Greetings.
So you want to make some money?
Well— people on IRC have been circulating links to
https://ragecoin.appspot.com/ (there is also a thread here about it:
https://bitcointalk.org/index.php?topic=63081.0 )
The site has two substantial security vulnerabilities. One potentially in the site's favor, one in the user's favor.
The site is totally anonymously run, so I can't report the vulnerabilities to the site: Their loss, your gain. My IRC logs strongly indicate that the site is run by "Joric" but he outright denies this. I also reported the vulnerabilities to him but he's clueless and just argued with me. Then again, he also denies running another site which I think mostly exists to part fools and their money (brainwallet) and which I have pretty much conclusive proof that he runs. Danger, Will Robinson, danger.
In any case here we go:
The site sends you a cryptographic commitment to the next spin... E.g. it tells you "57b12eb121a742b1cd0454408d1b38ec" then you deposit funds and spin .... then it tells you MD5("0,1,0:W6Wv4t3x") with the 0,1,0 being the slot positions you just got, and you can then see that this matches the commitment so that the site didn't change what it was going to spin for you based on your deposits.
There are two problems with this, first the one potentially against your favor: The site is doing nothing to prove that its RNG used to come up with the spins is fair. E.g. it may be the case that it will _never_ produce results with big winnings, thus giving lower payout than advertised and screwing over the player. This could trivially be avoided using the pick-and-split cryptography I came up with for bitjack21: The server commits to a random value, the user provides a random value (by default based on JS RNG, but modifiable)— the draw is based on the hash of the committed random (not the commitment itself) and the user random. Thus proving that the site's RNG is unbiased.
The next one is in your favor, or at least in the favor of hackers with GPU farms: The secret salt values, the part after the : in the value it's committing to, only have log2(62^8) = 47 bits of entropy. You could construct a rainbow table of all values that start with 0,0,0:. Then you keep spinning until it gives you a "next hash" which is in your table. You know that hand will give you a 256x winning. Bet like hell on that one. If you want you can build a larger table that has additional winning combinations in it so you don't have to respin as much. Alternatively, you don't even have to cover all the 0,0,0 values... even a 'small' table will let you win if you don't mind spinning a whole bunch of times.
Building a table for all values for a single spin result is the same computational complexity as building an MD5 rainbow table for 8-character passwords from the A-Za-z0-9 set, and many such tables (and larger) already exist... so the computational work is high, but totally doable. If anyone does this… I want a cut of your winnings.
(PM for deposit address, thanks!)
(Also, since you don't need to know the full preimage of the hash you could save a ton of space with some small chance of incorrect results by simply using a very large bloom filter: Figuring out the size needed in order to maximize profitability is an exercise left for the reader)
Keep in mind that this is a glaringly obvious vulnerability. The operator of the site may have expected someone to figure this out, build the table, then drop 1000 BTC on a 0,0,0 win, and if you do that they may just vanish with the funds. A lot of scams are powered by making you think you're the one scamming them.
In any case, enjoy and keep safe!
Edit: I dropped this in the speculation subforum because while gambling may be gambling, compromising a gambling site is a lot more like speculation than a lot of things people here consider speculation, plus the site I'm talking about was previously discussed in this forum. Another cute thing: my vanity address probably took more computation than a rainbow table for a single slot value would take.
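The fix the post describes (server commits to a random value, the player supplies a random value, the draw is derived from both) can be sketched as follows. This is an added example, not code from the post, the site or bitjack21. SHA-256, HMAC, the 256-bit server secret (which also removes the 47-bit salt weakness), the function names and the 8 symbols per reel are assumptions.

```python
import hashlib
import hmac
import math
import secrets

REELS = 3    # three reels, matching the "0,1,0" result format in the post
SYMBOLS = 8  # assumption: symbols per reel (the post does not state this)

def commit(server_secret: bytes) -> str:
    """Commitment published before the bet: hash of the secret, not of the outcome."""
    return hashlib.sha256(server_secret).hexdigest()

def draw(server_secret: bytes, client_seed: bytes) -> tuple:
    """Derive reel positions from the committed secret and the player's seed."""
    limit = 256 - (256 % SYMBOLS)  # rejection bound so b % SYMBOLS is unbiased
    positions, counter = [], 0
    while len(positions) < REELS:
        msg = client_seed + counter.to_bytes(4, "big")
        for b in hmac.new(server_secret, msg, hashlib.sha256).digest():
            if b < limit and len(positions) < REELS:
                positions.append(b % SYMBOLS)
        counter += 1
    return tuple(positions)

def verify(commitment: str, revealed_secret: bytes,
           client_seed: bytes, claimed: tuple) -> bool:
    """Player-side check after the reveal: commitment matches and the draw recomputes."""
    ok = hmac.compare_digest(commit(revealed_secret), commitment)
    return ok and draw(revealed_secret, client_seed) == tuple(claimed)

def salt_entropy_bits(alphabet: int, length: int) -> float:
    """Entropy of a uniformly random salt, e.g. 8 chars from A-Za-z0-9."""
    return length * math.log2(alphabet)

if __name__ == "__main__":
    secret = secrets.token_bytes(32)   # server side, kept private until reveal
    commitment = commit(secret)        # sent to the player before the bet
    seed = secrets.token_bytes(16)     # chosen by the player after seeing it
    result = draw(secret, seed)
    print(commitment, result, verify(commitment, secret, seed, result))
    print(f"site salt: {salt_entropy_bits(62, 8):.1f} bits; secret here: 256 bits")
```

Because the outcome depends on a seed the player picks after the commitment is fixed, neither side can choose the result alone, and the commitment no longer maps to an outcome.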