Bitcoin Forum
Author Topic: bustabit.com -- The Social Gambling Game  (Read 293505 times)
caga
Full Member
***
Offline Offline

Activity: 238
Merit: 100

www.secondstrade.com - 190% return Binary option


View Profile
November 30, 2014, 02:06:31 AM
 #801

Foo has provided me with his exploit code:

http://privatepaste.com/164b29a720
http://privatepaste.com/9c14190b93
http://privatepaste.com/f4ebeb9b19


Highly impressive stuff! Hats off to you foo!

How is the code exploitive? I am new to this like a lot of others too.

RHavar
Legendary
*
Offline Offline

Activity: 2557
Merit: 1886



View Profile
November 30, 2014, 02:30:30 AM
 #802

How is the code exploitive? I am new to this like a lot of others too.

It requires quite an in-depth understanding of moneypot source to understand. But the high level of it is that money pot's game_end event was leaking information (or more precisely the lack of money pot's game_end event) which could be abused by taking advantage of dynamically moving the autocashout amounts (something that is now disabled).

Because it was so timing sensitive, the code had to be rather complex taking into consideration network latency to decide how and when to act.

Check out gamblingsitefinder.com for a decent list/rankings of crypto casinos. Note: I have no affiliation or interest in it, and don't even agree with all the rankings ... but it's the only uncorrupted review site I'm aware of.
dooglus
Legendary
*
Offline Offline

Activity: 2940
Merit: 1330



View Profile
November 30, 2014, 02:46:08 AM
Last edit: November 30, 2014, 04:17:30 AM by dooglus
 #803

How is the code exploitive? I am new to this like a lot of others too.

It requires quite an in-depth understanding of moneypot source to understand. But the high level of it is that money pot's game_end event was leaking information (or more precisely the lack of money pot's game_end event) which could be abused by taking advantage of dynamically moving the autocashout amounts (something that is now disabled).

Because it was so timing sensitive, the code had to be rather complex taking into consideration network latency to decide how and when to act.

Let me see if I can explain it differently.

As a round progresses, the server sends regular 'tick' messages to the client, saying:

"1.10x and the game didn't crash yet",
"1.20x and the game didn't crash yet",
etc.
and the client fills in the gaps in between, making the number count up smoothly, animating the chart, etc.

The exploit code would set the auto-cashout at 1.11x, and wait for a short time. Just before the "1.20x and ..." message was due, it would update its auto-cashout to 1.21x, and so on. It was changing the auto-cashout just before each 'tick' was due, changing the auto-cashout to just after the next tick's multiplier.

When the game eventually crashed (at 1.27x, say), the server would check the auto-cashout, see that foo had his set to 1.21x, and pay him accordingly.

The problem is that the server only checks for auto-cashout points at each tick. If you have one set at 1.11x, it doesn't get paid out until the next tick (because there is really nothing between the ticks - the steady payout multiplier increase is an illusion presented by the client), at 1.20x. So you could move it up to 1.21x just before that tick.

The fix is to prevent players from changing their auto-cashout point. That's not a problem because the feature was never published anyway. You would never have even known there was the possibility of changing your auto-cashout point mid game unless you had read the source code.

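Added example, not part of the thread and not moneypot's source: a minimal JavaScript model of the tick-only auto-cashout check dooglus describes, run once with mid-round changes allowed and once with the fix (auto-cashout locked when the round starts). The `Round` class, the `replay` helper, the player names and the crash points are all hypothetical; events are placed in logical order and network timing is not modelled.

```javascript
// Constructed model of a tick-driven crash round. All names are hypothetical.
// Multipliers are integers in hundredths (121 means 1.21x) so comparisons are exact.
class Round {
  constructor(crashAt, lockAutoCashout) {
    this.crashAt = crashAt;                 // point at which the round ends
    this.lockAutoCashout = lockAutoCashout; // true = the fix described in the thread
    this.started = false;
    this.players = new Map();               // name -> { auto, paidAt }
  }

  join(name, auto) {
    this.players.set(name, { auto, paidAt: null });
  }

  start() {
    this.started = true;
  }

  // Returns false when the change is refused.
  setAutoCashout(name, auto) {
    if (this.started && this.lockAutoCashout) return false;
    this.players.get(name).auto = auto;
    return true;
  }

  // Auto-cashouts are evaluated only here, at a tick or at the end of the
  // round. Nothing is checked between ticks.
  settleUpTo(multiplier) {
    for (const p of this.players.values()) {
      if (p.paidAt === null && p.auto <= multiplier) p.paidAt = p.auto;
    }
  }

  tick(multiplier) { this.settleUpTo(multiplier); }
  end() { this.settleUpTo(this.crashAt); }
}

// Replays the request order from the post for one round with ticks every 0.10x.
// 'mover' keeps its auto-cashout just above the next tick; 'fixed' is an
// ordinary player who chose 1.21x before the round and never changes it.
function replay(crashAt, lockAutoCashout) {
  const round = new Round(crashAt, lockAutoCashout);
  round.join('mover', 111);
  round.join('fixed', 121);
  round.start();
  let refused = 0;
  for (let t = 110; t < crashAt; t += 10) {
    // Change request arriving between two ticks (latency not modelled).
    if (t > 110 && !round.setAutoCashout('mover', t + 1)) refused++;
    round.tick(t);
  }
  round.end();
  return {
    mover: round.players.get('mover').paidAt, // null means the bet was lost
    fixed: round.players.get('fixed').paidAt,
    refused,
  };
}

// Constructed crash points: 1.15x, 1.27x (the post's example) and 2.57x.
for (const crashAt of [115, 127, 257]) {
  console.log(crashAt, 'mutable:', replay(crashAt, false), 'locked:', replay(crashAt, true));
}
```

With changes allowed, the moving player is paid in every round that survives the first tick, while the fixed player loses the 1.15x round; with the lock, the moving player is simply cashed out at 1.11x on the next tick.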
RHavar
Legendary
*
Offline Offline

Activity: 2557
Merit: 1886



View Profile
November 30, 2014, 02:56:59 AM
 #804

Great explanation, as always, Dooglus. The only thing missing is adding that one reason for the complexity in the exploit was that the game ticks are scheduled using a setTimeout after the last game tick, as opposed to on fixed intervals or at particular game multipliers. When enough people cash out at a particular point in time, it actually makes an extremely large (~50ms?) impact on the game tick. Since it's using non-blocking IO, I'm not quite sure why this is. But regardless there's quite a bit of work involved in just figuring out when the game ticks will run to be able to abuse the exploit.

I'm really impressed by the person who abused this bug. Not only due to the complexity of the exploit, but the fact he only took 5 of the 25 BTC in the hot wallet. He likely could have slowly abused the bug leading to the eventual shutdown of MP, but instead was a class act. I'm really thankful for that and working on better security measures so I won't need to rely on the kindness of strangers as much.

dooglus
Legendary
*
Offline Offline

Activity: 2940
Merit: 1330



View Profile
November 30, 2014, 04:22:23 AM
 #805

I'm really impressed by the person who abused this bug. Not only due to the complexity of the exploit, but the fact he only took 5 of the 25 BTC in the hot wallet. He likely could have slowly abused the bug leading to the eventual shutdown of MP, but instead was a class act. I'm really thankful for that and working on better security measures so I won't need to rely on the kindness of strangers as much.

He probably still has most of the 1000 BTC he took from primedice...  Wink

dooglus
Legendary
*
Offline Offline

Activity: 2940
Merit: 1330



View Profile
November 30, 2014, 04:32:37 AM
 #806


He probably still has most of the 1000 BTC he took from primedice...  Wink

Sounds as if this is sort of a suggestion on who it is.  Did you recently learn linear regression?

Lol, no. I used to play with it on my old Casino programmable calculator in school, but not since.

I figure that there have been two clever attacks on Bitcoin gambling sites very recently, and figure it's not all that unlikely that the same person is behind them both.

caga
Full Member
***
Offline Offline

Activity: 238
Merit: 100

www.secondstrade.com - 190% return Binary option


View Profile
November 30, 2014, 03:55:21 PM
 #807

How is the code exploitive? I am new to this like a lot of others too.

It requires quite an in-depth understanding of moneypot source to understand. But the high level of it is that money pot's game_end event was leaking information (or more precisely the lack of money pot's game_end event) which could be abused by taking advantage of dynamically moving the autocashout amounts (something that is now disabled).

Because it was so timing sensitive, the code had to be rather complex taking into consideration network latency to decide how and when to act.

Let me see if I can explain it differently.

As a round progresses, the server sends regular 'tick' messages to the client, saying:

"1.10x and the game didn't crash yet",
"1.20x and the game didn't crash yet",
etc.
and the client fills in the gaps in between, making the number count up smoothly, animating the chart, etc.

The exploit code would set the auto-cashout at 1.11x, and wait for a short time. Just before the "1.20x and ..." message was due, it would update its auto-cashout to 1.21x, and so on. It was changing the auto-cashout just before each 'tick' was due, changing the auto-cashout to just after the next tick's multiplier.

When the game eventually crashed (at 1.27x, say), the server would check the auto-cashout, see that foo had his set to 1.21x, and pay him accordingly.

The problem is that the server only checks for auto-cashout points at each tick. If you have one set at 1.11x, it doesn't get paid out until the next tick (because there is really nothing between the ticks - the steady payout multiplier increase is an illusion presented by the client), at 1.20x. So you could move it up to 1.21x just before that tick.

The fix is to prevent players from changing their auto-cashout point. That's not a problem because the feature was never published anyway. You would never have even known there was the possibility of changing your auto-cashout point mid game unless you had read the source code.

Thanks for the explanation. That sounds like a really clever method, and only an extremely smart coder would be able to pull it off.
Sometimes, when such smart people take your money, it doesn't feel bad Tongue

Magic Of Nigeria
Full Member
***
Offline Offline

Activity: 146
Merit: 100


View Profile
November 30, 2014, 06:43:37 PM
 #808

Moneypot is by far my favorite game to play when I have some extra bitcoins lying around. It's never a boring time at MoneyPot!

Testing123
Hero Member
*****
Offline Offline

Activity: 561
Merit: 500



View Profile
November 30, 2014, 06:53:12 PM
 #809


He probably still has most of the 1000 BTC he took from primedice...  Wink

Sounds as if this is sort of a suggestion on who it is.  Did you recently learn linear regression?

Lol, no. I used to play with it on my old Casino programmable calculator in school, but not since.

I figure that there have been two clever attacks on Bitcoin gambling sites very recently, and figure it's not all that unlikely that the same person is behind them both.

Wasn't the attacker on PD only able to withdraw 40 btc before his misbehavior was noticed and all his other withdrawals were blocked?

dooglus
Legendary
*
Offline Offline

Activity: 2940
Merit: 1330



View Profile
November 30, 2014, 09:06:49 PM
 #810

Wasn't the attacker on PD only able to withdraw 40 btc before his misbehavior was noticed and all his other withdrawals were blocked?

On the account where he was obvious about it, sure.

I wonder if he had other accounts that he used before that, where he won a bunch in a less obvious way?

BayAreaCoins
Legendary
*
Offline Offline

Activity: 3920
Merit: 1248


Owner at AltQuick.com & FreeBitcoins.com


View Profile WWW
November 30, 2014, 09:39:29 PM
 #811

Wasn't the attacker on PD only able to withdraw 40 btc before his misbehavior was noticed and all his other withdrawals were blocked?

On the account where he was obvious about it, sure.

I wonder if he had other accounts that he used before that, where he won a bunch in a less obvious way?

Which is sort of funny cause I believe PD had a big winner before the "hack".

Someone told me IRL "Did you hear about that big winner on PD?!"

https://AltQuick.com/exchange/ - Trade altcoins & Bitcoin Testnet coins with real Bitcoin. Fast, private, and easy!
https://FreeBitcoins.com/faucet/ - Load your AltQuick exchange account with free Bitcoins & Testnet every 10 minutes.
blockage
Member
**
Offline Offline

Activity: 100
Merit: 10

Vires in numeris.


View Profile
November 30, 2014, 10:50:37 PM
 #812

Wasn't the attacker on PD only able to withdraw 40 btc before his misbehavior was noticed and all his other withdrawals were blocked?

On the account where he was obvious about it, sure.

I wonder if he had other accounts that he used before that, where he won a bunch in a less obvious way?

Which is sort of funny cause I believe PD had a big winner before the "hack".

Someone told me IRL "Did you hear about that big winner on PD?!"


Is that about hufflepuff? Was it a confirmed hack or just Stunna being butthurt searching for explanations? Do you have a link to the topic, so that I don't have to go through tons of spam in the PD thread?

calci
Full Member
***
Offline Offline

Activity: 168
Merit: 100

www.secondstrade.com - 190% return Binary option


View Profile
November 30, 2014, 10:52:24 PM
 #813

Wasn't the attacker on PD only able to withdraw 40 btc before his misbehavior was noticed and all his other withdrawals were blocked?

On the account where he was obvious about it, sure.

I wonder if he had other accounts that he used before that, where he won a bunch in a less obvious way?
The way that guy acted out, making straight flat bets at 50% and winning like 100 times, was probably his way to reveal the bug or show that he had hacked the system. I don't think someone who could have found the flaw would make such bets. He probably hit PD before that Big time.
FirestarterX
Member
**
Offline Offline

Activity: 109
Merit: 10


View Profile
December 01, 2014, 12:33:54 AM
 #814

Wasn't the attacker on PD only able to withdraw 40 btc before his misbehavior was noticed and all his other withdrawals were blocked?

On the account where he was obvious about it, sure.

I wonder if he had other accounts that he used before that, where he won a bunch in a less obvious way?
The way that guy acted out, making straight flat bets at 50% and winning like 100 times, was probably his way to reveal the bug or show that he had hacked the system. I don't think someone who could have found the flaw would make such bets. He probably hit PD before that Big time.
Why are we talking about PD on the MoneyPot thread?
BayAreaCoins
Legendary
*
Offline Offline

Activity: 3920
Merit: 1248


Owner at AltQuick.com & FreeBitcoins.com


View Profile WWW
December 01, 2014, 04:08:12 AM
Last edit: December 01, 2014, 04:18:52 AM by BayAreaCoins
 #815

Wasn't the attacker on PD only able to withdraw 40 btc before his misbehavior was noticed and all his other withdrawals were blocked?

On the account where he was obvious about it, sure.

I wonder if he had other accounts that he used before that, where he won a bunch in a less obvious way?
The way that guy acted out, making straight flat bets at 50% and winning like 100 times, was probably his way to reveal the bug or show that he had hacked the system. I don't think someone who could have found the flaw would make such bets. He probably hit PD before that Big time.
Why are we talking about PD on the MoneyPot thread?

Speculating there is a chance that it is the same dude.  Both pretty bright attacks n such.

FirestarterX
Member
**
Offline Offline

Activity: 109
Merit: 10


View Profile
December 01, 2014, 04:50:28 AM
 #816

Wasn't the attacker on PD only able to withdraw 40 btc before his misbehavior was noticed and all his other withdrawals were blocked?

On the account where he was obvious about it, sure.

I wonder if he had other accounts that he used before that, where he won a bunch in a less obvious way?
The way that guy acted out, making straight flat bets at 50% and winning like 100 times, was probably his way to reveal the bug or show that he had hacked the system. I don't think someone who could have found the flaw would make such bets. He probably hit PD before that Big time.
Why are we talking about PD on the MoneyPot thread?

Speculating there is a chance that it is the same dude.  Both pretty bright attacks n such.
I see.
myohmy81
Sr. Member
****
Offline Offline

Activity: 462
Merit: 251


View Profile
December 01, 2014, 05:43:47 AM
 #817

very interesting Grin

really great site!
4ever
Full Member
***
Offline Offline

Activity: 140
Merit: 100


View Profile
December 01, 2014, 08:56:49 PM
 #818

Wasn't the attacker on PD only able to withdraw 40 btc before his misbehavior was noticed and all his other withdrawals were blocked?

On the account where he was obvious about it, sure.

I wonder if he had other accounts that he used before that, where he won a bunch in a less obvious way?
The way that guy acted out, making straight flat bets at 50% and winning like 100 times, was probably his way to reveal the bug or show that he had hacked the system. I don't think someone who could have found the flaw would make such bets. He probably hit PD before that Big time.
Why are we talking about PD on the MoneyPot thread?

Speculating there is a chance that it is the same dude.  Both pretty bright attacks n such.

What was the attack on PD? Was it the guy who flat bet many bets and won?

dooglus
Legendary
*
Offline Offline

Activity: 2940
Merit: 1330



View Profile
December 01, 2014, 10:47:49 PM
 #819

What was the attack on PD? Was it the guy who flat bet many bets and won?

Apparently somebody was able to gain access to their server seed, so they could know what their rolls would be before they rolled.

As I remember, he won over 100 max bets in a row at 49.5%, and was able to withdraw 40 BTC before being caught.

There are screenshots on the PD thread - go back a couple of weeks I guess.

Edit:

something like 150 wins in a row  Shocked Shocked Shocked Shocked Shocked




Hacked? Or admins having some fun with a gag  Cheesy

J3VVL
Newbie
*
Offline Offline

Activity: 28
Merit: 0


View Profile
December 02, 2014, 04:55:14 PM
Last edit: December 02, 2014, 05:22:06 PM by J3VVL
 #820

Uh, take a look at this guy's chart. It seems to me that he's cheating. Ryan might want to investigate this.

https://www.moneypot.com/user/foo

https://www.moneypot.com/user/foo

The page you are looking for doesn't exist...



^hmmmm


*edit* wow I see now