Can you sign 14iS2UvcLK33xkC1K1qL1dhEbp49aiNfNp?

If that's you, your description of the exploit doesn't match up with the official version published by the casino.

Take a look at this post: https://bitcointalk.org/index.php?topic=5466258.msg62993162#msg62993162. There's no formal scam accusation in that subforum, but the issue is laid out pretty clearly.

See ff0f3368-d64e-44b6-bafc-877c648f3a56. Should probably fix that.

After a month and a half, it seems likely that your developers have had a chance to look in to this. Can you provide an update?

I'm glad you're looking in to this, though I wish my original post had been answered so that maybe the flag and negative trust could have been avoided. In a PM, you asked for additional information. I don't think there is much else that I can provide other than what is in this thread. I hope you are able to find and correct this problem, and I expect that correcting this problem will include paying out all won bets incorrectly reported as lost.

The result of bet id 869601854 is as follows:

The first value of the data array is 26, and this is the value recorded as having been the result of this Roulette game.

At https://cryptoplay.io/help/fairness, the following code is available to check your provably fair implementation:

I wrote the following Node.js adpation of the PHP code:

This code indicates the result of the game should have been 21, which would have been a winning result for this particular game.

The results of the next bet in this series, bet id 869601961, follows:


We see here that the reported result of this bet is 8 and can confirm that result with the code written above.

Lastly, it's noted that this behavior disappears once below a certain bet threshold. For instance, the bets in this post are all around $90 and a winning bet was never seen in a sequence of 10 bets that should have had about a 25% chance of having some return. Of course 4/10 bets actually did return, the casino just misreported the actual outcome. This behavior was not seen at bets closer to $10.

I assert that this casino is fraudulently marking winning bets as losses in a very obvious and easily confirmable way. For that reason, I am leaving a flag.

Would you mind explaining the results of the following bets?

869601854
869602054
869602352
869602473

37 please.

It's probably illegal for a casino to discuss the exact values that trigger their AML procedures.

I do agree that KYC should be done up front and if a casino does not want to take a user's action for any reason, the bet should be refunded and allowed to be withdrawn. That said, I believe Stake is saying that they've had real losses from the match fixing action by this particular user and is holding the balance to recoup some of their losses. That seems reasonable.

If Stake has it wrong, Baskin198 should start arbitration. See https://stake.com/policies/terms#17._Arbitration.


You make a good point here. Casinos do seem to like to double dip with these unusual situations, keeping losses and refusing to pay out wins. I don't see any indication that this happened at Stake for these particular events. If someone could show evidence that they placed a losing bet that was not refunded on any of the events that Stake is saying were fixed, then maybe Stake would deserve some criticism. I think that they should codify how fixed matches will be handled in their terms of service to avoid any future confusion.

Can you elaborate on this any? What event did you bet on, how much did you want to bet, was the bet accepted and then cancelled or was the bet not allowed to be placed at all?

If you tried to bet 100% of your deposit and the casino turned away your action, then I'd argue you met any wagering obligation. If you can prove that happened, I'd support a flag.

That said, the only reference to a wagering obligation I see on the duelbits.com site is the following:


Did they ask you for KYC documents and did you cooperate? I would ask them to point out the specific part of their agreement that they are trying to enforce. If it is this section, ask them to define "minimum percentage" and consider trying to meet that obligation. If you have provided KYC documents, then I'm having trouble seeing their position. I would consider supporting a flag based on this interpretation of their terms of service if you wanted to make that argument.

That's what I thought would happen, but it didn't. The ink was definitely degraded but legible. This was a 1 BTC brass Casascius.


I think this is the most obvious and likely exploit.

There's some more information here: https://www.reddit.com/r/Bitcoin/comments/1jouqt/casascius_physical_bitcoins_cracked_at_defcon/. Note the top comment and the statement that the ring didn't affect the exploit.

I tried this around that time with dielectric solvent rather than non-polar solvent and it worked okay. I set the coin in a bath of solvent instead of using a needle. The sticker had a lot of residue that would have needed to be cleaned up if I wanted to reuse it, while it looks like the non-polar solvent left the adhesive useable. I didn't have the patience to try to clean the sticker and reapply it, but I think it could have been done.

If this was happening, I think we probably would see some indication in the near decade since the exploit was publicly demonstrated. Still, good to be cautious.

I had the following input on their original topic:

Lol, well nice pull, todayiwin. If you want to put your skills to use without the potential of going to jail, send me an email at cwil0290@gmail.com.

This is a fun topic. I'm a security researcher and actively look for exploits in casinos and other crypto spaces daily. I can't give nonpublic details, but I can talk about some of the more common things I find.

The BitMillions exploit detailed here (https://bitcointalk.org/index.php?topic=386711.0) was publicly known for a few days before the site operator fixed it. Keno, lottery, and bingo games tend to be vulnerable to similar exploits.

Craps games from various operators are often vulnerable to two different but similar attacks sometimes seen in physical casinos. A large pass bet is placed on the come out roll and then picked up or significantly reduced if a point is set. Alternatively, a small don't pass bet is placed and then increased and odds laid depending on the point. For example, if the point is 4 you might increase your bet 100x while if it's 8 you might leave the bet alone. These types of slightly +EV rather than instant win exploits are among the most sought after for bad actors as they generally look like normal gameplay.

Games in which multiple bets are placed on a board like roulette or sicbo can often be exploited. A developer will perform a sanity check to see if a bet falls within its limits and this prevents a person from placing negative losing bets. The proper way to do this is the check that each individual bet falls within limits, but sometimes a developer will take the sum of all bets and make sure it's above some minimum. This means you could place a bet of -90 on 0, 50 on red, and 50 on black to usually make 90 units per bet. You might also lose 3340 units if the ball hits 0. There may be ways to mitigate or eliminate that downside, such as betting a negative on -1 instead of 0. Various casinos and development studios have been vulnerable to this.

Sports betting sites are not immune to exploits either. Odds on single events can sometimes be manipulated in favor of the operator, so not very useful, but parlays can sometimes be made with the same event multiple times.

The most dangerous exploits I've found are pf seed leaks. These come in a few flavors. In the early days of bitcoin, dice sites would often generate a file with multiple years worth of daily seeds which were used site wide. The scheme here was hash(server seed + client seed + global bet number) to find the winning number. A popular dice site was vulnerable to a directory traversal attack which allowed the seed file to be read. As another example, there is a crash script available now that leaks the server seed whenever a player does a cash out. To exploit, a person sets up two accounts, once places the minimum bet and cashes out immediately, while the other places a large bet, waits for the cashout message of the first player, finds the outcome of the game from the leaked seed, and cashes out immediately before that point.

I've modified the first post in this thread to make the update more prominent.

I do not dispute the possibility of another account, but I sincerely do not know if I ever made one prior to the account in question. I can't go in to much detail about my tooling much like I suspect Cloudbet won't want to go in to much detail about how their risk detection system works, but I can say that with high confidence, regardless of how much telemetry Cloudbet collects, the machine and individual Cloudbet saw that day were brand new. It's very likely that the only thing that triggered the KYC request was the use of the VPN. We're getting a bit off topic here, but if that's wrong and Cloudbet did not see that visit as unique, I would happily take that data in lieu of the 0.005 BTC refund mentioned upthread. To be clear, that's not a challenge or taunt, I truly am interested and would love the opportunity to improve my methods. Cloudbet, please PM me if you want to pass that info along instead of the refund.


Cloudbet has processed a refund as discussed upthread. I've withdrawn my flag and revised feedback as agreed.

The phrase "one of my accounts" should be interpreted as an account opened at Cloudbet. I can not say if I have opened an account at Cloudbet before the day in question prior to 2018. I began keeping better records and can say that I have not opened an account since March of 2018.

I do not concede that I have ever placed bets from a restricted location as defined by Cloudbet's TOS.


I accept terms 7.1.4 and 7.1.6. These terms state that a user will not be physically located in the listed countries and that Cloudbet may use any means necessary to collect my information in order to enforce 7.1.4. These terms do not compel me to provide information. Even if you do think they compel me to provide information, the remedy for a violation of their TOS is found in section 11, specifically 11.1 and 11.3. The only part of the agreement in which fund confiscation or the freezing of funds appears is in reference to opening multiple accounts, discussed above, or by placing a bet from a prohibited jurisdiction, which didn't happen and Cloudbet does not seem to be arguing otherwise. Absent that criteria, per the TOS, account closures include a refund of deposited funds.


I used a VPN located in Canada, this is not a restricted country per the Cloudbet TOS.


I do not frequent this part of the forum and was unaware of activity in this thread until today. My goal was and still remains to warn others about what I feel to be Cloudbet's poor customer service and inability to abide by their TOS, not the return of the deposit, as I indicated in the reference thread in the first post of this thread.


Yeah, you have a good handle on the situation as I see it. Cloudbet wants information that I don't want to provide. I will quote the reference thread:


I've been pretty up front in that my goal is to report my experience.


I believe that they have the right to request KYC from anyone they like, and anyone has the right to refuse that request.


Cloudbet did reach out to me in a PM, which is what brought me here. That message is as follows:


I've not yet received this email but I am agreeable to the terms stated in the PM.

That's easy enough, see: https://www.bustabit.com/license.txt.

This site is not processing withdrawals, no surprise there.

Manual cashouts over 10x are not handled correctly. If a player manually cashes out at 10.5x, they will receive 0.5x resulting in a net loss. This problem does not seem to exist with the auto payout feature. I have not tested 3 or 4 digit multipliers.

The game leaks the server seed before the completion of the game. Normally I would discuss this problem with the owner of the site, but I do not think the owner of the site is acting in good faith. Some code follows to exploit this leaky server seed problem. It can run with a single account labeled account 2 in code, but will run better with two accounts.

---

I've removed the exploit poc. Apparently their crash game script is used at other casinos.