Bitcoin Forum
Warning: One or more bitcointalk.org users have reported that they strongly believe that the creator of this topic is a scammer. (Login to see the detailed trust ratings.) While the bitcointalk.org administration does not verify such claims, you should proceed with extreme caution.
Author Topic: Monero dice seed hacked?  (Read 4065 times)
Spoetnik
Legendary
Activity: 1540
Merit: 1011


FUD Philanthropist™
February 08, 2017, 07:30:38 AM
Last edit: February 08, 2017, 07:48:56 AM by Spoetnik
 #61

It would be interesting to know if this was a custom API or a public one, meaning that maybe other sites are affected and their owners could use this news to protect their sites too.
Of course patching your own is top priority.


Custom API, so I don't think this affects anyone else. We've disabled betting in the meantime whilst we sort this out, but I really think the lesson to other operators is not to be overconfident in your code or in your setup. Everything can and will be compromised, so assume it's going to happen and put safeguards in place to handle that eventual scenario.

I am bookmarking this comment, gold. Cheesy

Best comment of 2017 so far, easily.

FUD first & ask questions later™
Spoetnik
Legendary
Activity: 1540
Merit: 1011


FUD Philanthropist™
February 08, 2017, 07:51:40 AM
 #62

I think probably it is added back to the investors at the time of adding back. So if someone divested, he won't get anything, but if someone invested, he would get a share of the added back amount Huh

Yeah, that's what it sounds like. Actually, when I designed the moneypot investment system, what I did was create a replayable log of all the investment/divestment/bet events, so that in a nightmare situation like this (or a software bug) it could be replayed and investors wouldn't have made/lost money from the changes in the bankroll while a fake bettor (or software bug) was playing.

The situation is probably a big mess now, as some investors have lost more than they should've and others made more than they should've. And it's probably pretty likely the ones who unfairly made money have already withdrawn (?), or at the very least will be unhappy if their balance gets put to the correct amount.

Reminds me of Cryptsy's POINTS hack roll-back drama.
Seems the Monero guys who make a coin and RUN a GAMBLING SITE BUSINESS using said coin are smarter than everyone else.. except when they get hacked.. via "over confidence" Cheesy

I think he is just lucky. How do you hack a seed? It's impossible.

We found the bug he exploited that leaked the seed, and we've subsequently patched it.

Oh yeah?
I guess just take your word for it, huh?
What makes you think there was an exploit in your API?
..the result?

I understand the risk is on the investors too and the situation would have been different if the cheater managed to withdraw all the money.

But the cheater didn't get any of it, so if you do rewind the cheater's bets, it seems very obvious that you should refund to the affected investors. To suggest otherwise seems ridiculous to me. And to give free money to people who invested after the whole situation seems even more crazy.

We made a decision on how to handle it at the time, under pressure, to the best of our ability. You are welcome to disagree with that decision, but unless you're in that scenario running your own site your opinion is largely meaningless. It's easy to look at it after the fact and go "well I would have done X" - I can think of any one of 30 different ways we could have handled things.

That seems like a normal thing to do. If I see a site is hacked, obviously my first reaction is to withdraw my own money. You must be pretty stupid to not immediately make sure your left-over money is safe.

So then you cut your losses and you get out, the end. There is no coming back later on to try reclaim imagined profit.

Perhaps a comparison will help: let's say that you have 10 BTC in Poloniex. You hear that Poloniex isn't processing BTC withdrawals, along with panic that they're hacked, and use your BTC to buy a bunch of WaffleCoin and withdraw it. You sell your WaffleCoin on ShapeShift, but now the market's tanked and you end up with 9 BTC. Later that day Poloniex put out a statement apologising for the issues and stating that they're now fixed. Would you insist that they roll the trades back? What about the shorters that took profit from you?

Or what if you invested in a startup, and then when it looked like things were going south you sold your investment at a loss. Two years later the startup is a huge, successful company. Do you insist on taking profit from the growth because you *used to be* an investor?

You shouldn't roll the whole database back, you should look which investors got affected by the cheater and how much they lost. In theory just the rolls and invest/divest information, should be sufficient. I understand it's technically tricky and needs some custom script to calculate, but that seems like the only fair way.

E.g.: you have the invested amounts of the current investors. Loop over all events (= all bets + divests/invests) from the latest back to the start of the cheater. The first event is probably some real bet after the cheater; recalculate what the invested amounts were before that bet. Second event, same. If the event is an invest/divest, adjust the invested amounts too. Then when you reach the last bet of the cheater, you should have all the info on which investors were invested at that time, including the amounts. Separately save how much they lost (or gained) in that cheater's bet. Continue the loop, and if the event is a cheater's bet, do the same. All the way until you are back at the first cheater's bet. IMO after this, you should have a list of investors with specific amounts of how much they lost? Reimburse those amounts to the investors.

We thought about this, but we decided that it would be too dangerous for us to spend days and weeks trying to build a magical "undo" script, completely wrecking any auditability, and potentially ending up with a screwed up data set at the end.

BillyBurns already made a loss from the cheater? So if you decided the losses were on the investors, nothing would have changed? He wouldn't need to deposit - he is already in loss.

edit: TBH I am not sure how many investors actually divested like BillyBurns. If he is the only one, things are probably more easy :x But just the mindset of refunding the investors who actually lost money seems important to me.

With all respect to the affected investor, he took his $100 loss and walked away. He didn't contact us, he didn't ask for input on how we were going to handle things. He just assumed that it was the end, and he would have been the *only* investor to get out with his money had we not had safeguards and had the attacker been able to actually drain the wallet. What would have happened then?

You stated at the outset that you understand that the situation would have been different had the attacker managed to withdraw, but you're not actually following that thought through. Had that played out we'd have a total loss on the part of all the investors, and one investor who only incurred a $100 loss, and you can bet that investor wouldn't volunteer to divvy up his remaining funds among the affected investors.

Ultimately you're asking us to take up a morally hazardous position. What happens when someone "accidentally" places a large bet and loses? Should we undo their bet, and take the profits from the investors? An investor that divests and withdraws is no longer part of the bankroll. They bailed out with a profit or with a loss, and that's the end of that.

Nevertheless, I've already offered to send $100 to the affected investor, so I'm not sure what more you expect?

Teach us how gambling sites are *supposed* to work. LOL
Does this involve SPECULATING a seed was compromised?

And who exactly is "we"?
Is King Risto involved with the site in any way? Who is?

FUD first & ask questions later™
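The replayable event log described in the quoted reply above, and the per-investor recalculation proposed in the later quote, as an added example that is not code from the site or from any poster: an append-only ledger is replayed twice, once as recorded and once skipping the flagged bettor's bets, and the difference is what each investor is owed (or was over-paid). It generalises the backward loop in the quote to a forward replay; the event kinds, investor names and amounts are constructed.

```python
from dataclasses import dataclass
from fractions import Fraction

@dataclass(frozen=True)
class Event:
    kind: str         # "invest", "divest" or "bet"
    who: str          # investor name, or bettor name for a "bet"
    amount: Fraction  # coins moved; for a bet, the house's net result
                      # (positive = bettor lost, negative = bettor won)

def replay(events, exclude_bettors=frozenset()):
    """Forward-replay the ledger and return each investor's stake.
    The ledger is never edited: an 'undo' is a replay that skips every
    bet placed by someone in exclude_bettors."""
    stakes = {}
    for ev in events:
        if ev.kind == "invest":
            stakes[ev.who] = stakes.get(ev.who, Fraction(0)) + ev.amount
        elif ev.kind == "divest":
            # A divest is the absolute amount actually paid out, so it is
            # replayed as-is; a stake that goes negative means the investor
            # was paid more than the corrected history entitles them to.
            stakes[ev.who] = stakes.get(ev.who, Fraction(0)) - ev.amount
        elif ev.kind == "bet" and ev.who not in exclude_bettors:
            total = sum(stakes.values())
            if total <= 0:
                raise ValueError("bet settled against an empty bankroll")
            # Every investor absorbs the house result pro rata to their stake.
            for inv in stakes:
                stakes[inv] += ev.amount * stakes[inv] / total
        elif ev.kind != "bet":
            raise ValueError(f"unknown event kind {ev.kind!r}")
    return stakes

def corrections(events, cheaters):
    """Per investor: amount owed (positive) or over-paid (negative)."""
    actual = replay(events)
    fair = replay(events, exclude_bettors=frozenset(cheaters))
    return {inv: fair[inv] - actual.get(inv, Fraction(0)) for inv in fair}

# Constructed sample ledger (not real site data); amounts are in coins.
LEDGER = [
    Event("invest", "alice", Fraction(1000)),
    Event("invest", "bob", Fraction(1000)),
    Event("bet", "honest1", Fraction(50)),    # honest bettor lost 50
    Event("bet", "cheater", Fraction(-400)),  # cheater won 400
    Event("divest", "bob", Fraction(825)),    # bob bails with his reduced stake
    Event("invest", "carol", Fraction(500)),  # carol joins after the damage
    Event("bet", "cheater", Fraction(-265)),  # cheater wins again
]
```

The sum of all corrections equals the cheater's total winnings, which is the check to run before paying anything out; an investor who divested everything after the damage (bob here) still shows up with a positive correction.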
Spoetnik
Legendary
Activity: 1540
Merit: 1011


FUD Philanthropist™
February 09, 2017, 05:16:00 PM
Last edit: February 10, 2017, 05:23:48 AM by Spoetnik
 #63

Custom API, so I don't think this affects anyone else. We've disabled betting in the meantime whilst we sort this out, but I really think the lesson to other operators is not to be overconfident in your code or in your setup. Everything can and will be compromised, so assume it's going to happen and put safeguards in place to handle that eventual scenario.

What a fucking sleazy little bullshitter.

He has the god damn nerve to say bullshit like that and sell merch with the below printed on it..



These Monero guys and all their misc companies and associations are corrupt back stabbing deceitful lying & bullshitting little obnoxious fucking pigs.

Snake oil salesmen raking in large profits while selling you all this ANON gimmick bullshit
and the big dream of...... "One day"

Maybe these cocky stupid fucking assholes should change the text on their hoodies?

Maybe something like.. "Everything can and will be compromised" ?  Cheesy

PS:
Know where he got that from?
Me and my so-called "FUD" I posted for damn near 3 years now.
But it's true when he says it and lying Troll FUD when I do, huh?

Fluffy, you are a fucking greedy deceitful little crypto-rat in the shadows counting your cash like all the other profiteers with their gimmick coins.. and tell Risto you want a raise, bud LOL
And yeah, Risto did admit way back to paying the devs, so don't play that off as a joke either.

Of course my questions went unanswered earlier.. little pussies in hiding Roll Eyes

Go fuck yourselves Morono's.. I told you 2017 was gonna be fun HAHHAHAHAHHA

FUD first & ask questions later™
moooonu
Hero Member
Activity: 560
Merit: 500

February 10, 2017, 09:27:27 AM
 #64

WOW!!!!

Looks like he knew exactly which roll was going to come next. However, he tried to make it look real with those few red bets. I am not sure, but someone can't be that lucky when it comes to probability.
adaseb
Legendary
Activity: 3752
Merit: 1710

February 12, 2017, 09:54:28 PM
 #65

The thing is, this guy who did this was an idiot and by betting like that he made it very obvious that there are security leaks somewhere.

But imagine how many BTC were lost to small gamblers who made less obvious bets over the past couple of months prior; they must have cleared out thousands of dollars before it was caught.

Not really running a gambling site these days with all these security issues.
