It's explained by math. All the bets are public. You can do statistical analysis on it if you'd like.
You can do statistical analysis all you want, and it still cannot protect anyone "investing" in the house against an inside player or someone who has cracked the server seed from ripping you off. Chances are, this player was just pretty lucky. And that's what makes it such an easy thing to pull off, done properly, you can rob the investors blind without even being suspected of any wrongdoing, and certainly not provable. |
|
|
|
Meanwhile, 30,000 BTC still saying 'I trust dooglus'.
I suspect those who understand math and only have as much invested as they can afford to lose, will stay invested.
I suspect that those who understand how easy it would be to have an unexplained lucky streak given the server seed will keep their BTC off of the site as well. |
|
|
|
I looked at the way the rolls are generated and it seems that someone who knows the server seed can easily cheat the system and even in a way that looks legitimate. I haven't looked too long at it, so forgive me if there are mistakes.
From my understanding, there are three things used to generate a roll:
1) Server seed
2) Client seed
3) Roll #.
The server has its seed determined ahead of time. It publishes the hash so you know it isn't changing it out from under you. The client seed is something you can choose. The roll number is the sequence of rolls.
If I have all of this information, I can roll 10 times ahead of time with a client seed, see if I have an advantage, then bet as needed. I can also choose to bet on winning payout values since there is a winning value at almost any level. To keep it simple, you might just want to pick one high-odds payout, and run 100 rolls, then see which client seed pays out the best, then run that seed.
Hopefully I am just overlooking something, but if the server seed has been compromised in any way, its incredibly easy to pick a client seed and bet amount that pays out +EV over time. This could be an insider, someone who has somehow gotten access that shouldn't have, etc...
Maybe someone can explain why I'm wrong, though.
As far as I understand you're absolutely right. But that requires, as you already said, that the attacker indeed has access to the server seed. The question is if its easier for an attacker to just try to access the site wallet directly and steal that way, or to figure out how to get the server seed and then have to hassle with predicting his own rolls etc. Edit: Or maybe he figured out how to generate the server seed from the client seed? There could be many reasons. Perhaps the wallet isn't as easily as accessible. Perhaps he could figure out the seeds on his own. Perhaps it was an inside job and it's easier to have plausible deniability when just some guy gets lucky. Or someone could have just been lucky! That being said, if it's this simple to cheat, why anyone would "invest" in this site seems a bit crazy to me. It's also equally easy to just walk away with the investments, although perhaps the threat of prosecution or retaliation is great enough that it's easier to just do it subtly. That being said, if someone wanted to do it subtly, why create a single account that exploits this? But people have done dumber things in the past. For example, POTRIPPER: http://www.youtube.com/watch?v=FczbS7FiWSM |
|
|
|
|
I looked at the way the rolls are generated and it seems that someone who knows the server seed can easily cheat the system and even in a way that looks legitimate. I haven't looked too long at it, so forgive me if there are mistakes.
From my understanding, there are three things used to generate a roll:
1) Server seed
2) Client seed
3) Roll #.
The server has its seed determined ahead of time. It publishes the hash so you know it isn't changing it out from under you. The client seed is something you can choose. The roll number is the sequence of rolls.
If I have all of this information, I can roll 10 times ahead of time with a client seed, see if I have an advantage, then bet as needed. I can also choose to bet on winning payout values since there is a winning value at almost any level. To keep it simple, you might just want to pick one high-odds payout, and run 100 rolls, then see which client seed pays out the best, then run that seed.
Hopefully I am just overlooking something, but if the server seed has been compromised in any way, its incredibly easy to pick a client seed and bet amount that pays out +EV over time. This could be an insider, someone who has somehow gotten access that shouldn't have, etc...
Maybe someone can explain why I'm wrong, though.
|
|
|
|
I agree, and I have a solution for that issue. It basically requires the capital to be locked up. And I can do with a transaction that gets put on the block chain that can only be unlocked by the "winning" party once the difficulty adjusts. It can proportionally pay out with a little bit of logic different (or even some other calculation other than linear), but right now I'm focusing on all-or-nothing.
Forget "difficulty insurance" and pursue the lockup idea. You're on to something important. Come up with a way to do distributed escrow as a two-phase cryptographic protocol. Something that works like this: - A sends N locked bitcoins to B to buy something. A cannot spend those Bitcoins again, but B can't spend them yet. - A gets whatever B was supposed to send them. - A unlocks the N locked Bitcoins. B can now spend them. That's enough for little transactions, up to maybe $10 or so. This is better than "escrow services"; there's no escrow service which can run off with the money. (It happens. Big problem on eBay.) Both sides can lose, with un-spendable Bitcoins in limbo. Since neither side has the money, both sides will probably try to come to some agreement. Make that work and hook it into some popular shopping cart program. There's a fancier version, with an arbitrator. - A sends N locked Bitcoins to B, with an arbitration service listed in the transaction. - A doesn't get whatever B was supposed to send them. - A sends a token to the arbitration service requesting arbitration. - Cases: - B sends their token, accepting arbitration. - A wins. The arbitration service unlocks the Bitcoins in favor of A. - B wins. The arbitration service unlocks the Bitcoins in favor of B. - B does nothing, and after some period of time, loses by default. - or - A fails to unlock the locked Bitcoins they owe to B - B sends a token to the arbitration service requesting arbitration. - cases as above. A solution has to have the following properties: - The transaction is anonymous unless submitted to arbitration. - The unlocking operation is a 2 out of 3 cryptographic protocol. A and B can unlock, or A and the arbitrator can unlock, or B and the arbitrator can unlock. - Operations involving an arbitrator have a delay (days to weeks) That may be overkill, but it would be useful to have it available for larger transactions. (Like "pre-orders" from Butterfly Labs, perhaps.) This would make Bitcoin ripoffs much harder, and make the sale of goods using Bitcoins much safer. The lockup idea is actually fairly trivially from a technical perspective. The hard part is the arbitration service actually being able to be trusted and unlocking things. They need a way to be able to judge. This likely isn't straightforward, and it's hard to know if that entity can be trusted. That entity may conspire with the parties to hijack the coins, etc... Judging these things is also going to be expensive. That being said, I certainly wouldn't be opposed to doing this. In the end, it's something I'd like to get more into, and it's a bit more general purpose than I envisioned (I wanted to stick to arbitrating things that are easy to judge, such as difficulty), but it's not impossible. You may want to see my external state posts for more information on this. Escrow is one key thing that it can be used for. I've already gotten the lock-up functionality to work on testnet, so it's just a matter of building it. |
|
|
|
The idea is no one really knows what the difficulty will be in December.
So you have various levels of X, and they require different contribution shares from each party.
To define those levels you gave in the example you would need to know the probabilities to start out with. But as you say no one knows those probabilities. And the different contracts would become (un)interesting as new information becomes available and so the community estimate goes up or down. The icbit Dec contract started out at 300M and it last trade was at 484M. This free trading of these future contracts allows the community to bet on the future difficulty without anyone having to guess the probability upfront. It allows the price to reflect news as they become available from the ASIC vendors. And if enough people participate, the efficient market hypothesis predicts that the market value should be a good estimate for the December price. In that case it would not only help miners to hedge but also give them this good estimate as free information. Right now the estimate is probably not very accurate because the volume is low. On the upside, this gives a good opportunity to anyone interested to bet on the difficulty and who think the difficulty will be lower or higher than currently traded. The market can define those probabilities just like the icbit contract. . . etc. anyone? Intrade is long gone, and would be something Bitcoin could easily be used to replace it. RIP Intrade. |
|
|
|
VISA, Mastercard, and Capital One have dominated the public sphere for too long. Imagine a smart bitcoin ad that could introduce people to the idea that there's an alternative to all the bull.
A 30 second TV spot would reach 100-120 million (mostly American) viewers. This would likely cost 24,000 BTC (3 million USD) at current exchange rates.
A competition could be held within the BTC community to vote on whichever ad they think is most worthy for the spot. It would be good idea to get an escrow system set up so that if the donation threshold is not met, then the donations are refunded. It would be even CRAZIER if there was some kind of implementation to run a faucet that starts when the commercial airs, billing it as "the only commercial ad that pays YOU to watch it!"
If we can't get to it for this year's superbowl then I'm optimistic, it will likely be even more feasible in the years to come if Bitcoin sticks around and grows in value.
That would be awesome! Doesn't the foundation have 1,000,000 BTC or something? They could fund it. The foundation could also flush the private key for 24,000 coins down a toilet too, and it would be equally as productive. |
|
|
|
Scam.
Nobody starts a business to lose money, unless they are a complete moron. Anyone thinking they will actually get a significant payout is wrong.
LOL @ you. Reduction of variance is worth taking a -EV bet sometimes. That's why people buy insurance. The goal is not to get a payout. The goal is to hedge your investment in case something unforeseen happens. The market prices things to a fair level based on current knowledge, and profit can be made by having better knowledge than the rest. The economy is not zero-sum. Almost always you have win-win scenarios, even when there is profit. |
|
|
|
Bitcoin is gold, silver, and bronze. Something is either radically superior and replaces Bitcoin completely or it targets a niche where Bitcoin is less than optimal and coexists. The silver to gold analogy is just wishful thinking. Dead on. There is a possibility that something comes along and solves a particular problem better than Bitcoin, and Bitcoin cannot solve it without also making the vast majority use cases worse in the process, thus the niche can be served by the alt-coin. namecoin seems like a good example of this, it has a niche case, and there's no reason to extend Bitcoin to service namecoin use cases. |
|
|
|
Since most people here are interested in mining it would be more interesting to have calls on the difficulty and not puts.
Yes. It would be interesting to see the opposite. I'm tempted to offer both calls and puts for a small amount, so you may be able to free roll for a small amount of Bitcoins just to see if there is interest. What would anyone pay to get paid 1 BTC if difficulty is over: 1) 140M 2) 145M 3) 150M 4) 155M On the put side: 1) BTC 0.85 2) BTC 0.5 3) BTC 0.2 4) BTC 0.05 On the call side: 1) BTC 0.05 2) BTC 0.1 3) BTC 0.25 4) BTC 0.5 I for one would love a real BTC futures market that will allow you to hedge the investment in hardware. It's kind'a tricky how you would create a covered short though without the ability to directly trade the hashrate. We first need a hashrate index fund and then an option market on top of that. How to arbitrage the index fund against actual hashrate though? I'm not sure you really need to have an index to the hashrate, instead, you could have a 1/x payout, which has a fixed downside. Miners only need a fixed payout (recover their investment) to hedge, they don't need unlimited upside. Once the difficulty raises past the point of profitability, they are done. I'd like to set up a futures market for this kind of thing, although it will be pretty manual and small stakes at first. If there's sufficient interest, I can build it to be more automated market. I think for the next increase, I'll throw out some small bets on this, likely with a .1BTC payout, in the 20-40% increase ranges, and let people bid on the contracts. If they get a great price, good for them! |
|
|
|
I'm aware of the zero-liquidity prediction sites no one uses. |
|
|
|
Since most people here are interested in mining it would be more interesting to have calls on the difficulty and not puts.
Yes. It would be interesting to see the opposite. I'm tempted to offer both calls and puts for a small amount, so you may be able to free roll for a small amount of Bitcoins just to see if there is interest. What would anyone pay to get paid 1 BTC if difficulty is over: 1) 140M 2) 145M 3) 150M 4) 155M |
|
|
|
I'd be willing to go as high as .0001 BTC.
We have a winning bid so far! |
|
|
|
|
I'm considering taking action on this. Right now it's a hypothetical. I would pay you 1 BTC if difficulty is under 145M, but you have to may me X BTC now.
1) What is the most you'd spend on this action?
2) What is the most you'd pay for the same contract, except it pays out 1 BTC if the difficulty is under 140M?
3) What is the most you'd pay for the same contract, except it pays out 1 BTC if the difficulty is under 150M?
4) What is the most you'd pay for the same contract, except it pays out 1 BTC if the difficulty is under 155M?
|
|
|
|
The idea is no one really knows what the difficulty will be in December.
So you have various levels of X, and they require different contribution shares from each party.
To define those levels you gave in the example you would need to know the probabilities to start out with. But as you say no one knows those probabilities. And the different contracts would become (un)interesting as new information becomes available and so the community estimate goes up or down. The icbit Dec contract started out at 300M and it last trade was at 484M. This free trading of these future contracts allows the community to bet on the future difficulty without anyone having to guess the probability upfront. It allows the price to reflect news as they become available from the ASIC vendors. And if enough people participate, the efficient market hypothesis predicts that the market value should be a good estimate for the December price. In that case it would not only help miners to hedge but also give them this good estimate as free information. Right now the estimate is probably not very accurate because the volume is low. On the upside, this gives a good opportunity to anyone interested to bet on the difficulty and who think the difficulty will be lower or higher than currently traded. The market can define those probabilities just like the icbit contract. It's just a different payout structure with the same concept. To figure out the true value of the icbit contract, you need to factor in those probabilities just the same. A single binary contract actually requires less calculations than a variable contract and is something that can more easily be guessed. Since the payout is variable based on how far it is off, you could think it is more likely to be below the trading value, but still have a +EV trade by buying the contract rather than selling, if the payout is high enough with the upside, and the payout on the more likely end is lower. |
|
|
|
For ECC multiplication there's Python code for it here: https://github.com/richardkiss/pycoin (look at the BIP32 support) There's probably some BIP32 support written for bitcoinj as well; ask around. I believe I've seen some branches of bitcoinJ related to BIP32, so that sounds like the place to look. |
|
|
|
You know, I just realized something: for every one of these cases it's better if the oracle reveals a seckey to a pubkey than if the oracle reveals a nonce. First of all, it means the oracle can prove they really do have the seckey by just signing a message, and secondly the two participants can take the oracles pubkey, and do an ECC multiplication with another pubkey that the two participants jointly agree on. Now they have a pubkey for which the seckey can only be found if the oracle reveals the oracles seckey, but looking at the blockchain there's no way to know what pubkey from what oracle was used to create the missing seckey, or even to know if the oracle had anything to do with it at all.
For instance, Alice and Bob are placing their bet on the 2013 superbowl. Oscar the oracle says if the Giants win, he will reveal seckey A' which corresponds to pubkey A, and if they lose, he'll reveal seckey B', which corresponds to pubkey B.
Now Alice and Bob jointly agree on a pubkey with a seckey that they both know, C. Then they pay their funds to the following scriptPubKey:
IF
<A*C> CHECKSIGVERIFY
<Alice's pubkey> CHECKSIG
ELSE
<B*C> CHECKSIGVERIFY
<Bob's pubkey> CHECKSIG
ENDIF
All the other steps are pretty much as above. Note how you don't even need to bother with any privacy stuff. You can also do it with 100% standard transactions with multisig:
2 <alice*A> <alice> <bob*B> <bob> 4 CHECKMULTISIG
Note that while only x-of-3 CHECKMULTISIG is valid as a bare scriptPubKey, you can have more pubkeys if you enclose it in a P2SH scriptPubKey. The only restriction is you have to be able to spend it with a scriptSig of no more than 500 bytes.
Sorry, I should have figured this out earlier!
Thanks for the update. I've been chugging away, but this kind of change seems reasonable. There's another else case I have which is a 2 of 2 Multisig "Oracle disappear" clause, but the same idea applies. I'll need to look up more on ECC Multiplication. There was a presentation someone recommended a while back (I'll have to dig through this thread), where a guy basically was able to do some kind of transform on signatures to basically create an invoice at order time as part of the transaction, that seems like it might have some application here as well. The only downside with this nonce approach is it's an all-or-nothing payout. For a lot of contracts, that makes a lot of sense, but you also have some cases where you have a proportional payout (say you have something that pays out at a linear value, such as you get 1/435th of the value of the contract for each seat in the House the Republicans win, or you have a formula to try to offset difficulty increases where every time the difficulty doubles, you get 50% more payout out of the contract, etc...). Mike was somewhat concerned in having a lack of flexibility in the payouts early on, and while this use case works very well in a huge number of cases, I think there will be a place for both in the end. But I need to start somewhere and this seems simpler, so I start here. I really like this idea, just need to research a bit more on implementation. Thanks again for your contributions, I am making far more progress with help than I would have been able to do alone. |
|
|
|
Because, it loses value very slowly and predictably on its own and, as long as you keep it invested, supporting efforts to increase the efficiency of the economy, it earns value long-term.
However, if you want to get rich with absolutely no effort from you to contribute to other people's lives, then obviously Bitcoin is your thing.
Fiat money does not have any value, it is just a unit of counting, and was created out of nothing. But the reason it still hold some value is because that all the people's salary/income are all paid with fiat, which is borrowed from banks to its root Employees earn fiat money through working, but for big employers, they borrow money from banks and give them out as salary (and earn them back through spending of employees) The man who get rich with absolutely no effort are federal reserve bankers, they create and claim the ownership of every fiat money Bitcoin will let people get rich with little effort, but there are two main differences: First, you have to accumulate enough coins, so you have to mine or exchange your work/valuable assets for bitcoin, you can not create it out of nothing like central bankers. Second, everyone can do the same, it is a fair play Just like a pension fund, you first invest your labor/assets in bitcoin for some years, and then enjoy the return It doesn't have value? Then send me all of yours, since it is clearly worthless. |
|
|
|
yes this seems to be the major drawback of bitcoin as a transactional currency as far as I can tell.
And even if you just wait for 1 confirmation, it takes awhile. And if you don't wait for any, you are risking getting scammed by "double spend" so not sure there is a way around it.
What is the risk? What is the cost of scamming a small transaction on a double spend? What does it cost to execute a double spend? If you answer those questions, you'll realize how ridiculous your point is. My guess is you don't know the answers, otherwise you wouldn't say such things. |
|
|
|
|
Show Posts
