Can you please demonstrate how you were able to generate that deck of cards given that game seed?
The client-side Javascript function that verifies the deck shuffle has been purposely disabled. The function is called check_game(), and it is supposed to check that the deck that was actually played is the same as what the server committed to when it initially sent the server seed. However, after this function shuffles the deck, it then just cheats and manually sets the generated deck of cards to what the server dealt:
Excellent catch. Thanks for reporting that. You are correct, the check logic in the JS is disabled, this seems to be a missed relic from testing. The code is being corrected today.
As for how we calculate the deck from the game seed:
It's pretty straight forward
We take the final game seed + the game seed hash, convert this to a string (which is a byte stream in PHP) and use it as the seed for the mt_srand function in PHP. This will seed the Mersenne Twister algorithm. We then perform a Fisher Yates shuffle on the shuffled deck, using the mt_rand function as the RNG. This adds two levels of randomness to the shuffle and provides a reproducible result after the fact.
In the essence of transparency we've decided to add a feature to the site which will allow anyone to download a public game history file each day which will show all games played, the server, client and game seed as well as the complete shuffled deck. This can be used to perform analysis on the dataset, or simply to verify a particular game again after the fact.
We are also in the processes of having our game engine externally audited which will add a further level of trust to our engine.
While I am happy that a developer let this test get into production, I can assure you that the games are random. Anyone that has a particular concern about the outcome of a game or the randomness of a shuffle, please contact any of us directly and we will provide the complete audit history of any game.
Thanks again for the great bug catch.
