https://github.com/coinables/Bitcoin-Faucet-Dice-Faucet-Box/issues/1I've sent the white hat a donation to his address, even though he found it necessary to insult me. That aside, this is a perfect example of how open sourced projects improve. Someone finds a flaw and share it openly to the community so it can be improved upon.
"The algorithm claims to be 'provably fair', but I have a feeling that the author didn't fully grok the theory behind it because there's no way to input client-side random into the roll so the server can still manipulate which numbers it picks..."
This is unnecessary. Maybe if it were a real gambling site it would help users feel more comfortable, but not for a simple faucet game. The server displays the hash BEFORE the user sets their target or places their bet. This would imply that the server would have to know what bet the user places ahead of time, which is not possible.
"Yup, the search space contains about 22 billion entries with a known starting seed, at 250 chrono-ticks per second (equivalent to 2.5m SHA-1 digests) it can take several hours to brute force the hash with a single thread, which is a lot of spare time to be looking at the computer doing nothing, so during that time I wrote a work distributor that allowed me to spread the load across an arbitrary number of servers over SSH in addition to my local machine.
Now with a few more servers I can reduce the brute force time from 3 hours to 30 minutes, and with a few more it can be done in a handful of minutes. However, given the miniscule amount you can win from these sites by guessing the right number, the CPU power required to get anywhere quickly is cost-prohibitive."
A simple fix to the salt brute-forcing would just be widening the space from where the salt is generated, as it already takes dozens of machines to brute-force my existing simple algorithm. I will be updating the github repo with the new algorithm shortly.