Bitcoin Forum
October 26, 2021, 08:03:01 AM *
Topic: Monero dice seed hacked? (Read 3994 times) | page 1 of 4
#1 | BillyBurns (Sr. Member) | October 18, 2016, 07:19:27 AM (last edit: 07:35:05 AM by BillyBurns)
Player is up 66k XMR in 2 days; these are the rolls that just happened. I didn't see the others, but this just doesn't seem right to me.

Bet ID    Stake (XMR)          Profit (XMR)         Target   Roll    Time    Player
7908821   3000.000000000000   +3000.000000000000   <49.50   46.38   07:23   PolakPotrafi
7908820   3000.000000000000   +3000.000000000000   >50.50   57.52   07:22   PolakPotrafi
7908819   1400.000000000000   +5600.000000000000   >80.20   81.28   07:22   PolakPotrafi
7908818   789.600000000000   +7106.400000000000   <9.90   2.06   07:21   PolakPotrafi
7908817   1535.200000000000   +6140.800000000000   <19.80   13.15   07:21   PolakPotrafi
7908816   935.200000000000   +8416.800000000000   >90.10   94.58   07:20   PolakPotrafi
7908815   1.000000000000   -1.000000000000   >80.20   45.19   07:20   PolakPotrafi
7908814   1.000000000000   -1.000000000000   >80.20   51.31   07:20   PolakPotrafi
7908813   1.000000000000   -1.000000000000   >80.20   24.50   07:19   PolakPotrafi
7908812   1.000000000000   -1.000000000000   >80.20   42.30   07:19   PolakPotrafi
7908811   1.000000000000   -1.000000000000   >80.20   60.60   07:19   PolakPotrafi
7908810   1.000000000000   +4.000000000000   >80.20   84.71   07:19   PolakPotrafi
7908809   1.000000000000   +4.000000000000   >80.20   87.64   07:19   PolakPotrafi
7908808   1.000000000000   -1.000000000000   >80.20   28.28   07:19   PolakPotrafi
7908807   1.000000000000   -1.000000000000   >80.20   32.78   07:19   PolakPotrafi
7908806   1.000000000000   +4.000000000000   >80.20   87.45   07:19   PolakPotrafi
7908805   100.000000000000   +400.000000000000   <19.80   17.08   07:19   PolakPotrafi
7908804   100.000000000000   +200.000000000000   <33.00   28.76   07:19   PolakPotrafi
7908803   100.000000000000   +100.000000000000   <49.50   44.78   07:18   PolakPotrafi
7908802   100.000000000000   +100.000000000000   >50.50   51.85   07:18   PolakPotrafi
7908801   100.000000000000   +100.000000000000   <49.50   18.59   07:18   PolakPotrafi
7908800   100.000000000000   +100.000000000000   <49.50   37.56   07:18   PolakPotrafi
7908799   100.000000000000   +100.000000000000   >50.50   72.20   07:18   PolakPotrafi
7908798   100.000000000000   +100.000000000000   >50.50   57.99   07:18   PolakPotrafi
7908797   100.000000000000   +100.000000000000   >50.50   62.63   07:18   PolakPotrafi
7908796   938.800000000000   -938.800000000000   <9.90   90.87   07:17   PolakPotrafi
7908795   1.000000000000   +1.000000000000   >50.50   88.01   07:15   PolakPotrafi
7908794   1.000000000000   +1.000000000000   >50.50   99.63   07:13   PolakPotrafi

#2 | oxygen88 (Sr. Member) | October 18, 2016, 08:08:52 AM

Which dice site are these bets from? That is a ton of crazy wins; the guy is rich now :D
#3 | BillyBurns (Sr. Member) | October 18, 2016, 08:12:46 AM

Quote from: oxygen88 on October 18, 2016, 08:08:52 AM
Which dice site are these bets from? That is a ton of crazy wins; the guy is rich now :D

MoneroDice. According to Fluffy they manually do cashouts, but what I want to know is how they can prevent this from happening to someone who does it at a level that is much less noticeable.
#4 | Jungian (Legendary) | October 18, 2016, 08:29:14 AM
They do look unusual. Like he knew exactly what percentage to change to in order to win.

Edit: Looks like he did and FluffyPony is on to it (according to the monerodice chat)

Maybe the seed has been compromised for a long time. The site has not been running at EV (although there is nothing particularly strange about that).

#5 | oxygen88 (Sr. Member) | October 18, 2016, 08:35:00 AM

Yes, especially these few big bets:

7908821   3000.000000000000   +3000.000000000000   <49.50   46.38   07:23   PolakPotrafi
7908820   3000.000000000000   +3000.000000000000   >50.50   57.52   07:22   PolakPotrafi
7908819   1400.000000000000   +5600.000000000000   >80.20   81.28   07:22   PolakPotrafi
7908818   789.600000000000   +7106.400000000000   <9.90   2.06   07:21   PolakPotrafi - looks most unusual
7908817   1535.200000000000   +6140.800000000000   <19.80   13.15   07:21   PolakPotrafi - looks most unusual
7908816   935.200000000000   +8416.800000000000   >90.10   94.58   07:20   PolakPotrafi - looks most unusual

As if he already knew the result, and he makes big bets; look at bet IDs 8816, 8817, 8818.

This shows he knew the result beforehand: 3 continuous rolls with that percentage to win. The chance is 0.000000001% in real life to hit all 3 wins.
#6 | fluffypony (Donator, Legendary) | October 18, 2016, 09:11:47 AM

Looks like they managed to grab the server seed through a leak in the API. We're busy patching it, and will roll back the naughty bets. Thankfully we process every single withdrawal manually, and most of the funds are locked up in a cold wallet, so no money was lost. It's precisely because of the very high risk of an exploit that we don't let withdrawals process automatically!
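
An added example (not MoneroDice's code; the thread does not say how its rolls are derived) of the usual provably-fair dice construction that a server-seed leak like the one fluffypony describes defeats. It assumes HMAC-SHA512 over "client_seed:nonce" keyed with the server seed, and the 1% house edge implied by the payouts in post #1 (<49.50 returns +1x, >80.20 returns +4x, <9.90 returns +9x). roll_for() is what the site computes; commitment() and verify_roll() are the hash-commit step that keeps the game checkable without exposing the live seed; cheat_bet() and simulate() are what an attacker holding the seed does: read the next roll and bet only when it already lands inside a narrow window. The throwaway-bet behaviour in simulate() is an assumption about how nonces are consumed.

```python
import hashlib
import hmac
import secrets

# Added example, not MoneroDice's code.  Assumed scheme: the common
# "provably fair" dice construction, roll = HMAC-SHA512(server_seed,
# "<client_seed>:<nonce>") reduced to a number in [0.00, 99.99].
HOUSE_EDGE = 0.01   # assumed; implied by the payouts quoted in post #1


def roll_for(server_seed: str, client_seed: str, nonce: int) -> float:
    """Deterministic roll for one bet.  Whoever holds server_seed can
    compute every future roll for every client_seed and nonce in advance."""
    digest = hmac.new(server_seed.encode(), f"{client_seed}:{nonce}".encode(),
                      hashlib.sha512).hexdigest()
    # First 5-hex-digit chunk below 10^6 avoids modulo bias (16^5 > 10^6).
    for i in range(0, len(digest) - 4, 5):
        chunk = int(digest[i:i + 5], 16)
        if chunk < 1_000_000:
            return (chunk % 10_000) / 100.0
    return 99.99   # 25 chunks, each rejected w.p. ~4.7%: practically unreachable


def commitment(server_seed: str) -> str:
    """All the API should expose while a seed is live: a hash of it.  The seed
    itself is revealed only after rotation, so past rolls can be re-checked."""
    return hashlib.sha256(server_seed.encode()).hexdigest()


def verify_roll(commit: str, server_seed: str, client_seed: str,
                nonce: int, claimed_roll: float) -> bool:
    """Player-side check once the seed is revealed."""
    return (commitment(server_seed) == commit
            and roll_for(server_seed, client_seed, nonce) == claimed_roll)


def profit_multiplier(chance: float) -> float:
    """Profit per unit staked for a bet with `chance` percent to win.
    Reproduces the rows in post #1: <49.50 -> +1x, >80.20 -> +4x, <9.90 -> +9x."""
    return 100.0 * (1.0 - HOUSE_EDGE) / chance - 1.0


def cheat_bet(server_seed: str, client_seed: str, nonce: int, chance: float = 9.9):
    """Attacker holding the leaked seed: peek at the next roll and bet only
    when it already sits inside a `chance`-percent window.  Returns
    (condition, target, roll), or None when the roll is not worth betting on."""
    r = roll_for(server_seed, client_seed, nonce)
    if r < chance:
        return ("<", chance, r)
    if r > 100.0 - chance:
        return (">", round(100.0 - chance, 2), r)
    return None


def simulate(server_seed: str, client_seed: str, rounds: int, stake: float,
             chance: float = 9.9) -> dict:
    """Play `rounds` nonces with the seed in hand.  Assumption: a nonce is
    only consumed by a bet, so unfavourable rolls are burned with a 1-unit
    bet on a target the known roll misses; favourable rolls get the full
    stake and cannot lose."""
    profit, placed = 0.0, 0
    for nonce in range(rounds):
        if cheat_bet(server_seed, client_seed, nonce, chance) is None:
            profit -= 1.0                       # throwaway bet, guaranteed loss
            continue
        placed += 1
        profit += stake * profit_multiplier(chance)
    return {"placed": placed, "won": placed, "profit": round(profit, 2)}


if __name__ == "__main__":
    seed = secrets.token_hex(32)                # what the API must never return
    print("publish only this:", commitment(seed))
    print(simulate(seed, "PolakPotrafi", rounds=200, stake=1000))
```

The run of 1 XMR losing bets at >80.20 in post #1 is consistent with this pattern (burning nonces while waiting for a favourable roll), although the thread does not confirm that reading. The hardening is in commitment(): the live seed never leaves the server, only its hash does, and verify_roll() shows the player loses nothing by that once the seed is rotated and published.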

#7 | itod (Legendary) | October 18, 2016, 09:19:18 AM
Quote
5 biggest win in the last 24h
22000.000000000000   PolakPotrafi
12000.000000000000   PolakPotrafi
10000.000000000000   PolakPotrafi
9352.000000000000   PolakPotrafi
8000.000000000000   PolakPotrafi
and:
Quote
5 biggest win alltime
22000.000000000000   PolakPotrafi
12000.000000000000   PolakPotrafi
10000.000000000000   PolakPotrafi
10000.000000000000   othe
10000.000000000000   othe

If only he had been less greedy he could have done much bigger damage. Luckily his betting strategy was idiotic in being so painfully obvious.
#8 | NeuroticFish (Legendary) | October 18, 2016, 09:23:41 AM

Quote from: fluffypony on October 18, 2016, 09:11:47 AM
Looks like they managed to grab the server seed through a leak in the API. We're busy patching it, and will roll back the naughty bets. [...]

It would be interesting to know whether this was a custom API or a public one, meaning that maybe other sites are affected and their owners could use this news to protect their sites too.
Of course, patching your own is the top priority.

#9 | smoothie (Legendary) | October 18, 2016, 09:24:25 AM

#HackThatGotTrumpedByAPony :D
#10 | fluffypony (Donator, Legendary) | October 18, 2016, 09:33:22 AM

Quote from: NeuroticFish on October 18, 2016, 09:23:41 AM
It would be interesting to know whether this was a custom API or a public one, meaning that maybe other sites are affected and their owners could use this news to protect their sites too.
Of course, patching your own is the top priority.


Custom API, so I don't think this affects anyone else. We've disabled betting in the meantime whilst we sort this out, but I really think the lesson to other operators is not to be overconfident in your code or in your setup. Everything can and will be compromised, so assume it's going to happen and put safeguards in place to handle that eventual scenario.

#11 | Jungian (Legendary) | October 18, 2016, 09:42:57 AM

Quote from: fluffypony on October 18, 2016, 09:33:22 AM
Custom API, so I don't think this affects anyone else. We've disabled betting in the meantime whilst we sort this out, but I really think the lesson to other operators is not to be overconfident in your code or in your setup. Everything can and will be compromised, so assume it's going to happen and put safeguards in place to handle that eventual scenario.

Do you think it could have been compromised a long time ago? Maybe the hacker got tired of milking it and just went for a big score.

#12 | fluffypony (Donator, Legendary) | October 18, 2016, 09:49:09 AM

Quote from: Jungian on October 18, 2016, 09:42:57 AM
Do you think it could have been compromised a long time ago? Maybe the hacker got tired of milking it and just went for a big score.

It's entirely possible, but one of the Monero Research Lab members wrote a paper (for fun) a year ago establishing a way to analyse whether someone is cheating by determining whether they are massively changing the deviation of the site.

We run this analysis in the background all the time, so if someone was consistently cheating, even if they were using multiple accounts and small amounts, we'd see it show up because the site would (statistically speaking) be far out of the expected variance.

You can read the paper here: https://lab.getmonero.org/pubs/MRL_Monte_Carlo_Edition.pdf
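
An added example (not the MRL paper's code) of the variance check fluffypony describes, run over the rows quoted in post #1; it also computes the probability of the six-bet streak (8816 to 8821) that oxygen88 points to in post #5. Assumptions: a 1% house edge (implied by the payouts), independent fair rolls, and that a '<x' target wins with chance x% and a '>x' target with chance (100 - x)%. Each bet is treated as a two-point random variable, so the realised profit can be compared with its expectation in units of the standard deviation, site-wide or per account.

```python
import math

# Added example, not the MRL paper's code.  BET_ROWS are the bets quoted in
# post #1 (bet id, stake, profit, target, roll, time, player), all in XMR.
BET_ROWS = """
7908821   3000.000000000000   +3000.000000000000   <49.50   46.38   07:23   PolakPotrafi
7908820   3000.000000000000   +3000.000000000000   >50.50   57.52   07:22   PolakPotrafi
7908819   1400.000000000000   +5600.000000000000   >80.20   81.28   07:22   PolakPotrafi
7908818   789.600000000000   +7106.400000000000   <9.90   2.06   07:21   PolakPotrafi
7908817   1535.200000000000   +6140.800000000000   <19.80   13.15   07:21   PolakPotrafi
7908816   935.200000000000   +8416.800000000000   >90.10   94.58   07:20   PolakPotrafi
7908815   1.000000000000   -1.000000000000   >80.20   45.19   07:20   PolakPotrafi
7908814   1.000000000000   -1.000000000000   >80.20   51.31   07:20   PolakPotrafi
7908813   1.000000000000   -1.000000000000   >80.20   24.50   07:19   PolakPotrafi
7908812   1.000000000000   -1.000000000000   >80.20   42.30   07:19   PolakPotrafi
7908811   1.000000000000   -1.000000000000   >80.20   60.60   07:19   PolakPotrafi
7908810   1.000000000000   +4.000000000000   >80.20   84.71   07:19   PolakPotrafi
7908809   1.000000000000   +4.000000000000   >80.20   87.64   07:19   PolakPotrafi
7908808   1.000000000000   -1.000000000000   >80.20   28.28   07:19   PolakPotrafi
7908807   1.000000000000   -1.000000000000   >80.20   32.78   07:19   PolakPotrafi
7908806   1.000000000000   +4.000000000000   >80.20   87.45   07:19   PolakPotrafi
7908805   100.000000000000   +400.000000000000   <19.80   17.08   07:19   PolakPotrafi
7908804   100.000000000000   +200.000000000000   <33.00   28.76   07:19   PolakPotrafi
7908803   100.000000000000   +100.000000000000   <49.50   44.78   07:18   PolakPotrafi
7908802   100.000000000000   +100.000000000000   >50.50   51.85   07:18   PolakPotrafi
7908801   100.000000000000   +100.000000000000   <49.50   18.59   07:18   PolakPotrafi
7908800   100.000000000000   +100.000000000000   <49.50   37.56   07:18   PolakPotrafi
7908799   100.000000000000   +100.000000000000   >50.50   72.20   07:18   PolakPotrafi
7908798   100.000000000000   +100.000000000000   >50.50   57.99   07:18   PolakPotrafi
7908797   100.000000000000   +100.000000000000   >50.50   62.63   07:18   PolakPotrafi
7908796   938.800000000000   -938.800000000000   <9.90   90.87   07:17   PolakPotrafi
7908795   1.000000000000   +1.000000000000   >50.50   88.01   07:15   PolakPotrafi
7908794   1.000000000000   +1.000000000000   >50.50   99.63   07:13   PolakPotrafi
"""

HOUSE_EDGE = 0.01   # assumed; implied by the payouts (+1x at 49.5%, +9x at 9.9%)


def parse_rows(text):
    """Split the pasted rows into dicts; the fields are whitespace separated."""
    bets = []
    for line in text.strip().splitlines():
        bet_id, stake, profit, target, roll, _time, player = line.split()
        bets.append({"id": int(bet_id), "stake": float(stake),
                     "profit": float(profit), "target": target,
                     "roll": float(roll), "player": player})
    return bets


def win_chance(target):
    """Percent chance of a '<x' / '>x' target on a uniform 0.00-99.99 roll."""
    op, value = target[0], float(target[1:])
    return value if op == "<" else round(100.0 - value, 2)


def streak_probability(bets):
    """Probability that every bet in the list wins under fair rolls."""
    return math.prod(win_chance(b["target"]) / 100.0 for b in bets)


def z_score(bets):
    """Realised profit minus the house-edge expectation, in standard
    deviations.  A bet pays +m*stake with probability p and -stake otherwise,
    with m = 0.99/p - 1, so its mean is -HOUSE_EDGE*stake for every target."""
    actual = expected = variance = 0.0
    for b in bets:
        p = win_chance(b["target"]) / 100.0
        m = (1.0 - HOUSE_EDGE) / p - 1.0
        mean = p * m - (1.0 - p)
        second = p * m * m + (1.0 - p)
        actual += b["profit"]
        expected += b["stake"] * mean
        variance += b["stake"] ** 2 * (second - mean ** 2)
    return (actual - expected) / math.sqrt(variance)


def per_player_z(bets):
    """z-score per account; z_score(bets) over all rows is the site-wide figure."""
    groups = {}
    for b in bets:
        groups.setdefault(b["player"], []).append(b)
    return {who: z_score(rows) for who, rows in groups.items()}


if __name__ == "__main__":
    bets = parse_rows(BET_ROWS)
    big_six = [b for b in bets if b["id"] >= 7908816]
    print(f"P(bets 7908816..7908821 all win by luck) = {streak_probability(big_six):.2e}")
    for who, z in per_player_z(bets).items():
        print(f"{who}: z = {z:+.2f}" + ("  <-- investigate" if z > 4.0 else ""))
```

Over these 28 rows PolakPotrafi comes out roughly 4.5 standard deviations above expectation, which a 4-sigma threshold flags, and the six big bets alone have about a 1 in 10,000 chance of all winning under fair rolls. The same arithmetic shows the limit NLNico raises in the next post: a cheater who keeps each account's z below the threshold, by spreading small wins over several accounts, stays invisible to this check, so it needs to be paired with the API-log correlation rather than relied on alone.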

#13 | NLNico (Legendary, DiceSites.com owner) | October 18, 2016, 01:22:46 PM

Looking at the expected variance is interesting, but obviously some dude who makes profits on a few accounts would be impossible to detect. Since you are publicly accepting investors (and were at a loss even before this big winner), I assume you are looking at logs to figure out whether previous accounts potentially cheated? At minimum you could see which accounts accessed that specific API function? I don't think most users use the API. Besides that, IPs/browsers/other info/etc. can potentially help to see whether someone else might have abused it.

The way this guy was betting was clearly to show that he could cheat. IMO this could have 2 reasons:

1) "I already stole enough so I will just show you that your site has a vulnerability"
2) "I can cheat on here, but don't want to receive a reward and would rather just show it off"

IMO the first reason seems more likely. It is exactly what HufflePuff (who stole 2000+ BTC) did on PD with the account "RobbinHood".

In the end I am personally not an investor and I am not sure how many public investors your site has, but I am obviously just saying this for the investors. If a site like PD (which doesn't accept investments) had this, I wouldn't be bothering Stunna about "previous accounts" or anything.

#14 | hubballi (Sr. Member) | October 18, 2016, 01:49:12 PM

Quote from: NLNico on October 18, 2016, 01:22:46 PM
The way this guy was betting was clearly to show that he could cheat. [...]

What you said is absolutely correct: the way he was betting, on continuous bets, makes it clear that he did it deliberately to let the site know that they have been hacked and that the site's seed key is known to others who are cheating the site.

#15 | NeuroticFish (Legendary) | October 18, 2016, 01:54:09 PM

Quote from: hubballi on October 18, 2016, 01:49:12 PM
What you said is absolutely correct: the way he was betting, on continuous bets, makes it clear that he did it deliberately to let the site know that they have been hacked [...]

I think that there's still a chance he didn't know the withdrawal is processed manually and got greedy.

A white hat hacker would have told the owner, not like this.
Somebody who would try only to show off would mean that 66k XMR (over $400,000) means nothing to him, since he already stole more than that.

#16 | fluffypony (Donator, Legendary) | October 18, 2016, 02:17:51 PM

Quote from: NLNico on October 18, 2016, 01:22:46 PM
[...] I assume you are looking at logs to figure out whether previous accounts potentially cheated? At minimum you could see which accounts accessed that specific API function? I don't think most users use the API. Besides that, IPs/browsers/other info/etc. can potentially help to see whether someone else might have abused it. [...]

Yes, we're taking a look at the API logs and correlating them against recent bettors. We'll weed out any other accounts he has ;)
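
The log correlation NLNico asks for in post #13 and fluffypony confirms above, as an added example that is not the site's code. The thread does not say which API call leaked the seed or what the logs look like, so the route /api/v1/seed, the combined-style access log with the account name in the remote-user field, the IPs, the accounts other than PolakPotrafi and othe, and every log line and bet record below are constructed for illustration. The idea is the one in the posts: find every account that successfully called the leaking route, total its profit from that moment on, and use shared IPs to surface alternate accounts.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Added example, not MoneroDice's code.  Everything below is constructed:
# the leaking route name, the IPs, the accounts other than PolakPotrafi/othe
# (which appear in the thread), and every log line and bet record.
LEAK_ENDPOINT = "/api/v1/seed"      # hypothetical route that returned the seed

# Assumed format: combined access log with the authenticated account name in
# the remote-user field.
ACCESS_LOG = """
203.0.113.7 - PolakPotrafi [18/Oct/2016:07:10:02 +0000] "GET /api/v1/seed HTTP/1.1" 200 143
203.0.113.7 - PolakPotrafi [18/Oct/2016:07:13:40 +0000] "POST /api/v1/bet HTTP/1.1" 200 88
198.51.100.5 - othe [18/Oct/2016:06:58:11 +0000] "POST /api/v1/bet HTTP/1.1" 200 88
203.0.113.7 - shadow42 [17/Oct/2016:22:41:09 +0000] "GET /api/v1/seed HTTP/1.1" 200 143
192.0.2.44 - casual_1 [18/Oct/2016:07:20:15 +0000] "GET /api/v1/stats HTTP/1.1" 200 512
192.0.2.44 - casual_1 [18/Oct/2016:07:21:03 +0000] "GET /api/v1/seed HTTP/1.1" 403 21
"""

# Constructed bet records: (bet id, account, UTC timestamp, profit in XMR)
BETS = [
    (7908700, "PolakPotrafi", "2016-10-18T07:05:00", -50.0),
    (7908795, "PolakPotrafi", "2016-10-18T07:15:00", 1.0),
    (7908816, "PolakPotrafi", "2016-10-18T07:20:00", 8416.8),
    (7908790, "othe", "2016-10-18T07:00:00", -120.0),
    (7908500, "shadow42", "2016-10-17T23:02:00", 300.0),
    (7908801, "casual_1", "2016-10-18T07:18:00", 12.0),
]

LOG_RE = re.compile(r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')


def parse_log(text):
    """Parse access-log lines into dicts; lines that do not fit are skipped."""
    entries = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        entries.append({"ip": m["ip"], "user": m["user"],
                        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
                        "path": m["path"], "status": int(m["status"])})
    return entries


def seed_readers(entries):
    """account -> time of its first *successful* call to the leaking route.
    Refused calls (403) are excluded: a probe that failed leaked nothing."""
    first = {}
    for e in entries:
        if e["path"] == LEAK_ENDPOINT and e["status"] == 200:
            if e["user"] not in first or e["ts"] < first[e["user"]]:
                first[e["user"]] = e["ts"]
    return first


def correlate(entries, bets):
    """For each seed reader: profit on bets placed from the first read on,
    plus other accounts seen from any of the same IPs (candidate alts)."""
    readers = seed_readers(entries)
    ips = defaultdict(set)
    for e in entries:
        ips[e["user"]].add(e["ip"])
    report = {}
    for user, since in readers.items():
        gain = sum(p for _bid, who, ts, p in bets if who == user
                   and datetime.fromisoformat(ts).replace(tzinfo=timezone.utc) >= since)
        alts = sorted(u for u, s in ips.items() if u != user and s & ips[user])
        report[user] = {"first_read": since.isoformat(),
                        "profit_after_leak": round(gain, 2),
                        "same_ip_accounts": alts}
    return report


if __name__ == "__main__":
    for user, info in correlate(parse_log(ACCESS_LOG), BETS).items():
        print(user, info)
```

With the constructed data the report names PolakPotrafi and shadow42 as seed readers, ties the two together through the shared IP, and leaves casual_1 out because its request for the route was refused. Filtering on the response status matters: a site that flagged every request path would also sweep up users who merely probed the endpoint.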

#17 | Daffadile (Hero Member) | October 18, 2016, 04:23:48 PM

So... when someone is unlucky and gets 21 losses in a row you say nothing, but as soon as someone makes a whole lot of wins in a row you get jealous?? Lol, ok...

Just like a losing streak, a winning streak can happen too. Also, what difference would it make if you saw his other rolls? It is pure luck.

 
#18 | BillyBurns (Sr. Member) | October 18, 2016, 04:27:46 PM

Quote from: Daffadile on October 18, 2016, 04:23:48 PM
Just like a losing streak, a winning streak can happen too. Also, what difference would it make if you saw his other rolls? It is pure luck.

Yeah, it's not very weird for him to make all those 1 XMR bets and lose every single one of them, and then win all of these huge bets with a tiny win % over and over; the only big bet he lost was the first one, where he made a mistake... oh, and on top of all those rolls, to be up another 33k XMR.
#19 | RHavar (Legendary) | October 18, 2016, 04:41:06 PM

Quote from: NLNico on October 18, 2016, 01:22:46 PM
The way this guy was betting was clearly to show that he could cheat. IMO this could have 2 reasons:

If the attack was super simple (e.g. the server was blindly giving the user the server seed), it's also possible it was a non-sophisticated attacker who got hold of it and was just dumb enough not to even try to cover his tracks better. I actually believe this recently happened to PrimeDice in their latest upgrade, with something along the lines of: the beta server was a fork of the production server, and someone realized this, revealed their server seed and abused the crap out of it to the point where it was super obvious. I also heard about another bitcoin site where someone social-engineered their way into getting root credentials to the server, but was sufficiently unsophisticated that he couldn't figure out how to withdraw the bitcoins.

That said, this is basically a nightmare situation for an investment site. Let's say they suspect or find out that the attacker actually had been abusing this before: who should be on the hook, the investors or the site? Kind of strange how no site ever clarifies that.

#20 | BillyBurns (Sr. Member) | October 18, 2016, 05:05:37 PM

Quote from: RHavar on October 18, 2016, 04:41:06 PM
If the attack was super simple (e.g. the server was blindly giving the user the server seed), it's also possible it was a non-sophisticated attacker who got hold of it and was just dumb enough not to even try to cover his tracks better. [...]

Look at his bet pattern and the outcomes of the bets; it's extremely obvious he was intentionally showing he could cheat.