GHash.IO and double-spending against BetCoin Dice

[mmitech]

Transalating my post from russian subforum
https://bitcointalk.org/index.php?topic=321444.0

Like a month ago, in September I witnessed a lot of double-spending against BetCoin Dice. It happened between 25th and 27th Sept.

The mechanism was simple: send betcoin a tx wit 0 fee, then wait for a result tx, if your bet is a win, then confirm your tx, otherwise double-spend it.

1. Here I'll give you a bunch of transactions which you can examine. Note this is a chain of transactions, so just click on outputs to see.
https://blockchain.info/tx/4d731074447f02609c3110a187f9c6976f2bf255288ec5666ee270f09679619d
https://blockchain.info/tx/e0b44f68441ea0bad0f7694f735f496ce05238862534c6fea737b8903921185a

The double-spending of losing bets was performed by someone mining to https://blockchain.info/address/1MA7CKbWMyKdPkmsbnwmfeLh1hYy5A3gy8 , you can check it yourself.

2. I tracked coins down to the origin
https://blockchain.info/tx/154ecb1eb72c933bc0707fa70deceb688361554ab81b901673d308aa84d9cfe9
The most interesting address here is 12PcHjajFJmDqz28yv4PEvBF4aJiFMuTFD
It's been involved in similar actions, look at this chain of win-only tx's
https://blockchain.info/tx/0c1a08d035862b01d075e8044b1e9ce52a8ad951b57d876a2a9a0e3502c41eb0
And the most interesting fact is that these zero-fee tx's inbetween winning ones were mined by ghash.io exclusively. Possibly this was a test attack.

3. Going further, I found the address the earnings from attack were sent to: 12e8322A9YqPbGBzFU6zXqn7KuBEHrpAAv
https://blockchain.info/tx/292e7354fbca1847f0cbdc87a7d62bc37e58e8b6fa773ef4846b959f28c42910
And then part of these funds (125 BTC) was sent to ghash.io's mining address:
https://blockchain.info/tx/48168cf655d0ac0c7c2733288ca72e69ecd515a9a0ab2821087eb33deb7c6962

4. Furthermore, I checked the funds mined to 1MA7CKbWMyKdPkmsbnwmfeLh1hYy5A3gy8
In these 2 succeeding tx's they were moved to 199kVcHrLdouz9k9iW3jh1kpL7j9nLg7pn
https://blockchain.info/tx/e567ad6232de5285e0dc211d3f1c489b1e00e509118ba98a4825529d0a9197d9
https://blockchain.info/tx/faa7bc8b99376efa774045e79b42771fe668341b00290a61cd416992571c590d

This address is interesting, because it contains 6000 BTC and ~30% of funds come from ghash.io mining address.
https://blockchain.info/taint/199kVcHrLdouz9k9iW3jh1kpL7j9nLg7pn

5. And the last thing to spot:
GHash.io, being about 25% of network back then, didn't find a single block to its address between 25th and 27th of september!
https://blockchain.info/address/1CjPR7Z5ZSyWk6WtXvSFgkptmpoi4UM9BC?offset=1350&filter=2


I'm not jumping on conclusions, but these actions require public attention.
Comment here if you have anything to say.

I thought every body has to see this post. credit goes to RoadTrain  original post https://bitcointalk.org/index.php?topic=321630.0

[1714118696]

1714118696

[1714118696]

1714118696

[1714118696]

1714118696

[1714118696]

1714118696

[PatMan]

I second this. This MUST be looked into immediately,and if found to be true & legitimate, an explanation demanded from ghash.io/cex.io

[pajak666]

Oh shit this look so serious if true...

[CobaltBlueD]

It is interesting how you buy & sell from cex.io. They keep all the bitcoin and control all the Gh. You have to 'withdrawl' BTC.  One interesting quirk, you can setup your workers to autopayout in 0.1BTC increments based on a 'shareholder' concept.

I agree.  Very well worth investigating.

[oakpacific]

Whether the accusation could be proven or not, I second that it deserves an investigation.

[freedomno1]

Investigation recommended as well

[realitycheck]

cex.iohave recently registered as a UK company - could this action (if them) be down to an employee taking advantage?  Seems like the cex.io buiness plan looks profitable - not worth messing with gambling perhaps?

Thoughts?

[gmaxwell]

Taking irreversible actions on unconfirmed transactions is not safe. This is not news.  Big hashpower consolidations are not safe. This is not news.

While I'm sympathetic about losses and don't support theft— it appears that many Bitcoin gambling services are run from places where their legality is probably questionable, and as a result getting help from the courts may not be an option— and even if it is, it's very expensive and takes a long time. Your best bet is to protect yourself by not transacting in a way which is insecure relative to the network that exists today.

The operators of high transaction inefficient gambling services (the ones with two transactions per tiny bet) have many times responded to the Bitcoin community members concerned about their services abusing our common network resources and costing money node operators saying that we should all be thankful for the valuable "test" they are performing and the encouragement it provides to improve the infrastructure. Some parallels could be drawn from people exploiting insecure unconfirmed transaction behavior …

[Luke-Jr]

Indeed, a Dice site setup properly wouldn't be vulnerable to this.

(this is not an endorsement of the double spending)

[helmax]

this is serious research required

[MTBmanTT]

Can someone explain this to me like a 5yr old please

[dbbit]

Can someone explain this to me like a 5yr old please

Sure. Imagine 3 sisters (let's call them the Potters).

Annie owns 1 doll.  Sally owns 1 doll.  Jane owns no dolls.

Now of course, doll ownership in the Potter household is only as good as to when Annie, Sally, Jane, Mom and Dad agrees to who owns what. Annie can't just take Sally's doll, as everyone knows it's not hers and will just restore rightful ownership.


However, Annie comes up with a plan. She makes a bet with Sally at school. She rolls a dice, with the terms that if Sally wins Sally would get Annie's doll when they get home. If Annie wins, she would get Sally's doll.

Let's say Sally is honest but Annie is not. The roll the dice. If Annie happens to win, Sally gives her the doll. They're both happy... well, except for Sally - but they're in agreement at least.

However, if Annie happens to lose, she quickly goes running to Jane and say: "Hey Jane, remember that doll that I have, I can trade it to you for your bottle of Corona". Jane says ok, so then they phone up mom and dad, and say: "Hey mom, Annie's doll now belongs to Jane, and Jane's Corona now belongs to Annie".  Mom and Dad says ok, so now Annie's doll now belongs to Jane, and Annie starts her long journey of Corona addiction that ends with her turning tricks on Hollywood Boulevard until one very unfortunate night with Gary Busey... but more about that at another time.

Meanwhile, Sally gets home and finds that she's not getting Annie's doll. Since everybody else now thinks that Annie doesn't have a doll anymore, and it now belongs to Jane. Sally can complain like she wants, but mom and dad doesn't understand why Sally would make a bet with Annie against a doll that really belongs to Jane. Of course, in real life Sally would now beat up Annie with a baseball bet, which is why a stunt like this works better in BitCoin land than in Vegas (well, except if you cross DPR.).

[mmitech]

Can someone explain this to me like a 5yr old please

Sure. Imagine 3 sisters (let's call them the Potters).

Annie owns 1 doll.  Sally owns 1 doll.  Jane owns no dolls.

Now of course, doll ownership in the Potter household is only as good as to when Annie, Sally, Jane, Mom and Dad agrees to who owns what. Annie can't just take Sally's doll, as everyone knows it's not hers and will just restore rightful ownership.


However, Annie comes up with a plan. She makes a bet with Sally at school. She rolls a dice, with the terms that if Sally wins Sally would get Annie's doll when they get home. If Annie wins, she would get Sally's doll.

Let's say Sally is honest but Annie is not. The roll the dice. If Annie happens to win, Sally gives her the doll. They're both happy... well, except for Sally - but they're in agreement at least.

However, if Annie happens to lose, she quickly goes running to Jane and say: "Hey Jane, remember that doll that I have, I can trade it to you for your bottle of Corona". Jane says ok, so then they phone up mom and dad, and say: "Hey mom, Annie's doll now belongs to Jane, and Jane's Corona now belongs to Annie".  Mom and Dad says ok, so now Annie's doll now belongs to Jane, and Annie starts her long journey of Corona addiction that ends with her turning tricks on Hollywood Boulevard until one very unfortunate night with Gary Busey... but more about that at another time.

Meanwhile, Sally gets home and finds that she's not getting Annie's doll. Since everybody else now thinks that Annie doesn't have a doll anymore, and it now belongs to Jane. Sally can complain like she wants, but mom and dad doesn't understand why Sally would make a bet with Annie against a doll that really belongs to Jane. Of course, in real life Sally would now beat up Annie with a baseball bet, which is why a stunt like this works better in BitCoin land than in Vegas (well, except if you cross DPR.).

amazing story hahahaha, you should just add that Annie is Ghash.io and Sally is BetCoin and the parents are the Bitcoin protocol which leaves Jane that I cant put anywhere.

[SquallLeonhart]

I don't believe they are doing this... maybe its one of the employee?

[dbbit]

which leaves Jane that I cant put anywhere.

The account that you do the double-spend to.

[drawingthesun]

amazing story hahahaha, you should just add that Annie is Ghash.io and Sally is BetCoin and the parents are the Bitcoin protocol which leaves Jane that I cant put anywhere.

Jane is also Ghash.io.

[MTBmanTT]

Can someone explain this to me like a 5yr old please

Sure. Imagine 3 sisters (let's call them the Potters).

Annie owns 1 doll.  Sally owns 1 doll.  Jane owns no dolls.

Now of course, doll ownership in the Potter household is only as good as to when Annie, Sally, Jane, Mom and Dad agrees to who owns what. Annie can't just take Sally's doll, as everyone knows it's not hers and will just restore rightful ownership.


However, Annie comes up with a plan. She makes a bet with Sally at school. She rolls a dice, with the terms that if Sally wins Sally would get Annie's doll when they get home. If Annie wins, she would get Sally's doll.

Let's say Sally is honest but Annie is not. The roll the dice. If Annie happens to win, Sally gives her the doll. They're both happy... well, except for Sally - but they're in agreement at least.

However, if Annie happens to lose, she quickly goes running to Jane and say: "Hey Jane, remember that doll that I have, I can trade it to you for your bottle of Corona". Jane says ok, so then they phone up mom and dad, and say: "Hey mom, Annie's doll now belongs to Jane, and Jane's Corona now belongs to Annie".  Mom and Dad says ok, so now Annie's doll now belongs to Jane, and Annie starts her long journey of Corona addiction that ends with her turning tricks on Hollywood Boulevard until one very unfortunate night with Gary Busey... but more about that at another time.

Meanwhile, Sally gets home and finds that she's not getting Annie's doll. Since everybody else now thinks that Annie doesn't have a doll anymore, and it now belongs to Jane. Sally can complain like she wants, but mom and dad doesn't understand why Sally would make a bet with Annie against a doll that really belongs to Jane. Of course, in real life Sally would now beat up Annie with a baseball bet, which is why a stunt like this works better in BitCoin land than in Vegas (well, except if you cross DPR.).

Nice story lol, much clearer now - thank you

[mmitech]

lets get to the bottom line here, it is not about BetCoin failure, we all agree on that, the whole thing is about someone holding 24% of the network hash power and using this position with bad attention.

it worries me when they get close to 51%, then the question is if they are doing it now, what will they do with 51% and that what matters to me at this point.

what the cumunity can do about it, I guess nothing, they are a private pool , they will be adding more and more power this is no question, in the classic case, miners can always switch to other pools when they feel the threat but what is the solution when some big private pool does this.

[bee7]

lets get to the bottom line here, it is not about BetCoin failure, we all agree on that, the whole thing is about someone holding 24% of the network hash power and using this position with bad attention.

Exactly

[Luke-Jr]

lets get to the bottom line here, it is not about BetCoin failure, we all agree on that, the whole thing is about someone holding 24% of the network hash power and using this position with bad attention.

I'm not sure it's that simple.
BetCoin Dice is currently* a DDoS attack against Bitcoin. GHash.IO's actions here could be construed as a kind of self-defence.

* BetCoin has indicated they will correct this problem eventually.