Bitcoin Forum
May 24, 2024, 01:42:11 PM
News: Latest Bitcoin Core release: 27.0 [Torrent]
Show Posts
241  Economy / Gambling / Re: BetKing.io - NEW DESIGN! Most trusted and popular crowdfunded Bitcoin Dice site on: November 04, 2016, 10:28:55 AM
Extra reason to use 2FA Smiley (tipping requires 2FA.)
242  Economy / Gambling discussion / Re: new gambling site on: October 28, 2016, 10:30:28 AM
Do you have any recommendations / piece of advice to gain trustworthiness?
Just be transparent, fair and nice to players. IMO in the end what counts most is history that shows real players have played on your website without any problem. So in the end, only time (months/years of running a legitimate gambling site) will gain you trust. But even after a long history, I would stay away from sites with an inactive admin/support - so that's another important thing.
243  Economy / Gambling / Re: Primedice | Most Popular & Trusted | Huge Community | Free BTC on: October 24, 2016, 03:04:02 PM
Lol, yeh, I have no question that PD is very popular, but 3621 unique users online at this moment? Nah Tongue Even /r/bitcoin just has 438 users online atm (logged-in last 15 mins.) Bitcointalk has 818 users online atm. But PD more than 3000+? Tongue

Actually the "polling transport" says 412. Then "websocket transport" says 3807. Then now it's all of a sudden 1549. So definitely something is broken.

In the end I never care much about "online user" statistic though (highly depends on technical details.) But seems like PD should double-check how they count it.
244  Economy / Gambling / Re: MoneyPot.com on: October 24, 2016, 09:25:08 AM
So you were cheated, then you went looking through the source code to secure proof for your claims and during that process they hacked your computer to ensure all your proof (files) will be corrupted.

Damn, never realized the JPR developers were such skilled hackers. Hacks like that go for $50k-$100k on the grey/black markets. But I guess the evil developers rather use it for this MP app to steal dust money from you.

Seriously though, the (client-side) source code of the JPR site is pretty messy, but that isn't as serious as what you claim here lol.
245  Economy / Gambling / Re: *NEW* KingDice.com - Innovative & Realistic Bitcoin Dice Casino on: October 21, 2016, 04:21:12 PM
RHavar actually shared some interesting data about that from one of the biggest gambling sites, see: https://www.reddit.com/r/Bitcoin/comments/580zf0/actual_bitcoin_transaction_fees_costs/

His avg fee for withdrawals is 0.00044 - so not too far from 0.0005. It's mostly relatively high because players deposit more often than withdraw (= more inputs = bigger sizes = more fees.) I guess sometimes gambling sites don't charge the whole fee to the player though.
246  Economy / Gambling / Re: BetKing.io - NEW DESIGN! Most trusted and popular crowdfunded Bitcoin Dice site on: October 21, 2016, 04:32:55 AM
is any one of you affiliate in betking?
Yes, referred a bit over 500 players here. Most didn't wager any money though, lol (eg: I only referred around 25 players where I earned at least a dollar lol.)

It all depends if you get lucky referring a highroller. I didn't really refer any whale yet, but some medium players can still add up to some decent profits hehe Smiley
247  Economy / Gambling / Re: SatoshiDICE.com - The World's Most Popular Bitcoin Game on: October 20, 2016, 12:01:27 PM
Hey there! I am actually a marketing person. I want to start with the Satoshidice affiliate programme. I am interested in any articles, reviews of it and so on. If you have any information, can you send it to me. For example, the numbers you did with that programme. I will appreciate it.
I got an affiliate account, but I wouldn't know, because my account is old and I cannot access it ("old hash account".) No one ever replied to my e-mail 2+ weeks ago either. Typical SatoshiDice support unfortunately Sad

Not sure what to do with them. I kinda feel bad "advertising" for them while their support is this bad Sad
248  Economy / Gambling / Re: BetKing.io - NEW DESIGN! Most trusted and popular crowdfunded Bitcoin Dice site on: October 20, 2016, 05:37:29 AM
I personally think most people just trust a site owner with an X amount of coins. Then they would just put it on the highest kelly possible.

For sites with a smaller BR, this means a high kelly is probably great to allow slightly bigger players. If a big player wins, personally I would still add some extra funds back to the site in that situation.

For sites with a bigger BR, this means a high kelly is just gonna make insane high max profits and potentially risky situations (because investor probably trusts the site with a bigger % of his own personal BR - making max profit bets more risky for that investor.) Also those risk situations should "almost never" happen (because max profit is so high), making it more appealing for investors.

Don't know if that makes sense Tongue and it is different per person, but def true for me. Statistically almost everyone puts their coins on highest kelly too.
249  Economy / Gambling / Re: Monero dice seed hacked? on: October 20, 2016, 02:23:36 AM
You can say that, but it is still completely unacceptable. Just a TL;DR for those who didn't follow (simplified example but exactly what happened):

Imagine there are 4 investors with each 100 XMR, so total BR is 400 XMR. Cheater comes and wins 200 XMR, leaving all investors with 50 XMR each. 3 of the investors decide to divest to limit the amount the cheater can win (but the cheater doesn't bet anymore.) Owner luckily processes all withdrawals manually so is able to stop all the withdrawals including the one from the cheater (and from any investor, if temporarily needed.)

Now the owner has 2 refund options. Give 50 XMR back to each investor (who were invested at the time of the cheater.) This way, there is literally no loss for anyone. Or give all 200 XMR to the 1 investor that is left, so he can profit from the situation. The first option seems 100% obvious to me. And the second option is basically just scamming the other investors. You chose the second option and somehow still don't understand why it is wrong.

Don't even start about "what if", Poloniex or start-ups, the above is exactly what happened (with different numbers obviously.)

Am I the only one who thinks this is just unacceptable?
250  Economy / Gambling / Re: Monero dice seed hacked? on: October 19, 2016, 10:30:08 AM
So you're of the position that other investors, who may be asleep due to timezones, should just suffer the 100% loss? So in that event the investor is just "lucky", and the rest are "unlucky"?
Yes, because of this:
An investor that divests and withdraws is no longer part of the bankroll.
Besides that, this is an extreme scenario because it assumes that you had the whole bankroll in a hot wallet. I don't see too much reason to consider extreme scenarios like that, better to just look at the facts. With the manual withdrawals in place, it would have been no problem to refund 100% to the most unlucky investors and 50% to those who lost 50% etc.

And yet in the reverse all investors should be "lucky"?
No, just the ones who had a loss and were in the bankroll during the time of the bets.

How do you not see the disconnect here?
No, seems very rational to me.

I am honestly surprised about the replies here. I have been following your site for months and had a pretty high opinion of it since you are a trusted XMR developer.
lol sure, that's why we're listed on DiceSites, right? Don't patronise me.
That is exactly why I have been following your site indeed, to consider adding it to my site. For what it's worth: I am very transparent about that and I only add the most popular sites (which don't have a history of untrustworthy behavior.) Your site used to have plenty of days without any betting, so normally that wouldn't qualify. I have seen a rise in play since the XMR price rise, so I definitely was planning to add your site to the new version of my site. But I agree this is all not relevant to this situation.
251  Economy / Gambling / Re: Monero dice seed hacked? on: October 19, 2016, 08:57:11 AM
Perhaps a comparison will help: let's say that you have 10 BTC in Poloniex. You hear that Poloniex isn't processing BTC withdrawals, along with panic that they're hacked, and use your BTC to buy a bunch of WaffleCoin and withdraw it. You sell your WaffleCoin on ShapeShift, but now the market's tanked and you end up with 9 BTC. Later that day Poloniex put out a statement apologising for the issues and stating that they're now fixed. Would you insist that they roll the trades back? What about the shorters that took profit from you?
Strange comparison.

Better comparison: a hacker steals a part of the balance from very specific accounts on Poloniex. In panic, I obviously withdraw the left-over money. Poloniex detects the vulnerability and refunds all money. I think it would be normal that Poloniex refunds the affected balances and not just anyone on Poloniex. I just cannot imagine Poloniex saying "well, I know you lost money because of that hacker, but you withdrew the rest, so we won't give your lost money back, instead we give it to others".

Of course if I gamble with the "left-over money" on a dice site and lose it all, then I don't expect them to pay that part back (which is your comparison.) But that has nothing to do with the hacked losses.

Or what if you invested in a startup, and then when it looked like things were going south you sold your investment at a loss. Two years later the startup is a huge, successful company. Do you insist on taking profit from the growth because you *used to be* an investor?
Strange comparison again. It has nothing to do with future profits. We are not talking about an investor who is complaining that you made huge profits after he divested. We are talking about investors who made a loss because of a cheater when he was invested and you are refunding the wrong people.

Better comparison: if one of your employees stole money directly from investors during the time I was an investor of that start-up and he would refund 2 years later, then yes, I would still expect him to pay me too.

You stated at the outset that you understand that the situation would have been different had the attacker managed to withdraw, but you're not actually following that thought through. Had that played out we'd have a total loss on the part of all the investors, and one investor who only incurred a $100 loss, and you can bet that investor wouldn't volunteer to divvy up his remaining funds among the affected investors.
What? Let's say the cheater would have won 50% of the BR, I divested to cut losses, and cheater continues to win rest of BR. Then yes, indeed, I would only have a 50% loss, while others would have a 100% loss. That's exactly right and that's why someone should divest/withdraw when he sees the site is hacked. I don't see why that investor with 50% loss would owe anything to the other investors?

Even then, you would have the decision to try to do the right thing and refund the losses (so 50% to the 50% loss dude and 100% to the rest). But in that situation I could have understood saying "sorry investors, but that was your risk too and I cannot pay you everything so we have to sort something out". That is why I say that it depends on the situation. Still I would expect any refund to go to affected investors who had a loss and not just to any investor after the cheater.

We thought about this, but we decided that it would be too dangerous for us to spend days and weeks trying to build a magical "undo" script, completely wrecking any auditability, and potentially ending up with a screwed up data set at the end.
Why? You would do these calculations on a separate database and only calculate the refunds, not too much risk. Yes, it might take a few days (although a quick script for estimations should be possible in a few hours.) But I don't see why a little more delay would be a problem if it's doing the right thing.

What happens when someone "accidentally" places a large bet and loses? Should we undo their bet, and take the profits from the investors?
Lol what? We are talking about a cheater who won money, what has that to do with someone losing money? Obviously when a player bets, it's final. No dice site ever refunds any normal bet.

An investor that divests and withdraws is no longer part of the bankroll.
It's not about the bets after he divested, it's about the bets during his investment. You refunded the bets that were during his investments. He was a part of the bankroll during that time, so he should be refunded.

Nevertheless, I've already offered to send $100 to the affected investor, so I'm not sure what more you expect?
I would expect you to understand why it's wrong to refund the current investors and not the affected investors. And I would hope you pay back the affected investors because it's the right thing to do as a gambling site owner - not because $100 is not much.

I am honestly surprised about the replies here. I have been following your site for months and had a pretty high opinion of it since you are a trusted XMR developer. But I really cannot imagine that you don't understand why you should refund investors who actually had a loss because of the cheater.
252  Economy / Gambling / Re: Monero dice seed hacked? on: October 19, 2016, 06:42:20 AM
I understand the risk is on the investors too and the situation would have been different if the cheater managed to withdraw all the money.

But the cheater didn't get any of it, so if you do rewind the cheater's bets, it seems very obvious that you should refund to the affected investors. To suggest otherwise seems ridiculous to me. And to give free money to people who invested after the whole situation seems even more crazy.

Let me put it differently: you saw the errant bets and you divested and withdrew your money, in a panic and at a loss.
That seems like a normal thing to do. If I see a site is hacked, obviously my first reaction is to withdraw my own money. You must be pretty stupid to not immediately make sure your left-over money is safe.

Because there had been users created and withdrawals / deposits processed in the meantime, we couldn't simply roll the database back.
You shouldn't roll the whole database back, you should look at which investors got affected by the cheater and how much they lost. In theory just the rolls and invest/divest information should be sufficient. I understand it's technically tricky and needs some custom script to calculate, but that seems like the only fair way.

EG: you have the invested amounts of the current investors. Loop all events (= all bets + divests/invests) from latest to start of cheater. First event is probably some real bet after the cheater, recalculate what the invested amounts were before that bet. Second event same. If event is an invest/divest, adjust invested amounts too. Then when you reach the last bet of cheater, you should have all the info of which investors were invested at that time including the amount. Separately save how much they lost (or gained) in that cheater's bet. Continue loop and if the event is a cheater's bet, do the same. Continue until you are back to the first cheater's bet. IMO after this, you should have a list of investors with specific amounts of how much they lost? Reimburse those amounts to the investors.

What if the attacker had gotten away with his withdrawals, and we had to socialise the loss? Would you deposit your money back in to participate in that?
BillyBurns already made a loss from the cheater? So if you decided the losses were on the investors, nothing would have changed? He wouldn't need to deposit - he is already in loss.

edit: TBH I am not sure how many investors actually divested like BillyBurns. If he is the only one, things are probably more easy :x But just the mindset of refunding the investors who actually lost money seems important to me.
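The reverse walk over the event log described in the post above, written out as an added example (not the site's code or the poster's): it undoes every bet pro rata and every invest/divest, records each investor's share of the cheater's wins, and returns the refund per investor. The event log, investor names and amounts are constructed to mirror the 4 x 100 XMR story; the pro-rata profit sharing model is an assumption.

```python
from dataclasses import dataclass
from fractions import Fraction


@dataclass
class Event:
    kind: str         # "bet", "invest" or "divest"
    who: str          # bettor for a bet, investor for invest/divest
    amount: Fraction  # bet: bankroll net change (+ house won, - house lost); else coins moved


def cheater_losses(events, current_stakes, cheater):
    """Walk the event log newest -> oldest, undoing each event to recover every
    investor's stake just before it, and sum what each investor lost on the
    cheater's bets. `events` must start no later than the cheater's first bet."""
    stakes = {inv: Fraction(v) for inv, v in current_stakes.items()}
    losses = {}
    for ev in reversed(events):
        if ev.kind == "bet":
            total_after = sum(stakes.values())
            total_before = total_after - ev.amount
            # a bet's profit or loss is shared pro rata, so it is undone pro rata
            for inv in stakes:
                before = stakes[inv] * total_before / total_after
                if ev.who == cheater:
                    losses[inv] = losses.get(inv, Fraction(0)) + (before - stakes[inv])
                stakes[inv] = before
        elif ev.kind == "invest":
            stakes[ev.who] -= ev.amount
            if stakes[ev.who] == 0:
                del stakes[ev.who]  # investor was not in the bankroll before this
        elif ev.kind == "divest":
            # undoing a divest puts the withdrawn coins (and the investor) back
            stakes[ev.who] = stakes.get(ev.who, Fraction(0)) + ev.amount
        else:
            raise ValueError(f"unknown event kind {ev.kind!r}")
    return {inv: loss for inv, loss in losses.items() if loss > 0}


F = Fraction
# Constructed log: cheater wins 200 of a 400 XMR bankroll, Carol and Dave divest
# their remaining 50 each, Eve invests 100, then one ordinary bet the house wins.
EVENTS = [
    Event("bet", "cheater", F(-200)),
    Event("divest", "Carol", F(50)),
    Event("divest", "Dave", F(50)),
    Event("invest", "Eve", F(100)),
    Event("bet", "player1", F(20)),
]
# Constructed state after the last event (what the site's database shows now).
CURRENT_STAKES = {"Alice": F(55), "Bob": F(55), "Eve": F(110)}


def example_refunds():
    return cheater_losses(EVENTS, CURRENT_STAKES, "cheater")


if __name__ == "__main__":
    for inv, loss in example_refunds().items():
        print(f"{inv}: refund {loss} XMR")
```

Eve, who invested after the cheating, gets nothing, while Carol and Dave, who had already divested, are still refunded their 50 XMR each.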
253  Economy / Gambling discussion / Re: Need help trying to calculate provably fair on: October 19, 2016, 04:15:33 AM
Which site is this? The HMAC hash is indeed a1fa2bd2f8..

I assume something goes wrong because of all the special characters in their serverseed. Or they are just cheating you (: If you share some more context, I can have a look.

PS, for anyone who wants to read a generic article about how the provably fair mechanism works, I made a simple tutorial here: https://dicesites.com/provably-fair
254  Economy / Gambling discussion / Re: Gambling website with minimum bankroll on: October 18, 2016, 02:07:34 PM
How big does it have to be, or what is the minimum bankroll that will allow one to open a gambling website?
You should have at least 10 times your max bet amount.
That would be really bad Tongue If you only have 10x max profit, you are basically expected to lose all your bankroll.

I actually don't know the theory behind the Kelly criterion, but the practical side is:

Safe BRM: 0.5 - 1x kelly * house edge = max profit. So if your game has a 1% HE, you should have around 100-200x the max profit. If the game has a 2% HE this would be 50-100x the BR. This "max profit" definitely should be dynamic too, so adjust upon losses (and wins.)
255  Economy / Gambling / Re: Monero dice seed hacked? on: October 18, 2016, 01:22:46 PM
Looking at the expected variance is interesting, but obviously some dude who makes profits on a few accounts would be impossible to detect. Since you are publicly accepting investors (and were in loss even before this big winner), I do assume you are looking at logs to figure out if previous accounts potentially cheated? At minimum you could see which accounts accessed that specific API function? I don't think most users use the API. Besides that, potentially IPs/browsers/other info/etc can help to see if it's possible someone else might have abused it.

The way this guy was betting, was clearly to show that he could cheat. IMO this could have 2 reasons:

1) "I already stole enough so I will just show you that your site has a vulnerability"
2) "I can cheat on here, but don't want to receive a reward and rather just show it off"

IMO the first reason seems more likely. It is exactly what HufflePuff (who stole 2000+ BTC) did on PD with account "RobbinHood".

In the end I am personally not an investor and I am not sure how many public investors your site has, but I am obviously just saying this for the investors. If a site like PD (which doesn't accept investments) had this, I wouldn't be bothering Stunna about "previous accounts" or anything.
256  Alternate cryptocurrencies / Service Discussion (Altcoins) / Re: Poloniex security review on: October 17, 2016, 03:04:00 PM
Ah, I missed the "Referer" part. In that specific case GET is worse then, yeh.
257  Alternate cryptocurrencies / Service Discussion (Altcoins) / Re: Poloniex security review on: October 17, 2016, 06:14:08 AM
Quote
I was able to spread clickable buying, selling, withdraw and lending links. Sorry, but I think it is a serious vulnerability don't you ?
Is this really true though?

First of all there is barely a difference between GET and POST. If there is a CSRF vulnerability, an attacker can abuse it. Although GET might make the attacks slightly more practical, one could still make a simple HTML form on another domain/site (auto-submit with JS) and just send the parameters through there.. equally vulnerable (can be all in hidden iframe on legitimate looking page too.) I always use the following code for proof of concepts:

Code:
<form name="c" id="c" action="https://domain.com/page" method="post">
<input type="hidden" name="parameter1" value="10000" />
</form>
<script type="text/javascript">
window.onload = function () {
var form = document.getElementById("c");
form.submit();
};
</script>
This makes a POST request to another domain automatically upon loading that page, so pretty much the same as a GET CSRF.

The real fix is using CSRF tokens. However, I am getting the impression that they are still verifying the request by the header "X-Requested-With: XMLHttpRequest" (as seen in your screenshot too.) This can only be made from an AJAX request on the same domain. Therefore it wouldn't be possible as a clickable link on the same domain, nor any link/form/etc on another domain. Did you try making a request without that request header?

The reason why CSRF tokens are superior is because there have been some browser/Flash vulnerabilities where they didn't fully respect CORS (and allowed making requests with those X- headers.) But still if they verify that "X-Requested-With" header properly, I don't think it's fair to call it a vulnerability.

Overall it seems like the PDF is a bit exaggerated IMO Tongue The 0.2 BTC bounty does seem very low though. I understand that an open-redirect vulnerability isn't very crucial, but for a site like Poloniex it does seem very important. The "toString" thing is a very nice trick, I never realized that Smiley so thanks for sharing that.
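The server-side check the post above argues for, as an added example (not Poloniex's code or the poster's): a per-session CSRF token compared in constant time, with the "X-Requested-With" header kept as a second layer. The three constructed requests show why the token matters: the auto-submitted cross-domain form from the post carries neither, a request that only spoofs the header (the CORS-bypass case the post mentions) still fails, and only the same-origin XHR with the token passes. The secret, session id and token derivation scheme are assumptions.

```python
import hashlib
import hmac


def session_csrf_token(server_secret: bytes, session_id: str) -> str:
    """Derive the CSRF token for one session as an HMAC of the session id,
    so the server can recompute it instead of storing a copy."""
    return hmac.new(server_secret, session_id.encode(), hashlib.sha256).hexdigest()


def request_is_trusted(headers: dict, form: dict, session_id: str, server_secret: bytes) -> bool:
    """Accept a state-changing request only if the body carries the session's
    CSRF token. The X-Requested-With header is checked too, as defence in depth:
    a cross-origin <form> cannot set it, but the token is the real proof."""
    expected = session_csrf_token(server_secret, session_id).encode()
    supplied = str(form.get("csrf_token", "")).encode()
    if not hmac.compare_digest(expected, supplied):  # constant-time comparison
        return False
    return headers.get("X-Requested-With") == "XMLHttpRequest"


SECRET = b"constructed-server-secret"  # constructed; use a random key in practice
SID = "session-abc123"                 # constructed session id


def scenarios():
    """Constructed requests against the same session, returning the verdicts."""
    token = session_csrf_token(SECRET, SID)
    # the hidden auto-submitted form from another domain: no header, no token
    cross_site_form = ({}, {"parameter1": "10000"})
    # a request that managed to attach the custom header but has no token
    header_only = ({"X-Requested-With": "XMLHttpRequest"}, {"parameter1": "10000"})
    # a legitimate same-origin AJAX request with header and token
    same_origin_xhr = ({"X-Requested-With": "XMLHttpRequest"},
                       {"parameter1": "10000", "csrf_token": token})
    return {
        "cross_site_form": request_is_trusted(*cross_site_form, SID, SECRET),
        "header_only": request_is_trusted(*header_only, SID, SECRET),
        "same_origin_xhr": request_is_trusted(*same_origin_xhr, SID, SECRET),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```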
258  Economy / Gambling / Re: Primedice | Most Popular & Trusted | Huge Community | Free BTC on: October 13, 2016, 09:12:35 AM
0.03 BTC for info on how to disable the colored numbers that are dropping like rain from the balance (upper left side) each time you make a bet.

You could add the following filter in adblock plugin:

primedice.com##.index__home__header__balance__btc__change
259  Economy / Gambling / Re: Bitmillionaires.com POT 0.8 BTC / Free BTC lottery / 10 levels affiliates on: October 13, 2016, 08:31:03 AM
Mm the provably fair mechanism doesn't make much sense.

If you have at least 1000 tickets (which is probably guaranteed with the $1k min), you are looping 4 characters of the hash (= 0 - 65535), SHA256 is 64 characters, so a (1-1000/(16^4))^(64/4) = 78% chance the outcome is ticket #1 Sad

Anyway, even besides that, you cannot use a "clientseed" with a lottery like this. Because if you are trying to cheat, you would be the biggest player and you would be the one to "draw" = make the clientseed. Obviously since you know the serverseed, you can make any preferred outcome you like. Timestamp is useless since there is no way for others to verify you chose this fairly and randomly. You must be using something like the blockhash..

You should be looking at how PevPot used to draw their lottery.

PS, I do like a lottery so GL. Although it seems like this is more focused on freerollers, "ponzi players" (with those 10 levels) and probably has a terrible HE for real players. Although I didn't do the math.
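The draw mechanism criticised above, as an added example (not the site's code): scan a SHA256 hex hash four characters at a time, take the first chunk whose value lands inside the ticket range, and fall back to ticket #1 when none does. The function also computes the (1-1000/16^4)^(64/4) fallback probability from the post and checks it against a simulation over constructed hashes. The fallback-to-#1 rule and the "value+1" ticket mapping are assumptions about the site's scheme.

```python
import hashlib


def first_hit(draw_hash: str, tickets: int, chunk: int = 4):
    """Value of the first `chunk`-hex-digit slice that is below `tickets`,
    or None when every slice is out of range."""
    for i in range(0, len(draw_hash) - chunk + 1, chunk):
        value = int(draw_hash[i:i + chunk], 16)
        if value < tickets:
            return value
    return None


def draw_ticket(draw_hash: str, tickets: int, chunk: int = 4) -> int:
    """Winning ticket (1-based). Assumed rule: hit value v selects ticket v+1,
    and a draw with no hit falls back to ticket #1."""
    hit = first_hit(draw_hash, tickets, chunk)
    return 1 if hit is None else hit + 1


def fallback_probability(tickets: int, chunk: int = 4, hash_len: int = 64) -> float:
    """Chance that none of the hash_len/chunk slices falls below `tickets`,
    i.e. the post's (1 - tickets/16^chunk) ** (hash_len/chunk)."""
    return (1 - tickets / 16 ** chunk) ** (hash_len // chunk)


def simulate_fallback_rate(tickets: int, trials: int = 20000) -> float:
    """Empirical fallback rate over SHA256 hashes of constructed seeds."""
    fallbacks = 0
    for n in range(trials):
        h = hashlib.sha256(f"constructed-seed-{n}".encode()).hexdigest()
        if first_hit(h, tickets) is None:
            fallbacks += 1
    return fallbacks / trials


if __name__ == "__main__":
    print(f"formula:    {fallback_probability(1000):.3f}")
    print(f"simulation: {simulate_fallback_rate(1000):.3f}")
```

With 1000 tickets roughly 78% of draws never hit a slice and land on ticket #1, which is the bias the post points out.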
260  Economy / Gambling discussion / Re: there are lot of dice sites , which telling us....... on: October 13, 2016, 06:22:48 AM
All of the sites combined are pretty much nothing compared to JD BTC times :X Tongue https://dicesites.com/jdstats.txt

Once JD had 1,553,357 BTC wagered in a day. That's almost equal to PD's lifetime wagered....... IN ONE DAY.

Sure, price was only around $128 that time, but it's still pretty crazy :p