I don't think the issue here is the system's provable fairness, although I haven't verified it.
Their provably fair is actually not provably fair. The bust points are provably predetermined, but there's nothing that requires them to have a degree of randomness or keep true to their 2% edge. This is how the system works:
(screenshot)How is the drawing done and what is a provably fair credibility code?
The server is pre-generated with the next 10 drawing with its maximum winning point (BPS) and unique code. Each drawing code is produced by the following 3 components
● Drawing number
● Maximum winning point of the drawing (BPS)
● Unique combination of randomly generated symbols
The unique code is produced by algorithm sha256 by merging these 3 components
For example: if the drawing number is 012345, the maximum profit point of the same drawing is 5.63 and the unique number of the drawing is a1bscasca1231
The drawing code will have the following format: x12341241
This is what the "provably fair" section looks like. It's a list of hashes and the hashed value.
Basically, how it works is that they generate the next 10 bust points before they happen, and combine it with a random hash as well as the game ID. For example, for game #148861, they would give the hash of the game ahead of time:
AA52E6C67BE59C21380DA5642942CB6237308FC249CB06DC554D961B0AB695C6
Once the game has been played, they reveal the unhashed value:
148861:2.98:d2c5059f-6b0b-4120-96fd-63d9c17271c4
I have four issues with this setup:
1. Each bust point is supposedly randomly generated, however this can't be proved. We only know that the result was predetermined. We can't know that the result was generated fairly. Each bust point is independent of the previous bust points (unlike how bustabit works, which uses hash chains). FortuneJack can easily cheat and the game can still verify as "provably fair". If there is a whale playing the game, the next 10 bust points might be legitimately randomly generated, but after that, FortuneJack can purposely provide hashes that are lower than they should. Is the whale constantly cashing out above 2x? FortuneJack can feed them bust points always below 2x, and it would still appear as "provably fair". However, this is clearly not fair.
bustabit counters this by using a chain of hashes. RHavar generated 10 million hashes, and
posted the first one publicly. The last hash is used to generate the first bust point, and was obtained by hashing the second last hash. The second last hash is used to generate the second bust point, and was obtained by hashing the third last hash. This method, combined with a random seed allows for provably fair full randomness.
FortuneJack has no proof of randomness in their provably fair.
RollinCoin (scam) used a very similar system, and kolloh's response perfectly points out the issue:
The results of the bets are not generated in a manner that provides proof to the house edge. The results are arbitrary and the hashes show the results of the precalculated result.
NLNico (arguably one of the top minds in the provably fair gambling space) agrees:
Added negative trust.
People should realize that their "provably fair" implementation is already not provably fair anyway. They could literally show 10000s of hashes where the string is "Lose:......" and claim it's provably fair because the hash is the same. That is not how provably fair works.
Somehow, with such a crappy bad non-"provably fair" implementation, they still managed to cheat it extra - by changing the hash. That is like almost impressive. <- unrelated to FortuneJack situation
Please ignore such sites.
If I was FortuneJack and a whale started playing, I am able to give them only 10 rounds that are fair, and feed them hashes with low bust values after the 10. A big whale,
baaaitcoin played 884 rounds on bustabit (with that account. IIRC they made multiple), and bet on average 10.85
BTC per bet. If they played on FortuneJack, FJ could have manipulated all of the bust points after the first 10 rounds to have lower bust points than they should, causing baaaitcoin to go bankrupt very quickly. Something like this could have been given:
148852:1.21:cf13f713-8d0b-4268-8c5e-dc7f088a5540 // should have been 5.01, modified to 1.21
148851:1.17:4e7da20e-07e7-47a6-816d-3b021f3c3dd5 // should have been 41.88, modified to 1.17
148850:1.37:f8c08863-c87d-4df6-961d-5d29d21aa6b0 // should have been 4.47, modified to 1.37
148849:1.00:99920d7f-b197-4740-9291-58fd8128eb2b // should have been 1.87, modified to 1.00
148848:1.25:aa5f0f49-c16a-491c-a985-a297cbad1bde
148847:1.37:1a2396eb-fe8b-499e-8492-7f42c3b5a294
148846:1.34:1c87a433-0153-44a3-8f62-7774097c1c4b
<insert 10 legit hashes>
If baaaitcoin was aiming for multipliers above 1.38, that's an easy 70
BTC in profit for FortuneJack. And the best part is, the games would verify as provably fair. I don't know if FortuneJack did this to cheat anyone, and I can't download the ~148k bust points from games played to see if the bust points hover near a 2% house edge. I don't think they cheated anyone (most likely incompetence), but
any system that allows a casino to undetectably cheat is not provably fair.
2. There is no history for prior games available as far as I know. The provably fair list given only shows the last 19 game results. No available prior bust history combined with no proof of random bust points means that it is impossible for the community to verify that the bust points deviate around the x1.98 bust point (based off of 2% house edge). For all we know, the game code could be set to generate bust points with an average at x1.8, which would significantly increase the house edge.
There is no way for the player to even attempt the verify that the game is fair.3. Even if the game history is provided, and the bust points deviate from x1.98, FortuneJack could simply fill in some very high bust points when no one is playing the game. The chance that someone would join the game and play in 10 rounds is low, and the chance that the player who joined would be chasing a very high multiplier is even lower. This could allow them to have the bust points deviate from a higher bust point when no one is playing, and a lower bust point when someone is playing.
This gives them fully undetectable "provably fair" where they can easily cheat.4. Let's pretend they do have a legitimate bust value generation in the background, and can provide a hash chain + seed that gives all of the bust points. Let's also pretend that we have access to the full game history that has no chance of being modified. There is still an issue with this: they did not post a hash chain publicly and find the seed in a fair way. They can easily manipulate this to give themselves a much higher edge.
RHavar explains how in this post. This leaves them with no way of proving that all bust points were generated fairly in the backend.However, it's much more likely that they're using a Math.random(); in the backend which they can freely modify.
5. Game hashes are only provided 10 games in advance. This makes it hard for gamblers to verify their bets, as every time, a new game hash is given, they need to write it down somewhere to verify later. This is incredibly tedious to do (especially if you make hundreds of bets) and more likely than not, players won't be doing this and just trusting that FortuneJack won't modify the hash. Knowing this, FortuneJack can modify hashes with a very low risk of detection, and even if they were detected, it's the player's voice against FortuneJack's. (their page is set up in a way that can't be archived). Ironically, RollinCoin had a better system than this. Furthermore, having no past history further amplifies this problem. A player needs to verify each game before 19 more games has passed, as they can't check the data for older games.
FortuneJack makes it very difficult and annoying for a player to reasonably verify their games. Provably fair systems should be easy and intuitive to use, as players would be heavily discouraged from verifying bets otherwise.
If FortuneJack did swap hashes and a player came here to complain, you can bet that a bunch of people who are conveniently wearing FortuneJack signatures will come defend them, using arguments like "FortuneJack is an established and old casino, why would they cheat you? Go away." or "FortuneJack is trustworthy, they paid me for my signature! Stop spreading FUD."
FortuneJack can swap game hashes with very low risk of being detected. Even if they were detected, it's the player(s) word against FortuneJack and if that player had no reputation somewhere (ie bitcointalk), people would quickly reject the player(s) claims.
SummaryThere is no proof that bust points are generated to only have a 2% house edge. FortuneJack can very easily manipulate the bust points for each round, if they do it 10 rounds prior and there is no way to detect this. This essentially allows them to cheat, with 'provably fair' still showing the game was fair. NLNico, owner of
DiceSites.com and one of the most well known people in the provably fair space suggests to "ignore such sites."
They should fix this by copying a working provably fair system, like the one bustabit uses.
TLDR: Read bolded lines
edit: fixed incorrect explanation of bustabit's system
edit2: added fifth point