Author Topic: Insecurities in Ragecoin betting site == Profit?  (Read 2097 times)
gmaxwell (OP)
April 21, 2012, 05:21:01 PM
Last edit: April 21, 2012, 06:41:43 PM by gmaxwell
 #1

Greetings.

So you want to make some money?

Well— people on IRC have been circulating links to https://ragecoin.appspot.com/  (there is also a thread here about it: https://bitcointalk.org/index.php?topic=63081.0 )

The site has two substantial security vulnerabilities.  One potentially in the site's favor, one in the user's favor.

The site is totally anonymously run, so I can't report the vulnerabilities to the site: Their loss, your gain. My IRC logs strongly indicate that the site is run by "Joric" but he outright denies this.  I also reported the vulnerabilities to him but he's clueless and just argued with me. Then again, he also denies running another site which I think mostly exists to part fools and their money (brainwallet) and which I have pretty much conclusive proof that he runs.  Danger, Will Robinson, danger.

In any case here we go:

The site sends you a cryptographic commitment to the next spin... E.g. it tells you "57b12eb121a742b1cd0454408d1b38ec", then you deposit funds and spin... then it tells you MD5("0,1,0:W6Wv4t3x"), with the 0,1,0 being the slot positions you just got, and you can then see that this matches the commitment so that the site didn't change what it was going to spin for you based on your deposits.

There are two problems with this. First, the one potentially against your favor: The site is doing nothing to prove that the RNG it uses to come up with the spins is fair.  E.g. it may be the case that it will _never_ produce results with big winnings, thus giving a lower payout than advertised and screwing over the player.  This could trivially be avoided using the pick-and-split cryptography I came up with for bitjack21: The server commits to a random value, the user provides a random value (by default based on the JS RNG, but modifiable)— the draw is based on the hash of the committed random (not the commitment itself) and the user random.  Thus proving that the site's RNG is unbiased.

The next one is in your favor, or at least in the favor of hackers with GPU farms:  The secret salt values, the part after the : in the value it's committing to, only have log2(62^8) = 47 bits of entropy.  You could construct a rainbow table of all values that start with 0,0,0:.  Then you keep spinning until it gives you a "next hash" which is in your table. You know that hand will give you a 256x winning.  Bet like hell on that one.  If you want you can build a larger table that has additional winning combinations in it so you don't have to respin as much. Alternatively, you don't even have to cover all the 0,0,0 values... even a 'small' table will let you win if you don't mind spinning a whole bunch of times.

Building a table for all values for a single spin result is the same computational complexity as building an MD5 rainbow table for 8-character passwords from the A-Za-z0-9 set, and many such tables (and larger) already exist... so the computational work is high, but totally doable.  If anyone does this… I want a cut of your winnings. ;) (PM for deposit address, thanks!)

(Also, since you don't need to know the full preimage of the hash you could save a ton of space with some small chance of incorrect results by simply using a very large bloom filter: Figuring out the size needed in order to maximize profitability is an exercise left for the reader)

Keep in mind that this is a glaringly obvious vulnerability.  The operator of the site may have expected someone to figure this out, build the table, then drop 1000 BTC on a 0,0,0 win, and if you do that they may just vanish with the funds.   A lot of scams are powered by making you think you're the one scamming them.


In any case, enjoy and keep safe!


Edit: I dropped this in the speculation subforum because while gambling may be gambling, compromising a gambling site is a lot more like speculation than a lot of things people here consider speculation :) plus the site I'm talking about was previously discussed in this forum. Another cute thing: my vanity address probably took more computation than a rainbow table for a single slot value would take. :)
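As an added illustration (example code, not the site's or gmaxwell's), here is the commit-then-combine scheme the post proposes, in Python: the server commits to a long secret before the spin, the player contributes a seed, and the outcome is the hash of both, so a fixed table of short salts buys nothing and the player can verify the reveal. Assumptions not in the post: SHA-256 in place of MD5, 3 reels of 10 symbols, and the `spin:` domain-separation prefix.

```python
import hashlib
import hmac
import math
import secrets

# Constructed example of a provably fair spin (not the site's code).
REELS = 3
SYMBOLS_PER_REEL = 10  # assumption: the real site's symbol count is not stated


def commit(server_secret: bytes) -> str:
    """Server-side: publish H(secret) before the player deposits or picks a seed."""
    return hashlib.sha256(server_secret).hexdigest()


def draw(server_secret: bytes, client_seed: bytes) -> list:
    """Spin = f(server secret, client seed). Neither side can bias it alone:
    the server is bound by its commitment, the player picks after seeing it."""
    digest = hashlib.sha256(b"spin:" + server_secret + b":" + client_seed).digest()
    n = int.from_bytes(digest, "big")
    # 256-bit value split into base-10 digits; modulo bias is ~10/2^256, negligible.
    return [(n // SYMBOLS_PER_REEL ** i) % SYMBOLS_PER_REEL for i in range(REELS)]


def verify(commitment: str, server_secret: bytes, client_seed: bytes, claimed: list) -> bool:
    """Player-side check after the reveal: the opened secret must match the
    earlier commitment AND reproduce the spin the site paid out on."""
    opened_ok = hmac.compare_digest(commit(server_secret), commitment)
    return opened_ok and draw(server_secret, client_seed) == claimed


def salt_entropy_bits(length: int, alphabet_size: int = 62) -> float:
    """Entropy of a random salt of `length` symbols over an alphabet (62 = A-Za-z0-9)."""
    return length * math.log2(alphabet_size)


def play_round(server_secret: bytes = None, client_seed: bytes = None) -> dict:
    """Full exchange: commit -> client seed -> reveal -> verify."""
    if server_secret is None:
        server_secret = secrets.token_bytes(32)  # 256 bits: no precomputed table is feasible
    if client_seed is None:
        client_seed = secrets.token_bytes(16)
    commitment = commit(server_secret)       # sent to the player first
    spin = draw(server_secret, client_seed)  # computed only after the seed arrives
    return {"commitment": commitment, "spin": spin,
            "verified": verify(commitment, server_secret, client_seed, spin)}
```

`salt_entropy_bits(8)` gives the 47.6 bits the post rounds to 47, and `salt_entropy_bits(12)` the 71 bits mentioned later in the thread.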
FreeMoney
April 21, 2012, 07:18:22 PM
 #2

Interesting. I've been thinking about a site that would have the same sort of issues.

My plan is to hash [my guess, salt, timestamp] and give that to the player. They also give a guess and win if they are close enough, depending on the specifics of the wager. If my guesses are non-random it is to my detriment this way.

This avoids using a hash for the part that determines winnings since I was cautioned that the output of some hash functions will not be uniformly distributed. I haven't verified that, curious if anyone knows if/which are.

April 21, 2012, 09:17:41 PM
 #3

To make it random, have an option for the user to input his own values prior to each spin, i.e. 1,2,4 combined with 2,1,0 from the site = 3,3,4.

mroth7684
April 22, 2012, 12:13:11 AM
 #4

If I'm reading the site right, it says "Reserve: 0.06 BTC". I assume that means the site only has 0.06 BTC left for payouts. I guess someone already took it for everything it had.

twobitcoins
April 22, 2012, 01:34:23 AM
 #5

It seems to be fixed.  Now the salt is 12 characters, or 71 bits of entropy.
terrytibbs
April 22, 2012, 01:41:15 AM
 #6

Quote from gmaxwell: "Then again, he also denies running another site which I think mostly exists to part fools and their money (brainwallet) and which I have pretty much conclusive proof that he runs."

More information and proof on both of these claims, please.