Investigating the Bustabit.com API

[wunderwaffe]

In case you're as interested as I am about Bustabit, and the Bustabit API, I invite you to read the medium blog post I just made, where I disclose all the results of my research: https://medium.com/@biscofficecream/investigating-the-bustabit-api-and-all-of-its-mysteries-4f285fee0e5a

(if you don't know Bustabit, it's a behemoth of a Bitcoin gambling website that has generated billions in USD in revenue purely off promotion received from Bitcointalk)

[TryNinja]

Interesting read.

Out of curiosity, what would be the next step for you if you managed to access the ws endpoint off the client?

[wunderwaffe]

Interesting read.

Out of curiosity, what would be the next step for you if you managed to access the ws endpoint off the client?

Thank you! If I was able to access the WS endpoint off the client, the first thing I'd do is start looking for bugs. They have a great bug bounty program 

[BattleDog]

This was great. The FlatBuffers sniff + raw WS decode was smooth.

Two add-ons from the trenches: You don't have to RE to automate, Bustabit ships a client-side "autobet" API in JS. Subscribe to GAME_STARTING, call engine.bet() / engine.cashOut(), read userInfo, and use the built-in provably-fair helpers (gameResultFromHash / ...Signature) to verify rolls. It's the safest supported path for bots.

Their v1 server and web client are open on GitHub. Different era (Node+WS, pre-FlatBuffers) but it shows the original crash architecture and is a solid blueprint if you want to tinker or build your own.

All-in-all good job on the write‑up. Looking forward to seeing if you find anything else interesting, especially around how they obfuscate the index-0e8b0ebf.js functions.