I don't think the issue here is the system's provable fairness, although I haven't verified it.
Their provably fair is actually not provably fair. The bust points are provably predetermined, but there's nothing that requires them to have a degree of randomness or keep true to their 2% edge. This is how the system works:
(screenshot)
How is the drawing done and what is a provably fair credibility code?
The server is pre-generated with the next 10 drawing with its maximum winning point (BPS) and unique code. Each drawing code is produced by the following 3 components
● Drawing number
● Maximum winning point of the drawing (BPS)
● Unique combination of randomly generated symbols
The unique code is produced by algorithm sha256 by merging these 3 components
For example: if the drawing number is 012345, the maximum profit point of the same drawing is 5.63 and the unique number of the drawing is a1bscasca1231
The drawing code will have the following format: x12341241
This is what the "provably fair" section looks like. It's a list of hashes and the hashed value.
Basically, how it works is that they generate the next 10 bust points before they happen, and combine it with a random hash as well as the game ID. For example, for game #148861, they would give the hash of the game ahead of time:
AA52E6C67BE59C21380DA5642942CB6237308FC249CB06DC554D961B0AB695C6
Once the game has been played, they reveal the unhashed value:
148861:2.98:d2c5059f-6b0b-4120-96fd-63d9c17271c4
I have four issues with this setup:
1. Each bust point is supposedly randomly generated, however this can't be proved. We only know that the result was predetermined. We can't know that the result was generated fairly. Each bust point is independent of the previous bust points (unlike how bustabit works, which uses hash chains). FortuneJack can easily cheat and the game can still verify as "provably fair". If there is a whale playing the game, the next 10 bust points might be legitimately randomly generated, but after that, FortuneJack can purposely provide hashes that are lower than they should. Is the whale constantly cashing out above 2x? FortuneJack can feed them bust points always below 2x, and it would still appear as "provably fair". However, this is clearly not fair.
bustabit counters this by using a chain of hashes. RHavar generated 10 million hashes, and posted the last one publicly. The 1st hash is used to generate the first bust point. The second hash is generated by hashing the first hash, and it is used to calculate the first bust point. He also used the hash of a future Bitcoin block as the seed, to ensure he did not generate a hash with a higher house edge.
FortuneJack has no proof of randomness in their provably fair.
RollinCoin (scam) used a very similar system, and kolloh's response perfectly points out the issue:
The results of the bets are not generated in a manner that provides proof to the house edge. The results are arbitrary and the hashes show the results of the precalculated result.
NLNico (arguably one of the top minds in the provably fair gambling space) agrees:
Added negative trust.
People should realize that their "provably fair" implementation is already not provably fair anyway. They could literally show 10000s of hashes where the string is "Lose:......" and claim it's provably fair because the hash is the same. That is not how provably fair works.
Somehow, with such a crappy bad non-"provably fair" implementation, they still managed to cheat it extra - by changing the hash. That is like almost impressive. <- unrelated to FortuneJack situation
Please ignore such sites.
If I was FortuneJack and a whale started playing, I am able to give them only 10 rounds that are fair, and feed them hashes with low bust values after the 10. A big whale, baaaitcoin played 884 rounds on bustabit (with that account. IIRC they made multiple), and bet on average 10.85 BTC per bet. If they played on FortuneJack, FJ could have manipulated all of the bust points after the first 10 rounds to have lower bust points than they should, causing baaaitcoin to go bankrupt very quickly. Something like this could have been given:
148852:1.21:cf13f713-8d0b-4268-8c5e-dc7f088a5540 // should have been 5.01, modified to 1.21
148851:1.17:4e7da20e-07e7-47a6-816d-3b021f3c3dd5 // should have been 41.88, modified to 1.17
148850:1.37:f8c08863-c87d-4df6-961d-5d29d21aa6b0 // should have been 4.47, modified to 1.37
148849:1.00:99920d7f-b197-4740-9291-58fd8128eb2b // should have been 1.87, modified to 1.00
148848:1.25:aa5f0f49-c16a-491c-a985-a297cbad1bde
148847:1.37:1a2396eb-fe8b-499e-8492-7f42c3b5a294
148846:1.34:1c87a433-0153-44a3-8f62-7774097c1c4b
<insert 10 legit hashes>
If baaaitcoin was aiming for multipliers above 1.38, that's an easy 70 BTC in profit for FortuneJack. And the best part is, the games would verify as provably fair. I don't know if FortuneJack did this to cheat anyone, and I can't download the ~148k bust points from games played to see if the bust points hover near a 2% house edge. I don't think they cheated anyone (most likely incompetence), but any system that allows a casino to undetectably cheat is not provably fair.
2. There is no history for prior games available as far as I know. The provably fair list given only shows the last 19 game results. No available prior bust history combined with no proof of random bust points means that it is impossible for the community to verify that the bust points deviate around the x1.98 bust point (based off of 2% house edge). For all we know, the game code could be set to generate bust points with an average at x1.8, which would significantly increase the house edge.
There is no way for the player to even attempt to verify that the game is fair.
3. Even if the game history is provided, and the bust points deviate from x1.98, FortuneJack could simply fill in some very high bust points when no one is playing the game. The chance that someone would join the game and play in 10 rounds is low, and the chance that the player who joined would be chasing a very high multiplier is even lower. This could allow them to have the bust points deviate from a higher bust point when no one is playing, and a lower bust point when someone is playing.
This gives them fully undetectable "provably fair" where they can easily cheat.
4. Let's pretend they do have a legitimate bust value generation in the background, and can provide a hash chain + seed that gives all of the bust points. Let's also pretend that we have access to the full game history that has no chance of being modified. There is still an issue with this: they did not post a hash chain publicly and find the seed in a fair way. They can easily manipulate this to give themselves a much higher edge.
RHavar explains how in this post. This leaves them with no way of proving that all bust points were generated fairly in the backend.
However, it's much more likely that they're using a Math.random(); in the backend which they can freely modify.
Summary
There is no proof that bust points are generated to only have a 2% house edge. FortuneJack can very easily manipulate the bust points for each round, if they do it 10 rounds prior and there is no way to detect this. This essentially allows them to cheat, with 'provably fair' still showing the game was fair. NLNico, owner of DiceSites.com and one of the most well known people in the provably fair space suggests to "ignore such sites."
They should fix this by copying a working provably fair system, like the one bustabit uses.
TLDR: Read bolded lines
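An added example, not part of the original post and not code from either site: it contrasts the per-round commit-and-reveal check with a hash-chain check, showing that operator-chosen low bust points still pass the former while a substituted value fails the latter. The round strings follow the `game:bust:nonce` shape quoted in the post; the game IDs, nonces, seed, string encoding and chain length are constructed assumptions, and the chain is a simplified sketch rather than bustabit's implementation.

```python
import hashlib

def sha256_hex(s):
    return hashlib.sha256(s.encode("utf-8")).hexdigest()

def verify_commit_reveal(commitment, revealed):
    """Per-round check: the revealed string hashes to the pre-published hash."""
    return sha256_hex(revealed) == commitment.lower()

def rigged_rounds_verify():
    """Constructed rounds: the operator picks low bust points, then commits."""
    rounds = ["%d:%.2f:nonce-%d" % (900000 + i, 1.00 + i / 10, i) for i in range(5)]
    published = [sha256_hex(r).upper() for r in rounds]  # shown before play
    return all(verify_commit_reveal(c, r) for c, r in zip(published, rounds))

def build_chain(seed, n):
    """chain[-1] is published before play; games consume the chain backwards."""
    chain = [sha256_hex(seed)]
    for _ in range(n - 1):
        chain.append(sha256_hex(chain[-1]))
    return chain

def verify_chain(played, terminal):
    """Each revealed game hash must hash to the one revealed before it."""
    prev = terminal.lower()
    for h in played:
        if sha256_hex(h) != prev:
            return False
        prev = h
    return True

def demo():
    chain = build_chain("constructed-secret-seed", 6)
    terminal, played = chain[-1], chain[-2::-1]
    honest = verify_chain(played, terminal)
    # Operator swaps round 3 for a hash that would map to a lower bust point.
    tampered = list(played)
    tampered[2] = sha256_hex("operator-chosen-value")
    return rigged_rounds_verify(), honest, verify_chain(tampered, terminal)

if __name__ == "__main__":
    print(demo())
```

The chain check only rules out swapping outcomes after the terminal hash is published; how the seed was chosen, the concern in item 4, has to be proven separately.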
I will reply here as well. This post was sent to the game provider and game developers, and I would like to thank you firstly for the thorough examination of the game and secondly, I can assure you that I will get back to you as soon as I hear from them.
David.