look out for in the future?


Title: Re: OFFICIAL DICEBITCO.IN ANNOUNCEMENT ABOUT THE SKIPPED NONCES INCIDENT
Post by: Stunna on September 20, 2014, 06:48:40 AM
I'm sure all rational arguments against this website will be plucked from this thread. I think it's really unfortunate that people are so unbelievably naive to even contemplate for a second that this website is "innocent". I'm shocked someone even noticed they were nonce-skipping, all I know is this could have gone on for another year+ without anyone figuring it out.

Investments are inherently non-provably fair and dangerous, I wouldn't trust anyone with an investment of this type it is absolutely negative expected value. All I have to say is anyone who chooses to continue to play or invest in this PROVEN fraudulent website doesn't deserve whatever coins they have. This scam was pre-meditated, dicebitco.in made it near impossible to verify the bets of others or view their bet info/seeds for this very reason.

I was right 1-2 months ago when I spoke out against them and I'm sure I'll be right again 1-2 months from now.


Don't see why on Earth anyone would deal with you from this point onwards.

Good luck trying to regain people's trust after potentially scamming over a thousand coins.
A little disappointed in this response.

I would have thought you of all people would actually look at the facts instead of demonizing an innocent person for the sake of competition (not to mention the false remark about scamming a "thousand coins")

1. They've proven themselves to be trustworthy with $2m+
2. Nobody has profited from this, especially them
3. They've been open about everything from the beginning

I've broken down these arguments in the past, the crux of it is dicebitco.in isn't anonymous and doesn't want to go to jail or be hunted after. I stand by everything I said including the part about the 1000 coins.


Title: Re: OFFICIAL DICEBITCO.IN ANNOUNCEMENT ABOUT THE SKIPPED NONCES INCIDENT
Post by: Martijnvdc on September 20, 2014, 09:21:21 AM
Even IF it wasn't one big scam, why would people trust you with money again after such big mistakes?
I lost 85% of my investment in this website, and the owner won't refund me because i was ""positively affected""...
Mateo was still playing with my invested money when i divested the little bit i had left. So i don't see how i wouldn't be refunded, if this security issue is the cause of it.
The responses i got from their ticket system were VERY shady to say the least.


Title: Re: OFFICIAL DICEBITCO.IN ANNOUNCEMENT ABOUT THE SKIPPED NONCES INCIDENT
Post by: DiceBitcoin on September 20, 2014, 11:01:50 AM

I've broken down these arguments in the past, the crux of it is dicebitco.in isn't anonymous and doesn't want to go to jail or be hunted after. I stand by everything I said including the part about the 1000 coins.

That is the most stupid thing I ever heard in the whole DB saga. You really believe I'm not anonymous, and "I am afraid of being hunted or go to jail"? lol. At this point I really don't know if you do believe this, or you simply try to use this argument because you still can't accept the fact we are refunding.

tl;dr you are truly stupid if you think FEAR is the reason I'm doing this. Only thing scares me is human stupidity, and you man take it in another level. Like seriously, bring it on.

Even IF it wasn't one big scam, why would people trust you with money again after such big mistakes?
I lost 85% of my investment in this website, and the owner won't refund me because i was ""positively affected""...
Mateo was still playing with my invested money when i divested the little bit i had left. So i don't see how i wouldn't be refunded, if this security issue is the cause of it.
The responses i got from their ticket system were VERY shady to say the least.

Get your facts right. We will not refund you because you were not affected by this, only certain players (less than 20) got affected. You lost because you pulled out your investment by divesting when you were in minus. If you didn't divest, you would never lose those coins (but made a nice extra as well).


Title: Re: OFFICIAL DICEBITCO.IN ANNOUNCEMENT ABOUT THE SKIPPED NONCES INCIDENT
Post by: Martijnvdc on September 20, 2014, 11:41:29 AM
Get your facts right. We will not refund you because you were not affected by this, only certain players (less than 20) got affected. You lost because you pulled out your investment by divesting when you were in minus. If you didn't divest, you would never lose those coins (but made a nice extra as well).
Mateo was STILL PLAYING against MY investment. He was CHEATING me out of MY money. You didn't halt gambling while the cheating was going on at all. Explain to me how this is not a SCAM.
You are a shameless scammer. It's as simple as that.


Title: Re: OFFICIAL DICEBITCO.IN ANNOUNCEMENT ABOUT THE SKIPPED NONCES INCIDENT
Post by: WhatTheGox on September 20, 2014, 11:43:50 AM

Crazy situation  :-\


Title: Re: OFFICIAL DICEBITCO.IN ANNOUNCEMENT ABOUT THE SKIPPED NONCES INCIDENT
Post by: DiceBitcoin on September 20, 2014, 12:29:56 PM
Mateo was STILL PLAYING against MY investment. He was CHEATING me out of MY money. You didn't halt gambling while the cheating was going on at all. Explain to me how this is not a SCAM.
You are a shameless scammer. It's as simple as that.

You are wrong. The gambling WAS HALTED when the incident was found (all accounts turned into invest-only) and reinstated betting only when we made sure the malicious code is not in place. Also, mateo didn't play that particular day, but almost 24h~ after the incident. It was your choice to leave your coins invested or divest them when you were losing (invest/divest was never halted, same as withdrawals).


Title: Re: OFFICIAL DICEBITCO.IN ANNOUNCEMENT ABOUT THE SKIPPED NONCES INCIDENT
Post by: AirFlame on September 20, 2014, 12:43:41 PM
Don't see why on Earth anyone would deal with you from this point onwards.

Good luck trying to regain people's trust after potentially scamming over a thousand coins.

You had a bug in your primedice and people were deceived. Wait, how many was it?

Quote
around 37,500 bets were settled as losses when they should have been wins...

https://bitcointalk.org/index.php?topic=208986.msg8441727#msg8441727


Title: Re: OFFICIAL DICEBITCO.IN ANNOUNCEMENT ABOUT THE SKIPPED NONCES INCIDENT
Post by: Martijnvdc on September 20, 2014, 12:44:21 PM
Mateo was STILL PLAYING against MY investment. He was CHEATING me out of MY money. You didn't halt gambling while the cheating was going on at all. Explain to me how this is not a SCAM.
You are a shameless scammer. It's as simple as that.

You are wrong. The gambling WAS HALTED when the incident was found (all accounts turned into invest-only) and reinstated betting only when we made sure the malicious code is not in place. Also, mateo didn't play that particular day, but almost 24h~ after the incident. It was your choice to leave your coins invested or divest them when you were losing (invest/divest was never halted, same as withdrawals).
YOU ARE LYING.
He won almost all his bets... Against a negative bankroll... This site is STILL RIGGED.
You should have halted the gambling and sent the investor's money to their emergency address once a security issue was found. Instead, you let the gambling continue, and even THEN you still let Mateo withdraw his money. You continued the gambling without a deep inspection into your source code.
How can you lie about what happened when there were so many people watching it all happen??

Also, i believe it would be your moral obligation to halt the gambling until all investors could at least be given the time to log into their accounts. I wasn't even given a chance or even a warning email of what happened. A gambler won UNFAIRLY against my investment, and somehow it's my fault for not divesting WHILE he was cheating??

Your actions show nothing but the intent to steal money from the investors and get away with it.


Title: Re: OFFICIAL DICEBITCO.IN ANNOUNCEMENT ABOUT THE SKIPPED NONCES INCIDENT
Post by: DiceBitcoin on September 20, 2014, 12:58:49 PM

YOU ARE LYING.
He won almost all his bets... Against a negative bankroll... This site is STILL RIGGED.
You should have halted the gambling and sent the investor's money to their emergency address once a security issue was found. Instead, you let the gambling continue, and even THEN you still let Mateo withdraw his money. You continued the gambling without a deep inspection into your source code.
How can you lie about what happened when there were so many people watching it all happen??

Also, i believe it would be your moral obligation to halt the gambling until all investors could at least be given the time to log into their accounts. I wasn't even given a chance or even a warning email of what happened. A gambler won UNFAIRLY against my investment, and somehow it's my fault for not divesting WHILE he was cheating??

Your actions show nothing but the intent to steal money from the investors and get away with it.

Get your facts right. He didn't win almost all his bets, plus he ended up busting big time (lost all he won + more). Against a negative bankroll..? What is negative bankroll? mateo's first withdrawal wasn't done automatically. We went through all his bets and they were legit. He also had randomized his server seed, so it was impossible for him to cheat. Simple as that. As far as the "continued gambling", we did only after we inspected the code, isolated the malicious code and made 1000% sure it works as it should. Calling the site STILL RIGGED will just get you a negative trust next time you post, without facts. And that's the last time I answer to you. I am sorry you divested when in loss, but the gambler did NOT win unfairly against your investment, since he had no access to server seeds. You miss the point that from this whole fiasco, the ONLY people that had a profit out of this were investors. Neither we or users with known server seeds.


Title: Re: OFFICIAL DICEBITCO.IN ANNOUNCEMENT ABOUT THE SKIPPED NONCES INCIDENT
Post by: Martijnvdc on September 20, 2014, 01:11:54 PM

YOU ARE LYING.
He won almost all his bets... Against a negative bankroll... This site is STILL RIGGED.
You should have halted the gambling and sent the investor's money to their emergency address once a security issue was found. Instead, you let the gambling continue, and even THEN you still let Mateo withdraw his money. You continued the gambling without a deep inspection into your source code.
How can you lie about what happened when there were so many people watching it all happen??

Also, I believe it would be your moral obligation to halt the gambling until all investors could at least be given the time to log into their accounts. I wasn't even given a chance or even a warning email of what happened. A gambler won UNFAIRLY against my investment, and somehow it's my fault for not divesting WHILE he was cheating??

Your actions show nothing but the intent to steal money from the investors and get away with it.

Get your facts right. He didn't win almost all his bets, plus he ended up busting big time (lost all he won + more). Against a negative bankroll..? What is negative bankroll? mateo's first withdrawal wasn't done automatically. We went through all his bets and they were legit. He also had randomized his server seed, so it was impossible for him to cheat. Simple as that. As far as the "continued gambling", we did only after we inspected the code, isolated the malicious code and made 1000% sure it works as it should. Calling the site STILL RIGGED will just get you a negative trust next time you post, without facts. And that's the last time I answer to you. I am sorry you divested when in loss, but the gambler did NOT win unfairly against your investment, since he had no access to server seeds. You miss the point that from this whole fiasco, the ONLY people that had a profit out of this were investors. Neither we nor users with known server seeds.
Great. So where is YOUR proof of not being Mateo then?
Also, you went through all his bets, which skipped nonces, and somehow you considered those to be legit? If he skips nonces then he is cheating and you shouldn't have paid him his "winnings". You're not implying he wasn't cheating, right?
Go ahead and give me negative feedback. Threatening other people on here won't improve your trust at all. If this is how you work then I honestly don't see how anyone would ever trust you with a single bitcent ever again. You have proven to be completely incompetent of running this website responsibly. Tell me, what is the emergency address for?? Was there even any source code in place that would send to those addresses in case of an emergency?
Go ahead and give an honest man negative feedback. Go right ahead.

Also, a negative bankroll is a bankroll where there is a minus-sign in front of it...


Title: Re: OFFICIAL DICEBITCO.IN ANNOUNCEMENT ABOUT THE SKIPPED NONCES INCIDENT
Post by: jaysabi on September 20, 2014, 02:37:31 PM
BR can't be negative. Once it's zero, there's nothing to bet against. Profit was negative, not bankroll.

Can we lock this thread and direct all comments to the longer thread already dealing with this topic? There doesn't need to be two discussions about the same topic going on, that just leads to confusion and missing information and people saying the same things in two different places.


Title: Re: OFFICIAL DICEBITCO.IN ANNOUNCEMENT ABOUT THE SKIPPED NONCES INCIDENT
Post by: suchmoon on September 20, 2014, 03:26:11 PM
Get your facts right. We will not refund you because you were not affected by this, only certain players (less than 20) got affected. You lost because you pulled out your investment by divesting when you were in minus. If you didn't divest, you would never lose those coins (but made a nice extra as well).

I think your own facts are not quite right. As was posted in the other thread, even if investors didn't divest they wouldn't have gained their coins back, let alone "extra".

Why don't you post a list of investors from before the shitstorm, and exactly how much each of them divested/invested/lost/gained since then.


Title: Re: OFFICIAL DICEBITCO.IN ANNOUNCEMENT ABOUT THE SKIPPED NONCES INCIDENT
Post by: robhimself on September 20, 2014, 03:56:01 PM
Get your facts right. We will not refund you because you were not affected by this, only certain players (less than 20) got affected. You lost because you pulled out your investment by divesting when you were in minus. If you didn't divest, you would never lose those coins (but made a nice extra as well).

I think your own facts are not quite right. As was posted in the other thread, even if investors didn't divest they wouldn't have gained their coins back, let alone "extra".

Why don't you post a list of investors from before the shitstorm, and exactly how much each of them divested/invested/lost/gained since then.

The thing I'm most curious about is who were these investors who saw the shitstorm that was DBC and still decided to go and invest new coins during it, just in time to catch Mateo dumping back what he had won before. That's the problem here, the owner could easily be Mateo and also be most of the investment on the site right now. So he sacrificed some BTC to the few legit investors still in on the site in order to gain back trust for an even bigger Mateo (or likely some new account) win in the future.


Title: Re: OFFICIAL DICEBITCO.IN ANNOUNCEMENT ABOUT THE SKIPPED NONCES INCIDENT
Post by: dooglus on September 20, 2014, 04:38:31 PM
Good luck trying to regain people's trust after potentially scamming over a thousand coins.

I stand by everything I said including the part about the 1000 coins.

I don't think I understand. What 1000 coins are you talking about here?

I see two ways to interpret your "potentially" here:

1) Are you saying they had the potential to steal 1000 BTC? If so, the number is more like 7000, since that's what was in the bankroll that they could have stolen (but instead they allowed investors to withdraw almost all of it).

2) Or are you saying that you think they actually stole 1000 BTC? If so, how? Even if "Mateo" was a site player, he lost more than he won, and it was less than 1000 BTC.

Neither way makes much sense to me. Could you be clearer about what you're actually accusing them of?


Title: Re: OFFICIAL DICEBITCO.IN ANNOUNCEMENT ABOUT THE SKIPPED NONCES INCIDENT
Post by: grux on September 20, 2014, 06:27:05 PM
In around 24hrs past the incident, the bankroll shrank from 7500 coins to ~1700. Then, we had one user, mateo, which was hitting the bankroll non stop for almost 12hrs more, eating almost 600 BTC of profit (site was ~288 BTC profit prior to the 7th of September and around -320 BTC when mateo stopped playing). Lot of speculation exists as well around that user, so please allow me to elaborate. User mateo was registered on 2014-08-06 18:22:05 and before the incident of 7th of September was -33 BTC in total. The date he registered the other developer was not hired yet, so it is impossible that it was him. The new hire had no access to the database (or to the production server) which means that it is impossible for him to know other users’ seeds. On top of that, mateo did randomize his rolls before he goes on with his crazy streak (my guess would be to verify if he got affected by the malicious code - btw he was not affected). Given all those facts there is 0% chance it could be someone that knew the server seed and played against it. When he asked for a withdrawal when done, we are left astonished with that run (like we didn’t have enough shit already to deal with). We postponed his withdrawal for several hours. We went through his rolls again and again, we searched every possible way of "cheating". Everything was legit, so we paid him out.

If he didn't have access to production/database servers, but could upload code himself unchecked, what makes you guys think he wouldn't add any query or even a URL that reveals the auth details or seeds for himself?

I imagine anyone with access and ability to upload unchecked code can do the following:
  • Read out the authentication details used to connect to the database/wallet
  • Run a query to look up seeds
  • Intercept passwords before they are hashed and checked against database
  • Forge tokens/cookies and log into another's account
  • Change/delete entire tables of the database
  • Increase or decrease balances of any user

Why are you guys even assuming that seeds, passwords, and server are safe? Isn't it time for a full system seed and password change?

Are you guys just making up this whole "employee" story? Are you guys this inexperienced?


Title: Re: OFFICIAL DICEBITCO.IN ANNOUNCEMENT ABOUT THE SKIPPED NONCES INCIDENT
Post by: dooglus on September 20, 2014, 06:41:50 PM
If he didn't have access to production/database servers, but could upload code himself unchecked, what makes you guys think he wouldn't add any query or even a URL that reveals the auth details or seeds for himself?

They've addressed this before.

He couldn't upload code himself. They uploaded his code for him without properly testing it. When they found out that his code was malicious they backed out his change.

While the code was in place he could potentially have grabbed a server seed, but apparently he randomized after his change was backed out, meaning he no longer had a way of reading his seeds.

I think that's how it goes, anyway.


Title: Re: OFFICIAL DICEBITCO.IN ANNOUNCEMENT ABOUT THE SKIPPED NONCES INCIDENT
Post by: grux on September 20, 2014, 07:06:10 PM
If he didn't have access to production/database servers, but could upload code himself unchecked, what makes you guys think he wouldn't add any query or even a URL that reveals the auth details or seeds for himself?

They've addressed this before.

He couldn't upload code himself. They uploaded his code for him without properly testing it. When they found out that his code was malicious they backed out his change.

While the code was in place he could potentially have grabbed a server seed, but apparently he randomized after his change was backed out, meaning he no longer had a way of reading his seeds.

I think that's how it goes, anyway.

We cannot assume this is the case, he may have randomized his own seed, but we're ignoring the true danger here. He may know the seeds to many whales or to even other accounts he has that DB doesn't know about. And the seed isn't the only vector here for such a disastrous situation.


Title: Re: OFFICIAL DICEBITCO.IN ANNOUNCEMENT ABOUT THE SKIPPED NONCES INCIDENT
Post by: dooglus on September 20, 2014, 07:13:42 PM
We cannot assume this is the case, [...]

I wasn't assuming anything. I was repeating what I think is the "official story".


Title: Re: OFFICIAL DICEBITCO.IN ANNOUNCEMENT ABOUT THE SKIPPED NONCES INCIDENT
Post by: BusyBeaverHP on September 20, 2014, 07:48:58 PM
I had 0.01 invested in DiceBitco.in and was fortunate enough to immediately withdraw that Sunday after hearing about the skipped nonce incident. My observation of the events:

1. Skipped nonces (https://bitcointalk.org/index.php?topic=716312.msg8714251#msg8714251) -  A high roller (finnile) discovered he was losing due to skipped nonces that targeted only winning bets.

2. More high rollers noticed the cheat (https://bitcointalk.org/index.php?topic=716312.msg8715892#msg8715892) - The skipped nonce bug targeted high rollers.

3. Site owner's response (https://bitcointalk.org/index.php?topic=716312.msg8717496#msg8717496) - They claimed that the code was implemented by a new employee.
However, the statement manl put out a day earlier (https://bitcointalk.org/index.php?topic=716312.msg8717538#msg8717538) contradicted this: there was no new employee.
Didn't GHash.io blame a new employee (https://bitcointalk.org/index.php?topic=327767.0) for their double-spending incident as well?

4. Investors are alarmed. Bankroll plummeted from 7000 BTC down to less than 2000 BTC. I divested and withdrew at this point.

5. Owners disable DiceBitco.in's peer bet verification and chat lobby.
There is absolutely no reason to hide betting verification other than to cheat.

6. Enter "mateo".

7. Using a few thousand 49.5% bets, mateo turned a +300 positive bankroll into -300. Nobody can verify his rolls.
What is the probability that a high roller shows up out of nowhere and sweeps the bankroll shortly after betting verification is disabled?

8. The site owner then goes completely silent for two weeks.

Everyone can come to their own conclusions at this point.
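The check a player can run on their own bet history once the server seed is revealed, as an added example that is not part of the post above and not DiceBitco.in's code. The roll derivation, the SHA-256 commitment and the sample history are assumptions constructed for illustration; the site's real algorithm is not given in this thread.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class Bet:
    nonce: int      # nonce the site says it used for this bet
    amount: float   # stake in BTC
    target: float   # bet wins when roll < target (49.5 means a 49.5% chance)
    roll: float     # roll the site reported


def seed_commitment(server_seed: str) -> str:
    """Hash published before play (ASSUMED here to be SHA-256 of the seed)."""
    return hashlib.sha256(server_seed.encode()).hexdigest()


def roll_for(server_seed: str, client_seed: str, nonce: int) -> float:
    """ASSUMED roll derivation, not DiceBitco.in's: HMAC-SHA512 keyed with the
    server seed over "client_seed:nonce"; the first 5-hex-digit chunk below
    1,000,000 is reduced to a roll in 0.00-99.99."""
    digest = hmac.new(server_seed.encode(), f"{client_seed}:{nonce}".encode(),
                      hashlib.sha512).hexdigest()
    for i in range(0, len(digest) - 4, 5):
        n = int(digest[i:i + 5], 16)
        if n < 1_000_000:
            return (n % 10_000) / 100
    return 99.99


def audit(server_seed, published_hash, client_seed, bets, first_nonce=0):
    """Verify the seed commitment, every reported roll, and nonce continuity.
    For each missing nonce, recompute the roll the player never saw and test
    it against the bet that received the next recorded nonce."""
    report = {
        "commitment_ok": hmac.compare_digest(seed_commitment(server_seed),
                                             published_hash),
        "bad_rolls": [], "reused": [], "skipped": [],
    }
    expected = first_nonce
    for bet in sorted(bets, key=lambda b: b.nonce):
        if bet.nonce < expected:
            report["reused"].append(bet.nonce)
        else:
            for missing in range(expected, bet.nonce):
                hidden = roll_for(server_seed, client_seed, missing)
                report["skipped"].append({
                    "nonce": missing, "roll": hidden, "amount": bet.amount,
                    "would_have_won": hidden < bet.target,
                })
            expected = bet.nonce + 1
        if roll_for(server_seed, client_seed, bet.nonce) != bet.roll:
            report["bad_rolls"].append(bet.nonce)
    return report


def constructed_history(server_seed, client_seed, rigged, n_bets=60,
                        big=5.0, threshold=1.0):
    """CONSTRUCTED sample data: alternating 0.01 and 5 BTC bets at 49.5%.
    With rigged=True it mimics the behaviour described in the thread: a
    nonce is silently dropped whenever a large bet would have won on it."""
    bets, nonce = [], 0
    for i in range(n_bets):
        amount = big if i % 2 else 0.01
        if rigged and amount >= threshold:
            while roll_for(server_seed, client_seed, nonce) < 49.5:
                nonce += 1
        bets.append(Bet(nonce, amount, 49.5,
                        roll_for(server_seed, client_seed, nonce)))
        nonce += 1
    return bets


if __name__ == "__main__":
    seed, client = "constructed-server-seed", "constructed-client-seed"
    history = constructed_history(seed, client, rigged=True)
    result = audit(seed, seed_commitment(seed), client, history)
    print("commitment ok:", result["commitment_ok"])
    for gap in result["skipped"]:
        print(gap)
```

Every reported roll in the rigged history still verifies on its own; only the continuity check exposes the missing nonces, which is why the audit needs the full, gap-free bet list rather than individual bets.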


Title: Re: OFFICIAL DICEBITCO.IN ANNOUNCEMENT ABOUT THE SKIPPED NONCES INCIDENT
Post by: suchmoon on September 20, 2014, 08:52:39 PM
We cannot assume this is the case, [...]

I wasn't assuming anything. I was repeating what I think is the "official story".

There is one aspect of that story that's still bothering me (well there is more than one TBH, but I'm trying to pretend now that it's true). They said the rogue employee "had to chose manually which player to ‘cheat’". How did he do that if he didn't have access to the production database? Some kind of a backdoor in the UI? All we've seen was two or three lines of code that don't really explain much. I think at the very least DB should have published the whole commit. This is one of those things that would have gone a long way towards credibility.


Title: Re: OFFICIAL DICEBITCO.IN ANNOUNCEMENT ABOUT THE SKIPPED NONCES INCIDENT
Post by: dooglus on September 20, 2014, 09:21:32 PM
There is one aspect of that story that's still bothering me (well there is more than one TBH, but I'm trying to pretend now that it's true). They said the rogue employee "had to chose manually which player to ‘cheat’". How did he do that if he didn't have access to the production database? Some kind of a backdoor in the UI? All we've seen was two or three lines of code that don't really explain much. I think at the very least DB should have published the whole commit. This is one of those things that would have gone a long way towards credibility.

Good point.

The three line screenshot didn't really show anything. Could we see the whole diff he submitted? The condition for when to apply the nonce-skip would be interesting. I too wonder how the rogue employee was able to choose manually which players to cheat when he didn't have access to the db.


Title: Re: OFFICIAL DICEBITCO.IN ANNOUNCEMENT ABOUT THE SKIPPED NONCES INCIDENT
Post by: leannemckim46 on September 20, 2014, 10:03:23 PM
There is one aspect of that story that's still bothering me (well there is more than one TBH, but I'm trying to pretend now that it's true). They said the rogue employee "had to chose manually which player to ‘cheat’". How did he do that if he didn't have access to the production database? Some kind of a backdoor in the UI? All we've seen was two or three lines of code that don't really explain much. I think at the very least DB should have published the whole commit. This is one of those things that would have gone a long way towards credibility.

Good point.

The three line screenshot didn't really show anything. Could we see the whole diff he submitted? The condition for when to apply the nonce-skip would be interesting. I too wonder how the rogue employee was able to choose manually which players to cheat when he didn't have access to the db.
If he was watching the live bets then the rogue employee could get a good idea as to who had a lot of money in their account, or he could have looked at the "high rollers" section to see who were larger bettors.

He could have just picked "x" number of random users to have nonces skipped for, and it just so happened that the first one to notice was a whale and the rest didn't actually bet until it was discovered and simply never bet anything while the code was in effect.

By "not having DB access" they could mean that the employee did not have the ability to write/make changes to the DB but could "read" the DB. If this was the case he could simply pick "x" number of users who would bet large amounts.

He could have used the bet verifier to check how much was wagered on random bets by each user and picked users who had made large bets. (I have not actually used the bet verifier prior to when they disabled it so I don't know if this would actually make sense)

The above is nothing more than speculation but all would fit the story that Dicebitco.in gave.


Title: Re: OFFICIAL DICEBITCO.IN ANNOUNCEMENT ABOUT THE SKIPPED NONCES INCIDENT
Post by: pureelite on September 20, 2014, 10:15:57 PM
refund my 2btc that was stolen from me

1K8iVACToB2a1rxcTRedPRgs6h4C54u3Yv

 >:( >:( >:( >:(


Title: Re: OFFICIAL DICEBITCO.IN ANNOUNCEMENT ABOUT THE SKIPPED NONCES INCIDENT
Post by: dooglus on September 20, 2014, 10:40:31 PM
He could have just picked "x" number of random users to have nonces skipped for, and it just so happened that the first one to notice was a whale and the rest didn't actually bet until it was discovered and simply never bet anything while the code was in effect.

By "not having DB access" they could mean that the employee did not have the ability to write/make changes to the DB but could "read" the DB. If this was the case he could simply pick "x" number of users who would bet large amounts.

He could have used the bet verifier to check how much was wagered on random bets by each user and picked users who had made large bets. (I have not actually used the bet verifier prior to when they disabled it so I don't know if this would actually make sense)

All this could explain how he decided which users were best to target.

None of this explains how he then *manually* targeted those users.


Title: Re: OFFICIAL DICEBITCO.IN ANNOUNCEMENT ABOUT THE SKIPPED NONCES INCIDENT
Post by: DiceBitcoin on September 20, 2014, 11:15:40 PM
There is one aspect of that story that's still bothering me (well there is more than one TBH, but I'm trying to pretend now that it's true). They said the rogue employee "had to chose manually which player to ‘cheat’". How did he do that if he didn't have access to the production database? Some kind of a backdoor in the UI? All we've seen was two or three lines of code that don't really explain much. I think at the very least DB should have published the whole commit. This is one of those things that would have gone a long way towards credibility.

Good point.

The three line screenshot didn't really show anything. Could we see the whole diff he submitted? The condition for when to apply the nonce-skip would be interesting. I too wonder how the rogue employee was able to choose manually which players to cheat when he didn't have access to the db.

To answer your question there was no backdoor on the UI. Besides the "main" website we also have an application in place that we use to do simple day-to-day operations (such as resetting users' passwords, processing manual withdrawals etc), an 'admin' application if you like.

In this application there is only stuff that anyone can view (no secret stuff lying around) and do. One of those is that one could view / edit a JSON field on the user that we use primarily for storing meta information (for you techies take a look here: http://www.postgresql.org/docs/9.4/static/datatype-json.html) such as last-login, how much time he is active etc, nothing important. He used this schemaless column to store the data he wanted in order to persist the conditions that when met the skipping happened.

Doog, as for the diff I will post it later :)
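An allowlist audit of the kind of free-form per-user JSON field described in the post above, as an added example that is not part of the post and not DiceBitco.in's code. The key names (`last_login`, `active_seconds`, `rule`, `min_profit`, `min_odds`) and the sample rows are hypothetical and constructed for illustration.

```python
import json

# ASSUMED allowlist: the post names only last-login and activity time as the
# intended contents of the field; these key names and types are hypothetical.
ALLOWED_META = {"last_login": str, "active_seconds": int}

# CONSTRUCTED rows of (user_id, raw JSON text from the meta column).
SAMPLE_ROWS = [
    (1, '{"last_login": "2014-09-01T10:00:00Z", "active_seconds": 5400}'),
    (2, '{"last_login": "2014-09-02T08:30:00Z", "active_seconds": 120, '
        '"rule": {"min_profit": 1.0, "min_odds": 2.0}}'),
    (3, '{"last_login": 1409650000, "active_seconds": true}'),
    (4, '{not json'),
]


def leaf_paths(value, prefix):
    """Dotted paths of every leaf under value, so a reviewer sees exactly
    what was stored beneath an unexpected key."""
    if isinstance(value, dict) and value:
        return [p for k, v in value.items()
                for p in leaf_paths(v, f"{prefix}.{k}")]
    if isinstance(value, list) and value:
        return [p for i, v in enumerate(value)
                for p in leaf_paths(v, f"{prefix}[{i}]")]
    return [prefix]


def audit_meta(rows, allowed=ALLOWED_META):
    """Return (user_id, path, problem) for every value in the meta field that
    the application has no declared use for."""
    findings = []
    for user_id, raw in rows:
        try:
            meta = json.loads(raw)
        except ValueError:
            findings.append((user_id, "$", "invalid JSON"))
            continue
        if not isinstance(meta, dict):
            findings.append((user_id, "$", "meta is not an object"))
            continue
        for key, value in meta.items():
            expected = allowed.get(key)
            if expected is None:
                findings.extend((user_id, path, "unexpected key")
                                for path in leaf_paths(value, key))
            elif type(value) is not expected:  # exact type: bool is not int
                findings.append((user_id, key,
                                 f"type mismatch: expected {expected.__name__}, "
                                 f"got {type(value).__name__}"))
    return findings


if __name__ == "__main__":
    for finding in audit_meta(SAMPLE_ROWS):
        print(finding)
```

The same allowlist enforced at write time in the admin application would reject the edit outright instead of finding it afterwards.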


Title: Re: OFFICIAL DICEBITCO.IN ANNOUNCEMENT ABOUT THE SKIPPED NONCES INCIDENT
Post by: leannemckim46 on September 20, 2014, 11:18:39 PM
He could have just picked "x" number of random users to have nonces skipped for, and it just so happened that the first one to notice was a whale and the rest didn't actually bet until it was discovered and simply never bet anything while the code was in effect.

By "not having DB access" they could mean that the employee did not have the ability to write/make changes to the DB but could "read" the DB. If this was the case he could simply pick "x" number of users who would bet large amounts.

He could have used the bet verifier to check how much was wagered on random bets by each user and picked users who had made large bets. (I have not actually used the bet verifier prior to when they disabled it so I don't know if this would actually make sense)

All this could explain how he decided which users were best to target.

None of this explains how he then *manually* targeted those users.
It could be something along the lines of "this code only applies to users 'X', 'Y' and 'Z'" (I am not very familiar with the specific code used so I don't know the exact language).


Title: Re: OFFICIAL DICEBITCO.IN ANNOUNCEMENT ABOUT THE SKIPPED NONCES INCIDENT
Post by: itod on September 20, 2014, 11:18:59 PM
There's a crucial problem with this explanation, even if one swallows the low odds of Mateo winning the way he did it (was it something around 1:500?). If the developer had access to the seeds of the players at one point, he could potentially contact some players privately and organize to serve them with their individual seeds for the part of the profit. Investors' money would not ever be safe this way, a group can drain profits slowly from the site continuously.


Title: Re: OFFICIAL DICEBITCO.IN ANNOUNCEMENT ABOUT THE SKIPPED NONCES INCIDENT
Post by: BusyBeaverHP on September 20, 2014, 11:26:31 PM
I have no idea why people are even speculating on how the rogue employee could have sabotaged high rollers when we should be speculating on the plausibility of the rogue employee's existence in the first place.

Note that this was on the night of September 6th, 2014. This was the night before the scandal broke loose.
https://i.imgur.com/SJvuc1Q.png
manl stated that there was no other person working on the site than him and Gerry.

Remember that skipped nonces were found all the way back to August 28th, 2014. So why are some of you debating what the rogue employee could have done rather than the existence of such a rogue employee?


Title: Re: OFFICIAL DICEBITCO.IN ANNOUNCEMENT ABOUT THE SKIPPED NONCES INCIDENT
Post by: Stunna on September 21, 2014, 12:14:53 AM
Good luck trying to regain people's trust after potentially scamming over a thousand coins.

I stand by everything I said including the part about the 1000 coins.

I don't think I understand. What 1000 coins are you talking about here?

I see two ways to interpret your "potentially" here:

1) Are you saying they had the potential to steal 1000 BTC? If so, the number is more like 7000, since that's what was in the bankroll that they could have stolen (but instead they allowed investors to withdraw almost all of it).

2) Or are you saying that you think they actually stole 1000 BTC? If so, how? Even if "Mateo" was a site player, he lost more than he won, and it was less than 1000 BTC.

Neither way makes much sense to me. Could you be clearer about what you're actually accusing them of?

The site claims 122,000 coins have been wagered, 300 coins have been delivered to investors and I'd imagine that half of the invested funds if not the majority during the mateo incident were the site's own money.

What likely happened:
1. Mateo appears and chews up a massive chunk of investors funds so dicebitco.in can repay those that were scammed (Think about all the people who divested after finding out the news and already taking substantial losses)
2. Dicebitco.in invests their own funds or has mateo lose to the website after they have a strong % of bankroll.
3. Appear more legitimate/turn a profit

Obviously variance can occur but given their track record my theory is that they were trying to steal from investors with fake whales and then rig rolls to make up the difference and keep the edge around 1%. It's really a classic scam, they use fraud to keep their profit up which in effect attracts investments which they can scam.

I'm sure they were doing this, what I'm curious is to what extent this was occurring. Is there proof going further back that rolls were being rigged or did dicebitco.in disable their verification so they could tidy up their DB?

There's no way to 100% prove any of this which is exactly why investments is a joke, but I still firmly think there is a significant chance this occurred given that they were 100% found to be intentionally rigging rolls. This could have been a massive and long term undetected scam if nobody detected it and it was only used on large whales.

Draw your own conclusions, I have mine. You probably think I'm biased as they were competition, but I have friends that were personally scammed by dicebitco.in to the rigging and I will never trust them again nor should anyone else. I'd be willing to help Dooglus relaunch his website if we can think up a more provably fair investment scheme just so people have a safe place to invest.


Title: Re: OFFICIAL DICEBITCO.IN ANNOUNCEMENT ABOUT THE SKIPPED NONCES INCIDENT
Post by: dooglus on September 21, 2014, 03:16:52 AM
Good luck trying to regain people's trust after potentially scamming over a thousand coins.

I stand by everything I said including the part about the 1000 coins.

I don't think I understand. What 1000 coins are you talking about here?

The site claims 122,000 coins have been wagered, 300 coins have been delivered to investors and I'd imagine that half of the invested funds if not the majority during the mateo incident were the site's own money.

It took me a while to understand the relevance of those numbers. I now think you mean the following:

Since 122k coins were wagered, the expected profit is 1220 BTC. The actual profit is just 300 BTC of which half were earned by the site itself. So the profit is 820 short because the site stole it, and they also earned 150 from Mateo's loss, so that's a total of 970 BTC they've taken.

Is that it?

Just-Dice only earned 0.35% of turnover even though the house edge was 1%. The shortfall was something like 34k BTC. I hope you don't think we stole that too. As you've no doubt noticed on PrimeDice the variance is huge when the house edge is just 1%.


Title: Re: OFFICIAL DICEBITCO.IN ANNOUNCEMENT ABOUT THE SKIPPED NONCES INCIDENT
Post by: Valzador on September 21, 2014, 04:00:56 AM
Everyone knows gambling is rigged, just stop.


Title: Re: OFFICIAL DICEBITCO.IN ANNOUNCEMENT ABOUT THE SKIPPED NONCES INCIDENT
Post by: Valzador on September 21, 2014, 04:03:12 AM
I have no idea why people are even speculating on how the rogue employee could have sabotaged high rollers when we should be speculating on the plausibility of the rogue employee's existence in the first place.

Note that this was on the night of September 6th, 2014. This was the night before the scandal broke loose.
https://i.imgur.com/SJvuc1Q.png
manl stated that there was no other person working on the site than him and Gerry.

Remember that skipped nonces were found all the way back to August 28th, 2014. So why are some of you debating what the rogue employee could have done rather than the existence of such a rogue employee?

Do you think that they would tell us that they didn't make the site themselves and instead hired another coder? I run an altcoin creation service and none of my customers prefer their communities to know that I created their coin for them.


Title: Re: OFFICIAL DICEBITCO.IN ANNOUNCEMENT ABOUT THE SKIPPED NONCES INCIDENT
Post by: cddc on September 21, 2014, 08:34:17 AM
How DB allowed withdrawals for big amounts from COLD STORAGE without verify???


Title: Re: OFFICIAL DICEBITCO.IN ANNOUNCEMENT ABOUT THE SKIPPED NONCES INCIDENT
Post by: zeeshanblc on September 21, 2014, 10:14:57 AM
Quote
Draw your own conclusions, I have mine. You probably think I'm biased as they were competition, but I have friends that were personally scammed by dicebitco.in to the rigging and I will never trust them again nor should anyone else. I'd be willing to help Dooglus relaunch his website if we can think up a more provably fair investment scheme just so people have a safe place to invest.

This is what I think Stunna wanted to say but it was not clear enough.

You should not trust anyone except him and Primedice.

Dice sites with invest option are dangerous because max profit easily can go above 20BTC and that's the max on primedice. This makes them more interesting than PD and they attract more whales while PD is left with faucet players.

All Stunna cares and wants is Primedice to be largest dice site and he will do everything he can to trash his competition.

One thing I don't understand, why there is a such need to come to competitor's site and write anything in their thread? Especially trash talk and your own negative opinion and theories.

I'm not defending DB, I personally think they F*****UP and I would never invest or play there.

As for Primedice and Stunna honesty, here are some facts I did notice, you make your own decisions.

1. Primedice 2
 - highest paid signature campaign
 - ton of money thrown away on signatures, faucet etc.
 - A few if any users with positive account
 - People complaining of PD being rigged because server hash was changing all the time, overall shady provably fair where you had to wait 24h for secret seed.

2. Primedice 3 released
 - new provably fair introduced (proper one)
 - faucet reduced
 - signature campaign reduced totally, members dropped...suddenly there is no extra money for this
 - a LOT more people start to win, more people with positive accounts
 - overall cutting costs wherever they can

To me this means that they stole shit load of BTC on PD2 and now playing to be honest people helping others not to get scammed.



Title: Re: OFFICIAL DICEBITCO.IN ANNOUNCEMENT ABOUT THE SKIPPED NONCES INCIDENT
Post by: Stunna on September 21, 2014, 10:36:23 AM
Quote
Draw your own conclusions, I have mine. You probably think I'm biased as they were competition, but I have friends that were personally scammed by dicebitco.in to the rigging and I will never trust them again nor should anyone else. I'd be willing to help Dooglus relaunch his website if we can think up a more provably fair investment scheme just so people have a safe place to invest.

This is what I think Stunna wanted to say but it was not clear enough.

You should not trust anyone except him and Primedice.

Dice sites with invest option are dangerous because max profit easily can go above 20BTC and that's the max on primedice. This makes them more interesting than PD and they attract more whales while PD is left with faucet players.

All Stunna cares and wants is Primedice to be largest dice site and he will do everything he can to trash his competition.

One thing I don't understand, why there is a such need to come to competitor's site and write anything in their thread? Especially trash talk and your own negative opinion and theories.

I'm not defending DB, I personally think they F*****UP and I would never invest or play there.

As for Primedice and Stunna honesty, here are some facts I did notice, you make your own decisions.

1. Primedice 2
 - highest paid signature campaign
 - ton of money thrown away on signatures, faucet etc.
 - A few if any users with positive account
 - People complaining of PD being rigged because server hash was changing all the time, overall shady provably fair where you had to wait 24h for secret seed.

2. Primedice 3 released
 - new provably fair introduced (proper one)
 - faucet reduced
 - signature campaign reduced totally, members dropped...suddenly there is no extra money for this
 - a LOT more people start to win, more people with positive accounts
 - overall cutting costs wherever they can

To me this means that they stole shit load of BTC on PD2 and now playing to be honest people helping others not to get scammed.



This is the most illogical string of thoughts I've seen on this thread. I think it's safe to say that primedice is the biggest bitcoin gambling site at the moment and isn't struggling financially.
1. Faucet was reduced as our userbase has increased by 5x which has attracted the attention of more people looking to exploit it. Faucet is still higher than PD2 faucet on average (our PD2 faucet was 250 for non-whitelisted users, now anyone can get to a 10,000+sat faucet by wagering).
2. Signature campaign was supposed to close several months ago, it hasn't been very effective in many months and has contributed to forum spam while being a major hassle to run.
3. There are more winners and more losers given that our userbase has increased significantly
4. If I had bad intentions couldn't I just launch an investment site myself and undetectably scam millions?

If you want to debate me do it from your main account, I'm well aware that you are either the founder of luckynumber or an admin and have used that account for ill actions: https://bitcointalk.org/index.php?topic=621659.0 . I know that you are just trying to dodge negative trust on your other account and are farming trusts right now to launch your new scammy investment site. I felt extremely deceived when I talked to you via PM and gave you my reasons for why I felt the way I did about LN and it turned out that you were proven to be giftcoins/luckynumber. I'm not surprised that you choose to blast me at any possible opportunity granted that I did the same with your website, but please grow a pair of balls and do it properly.

http://puu.sh/bHO4w/0b2d2147c1.png



Good luck trying to regain people's trust after potentially scamming over a thousand coins.

I stand by everything I said including the part about the 1000 coins.

I don't think I understand. What 1000 coins are you talking about here?

The site claims 122,000 coins have been wagered, 300 coins have been delivered to investors and I'd imagine that half of the invested funds if not the majority during the mateo incident were the site's own money.

It took me a while to understand the relevance of those numbers. I now think you mean the following:

Since 122k coins were wagered, the expected profit is 1220 BTC. The actual profit is just 300 BTC of which half were earned by the site itself. So the profit is 820 short because the site stole it, and they also earned 150 from Mateo's loss, so that's a total of 970 BTC they've taken.

Is that it?

Just-Dice only earned 0.35% of turnover even though the house edge was 1%. The shortfall was something like 34k BTC. I hope you don't think we stole that too. As you've no doubt noticed on PrimeDice the variance is huge when the house edge is just 1%.

I wasn't implying that was the case with JD, obviously there is a chance of that being the case although I personally lean against that belief. That's how ridiculous these types of investments are, you're a trustworthy person but we ultimately have to take you at your word for 10k-20k coins. Even you'd agree that level of trust is ridiculous, now imagine doing the same with someone completely brand new in the community who has a proven scam record.

I think the possibility is rather high of this being the case on DB given their track record. Basically what I alleged is Dicebitco.in is a proven scam and had the opportunity to discreetly steal ~1000 coins and given the fact that they are indeed proven scammers that possibility seems rather likely. If you had nonce-skipped on JD I probably would have accused you of the same thing. After all if someone is going to detectably scam wouldn't you think they would also undetectably do so? The point I'm trying to make is someone who has committed a proven scam should not be given benefit of the doubt, if you think they still deserve that then I think you're naive.

My opinions with regards to investments aren't very popular and I stand in an extremely biased position, but ultimately so many people in this community lack common sense and I'm just trying to provide some balanced argument. The idea that I'm trashing investment sites because I'm greedy or can't stand competition is a recurring argument. I'm pretty sure I'd stand to make much more if I allowed investment on primedice, the risk to investors is too high though and I don't think I'm worthy of that level of trust & responsibility nor can I figure out a way to make it provably fair.


Title: Re: OFFICIAL DICEBITCO.IN ANNOUNCEMENT ABOUT THE SKIPPED NONCES INCIDENT
Post by: zeeshanblc on September 21, 2014, 11:14:09 AM
Quote
Draw your own conclusions, I have mine. You probably think I'm biased as they were competition, but I have friends that were personally scammed by dicebitco.in to the rigging and I will never trust them again nor should anyone else. I'd be willing to help Dooglus relaunch his website if we can think up a more provably fair investment scheme just so people have a safe place to invest.

This is what I think Stunna wanted to say but it was not clear enough.

You should not trust anyone except him and Primedice.

Dice sites with invest option are dangerous because max profit easily can go above 20BTC and that's the max on primedice. This makes them more interesting than PD and they attract more whales while PD is left with faucet players.

All Stunna cares and wants is Primedice to be largest dice site and he will do everything he can to trash his competition.

One thing I don't understand, why there is a such need to come to competitors site and write anything in their thread? Especially trash talk and your own negative opinion and theories.

I'm not defending DB, I personally think they F*****UP and I would never invest or play there.

As for Primedice and Stunna honesty, here are some facts I did notice, you make your own decisions.

1. Primedice 2
 - highest paid signature campaign
 - ton of money thrown away on signatures, faucet etc.
 - A few if any users with positive account
 - People complaining of PD being rigged because server hash was changing all the time, overall shady provably fair where you had to wait 24h for secret seed.

2. Primedice 3 released
 - new provably fair introduced (proper one)
 - faucet reduced
 - signature campaign reduced totally, members dropped...suddenly there is no extra money for this
 - a LOT more people start to win, more people with positive accounts
 - overall cutting costs wherever they can

To me this means that they stole shit load of BTC on PD2 and now playing to be honest people helping others not to get scammed.



This is the most illogical string of thoughts I've seen on this thread. I think it's safe to say that primedice is the biggest bitcoin gambling site at the moment and isn't struggling financially.
1. Faucet was reduced as our userbase has increased by 5x which has attracted the attention of more people looking to exploit it. Faucet is still higher than PD2 faucet on average (our PD2 faucet was 250 for non-whitelisted users, now anyone can get to a 10,000+sat faucet by wagering).
2. Signature campaign was supposed to close several months ago, it hasn't been very effective in many months and has contributed to forum spam while being a major hassle to run.
3. There are more winners and more losers given that our userbase has increased significantly
4. If I had bad intentions couldn't I just launch an investment site myself and undetectably scam millions?

If you want to debate me do it from your main account, I'm well aware that you are either the founder of luckynumber or an admin and have used that account for ill actions: https://bitcointalk.org/index.php?topic=621659.0 . I know that you are just trying to dodge negative trust on your other account and are farming trusts right now to launch your new scammy investment site. I felt extremely deceived when I talked to you via PM and gave you my reasons for why I felt the way I did about LN and it turned out that you were proven to be giftcoins/luckynumber. I'm not surprised that you choose to blast me at any possible opportunity granted that I did the same with your website, but please grow a pair of balls and do it properly.

http://puu.sh/bHO4w/0b2d2147c1.png

If you check your profile you'll notice I gave you one extra reason to hate me. Time to move onto the next account, your princess is in another castle.



Good luck trying to regain people's trust after potentially scamming over a thousand coins.

I stand by everything I said including the part about the 1000 coins.

I don't think I understand. What 1000 coins are you talking about here?

The site claims 122,000 coins have been wagered, 300 coins have been delivered to investors and I'd imagine that half of the invested funds if not the majority during the mateo incident were the site's own money.

It took me a while to understand the relevance of those numbers. I now think you mean the following:

Since 122k coins were wagered, the expected profit is 1220 BTC. The actual profit is just 300 BTC of which half were earned by the site itself. So the profit is 820 short because the site stole it, and they also earned 150 from Mateo's loss, so that's a total of 970 BTC they've taken.

Is that it?

Just-Dice only earned 0.35% of turnover even though the house edge was 1%. The shortfall was something like 34k BTC. I hope you don't think we stole that too. As you've no doubt noticed on PrimeDice the variance is huge when the house edge is just 1%.

I wasn't implying that was the case with JD, obviously there is a chance of that being the case although I personally lean against that belief. That's how ridiculous these types of investments are, you're a trustworthy person but we ultimately have to take you at your word for 10k-20k coins. Even you'd agree that level of trust is ridiculous, now imagine doing the same with someone completely brand new in the community who has a proven scam record.

I think the possibility is rather high of this being the case on DB given their track record. Basically what I alleged is Dicebitco.in is a proven scam and had the opportunity to discreetly steal ~1000 coins and given the fact that they are indeed proven scammers that possibility seems rather likely. My opinions with regards to investments aren't very popular and I stand in an extremely biased position, but ultimately so many people in this community lack common sense and I'm just trying to provide some balanced argument.

Stunna, again you are showing what kind of person you are lol

You should get banned for abusing trust system so often, someone writes something you don't like and BAM you are giving them negative trust...this shows a nice picture about it...And I did expect this from you to be honest.

I'm no alt of giftcoins, you are so wrong about it, I had money there but not any more, seems you missed my empty signature space. I'm not planning to launch any dice site so you are again wrong.

If I ever launch any site related to gambling feel free to give me negative trust as much as you want, let it all be red but until then you should remove it from my account as this is pure abuse.  You don't give someone negative trust based on your assumptions.


Title: Re: OFFICIAL DICEBITCO.IN ANNOUNCEMENT ABOUT THE SKIPPED NONCES INCIDENT
Post by: Stunna on September 21, 2014, 11:25:27 AM

Stunna, again you are showing what kind of person you are lol

You should get banned for abusing trust system so often, someone writes something you don't like and BAM you are giving them negative trust...this shows a nice picture about it...And I did expect this from you to be honest.

I'm no alt of giftcoins, you are so wrong about it, I had money there but not any more, seems you missed my empty signature space. I'm not planning to launch any dice site so you are again wrong.

If I ever launch any site related to gambling feel free to give me negative trust as much as you want, let it all be red but until then you should remove it from my account as this is pure abuse.  You don't give someone negative trust based on your assumptions.


I'm not the only one that feels this way, I was actually just invited to an ongoing PM thread moments ago where people you had done deals with were suspicious that you were farming trust.

First message is from Sept 1:
http://puu.sh/bHQgm/16bbedd5a7.png

Also this isn't exactly gut instinct or abuse, if you review the reference there is actual proof. I hope you get solid use out of all the giftcards you bought.



Also this was just sent via that PM thread, I've withheld names but they are free to chime in themselves:

http://puu.sh/bHQFa/527cc12321.png

^ That's a pretty solid point right there.


Anyways this isn't a thread about you and your fraud aspirations, let's try and stay on topic.


Title: Re: OFFICIAL DICEBITCO.IN ANNOUNCEMENT ABOUT THE SKIPPED NONCES INCIDENT
Post by: zeeshanblc on September 21, 2014, 11:56:32 AM

Stunna, again you are showing what kind of person you are lol

You should get banned for abusing trust system so often, someone writes something you don't like and BAM you are giving them negative trust...this shows a nice picture about it...And I did expect this from you to be honest.

I'm no alt of giftcoins, you are so wrong about it, I had money there but not any more, seems you missed my empty signature space. I'm not planning to launch any dice site so you are again wrong.

If I ever launch any site related to gambling feel free to give me negative trust as much as you want, let it all be red but until then you should remove it from my account as this is pure abuse.  You don't give someone negative trust based on your assumptions.


I'm not the only one that feels this way, I was actually just invited to an ongoing PM thread moments ago where people you had done deals with were suspicious that you were farming trust.

First message is from Sept 1:
http://puu.sh/bHQgm/16bbedd5a7.png

Also this isn't exactly gut instinct or abuse, if you review the reference there is actual proof. I hope you get solid use out of all the giftcards you bought.



Also this was just sent via that PM thread, I've withheld names but they are free to chime in themselves:

http://puu.sh/bHQFa/527cc12321.png

^ That's a pretty solid point right there.


Anyways this isn't a thread about you and your fraud aspirations, let's try and stay on topic.


that user that gave you this info above is "goose20", no need for him to hide...he already removed his positive trust and this is fine, others can do the same if they wish

Sorry for hijacking this post....dicebitcoin you can delete our rubbish talk now :)


Title: Re: OFFICIAL DICEBITCO.IN ANNOUNCEMENT ABOUT THE SKIPPED NONCES INCIDENT
Post by: MICRO on September 21, 2014, 12:02:24 PM
If he didn't have access to production/database servers, but could upload code himself unchecked, what makes you guys think he wouldn't add any query or even a URL that reveals the auth details or seeds for himself?

They've addressed this before.

He couldn't upload code himself. They uploaded his code for him without properly testing it. When they found out that his code was malicious they backed out his change.

While the code was in place he could potentially have grabbed a server seed, but apparently he randomized after his change was backed out, meaning he no longer had a way of reading his seeds.

I think that's how it goes, anyway.

That's what they say it goes, but did we see any proof that is actually how it played out ?


Title: Re: OFFICIAL DICEBITCO.IN ANNOUNCEMENT ABOUT THE SKIPPED NONCES INCIDENT
Post by: coinnewbit on September 21, 2014, 07:52:50 PM
Quote
Draw your own conclusions, I have mine. You probably think I'm biased as they were competition, but I have friends that were personally scammed by dicebitco.in to the rigging and I will never trust them again nor should anyone else. I'd be willing to help Dooglus relaunch his website if we can think up a more provably fair investment scheme just so people have a safe place to invest.

This is what I think Stunna wanted to say but it was not clear enough.

You should not trust anyone except him and Primedice.

Dice sites with invest option are dangerous because max profit easily can go above 20BTC and that's the max on primedice. This makes them more interesting than PD and they attract more whales while PD is left with faucet players.

All Stunna cares and wants is Primedice to be largest dice site and he will do everything he can to trash his competition.

One thing I don't understand, why there is a such need to come to competitors site and write anything in their thread? Especially trash talk and your own negative opinion and theories.

I'm not defending DB, I personally think they F*****UP and I would never invest or play there.

As for Primedice and Stunna honesty, here are some facts I did notice, you make your own decisions.

1. Primedice 2
 - highest paid signature campaign
 - ton of money thrown away on signatures, faucet etc.
 - A few if any users with positive account
 - People complaining of PD being rigged because server hash was changing all the time, overall shady provably fair where you had to wait 24h for secret seed.

2. Primedice 3 released
 - new provably fair introduced (proper one)
 - faucet reduced
 - signature campaign reduced totally, members dropped...suddenly there is no extra money for this
 - a LOT more people start to win, more people with positive accounts
 - overall cutting costs wherever they can

To me this means that they stole shit load of BTC on PD2 and now playing to be honest people helping others not to get scammed.



This is the most illogical string of thoughts I've seen on this thread. I think it's safe to say that primedice is the biggest bitcoin gambling site at the moment and isn't struggling financially.
1. Faucet was reduced as our userbase has increased by 5x which has attracted the attention of more people looking to exploit it. Faucet is still higher than PD2 faucet on average (our PD2 faucet was 250 for non-whitelisted users, now anyone can get to a 10,000+sat faucet by wagering).
2. Signature campaign was supposed to close several months ago, it hasn't been very effective in many months and has contributed to forum spam while being a major hassle to run.
3. There are more winners and more losers given that our userbase has increased significantly
4. If I had bad intentions couldn't I just launch an investment site myself and undetectably scam millions?

If you want to debate me do it from your main account, I'm well aware that you are either the founder of luckynumber or an admin and have used that account for ill actions: https://bitcointalk.org/index.php?topic=621659.0 . I know that you are just trying to dodge negative trust on your other account and are farming trusts right now to launch your new scammy investment site. I felt extremely deceived when I talked to you via PM and gave you my reasons for why I felt the way I did about LN and it turned out that you were proven to be giftcoins/luckynumber. I'm not surprised that you choose to blast me at any possible opportunity granted that I did the same with your website, but please grow a pair of balls and do it properly.

http://puu.sh/bHO4w/0b2d2147c1.png

If you check your profile you'll notice I gave you one extra reason to hate me. Time to move onto the next account, your princess is in another castle.

This is very concerning. It is never appropriate to respond to criticism (valid or not) with negative trust. You are essentially saying that anyone that does not agree with you automatically gets fugitive trust. I am not sure if your accusation is true or not, however I am almost certain that your accusation is motivated by the criticism that was given to you.

I think you were quick to jump to conclusions regarding the DB scandal as well. I would personally conclude that your problem with DB is the fact that they had previously posed a serious threat to competition with PD and you do not wish to compete. This is evidenced by the fact that you are continuing to make fact-less accusations against them that are based on nothing but speculation. IIRC you had put your negative trust on the DB forum account while the scandal was still unfolding, which likely fed the trolls that caused them to wish to abandon their project temporarily. I personally think they f'ed up and would not trust them with my money, but as a community I think we should give them the benefit of the doubt.

I would say that you appear to be trustworthy and that you appear to run your site on the "up and up" however I also think you are involved in some very sketchy business


Title: Re: OFFICIAL DICEBITCO.IN ANNOUNCEMENT ABOUT THE SKIPPED NONCES INCIDENT
Post by: jaysabi on September 22, 2014, 12:08:16 PM
I wasn't implying that was the case with JD, obviously there is a chance of that being the case although I personally lean against that belief. That's how ridiculous these types of investments are, you're a trustworthy person but we ultimately have to take you at your word for 10k-20k coins. Even you'd agree that level of trust is ridiculous, now imagine doing the same with someone completely brand new in the community who has a proven scam record.

lol, 'I wasn't implying that with JD, but I'm still totally implying that with JD.'

You don't even realize what you're saying.

Also, I agree with the post directly above this. You're abusing the trust system by leaving negative trust based on your suspicion on an issue that doesn't even concern you. Your motivations have been made clear here, and everywhere else you post. You continue to bash JD in a passive-aggressive manner, even though you say you're not implying certain things while continuing to imply them in the same sentence. You bash every other site or site owner that is competition, and even if every single one of them is a legit point, your paranoia has led you to abuse the trust system to preemptively trash people who you think might start a competing site in the future.

Dude, get a hold of yourself. You're not being an asset to the community when you act this way.


Title: Re: OFFICIAL DICEBITCO.IN ANNOUNCEMENT ABOUT THE SKIPPED NONCES INCIDENT
Post by: DiceBitcoin on September 22, 2014, 01:42:46 PM
There is one aspect of that story that's still bothering me (well there is more than one TBH, but I'm trying to pretend now that it's true). They said the rogue employee "had to chose manually which player to ‘cheat’". How did he do that if he didn't have access to the production database? Some kind of a backdoor in the UI? All we've seen was two or three lines of code that don't really explain much. I think at the very least DB should have published the whole commit. This is one of those things that would have gone a long way towards credibility.

Good point.

The three line screenshot didn't really show anything. Could we see the whole diff he submitted? The condition for when to apply the nonce-skip would be interesting. I too wonder how the rogue employee was able to choose manually which players to cheat when he didn't have access to the db.

To answer your question there was no backdoor on the UI. Besides the "main" website we also have an application in place that we use to do simple day-to-day operations (such as resetting users' passwords, processing manual withdrawals etc), an 'admin' application if you like.

In this application there is only stuff that anyone can view (no secret stuff lying around) and do. One of those is that one could view / edit a JSON field on the user that we use primarily for storing meta information (for you techies take a look here: http://www.postgresql.org/docs/9.4/static/datatype-json.html) such as last-login, how much time he is active etc, nothing important. He used this schemaless column to store the data he wanted in order to persist the conditions that, when met, made the skipping happen.

Doog, as for the diff I will post it later :)


Here is the diff for the malicious code commit, for what it's worth http://pastebin.com/anXZmNM6
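
Added example (not part of the thread, and not the pastebin diff): an audit that a player or operator can run over a bet log once the server seed is revealed, flagging the kind of skipped nonces this incident involved and recomputing what each skipped nonce would have rolled. The HMAC roll derivation, the SHA-256 seed commitment, the roll-under win rule, the field names and the sample log are all assumptions constructed for illustration, not DiceBitcoin's actual scheme.

```python
import hashlib
import hmac

SERVER_SEED = "constructed-server-seed"  # constructed sample value
CLIENT_SEED = "constructed-client-seed"  # constructed sample value


def commitment(server_seed):
    """Hash published before play so the seed cannot be swapped later (assumed SHA-256)."""
    return hashlib.sha256(server_seed.encode()).hexdigest()


def roll(server_seed, client_seed, nonce):
    """Assumed derivation: first 32 bits of HMAC-SHA512(server_seed, 'client:nonce') scaled to [0, 100)."""
    msg = f"{client_seed}:{nonce}".encode()
    digest = hmac.new(server_seed.encode(), msg, hashlib.sha512).digest()
    return int.from_bytes(digest[:4], "big") * 100 / 2**32


def audit(log, server_seed, client_seed, published_hash, first_nonce=0):
    """Check a bet log against the revealed seed.

    Each log entry is a dict with 'nonce', 'target' (bet wins if roll < target)
    and 'roll' (the result the site reported). Returns a findings dict.
    """
    findings = {
        "seed_matches_commitment": hmac.compare_digest(
            commitment(server_seed), published_hash
        ),
        "wrong_rolls": [],       # reported roll differs from the recomputed one
        "duplicate_nonces": [],  # same nonce used for more than one bet
        "skipped": [],           # nonces missing from the sequence
    }
    seen = {}
    for bet in log:
        n = bet["nonce"]
        if n in seen:
            findings["duplicate_nonces"].append(n)
            continue
        seen[n] = bet
        if abs(bet["roll"] - roll(server_seed, client_seed, n)) > 1e-9:
            findings["wrong_rolls"].append(n)
    if not seen:
        return findings

    # A correct log uses every nonce from first_nonce up to the last bet exactly once.
    for n in range(first_nonce, max(seen) + 1):
        if n in seen:
            continue
        # The bet that should have used nonce n was recorded under the next
        # nonce present in the log, so judge the skipped roll by that bet's target.
        next_bet = seen[min(k for k in seen if k > n)]
        skipped_roll = roll(server_seed, client_seed, n)
        findings["skipped"].append({
            "nonce": n,
            "roll": skipped_roll,
            "would_have_won": skipped_roll < next_bet["target"],
        })
    return findings


def sample_logs():
    """Constructed data: a complete log, and a copy with nonce 4 missing and roll 7 altered."""
    honest = [
        {"nonce": n, "target": 49.5, "roll": roll(SERVER_SEED, CLIENT_SEED, n)}
        for n in range(10)
    ]
    tampered = [dict(bet) for bet in honest if bet["nonce"] != 4]
    for bet in tampered:
        if bet["nonce"] == 7:
            bet["roll"] = (bet["roll"] + 1.0) % 100
    return honest, tampered


if __name__ == "__main__":
    honest, tampered = sample_logs()
    published = commitment(SERVER_SEED)
    print("complete log:", audit(honest, SERVER_SEED, CLIENT_SEED, published))
    print("tampered log:", audit(tampered, SERVER_SEED, CLIENT_SEED, published))
```

A gap on its own only proves the sequence is broken; the `would_have_won` flag on each skipped nonce is what separates a selective skip from an innocent failure such as a dropped request.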


Title: Re: OFFICIAL DICEBITCO.IN ANNOUNCEMENT ABOUT MATEONL???
Post by: Joecker on September 22, 2014, 03:32:08 PM
AHAHAHAHHA MaNteoL was LEGIT !!!

Can't wait to see BR go poof tomorrow! Only this time someone will finally have the guts of tracking your sorry ass down in a shithole, say like Israel, Ukraine or Russia. (no offense to the nice people of these countries).

MantL I am just begging to be bashed by you, nothing would please me more than you wasting time for me =)


Title: Re: OFFICIAL DICEBITCO.IN ANNOUNCEMENT ABOUT THE SKIPPED NONCES INCIDENT
Post by: Joecker on September 22, 2014, 03:36:17 PM
(...) his previous lucky run (...)
Epic


edit: ManLoL, you'll get my FULL trust when 1000btc land here (https://blockchain.info/address/1BQE9mfiMwok7hXuemiueRoyurMuuzfb6T). You've set a new standard for assuming how people can be stupid. So I'm not ashamed at all to beg ;P


Title: Re: OFFICIAL DICEBITCO.IN ANNOUNCEMENT ABOUT THE SKIPPED NONCES INCIDENT
Post by: dooglus on September 22, 2014, 04:15:23 PM
Here is the diff for the malicious code commit, for what it's worth http://pastebin.com/anXZmNM6

Thanks. I'm surprised how small it is. All it does is change a couple of <title> tags and add the cheat code. I was thinking the cheat code would be buried deep among a bunch of complex unrelated changes but apparently not.


Title: Re: OFFICIAL DICEBITCO.IN ANNOUNCEMENT ABOUT THE SKIPPED NONCES INCIDENT
Post by: MICRO on September 22, 2014, 04:29:05 PM
Here is the diff for the malicious code commit, for what it's worth http://pastebin.com/anXZmNM6

Thanks. I'm surprised how small it is. All it does is change a couple of <title> tags and add the cheat code. I was thinking the cheat code would be buried deep among a bunch of complex unrelated changes but apparently not.

This way it was rly hard to miss it (or NOT).

Or the question is, why would u hide ur own code?


Title: Re: OFFICIAL DICEBITCO.IN ANNOUNCEMENT ABOUT THE SKIPPED NONCES INCIDENT
Post by: Martijnvdc on September 22, 2014, 07:12:38 PM
Here is the diff for the malicious code commit, for what it's worth http://pastebin.com/anXZmNM6
So basically, the commit was blindly accepted? Seems quite irresponsible...
Where's my refund?


Title: Re: OFFICIAL DICEBITCO.IN ANNOUNCEMENT ABOUT THE SKIPPED NONCES INCIDENT
Post by: jaysabi on September 22, 2014, 07:16:54 PM
Here is the diff for the malicious code commit, for what it's worth http://pastebin.com/anXZmNM6
So basically, the commit was blindly accepted? Seems quite irresponsible...
Where's my refund?

He's always maintained the commit was blindly accepted. The only question to my mind is if this whole 3rd developer thing is concocted or true. Manl's refusal to name the developer is troubling, especially since if he exists, he attempted to steal coins from the players Manl promised to treat fairly by running his site. Protecting this guy (if he exists) does not make you a trustworthy individual.


Title: Re: OFFICIAL DICEBITCO.IN ANNOUNCEMENT ABOUT THE SKIPPED NONCES INCIDENT
Post by: boumalo on September 22, 2014, 07:56:09 PM
I wasn't implying that was the case with JD, obviously there is a chance of that being the case although I personally lean against that belief. That's how ridiculous these types of investments are, you're a trustworthy person but we ultimately have to take you at your word for 10k-20k coins. Even you'd agree that level of trust is ridiculous, now imagine doing the same with someone completely brand new in the community who has a proven scam record.

lol, 'I wasn't implying that with JD, but I'm still totally implying that with JD.'

You don't even realize what you're saying.

Also, I agree with the post directly above this. You're abusing the trust system by leaving negative trust based on your suspicion on an issue that doesn't even concern you. Your motivations have been made clear here, and everywhere else you post. You continue to bash JD in a passive-aggressive manner, even though you say you're not implying certain things while continuing to imply them in the same sentence. You bash every other site or site owner that is competition, and even if every single one of them is a legit point, your paranoia has led you to abuse the trust system to preemptively trash people who you think might start a competing site in the future.

Dude, get a hold of yourself. You're not being an asset to the community when you act this way.

When Stunna talked about the potential of investment sites to sc.am thought he was implying it may be the case for JD

But Stunna's post is true : when you are talking about the possibility for someone to sca.m under the radar and on internet on a 20k figure, there is always a risk


Title: Re: OFFICIAL DICEBITCO.IN ANNOUNCEMENT ABOUT THE SKIPPED NONCES INCIDENT
Post by: MICRO on September 22, 2014, 07:59:29 PM
I wasn't implying that was the case with JD, obviously there is a chance of that being the case although I personally lean against that belief. That's how ridiculous these types of investments are, you're a trustworthy person but we ultimately have to take you at your word for 10k-20k coins. Even you'd agree that level of trust is ridiculous, now imagine doing the same with someone completely brand new in the community who has a proven scam record.

lol, 'I wasn't implying that with JD, but I'm still totally implying that with JD.'

You don't even realize what you're saying.

Also, I agree with the post directly above this. You're abusing the trust system by leaving negative trust based on your suspicion on an issue that doesn't even concern you. Your motivations have been made clear here, and everywhere else you post. You continue to bash JD in a passive-aggressive manner, even though you say you're not implying certain things while continuing to imply them in the same sentence. You bash every other site or site owner that is competition, and even if every single one of them is a legit point, your paranoia has led you to abuse the trust system to preemptively trash people who you think might start a competing site in the future.

Dude, get a hold of yourself. You're not being an asset to the community when you act this way.

When Stunna talked about the potential of investment sites to sc.am thought he was implying it may be the case for JD

But Stunna's post is true : when you are talking about the possibility for someone to sca.m under the radar and on internet on a 20k figure, there is always a risk

Or maybe EveryDice.

I never saw him say anything about justdice scamming like that.


Title: Re: OFFICIAL DICEBITCO.IN ANNOUNCEMENT ABOUT THE SKIPPED NONCES INCIDENT
Post by: alani123 on September 22, 2014, 08:05:20 PM
I believe that we should still give those guys credit for not running with an entire bankroll worth hundreds of thousands of dollars.


Title: Re: OFFICIAL DICEBITCO.IN ANNOUNCEMENT ABOUT THE SKIPPED NONCES INCIDENT
Post by: Joecker on September 22, 2014, 08:38:19 PM
I believe that we should still give those guys credit for not running with an entire bankroll worth hundreds of thousands of dollars.
https://i.imgur.com/5aLV5YB.png


Title: Re: OFFICIAL DICEBITCO.IN ANNOUNCEMENT ABOUT THE SKIPPED NONCES INCIDENT
Post by: dooglus on September 23, 2014, 05:11:21 AM
Here is the diff for the malicious code commit, for what it's worth http://pastebin.com/anXZmNM6

Thanks. I'm surprised how small it is. All it does is change a couple of <title> tags and add the cheat code. I was thinking the cheat code would be buried deep among a bunch of complex unrelated changes but apparently not.

12 hours later, and a thought popped unbidden into my head:

"Hey, I know why I thought the changes would be bigger... because manl SAID they were bigger!"

Remember this?

How sure can you be that this malicious ex-employee isn't currently draining the bankroll by playing with a leaked seed?

We rolled back the admin update that it was deployed with the buggy code with an older version(lesser features and more PITA for us to do things but works and its made by us).

Rolling back the update resulted in "lesser features and more PITA for us to do things". But the patch that was presented here did nothing other than change the <title> tags and make the site skip some winning nonces.

Funny how the brain works isn't it?


Title: Re: OFFICIAL DICEBITCO.IN ANNOUNCEMENT ABOUT THE SKIPPED NONCES INCIDENT
Post by: snarlpill on September 23, 2014, 09:03:20 AM
.....
Funny how the brain works isn't it?

Burn!

It's said to be much easier to live an honest life; less lies you have to constantly keep up with and build around.


Title: Re: OFFICIAL DICEBITCO.IN ANNOUNCEMENT ABOUT THE SKIPPED NONCES INCIDENT
Post by: MICRO on September 23, 2014, 10:09:16 AM
Here is the diff for the malicious code commit, for what it's worth http://pastebin.com/anXZmNM6

Thanks. I'm surprised how small it is. All it does is change a couple of <title> tags and add the cheat code. I was thinking the cheat code would be buried deep among a bunch of complex unrelated changes but apparently not.

12 hours later, and a thought popped unbidden into my head:

"Hey, I know why I thought the changes would be bigger... because manl SAID they were bigger!"

Remember this?

How sure can you be that this malicious ex-employee isn't currently draining the bankroll by playing with a leaked seed?

We rolled back the admin update that it was deployed with the buggy code with an older version (lesser features and more PITA for us to do things but works and it's made by us).

Rolling back the update resulted in "lesser features and more PITA for us to do things". But the patch that was presented here did nothing other than change the <title> tags and make the site skip some winning nonces.

Funny how the brain works isn't it?

Lol, that is so true. They didn't need to roll back update this short code was so easy to spot and remove.

I guess there is argument coming: "We didn't know if he changed some other code or added more malicious code so we rolled back whole update".

There are so many contradictions in their story, like when they stated on chat that he and gary are the only 2 devs, I mean why would u hide the fact that u got a new employee.

It's just rly shady story with no proofs whatsoever.


Title: Re: OFFICIAL DICEBITCO.IN ANNOUNCEMENT ABOUT THE SKIPPED NONCES INCIDENT
Post by: boumalo on September 23, 2014, 10:10:05 AM
Here is the diff for the malicious code commit, for what it's worth http://pastebin.com/anXZmNM6

Thanks. I'm surprised how small it is. All it does is change a couple of <title> tags and add the cheat code. I was thinking the cheat code would be buried deep among a bunch of complex unrelated changes but apparently not.

12 hours later, and a thought popped unbidden into my head:

"Hey, I know why I thought the changes would be bigger... because manl SAID they were bigger!"

Remember this?

How sure can you be that this malicious ex-employee isn't currently draining the bankroll by playing with a leaked seed?

We rolled back the admin update that it was deployed with the buggy code with an older version (lesser features and more PITA for us to do things but works and it's made by us).

Rolling back the update resulted in "lesser features and more PITA for us to do things". But the patch that was presented here did nothing other than change the <title> tags and make the site skip some winning nonces.

Funny how the brain works isn't it?

WOW, hand in the cookie jar


Title: Re: OFFICIAL DICEBITCO.IN ANNOUNCEMENT ABOUT THE SKIPPED NONCES INCIDENT
Post by: DiceBitcoin on September 23, 2014, 10:13:52 AM
Here is the diff for the malicious code commit, for what it's worth http://pastebin.com/anXZmNM6

Thanks. I'm surprised how small it is. All it does is change a couple of <title> tags and add the cheat code. I was thinking the cheat code would be buried deep among a bunch of complex unrelated changes but apparently not.

12 hours later, and a thought popped unbidden into my head:

"Hey, I know why I thought the changes would be bigger... because manl SAID they were bigger!"

Remember this?

How sure can you be that this malicious ex-employee isn't currently draining the bankroll by playing with a leaked seed?

We rolled back the admin update that it was deployed with the buggy code with an older version (lesser features and more PITA for us to do things but works and it's made by us).

Rolling back the update resulted in "lesser features and more PITA for us to do things". But the patch that was presented here did nothing other than change the <title> tags and make the site skip some winning nonces.

Funny how the brain works isn't it?

Sorry I had to be clearer about the diff. This diff is from the commit that introduced the malicious code. It was part of a feature branch (https://www.atlassian.com/git/tutorials/comparing-workflows/feature-branch-workflow) that he was working on about some frontend and SEO stuff. Actually the changes that the whole branch introduced are a lot more than the changes depicted in this diff.




Title: Re: OFFICIAL DICEBITCO.IN ANNOUNCEMENT ABOUT THE SKIPPED NONCES INCIDENT
Post by: dooglus on September 23, 2014, 05:50:29 PM
Sorry I had to be clearer about the diff. This diff is from the commit that introduced the malicious code. It was part of a feature branch (https://www.atlassian.com/git/tutorials/comparing-workflows/feature-branch-workflow) that he was working on about some frontend and SEO stuff. Actually the changes that the whole branch introduced are a lot more than the changes depicted in this diff.

Yeah, that's the only reasonable explanation I could think of too. :)


Title: Re: OFFICIAL DICEBITCO.IN ANNOUNCEMENT ABOUT THE SKIPPED NONCES INCIDENT
Post by: Valzador on September 24, 2014, 04:59:18 AM
Not sure what happened but I've made over 160,000 rolls and I've only had one bad 21 loss streak.....

On JD and DD I would've had a 21 loss streak every 25k bets.


Title: Re: OFFICIAL DICEBITCO.IN ANNOUNCEMENT ABOUT THE SKIPPED NONCES INCIDENT
Post by: dooglus on September 24, 2014, 05:32:41 AM
Not sure what happened but I've made over 160,000 rolls and I've only had one bad 21 loss streak.....

On JD and DD I would've had a 21 loss streak every 25k bets.

I can check that for you if you like.

Can you tell me your userids on JD and DD?

Seeing a 21 loss streak in just 25k bets sounds pretty unlikely. At 49.5% you should see a 21 loss streak every 1.7 million bets or so on average.
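
The streak figures traded above can be checked with exact arithmetic, which is also how a player would judge whether a losing run is suspicious or ordinary. This is an added example, not part of the original posts; it assumes independent bets at a fixed 49.5% win chance, and the function names are illustrative.

```python
from itertools import product


def all_lose_odds(k, p_win):
    """Return N such that k specific consecutive bets all lose 1 time in N."""
    return 1.0 / (1.0 - p_win) ** k


def prob_streak_within(n, k, p_win):
    """Probability of at least one run of k straight losses in n independent bets.

    a[i] = P(no such run in the first i bets). The first run can finish at
    bet i (i > k) only one way: no run in the first i-k-1 bets, then a win,
    then k losses in a row.
    """
    q = 1.0 - p_win
    if n < k:
        return 0.0
    a = [1.0] * (n + 1)
    a[k] = 1.0 - q ** k
    for i in range(k + 1, n + 1):
        a[i] = a[i - 1] - p_win * q ** k * a[i - k - 1]
    return 1.0 - a[n]


def brute_force(n, k, p_win):
    """Exhaustive cross-check for small n: sum every sequence containing a run."""
    q = 1.0 - p_win
    total = 0.0
    for seq in product("WL", repeat=n):
        if "L" * k in "".join(seq):
            total += p_win ** seq.count("W") * q ** seq.count("L")
    return total


if __name__ == "__main__":
    p = 0.495
    print(f"21 given bets all lose: 1 in {all_lose_odds(21, p):,.0f}")
    for bets in (25_000, 160_000):
        chance = prob_streak_within(bets, 21, p)
        print(f"P(at least one 21-loss streak in {bets:,} bets) = {chance:.4%}")
    # The recurrence agrees with exhaustive enumeration on a small case.
    print(abs(prob_streak_within(12, 3, p) - brute_force(12, 3, p)) < 1e-12)
```

At 49.5%, `all_lose_odds(21, 0.495)` is about 1.7 million, and the chance of seeing any 21-loss streak within 25,000 bets is under 1%.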


Title: Re: OFFICIAL DICEBITCO.IN ANNOUNCEMENT ABOUT THE SKIPPED NONCES INCIDENT
Post by: bodgybrothers on September 25, 2014, 04:05:10 AM
I did a profile on Manl over multiple accounts when Dicebitcoin started, and he exhibits signs of a classic con man.

The scenarios below sum up the testing I did on Dicebitcoin (I also did these same tests on Dooglus, Dean and Stunna. These 3 passed the test)
1. account has over 20btc deposited, manl is very friendly. Even when I ask stupid questions
2. Account has a flakes deposited, manl is very rude, even when I ask legit questions
3. Account has nothing in it. Manl is trolling me hard.

Con men will always get their victims through gaining trust. They gain trust in 3 ways:
1. trust by association
2. trust by acting like a trustworthy figure. Like dressing like a pilot or doctor etc (not possible online)
3. trust by explaining what great deeds they did in the past. <-- this is the biggest sign of a conman.

Dicebitcoin is guilty of 1 & 3. By gaining Dooglus's trust in the beginning they obtained trust by association. This was massive for them and gained the entire community trust which meant they now had everyone's trust (except mine). Doog is not to blame here, he trusted them and they used that to gain more trust in the community.

Dicebitcoin then proceeded to do the long con. They know, gamblers don't usually verify, because most gamblers believe that because it is verifiable then they won't be cheated. Investors trust the owners and cannot verify if they are being cheated. So a dice site like dicebitcoin would play on their own accounts to get income from investors. They would then reduce the payout amount on the player accounts by skipping a few bets here and there to make up for it. It seemed that the amount of this reducing player accounts was indeed buggy, as finnile's account would never have been intended for a setting of 90% bets losing. Then use trust to create a story, since now you got caught stealing.
One would pay out the people who lost because you need to keep the trust levels up. You would then proceed to do the impossible with mateo account (I watched it live for hours). Then to con people into false trust again, you lose all the gains to the bank once everyone has already divested. You then try for new trust by saying it was variance and mateo just got lucky. We actually talked about this while it was happening. We predicted Mateo would lose to the bank at some point to show the betting was legit. And that's what happened. Mateo's winning was impossible in terms of variance, and it just so happened that the world's luckiest guy was around on Dicebitcoin when they got caught stealing.

The entire thing is classic con man. You couldn't write a better psychological example of how con men operate.

The argument of "I didn't run with 7000 btc so I must be trusted" is not a good one, because most con men will run a long term con to make the most profit and keep trust in the community. No good con man works like a petty thief, they are sophisticated in the art of social engineering.

Also, keep in mind we do not know who dicebitcoin are. Whois lookup is false, your names are fake... there is nothing tracing you back to who you are. Dooglus is traceable, and when I tested his character on JD, a year ago, he didn't change his personality if I had no money or a lot of money.

Casino investors and players, please do not fall for social engineered scams. People question Stunna at PD all the time, but the fact is, he can't scam investors, because he has none. and he can't scam players, because he has a provably fair algorithm. If you don't like his algorithm, then don't play there. And always verify your bets on all sites!
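
What "verify your bets" has to cover for the skipped-nonce cheat discussed in this thread, as an added example that is not part of the original post and not DiceBitcoin's code. The roll scheme (HMAC-SHA512 keyed by the server seed over `client_seed:nonce`, with a SHA-256 commitment to the server seed) is an assumption, and the seeds and bet log are constructed.

```python
import hashlib
import hmac

SERVER_SEED = "constructed-server-seed"   # constructed sample values
CLIENT_SEED = "constructed-client-seed"
WIN_BELOW = 49.5                          # "roll under" target for a 49.5% bet


def commit(server_seed):
    """Hash the site publishes before play and reveals the preimage of later."""
    return hashlib.sha256(server_seed.encode()).hexdigest()


def roll(server_seed, client_seed, nonce):
    """Assumed scheme: HMAC-SHA512(server seed, 'client:nonce') -> 0..99.9999."""
    digest = hmac.new(server_seed.encode(), f"{client_seed}:{nonce}".encode(),
                      hashlib.sha512).hexdigest()
    for i in range(0, len(digest) - 4, 5):
        value = int(digest[i:i + 5], 16)
        if value < 1_000_000:              # reject chunks that would bias the roll
            return value / 10_000
    return 99.9999                         # every chunk rejected: practically never


def sample_history(count, skip_wins=0):
    """Constructed bet log; optionally omit the first `skip_wins` winning nonces."""
    history, dropped = [], []
    for nonce in range(count):
        r = roll(SERVER_SEED, CLIENT_SEED, nonce)
        # Keep the first and last nonce so the sample always has both ends.
        if len(dropped) < skip_wins and r < WIN_BELOW and 0 < nonce < count - 1:
            dropped.append(nonce)
            continue
        history.append({"nonce": nonce, "roll": r})
    return history, dropped


def audit(history, server_seed, published_hash, client_seed, first_nonce=0):
    """Check the seed commitment, every reported roll, and nonce continuity."""
    report = {"seed_ok": False, "bad_rolls": [], "skipped": []}
    report["seed_ok"] = hmac.compare_digest(commit(server_seed), published_hash)
    expected = first_nonce
    for bet in sorted(history, key=lambda b: b["nonce"]):
        # A nonce the site consumed but never showed is a hidden bet result.
        for missing in range(expected, bet["nonce"]):
            report["skipped"].append((missing, roll(server_seed, client_seed, missing)))
        if bet["roll"] != roll(server_seed, client_seed, bet["nonce"]):
            report["bad_rolls"].append(bet["nonce"])
        expected = bet["nonce"] + 1
    return report


if __name__ == "__main__":
    log, _ = sample_history(20, skip_wins=2)
    result = audit(log, SERVER_SEED, commit(SERVER_SEED), CLIENT_SEED)
    print("seed matches commitment:", result["seed_ok"])
    print("rolls that fail to verify:", result["bad_rolls"])
    for nonce, r in result["skipped"]:
        print(f"nonce {nonce} missing; it would have rolled {r:.4f}")
```

Every bet that was shown still verifies on its own; only the continuity check exposes the gap, which is why checking individual rolls without checking the nonce sequence is not enough.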



Title: Re: OFFICIAL DICEBITCO.IN ANNOUNCEMENT ABOUT THE SKIPPED NONCES INCIDENT
Post by: dooglus on September 25, 2014, 05:34:46 AM
Dooglus is traceable, and when I tested his character on JD, a year ago, he didn't change his personality if I had no money or a lot of money.

I made a point of trying not to know how much people had because I wanted to treat all customers equally.

I remember one Sunday afternoon when LiKaShing got upset that I didn't have 24/7 support in place and he had to wait 3 hours for the hot wallet to be refilled. That's the only time I can think of that a player seemed to expect special treatment because he was a "good customer".


Title: Re: OFFICIAL DICEBITCO.IN ANNOUNCEMENT ABOUT THE SKIPPED NONCES INCIDENT
Post by: Joecker on September 25, 2014, 11:28:43 AM
Very good analysis bodgybrothers (https://bitcointalk.org/index.php?topic=789339.msg8962471#msg8962471).
Time to find the man(L)Gerr and their families, and offer them a one way ticket to ISIS-recreation park.


Title: Re: OFFICIAL DICEBITCO.IN ANNOUNCEMENT ABOUT THE SKIPPED NONCES INCIDENT
Post by: DiceBitcoin on September 25, 2014, 12:36:03 PM
I did a profile on Manl over multiple accounts when Dicebitcoin started, and he exhibits signs of a classic con man.

The scenarios below sum up the testing I did on Dicebitcoin (I also did these same tests on Dooglus, Dean and Stunna. These 3 passed the test)
1. account has over 20btc deposited, manl is very friendly. Even when I ask stupid questions
2. Account has a flakes deposited, manl is very rude, even when I ask legit questions
3. Account has nothing in it. Manl is trolling me hard.

Con men will always get their victims through gaining trust. They gain trust in 3 ways:
1. trust by association
2. trust by acting like a trustworthy figure. Like dressing like a pilot or doctor etc (not possible online)
3. trust by explaining what great deeds they did in the past. <-- this is the biggest sign of a conman.

Dicebitcoin is guilty of 1 & 3. By gaining Dooglus's trust in the beginning they obtained trust by association. This was massive for them and gained the entire community trust which meant they now had everyone's trust (except mine). Doog is not to blame here, he trusted them and they used that to gain more trust in the community.

Dicebitcoin then proceeded to do the long con. They know, gamblers don't usually verify, because most gamblers believe that because it is verifiable then they won't be cheated. Investors trust the owners and cannot verify if they are being cheated. So a dice site like dicebitcoin would play on their own accounts to get income from investors. They would then reduce the payout amount on the player accounts by skipping a few bets here and there to make up for it. It seemed that the amount of this reducing player accounts was indeed buggy, as finnile's account would never have been intended for a setting of 90% bets losing. Then use trust to create a story, since now you got caught stealing.
One would pay out the people who lost because you need to keep the trust levels up. You would then proceed to do the impossible with mateo account (I watched it live for hours). Then to con people into false trust again, you lose all the gains to the bank once everyone has already divested. You then try for new trust by saying it was variance and mateo just got lucky. We actually talked about this while it was happening. We predicted Mateo would lose to the bank at some point to show the betting was legit. And that's what happened. Mateo's winning was impossible in terms of variance, and it just so happened that the world's luckiest guy was around on Dicebitcoin when they got caught stealing.

The entire thing is classic con man. You couldn't write a better psychological example of how con men operate.

The argument of "I didn't run with 7000 btc so I must be trusted" is not a good one, because most con men will run a long term con to make the most profit and keep trust in the community. No good con man works like a petty thief, they are sophisticated in the art of social engineering.

Also, keep in mind we do not know who dicebitcoin are. Whois lookup is false, your names are fake... there is nothing tracing you back to who you are. Dooglus is traceable, and when I tested his character on JD, a year ago, he didn't change his personality if I had no money or a lot of money.

Casino investors and players, please do not fall for social engineered scams. People question Stunna at PD all the time, but the fact is, he can't scam investors, because he has none. and he can't scam players, because he has a provably fair algorithm. If you don't like his algorithm, then don't play there. And always verify your bets on all sites!



You sir are the king of suckpuppets :)
Quote
The scenarios below sum up the testing I did on Dicebitcoin (I also did these same tests on Dooglus, Dean and Stunna. These 3 passed the test)
1. account has over 20btc deposited, manl is very friendly. Even when I ask stupid questions
2. Account has a flakes deposited, manl is very rude, even when I ask legit questions
3. Account has nothing in it. Manl is trolling me hard.

We were ALWAYs friendly, and helpful, WITH EVERYONE. If you have evidence of the opposite, I ask you kindly to provide it here.

Quote
Doog is not to blame here, he trusted them and they used that to gain more trust in the community.
We already had 2k BTCs invested, before dooglus starts playing/investing/showing his support.

Quote
The argument of "I didn't run with 7000 btc so I must be trusted" is not a good one, because most con men will run a long term con to make the most profit and keep trust in the community

That is beyond stupid. We never expect the BR to reach those numbers again, tbh I'm quite surprised it even stayed around 2k.

Quote
They know, gamblers don't usually verify, because most gamblers believe that because it is verifiable then they won't be cheated

That is SO WRONG. If I was a gambler, and I lost, FIRST thing I would do is VERIFY my rolls. Simple as that. Also, if you really were in chat (that I highly doubt), you would see, every time some big bust was going on, we and mods would say every time: VERIFY YOUR ROLLS.

Quote
You then try for new trust by saying it was variance and mateo just got lucky. We actually talked about this while it was happening. We predicted Mateo would lose to the bank at some point to show the betting was legit. And that's what happened. Mateo's winning was impossible in terms of variance, and it just so happened that the world's luckiest guy was around on Dicebitcoin when they got caught stealing.

There is NO IMPOSSIBLE in variance. Highly unlikely yes, impossible no. So, you predicted that mateo will lose? Then you should invest when profit was -330 BTC! Imagine how much coins you would have made! If mateo lost --> you predicted it --> scam. If mateo didn't lose --> we stole them --> scam. I like your logic

Quote
Also, keep in mind we do not know who dicebitcoin are. Whois lookup is false, your names are fake... there is nothing tracing you back to who you are. Dooglus is traceable, and when I tested his character on JD, a year ago, he didn't change his personality if I had no money or a lot of money.

Dooglus is not traceable. Wake up. Please give me example of how you "tested" my character, I'm really curious on your claims! Oh yes, it's been a long time/you didn't save the logs/you lost your screenshot?

Quote
People question Stunna at PD all the time, but the fact is, he can't scam investors, because he has none. and he can't scam players, because he has a provably fair algorithm.

Our algorithm is provably fair as well, and ANYONE can verify it. Check your facts, and come again.

Very good analysis bodgybrothers (https://bitcointalk.org/index.php?topic=789339.msg8962471#msg8962471).
Time to find the man(L)Gerr and their families, and offer them a one way ticket to ISIS-recreation park.

As for you, I put you a negative trust, because I had enough of your shit. You can leave me back, as you could possibly check, the trust system is not my no1 priority.

Regards


Title: Re: OFFICIAL DICEBITCO.IN ANNOUNCEMENT ABOUT THE SKIPPED NONCES INCIDENT
Post by: DiceBitcoin on September 25, 2014, 12:42:42 PM
Locking down the announcement, since it served its purpose! You are free to continue addressing any issues/further dialogue in our official topic here --> https://bitcointalk.org/index.php?topic=716312.0

Thank you all once again.

Regards