So the first thing I notice is that I can't find any information on the site about the provable fairness. I don't see a FAQ link, and clicking 'verify' just asks me for a bunch of info I don't have, since I didn't even make an account yet.
Then I noticed there's a 'help' link, with "Each bet is provably fair and we show you how to check it" - but none of that is linked to further information. I'll keep looking.
OK, so further down the help text there's a section "How is it provably fair?"
I don't like the idea of daily secrets. It means I have to wait up to 24 hours to verify my bets.
I'm a little worried about "bet number". Is that a system-wide bet id? If so, that's not provably fair. Maybe it's a personal bet counter (my first bet is 1, my 2nd bet is 2, etc.), in which case that's fine. It would be good if that text were less ambiguous.
Looking at the code at the end, I see it uses the userid in the hash, which I guess is only needed if the bet number is per-user, not global.
Maybe mention that the code is Ruby (if it is?) to give people a hint as to how to run it.
Help section has been updated, I've also added small text in the VERIFY modal that more information can be found in help section.
Well, I was thinking about changing the algorithm to a per-user server seed; maybe it will be implemented in a future update, it's on my todo list.
Sorry for the confusion, the bet number is unique for each user and is being used as our nonce. Also, all bets can be checked with our API (/api/BET_NUMBER); you will get a JSON reply with all information except the secret for that bet. So everyone can check their concerns about nonce skipping.
The help text mentions "user seed". The script mentions "client seed". I don't see any mention of how to set that value. I presume they're the same thing, so you should decide what to call it.
I see you're using a simple SHA-512 to generate the rolls rather than the more standard practice of using HMAC. Any reason for this?
So I went to create an account, but couldn't see how to. It appears one was automatically created for me and I just need to set the username. And now I see how to set the user/client seed too.
I removed "client seed" from the site, now it's "user seed" everywhere. You can change it under the user box, using a-z symbols. You can't type spaces or new lines, as that would allow a padding attack on the hashing algorithm.
When you open the site for the first time, you see an alert with information that an account has already been created and you need to change the password and username.
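The two points raised in this exchange (plain SHA-512 versus HMAC for the roll, and the "padding attack" that motivates restricting the user seed's characters) come down to how the inputs are framed before hashing. The following is an added illustration, not the site's code and not a description of its actual algorithm: it uses constructed sample values and a hypothetical scheme in which the server publishes a commitment to its secret, then derives each roll with HMAC-SHA512 over a length-delimited (JSON) message. The naive variant, `naive_concat_digest`, shows the ambiguity that arises when seed and nonce are simply concatenated.

```python
import hashlib
import hmac
import json

# Constructed sample values for the example; not the site's secrets or output.
SERVER_SECRET = "example-daily-server-secret"
USER_ID = 42
USER_SEED = "myluckyseed"


def commitment(server_secret: str) -> str:
    """Hash the server publishes before any bets are placed (hypothetical scheme).
    Revealing the secret later lets users check it matches what was committed."""
    return hashlib.sha256(server_secret.encode()).hexdigest()


def naive_concat_digest(user_seed: str, nonce: int) -> str:
    """The fragile construction: hash of seed and nonce glued together.
    Because there is no delimiter, ("ab", 12) and ("ab1", 2) hash the same
    input string "ab12", so a user-chosen seed can collide with another bet."""
    return hashlib.sha512((user_seed + str(nonce)).encode()).hexdigest()


def bet_digest(server_secret: str, user_id: int, user_seed: str, nonce: int) -> str:
    """HMAC-SHA512 keyed with the server secret over a JSON-framed message.
    JSON framing keeps each field unambiguously delimited, so no choice of
    seed characters (spaces, newlines, digits) can shift the field boundaries,
    and HMAC gives a keyed construction rather than a bare hash of the secret."""
    msg = json.dumps([user_id, user_seed, nonce], separators=(",", ":")).encode()
    return hmac.new(server_secret.encode(), msg, hashlib.sha512).hexdigest()


def roll_from_digest(digest_hex: str) -> float:
    """Map the first 52 bits of the digest to a four-decimal roll in [0, 100)."""
    n = int(digest_hex[:13], 16)
    return (n % 1_000_000) / 10_000


def verify_bet(published_commitment: str, revealed_secret: str, user_id: int,
               user_seed: str, nonce: int, claimed_roll: float) -> bool:
    """What a user runs once the secret is revealed: the secret must match the
    earlier commitment, and recomputing the roll must reproduce the claimed one."""
    if commitment(revealed_secret) != published_commitment:
        return False
    recomputed = roll_from_digest(bet_digest(revealed_secret, user_id, user_seed, nonce))
    return recomputed == claimed_roll


if __name__ == "__main__":
    published = commitment(SERVER_SECRET)
    for nonce in (1, 2, 3):
        r = roll_from_digest(bet_digest(SERVER_SECRET, USER_ID, USER_SEED, nonce))
        print(f"bet {nonce}: roll {r:.4f} verifies:",
              verify_bet(published, SERVER_SECRET, USER_ID, USER_SEED, nonce, r))
    print("naive collision:", naive_concat_digest("ab", 12) == naive_concat_digest("ab1", 2))
```

The point of the JSON framing is that the server no longer has to forbid particular characters in the user seed: the boundary between fields is carried by the encoding rather than by what the user is allowed to type.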
Trying to set up 2FA, I'm given a QR code, but not the secret string. I like to make a note on paper of the secret string as a way of backing up my 2FA codes in case I lose my 2FA device. Since I can't back it up, I decide not to enable 2FA now. I click the 'x' in the 2FA dialog and the whole password-setting thing disappears too. Did I lose my username and password setting too? I open it up again, and my username and password are in there, so I hope the password is still what I typed. I click 'update' and it tells me "Can be only a-z and 0-9". But it doesn't tell me WHAT Can be only a-z and 0-9. I'm guessing it's the user seed, since I tried setting it to a sentence. Why can't I have spaces in my client seed? And if I can't, why not tell me I can't when I edit the field, or before I edit it. I remove the spaces and it lets me update. I sign out and in again to make sure I have the password right. I do.
So I went to the chat, looking for rain (of course)... It's apparently only available to players who have bet already. That seems kind of backwards - I would expect freebies to be given to new players to get them started, but whatever. Maybe rain is different than faucets. Apparently there's been some other 'dooglus' in the chat pretending to be me. I guess I'll deposit and play a little.
Error text has been adjusted.
Also, I show the secret for 2FA now as well.
We have zero tolerance for beggars and have decided to block all attempts to get anything free on the site. There's nothing to test or try on the site; our community likes it because we rarely see any begging attempts and all conversations in chat are relevant to everyone. We have small rules under the chat, which explain what the rain is and why we have one. It's intended for active users. The system monitors chat activity and rewards only active users; also, only level 1 and above can get something from the rain.