bustabit – The original crash game

[JackpotRacer]

Earlier today, an attacker exploited a previously unknown vulnerability in one of bustabit's API methods which allowed him to find out the current game's outcome before its end. By exploiting this bug the attacker managed to win a total of 122.5686 BTC and empty the hot wallet.

I have confirmed the existence of this vulnerability and deployed a fix for it. In a few minutes, the game will resume and the hot wallet refilled.

bustabit will reimburse all affected bankroll investors out of pocket. Each investor's account will be credited with the full amount of bits lost to the attacker and an equal amount of dilution fee credits. Because I want to ensure that all affected investors are made whole (vs just adding 122.5686 BTC to the bankroll again), this will take 1-2 days while I calculate how much each investors is owed.

There is no indication that this vulnerability was exploited before today. Player funds were not at risk at any point in time. The problem was specific to bustabit and bustadice was not affected in any way.

Chapeau! for the way you handle it

as I thought about licensing a bustabit version, how would it be handled if I got hacked with this kind of hack? who would pay for the damage?

[1715311771]

1715311771

[JollyGood]

Earlier today, an attacker exploited a previously unknown vulnerability in one of bustabit's API methods which allowed him to find out the current game's outcome before its end. By exploiting this bug the attacker managed to win a total of 122.5686 BTC and empty the hot wallet.

I have confirmed the existence of this vulnerability and deployed a fix for it. In a few minutes, the game will resume and the hot wallet refilled.

bustabit will reimburse all affected bankroll investors out of pocket. Each investor's account will be credited with the full amount of bits lost to the attacker and an equal amount of dilution fee credits. Because I want to ensure that all affected investors are made whole (vs just adding 122.5686 BTC to the bankroll again), this will take 1-2 days while I calculate how much each investors is owed.

There is no indication that this vulnerability was exploited before today. Player funds were not at risk at any point in time. The problem was specific to bustabit and bustadice was not affected in any way.

Chapeau! for the way you handle it

as I thought about licensing a bustabit version, how would it be handled if I got hacked with this kind of hack? who would pay for the damage?

Excellent question. It would open up various legal issue right?

And those that are already using the software via a licence fee, would you contact them explaining them how to apply the fix/patch?

[Catmurs]

Earlier today, an attacker exploited a previously unknown vulnerability in one of bustabit's API methods which allowed him to find out the current game's outcome before its end. By exploiting this bug the attacker managed to win a total of 122.5686 BTC and empty the hot wallet.

I have confirmed the existence of this vulnerability and deployed a fix for it. In a few minutes, the game will resume and the hot wallet refilled.

bustabit will reimburse all affected bankroll investors out of pocket. Each investor's account will be credited with the full amount of bits lost to the attacker and an equal amount of dilution fee credits. Because I want to ensure that all affected investors are made whole (vs just adding 122.5686 BTC to the bankroll again), this will take 1-2 days while I calculate how much each investors is owed.

There is no indication that this vulnerability was exploited before today. Player funds were not at risk at any point in time. The problem was specific to bustabit and bustadice was not affected in any way.

Do you can help to another busta sites, for solved that vulnerability too ?

I don't think all sites have this problem , I think a lot of it was fixed a long time ago , well that all went well with no losses !

[StackGambler]

Earlier today, an attacker exploited a previously unknown vulnerability in one of bustabit's API methods which allowed him to find out the current game's outcome before its end. By exploiting this bug the attacker managed to win a total of 122.5686 BTC and empty the hot wallet.

I have confirmed the existence of this vulnerability and deployed a fix for it. In a few minutes, the game will resume and the hot wallet refilled.

bustabit will reimburse all affected bankroll investors out of pocket. Each investor's account will be credited with the full amount of bits lost to the attacker and an equal amount of dilution fee credits. Because I want to ensure that all affected investors are made whole (vs just adding 122.5686 BTC to the bankroll again), this will take 1-2 days while I calculate how much each investors is owed.

There is no indication that this vulnerability was exploited before today. Player funds were not at risk at any point in time. The problem was specific to bustabit and bustadice was not affected in any way.

Chapeau! for the way you handle it

as I thought about licensing a bustabit version, how would it be handled if I got hacked with this kind of hack? who would pay for the damage?

bustabit v2 code is not available for licensing. v1 code is available, but it is not subject to the same vulnerability, which involves the betID parameter.

[JackpotRacer]

Earlier today, an attacker exploited a previously unknown vulnerability in one of bustabit's API methods which allowed him to find out the current game's outcome before its end. By exploiting this bug the attacker managed to win a total of 122.5686 BTC and empty the hot wallet.

I have confirmed the existence of this vulnerability and deployed a fix for it. In a few minutes, the game will resume and the hot wallet refilled.

bustabit will reimburse all affected bankroll investors out of pocket. Each investor's account will be credited with the full amount of bits lost to the attacker and an equal amount of dilution fee credits. Because I want to ensure that all affected investors are made whole (vs just adding 122.5686 BTC to the bankroll again), this will take 1-2 days while I calculate how much each investors is owed.

There is no indication that this vulnerability was exploited before today. Player funds were not at risk at any point in time. The problem was specific to bustabit and bustadice was not affected in any way.

Chapeau! for the way you handle it

as I thought about licensing a bustabit version, how would it be handled if I got hacked with this kind of hack? who would pay for the damage?

bustabit v2 code is not available for licensing. v1 code is available, but it is not subject to the same vulnerability, which involves the betID parameter.

thx but that does not answer my question

[StackGambler]

Earlier today, an attacker exploited a previously unknown vulnerability in one of bustabit's API methods which allowed him to find out the current game's outcome before its end. By exploiting this bug the attacker managed to win a total of 122.5686 BTC and empty the hot wallet.

I have confirmed the existence of this vulnerability and deployed a fix for it. In a few minutes, the game will resume and the hot wallet refilled.

bustabit will reimburse all affected bankroll investors out of pocket. Each investor's account will be credited with the full amount of bits lost to the attacker and an equal amount of dilution fee credits. Because I want to ensure that all affected investors are made whole (vs just adding 122.5686 BTC to the bankroll again), this will take 1-2 days while I calculate how much each investors is owed.

There is no indication that this vulnerability was exploited before today. Player funds were not at risk at any point in time. The problem was specific to bustabit and bustadice was not affected in any way.

Chapeau! for the way you handle it

as I thought about licensing a bustabit version, how would it be handled if I got hacked with this kind of hack? who would pay for the damage?

bustabit v2 code is not available for licensing. v1 code is available, but it is not subject to the same vulnerability, which involves the betID parameter.

thx but that does not answer my question

Only Daniel is qualified to answer this, but here's what I think he'd say. The main product you purchase is the license, which is your name on the license.txt file. You also get the code along with this, or you can use the public code which is posted on Github. Now, it's your site's responsbility to make sure the code doesn't have bugs. If, for some reason, the code causes your v1 clone to use money, I think Daniel would not reimburse you, because it's your responsibility to have thoroughly audited the code before implementation.

Also, keep in mind that there are 20-30 sites that are running on v1 code, and there have been no serious exploits or bugs thus far, so it's unlikely that one will crop up any time soon, unless people make heavy edits to the code before deployment.

[JollyGood]

I hope no other sites report having this vulnerability

[crashingcrypto]

as I thought about licensing a bustabit version, how would it be handled if I got hacked with this kind of hack? who would pay for the damage?

I had it happen to one of our sites and they will just mark your license with a 'credible scam accusation'.  You're responsible for all the bullshit that happens. 

[StackGambler]

as I thought about licensing a bustabit version, how would it be handled if I got hacked with this kind of hack? who would pay for the damage?

I had it happen to one of our sites and they will just mark your license with a 'credible scam accusation'.  You're responsible for all the bullshit that happens. 

Your site has never been hacked. You blocked legitimate withdrawals from 3 players. Daniel has had fraudulent bets made via misuse of bustabit's public API. Where's evidence of your hack?

[JackpotRacer]

I hope no other sites report having this vulnerability

frankly I would like to see another licensed bustabit site be hacked and would like to see how it is handled. this would answer my question

[JollyGood]

I hope no other sites report having this vulnerability

frankly I would like to see another licensed bustabit site be hacked and would like to see how it is handled. this would answer my question

Oh that is a bit harsh 

TBH it is clear devans is an honest person and his word is his bond. Others have made loud noises about protecting investors but backed out leaving their projects dangling on the verge of closure but devans has not had a bad word said against him.

Just look at the way he handled this attack and covered nearly $500,000 worth of losses from his own pocket. That is the sign of somebody who is genuine and caring, approachable and has the right mindset to operate a business using other peoples BTC for bankroll to the tune of over $12 million dollars (if I am not mistaken).

I would prefer devans make his position clear about what would happen to other sites if they also get attacked while running licensed software, no need to see others getting hacked.

[crashingcrypto]

I hope no other sites report having this vulnerability

frankly I would like to see another licensed bustabit site be hacked and would like to see how it is handled. this would answer my question

Legit withdrawals?  Nah, they were canceled for KYC refusal and Snoop Dogg is currently smoking that money.  Bye sweetie. 

[StackGambler]

I hope no other sites report having this vulnerability

frankly I would like to see another licensed bustabit site be hacked and would like to see how it is handled. this would answer my question

Legit withdrawals?  Nah, they were canceled for KYC refusal and Snoop Dogg is currently smoking that money.  Bye sweetie. 

Don't come crying to me to bail you out of prison, Brett. Get off Daniel's thread.

[ProveMeWrong]

Why is it every time Ryan sells a site there is an alleged hack or win under mysterious circumstances?

[JackpotRacer]

Why is it every time Ryan sells a site there is an alleged hack or win under mysterious circumstances?

would you mind to give us some samples of those sites he sold? I don't know of any

[StackGambler]

Why is it every time Ryan sells a site there is an alleged hack or win under mysterious circumstances?

would you mind to give us some samples of those sites he sold? I don't know of any

I believe the person Ryan sold Monepot to scammed, which had nothing to do with Ryan. The person he sold bustabit to (devans) faced an exploit, which, again, had nothing to do with Ryan. It's not that Ryan is associated with bad things happening, it's just that gigantic bitcoin services are usually associated with bad things happening.

devans handled it like a champ, and thankfully, other than himself, there are no victims in this scenario.

[JollyGood]

A couple of newbies here in this thread are being a nuisance

[Stringer Bell]

Hi guys, Any idea when the Investors will be credited for those suspicious bets/losses yesterday?

As it stands, the Bankroll is in the same place still.

I'm going to have to pull my money from the BankRoll otherwise Way too risky if this sort of thing can just happen and we're left holding the bag.

[BillyBurns]

Hi guys, Any idea when the Investors will be credited for those suspicious bets/losses yesterday?

As it stands, the Bankroll is in the same place still.

I'm going to have to pull my money from the BankRoll otherwise Way too risky if this sort of thing can just happen and we're left holding the bag.

Read some post's next time the site owner said he will credit everyone + dilution fee in 1-2 days.

[Stringer Bell]

Thank you BillyBurns - Sorry I should have read a little further back before asking.

I was there when it happened. Witnessed the whole thing.

Actually, I managed to copy 1 of them for the last 2 rolls they did.. Should have bet it all

Wonder if I'll lose that? Don't mind tho, just Bankroll, very happy to hear it'll be reimbursed.