I don't think the 4960x bets are a problem:

>>> 100 - 4960 * 0.02
0.8

That's a 0.8% edge as advertised.

The 200x bets have a 2% edge:

>>> 100 - 200 * (99.99 - 99.5)
2

I recommend both, but for viewing transactions khashier is better.

Compare khashier and presstab on the same transaction and you'll see. khashier shows more information in less space, more clearly. Presstab doesn't tell me which outputs are spent and wastes lots of space writing out txids when a simple short link would be better. Presstab doesn't tell me the fee, or the amount transferred, the transaction size, etc.

That's cashflow and proves nothing.

It's possible to calculate the CLAM address that has the same private key as any given BTC address. So I can 'send CLAMs to a BTC address' in the same way that the initial CLAM distribution was done.

But people should update their emergency address to a CLAM address.

Seems Joter learned nothing from this:


The lesson should be when people smarter than you try to help you, shut up and listen!

I think you missed my point.

The bolded points:

95% of the network was claiming to be mining v3 blocks,
50% of the network was SPV mining,
but only 50% of the SPV miners were claiming to be mining v3 blocks?

Doesn't that mean that 50% of the SPV miners, and so 25% of the network wasn't claiming to be mining v3 blocks?

If so, how did we reach the 95% trigger?

>>> 1 / ((99.946 / 100) ** 25000)
732080.9049554196

That's a 1-in-732k chance?

Also, "The video you have requested is not available." - what's up with that?

Exactly this. There are 10k different possible rolls (or 100k, for now, etc.) so have the roll target and the stake be the things which define the bet, and have the payout multiplier be derived from that (and calculated to enough places that the rounding doesn't matter).

I think the issue I found would go away as soon as they fixed the bug that you found to be honest. They're pretty related.

I've been offline most of the day so haven't been able to keep up with this thread. I'll edit this with replies to later posts as I read them.


I told you that I verified that he is able to get a 30% edge over the house.

Do you think I'm lying to try to scam 1.5 BTC out of you? Really?


Not only that, but it's other people's money they're risking here. They take 'investments'. I wonder if they have any idea who came up with that idea...  


I don't think I will. The site has the old-fashioned kind of provable fairness where they change the server seed every roll, and so you need to do an awful lot of work to verify the fairness. You would need to note the server seed hash before every roll, change the client seed unpredictably before every roll, then verify that the revealed server seed really hashes to the provided hash and that the two seeds together give the correct roll. Every roll. It's just too much work to expect anyone to do.

No modern dice site uses this kind of provable fairness any more. Even Prime Dice finally switched to using the static server seed + nonce method that Just-Dice pioneered about a year ago after many requests from players.


Yes! Players expect to win the 0.03% bet once in 3000 rolls. When they do, they are paid 3968 units. If you have a greater than 1/3968 chance of winning 3968 units, that's +EV. In this case it's a 19.04% edge for the player.

It beggars belief you don't recognise the problem even after having it spelled out to you.


Is there a grown-up anywhere near you? Maybe get them to help you. For fuck sake man, this is insane.


Your math is a little wrong, and overly complicated. The player's edge is 32.26%, not 32.44%:


You used 0.002 when you should have used 0.0002:

>>> 0.0002 * 6612 + (1-0.0002)*-1
0.3226

But it's easier just to calculate the payout. It's 0 when the player loses, and 6613 when they win, so return to player per 100 bet is:

>>> 6613 * 0.02
132.26

ie. a 32.26% edge.


Has it occurred to you that it is possible that you might be wrong? The alternative is that everybody else is wrong, since they all seem to be telling you the same thing.


Since you don't seem to believe in math, I wrote a simple simulation of the 3968x at 0.03% bet:


When you run it, the profit is up and down at first, but it settles down after a while:


The math predicts a player profit of 19.04%. The simulation shows a player profit of 21% after 10 million rolls. If you ran the simulation for longer, it would settle down at 19.04%. So I guess you either didn't run your simulation for long enough or made an error coding it.


When subSTRATA came to me with this and I confirmed it was a real issue, he asked for my advice on how to proceed. I told him I have had mostly bad experiences with bug bounties. Most site operators will stiff you on the bounty if they think they can get away with it. We had a discussion about the morality of making the +EV bets just enough to earn what the feel the bounty is worth, and then reporting it "for free". subSTRATA was very much of the opinion that that would be wrong, and that he would just approach the site directly. I think he assumed that they take his message seriously since I was vouching for the fact that it was real. I think we were both shocked by the arrogance of their response.


You missed a zero. It's 0.03% at 3968x. At 0.3% the profit should be huge, since that's an edge of 0.3 * 3968 - 100 = 1090.4% for the player.


That's different. He called you an idiot because you were being an idiot.

You called him an idiot because you were butthurt.


I think the biggest issue in this thread is the horrible way you dealt with the whole situation. I can't imagine how you could have been any less professional. I don't have any reason to believe that you will react any differently to future bug reports. Do you?


You should stop coding. If you don't understand the math underlying the algorithms that you are coding you end up with horrible errors like we have seen here. You are lucky that subSTRATA took the approach he did rather than slowly bleeding your bankroll dry. It seems like there is very little chance you would have ever found out how it was happening considering how hard it was to pound the understanding into you in this thread.


I had a similar experience yesterday. I had horrible losing streaks, but put it down to variance. I didn't keep logs at all, and didn't have any kind of seed logging in place either.

The site claims to be provably fair, but for all intents and purposes the amount of work the player needs to put in to verify the fairness means it may as well not be.

They should change to use a system like Just-Dice uses, where the player can make a million rolls at <0.02% and then at the end reveal their server seed and easily check how many times they should have won by running the provably fair algorithm in a loop with a single seed pair and an ever-changing nonce. Lots of sites have adopted that system - it's free for anyone to use.


1JtD6uG43feZrUqgxTYsQAPTmgmq8hogCt is an address for me. But don't feel the need to tip me - I didn't do anything other than vouch for subSTRATA's find.


No, here's how I do it: I email the site and disclose the bug report up front. Then they try to find excuses not to pay me. Sometimes they end up paying something, but most often I get nothing.

In this case I was merely vouching for subSTRATA. He didn't want to get ripped off by the site and so wanted to get paid up front. They wouldn't believe him if I didn't vouch for him. And didn't believe him that I did. Ho hum.

I don't think anyone was threatening to release or sell the exploit, but maybe I'm wrong.


Exactly. It is common practice for gambling sites NOT to reward people who help them fix security holes, and so it doesn't seem unreasonable to withhold information until the reward is paid. Their site contains text claiming that the DO reward people who report bugs, and so it doesn't seem unreasonable to use what is effectively an escrow to hold knowledge of the bug in exchange for the reward.

Or, in other words: They say "we pay for bugs". There is a history of sites breaking that promise, and so using a "bug escrow" (like me) seems reasonable. And not like blackmail at all.


No need to skip nonces. The site doesn't use them. It makes up a new server seed for each roll.

I contacted poloniex and bittrex immediately.

Poloniex very quickly told me it wasn't their address.

Bittrex were very unhelpful and eventually told me:


I think when they say it "has been solved" they mean it "hasn't been solved but please go away". They never would even tell me whether they owned the address the stolen coins were sent to or not.

I hadn't tried their customer support until then, but this was all the experience I needed to know that I should withdraw my balances ASAP.

Maybe you misunderstood. Staking destroyed age, setting it back to zero. So it's not like old coins keep getting old and staking at the same time. You choose: stake, or gather age. The idea seemed to be that you could load up your wallet once a month and collect all the built up staking that had accumulated due to the age. But when staking is meant to secure the network surely you don't want people only doing it once a month. Hence the abolishment of 'age'...


All the inputs are fixed. You can't increase your chances of finding a 'good' hash by throwing more CPU at it. You could calculate hashes somewhat in advance (though I think some of the inputs depend on recent blocks, so not too far in advance) but hashing doesn't take long anyway. The JD staking wallet checks something like 30k outputs in 4 seconds.

src/kernel.cpp says this:


and this:


I've never tried to understand it fully, but it looks like the author went to some lengths to make it hard or impossible to game.


I did? I didn't mean to. It checks each *output*. You can have multiple unspent outputs per address. JD keeps most of its value split into 30k separate outputs at a single address. The wallet loops through all the unspent outputs it controls, does a hash for each of them, trying to find one that hashes low enough to stake a block.

Yeah, you don't just leave dead links like that. I'm sure it's just an oversight.

Is this the right place? https://www.altquick.co/ ?

I tried clicking 'sell' at the bottom. Got this:



It's not entirely clear what the site is. Is it only for converting between altcoins and US dollars?

OK, you're talking about splitting outputs into optimal sizes for staking. I see. I do that too...

I guess I see things differently. I use satellite Internet and have a hard cap on monthly data transfers. I don't want to be downloading a relatively large bootstrap.dat if I know that I only need the last 2% of it. The fact that the CLAM client will take a few minutes to skip through the 98% I already have isn't that big a deal. The wasted file transfer is. (Chopping the big bootstrap.dat into little parts happened on remote servers with proper Internet connections and didn't involve my having to upload or download anything other than a few command lines over the satellite connection).


The problem with that is that you're trusting me to provide the true longest chain. It adds another kind of centralisation to CLAM. Of course, the client validates every block it reads from the bootstrap file, and only adds it if it is valid, but I still don't like the idea of having the client know about my particular copy of it.

Having said that, what do people think about updating the checkpoints in the CLAM client? I bet that hasn't been done for quite a while now:


So we have checkpoints up to block 250k, staked on Sat Dec 13 15:14:24 2014, but nothing since. I think that means that theoretically MtGox (say) could dig up a whole load of CLAMs tomorrow, and use them to completely rewrite the chain from last December, wiping out all the transactions and blocks that have happened since.

The "reasonable timestamps" isn't an issue any more I don't think, since we no longer accept timestamps out of order.

Block 530000 was staked 5 days ago, has no weird times around it and contains only a simple staking transaction:

529995 Sat Jun 27 17:35:12 UTC 2015
529996 Sat Jun 27 17:36:00 UTC 2015
529997 Sat Jun 27 17:36:32 UTC 2015
529998 Sat Jun 27 17:36:48 UTC 2015
529999 Sat Jun 27 17:37:04 UTC 2015
530000 Sat Jun 27 17:37:20 UTC 2015
530001 Sat Jun 27 17:37:36 UTC 2015
530002 Sat Jun 27 17:39:12 UTC 2015
530003 Sat Jun 27 17:39:28 UTC 2015
530004 Sat Jun 27 17:40:00 UTC 2015
530005 Sat Jun 27 17:40:16 UTC 2015

I guess I'll add a checkpoint for it.

Edit: note those 11 timestamps just above, and how they are all exact multiples of 16 seconds apart from each other. That's the 16 second window I keep going on about. As far as CLAM staking is concerned, there is no point of time between 17:40:00 and 17:40:16. Time passes in 16 second lumps.

JD has a 75% chance of finding the next block because JD has 75% of the total staking weight on the network. I don't know how much effect network connectivity has. JD's wallet isn't connected to many peers most of the time - and I don't know if that helps or hinders it. I figure the 16 second length of the time windows means network latency isn't a big deal for the most part but I could be wrong there.

If the solo staker has 5% of the staking weight and JD has 75% then there's 20% elsewhere. We don't know whether they'll be working on JD's block or the solo-staker's block - it would depend which of the two they saw first. So the 75% chance for JD is a minimum.

The situation is further complicated by the fact that we don't know with any accuracy what the total network staking weight is. People who are trying to stake with small amounts but failing are effectively invisible. There's no way of knowing how many CLAMs are trying to stake other than trying to infer it from the network difficulty and the rate at which blocks are found. But the difficulty swings up and down quite drastically many times per day, making such calculations tricky.

It's not particularly easy to find out.

When I first discovered CLAM, I couldn't find out how staking worked, so I read the source code and summarised it like this:


It has changed since then. There is no longer the concept of "age" - the weight of an output is simply its size (once it has matured and not been involved in a transaction for 4 hours). And the "every second" changed to "every 16 seconds". And the difficulty became about a million times easier.

But basically, every 16 seconds your client looks at each of your unspent outputs, finds the ones which are mature and haven't moved in the last 4 hours, and hashes a bunch of information together (including the current time, the txid, etc.). If the hash is smaller than the current network-wide target times the value of the output then that output gets to stake a block. Multiplying the target by the size of the output makes the ease of staking proportional to the size of the output.

It's "random" in the same way that Just-Dice rolls are random: it isn't, but it appears to be due to the nature of hashing. Imagine hashing "abc123"+current_time_in_seconds with sha256 until you got a number less than a million as the hash result. There's a particular time in the future when that will happen, but without trying it for every current_time_in_seconds you can't predict when it will happen.

There's not really any comparison. In scrypt the assholes get imaginary "KHS". In the moths-for-assholes site they at least get a few moths. Do you have a link? It sounds kind of interesting. I'm wondering how it compares to my new site, butterflies-for-dingbats.com

Define "good at staking"? Is it a game of skill?