Bitcoin Forum
1481  Bitcoin / Electrum / Re: Electrum returns me transaction error on send on: May 14, 2020, 09:09:34 AM
Nodes have a rule against creating dust outputs, you're breaking it.

You know the Description is stored in your wallet only, right? Nobody else will ever see the text "are you alive", it is not broadcast, it is not included in any blocks, it will never be shown to anybody (well, it's shown to us in the screenshot you created, but that's simply because you created a screenshot).
1482  Bitcoin / Bitcoin Discussion / Re: People keep sending bitcoins to Satoshi on: May 14, 2020, 08:58:01 AM
I mean bugged because 68BTC are not worth 16.8k$

If i follow the link you posted, this is what i see:


This sounds about right... But yeah, some explorers might have trouble with the 50 BTC reward funding this address... It's possible some have flaws when converting btc to fiat... I wouldn't care too much though...
1483  Bitcoin / Bitcoin Discussion / Re: People keep sending bitcoins to Satoshi on: May 14, 2020, 08:50:19 AM
1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa

If you click you'll see some cents that people sent recently :D

One question, is this bugged?



What do you mean, is this bugged? No, it is not... Why would it be bugged?
People can fund whatever address they want for whatever reason. The people funding 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa are probably doing so to beg (since it's an address that's looked up pretty often, so they "advertise" their address) or maybe to boast, or to pay homage to satoshi...
1484  Other / Beginners & Help / Re: Transaction sequence on: May 14, 2020, 07:11:56 AM
Well, your wallet holds private keys, the public keys of those private keys are hashed. These hashes are your addresses.
In the past, somebody funded your addresses: somebody else created a transaction, and one or more of the outputs of said transaction were funding an address whose private key belonged to your wallet. You have one or more unspent outputs funding one or more addresses, the sum of the value of these unspent outputs is seen as the balance of your wallet.

When you click "send", your wallet will combine one or more of those unspent outputs with a total value equal to or greater than the amount you want to transfer PLUS the mining fee. If the sum of the values of the used unspent outputs is bigger than the amount you want to transfer plus the fee, a change address is used. This change address also belongs to your wallet, and it's funded with the leftover value.
In the meantime, while selecting unspent outputs to use, and finding out whether a change address is needed, your wallet also calculates the optimal fee. Sometimes you can pick your own fee, sometimes a slider is used, sometimes the fee calculation is hidden altogether, but your wallet calculates the weight of your transaction and adjusts the fee accordingly.

After the unsigned transaction is created (unspent outputs are used as an input, new unspent outputs are created as output), the transaction is signed with the private key(s) belonging to the addresses whose unspent outputs are being used as an input.

The signed transaction is now broadcast to the nodes. Each node checks if all unspent outputs used as input are available in their utxo db (db with all valid unspent outputs), they also check the signatures. Invalid transactions get rejected, valid ones get broadcast to other nodes.

In the end, the transaction ends up in the mempool of about all the nodes of the network. Some of these nodes belong to miners. Miners sort the transactions from highest fee/Wu to lowest fee/Wu. They take the top tx's (until the block is full), calculate a merkle tree, put the merkle root in the block header they're trying to solve (together with the sha256d hash of the previous block header) and try to find a nonce for which the sha256d of the new header is under the current target.

If they succeed, they found a valid block, and they can broadcast it to the network.

As soon as a signed transaction is broadcast, the receiver usually sees an incoming, unconfirmed transaction. Once a transaction has ended up in a valid block, the receiver will see the transaction is confirmed.
When new blocks get mined on top of the block containing a transaction, the receiver will see +1 confirmation...

As long as a transaction remains unconfirmed, it'll stay in the node's mempool. Each node can truncate their mempool, so if a transaction remains unconfirmed for too long, most nodes will have dropped it from their mempool. This is one of the reasons why it's a bad idea to accept 0 conf transactions.
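The miner's side of the sequence described in the post above (sort by fee/Wu, build the merkle tree, search for a nonce), as an added example that is not part of the original post. The mempool entries, previous-header hash, timestamp and the very easy target `TOY_BITS` are constructed so the search finishes instantly; fee selection is simplified to a greedy pass.

```python
import hashlib
import struct


def sha256d(data: bytes) -> bytes:
    """Double SHA-256, used for txids and for the block header hash."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def select_for_block(mempool, max_weight):
    """Greedy template: highest fee per weight unit first, until nothing more fits.
    Simplified: real miners also account for unconfirmed parents and the coinbase."""
    chosen, used = [], 0
    for txid, fee_sat, weight in sorted(mempool, key=lambda t: t[1] / t[2], reverse=True):
        if used + weight <= max_weight:
            chosen.append(txid)
            used += weight
    return chosen


def merkle_root(txids):
    """Fold 32-byte txids pairwise with sha256d until one hash is left."""
    if not txids:
        raise ValueError("a block holds at least one transaction")
    level = list(txids)
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])  # odd level: the last hash is paired with itself
        level = [sha256d(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]


def bits_to_target(bits: int) -> int:
    """Expand the compact 'bits' header field into the full 256-bit target."""
    exponent, mantissa = bits >> 24, bits & 0x007FFFFF
    if exponent <= 3:
        return mantissa >> (8 * (3 - exponent))
    return mantissa << (8 * (exponent - 3))


def build_header(version, prev_hash, root, timestamp, bits, nonce) -> bytes:
    """Serialize the 80-byte block header; every integer is little-endian."""
    return (struct.pack("<I", version) + prev_hash + root
            + struct.pack("<III", timestamp, bits, nonce))


def meets_target(header: bytes) -> bool:
    """Valid proof of work: header hash, read as a little-endian integer, <= target."""
    bits = struct.unpack_from("<I", header, 72)[0]
    return int.from_bytes(sha256d(header), "little") <= bits_to_target(bits)


def mine(version, prev_hash, root, timestamp, bits, max_nonce=2**32):
    """Try nonces in order until the header hash is at or under the target."""
    for nonce in range(max_nonce):
        header = build_header(version, prev_hash, root, timestamp, bits, nonce)
        if meets_target(header):
            return nonce, header
    return None


# Constructed sample data: (txid, fee in satoshi, weight in Wu).
MEMPOOL = [
    (sha256d(b"tx-a"), 5000, 800),
    (sha256d(b"tx-b"), 1200, 600),
    (sha256d(b"tx-c"), 9000, 900),
    (sha256d(b"tx-d"), 300, 500),
]
PREV_HASH = sha256d(b"constructed previous header")
TOY_BITS = 0x2000FFFF  # constructed easy target, about 1 in 256 hashes qualifies


def demo():
    txids = select_for_block(MEMPOOL, max_weight=2400)
    root = merkle_root(txids)
    nonce, header = mine(1, PREV_HASH, root, 1589440000, TOY_BITS)
    return txids, root, nonce, header


if __name__ == "__main__":
    txids, root, nonce, header = demo()
    print("transactions in block:", len(txids))
    print("merkle root:", root.hex())
    print("nonce:", nonce, "header hash:", sha256d(header)[::-1].hex())
```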
1485  Economy / Games and rounds / Re: BTC Lotto on: May 13, 2020, 09:13:29 AM
Hey there,

I understand that it might look concerning, but i'm hoping to be able to do some good.

I will provide screenshots of the process, daily, to show that this is being handled properly.

My goal with this is to:
- Help good causes, especially those who are helping the community during covid-19
- Bolster market confidence in BTC
- provide a safe and moderated platform for investors to have an opportunity to win a pot.

If anyone skeptical would like to join me on a video chat during a draw i'd be happy to show more. Just finding its feet right now.

Thanks
T

Screenshots and video chats aren't guarantees for a safe, provably fair platform. Screenshots can be faked, video chats might show fake random number generators.
A community vetted escrow and a provably fair method of drawing are hard guarantees (an example of a provably fair method: use the blockhash of a block with a blockheight in the future as ticket numbers).

Sorry, you might mean well, but in the end you're just an unknown person who pinky promises not to run away and to be honest when drawing a lotto pot.

This is the real-life equivalent of somebody you don't know standing on the corner of a big street in a big city that asks you to give him $100 and your phone number, promising he'll organise a fair lottery from his basement, using all the $100 bills he received that day, promising he'll personally call the winner afterwards.
Don't worry, after you gave him your $100, he'll video call you when he organises the draw in his basement, of course he can use a flawed drawing method... Or he might just run away and never call...
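One way a draw based on a future block hash can be made checkable by every participant, as an added example that is not part of the original post. The ticket list, block height and the stand-in block hash are constructed; the commitment format and function names are assumptions made for this illustration.

```python
import hashlib
import json


def commit_tickets(tickets, target_height):
    """Hash the organiser publishes BEFORE the target block exists.
    It fixes the ticket order and the block height, so neither can change later."""
    payload = json.dumps({"height": target_height, "tickets": tickets},
                         sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


def winning_index(block_hash_hex, n_tickets):
    """Map the block hash to an index in [0, n_tickets) without modulo bias."""
    if n_tickets < 1:
        raise ValueError("need at least one ticket")
    seed = bytes.fromhex(block_hash_hex)
    limit = (2**256 // n_tickets) * n_tickets  # reject values past the last full cycle
    counter = 0
    while True:
        digest = hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        value = int.from_bytes(digest, "big")
        if value < limit:
            return value % n_tickets
        counter += 1


def verify_draw(commitment, tickets, target_height, block_hash_hex, claimed_winner):
    """What any participant can run: same inputs must give the same winner."""
    if commit_tickets(tickets, target_height) != commitment:
        return False  # ticket list or height differs from what was committed
    return tickets[winning_index(block_hash_hex, len(tickets))] == claimed_winner


# Constructed sample data.
TICKETS = ["alice", "bob", "carol", "dave", "erin"]
TARGET_HEIGHT = 700000  # a height chosen to lie in the future when committing
SAMPLE_BLOCK_HASH = hashlib.sha256(b"constructed stand-in for the block hash").hexdigest()


def demo():
    commitment = commit_tickets(TICKETS, TARGET_HEIGHT)
    winner = TICKETS[winning_index(SAMPLE_BLOCK_HASH, len(TICKETS))]
    return commitment, winner


if __name__ == "__main__":
    commitment, winner = demo()
    print("published commitment:", commitment)
    print("winner:", winner)
```

The draw only removes the organiser's control over the result; custody of the pot still needs the escrow the post asks for.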
1486  Economy / Games and rounds / Re: BTC Lotto on: May 13, 2020, 08:43:41 AM
Hey guys

Thanks for getting in touch!

Well one thing that regulators look for is "Confidence in the market". I am passionate about all of the good that BTC can and is doing in the world. I have run successful lotteries in the past, and funded some amazing projects as a result. The last thing I would look to achieve is any sort of detriment to BTC in the eye of any regulators in the future.

Further, the winners of the lotto can post here and further demonstrate that this worked for them, and can work for you too.

It's a great opportunity to take a chance and receive quite a large sum. It's also a great opportunity to help good causes. I'll do my best to get them to post on here too, so that we can all see the benefits to them.

Thanks

T



Where's the proof? You say you've run lotteries in the past, so maybe you can actually prove this?

As for running a lottery on bitcointalk: find a trusted escrow, let him handle all the funds, focus on promoting your project instead... As a newbie, there's a ~0% chance anybody would send you the equivalent of $90 without anything holding you back to just run away as soon as you've collected our funds.
You have a total investment in your bitcointalk account of 5? minutes, definitely not enough to earn my trust.
1487  Economy / Service Discussion / Re: Mixers using cloudflare's SSL certificates on: May 12, 2020, 11:43:38 AM
This says everything. This is stealing IMHO. I always hated cloudflare and services like this. I also do not like theymos to use cloudflare for the forum but that's a different story.

For a mixer site, I do not see they really need to worry about DDOS attack much. The sites do not need to handle much traffic as busy sites like this forum or some blogs or e-commerce sites but still I have no idea why a mixer site needs cloudflare's SSL? If privacy is the one and only goal then adding this layer is killing everything.

You deserve a big shot for this topic I mean a lot of merit. Even 50 merit is not enough but I ran out of my sMerits and it's a shame that I had to give you only one because that is what I had left.

Now, my question is - how do I find whether a site is using cloudflare's SSL and Google Analytics?

Cheers,

Thanks :)

Don't worry about the merit, i mainly wrote this post because i was getting sick and tired of the discussion with mixer operators. I wanted to write a big, complete writeup, so i could refer them to this post the next time i got into a discussion with one of them.

As for the cloudflare ssl, it's pretty easy:






Google analytics is a little bit harder:
open the developer tools of your browser, go to source (layout and wording might differ between several browsers)

I realise this picture shows my own site, and i'm far from perfect... I also use google analytics on mocacinno.com, because it's basically a site hosting some free tools and a blog... I don't handle anything "sensitive", so i decided to take the "easy" road.

The main reason people use cloudflare and google analytics is convenience... Cloudflare gives you easy tools for managing your dns records, it helps you set up your nameservers with your registrar, it holds your hand while setting up SSL (if you use the flexible option, they even hide the fact that in reality you're a non-https site, and make it look like you're an ssl site), it gives you all these plug and play tools, its cache saves you bandwidth, to a certain degree they offer some DDos protection,...

Google analytics on the other hand, is one of those cloudflare plugins... Just enter your id in cloudflare, and GA will be enabled on each and every page... You get insight in your data in just a couple of clicks, you don't even need "real" analytic knowledge, everything is spoonfed to you.


On the other hand, if you want to do things "right", you'll have to use letsencrypt to get an X3 certificate, you have to set up cronjobs, you have to make sure your setup is done properly (or the letsencrypt bot won't work). You'll have to set up matomo (previously piwik), you have to enable privacy plugins, you have to clean up your database, you have to truncate logs, you have to find your own way in DNS zone management, you have to purchase DDos mitigation (if needed). It's hard work, it's definitely more expensive than the one-click-solution cloudflare offers, but if you run a privacy-centered service, i don't think you should trade in your user's privacy for your own convenience... As a matter of fact: the mixing fee you charge is the payment you get for NOT making a tradeoff.
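The two checks discussed in the post above (is the site served through Cloudflare, and which outside hosts does a page load resources from), as an added example that is not part of the original post. The host `mixer.example`, the headers, the issuer string and the HTML are constructed; the issuer test mirrors the certificate inspection the post refers to, and the response headers are checked as well because a Cloudflare-fronted site can present a certificate from another CA.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

CF_HEADERS = ("cf-ray", "cf-cache-status")            # headers added by Cloudflare's proxy
ANALYTICS_HOSTS = ("google-analytics.com", "googletagmanager.com")


class ResourceCollector(HTMLParser):
    """Collect the host of every script, iframe, image and stylesheet a page loads."""
    URL_ATTRS = {"script": "src", "iframe": "src", "img": "src", "link": "href"}

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        wanted = self.URL_ATTRS.get(tag)
        for name, value in attrs:
            if name == wanted and value:
                # urljoin resolves relative and protocol-relative (//host/...) URLs
                host = urlparse(urljoin(self.base_url, value)).hostname
                if host:
                    self.hosts.add(host.lower())


def third_party_hosts(html, site_host):
    """Hosts other than the site (and its subdomains) that the browser will contact."""
    collector = ResourceCollector(f"https://{site_host}/")
    collector.feed(html)
    site = site_host.lower()
    return sorted(h for h in collector.hosts if h != site and not h.endswith("." + site))


def cloudflare_indicators(headers, cert_issuer_org=""):
    """Reasons to believe the response came through Cloudflare's proxy."""
    lowered = {k.lower(): v for k, v in headers.items()}
    found = []
    if lowered.get("server", "").lower() == "cloudflare":
        found.append("Server: cloudflare")
    found += [f"{h} header present" for h in CF_HEADERS if h in lowered]
    if "cloudflare" in cert_issuer_org.lower():
        found.append(f"certificate issued by {cert_issuer_org}")
    return found


def audit(html, headers, site_host, cert_issuer_org=""):
    hosts = third_party_hosts(html, site_host)
    return {
        "cloudflare_indicators": cloudflare_indicators(headers, cert_issuer_org),
        "third_party_hosts": hosts,
        "analytics_hosts": [h for h in hosts if h.endswith(ANALYTICS_HOSTS)],
    }


def live_inputs(host):
    """Fetch body, headers and issuer organisation from a live site (needs network)."""
    import http.client
    conn = http.client.HTTPSConnection(host, timeout=10)
    conn.connect()
    issuer = dict(pair[0] for pair in conn.sock.getpeercert()["issuer"])
    conn.request("GET", "/")
    resp = conn.getresponse()
    body = resp.read().decode("utf-8", "replace")
    return body, dict(resp.getheaders()), issuer.get("organizationName", "")


# Constructed sample inputs, so the audit runs offline.
SAMPLE_HEADERS = {"Server": "cloudflare", "CF-RAY": "0000000000000000-XXX",
                  "Content-Type": "text/html"}
SAMPLE_ISSUER = "Cloudflare, Inc."
SAMPLE_HTML = """
<html><head>
<script src="/js/app.js"></script>
<script src="//ajax.googleapis.com/ajax/libs/jquery/3.5.1/jquery.min.js"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=UA-XXXXXXX-1"></script>
</head><body><form action="/mix" method="post"></form></body></html>
"""

if __name__ == "__main__":
    for key, value in audit(SAMPLE_HTML, SAMPLE_HEADERS, "mixer.example", SAMPLE_ISSUER).items():
        print(f"{key}: {value}")
```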
1488  Economy / Service Discussion / Re: Mixers using cloudflare's SSL certificates on: May 12, 2020, 09:21:25 AM
Part 4: A fictional example of somebody in a country where crypto is banned, using a cloudflare-ssl-using mixer with google analytics included, and some general conclusions

Meet Bob, Bob is an IT expert that lives in Algeria. Bitcoin is illegal in his country, but it seems Algeria has strong relations with the US.
Source: https://www.state.gov/u-s-relations-with-algeria/
Quote
Algeria severed relations with the United States in 1967 in the wake of the Arab-Israeli War, but reestablished relations in 1974. Algeria is a strategically located and capable partner with which the United States has strong diplomatic, law enforcement, economic, and security cooperation.

Bob's family is poor, he has no money to buy food or medicine. One day, Bob has the opportunity to do some legal work online, but the only requirement is that the job will be paid in bitcoin.
Reluctantly, Bob creates address 1BobDirtyXXX offline and receives enough bitcoin to buy half a year of food (let's say 0.5 BTC). However, he's paranoid cause bitcoin is illegal in his country and he's afraid of ending up in jail. Of course he doesn't want to throw away such a huge amount of money, maybe one day the rulers of his country will revisit their laws and change bitcoin's status in his country, and on that day he has enough money to buy food for his family.

Bob decides to mix his coins for safekeeping, and creates address 1TotallyAnonymousxxx to hold his mixed funds. Nobody should be able to tie this address to him, if his government finds out he's in big trouble. He goes to bitcointalk and finds mixer i-am-a-mixer-that-uses-cloudflare-ssl.com (perfect tld isn't it). The mixer has moving images, bright flashy colours, an affiliate program, ajax, jquery, using the laravel framework, has naked pictures of his favorite celebrity,... you know, the works.

Bob opens i-am-a-mixer-that-uses-cloudflare-ssl.com in his browser. In the background, a handshake between him and cloudflare is initiated, a symmetric key is generated and everything looks perfect to him (mind you, he's an IT expert, not a security expert). The index page is served to him from cloudflare's very own cache. Speedy as a bullet and supposedly DDos protected (although cloudflare doesn't offer guaranteed DDos protection to their free tier). Luckily the owner of i-am-a-mixer-that-uses-cloudflare-ssl.com was smart enough to include google analytics (how can you live without those stats) and a remotely hosted jquery as well... Maybe he threw in some other remotely hosted scripts, who will tell?

Bob gets a rendered version of the data he received from cloudflare, sees the form to start a mixing session, and enters address 1TotallyAnonymousxxx as an address where he wants to receive his mixed coins, and posts this data back (to the mixer's server, at least that's what he believes... In reality, the data is sent to cloudflare).

The package including address 1TotallyAnonymousxxx is encrypted with the key shared between his browser and cloudflare. Cloudflare decrypts the package and stores it in its cache (hooray). Cloudflare then contacts the server that's actually hosting the mixer and creates a new symmetric key with him, the package containing 1TotallyAnonymousxxx is re-encrypted with this second key and sent to the mixer.
The mixer replies with data containing address 1DepositYourDirtyFundsHereXXX. This package is encrypted with the symmetric key shared between the mixer's server and cloudflare. Cloudflare decrypts the package, stores its content in its cache (in case they need the data), re-encrypts the package with the key shared between cloudflare and Bob and sends the re-encrypted data to Bob's browser.
Bob funds address 1DepositYourDirtyFundsHereXXX with the unspent output funding 1BobDirtyXXX. After an hour he receives 0.49 BTC (mixers are not free ;) ) on 1TotallyAnonymousxxx.
Of course, the pages opening in his browser also request content from google analytics' server and the servers hosting jquery. So google now has his ip, timestamp, the pages that are illegal in his country that he visited, his browser's fingerprint, the site he visited before visiting i-am-a-mixer-that-uses-cloudflare-ssl.com, the site he visited afterwards,... You know, everything.

One day, Algeria's secret police decide they don't like Bob. An IT expert is not good for national security, maybe they can find something they can use to arrest and torture him and his family? They turn to uncle Trump and ask him if he has some juicy inside info on Bob. They have already demanded Bob's ISP to turn over at which timestamps which ip leases were given to Bob's modem, and they pass this ip info over to an unnamed US 3 letter agency.
This 3 letter agency asks google and cloudflare if they can do some digging in their caches. Since it's a 3 letter agency, both companies answer within the hour..
Cloudflare is able to tell the 3 letter agency that Bob's ip was used to create a session on i-am-a-mixer-that-uses-cloudflare-ssl.com. In their cache they find that i-am-a-mixer-that-uses-cloudflare-ssl.com created deposit address 1DepositYourDirtyFundsHereXXX and that the mixed coins should go to 1TotallyAnonymousxxx. On blockchair they find that 1DepositYourDirtyFundsHereXXX was funded with an unspent output funding 1BobDirtyXXX.
Google is able to tell them exactly which timestamp, which browser, which pages, some clicktracking, which pages he visited before visiting i-am-a-mixer-that-uses-cloudflare-ssl.com and which ones afterwards,...
The 3 letter agency gives this data to Algeria's secret police, they torture and kill Bob's complete family... Ooops.

Conclusion: i-am-a-mixer-that-uses-cloudflare-ssl.com has royally screwed Bob. They thought that because everybody was making the mistake of implementing a MITM and including outside scripts, they could make the same mistake, but by doing so they actually, literally killed their client. As a matter of fact, the client would have been much safer if he didn't mix his hard-earned coins.
Ethically, Bob did nothing wrong... He didn't use his due diligence and figure out a MITM is a bad idea, he followed advice he found on bitcointalk and the naked pictures of his favorite celeb.

Mixers: use a free x3 certificate, and locally host matomo WITH privacy plugin and regular truncates for your tracking needs... Buy DDos mitigation hardware if you can't live without this, but don't kill your customers by exchanging the convenience of a one-click-solution for the privacy of your customers.
1489  Economy / Service Discussion / Re: Mixers using cloudflare's SSL certificates on: May 12, 2020, 09:21:06 AM
Part 3: A https site behind cloudflare (where security goes wrong)
1) you contact your DNS and resolve mixer.tld. Instead of getting the ip of the mixer's server, you get the ip of cloudflare... Tricky isn't it?
2) you send unencrypted data to the CLOUDFLARE server, this data includes some random data, some (more or less) boilerplate stuff and a list of ciphers your browser supports

3) the CLOUDFLARE server sends unencrypted data back, this data includes some random data, some (more or less) boilerplate stuff and his public key

3.a) you can verify if this CLOUDFLARE key was issued by a CA you trust, and the browser can show a warning message (which you can disregard) if this isn't the case
4) a symmetric key is generated between you and cloudflare
5) if you actually request a page, or post data, it is encrypted with the key from step 4. CLOUDFLARE decrypts your data and looks if he can reply with content from its cache (yup, cache). If not, cloudflare acts as a client and requests data from the mixer's server. Semi-ideally, they run in full or strict mode and they repeat step 2-4 to generate a new, symmetric encryption key between their server and the mixer's server. In flexible mode, they even request data over non-https!!!
So, semi-ideally, it would look more or less like this:


You see what's wrong with this picture? Even in the best-case scenario (cloudflare-wise), cloudflare decrypts EVERY package that's meant for the mixer's server, it caches everything and it re-encrypts the request if it cannot reply with data from its cache. Even though the node operators cannot decrypt your packages, cloudflare has a big datacenter filled with UNENCRYPTED data that can link "dirty" and "clean" wallet together. This data was meant to be seen only by you and the mixer, but because the mixer chose convenience over security, your most intimate and private financial data is now stored somewhere in the datacenter of a big, us-based company.
Even worse, even though the network node operators cannot decrypt your packages, they can still capture them. Cloudflare has the symmetric keys, so if they get their hands on those keys (due to law enforcement getting involved, hacking, social engineering,...) they can still decrypt any historical packages they captured.

Cloudflare is a US based company, the US is known to be very lenient in privacy-matters when 3 letter agencies get involved. Cloudflare is also a big company, with many employees and many attack vectors... Social hacking, stealing employees, security flaws,...?
1490  Economy / Service Discussion / Re: Mixers using cloudflare's SSL certificates on: May 12, 2020, 09:20:35 AM
Part 2: A https site using its own certificate (aka, best case scenario)
1) you contact your DNS and resolve mixer.tld
2) you send unencrypted data to the server, this data includes some random data, some (more or less) boilerplate stuff and a list of ciphers your browser supports

3) the server sends unencrypted data back, this data includes some random data, some (more or less) boilerplate stuff and his public key

3.a) you can verify if this key was issued by a CA you trust, and the browser can show a warning message (which you can disregard) if this isn't the case
4) i'm going to omit some technical data... But the client and server now exchanged random data, the client has the server's public key and the server has his private/public keypair. With this data, a symmetric encryption key is generated, the server's public key is used to encrypt the communication from client to server, so this symmetric key is not sent in cleartext
5) from now on, every package sent between the client and the server is encrypted with the key from step 4. Once again, this symmetric key (generated in step 4) was NEVER sent in plaintext. It was encrypted with the server's public key before it was transmitted from the client to the server. If a node operator captured these packages, there was no way for him to extract the symmetric encryption key from the packages he captured. (Once again: grossly oversimplified)

6-x) analogue steps as in part 1 (non-https)... BUT, the big difference between part 1 and this part is that every package that's being routed over all those different nodes is now encrypted, and can only be decrypted by YOU or by the mixer's server. You'll request pages, get pages containing deposit addresses, post your withdrawal address,... But every package going over all those network nodes is encrypted using a symmetric key only known by you and the mixer.

You see why this is better? Even though law enforcement or datacenter operators can still capture the packages containing the deposit or withdrawal addresses, these packages are now encrypted. They cannot read their content. Only you and the mixer know which wallets are linked together. As long as the mixer is honest, you're relatively secure. This does NOT mean your ISP doesn't know you visited a mixer though! They can still track your surfing habits, they just don't know the actual data being exchanged between your computer and the mixer's server. If you want to hide this from your ISP, i'd probably start looking for reliable VPN providers, start to use the tor bundle, or a combination.
1491  Economy / Service Discussion / Re: Mixers using cloudflare's SSL certificates on: May 12, 2020, 09:20:20 AM
Part 1: A non-https site
In the olden days, you'd see a lot of non-https sites... If you visited them, this is what happened on a deeper level (some steps happen in the background, so you don't notice them... Once again: oversimplified).
1) you contact your DNS and resolve mixer.tld
2) You send a request to the mixer, it goes through a lot of network nodes to reach the server hosting the mixer. This request is an unencrypted piece of "text" requesting the index page of the mixer

3) The mixer sends you their index page, as an unencrypted piece of text. This piece of text goes through a lot of network nodes to reach you. The index page contains a form where you can enter your address where you want to receive the mixed coins

4) you fill in your address, and post the result back to the mixer's server. The data you send back to the mixer is packaged in an unencrypted text and it goes through a lot of nodes to reach the mixer

5) The mixer sends a page to you that contains the address where you need to deposit your "dirty" coins for them to mix. The page also contains a link to their letter of guarantee. Once again, the page is basically sent as a long piece of text, completely unencrypted, and it passes through a lot of nodes

6) you request the letter of guarantee. Once again: piece of text, unencrypted, lots of nodes.

7) you receive the letter of guarantee. Once again: piece of text, unencrypted, lots of nodes.


Does anybody see the problem? No?
Well, any network node can capture these packages and can read, in clear text, what you've requested from the mixer, and what the mixer replied. If you'd use a mixer over a non-https connection, everybody between you and the mixer knows that funds deposited to the deposit address will be sent to the withdrawal address and can now link your "dirty" and "clean" wallet together. If you ever spend funds out of your "clean" wallet, and it contains even one input that can be linked to your "dirty" wallet, your privacy is gone... Multiple inputs can be used together, change addresses get generated, and every law enforcement agent, many data center operators and loads of hackers now know your complete wallet's content.

Do you think i'm paranoid? Read this and weep: https://arstechnica.com/tech-policy/2014/05/photos-of-an-nsa-upgrade-factory-show-cisco-router-getting-implant/
1492  Economy / Service Discussion / Mixers using cloudflare's SSL certificates on: May 12, 2020, 09:19:59 AM
This post was written with a couple encounters with new mixer operators in mind... I won't point fingers, since i had several of these encounters over the last couple of years, so names don't really matter. It serves as a reference post i can point new mixers to when they implement a MITM in their workflow and show no interest in fixing this.

In my experience dealing with new mixer operators, a discussion between the mixing operator and myself usually falls in this pattern:

  • Mixing owner: Look what a nice mixer i have, look at the nice pictures, look at all the bells and whistles, look at the fancy colors.... I even have moving images to keep you entertained while using my perfect service that is 100% anonymous in every way imaginable!
  • Me: hey OP, your mixer uses cloudflare's SSL certificates as a MITM and google analytics
  • Mixing owner: everybody is doing it, just have a look at our competitors
  • Me: It's not because everybody else is wrong, you have to be too
  • Mixing owner: some other lame excuse
  • Me: That's a lame excuse (but worded politely)
  • Mixing owner: we have a hidden service on tor
  • Me: most users wouldn't even know you're using cloudflare, so they won't switch to the tor mirror (if they even know how to do this)
  • Mixing owner: I'll put it on my todo list (under the section: "things to do when hell freezes over")

These discussions are definitely not limited to mixers, but should extend to any site that handles information you're not willing to share with law enforcement. It's perfectly fine to use cloudflare on your blog, your forum or on your site selling mouth masks.
It's not fine to use cloudflare on banking apps, ammo stores, mixers,...
I realise the irony that my own site is using cloudflare's ssl, but i don't handle any sensitive materials...

The following posts are grossly simplified. I tried to explain what's happening in terms so simple everybody could follow them. This, of course, means that if a tech-savvy person looks at the following posts, he'll say: "that's not completely correct, hey dude, you missed an important step". This is by design...

In order to show you what a bad idea implementing an MITM is, i'm going to work my way up from:
Part 1: A non-https site
to
Part 2: A https site using its own certificate (aka, best case scenario)
to
Part 3: A https site behind cloudflare (where security goes wrong)

Last but not least
Part 4: A fictional example of somebody in a country where crypto is banned, using a cloudflare-ssl-using mixer with google analytics included, and some general conclusions

You're probably best off if you read the parts in their correct sequence part 1 => part 2 => part 3 => part 4. This is because i sometimes skipped steps i already explained in a previous part.

I'll be splitting this post into 5 different posts, so i have some wiggle room for editing the content later on. If a mod thinks these posts should be joined, he/she is completely free to do so

Disclaimer: don't use mixers for mixing coins you received for providing illegal goods or services. That's not what the crypto ecosphere is all about. As a matter of fact, if you got your coins in an unethical way, i honestly hope you get caught...
1493  Other / Archival / Re: ✅ [ANN] [banned mixer] | Bitcoin Mixer | Bitcoin Tumbler ✴️✴️ on: May 11, 2020, 03:27:04 PM
--snip--
We do not use Cloudflare because of the SSL certificate.
We've checked a few other Bitcoin mixer websites right now, and yes, most of them use Cloudflare, check for yourself Wink

You can use our Tor link if you do not wish to do so.

You mean the Image where you can Download the app? Anyone sees it if they click on it.
It's just a standard picture so people know that it's an Android app.


In my country, we have a relatively popular saying, which roughly translates to:
"if all your friends jump into a well, would you follow them?", it basically means: do you think the fact everybody else is making a mistake is an acceptable excuse to make the mistake yourself?

You are providing a service: you are breaking the link between 2 addresses (and by extension wallets), so nobody can connect funds in one wallet to funds in another wallet. This is handy when you try to have some privacy, to protect you against thieves, against beggars, against your family, against (corrupt) governments. When you use cloudflare, you are giving all cloudflare employees, potential hackers and several 3 letter agencies the "key" to your service. You're allowing them to link your customer's wallets together, and that's not acceptable. Sure, you have a hidden service, but be realistic: how many newbies will actually know the dangers behind cloudflare AND have the technical knowhow to install the tor proxy and use the tor browser?

It doesn't matter if the primary reason for using cloudflare is DDos protection, you're still using cloudflare's SSL certificates... If DDos attacks are problematic for you, there are other solutions (although, they are commercial, so they're not free... Remember: "if something is free, you are the product")

Every time i see a mixer using cloudflare (and you are right, many of them are using cloudflare) i point this out, and 90% of the time i get the exact same answer as you're giving me... Sure, most mixers make the mistake of including a MITM in their workflow, that still doesn't make this right...

Great mixers don't use cloudflare's ssl or include third party scripts. Mixers that do use cloudflare's SSL are good enough to hide how much BTC you own for common thieves, beggars and nosy relatives... But NOT for cybercriminals, cloudflare employees or (corrupt) governments.

I'm going to stop posting here... I've given you enough advice, advice i've given many mixers... It's up to you if you want to say "i use cloudflare, live with it, case closed" or if you want to investigate why using cloudflare and third party scripts is actually a bad thing, and make your mixer safer for your customers.

Good luck with your business!
1494  Other / Archival / Re: ✅ [ANN] [banned mixer] | Bitcoin Mixer | Bitcoin Tumbler ✴️✴️ on: May 11, 2020, 02:13:34 PM
--snip--
There is nothing wrong with using cloudflare.
For non privacy-centric sites, you are correct. However, if you use cloudflare's SSL certificates, cloudflare will be able to decrypt every package sent between your user and your server, since they're a MITM. They decrypt every package, and re-encrypt it with your server's certificate.
Cloudflare is located in the US, a country where any agency can gain access to these logs in a matter of hours.

If you switch to an x3 certificate, your users are immediately safe. letsencrypt is providing these certificates for free...

This also protects our site from DDOS attacks and many other attacks and is used by many websites.
True, but you're trading convenience for privacy...

Google Play Store of course does not accept this kind of app;)
True, but in this case you shouldn't indicate you're sending your visitors to the play store... If the link clearly said you were locally hosting the apk, things would have been ok...

I think most sites on the WWW use third party scripts to analyze traffic or for marketing. You also need some Tools for Index it, e.g. on Google.
Sure, but privacy-centered services like mixers shouldn't... I've used matomo in the past, coupled with anonymised server logs they should do the trick.


Basically, your site sends all information about all visitors to a US based company. If they wanted to track one of your users, they could request all data sent between your user and your server from cloudflare, and all other statistics from google statics. They would end up knowing the funding transactions, the withdrawal transactions, the letter of guarantee, the ip's, the browser fingerprint, where your visitor came from, where your visitor went to
1495  Other / Archival / Re: ✅ [ANN] [banned mixer] | Bitcoin Mixer | Bitcoin Tumbler ✴️✴️ on: May 11, 2020, 01:35:48 PM
I had a quick look, and at first glance I noticed the following issues:
  • Cloudflare's SSL is acting as a MITM
  • The link to the google play store is just linking to an apk outside of the play store. That's very deceptive
  • Missing security headers: Content-Security-Policy, Feature-Policy
  • Loads of third party scripts, including but not limited to google analytics

I know, I'm wearing a competitor's signature... That being said, I do use other services for mixing my coins, but none that are using cloudflare's ssl, are incorrectly labelling links as going to the playstore or mixers that send all my data to google in any way.

Don't get me wrong, I have no idea whether you're a scam or not... But you definitely have a lot of homework to do before you can open your service for business
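
The checks listed in the post above (Cloudflare in front of the site, missing Content-Security-Policy and Feature-Policy headers, third-party scripts, a "Google Play" link that points elsewhere), run over one response as an added example that is not part of the original post. The host `mixer.example`, the sample response and all function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample response for a hypothetical site mixer.example (not from any real service).
SAMPLE_HEADERS = "HTTP/1.1 200 OK\nServer: cloudflare\nCF-RAY: 0000000000000000-AMS\n"
SAMPLE_HTML = """
<script src="/static/app.js"></script>
<script src="https://www.google-analytics.com/analytics.js"></script>
<script src="//cdn.example.net/widget.js"></script>
<a href="/files/app.apk">Get it on Google Play</a>
<a href="https://play.google.com/store/apps/details?id=x">Google Play</a>
"""
WANTED_HEADERS = ("content-security-policy", "feature-policy")

class PageScan(HTMLParser):
    def __init__(self, own_host):
        super().__init__()
        self.own_host, self.script_hosts, self.bad_links = own_host, set(), []
        self._href = None  # href of the <a> element currently open, if any

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script" and attrs.get("src"):
            host = urlparse(attrs["src"]).hostname  # None for same-site relative paths
            if host and host != self.own_host and not host.endswith("." + self.own_host):
                self.script_hosts.add(host)
        elif tag == "a":
            self._href = attrs.get("href", "")

    def handle_data(self, data):
        # Link text promises the Play Store but the target is hosted elsewhere.
        if self._href is not None and "google play" in data.lower():
            if urlparse(self._href).hostname != "play.google.com":
                self.bad_links.append(self._href)

    def handle_endtag(self, tag):
        if tag == "a":
            self._href = None

def audit(raw_headers, html, own_host):
    # Skip the status line, then index header names case-insensitively.
    headers = {k.strip().lower(): v.strip() for k, _, v in
               (l.partition(":") for l in raw_headers.splitlines()[1:] if ":" in l)}
    scan = PageScan(own_host)
    scan.feed(html)
    return {
        "missing_headers": [h for h in WANTED_HEADERS if h not in headers],
        # Cloudflare's proxy adds a CF-RAY header and reports itself in Server.
        "cloudflare_proxy": "cf-ray" in headers or headers.get("server", "").lower() == "cloudflare",
        "third_party_scripts": sorted(scan.script_hosts),
        "mislabelled_store_links": scan.bad_links,
    }
```
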
1496  Other / Serious discussion / Re: Privacy setup on: May 11, 2020, 12:38:49 PM
This one is pretty tricky... Do you want to risk not getting credits because you don't want to give a virtual tour, or because you decide to run inside a sandbox, or use tor?

I realize that, as a human, you have the right to privacy... But I'm not confident a university will give you credits if they have the slightest idea you might have cheated. Even though I graduated ages ago, I still think I'd put my grades before my privacy and "sell out", comply with their demands and just get it over with.

I know in my country, universities are switching to oral exams over the webcam, open book exams, and physical exams with respect to social distancing rules.
1497  Bitcoin / Bitcoin Discussion / Re: Am feeling Regret on: May 11, 2020, 12:28:14 PM

Though this requires a bit of time sending your fund than using an online wallet but this is the most secure way to store your BTC.

But if you want easier setup but still in a secure way. Installing electrum as your desktop wallet and/or mobile wallet is good to go. Just to make sure your device is fully secured at least installed with anti-virus (windows/mac), though electrum binaries flag as a malware of most anti-virus but there's nothing to worry, you just need to verify your downloaded electrum. And one thing, VPN will save you from your ISP trackers/logs.

Too many instructions to follow to secure your funds, right? That's how a responsible person will do with his hard earned money.

I'm a big fan of electrum, but I wouldn't store 44 BTC on a desktop wallet. It's a big step up from a web wallet, but still not good enough to store the fiat equivalent of a house in the city. Those kinds of funds require a hardware wallet, paper wallet or airgapped wallet imho.
1498  Bitcoin / Bitcoin Discussion / Re: Am feeling Regret on: May 11, 2020, 11:49:12 AM
Nothing to regret, just be patient and you can harvest your fruit out of your garden, the price might be below 10k for now but there are a lot of chances that it will sail high.

Just one thing, your wallet isn't secured, storing 44 btc in an online wallet is a no-no. A hardware wallet isn't expensive you know. Ledger nano s worth 59 bucks so it's not expensive from someone holding a 44 btc.
It's not a problem for me to buy the 59 bucks usb.

The problem is bitcoin is banned in our country, so that's why I can't import such things into my country or order them; it's totally banned here.
That's why I'm keeping my funds in an online web wallet.



In this case, I'd probably go for an airgapped setup... You'll need an old laptop or desktop and one or two usb sticks (one to transfer signed/unsigned transactions and potentially one to keep a backup of your wallet... The backup-usb should never touch an online machine though!). I'm pretty sure there are no countries (except north korea) that are suspicious of somebody buying a laptop and a usb stick ;)

If Bitcoin was illegal in my country, I'd be more worried about my isp logging my actions, and I'd worry about cashing out my coins... I'd probably start using a watch-only wallet on tails and use openwrt to configure a vlan that was always routed over a VPN. Then I'd set up my airgapped wallet on a device that'll never touch the internet ever again (which is basically the standard setup for an airgapped wallet).
1499  Economy / Games and rounds / Re: Bet on my weight loss on: May 11, 2020, 10:42:13 AM
Sounds like a plan:
  • Have a weight you're not happy with
  • Bet >$4000 with a stranger
  • Go to the doctor, get your stomach stapled, undergo lipo, hire a personal trainer or get prescribed (good) diet pills => lose the weight you want to lose
  • Let the stranger pay for your treatment, earn a little extra

I do applaud your quest to get healthy, but like it's been said before: it's something personal. The person taking this bet would have no control over your actions, so he'd be at a disadvantage straight from the start.
There are other forms of motivations...

Good luck though!
1500  Other / Beginners & Help / Re: basic questions on: May 11, 2020, 10:33:31 AM
my suggestion is freewallet.
I have been using it for over a year. It's good.
You can download on playstore if you are using android phone.

And as soon as you exchange more than a couple hundred bucks, freewallet will arbitrarily lock your account and make you jump through loads and loads of hoops to unlock the money that was yours in the first place.

They'll ask scans of your id, they'll force you to contact them for a video chat, they'll force you to prove where your funds came from... Freewallet isn't a wallet, it's an exchange disguised as a wallet. I wouldn't touch them with a 10 foot pole.