Hi Bitcointalk,
Researching this problem, I noticed a lot of complaints on this board about provably fair games at casinos. I've spent the last few months building an independent audit framework for them. Sharing it here because this board will have opinions worth hearing.
The problem: most crypto casinos build their own games and the verifier players use to check them. When you verify a bet, you're checking the casino's verifier against the casino's game: same authors, same assumptions. They agree, but that only proves internal consistency, not that the live game does what the casino publicly claims.
That gap isn't hypothetical. Seen in the last six months, all marketed as provably fair and all passing the operator's own verification:
- A pay table changed silently to lower RTP, verifier updated to match.
- A client seed accepted by the API but never used in the outcome calculation.
- A server seed rotated every bet with the nonce held at zero, allowing unfavorable seeds to be pre-generated and discarded.
- A pre-committed hash swapped after the player submitted their seed.
- A verifier running entirely different code from the production game.
A self-verification system can't catch a problem its author built into both halves.
The approach: instead of re-running the casino's code (which only confirms self-consistency), we rebuild each game independently from its published spec and test the live game against it.
Per game:
- Capture thousands of real bets and recompute every outcome (100% must match, byte-for-byte, including intermediate state)
- Verify the full commit-reveal / seed-nonce chain
- Derive RTP from first principles and validate via large-scale simulation
- Run an adversarial integrity battery against the API
Every audit ships as an open-source repo: dataset, simulation code, and full verification suite. Anyone can clone it and reproduce every finding. It's runnable code, not a PDF asking you to trust a conclusion. First casino audited is Duel.com (10 games).
Methodology: https://www.provablyfair.org/methodology
First Audit Repos / dashboard: https://audit.provablyfair.org/casino/duel/
We are new, but audits of a couple of other casinos are currently in progress; we will have more published soon.
A few questions I expect, answered up front:
Who pays you, and isn't that a conflict of interest? The casino pays, same as any auditor or testing lab. But we can't soften or fabricate a result, because it's all open source: anyone can clone the audit and reproduce the findings themselves. The fee is the same whether a game passes or fails, and findings publish either way. You don't take our word for it, you check it.
Why should we trust the audits? You shouldn't have to. Every audit is runnable code with the full dataset, simulation, and verification suite published. You don't trust the conclusion; you clone the repo and reproduce it yourself.
If a casino fails, do players find out? Yes. Every audit publishes whatever it finds; the casino doesn't get to see the result and then decide whether it's released. Implementation bugs found and fixed are recorded with their resolution; an unresolved fairness problem is reflected in the verdict and published.
Two things I'd be interested in this board's take on:
1. Is the audit readable enough for an actual player? This is a deep technical audit, and making it both technically rigorous and accessible to a normal player is genuinely hard. Each audit has plain-English summaries alongside the technical sections. If you look at one, I'd like to know whether a non-technical player could actually follow what was verified and what it means for them, or whether it's still engineers writing for engineers.
2. Technical criticism is welcome, and worth something. If you find a genuine flaw (a gap in the methodology, an attack that passes the checks, an error in an audit) and we end up implementing your fix, I'm happy to pay a bounty for it. Tell me what you find.
Happy to answer anything else in the thread.
Thanks,
ProvablyFair Team
Discussion on X:
https://x.com/provablyfairorg/status/2064736658231378354?s=20
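As an added example, and not ProvablyFair's audit code or any casino's verifier: the checks the post lists (commit-reveal, outcome recompute, seed-nonce chain, and the "client seed ignored" / "seed rotated with nonce 0" / "commitment swapped" failure modes) written out for a hypothetical dice game. The spec it verifies against is assumed for the example: commitment = SHA-256(server_seed), roll = first 4 bytes of HMAC-SHA256(key=server_seed, msg="client_seed:nonce") mod 10000. The function names and the sample bets are constructed, not captured from any casino.

```python
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass

RANGE = 10_000  # assumed spec: roll is in 0..9999


@dataclass(frozen=True)
class Bet:
    commitment: str   # hash the operator published before the bet
    server_seed: str  # server seed revealed after rotation
    client_seed: str  # seed the player submitted
    nonce: int        # per-server-seed bet counter
    roll: int         # outcome the operator reported


def commitment_of(server_seed: str) -> str:
    """Assumed spec: the pre-commitment is SHA-256 of the server seed."""
    return hashlib.sha256(server_seed.encode()).hexdigest()


def roll_from(server_seed: str, client_seed: str, nonce: int) -> int:
    """Assumed spec: HMAC-SHA256(server_seed, 'client:nonce'), first 4 bytes mod RANGE."""
    msg = f"{client_seed}:{nonce}".encode()
    mac = hmac.new(server_seed.encode(), msg, hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big") % RANGE


def audit(bets: list[Bet]) -> list[str]:
    """Re-derive every bet from the spec and return a list of findings (empty = clean)."""
    findings: list[str] = []
    next_nonce: dict[str, int] = {}        # server_seed -> nonce expected next
    seen_commitment: dict[str, str] = {}   # server_seed -> commitment first seen with it
    for i, b in enumerate(bets):
        # 1. commit-reveal: the revealed seed must hash to what was committed
        if commitment_of(b.server_seed) != b.commitment:
            findings.append(f"bet {i}: revealed server seed does not match pre-committed hash")
        # 2. the commitment must not change while the same server seed is in use
        if seen_commitment.setdefault(b.server_seed, b.commitment) != b.commitment:
            findings.append(f"bet {i}: commitment changed mid-seed (hash swapped)")
        # 3. independent outcome recompute, with a diagnosis for the ignored-client-seed case
        expected = roll_from(b.server_seed, b.client_seed, b.nonce)
        if b.roll != expected:
            if b.roll == roll_from(b.server_seed, "", b.nonce):
                findings.append(f"bet {i}: roll matches computation with empty client seed (client seed ignored)")
            else:
                findings.append(f"bet {i}: reported roll {b.roll} != recomputed {expected}")
        # 4. nonce chain: strictly sequential per server seed, starting at 0
        want = next_nonce.get(b.server_seed, 0)
        if b.nonce != want:
            findings.append(f"bet {i}: nonce {b.nonce}, expected {want} for this server seed")
        next_nonce[b.server_seed] = b.nonce + 1
    # 5. a fresh seed for every bet with nonce pinned at 0 lets the operator
    #    generate seeds, preview the roll, and discard unfavourable ones
    if len(bets) > 1 and all(b.nonce == 0 for b in bets) and len(next_nonce) == len(bets):
        findings.append("server seed rotated on every bet with nonce held at 0 (seed cherry-picking possible)")
    return findings


def make_bets(server_seed: str, client_seed: str, n: int) -> list[Bet]:
    """Constructed honest bets that follow the assumed spec exactly."""
    c = commitment_of(server_seed)
    return [Bet(c, server_seed, client_seed, k, roll_from(server_seed, client_seed, k)) for k in range(n)]


# Constructed sample datasets (not real casino data).
HONEST = make_bets("srv-seed-1", "player-seed", 5)

# Client seed accepted by the API but never used: outcome computed with an empty client seed.
IGNORED = [Bet(b.commitment, b.server_seed, b.client_seed, b.nonce,
               roll_from(b.server_seed, "", b.nonce)) for b in HONEST]

# Fresh server seed on every bet, nonce pinned at 0.
ROTATED = [make_bets(f"srv-seed-{k}", "player-seed", 1)[0] for k in range(5)]

# Commitment replaced after the player's seed was submitted.
SWAPPED = HONEST[:2] + [Bet(commitment_of("other-seed"), b.server_seed, b.client_seed, b.nonce, b.roll)
                        for b in HONEST[2:]]

if __name__ == "__main__":
    for name, data in [("honest", HONEST), ("ignored", IGNORED), ("rotated", ROTATED), ("swapped", SWAPPED)]:
        print(name, audit(data) or ["clean"])
```

The recompute in step 3 is the part a casino-supplied verifier cannot substitute for: it derives the roll from the published spec, not from the operator's code, so a verifier that was quietly updated to match a changed game still disagrees with it. Step 5 is a pattern check over the whole capture rather than a per-bet check, which is why it needs thousands of real bets rather than a single spot-check.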