So the first thing I notice is that I can't find any information on the site about the provable fairness. I don't see a FAQ link, and clicking 'verify' just asks me for a bunch of info I don't have, since I didn't even make an account yet.
Then I noticed there's a 'help' link, with "Each bet is provably fair and we show you how to check it" - but none of that is linked to further information. I'll keep looking.
OK, so further down the help text there's a section "How is it provably fair?"
Each bet can be verified using the day's secret, user seed and user id, we also use your bet number as nonce. We create a bet hash using those data, we then take the first 5 characters of that hash string and convert them to a decimal integer, If it is less than 1 million, we divide it by 10,000 and use it as your dice roll. If it's not we take another 5 characters and repeat.
If we could not find less than a million number of the 25 groups of five characters, we use the remaining 3 characters, which give a number in the range 0 through 4095, which corresponds to a dice roll of 0.0000 through 0.4095.
Each day we select new secrets, however we already generated all of them, and their SHA512 hashes ( we perform a SHA512 cryptographic algorithm on secret to get a completely different value. Thus when we release last day secret you can hash it and confirm that we used exactly that secret) available for download.
Secret file can be found here
We implemented new engine with Hi\Low since bet #228033, below code can be used to verify new algorithm.
I don't like the idea of daily secrets. It means I have to wait up to 24 hours to verify my bets.
I'm a little worried about "bet number". Is that a system-wide betid? If so, that's not provably fair. Maybe it's a personal bet counter (my first bet is 1, my 2nd bet is 2, etc.) in which case that's fine. It would be good if that text was less ambiguous.
Looking at the code at the end, I see it uses the userid in the hash, which I guess is only needed if the bet number is per-user, not global.
Maybe mention that the code is Ruby (if it is?) to give people a hint as to how to run it.
The help text mentions "user seed". The script mentions "client seed". I don't see any mention of how to set that value. I presume they're the same thing, so you should decide what to call it.
I see you're using a simple sha512 to generate the rolls rather than the more standard practice of using hmac. Any reason for this?
So I went to create an account, but couldn't see how to. It appears one was automatically created for me and I just need to set the username. And now I see how to set the user/client seed too.
Trying to set up 2FA, I'm given a QR code, but not the secret string. I like to make a note on paper of the secret string as a way of backing up my 2FA codes in case I lose my 2FA device. Since I can't back it up, I decide not to enable 2FA now. I click the 'x' in the 2FA dialog and the whole password-setting thing disappears too. Did I lose my username and password setting too? I open it up again, and my username and password are in there, so I hope the password is still what I typed. I click 'update' and it tells me "Can be only a-z and 0-9". But it doesn't tell me WHAT Can be only a-z and 0-9. I'm guessing it's the user seed, since I tried setting it to a sentence. Why can't I have spaces in my client seed? And if I can't, why not tell me I can't when I edit the field, or before I edit it. I remove the spaces and it lets me update. I sign out and in again to make sure I have the password right. I do.
So I went to the chat, looking for rain (of course)... It's apparently only available to players who have bet already. That seems kind of backwards - I would expect freebies to be given to new players to get them started, but whatever. Maybe rain is different than faucets. Apparently there's been some other 'dooglus' in the chat pretending to be me. I guess I'll deposit and play a little.
