Topic: BetterBets.io - NOT provably fair - page 2. (Read 3350 times)

legendary
Activity: 1974
Merit: 1014
All Games incl Racer and Lottery game are Closed
October 05, 2016, 05:14:44 PM
#57
It were 2 different mistakes, but same problem. One was server-side and one was client-side (that "re-generate button".) I noticed the server-side one which was quickly fixed, but the client-side problem was still there (and now fixed.) I am not sure if I simply didn't notice it or if it was "added" after that. Also the lack of getting a new clientseed after each bet seemed more serious to me....



So yeh.. I noticed that the site actually still doesn't generate a new clientseed after each bet right now :\ I am a bit surprised about that because I thought this would be fixed already after 1+ year. This still allows MP in theory to cheat. If I pick my client seed, for example "1,523,456,648" and make 10 low bets, MP can just give results between 602,552,164 - 2,771,510,647 and it would be a high result. Of course this would also allow a player to cheat if he tricks MP and makes a high bet instead of the "expected low bet". So it is not likely at all that casinos (in this case MP) cheat in situations like this ("based on previous plays".) Still it is a flaw in the implementation and should be fixed.

3) IMO, you should generate a random client seed before every bet in the browser. If a player bets with the same client seed every time, in theory MoneyPot could give "next server seeds" based on their betting pattern. So if a player is betting high every time, they would give low numbers based on the same repeated client seed. I am not accusing MoneyPot of this AT ALL, RHavar seems a trustworthy person to me, but provably fair is all about not needing to trust the site owner.

That being said. I still disagree with some fundamentals as discussed a long time ago: https://bitcointalksearch.org/topic/m.12015013 (basically: needs to generate the clientseed between every bet in the browser with cryptographically secure method.) I don't think you guys changed that yet (to for example RHavar's solution.) I also discussed it a bit at Rollin thread - they did change it after few days: https://bitcointalksearch.org/topic/--687571 IMO the provably fair implementation is barely provably fair at this moment. So TBH I think that verification script isn't a high priority compared to that.

^ seems like I have to ask for this every 7 months :X

I actually just removed BB from my site now too (probably should have done that much earlier.) It's so easy to fix their provably fair implementation but I feel pretty much ignored. Sure, I still don't think AT ALL that MP cheats nor that BB is doing this on purpose. I understand it's hard to prioritize when most players don't really care (or understand those details.) But it should be our goals to have the best provably fair implementation as possible.

RHavar already gave a solution for it back in July 2015: https://bitcointalksearch.org/topic/m.12018096 The easiest solution is just calling that "new clientseed" function after each bet, takes literally 1 minute to implement.

Hmm, we had that fixed at some point but it seems that code got lost during one of the bigger code merges I did. I'll fix all of this tonight.

My most humble apologies.

OK, the client seed randomization error has been fixed. The way it works now is like this:

1) The client seed is regenerated using the code from Rhavar's gist after every roll.
2) In the event that a server error is reported, the code returns *before* reaching the client seed regeneration statement, leaving the client seed unchanged.

This also means that the "enter your favorite client seed" functionality is no longer applicable; this input field has been removed.

In closing, I would like to say the following:

1) Yes, I messed up. I had numerous personal issues over the past months (cancer case in the family, daughter catching severe pneumonia, etc.) and as a result work was not really on my mind.
2) While we have had these issues, I would like to state that no bet has ever been tampered with intentionally on our side and I'm 99.99999% (basically 100%) certain that this is also the case on the Moneypot side. So while the implementation was lacking, there never was any fraudulent activity which exploited the potential this issue offered.

My apologies for dropping the ball, it will not happen again.


interesting change of mindset! wonder why?
sr. member
Activity: 348
Merit: 250
October 05, 2016, 05:08:18 PM
#56
It were 2 different mistakes, but same problem. One was server-side and one was client-side (that "re-generate button".) I noticed the server-side one which was quickly fixed, but the client-side problem was still there (and now fixed.) I am not sure if I simply didn't notice it or if it was "added" after that. Also the lack of getting a new clientseed after each bet seemed more serious to me....



So yeh.. I noticed that the site actually still doesn't generate a new clientseed after each bet right now :\ I am a bit surprised about that because I thought this would be fixed already after 1+ year. This still allows MP in theory to cheat. If I pick my client seed, for example "1,523,456,648" and make 10 low bets, MP can just give results between 602,552,164 - 2,771,510,647 and it would be a high result. Of course this would also allow a player to cheat if he tricks MP and makes a high bet instead of the "expected low bet". So it is not likely at all that casinos (in this case MP) cheat in situations like this ("based on previous plays".) Still it is a flaw in the implementation and should be fixed.

3) IMO, you should generate a random client seed before every bet in the browser. If a player bets with the same client seed every time, in theory MoneyPot could give "next server seeds" based on their betting pattern. So if a player is betting high every time, they would give low numbers based on the same repeated client seed. I am not accusing MoneyPot of this AT ALL, RHavar seems a trustworthy person to me, but provably fair is all about not needing to trust the site owner.

That being said. I still disagree with some fundamentals as discussed a long time ago: https://bitcointalksearch.org/topic/m.12015013 (basically: needs to generate the clientseed between every bet in the browser with cryptographically secure method.) I don't think you guys changed that yet (to for example RHavar's solution.) I also discussed it a bit at Rollin thread - they did change it after few days: https://bitcointalksearch.org/topic/--687571 IMO the provably fair implementation is barely provably fair at this moment. So TBH I think that verification script isn't a high priority compared to that.

^ seems like I have to ask for this every 7 months :X

I actually just removed BB from my site now too (probably should have done that much earlier.) It's so easy to fix their provably fair implementation but I feel pretty much ignored. Sure, I still don't think AT ALL that MP cheats nor that BB is doing this on purpose. I understand it's hard to prioritize when most players don't really care (or understand those details.) But it should be our goals to have the best provably fair implementation as possible.

RHavar already gave a solution for it back in July 2015: https://bitcointalksearch.org/topic/m.12018096 The easiest solution is just calling that "new clientseed" function after each bet, takes literally 1 minute to implement.

Hmm, we had that fixed at some point but it seems that code got lost during one of the bigger code merges I did. I'll fix all of this tonight.

My most humble apologies.

OK, the client seed randomization error has been fixed. The way it works now is like this:

1) The client seed is regenerated using the code from Rhavar's gist after every roll.
2) In the event that a server error is reported, the code returns *before* reaching the client seed regeneration statement, leaving the client seed unchanged.

This also means that the "enter your favorite client seed" functionality is no longer applicable; this input field has been removed.

In closing, I would like to say the following:

1) Yes, I messed up. I had numerous personal issues over the past months (cancer case in the family, daughter catching severe pneumonia, etc.) and as a result work was not really on my mind.
2) While we have had these issues, I would like to state that no bet has ever been tampered with intentionally on our side and I'm 99.99999% (basically 100%) certain that this is also the case on the Moneypot side. So while the implementation was lacking, there never was any fraudulent activity which exploited the potential this issue offered.

My apologies for dropping the ball, it will not happen again.
sr. member
Activity: 348
Merit: 250
October 05, 2016, 12:55:03 PM
#55
It were 2 different mistakes, but same problem. One was server-side and one was client-side (that "re-generate button".) I noticed the server-side one which was quickly fixed, but the client-side problem was still there (and now fixed.) I am not sure if I simply didn't notice it or if it was "added" after that. Also the lack of getting a new clientseed after each bet seemed more serious to me....



So yeh.. I noticed that the site actually still doesn't generate a new clientseed after each bet right now :\ I am a bit surprised about that because I thought this would be fixed already after 1+ year. This still allows MP in theory to cheat. If I pick my client seed, for example "1,523,456,648" and make 10 low bets, MP can just give results between 602,552,164 - 2,771,510,647 and it would be a high result. Of course this would also allow a player to cheat if he tricks MP and makes a high bet instead of the "expected low bet". So it is not likely at all that casinos (in this case MP) cheat in situations like this ("based on previous plays".) Still it is a flaw in the implementation and should be fixed.

3) IMO, you should generate a random client seed before every bet in the browser. If a player bets with the same client seed every time, in theory MoneyPot could give "next server seeds" based on their betting pattern. So if a player is betting high every time, they would give low numbers based on the same repeated client seed. I am not accusing MoneyPot of this AT ALL, RHavar seems a trustworthy person to me, but provably fair is all about not needing to trust the site owner.

That being said. I still disagree with some fundamentals as discussed a long time ago: https://bitcointalksearch.org/topic/m.12015013 (basically: needs to generate the clientseed between every bet in the browser with cryptographically secure method.) I don't think you guys changed that yet (to for example RHavar's solution.) I also discussed it a bit at Rollin thread - they did change it after few days: https://bitcointalksearch.org/topic/--687571 IMO the provably fair implementation is barely provably fair at this moment. So TBH I think that verification script isn't a high priority compared to that.

^ seems like I have to ask for this every 7 months :X

I actually just removed BB from my site now too (probably should have done that much earlier.) It's so easy to fix their provably fair implementation but I feel pretty much ignored. Sure, I still don't think AT ALL that MP cheats nor that BB is doing this on purpose. I understand it's hard to prioritize when most players don't really care (or understand those details.) But it should be our goals to have the best provably fair implementation as possible.

RHavar already gave a solution for it back in July 2015: https://bitcointalksearch.org/topic/m.12018096 The easiest solution is just calling that "new clientseed" function after each bet, takes literally 1 minute to implement.

Hmm, we had that fixed at some point but it seems that code got lost during one of the bigger code merges I did. I'll fix all of this tonight.

My most humble apologies.
legendary
Activity: 1463
Merit: 1886
October 05, 2016, 11:56:30 AM
#54
Nice digging up there NLNico  Grin


RHavar already gave a solution for it back in July 2015: https://bitcointalksearch.org/topic/m.12018096 The easiest solution is just calling that "new clientseed" function after each bet, takes literally 1 minute to implement.

Yeah, although I think step b) and c) are also very important. It's good for BB, as they can be sure their customers aren't getting cheated, and it's good for MP because it removes the ability for them to cheat so there's no doubt in anyone's mind. And I doubt it'd take more than 10 minutes, so it's pretty good bang-for-buck. One of the features I was planning on adding on MP but never got around to, was a "cheating" mode, where the server would attempt to cheat (e.g. give results that were not provably fair, try predict, use "bet stalling" ) and then I could test sites with server-cheating-mode enabled, and if the server was able to cheat without the site giving a warning (e.g. alert("We got a bet result that wasn't provably fair?!")   ) the site wouldn't be "certified" as provably fair.
legendary
Activity: 1876
Merit: 1295
DiceSites.com owner
October 05, 2016, 03:41:28 AM
#53
It were 2 different mistakes, but same problem. One was server-side and one was client-side (that "re-generate button".) I noticed the server-side one which was quickly fixed, but the client-side problem was still there (and now fixed.) I am not sure if I simply didn't notice it or if it was "added" after that. Also the lack of getting a new clientseed after each bet seemed more serious to me....



So yeh.. I noticed that the site actually still doesn't generate a new clientseed after each bet right now :\ I am a bit surprised about that because I thought this would be fixed already after 1+ year. This still allows MP in theory to cheat. If I pick my client seed, for example "1,523,456,648" and make 10 low bets, MP can just give results between 602,552,164 - 2,771,510,647 and it would be a high result. Of course this would also allow a player to cheat if he tricks MP and makes a high bet instead of the "expected low bet". So it is not likely at all that casinos (in this case MP) cheat in situations like this ("based on previous plays".) Still it is a flaw in the implementation and should be fixed.

3) IMO, you should generate a random client seed before every bet in the browser. If a player bets with the same client seed every time, in theory MoneyPot could give "next server seeds" based on their betting pattern. So if a player is betting high every time, they would give low numbers based on the same repeated client seed. I am not accusing MoneyPot of this AT ALL, RHavar seems a trustworthy person to me, but provably fair is all about not needing to trust the site owner.

That being said. I still disagree with some fundamentals as discussed a long time ago: https://bitcointalksearch.org/topic/m.12015013 (basically: needs to generate the clientseed between every bet in the browser with cryptographically secure method.) I don't think you guys changed that yet (to for example RHavar's solution.) I also discussed it a bit at Rollin thread - they did change it after few days: https://bitcointalksearch.org/topic/--687571 IMO the provably fair implementation is barely provably fair at this moment. So TBH I think that verification script isn't a high priority compared to that.

^ seems like I have to ask for this every 7 months :X

I actually just removed BB from my site now too (probably should have done that much earlier.) It's so easy to fix their provably fair implementation but I feel pretty much ignored. Sure, I still don't think AT ALL that MP cheats nor that BB is doing this on purpose. I understand it's hard to prioritize when most players don't really care (or understand those details.) But it should be our goals to have the best provably fair implementation as possible.

RHavar already gave a solution for it back in July 2015: https://bitcointalksearch.org/topic/m.12018096 The easiest solution is just calling that "new clientseed" function after each bet, takes literally 1 minute to implement.
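The client-seed example in the post above, worked through as an added example (not code from the thread, BetterBets or MoneyPot): it audits how much room a client-seed range leaves the server, and shows a client that draws a full-range seed and regenerates it after each roll. The combination rule `(clientSeed + serverSecret) mod 2^32`, the 49.5% low-bet threshold, and the names `serverControlWindow`, `makeSession` and `placeBet` are assumptions; the first two were chosen because they reproduce the range quoted in the post.

```javascript
// Added example, not site code. ASSUMED scheme, inferred from the numbers
// quoted in the thread: outcome = (clientSeed + serverSecret) mod 2^32, and
// a "low" bet wins only when outcome < 49.5% of 2^32.
const RANGE = 2 ** 32;
const LOW_WINS_BELOW = Math.ceil((RANGE * 495) / 1000); // 2126008812

function outcome(clientSeed, serverSecret) {
  return (clientSeed + serverSecret) % RANGE;
}

// Audit a client-seed policy. If every seed the client can send lies in
// [minSeed, maxSeed], count the server secrets for which a low bet loses
// for ALL of those seeds. count === 0 means the server has no such choice.
function serverControlWindow(minSeed, maxSeed) {
  const span = maxSeed - minSeed + 1;            // number of possible seeds
  const losing = RANGE - LOW_WINS_BELOW;         // outcomes where low loses
  const count = Math.max(0, losing - span + 1);  // secrets that fit the whole span
  if (count === 0) return { count, first: null, last: null };
  const first = (LOW_WINS_BELOW - minSeed + RANGE) % RANGE;
  const last = (first + count - 1) % RANGE;
  return { count, first, last };
}

// Web Crypto in the browser and in recent Node; older Node falls back to the
// same API exposed by the built-in crypto module.
const webcrypto = globalThis.crypto ?? require('node:crypto').webcrypto;

// Fresh client seed from a CSPRNG over the full unsigned range 0 .. 2^32-1.
// A Uint32Array element is never negative, so nothing is lost to a sign bit.
function newClientSeed() {
  return webcrypto.getRandomValues(new Uint32Array(1))[0];
}

// Client session following the fix described in the thread: a new seed after
// every roll; when the server reports an error the function returns before
// the regeneration statement, so the seed stays unchanged.
// placeBet is a hypothetical transport callback: (clientSeed, wager) => reply.
function makeSession(placeBet, nextSeed = newClientSeed) {
  let clientSeed = nextSeed();
  return {
    currentSeed: () => clientSeed,
    roll(wager) {
      const reply = placeBet(clientSeed, wager);
      if (reply.error) return reply;
      clientSeed = nextSeed();
      return reply;
    },
  };
}

// The three policies discussed in the thread.
function auditThreadCases() {
  return {
    reusedSeed: serverControlWindow(1523456648, 1523456648), // same seed every bet
    halvedRange: serverControlWindow(0, 2 ** 31 - 1),        // signed-int limit
    fullRange: serverControlWindow(0, 2 ** 32 - 1),          // fresh 32-bit seed
  };
}

console.log(auditThreadCases());
```

A fresh full-range seed only helps if the server has committed to its secret before seeing the seed, which is the part of the scheme this sketch does not model.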
legendary
Activity: 1974
Merit: 1014
All Games incl Racer and Lottery game are Closed
October 05, 2016, 02:02:13 AM
#52
I was trying to explain to OP that the 2^31 limit on the client seed was probably a result of the maximum value that could be stored in an integer in the language you were coding in rather than a deliberate attempt to cheat your players.

does anyone know if this was the case? if yes that would sound actually good for the BB dev lobos and all involved parties if I understand dooglus explanation it would have been just a code language limitation
Before this there was actually a similar issue that was indeed a server-side limit (I assume just MySQL INT limit), I mentioned this more than a year ago:

So I assume they added that "automatic clientseed generation" after that (which is good) but unfortunately had this bug in it to not calculate in the full range (like RHavar mentions earlier in this topic.) TBH it is pretty silly to make the same mistake twice, but yeh mistakes happen I guess. Too bad I didn't really check that myself anymore by that time too (:




But anyway, is fixed now and since it would require basically both MP as BB to cheat (based on bet patterns), I don't think that's likely at all and probably just an oversight indeed.

finally the right people are entering this discussion at least for me (dooglus & NLNico)

lets see if I understood what you explained. are you saying that this happened before with BB and you found it out? I understood they fixed/corrected it in those times. and then it appeared again just out of the blue?
I am asking because you said it is pretty silly to make the same mistake twice. but how can that happen again after it was fixed? I am not a coder and will not be in this life Smiley

let me also emphasize again that I never thought that RH or new MP owners would use this to their advantage. yes they could but it would kill their business in a second imo they are not stupid and not thieves. so there is no reason to attack me again as always (not that I am afraid of any attacks)

we love BTC and the Provably Fair option (& casino) and want to learn and understand and if people have patience we will understand (not many out there)

thx to NLNico & dooglus for chiming in

legendary
Activity: 1876
Merit: 1295
DiceSites.com owner
October 05, 2016, 01:18:40 AM
#51
I was trying to explain to OP that the 2^31 limit on the client seed was probably a result of the maximum value that could be stored in an integer in the language you were coding in rather than a deliberate attempt to cheat your players.

does anyone know if this was the case? if yes that would sound actually good for the BB dev lobos and all involved parties if I understand dooglus explanation it would have been just a code language limitation
Before this there was actually a similar issue that was indeed a server-side limit (I assume just MySQL INT limit), I mentioned this more than a year ago:

4) AFAIK you should allow the client seed to be a number in the range of 0 and 2^32-1. However you are saving it now a signed INT which has a limit of 2^31-1. You should make it unsigned so the player can put the full range of numbers as client seed. In theory again MP could influence the outcomes with the information that the client seed will always be limited/low.

If I remember correctly they did fix that limit quickly so it allowed all client seeds (by manually changing.)

By that time clientseeds weren't generated in browser every bet (which was also part of my feedback):

3) IMO, you should generate a random client seed before every bet in the browser. If a player bets with the same client seed every time, in theory MoneyPot could give "next server seeds" based on their betting pattern. So if a player is betting high every time, they would give low numbers based on the same repeated client seed. I am not accusing MoneyPot of this AT ALL, RHavar seems a trustworthy person to me, but provably fair is all about not needing to trust the site owner.

So I assume they added that "automatic clientseed generation" after that (which is good) but unfortunately had this bug in it to not calculate in the full range (like RHavar mentions earlier in this topic.) TBH it is pretty silly to make the same mistake twice, but yeh mistakes happen I guess. Too bad I didn't really check that myself anymore by that time too (:




But anyway, is fixed now and since it would require basically both MP as BB to cheat (based on bet patterns), I don't think that's likely at all and probably just an oversight indeed.
legendary
Activity: 1974
Merit: 1014
All Games incl Racer and Lottery game are Closed
October 05, 2016, 12:16:26 AM
#50

I was trying to explain to OP that the 2^31 limit on the client seed was probably a result of the maximum value that could be stored in an integer in the language you were coding in rather than a deliberate attempt to cheat your players.



does anyone know if this was the case? if yes that would sound actually good for the BB dev lobos and all involved parties if I understand dooglus explanation it would have been just a code language limitation
legendary
Activity: 2940
Merit: 1333
October 04, 2016, 09:08:14 PM
#49
I have no idea and couldn't care less. And that's the end of that.

I was trying to explain to OP that the 2^31 limit on the client seed was probably a result of the maximum value that could be stored in an integer in the language you were coding in rather than a deliberate attempt to cheat your players.

Something as simple as:

Code:
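#include <stdio.h>
int main(void) {
  int x = 2147483647;  /* largest value of a 32-bit signed int */
  printf("x = %d\n", x);
  /* signed overflow is undefined behaviour in C; typical builds wrap as shown below */
  printf("x+1 = %d\n", x+1);
  return 0;
}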

which outputs:

Code:
x = 2147483647
x+1 = -2147483648

demonstrates the issue with ints in C for example.

You remember C? It was invented around the time I was wearing diapers but you were already wearing big-boy pull-up pants.
sr. member
Activity: 348
Merit: 250
October 03, 2016, 04:00:06 PM
#48
and btw I am sure that you know who @pokerowned is or was.

I have no idea and couldn't care less. And that's the end of that.
legendary
Activity: 1974
Merit: 1014
All Games incl Racer and Lottery game are Closed
October 03, 2016, 03:52:58 PM
#47


I don't quite understand why you're so interested in knowing who the WD owner is. All I can say is this: I've never heard the alias "pokerowned" before but then again, I don't really follow all the stuff going on in this scene.


hi lobos

thx for the visit, I was very pleased

not sure though if you were looking for any flaws or just stopped by to visit us today

the WD thread is here in case you didnt see it yet and it is handled by @pokerowned
https://bitcointalksearch.org/topic/wealthydicecom-bitcoin-cryptojacks-cjdiceplinkocj-farming-1-he-1609876

and btw I am sure that you know who @pokerowned is or was.
legendary
Activity: 1974
Merit: 1014
All Games incl Racer and Lottery game are Closed
October 03, 2016, 03:29:40 PM
#46
This was resolved, I'm sorry for any confusion it may have caused some players. To our competitors, our team has never in over a year tried to find flaws in your sites nor detract from your business or hurt your image. I hope to see similar respect in the future.

Classy. Your site wasn't provably fair (due to an oversight), and thanks to the OPs discovery now is. But instead you are blaming "competitors" and not offering the OP at least a little bounty.

this issue just limited a user to 2 billion seed combinations versus 4 billion seed combinations

Actually, this would've allowed the casino to completely control with 100% certainty if the bet was going to be high or low. I don't believe this was ever used to cheat players and was a simple oversight (which does happen), but let's also not understate it. It was a very serious flaw.

He was offered a bounty and then when it wasn't what he wanted blackmailed us. You can defend him though it doesn't come as a shock. We can debate this off forums, unlike what you seem to think, these type of discussions make zero business sense to do publicly and are rarely ever public with a traditional company. Unless of course there's an ulterior motive behind it.

yes sure thing as always go private on skype and talk things out in the dark instead here where it should be discussed

why did the OP ask you for a bounty? cause you did not offer one and he should get a nice bounty from BB and MP

sr. member
Activity: 348
Merit: 250
October 03, 2016, 02:42:48 PM
#45
now this is lobos as he lives and breathes, back to the roots  Grin

Of course, did you expect anything else?  (to keep things linguistically interesting)

just not to answer my questions like
if you are also the coder of wealthydice or if pokerowned is the owner of wealthydice

I am the guy who provided the codebase, set it up for them and explained how things were structured. They did the reskinning themselves and I don't know who exactly did it (and I don't really care). They change some stuff on their own but ask me for advice on stuff which can affect betting and some of the more complicated logic, etc.

Does it even matter? They run their site and we run ours.

so I ask here @all who knows if @pokerowned is wealthy app owner? the app shows wealthydice as owner but pokerowned is handling the thread as his own app.

I don't quite understand why you're so interested in knowing who the WD owner is. All I can say is this: I've never heard the alias "pokerowned" before but then again, I don't really follow all the stuff going on in this scene.

just for info someone described the bug
"At best this is a programming error and confusion between a signed and unsigned integer. Should have never made it onto a productive system"

Correct. And it happened and it's my fault. There was no ill-will or intention to scam behind it. Software is a complex business and bugs happen.
legendary
Activity: 1974
Merit: 1014
All Games incl Racer and Lottery game are Closed
October 03, 2016, 01:59:44 PM
#44
At best this is a programming error and confusion between a signed and unsigned integer. Should have never made it onto a productive system. I suspect that they have been fair and not used this to con their users - but saying that I wouldn't use the site until the matter is cleared up. Good spot - it shows that it is good to do your homework. I'm sure the devs will be happy you found it if they are legitimate.

very well said!!!

but how can one explain that this happens to a coder like lobos? I know everything can happen but his behavior tells otherwise or he does not like to confirm own mistakes = sad

Unfortunately, its an easy mistake to make - this kind of thing can happen when a programmer tests his own work - its always better to get external testers involved. I work with a lot of programmers and a lot of them very rarely admit to making errors even if they are very clear.

thx for explaining and imo one year or more and no one saw it and not the owners and dev? all can happen and I dont point my finger at BB or MP as all is possible

interesting would be if MP pre owner RyanHavar could tell or confirm if it was already when he owned it




This was resolved, I'm sorry for any confusion it may have caused some players. To our competitors, our team has never in over a year tried to find flaws in your sites nor detract from your business or hurt your image. I hope to see similar respect in the future.

there is only one competitor in this thread. and yes you tried once to hurt our image you just did not succeed

you and everyone is welcome to search our site for flaws. we even invited the OP to check us out

IMO the OP was helping and not hurting you nor MP but lobos reaction and handling was unprofessional and suspicious. your mistake gave actually the option to think that MP could be involved and that means that your mistake was hurting MP owners now and before when RH was owner. IMO MP owners and pre owner would never try a cheat and kill their business

please dont forget to check our site for flaws but we need more time to fix it cause we dont have a coder right now

what we can learn is that the best way is straight forward if someone finds a bug or flaw and especially if it is a provably fair bug.

legendary
Activity: 1974
Merit: 1014
All Games incl Racer and Lottery game are Closed
October 03, 2016, 01:43:01 PM
#43
Op was asking for a bounty and imo it is legit

lobos asked him not to publish it! why would he do this? he or BB should publish it immediately and fix it as they did anyway

lobos behaved in a very unprofessional way

why would wealthy need to ask lobos if they have their own coder? another good question is if lobos is also the coder for wealthy?


Wealthy bought a license for the BB code and their site will be updated tonight.

I read about it but may I ask you if you  lobos is also the coder of wealthy? why would they need to ask you to help to fix it? their coder could fix it as I understood it was just an easy mistake

is pokerowned the owner?

thx

Who is the owner is entirely their business.

As for why would they need to ask: have you ever tried to find a subtle bug in large codebase? It's far from easy (although in this case it could have been done). And given the sensitivity of the issue, why would they not ask for confirmation on a codebase they don't know all that well ... it's the responsible thing to do IMHO.


now this is lobos as he lives and breathes, back to the roots  Grin

just not to answer my questions like
if you are also the coder of wealthydice or if pokerowned is the owner of wealthydice

so I ask here @all who knows if @pokerowned is wealthy app owner? the app shows wealthydice as owner but pokerowned is handling the thread as his own app.

just for info someone described the bug
"At best this is a programming error and confusion between a signed and unsigned integer. Should have never made it onto a productive system"

full member
Activity: 134
Merit: 100
October 03, 2016, 01:38:48 PM
#42
That sucks, and will lose confidence in betting.
legendary
Activity: 1463
Merit: 1886
October 03, 2016, 01:17:18 PM
#41
This was resolved, I'm sorry for any confusion it may have caused some players. To our competitors, our team has never in over a year tried to find flaws in your sites nor detract from your business or hurt your image. I hope to see similar respect in the future.

Classy. Your site wasn't provably fair (due to an oversight), and thanks to the OPs discovery now is. But instead you are blaming "competitors" and not offering the OP at least a little bounty.

this issue just limited a user to 2 billion seed combinations versus 4 billion seed combinations

Actually, this would've allowed the casino to completely control with 100% certainty if the bet was going to be high or low. I don't believe this was ever used to cheat players and was a simple oversight (which does happen), but let's also not understate it. It was a very serious flaw.
hero member
Activity: 798
Merit: 503
October 03, 2016, 12:58:33 PM
#40
Op if you don't play at betterbets then there is a motive behind your post. I'm going to guess extortion probably.  This looks like some kind of oversight error. They fix it in minutes....now we can pick client seeds in the 4 billions on accounts.  So dev said they spoke to you and it seems outcome wasn't what you wanted -gimme money or I'm posting- and you made this post. Does this about sum it up?
They fixed it mainly because he contacted them and asked about this issue. Without him we probably wouldn't be aware that exploit like this can be even possible.
I don't know if he demanded money for this, but if I were the owner of BetterBets.io I would honor Op with some kind of small bounty for his bug hunting.


Same thing I would probably do in order to save the reputation which is even more important than the bounty even if he asked for one. The issue is the fact that he noticed it means someone else might notice it and instead of raising it as OP has done, the next is scam accusations but I must say I am glad the way the issue was resolved instead for allowing it drag for too long to handle...
hero member
Activity: 728
Merit: 500
Betterbets.io Casino
October 03, 2016, 12:46:32 PM
#39
At best this is a programming error and confusion between a signed and unsigned integer. Should have never made it onto a productive system. I suspect that they have been fair and not used this to con their users - but saying that I wouldn't use the site until the matter is cleared up. Good spot - it shows that it is good to do your homework. I'm sure the devs will be happy you found it if they are legitimate.

very well said!!!

but how can one explain that this happens to a coder like lobos? I know everything can happen but his behavior tells otherwise or he does not like to confirm own mistakes = sad

Unfortunately, it's an easy mistake to make - this kind of thing can happen when a programmer tests his own work - it's always better to get external testers involved. I work with a lot of programmers and a lot of them very rarely admit to making errors even if they are very clear.

thx for explaining and imo one year or more and no one saw it and not the owners and dev? all can happen and I don't point my finger at BB or MP as all is possible

interesting would be if MP pre owner RyanHavar could tell or confirm if it was already when he owned it



The issue as explained by the OP of this thread was resolved before this thread was created, it was a 1 minute fix in our casino source code. The problem with a 'bug' like this is that it would have required 2 parties to coordinate and exploit if our intentions were to hurt players. They are not and never have been, this issue just limited a user to 2 billion seed combinations versus 4 billion seed combinations. I am happy that this was brought to our attention, however as PMs and chat logs were made public you can see (if you can read German) this turned into a situation whereby not paying 2.5 BTC to this individual would result in a 'Betterbets not provably fair thread'.

Allinbox, I appreciate your efforts to privately inform us initially of this potential issue, because of your information we changed the allowed seed combinations from 2-4 billion possibles for our players. This potentially could have allowed bad actors on Moneypot to game the bankroll. I cannot speak for them, but in the past 10 months that my team has come to know the Moneypot team they are nothing but amazing business owners and extremely honest people. I would and have trusted them with my own funds in the past so while this client seed may have been a target for those with ill intentions, it's extremely unlikely to occur at our place of business or theirs.

This was resolved, I'm sorry for any confusion it may have caused some players.
sr. member
Activity: 348
Merit: 250
October 03, 2016, 12:36:31 PM
#38
Op was asking for a bounty and imo it is legit

lobos asked him not to publish it! why would he do this? he or BB should publish it immediately and fix it as they did anyway

lobos behaved in a very unprofessional way

why would wealthy need to ask lobos if they have their own coder? another good question is if lobos is also the coder for wealthy?


Wealthy bought a license for the BB code and their site will be updated tonight.

I read about it but may I ask you if you lobos is also the coder of wealthy? why would they need to ask you to help to fix it? their coder could fix it as I understood it was just an easy mistake

is pokerowned the owner?

thx

Who is the owner is entirely their business.

As for why would they need to ask: have you ever tried to find a subtle bug in a large codebase? It's far from easy (although in this case it could have been done). And given the sensitivity of the issue, why would they not ask for confirmation on a codebase they don't know all that well ... it's the responsible thing to do IMHO.