Crap. What an awful day to sleep in. It was a pretty basic DoS on the site, triggering a case that I haven't hardened for.  I have the game back up and running, with the offending ips banned. I'm working on preventative measure to stop that being able to happening again, and to automatically pause the game when things are going haywire instead of marching on creating a awful mess.

Right now there's 27 unterminated games, and several dozens of cashouts that were not able to be applied. Please no one worry, over the next couple of hours I'll get to restoring everything and making sure no one was disadvantaged by this.

Poker and moneypot are the main two games that I know of that make +EV bitcoin gambling possible. If you want any strategy (and not just a fancy skin on top of a RNG) you will need to play something with a player-vs-player aspect, as no casino is going to wittingly accept -EV play.

I've finally completely ripped out the coinbase dependency and all deposits and withdrawals are directly using bitcoin core. I've watched the last dozens of transactions and the migration seems to have gone rather seemlessly without interrupts or delays. If anyone has any problems or issues, please let me know.

I guess this would be you?

I do not believe it was stealing, as many times I've openly offered bounties of that order of magnitude. He merely pulled it from me, rather than wait on me to push it to him. And that's fine by me, what he found was clearly worth a lot more than that.


I'm not sure what motivates him, but if he ever wants to claim credit and add it to his list of achievements, I wanted to be clear that I bear no ill will, nor do I feel wronged (but rather the contrary).

Yes. He had used the exploit to get somewhere in the order of over 30 BTC in profit. He did withdraw his original deposit, plus 5 BTC as a bounty for finding the exploit. Had he wanted, he would have been allowed to withdraw up to 25 BTC which was the contents of the hot wallet. But being a decent guy he didn't even make an attempt to do so, something that I am very grateful for.

Great explanation, as always, Dooglus. The only thing missing is the adding that one reason for the complexity in the exploit was that the game ticks are scheduled using a setTimeout after the last game tick, as opposed to on fixed intervals or at particular game multipliers. When enough people cash out at a particular point in time, it actually makes an extremely large (~50ms?) impact on the game tick. Since it's using non-blocking IO, I'm not quite sure why this is. But regardless there's quite a bit of work involved in just figuring out when the game ticks will run to be able to abuse the exploit.

I'm really impressed by the person who abused this bug. Not only due to the complexity of the exploit, but the fact he only took 5 of the 25 BTC in the hot wallet. He likely could have slowly abused the bug leading the eventual shutdown of MP, but instead was a class act. I'm really thankful for that and working on better security measures so I won't need to rely on the kindness of strangers as much.

It requires quite an in-depth understanding of moneypot source to understand. But the high level of it is that money pot's game_end event was leaking information (or more precisely the lack of money pot's game_end event) which could be abused by taking advantage of dynamically moving the autocashout amounts (something that is now disabled).

Because it was so timing sensitive, the code had to be rather complex taking into consideration network latency to decide how and when to act.

Foo has provided me with his exploit code:

http://privatepaste.com/164b29a720
http://privatepaste.com/9c14190b93
http://privatepaste.com/f4ebeb9b19


Highly impressive stuff! Hats off to you foo!

Yeah, he said he was willing to put the code available online as a lot of work went into it. I'd be extremely interested in seeing it. Some of the timing stuff would be rather challenging to pull off

Had it been the same scenario, it wouldn't have been a big issue: I'd obviously cover such expenses out of my own pocket first. Had the person been less honorable and slowly bleed the site and investors, it'd truly be a nightmare situation. I shudder just thinking about it. But I guess ultimately the price one has to pay to be +EV.

On the plus side, the code is on github for anyone to review and critique, and possibly even pay someone to audit it. If you read how his exploit works, I would argue it a very clever exploit that wasn't the result of shoddy coding, but using a non-obvious and clever way to leak information. Either way, I will slow things down and do a more comprehensive security audit and hardening of everything, including adding some non-public alarms and triggers for suspicious behavior.

Sorry guys, I was asleep! Thanks for letting me know. Foo did find an exploit, and was kind enough to reveal it. I have quickly pushed up a fix, and purged Foo's games from the database to preserve meaningful stats.

Foo used quite a clever exploit in some what should be dead code: http://privatepaste.com/354dae40cd

I'd like to thank him for not abusing the bug further, or slowly bleeding me over time. I'm extremely thankful for that, that would have been a nightmare situation. Thanks Foo!

Sorry about all the drama people, please enjoy the game.

I wasn't aware there was any hate? Glad you enjoyed the game too!

Big thanks to CSM for his contribution to MP, bringing the goodness of 2FA, which is now live!

In the chat we were discussing different chART, here's my favorite:



the reverse martingale!

Interesting. A message with the same language was sent to MoneyPot.com, but asking for 5 BTC (and doubling to 10) and with an attack said to last 4 days. I guess the guy is A/B testing his extortions.

You should consider getting a blog or twitter account for these picks. It'll make it a lot easier to follower your picks, and less noisy for people who aren't. Or if you insist on using the forums, the "Game and rounds" is much more suitable for this sort of thing.

Did you claim that 50% deposit bonus, which appears to be opt-in and says:


or did they apply the restriction to your account, without you claiming that bonus?

Check out our latest release, with a totally rewritten strategy tab that also supports easy bet progressions. All custom strategies will need to be modified from using  .onGameCrash  to  .on('game_crash', ...)  and a few other mechanical 1:1 changes. This is to allow far more compossible strategies (e.g. using an autobet, while sniping)

Nailed it, and why I discontinued the MoneyPot.com signature program. MP will get less visibility now for sure, but at least it should do so for the right reasons.