Does transaction malleabilty mean that Satoshi Dice is not "provably fair"?

[DannyHamilton]

I'll admit, it's been a while since I paid any attention to SD or any of it's clones.  It is possible that they've changed their operating procedures since the last time I looked.

It is my understanding that SD uses the transactionID in the calculation to determine if a player is a "winner".

Doesn't this mean that SD can use Transaction Malleability to adjust the transactionID and re-calculate the user's entry if the user is a "winner"?  Therefore, they can influence their payout percentages by randomly changing some winners into losers?

To assist in disguising this effort, they could also adjust a small number of losing bets into winning bets or into losing bets with a different hash.

The idea that SD is "provably fair" relied on the fact that they couldn't influence which bets would win and which would lose, but clearly, they can recalculate transactionID until they get the result they desire.  They can't guarantee that their malleated transactionID will be the one that is confirmed, but it will happen often enough that they can't exactly be called "provably fair".

Perhaps SD (and its many clones) should be called out for false advertising until they either drop the "provably fair" description or change to something like NTXID for calculating winners?

[Peter R]

Interesting.  I hadn't thought about that before but I believe you are right.  

That being said, I don't think it was happening.  Experienced users would have quickly noticed that their bet transaction got malled and reported it here.  I don't recall ever hearing such a thing.  

Moving forward, I don't see this as a major problem because (a) it is detectable, (b) users are migrating away from on-chain gambling to off-chain gambling using sites like just-dice.com, anyways.  

It would be nice to eliminate malleability as quickly as possible, however.    
 

[monsterer]

Interesting.  I hadn't thought about that before but I believe you are right.  

No because they haven't accept bets at 0 confirmations for months now, ever since someone demonstrated a double-spend attack on them.

[Rannasha]

Interesting.  I hadn't thought about that before but I believe you are right.  

No because they haven't accept bets at 0 confirmations for months now, ever since someone demonstrated a double-spend attack on them.

This issue is independent of the number of confirmations required for payouts. The steps would be as follows:
1) User sends tx to SD, tx-id A.
2) SD computes outcome for bet with id A.
3) If A is a winning bet, SD submits a malleated copy, tx-id B, which is a losing bet. (This step can be done with only a fraction of the winning bets, to prevent win-stats from appearing too skewed.)
4) Either A or B makes it into the block, but there's a non-zero chance of tx-id B being included, so the house-edge for SD has increased beyond the advertised edge.
5) Payout according to which tx-id made it into the block.

Only if the user stores the tx-id that he has sent and later compared that to the tx-id that was added to a block, can he find out that there has been foul play.

[DannyHamilton]

Interesting.  I hadn't thought about that before but I believe you are right.  

No because they haven't accept bets at 0 confirmations for months now, ever since someone demonstrated a double-spend attack on them.

Interesting.  If that's true, then it seems that binaryFate of luckyb.it is lying, or at least doesn't understand how Satosi Dice works and is falsely advertising his own service as "provably fair".

In another thread in a discussion about the dangers of using unconfirmed inputs, binaryFate stated that luckyb.it accepts 0 confirmations and implied that SatoshiDice does as well:

I'm an operator of luckyb.it, and payouts there typically have an unconfirmed input (the players' bets)

Transaction Malleability makes it a VERY BAD idea to be using unconfirmed inputs in your transactions.  There is a very real possibility that the transaction ID of the player's bet will NEVER confirm (if a malleated version of it is confirmed instead). How do you handle this situation?  

That is the point of doing it that way (same for satoshidice btw), if the bet never confirms, the payout neither. Which is exactly what you want as a game operator, (from the operator point of view the malleability issue is the same as with "classic" double-spends).

Do you use any part of the player's transaction ID in determining whether the player wins?

Yes we use part of player transaction ID to determine outcomes (same as satoshidice again), that is partly what makes the game provably fair.

Regardless of the errors that luckyb.it is making, as Rannasha has pointed out waiting for confirmations doesn't make SatoshiDice "provably fair" since they can mess with the transactionID before it is confirmed.  The only way for them to be provably fair is to use something from the transaction that cannot be modified after transmitting (such as NTXID)

[monsterer]

This issue is independent of the number of confirmations required for payouts. The steps would be as follows:

Not payouts, this is the point they actually compute the bet on the old send to bet address satoshi dice, which is what I presumed you were talking about?

[seedtrue]

saw this in an old thread

Just to re-iterate: this kind of modification, transaction malleability, is something that can be done by miners without the person who submitted the transaction even knowing. In other words that "high-roller" may not have had anything to do with the double-spend at all.

That is a very good point!  Anybody at all can create modified versions of any transaction in that manner and change its txid arbitrarily.  This presents a way for satoshidice to cheat their players too, by transmitting modified versions of winning bets before they confirm.

[DannyHamilton]

saw this in an old thread

Just to re-iterate: this kind of modification, transaction malleability, is something that can be done by miners without the person who submitted the transaction even knowing. In other words that "high-roller" may not have had anything to do with the double-spend at all.

That is a very good point!  Anybody at all can create modified versions of any transaction in that manner and change its txid arbitrarily.  This presents a way for satoshidice to cheat their players too, by transmitting modified versions of winning bets before they confirm.

Good find. Thanks!

So it seems that it was discovered over a year ago that due to malleability Satoshi Dice and other similar games were NOT "provably fair".  Some suggestions were presented on how those games could become "provably fair", but I'm not sure if Satoshi Dice, or any similar gambling games, ever implemented the necessary changes.

[Test User]

The thing about the "provably fair" algorithms used by sites such as satoshi dice, is that they work by hasing the TxId with a nonce and a daily secret key.

The key is revealed the next day, so that the previous day's betting can be publicly inspected.

Even if the TxID can be manipulated, this should not be an advantage to an attacker as if the hash function used is secure, then it will not be possible to predict a priori what transaction ID will result in a win and which will not.

[DannyHamilton]

The thing about the "provably fair" algorithms used by sites such as satoshi dice, is that they work by hasing the TxId with a nonce and a daily secret key.

The key is revealed the next day, so that the previous day's betting can be publicly inspected.

Even if the TxID can be manipulated, this should not be an advantage to an attacker as if the hash function used is secure, then it will not be possible to predict a priori what transaction ID will result in a win and which will not.

The point you are missing is that the game provider knows the daily secret and the nonce.  The game provider can calculate the hash result, and if it is a winner, the game provider can quickly release a malleated TxID onto the network.  If that malleated txID is confirmed by a miner, then the game provider doesn't have to pay out and increases their profits.

In other words they are providing you a game that they can cheat at.  It is not "provably fair".