Bitcoin Forum
Author Topic: Vulnerabilities in gambling websites in past  (Read 6647 times)
worldofcoins (OP)
February 10, 2022, 05:54:00 PM
 #1

There have been quite a number of vulnerabilities in gambling websites since 2011, from Satoshi Dice to Primedice and a lot more.

What was the total number of exploits, and which ones were the lethal ones? I think that Hufflepuff guy on Primedice did the most damage.
The exploit was called something like "Race time condition", and I read something similar in my CS class, but it was related to a banking system so it could be different.

Basically, it was giving multiple inputs to the system trying to get some response from the system in 2 places, and then exploiting the system.

Also, is there any list for me to check regarding exploits? I'm thinking about developing something, so it may come in handy.
seoincorporation
February 10, 2022, 07:28:00 PM
 #2

As you mention, there have been a lot of vulnerabilities in the past. I have personally reported vulns in some gambling sites; the ones I remember were:

1.- 999dice (The site is already down)
The faucet used to pay huge amounts, something like 1000 satoshis every 10 minutes. And there was a tip engine with a limit of 0.001 as the min amount. The exploit was about claiming the faucet with multiple accounts and collecting it with tips. I call the bug the Snowball because with each tip you collect it grows 1k sat. So, let's say you claim the faucet with 100 accounts and send a 0.001 tip to the first one, then send 0.00101000 to the second one and keep collecting all the other ones.

For reporting this I got a bounty of 0.025 in 2015.

2.- Prime dice
Some years ago this casino got an update where each time you made a withdrawal you got back 0.0001... so if the min withdrawal was 0.001 then you could earn easy money with this. I deposited 0.1 BTC to my account, then sent a tip of 0.001 to a second account and withdrew it. I got 0.0001 back, then I sent another 0.001 tip and now withdrew 0.0011, I got back 0.0001, and I repeated the process a lot of times. Before I finished with the starting 0.1, the site blocked my account with close to 0.03 on it, and I never recovered that money. I was just getting information to report the bug, but for them I abused the system and they never gave me my money back.

It was a long time ago, and they did the right thing; even if I was about to report the bug, I should have done it from the start when I detected the bug and not after exploiting it, so it was my fault.

3.- No confirmation sites.
Any site that allows you to gamble with unconfirmed coins is vulnerable to a double-spend attack. People could wager their balance and, if they win, wait for the transaction to confirm, and if they lose they could make a double spend; that's a known vulnerability.

I hope this information helps you in your development.

RHavar
February 10, 2022, 08:20:57 PM
 #3

Oh man, there's been a *lot*. And so many different classes of bugs. I think all the big casinos have at one time or another had at least one serious incident.

iirc, the primedice issue was they initialized the server-seed (i.e. for provable fairness) using a hash (?) function with the-current-time as (the only?) input. This meant that if two users created a server-seed at the exact same time, they would have the exact same server seed. Then one of the accounts just needs to reveal the server seed, and the other can continue using it for betting. [Don't quote me on that, that's just my recollection of a many-years-old incident]


I used to run a major bitcoin casino (bustabit) and under my watch there was a pretty serious exploit:

https://bitcointalk.org/index.php?topic=709185.msg9679169#msg9679169

In that thread there's a pretty detailed technical postmortem of the issue. And kindly enough, the hacker even shared the code he used for the exploit -- which was pretty cool.

Check out gamblingsitefinder.com for a decent list/rankings of crypto casinos. Note: I have no affiliation or interest in it, and don't even agree with all the rankings ... but it's the only uncorrupted review site I'm aware of.
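
The shared-seed failure RHavar recalls above, next to a CSPRNG-based seed and an operator-side audit for duplicate commitments. This is an added example, not code from the thread or from any casino; SHA-256, the second-resolution timestamp, the account names and every function name are assumptions made for illustration.

```python
import hashlib
import secrets
from collections import defaultdict


def seed_from_clock(unix_time):
    """Flawed pattern recalled in the post: the seed is a hash of the time only."""
    return hashlib.sha256(str(unix_time).encode()).hexdigest()


def seed_from_csprng():
    """Hardened: 256 bits from the OS CSPRNG, independent of time and account."""
    return secrets.token_hex(32)


def commit(server_seed):
    """Commitment shown to the player before any bet; the seed stays secret."""
    return hashlib.sha256(server_seed.encode()).hexdigest()


def verify_reveal(commitment, revealed_seed):
    """Check that a revealed seed matches a previously published commitment."""
    return secrets.compare_digest(commit(revealed_seed), commitment)


def roll(server_seed, client_seed, nonce):
    """Result 0..9999 derived from server seed, client seed and bet number."""
    data = f"{server_seed}:{client_seed}:{nonce}".encode()
    return int.from_bytes(hashlib.sha256(data).digest()[:8], "big") % 10_000


def shared_commitments(active):
    """Audit: groups of accounts whose active seeds share one commitment."""
    groups = defaultdict(list)
    for account, commitment in active.items():
        groups[commitment].append(account)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def issue(accounts, make_seed):
    """Give each account a fresh seed; returns (seeds, commitments)."""
    seeds = {a: make_seed() for a in accounts}
    return seeds, {a: commit(s) for a, s in seeds.items()}


# Constructed value: both seed requests fall in the same clock tick.
CONSTRUCTED_TIME = 1_400_000_000


def demo_clock_seeds():
    """Clock-derived seeds: the audit flags the pair, and one reveal exposes both."""
    seeds, active = issue(["alice", "bob"], lambda: seed_from_clock(CONSTRUCTED_TIME))
    revealed = seeds["alice"]                        # alice rotates her seed
    exposes_bob = verify_reveal(active["bob"], revealed)
    same_rolls = all(
        roll(revealed, "bob-client", n) == roll(seeds["bob"], "bob-client", n)
        for n in range(5)
    )
    return shared_commitments(active), exposes_bob and same_rolls


def demo_csprng_seeds():
    """CSPRNG seeds: no shared commitment, and alice's reveal says nothing about bob."""
    seeds, active = issue(["alice", "bob"], seed_from_csprng)
    return shared_commitments(active), verify_reveal(active["bob"], seeds["alice"])


if __name__ == "__main__":
    print("clock :", demo_clock_seeds())
    print("csprng:", demo_csprng_seeds())
```

Running `shared_commitments` over the table of active commitments is a cheap recurring check, whatever the seed source.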
dunfida
February 10, 2022, 08:26:18 PM
 #4

Here's a similar scenario, but this one only talks about 35 BTC.
https://bitcointalk.org/index.php?topic=1340581.0

It was on Rollin.io, which is already dead or down as of this moment. Nothing in this world is unhackable, no matter how tough the security would be.

judeafante
February 10, 2022, 09:57:23 PM
 #5

Here's a similar scenario, but this one only talks about 35 BTC.
https://bitcointalk.org/index.php?topic=1340581.0

It was on Rollin.io, which is already dead or down as of this moment. Nothing in this world is unhackable, no matter how tough the security would be.

But in the case of the casino, once it's hacked that's the end of that casino. Only big casinos offer refunds or protect their players' money, compared to exchanges where they can do a refund and insure their traders' money; I don't think there's the same guarantee that they can offer that they will do a refund.

dothebeats
February 10, 2022, 09:58:02 PM
 #6

2.- Prime dice
Some years ago this casino got an update where each time you made a withdrawal you got back 0.0001... so if the min withdrawal was 0.001 then you could earn easy money with this. I deposited 0.1 BTC to my account, then sent a tip of 0.001 to a second account and withdrew it. I got 0.0001 back, then I sent another 0.001 tip and now withdrew 0.0011, I got back 0.0001, and I repeated the process a lot of times. Before I finished with the starting 0.1, the site blocked my account with close to 0.03 on it, and I never recovered that money. I was just getting information to report the bug, but for them I abused the system and they never gave me my money back.

It was a long time ago, and they did the right thing; even if I was about to report the bug, I should have done it from the start when I detected the bug and not after exploiting it, so it was my fault.

I remember this. This was in 2015 or 2016 IIRC. The exploit only lasted for a couple of days before they patched it up. I didn't have the energy to create multiple accounts back then in order to take advantage of this bug in their system. Good thing they patched it quickly, right before anyone else could abuse it hard.

3.- No confirmation sites.
Any site that allows you to gamble with unconfirmed coins is vulnerable to a double-spend attack. People could wager their balance and, if they win, wait for the transaction to confirm, and if they lose they could make a double spend; that's a known vulnerability.

This one I don't think any service or platform still implements nowadays. The minimum that gambling platforms require before the balance appears on the account is one confirmation, and that is enough to protect them from double-spending accounts for the meantime.

There is also a certain casino (betcoin.tm, now down due to scams) wherein their slots have this predictable pattern that you can exploit and make lots of money with. It may not be a vulnerability, but it's something people at the time could certainly exploit. I won around 1 BTC because of that game with a starting capital of 0.01 BTC.

Ryker1
February 10, 2022, 10:50:43 PM
 #7

Here's a similar scenario, but this one only talks about 35 BTC.
https://bitcointalk.org/index.php?topic=1340581.0
Well, as a continuation, this hacker also hacked Primedice before and got 1000 bitcoin profit on Primedice in part one, and in part 2 the hackers got 2000 bitcoin profit. This time will perhaps be the biggest profit they have got, and I don't know if the hacker was able to manage and withdraw the bitcoin successfully.
[ https://bitcointalk.org/index.php?topic=843892.0 ]
The account was named Hufflepuff on Primedice and povpobava007 on Rollin.io.









adzino
February 11, 2022, 12:12:53 AM
 #8

There were lots. Just dig through the forum and use Google, you will find some. The Primedice bug exploit was one of the notorious ones.

-snip-
Before I finished with the starting 0.1, the site blocked my account with close to 0.03 on it, and I never recovered that money. I was just getting information to report the bug, but for them I abused the system and they never gave me my money back.


I hope this information helps you in your development.
Most of the "bugs" you mentioned weren't actually bugs. A bug is something that gives an unexpected result. Claiming a faucet with multiple accounts and tipping it to another account isn't a bug. It's more like a feature abuse that you took advantage of. And yeah, they will obviously ban your account and won't listen to you. Why would they believe you? Imagine someone exploiting a bug on purpose and, when he gets caught, saying "I was just testing to make sure it's actually a bug"; would you believe him?

AicecreaME
February 11, 2022, 12:21:47 PM
 #9

There are so many vulnerabilities that have shown up on several websites already in the past. One of the most known vulnerabilities of a website is being abused by the players to the extent of gaining something from it by violating the terms and conditions. Just like what happened way back on Primedice, wherein they encountered a problem in their system that happened to give some sort of cashback whenever a withdrawal was made. Some recognized this and managed to make multiple withdrawals for the cashbacks. That is exploitation of a glitch, and therefore anyone must be banned because it could cause a disruption in the ecosystem of the game.

There are still many more, such as security and the like. This should really be prevented to avoid abuse from anyone. Hence I commend you for taking the time to ask and gather information to make something to prevent it from happening again. Hopefully you'll succeed and be able to share your discovery with us.
swogerino
February 11, 2022, 12:54:30 PM
 #10

I think that right now cybersecurity engineers are hired by most major casinos to do penetration testing, audit all the IT infrastructure and the whole website of the casino together with all related elements needed to make it a safe place. The major reputable casinos only launch after finishing these tests, and they do it regularly even when they are running, to assure themselves that they will not be easy targets for hackers or bad actors, which can range from script kiddies to state actors. When I deposit and play at one of such casinos I am free of worries that bad things will happen.

Lordofthering
February 11, 2022, 01:26:21 PM
 #11

There are still some weaknesses in the gambling sites, but what can be done about them? There is a lot of talk about cheating and arbitrage betting. Perhaps rightly so, but what can be done about it? That hassle with table tennis and cams, that does not make sites happy. And then with corona you also had a lot of competitions that were manipulated by the bookies. There are too many matches to monitor all of that in time.

The problem with all those vulnerabilities is that the bookie can cancel the results or even stop your withdrawal once they have this opportunity and let you know that you have used those weaknesses to win.
Saint-loup
February 11, 2022, 01:50:48 PM
 #12

Most of the casinos right now don't have exploits because they have done an audit on all their software before they can get their license. Most of the exploits are only minimal and not that serious compared to before, since most of the gambling software is just in the trial phase.

Only promotion and faucet abuse is the only known error encountered on the current established casinos.
You really think crypto casinos are doing audits to get their licenses? Most of them have no license at all, and the ones which have one usually bought it from some providers on Curaçao island or from other dubious offshore locations. In fact they are mostly concerned about their cyber security because they're afraid of being robbed by hackers while they are making good profits. But you're wrong: there are constantly loopholes discovered and exploited by legit users and malicious hackers in casino games.

Kakmakr
February 11, 2022, 02:04:14 PM
 #13

I reported a possible exploit in the slot game "Mount Magmas" - Push Gaming, where highrollers could exploit the way that the daily and Super Jackpot could be won with limited wagering. They disabled the game to patch up the exploit and to make it fair for everyone that is hunting these Jackpots.

It is a pity that it has been months since I reported this and there is no news on when it will be fixed and when it will be enabled again. This was one of my favorite slots ...and quite unique ..because the Jackpot was not accessible by a network of casinos that hosted the slot, but rather by the gamblers from that specific casino that hosted the slot. (Your chances of winning the Jackpot were so much bigger)

The casinos did not lose money, because the Jackpot would have paid out in any way, but people who knew what to do.. repeatedly won the Jackpot and other people had zero chance of winning it.

ayuskabob
February 11, 2022, 03:37:54 PM
 #14

There were previous instances where, besides this so-called race time condition, java web tokens were used to exploit these casinos. From what it seems, it's always the new ones, since the big ones already had their fair share of people trying to break into their systems and probably already fixed many of these issues.
ipanks
February 11, 2022, 03:46:17 PM
 #15

Most of the casinos right now don't have exploits because they have done an audit on all their software before they can get their license. Most of the exploits are only minimal and not that serious compared to before, since most of the gambling software is just in the trial phase.

Only promotion and faucet abuse is the only known error encountered on the current established casinos.
We cannot be sure because they will not announce how the exploit penetrated their system. The public will only know that their site has been compromised and hacked by someone and that it made the gambling site lose money.

Maybe the site does not know about the software, but their technicians and security team can detect if something wrong happens to their site. They even offer a bounty to the public or members to find bugs on their site and reward them based on how critical the bug they find is.

I do not know about the vulnerabilities in gambling websites in the past as I do not visit or play gambling too often. Maybe I only heard the gambling sites were hacked.



mardaed
February 11, 2022, 04:04:53 PM
 #16

There are still existing vulnerabilities in gambling websites to this day, but I believe they are not as notorious as before, and many occur only seldom and can be fixed immediately. Although, one thing I observed to be happening more frequently than the others is issues with regard to security and such, and like what @ayuskabob said, it is mainly the new ones. Maybe this is also a question of the capacity of the team to acquire the resources and services that could help them fill these vulnerabilities.
cwil
February 11, 2022, 05:18:16 PM
Last edit: February 12, 2022, 04:26:34 AM by cwil
 #17

This is a fun topic. I'm a security researcher and actively look for exploits in casinos and other crypto spaces daily. I can't give nonpublic details, but I can talk about some of the more common things I find.

The BitMillions exploit detailed here (https://bitcointalk.org/index.php?topic=386711.0) was publicly known for a few days before the site operator fixed it. Keno, lottery, and bingo games tend to be vulnerable to similar exploits.

Craps games from various operators are often vulnerable to two different but similar attacks sometimes seen in physical casinos. A large pass bet is placed on the come out roll and then picked up or significantly reduced if a point is set. Alternatively, a small don't pass bet is placed and then increased and odds laid depending on the point. For example, if the point is 4 you might increase your bet 100x while if it's 8 you might leave the bet alone. These types of slightly +EV rather than instant win exploits are among the most sought after for bad actors as they generally look like normal gameplay.

Games in which multiple bets are placed on a board like roulette or sicbo can often be exploited. A developer will perform a sanity check to see if a bet falls within its limits and this prevents a person from placing negative losing bets. The proper way to do this is to check that each individual bet falls within limits, but sometimes a developer will take the sum of all bets and make sure it's above some minimum. This means you could place a bet of -90 on 0, 50 on red, and 50 on black to usually make 90 units per bet. You might also lose 3340 units if the ball hits 0. There may be ways to mitigate or eliminate that downside, such as betting a negative on -1 instead of 0. Various casinos and development studios have been vulnerable to this.

Sports betting sites are not immune to exploits either. Odds on single events can sometimes be manipulated in favor of the operator, so not very useful, but parlays can sometimes be made with the same event multiple times.

The most dangerous exploits I've found are pf seed leaks. These come in a few flavors. In the early days of bitcoin, dice sites would often generate a file with multiple years' worth of daily seeds which were used site wide. The scheme here was hash(server seed + client seed + global bet number) to find the winning number. A popular dice site was vulnerable to a directory traversal attack which allowed the seed file to be read. As another example, there is a crash script available now that leaks the server seed whenever a player does a cash out. To exploit, a person sets up two accounts, one places the minimum bet and cashes out immediately, while the other places a large bet, waits for the cashout message of the first player, finds the outcome of the game from the leaked seed, and cashes out immediately before that point.
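
The sum-only limit check cwil describes above, beside a per-bet validator, run on the slip from the post. This is an added example, not code from the thread or from any casino; the table limits, spot names and function names are assumptions made for illustration.

```python
# Constructed board and limits for this example (not any site's real values).
VALID_SPOTS = {str(n) for n in range(37)} | {"red", "black", "odd", "even", "low", "high"}
MIN_BET, MAX_BET, TABLE_MAX = 1, 1_000, 5_000


def validate_sum_only(slip):
    """Flawed check described in the post: only the sum of all bets is tested."""
    return sum(bet["amount"] for bet in slip) >= MIN_BET


def validate_each_bet(slip):
    """Hardened check. Returns a list of problems; an empty list means accept."""
    if not isinstance(slip, list) or not slip:
        return ["slip must be a non-empty list of bets"]
    errors, per_spot = [], {}
    for i, bet in enumerate(slip):
        if not isinstance(bet, dict):
            errors.append(f"bet {i}: not an object")
            continue
        spot, amount = bet.get("spot"), bet.get("amount")
        # Whitelist the board position; "-1" or any other off-board spot is refused.
        if not isinstance(spot, str) or spot not in VALID_SPOTS:
            errors.append(f"bet {i}: unknown spot {spot!r}")
            continue
        # Integers only: bool is an int subclass, and a float NaN passes
        # naive "amount < MIN or amount > MAX" range tests.
        if isinstance(amount, bool) or not isinstance(amount, int):
            errors.append(f"bet {i}: amount must be an integer")
            continue
        if amount < MIN_BET:
            errors.append(f"bet {i}: amount {amount} is below the minimum {MIN_BET}")
            continue
        per_spot[spot] = per_spot.get(spot, 0) + amount
    # Upper limits apply per spot after merging duplicates, then to the whole slip.
    for spot, staked in per_spot.items():
        if staked > MAX_BET:
            errors.append(f"spot {spot}: {staked} exceeds the per-bet maximum {MAX_BET}")
    if sum(per_spot.values()) > TABLE_MAX:
        errors.append(f"total stake exceeds the table maximum {TABLE_MAX}")
    return errors


# Constructed slips. The first is the one from the post; the second is its "-1" variant.
SLIP_FROM_POST = [{"spot": "0", "amount": -90},
                  {"spot": "red", "amount": 50},
                  {"spot": "black", "amount": 50}]
SLIP_OFF_BOARD = [{"spot": "-1", "amount": -90},
                  {"spot": "red", "amount": 50},
                  {"spot": "black", "amount": 50}]
SLIP_SPLIT = [{"spot": "17", "amount": 600}, {"spot": "17", "amount": 600}]
SLIP_OK = [{"spot": "17", "amount": 10}, {"spot": "red", "amount": 50}]

if __name__ == "__main__":
    for name, slip in [("from post", SLIP_FROM_POST), ("off board", SLIP_OFF_BOARD),
                       ("split", SLIP_SPLIT), ("ok", SLIP_OK)]:
        print(name, "| sum-only accepts:", validate_sum_only(slip),
              "| per-bet errors:", validate_each_bet(slip))
```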
fiulpro
February 11, 2022, 06:28:20 PM
 #18

We have to understand the fact that it's not just about bugs but generally people abuse these bugs as well. There are many people who will try to do it using an external software or just use the already existing glitches. But we must understand the fact that these bug abuses won't really make you rich and you might even have legal charges against you. 

I think if you are going through with it you must focus more on the software induced bugs, which generally is due to the software provider.

There have been so many bugs over time. An example:
Quote
One of such examples is the scandal that took place in Videoslots casino in June 2019.

At that time, due to some technical error, Edict slots had been crediting winnings without deducting wager amounts from players’ balances before the bug was found. It took the operator 48 hours to realize there’s a problem. Meanwhile, players enjoyed absolutely risk free gambling and real money payouts.


https://affgambler.com/casino-bugs-real-life-cases-and-operators-reaction/

Silberman
February 11, 2022, 08:23:54 PM
 #19

Here's a similar scenario, but this one only talks about 35 BTC.
https://bitcointalk.org/index.php?topic=1340581.0

It was on Rollin.io, which is already dead or down as of this moment. Nothing in this world is unhackable, no matter how tough the security would be.

But in the case of the casino, once it's hacked that's the end of that casino. Only big casinos offer refunds or protect their players' money, compared to exchanges where they can do a refund and insure their traders' money; I don't think there's the same guarantee that they can offer that they will do a refund.
I think the main reason why casinos fail after a big hack is that they lose the trust of their customers. Even if there was a big hack, as long as a business still retained its customers somehow, then a path to recovery exists; but many players, when they see that their preferred casino has been hacked, even if they were not affected, are going to be reluctant to play there anymore, which causes casinos to definitely close their doors.
milewilda
February 11, 2022, 09:41:08 PM
 #20

Here's a similar scenario, but this one only talks about 35 BTC.
https://bitcointalk.org/index.php?topic=1340581.0

It was on Rollin.io, which is already dead or down as of this moment. Nothing in this world is unhackable, no matter how tough the security would be.

But in the case of the casino, once it's hacked that's the end of that casino. Only big casinos offer refunds or protect their players' money, compared to exchanges where they can do a refund and insure their traders' money; I don't think there's the same guarantee that they can offer that they will do a refund.
I think the main reason why casinos fail after a big hack is that they lose the trust of their customers. Even if there was a big hack, as long as a business still retained its customers somehow, then a path to recovery exists; but many players, when they see that their preferred casino has been hacked, even if they were not affected, are going to be reluctant to play there anymore, which causes casinos to definitely close their doors.
Once trust and confidence are broken, there's no way that they could be returned or recovered, and this is the part of reality on which people would normally have those kinds of insights after an incident happens, because it is really just part of human instinct to find a place that is more secure than the recent one they were engaging with, so it's a normal step for them to find another place which doesn't really have hacking incidents or histories. They don't like to experience the same thing twice. It's true that getting hacked once doesn't mean that their security wouldn't be improved, but in most cases the most common impression would be something contradictory.
