caga
Full Member
Offline
Activity: 238
Merit: 100
www.secondstrade.com - 190% return Binary option
|
|
November 30, 2014, 02:06:31 AM |
|
How is the code exploitive? I am new to this like a lot of others too.
|
|
|
|
RHavar
Legendary
Offline
Activity: 2557
Merit: 1886
|
|
November 30, 2014, 02:30:30 AM |
|
How is the code exploitive? I am new to this like a lot of others too.
It requires quite an in-depth understanding of moneypot source to understand. But the high level of it is that money pot's game_end event was leaking information (or more precisely the lack of money pot's game_end event) which could be abused by taking advantage of dynamically moving the autocashout amounts (something that is now disabled). Because it was so timing sensitive, the code had to be rather complex taking into consideration network latency to decide how and when to act.
|
Check out gamblingsitefinder.com for a decent list/rankings of crypto casinos. Note: I have no affiliation or interest in it, and don't even agree with all the rankings ... but it's the only uncorrupted review site I'm aware of.
|
|
|
dooglus
Legendary
Offline
Activity: 2940
Merit: 1330
|
|
November 30, 2014, 02:46:08 AM Last edit: November 30, 2014, 04:17:30 AM by dooglus |
|
How is the code exploitive? I am new to this like a lot of others too.
It requires quite an in-depth understanding of moneypot source to understand. But the high level of it is that money pot's game_end event was leaking information (or more precisely the lack of money pot's game_end event) which could be abused by taking advantage of dynamically moving the autocashout amounts (something that is now disabled). Because it was so timing sensitive, the code had to be rather complex taking into consideration network latency to decide how and when to act. Let me see if I can explain it differently. As a round progresses, the server sends regular 'tick' messages to the client, saying: "1.10x and the game didn't crash yet", "1.20x and the game didn't crash yet", etc. and the client fills in the gaps in between, making the number count up smoothly, animating the chart, etc. The exploit code would set the auto-cashout at 1.11x, and wait for a short time. Just before the "1.20x and ..." message was due, it would update its auto-cashout to 1.21x, and so on. It was changing the auto-cashout just before each 'tick' was due, changing the auto-cashout to just after the next tick's multiplier. When the game eventually crashed (at 1.27x, say), the server would check the auto-cashout, see that foo had his set to 1.21x, and pay him accordingly. The problem is that the server only checks for auto-cashout points at each tick. If you have one set at 1.11x, it doesn't get paid out until the next tick (because there is really nothing between the ticks - the steady payout multiplier increase is an illusion presented by the client), at 1.20x. So you could move it up to 1.21x just before that tick. The fix is to prevent players from changing their auto-cashout point. That's not a problem because the feature was never published anyway. You would never have even known there was the possibility of changing your auto-cashout point mid game unless you had read the source code.
|
Just-Dice | ██ ██████████ ██████████████████ ██████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████ ██████████████ ██████ | Play or Invest | ██ ██████████ ██████████████████ ██████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████ ██████████████ ██████ | 1% House Edge |
|
|
|
RHavar
Legendary
Offline
Activity: 2557
Merit: 1886
|
|
November 30, 2014, 02:56:59 AM |
|
Great explanation, as always, Dooglus. The only thing missing is the adding that one reason for the complexity in the exploit was that the game ticks are scheduled using a setTimeout after the last game tick, as opposed to on fixed intervals or at particular game multipliers. When enough people cash out at a particular point in time, it actually makes an extremely large (~50ms?) impact on the game tick. Since it's using non-blocking IO, I'm not quite sure why this is. But regardless there's quite a bit of work involved in just figuring out when the game ticks will run to be able to abuse the exploit.
I'm really impressed by the person who abused this bug. Not only due to the complexity of the exploit, but the fact he only took 5 of the 25 BTC in the hot wallet. He likely could have slowly abused the bug leading the eventual shutdown of MP, but instead was a class act. I'm really thankful for that and working on better security measures so I won't need to rely on the kindness of strangers as much.
|
Check out gamblingsitefinder.com for a decent list/rankings of crypto casinos. Note: I have no affiliation or interest in it, and don't even agree with all the rankings ... but it's the only uncorrupted review site I'm aware of.
|
|
|
dooglus
Legendary
Offline
Activity: 2940
Merit: 1330
|
|
November 30, 2014, 04:22:23 AM |
|
I'm really impressed by the person who abused this bug. Not only due to the complexity of the exploit, but the fact he only took 5 of the 25 BTC in the hot wallet. He likely could have slowly abused the bug leading the eventual shutdown of MP, but instead was a class act. I'm really thankful for that and working on better security measures so I won't need to rely on the kindness of strangers as much.
He probably still has most of the 1000 BTC he took from primedice...
|
Just-Dice | ██ ██████████ ██████████████████ ██████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████ ██████████████ ██████ | Play or Invest | ██ ██████████ ██████████████████ ██████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████ ██████████████ ██████ | 1% House Edge |
|
|
|
dooglus
Legendary
Offline
Activity: 2940
Merit: 1330
|
|
November 30, 2014, 04:32:37 AM |
|
He probably still has most of the 1000 BTC he took from primedice... Sounds if this is sort of a suggestion on who it is. Did you recently learn linear regression? Lol, no. I used to play with it on my old Casino programmable calculator in school, but not since. I figure that there have been two clever attacks on Bitcoin gambling sites very recently, and figure it's not all that unlikely that the same person is behind them both.
|
Just-Dice | ██ ██████████ ██████████████████ ██████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████ ██████████████ ██████ | Play or Invest | ██ ██████████ ██████████████████ ██████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████ ██████████████ ██████ | 1% House Edge |
|
|
|
caga
Full Member
Offline
Activity: 238
Merit: 100
www.secondstrade.com - 190% return Binary option
|
|
November 30, 2014, 03:55:21 PM |
|
How is the code exploitive? I am new to this like a lot of others too.
It requires quite an in-depth understanding of moneypot source to understand. But the high level of it is that money pot's game_end event was leaking information (or more precisely the lack of money pot's game_end event) which could be abused by taking advantage of dynamically moving the autocashout amounts (something that is now disabled). Because it was so timing sensitive, the code had to be rather complex taking into consideration network latency to decide how and when to act. Let me see if I can explain it differently. As a round progresses, the server sends regular 'tick' messages to the client, saying: "1.10x and the game didn't crash yet", "1.20x and the game didn't crash yet", etc. and the client fills in the gaps in between, making the number count up smoothly, animating the chart, etc. The exploit code would set the auto-cashout at 1.11x, and wait for a short time. Just before the "1.20x and ..." message was due, it would update its auto-cashout to 1.21x, and so on. It was changing the auto-cashout just before each 'tick' was due, changing the auto-cashout to just after the next tick's multiplier. When the game eventually crashed (at 1.27x, say), the server would check the auto-cashout, see that foo had his set to 1.21x, and pay him accordingly. The problem is that the server only checks for auto-cashout points at each tick. If you have one set at 1.11x, it doesn't get paid out until the next tick (because there is really nothing between the ticks - the steady payout multiplier increase is an illusion presented by the client), at 1.20x. So you could move it up to 1.21x just before that tick. The fix is to prevent players from changing their auto-cashout point. That's not a problem because the feature was never published anyway. You would never have even known there was the possibility of changing your auto-cashout point mid game unless you had read the source code. Thanks for the explanation. That sounds like a really clever method, and only an extremely smart coder, would be able to pull it off. Sometime, when such smart people take your money , it doesn't feel bad
|
|
|
|
Magic Of Nigeria
|
|
November 30, 2014, 06:43:37 PM |
|
Moneypot is by far my favorite game to play when I have some extra bitcoins lying around. It's never a boring time at MoneyPot!
|
|
|
|
Testing123
|
|
November 30, 2014, 06:53:12 PM |
|
He probably still has most of the 1000 BTC he took from primedice... Sounds if this is sort of a suggestion on who it is. Did you recently learn linear regression? Lol, no. I used to play with it on my old Casino programmable calculator in school, but not since. I figure that there have been two clever attacks on Bitcoin gambling sites very recently, and figure it's not all that unlikely that the same person is behind them both. Wasn't the attacker on PD only able to withdraw 40 btc before his misbehavior was noticed and all his other withdrawals were blocked?
|
|
|
|
dooglus
Legendary
Offline
Activity: 2940
Merit: 1330
|
|
November 30, 2014, 09:06:49 PM |
|
Wasn't the attacker on PD only able to withdraw 40 btc before his misbehavior was noticed and all his other withdrawals were blocked?
On the account where he was obvious about it, sure. I wonder if he had other accounts that he used before that, where he won a bunch in a less obvious way?
|
Just-Dice | ██ ██████████ ██████████████████ ██████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████ ██████████████ ██████ | Play or Invest | ██ ██████████ ██████████████████ ██████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████ ██████████████ ██████ | 1% House Edge |
|
|
|
BayAreaCoins
Legendary
Offline
Activity: 3920
Merit: 1248
Owner at AltQuick.com & FreeBitcoins.com
|
|
November 30, 2014, 09:39:29 PM |
|
Wasn't the attacker on PD only able to withdraw 40 btc before his misbehavior was noticed and all his other withdrawals were blocked?
On the account where he was obvious about it, sure. I wonder if he had other accounts that he used before that, where he won a bunch in a less obvious way? Which is sort of funny cause I believe PD had a big winner before the "hack". Someone told me IRL "Did you hear about that big winner on PD?!"
|
|
|
|
blockage
Member
Offline
Activity: 100
Merit: 10
Vires in numeris.
|
|
November 30, 2014, 10:50:37 PM |
|
Wasn't the attacker on PD only able to withdraw 40 btc before his misbehavior was noticed and all his other withdrawals were blocked?
On the account where he was obvious about it, sure. I wonder if he had other accounts that he used before that, where he won a bunch in a less obvious way? Which is sort of funny cause I believe PD had a big winner before the "hack". Someone told me IRL "Did you hear about that big winner on PD?!" Is that about hufflepuff? Was it a confirmed hack or just Stunna being butthurt searching for explanations? Do you have a link to the topic, so that I don't have to go through tons of spam in the PD thread?
|
|
|
|
calci
Full Member
Offline
Activity: 168
Merit: 100
www.secondstrade.com - 190% return Binary option
|
|
November 30, 2014, 10:52:24 PM |
|
Wasn't the attacker on PD only able to withdraw 40 btc before his misbehavior was noticed and all his other withdrawals were blocked?
On the account where he was obvious about it, sure. I wonder if he had other accounts that he used before that, where he won a bunch in a less obvious way? The way that guy acted out , making straight flat bets at 50% and winning like 100 times, was probably his way to reveal the bug or show that he had hacked the system. I don't think, someone who could have found the flaw would make such bets. He probably hit PD before that Big time.
|
|
|
|
FirestarterX
Member
Offline
Activity: 109
Merit: 10
|
|
December 01, 2014, 12:33:54 AM |
|
Wasn't the attacker on PD only able to withdraw 40 btc before his misbehavior was noticed and all his other withdrawals were blocked?
On the account where he was obvious about it, sure. I wonder if he had other accounts that he used before that, where he won a bunch in a less obvious way? The way that guy acted out , making straight flat bets at 50% and winning like 100 times, was probably his way to reveal the bug or show that he had hacked the system. I don't think, someone who could have found the flaw would make such bets. He probably hit PD before that Big time. Why are we talking about PD on the MoneyPot thread?
|
|
|
|
BayAreaCoins
Legendary
Offline
Activity: 3920
Merit: 1248
Owner at AltQuick.com & FreeBitcoins.com
|
|
December 01, 2014, 04:08:12 AM Last edit: December 01, 2014, 04:18:52 AM by BayAreaCoins |
|
Wasn't the attacker on PD only able to withdraw 40 btc before his misbehavior was noticed and all his other withdrawals were blocked?
On the account where he was obvious about it, sure. I wonder if he had other accounts that he used before that, where he won a bunch in a less obvious way? The way that guy acted out , making straight flat bets at 50% and winning like 100 times, was probably his way to reveal the bug or show that he had hacked the system. I don't think, someone who could have found the flaw would make such bets. He probably hit PD before that Big time. Why are we talking about PD on the MoneyPot thread? Speculating there is a chance that is is the same dude. Both pretty bright attacks n such.
|
|
|
|
FirestarterX
Member
Offline
Activity: 109
Merit: 10
|
|
December 01, 2014, 04:50:28 AM |
|
Wasn't the attacker on PD only able to withdraw 40 btc before his misbehavior was noticed and all his other withdrawals were blocked?
On the account where he was obvious about it, sure. I wonder if he had other accounts that he used before that, where he won a bunch in a less obvious way? The way that guy acted out , making straight flat bets at 50% and winning like 100 times, was probably his way to reveal the bug or show that he had hacked the system. I don't think, someone who could have found the flaw would make such bets. He probably hit PD before that Big time. Why are we talking about PD on the MoneyPot thread? Speculating there is a chance that is is the same dude. Both pretty bright attacks n such. I see.
|
|
|
|
myohmy81
|
|
December 01, 2014, 05:43:47 AM |
|
very interestiong really greate site!
|
|
|
|
4ever
|
|
December 01, 2014, 08:56:49 PM |
|
Wasn't the attacker on PD only able to withdraw 40 btc before his misbehavior was noticed and all his other withdrawals were blocked?
On the account where he was obvious about it, sure. I wonder if he had other accounts that he used before that, where he won a bunch in a less obvious way? The way that guy acted out , making straight flat bets at 50% and winning like 100 times, was probably his way to reveal the bug or show that he had hacked the system. I don't think, someone who could have found the flaw would make such bets. He probably hit PD before that Big time. Why are we talking about PD on the MoneyPot thread? Speculating there is a chance that is is the same dude. Both pretty bright attacks n such. What was the attack on PD? Was it the guy who flat bet many bets and won.?
|
|
|
|
dooglus
Legendary
Offline
Activity: 2940
Merit: 1330
|
|
December 01, 2014, 10:47:49 PM |
|
What was the attack on PD? Was it the guy who flat bet many bets and won.?
Apparently somebody was able to gain access to their server seed, so they could know what their rolls would be before they rolled. As I remember, he won over 100 max bets in a row at 49.5%, and was able to withdraw 40 BTC before being caught. There are screenshots on the PD thread - go back a couple of weeks I guess. Edit:
|
Just-Dice | ██ ██████████ ██████████████████ ██████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████ ██████████████ ██████ | Play or Invest | ██ ██████████ ██████████████████ ██████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████ ██████████████ ██████ | 1% House Edge |
|
|
|
J3VVL
Newbie
Offline
Activity: 28
Merit: 0
|
|
December 02, 2014, 04:55:14 PM Last edit: December 02, 2014, 05:22:06 PM by J3VVL |
|
https://www.moneypot.com/user/fooThe page you are looking for doesn't exist... ^hmmmm *edit* wow i see now
|
|
|
|
|