Pages:
Author

Topic: BetterBets.io - NOT provably fair - page 2. (Read 3369 times)

legendary
Activity: 1974
Merit: 1014
All Games incl Racer and Lottery game are Closed
October 05, 2016, 05:14:44 PM
#57
It were 2 different mistakes, but same problem. One was server-side and one was client-side (that "re-generate button".) I noticed the server-side one which was quickly fixed, but the client-side problem was still there (and now fixed.) I am not sure if I simply didn't notice it or if it was "added" after that. Also the lack of getting a new clientseed after each bet seemed more serious to me....



So yeh.. I noticed that the site actually still doesn't generate a new clientseed after each bet right now :\ I am a bit surprised about that because I thought this would be fixed already after 1+ year. This still allows MP in theory to cheat. If I pick my client seed, for example "1,523,456,648" and make 10 low bets, MP can just give results between 602,552,164 - 2,771,510,647 and it would be a high result. Of course this would also allow a player to cheat if he tricks MP and makes a high bet instead of the "expected low bet". So it is not likely at all that casinos (in this case MP) cheat in situations like this ("based on previous plays".) Still it is a flaw in the implementation and should be fixed.

3) IMO, you should generate a random client seed before every bet in the browser. If a player bets with the same client seed every time, in theory MoneyPot could give "next server seeds" based on their betting pattern. So if a player is betting high every time, they would give low numbers based on the same repeated client seed. I am not accusing MoneyPot of this AT ALL, RHavar seems a trustworthy person to me, but provably fair is all about not needing to trust the site owner.

That being said. I still disagree with some fundamentals as discussed a long time ago: https://bitcointalksearch.org/topic/m.12015013 (basically: needs to generate the clientseed between every bet in the browser with cryptographically secure method.) I don't think you guys changed that yet (to for example RHavar's solution.) I also discussed it a bit at Rollin thread - they did change it after few days: https://bitcointalksearch.org/topic/--687571 IMO the provably fair implementation is barely provably fair at this moment. So TBH I think that verification script isn't a high priority compared to that.

^ seems like I have to ask for this every 7 months :X

I actually just removed BB from my site now too (probably should have done that much earlier.) It's so easy to fix their provably fair implementation but I feel pretty much ignored. Sure, I still don't think AT ALL that MP cheats nor that BB is doing this on purpose. I understand it's hard to prioritize when most players don't really care (or understand those details.) But it should be our goals to have the best provably fair implementation as possible.

RHavar already gave a solution for in back in July 2015: https://bitcointalksearch.org/topic/m.12018096 The easiest solution is just calling that "new clientseed" function after each bet, takes literally 1 minute to implement.

Hmm, we had that fixed at some point but it seems that code got lost during one of the bigger code merges I did. I'll fix all of this tonight.

My most humble apologies.

OK, the client seed randomization error has been fixed. The way it works now is like this:

1) The client seed is regenerated using the code from Rhavar's gist after every roll.
2) In the event that a server error is reported, the code returns *before* reaching the client seed regeneration statement, leaving the client seed unchanged.

This also means that the "enter your favorite client seed" functionality is no longer applicable; this input field has been removed.

In closing, I would like to say the following:

1) Yes, I messed up. I had numerous personal issues over the past months (cancer case in the family, daughter catching sever pneunomia, etc.) and as a result work was not really on my mind.
2) While we have had these issues, I would like to state that no bet has ever been tampered with intentionally on our side and I'm 99.99999% (basically 100%) certain that this is also the case on the Moneypot side. So while the implementation was lacking, there never was any fraudulent activity which exploited the potential this issue offered.

My apologies for dropping the ball, it will not happen again.


interesting change of mindset! wonder why?
sr. member
Activity: 348
Merit: 250
October 05, 2016, 05:08:18 PM
#56
It were 2 different mistakes, but same problem. One was server-side and one was client-side (that "re-generate button".) I noticed the server-side one which was quickly fixed, but the client-side problem was still there (and now fixed.) I am not sure if I simply didn't notice it or if it was "added" after that. Also the lack of getting a new clientseed after each bet seemed more serious to me....



So yeh.. I noticed that the site actually still doesn't generate a new clientseed after each bet right now :\ I am a bit surprised about that because I thought this would be fixed already after 1+ year. This still allows MP in theory to cheat. If I pick my client seed, for example "1,523,456,648" and make 10 low bets, MP can just give results between 602,552,164 - 2,771,510,647 and it would be a high result. Of course this would also allow a player to cheat if he tricks MP and makes a high bet instead of the "expected low bet". So it is not likely at all that casinos (in this case MP) cheat in situations like this ("based on previous plays".) Still it is a flaw in the implementation and should be fixed.

3) IMO, you should generate a random client seed before every bet in the browser. If a player bets with the same client seed every time, in theory MoneyPot could give "next server seeds" based on their betting pattern. So if a player is betting high every time, they would give low numbers based on the same repeated client seed. I am not accusing MoneyPot of this AT ALL, RHavar seems a trustworthy person to me, but provably fair is all about not needing to trust the site owner.

That being said. I still disagree with some fundamentals as discussed a long time ago: https://bitcointalksearch.org/topic/m.12015013 (basically: needs to generate the clientseed between every bet in the browser with cryptographically secure method.) I don't think you guys changed that yet (to for example RHavar's solution.) I also discussed it a bit at Rollin thread - they did change it after few days: https://bitcointalksearch.org/topic/--687571 IMO the provably fair implementation is barely provably fair at this moment. So TBH I think that verification script isn't a high priority compared to that.

^ seems like I have to ask for this every 7 months :X

I actually just removed BB from my site now too (probably should have done that much earlier.) It's so easy to fix their provably fair implementation but I feel pretty much ignored. Sure, I still don't think AT ALL that MP cheats nor that BB is doing this on purpose. I understand it's hard to prioritize when most players don't really care (or understand those details.) But it should be our goals to have the best provably fair implementation as possible.

RHavar already gave a solution for in back in July 2015: https://bitcointalksearch.org/topic/m.12018096 The easiest solution is just calling that "new clientseed" function after each bet, takes literally 1 minute to implement.

Hmm, we had that fixed at some point but it seems that code got lost during one of the bigger code merges I did. I'll fix all of this tonight.

My most humble apologies.

OK, the client seed randomization error has been fixed. The way it works now is like this:

1) The client seed is regenerated using the code from Rhavar's gist after every roll.
2) In the event that a server error is reported, the code returns *before* reaching the client seed regeneration statement, leaving the client seed unchanged.

This also means that the "enter your favorite client seed" functionality is no longer applicable; this input field has been removed.

In closing, I would like to say the following:

1) Yes, I messed up. I had numerous personal issues over the past months (cancer case in the family, daughter catching sever pneunomia, etc.) and as a result work was not really on my mind.
2) While we have had these issues, I would like to state that no bet has ever been tampered with intentionally on our side and I'm 99.99999% (basically 100%) certain that this is also the case on the Moneypot side. So while the implementation was lacking, there never was any fraudulent activity which exploited the potential this issue offered.

My apologies for dropping the ball, it will not happen again.
sr. member
Activity: 348
Merit: 250
October 05, 2016, 12:55:03 PM
#55
It were 2 different mistakes, but same problem. One was server-side and one was client-side (that "re-generate button".) I noticed the server-side one which was quickly fixed, but the client-side problem was still there (and now fixed.) I am not sure if I simply didn't notice it or if it was "added" after that. Also the lack of getting a new clientseed after each bet seemed more serious to me....



So yeh.. I noticed that the site actually still doesn't generate a new clientseed after each bet right now :\ I am a bit surprised about that because I thought this would be fixed already after 1+ year. This still allows MP in theory to cheat. If I pick my client seed, for example "1,523,456,648" and make 10 low bets, MP can just give results between 602,552,164 - 2,771,510,647 and it would be a high result. Of course this would also allow a player to cheat if he tricks MP and makes a high bet instead of the "expected low bet". So it is not likely at all that casinos (in this case MP) cheat in situations like this ("based on previous plays".) Still it is a flaw in the implementation and should be fixed.

3) IMO, you should generate a random client seed before every bet in the browser. If a player bets with the same client seed every time, in theory MoneyPot could give "next server seeds" based on their betting pattern. So if a player is betting high every time, they would give low numbers based on the same repeated client seed. I am not accusing MoneyPot of this AT ALL, RHavar seems a trustworthy person to me, but provably fair is all about not needing to trust the site owner.

That being said. I still disagree with some fundamentals as discussed a long time ago: https://bitcointalksearch.org/topic/m.12015013 (basically: needs to generate the clientseed between every bet in the browser with cryptographically secure method.) I don't think you guys changed that yet (to for example RHavar's solution.) I also discussed it a bit at Rollin thread - they did change it after few days: https://bitcointalksearch.org/topic/--687571 IMO the provably fair implementation is barely provably fair at this moment. So TBH I think that verification script isn't a high priority compared to that.

^ seems like I have to ask for this every 7 months :X

I actually just removed BB from my site now too (probably should have done that much earlier.) It's so easy to fix their provably fair implementation but I feel pretty much ignored. Sure, I still don't think AT ALL that MP cheats nor that BB is doing this on purpose. I understand it's hard to prioritize when most players don't really care (or understand those details.) But it should be our goals to have the best provably fair implementation as possible.

RHavar already gave a solution for in back in July 2015: https://bitcointalksearch.org/topic/m.12018096 The easiest solution is just calling that "new clientseed" function after each bet, takes literally 1 minute to implement.

Hmm, we had that fixed at some point but it seems that code got lost during one of the bigger code merges I did. I'll fix all of this tonight.

My most humble apologies.
legendary
Activity: 1463
Merit: 1886
October 05, 2016, 11:56:30 AM
#54
Nice digging up there NLNico  Grin


RHavar already gave a solution for in back in July 2015: https://bitcointalksearch.org/topic/m.12018096 The easiest solution is just calling that "new clientseed" function after each bet, takes literally 1 minute to implement.

Yeah, although I think step b) and c) are also very important. It's good for BB, as they can be sure their customers aren't getting cheated, and it's good for MP because it removes the ability for them to cheat so there's no doubt in anyone's mind. And I doubt it'd take more than 10 minutes, so it's pretty good bang-for-buck. One of the features I was planning on adding on MP but never got around to, was a "cheating" mode, where the server would attempt to cheat (e.g. give results that were not provably fair, try predict, use "bet stalling" ) and then I could test sites with server-cheating-mode enabled, and if the server was able to cheat without the site giving a warning (e.g. alert("We got a bet result that wasn't provably fair?!")   ) the site wouldn't be "certified" as provably fair.
legendary
Activity: 1876
Merit: 1303
DiceSites.com owner
October 05, 2016, 03:41:28 AM
#53
It were 2 different mistakes, but same problem. One was server-side and one was client-side (that "re-generate button".) I noticed the server-side one which was quickly fixed, but the client-side problem was still there (and now fixed.) I am not sure if I simply didn't notice it or if it was "added" after that. Also the lack of getting a new clientseed after each bet seemed more serious to me....



So yeh.. I noticed that the site actually still doesn't generate a new clientseed after each bet right now :\ I am a bit surprised about that because I thought this would be fixed already after 1+ year. This still allows MP in theory to cheat. If I pick my client seed, for example "1,523,456,648" and make 10 low bets, MP can just give results between 602,552,164 - 2,771,510,647 and it would be a high result. Of course this would also allow a player to cheat if he tricks MP and makes a high bet instead of the "expected low bet". So it is not likely at all that casinos (in this case MP) cheat in situations like this ("based on previous plays".) Still it is a flaw in the implementation and should be fixed.

3) IMO, you should generate a random client seed before every bet in the browser. If a player bets with the same client seed every time, in theory MoneyPot could give "next server seeds" based on their betting pattern. So if a player is betting high every time, they would give low numbers based on the same repeated client seed. I am not accusing MoneyPot of this AT ALL, RHavar seems a trustworthy person to me, but provably fair is all about not needing to trust the site owner.

That being said. I still disagree with some fundamentals as discussed a long time ago: https://bitcointalksearch.org/topic/m.12015013 (basically: needs to generate the clientseed between every bet in the browser with cryptographically secure method.) I don't think you guys changed that yet (to for example RHavar's solution.) I also discussed it a bit at Rollin thread - they did change it after few days: https://bitcointalksearch.org/topic/--687571 IMO the provably fair implementation is barely provably fair at this moment. So TBH I think that verification script isn't a high priority compared to that.

^ seems like I have to ask for this every 7 months :X

I actually just removed BB from my site now too (probably should have done that much earlier.) It's so easy to fix their provably fair implementation but I feel pretty much ignored. Sure, I still don't think AT ALL that MP cheats nor that BB is doing this on purpose. I understand it's hard to prioritize when most players don't really care (or understand those details.) But it should be our goals to have the best provably fair implementation as possible.

RHavar already gave a solution for in back in July 2015: https://bitcointalksearch.org/topic/m.12018096 The easiest solution is just calling that "new clientseed" function after each bet, takes literally 1 minute to implement.
legendary
Activity: 1974
Merit: 1014
All Games incl Racer and Lottery game are Closed
October 05, 2016, 02:02:13 AM
#52
I was trying to explain to OP that the 2^31 limit on the client seed was probably a result of the maximum value that could be stored in an integer in the language you were coding in rather than a deliberate attempt to cheat your players.

does anyone know if this was the case? if yes that would sound actually good for the BB dev lobos and all involved parties if I understand dooglus explanation it would have been just a code language limitation
Before this there was actually a similar issue that was indeed a server-side limit (I assume just MySQL INT limit), I mentioned this more than a year ago:

So I assume they added that "automatic clientseed generation" after that (which is good) but unfortunately had this bug in it to not calculate in the full range (like RHavar mentions earlier in this topic.) TBH it is pretty silly to make the same mistake twice, but yeh mistakes happen I guess. Too bad I didn't really check that myself anymore by that time too (:




But anyway, is fixed now and since it would require basically both MP as BB to cheat (based on bet patterns), I don't think that's likely at all and probably just an oversight indeed.

finally the right people are entering this discussion at least for me (dooglus & NLNico)

lets see if I understood what you explained. are you saying that this happened before with BB and you found it out? I understood they fixed/corrected it in those times. and then it appeared again just out of the blue?
I am asking because you said it is pretty silly to make the same mistake twice. but how can that happen again after it was fixed? I am not a coder and will not be in this life Smiley

let me also emphasize again that I never thought that RH or new MP owners would use this to their advantage. yes they could but it would kill their business in a second imo they are not stupid and not thieves. so there is no reason to attack me again as always (not that I am afraid of any attacks)

we love BTC and the Provably Fair option (& casino) and want to learn and understand and if people have patience we will understand (not many out there)

thx to NLNico & dooglus for chiming in

legendary
Activity: 1876
Merit: 1303
DiceSites.com owner
October 05, 2016, 01:18:40 AM
#51
I was trying to explain to OP that the 2^31 limit on the client seed was probably a result of the maximum value that could be stored in an integer in the language you were coding in rather than a deliberate attempt to cheat your players.

does anyone know if this was the case? if yes that would sound actually good for the BB dev lobos and all involved parties if I understand dooglus explanation it would have been just a code language limitation
Before this there was actually a similar issue that was indeed a server-side limit (I assume just MySQL INT limit), I mentioned this more than a year ago:

4) AFAIK you should allow the client seed to be a number in the range of 0 and 2^32-1. However you are saving it now a signed INT which has a limit of 2^31-1. You should make it unsigned so the player can put the full range of numbers as client seed. In theory again MP could influence the outcomes with the information that the client seed will always be limited/low.

If I remember correctly they did fix that limit quickly so it allowed all client seeds (by manually changing.)

By that time clientseeds weren't generated in browser every bet (which was also part of my feedback):

3) IMO, you should generate a random client seed before every bet in the browser. If a player bets with the same client seed every time, in theory MoneyPot could give "next server seeds" based on their betting pattern. So if a player is betting high every time, they would give low numbers based on the same repeated client seed. I am not accusing MoneyPot of this AT ALL, RHavar seems a trustworthy person to me, but provably fair is all about not needing to trust the site owner.

So I assume they added that "automatic clientseed generation" after that (which is good) but unfortunately had this bug in it to not calculate in the full range (like RHavar mentions earlier in this topic.) TBH it is pretty silly to make the same mistake twice, but yeh mistakes happen I guess. Too bad I didn't really check that myself anymore by that time too (:




But anyway, is fixed now and since it would require basically both MP as BB to cheat (based on bet patterns), I don't think that's likely at all and probably just an oversight indeed.
legendary
Activity: 1974
Merit: 1014
All Games incl Racer and Lottery game are Closed
October 05, 2016, 12:16:26 AM
#50

I was trying to explain to OP that the 2^31 limit on the client seed was probably a result of the maximum value that could be stored in an integer in the language you were coding in rather than a deliberate attempt to cheat your players.



does anyone know if this was the case? if yes that would sound actually good for the BB dev lobos and all involved parties if I understand dooglus explanation it would have been just a code language limitation
legendary
Activity: 2940
Merit: 1333
October 04, 2016, 09:08:14 PM
#49
I have no idea and couldn't care less. And that's the end of that.

I was trying to explain to OP that the 2^31 limit on the client seed was probably a result of the maximum value that could be stored in an integer in the language you were coding in rather than a deliberate attempt to cheat your players.

Something as simple as:

Code:
#include 
main() {
  int x = 2147483647;
  printf("x = %d\n", x);
  printf("x+1 = %d\n", x+1);
}

which outputs:

Code:
x = 2147483647
x+1 = -2147483648

demonstrates the issue with ints in C for example.

You remember C? It was invented around the time I was wearing diapers but you were already wearing big-boy pull-up pants.
sr. member
Activity: 348
Merit: 250
October 03, 2016, 04:00:06 PM
#48
and btw I am sure that you know who @pokerowned is or was.

I have no idea and couldn't care less. And that's the end of that.
legendary
Activity: 1974
Merit: 1014
All Games incl Racer and Lottery game are Closed
October 03, 2016, 03:52:58 PM
#47


I don't quite understand why you're so interested in knowing who the WD owner is. All I can say is this: I've never heard the alias "pokerowned" before but then again, I don't really follow all the stuff going on in this scene.


hi lobos

thx for the visit ich habe mich sehr gefreut

not sure though if you were looking for any flaws or just stopped by to visit us today

the WD thread is here in case you didnt see it yet and it is handled by @pokerowned
https://bitcointalksearch.org/topic/wealthydicecom-bitcoin-cryptojacks-cjdiceplinkocj-farming-1-he-1609876

and btw I am sure that you know who @pokerowned is or was.
legendary
Activity: 1974
Merit: 1014
All Games incl Racer and Lottery game are Closed
October 03, 2016, 03:29:40 PM
#46
This was resolved, I'm sorry for any confusion it may have caused some players. To our competitors, our team has never in over a year tried to find flaws in your sites nor detract from your business or hurt your image. I hope to see similar respect in the future.

Classy. Your site wasn't provably fair (due to an oversight), and thanks to the OPs discovery now is. But instead you are blaming "competitors" and not offering the OP at least a little bounty.

this issue just limited a user to 2 billion seed combinations versus 4 billion seed combinations

Actually, this would've allowed the casino to completely control with 100% certainty if the bet was going to be high or low. I don't believe this was ever used to cheat players and was a simple oversight (which does happen), but let's also not understate it. It was a very serious flaw.

He was offered a bounty and then when it wasn't what he wanted blackmailed us. You can defend him though it doesn't come as a shock. We can debate this off forums, unlike what you seem to think, these type of discussions make zero business sense to do publicly and are rarely ever public with a traditional company. Unless of course there's an ulterior motive behind it.

yes sure thing as always go private on skype and talk things out in the dark instead here where it should be discussed

why did the OP ask you for a bounty? cause you did not offer one and he should get a nice bounty from BB and MP

sr. member
Activity: 348
Merit: 250
October 03, 2016, 02:42:48 PM
#45
now this is lobos wie er leibt und lebt back to the roots  Grin

Natuerlich, had jij iets anders verwacht?  (to keep things linguistically interesting)

just not to answer my questions like
if you are also the coder of wealthydice or if pokerowned is the owner of wealthydice

I am the guy who provided the codebase, set it up for them and explained how things were structured. They did the reskinning themselves and I don't know who exactly did it (and I don't really care). They change some stuff on their own but me for advice on stuff which can affect betting and some of the more complicated logic, etc.

Does it even matter? They run their site and we run ours.

so I ask here @all who knows if @pokerowned is wealthy app owner? the app shows wealthydice as owner but pokerowned is handling the thread as his own app.

I don't quite understand why you're so interested in knowing who the WD owner is. All I can say is this: I've never heard the alias "pokerowned" before but then again, I don't really follow all the stuff going on in this scene.

just for info someone described the bug
"At best this is a programming error and confusion between a signed and unsigned integer. Should have never made it onto a productive system"

Correct. And it happened and it's my fault. There was no ill-will or intention to scam behind it. Software is a complex business and bugs happen.
legendary
Activity: 1974
Merit: 1014
All Games incl Racer and Lottery game are Closed
October 03, 2016, 01:59:44 PM
#44
At best this is a programming error and confusion between a signed and unsigned integer. Should have never made it onto a productive system. I suspect that they have been fair and not used this to con their users - but saying that I wouldn't use the site until the matter is cleared up. Good spot - it shows that it is good to do your homework. I'm sure the devs will be happy you found it if they are legitimate.

very well said!!!

but how can one exaplin that this happens to a coder like lobos? I know everything can happen but his behavior tells otherwise or he does not like to confirm own mistakes = sad

Unfortunately, its an easy mistake to make - this kind of thing can happen when a programmer tests his own work - its always better to get external testers involved. I work with a lot of programmers and a lot of them very rarely admit to making errors even if they are very clear.

thx for explaining and imo one year or more and no one saw it and not he owners and dev? all can happen and I dont point my finger at BB or MP as all is possible

interesting would be if MP pre owner RyanHavar could tell or confirm if it was already when he owned it




This was resolved, I'm sorry for any confusion it may have caused some players. To our competitors, our team has never in over a year tried to find flaws in your sites nor detract from your business or hurt your image. I hope to see similar respect in the future.

there is only one competitor in this thread. and yes you tried once to hurt our image you just did not succeed

you and everyone is welcome to search our site for flaws. we even invited the OP to check us out

IMO the OP was helping and not hurting you nor MP but lobos reaction and handling was unprofessional and suspicious. your mistake gave actually the option to think that MP could be involved and that means that your mistake was hurting MP owners now and before when RH was owner. IMO MP owners and pre owner would never try a cheat and kill their business

please dont forget to check our site for flaws but we need more time to fix it cause we dont have a coder right now

what we can learn is that the best way is straight forward if someone finds a bug or flaw and especially if it is a provably fair bug.

legendary
Activity: 1974
Merit: 1014
All Games incl Racer and Lottery game are Closed
October 03, 2016, 01:43:01 PM
#43
Op was asking for a bounty and imo it is legit

lobos asked him not to publish it! why would he do this? he or BB should publish it immediately and fix it as they did anyway

lobos behaved in a very unprofessional way

why would wealthy need to ask lobos if they have their own coder? another good question is if lobos is also the coder for wealthy?


Wealthy bought a license for the BB code and their site will be updated tonight.

I read about it but may I ask you if you  lobos is also the coder of wealthy? why would they need to ask you to help to fix it? their coder could fix it as I understood it was just an easy mistake

is pokerowned the owner?

thx

Who is the owner is entirely their business.

As for why would they need to ask: have you ever tried to find a subtle bug in large codebase? It's far from easy (although in this case it could have been done). And given the sensitivity of the issue, why would the not ask for confirmation on a codebase they don't know all that well ... it's the responsible thing to do IMHO.


now this is lobos wie er leibt und lebt back to the roots  Grin

just not to answer my questions like
if you are also the coder of wealthydice or if pokerowned is the owner of wealthydice

so I ask here @all who knows if @pokerowned is wealthy app owner? the app shows wealthydice as owner but pokerowned is handling the thread as his own app.

just for info someone described the bug
"At best this is a programming error and confusion between a signed and unsigned integer. Should have never made it onto a productive system"

full member
Activity: 134
Merit: 100
October 03, 2016, 01:38:48 PM
#42
That sucks, and will lose confidence in betting.
legendary
Activity: 1463
Merit: 1886
October 03, 2016, 01:17:18 PM
#41
This was resolved, I'm sorry for any confusion it may have caused some players. To our competitors, our team has never in over a year tried to find flaws in your sites nor detract from your business or hurt your image. I hope to see similar respect in the future.

Classy. Your site wasn't provably fair (due to an oversight), and thanks to the OPs discovery now is. But instead you are blaming "competitors" and not offering the OP at least a little bounty.

this issue just limited a user to 2 billion seed combinations versus 4 billion seed combinations

Actually, this would've allowed the casino to completely control with 100% certainty if the bet was going to be high or low. I don't believe this was ever used to cheat players and was a simple oversight (which does happen), but let's also not understate it. It was a very serious flaw.
hero member
Activity: 798
Merit: 503
October 03, 2016, 12:58:33 PM
#40
Op if you don't play at betterbets then there is a motive behind your post. I'm going to guess extortion probably.  This looks like some kind of oversight error. They fix it in minutes....now we can pick client seeds in the 4 billions on accounts.  So dev said they spoke to you and it seems outcome wasn't what you wanted -gimme money or I'm posting- and you made this post. Does this about sum it up?
They fixed it mainly because he contacted them and asked about this issue. Without him we probably wouldn't be aware that exploit like this can be even possible.
I don't know if he demanded money for this, but if I were the owner of BetterBets.io I would honor Op with some kind of small bounty for his bug hunting.


Same thing I would probably do in other to save the reputation which is even more important than the bounty even if he asked for one. The issue is the fact that he noticed it means someone else might noticed it and instead of raising it as OP has done, the next is scam accusations but I must say I am glad the way the issue was resolved instead for allowing it drag for too long to handle...
hero member
Activity: 728
Merit: 500
Betterbets.io Casino
October 03, 2016, 12:46:32 PM
#39
At best this is a programming error and confusion between a signed and unsigned integer. Should have never made it onto a productive system. I suspect that they have been fair and not used this to con their users - but saying that I wouldn't use the site until the matter is cleared up. Good spot - it shows that it is good to do your homework. I'm sure the devs will be happy you found it if they are legitimate.

very well said!!!

but how can one exaplin that this happens to a coder like lobos? I know everything can happen but his behavior tells otherwise or he does not like to confirm own mistakes = sad

Unfortunately, its an easy mistake to make - this kind of thing can happen when a programmer tests his own work - its always better to get external testers involved. I work with a lot of programmers and a lot of them very rarely admit to making errors even if they are very clear.

thx for explaining and imo one year or more and no one saw it and not he owners and dev? all can happen and I dont point my finger at BB or MP as all is possible

interesting would be if MP pre owner RyanHavar could tell or confirm if it was already when he owned it



The issue as explained by the OP of this thread was resolved before this thread was created, it was a 1 minute fix in our casino source code. The problem with a 'bug' like this is that it would have required 2 parties to coordinate and exploit if our intentions were to hurt players. They are not and never have been, this issue just limited a user to 2 billion seed combinations versus 4 billion seed combinations. I am happy that this was brought to our attention, however as pm's and chat logs were made public you can see (if you can read German) this turned into a situation where by not paying 2.5 BTC to this individual would result in a 'Betterbets not provably fair thread'.

Allinbox, I appreciate your efforts to privately inform us initially of this potential issue, because of your information we changed the allowed seed combinations from 2-4 billion possibles for our players. This potentially could have allowed bad actors on Moneypot to game the bankroll. I cannot speak for them, but in the past 10 months that my team has come to know the Moneypot team they are nothing but amazing business owners and extremely honest people. I would and have trusted them with my own funds in the past so while this client seed may have been a target for those with ill intentions, it's extremely unlikely to occur at our place of business or theirs.

This was resolved, I'm sorry for any confusion it may have caused some players.
sr. member
Activity: 348
Merit: 250
October 03, 2016, 12:36:31 PM
#38
Op was asking for a bounty and imo it is legit

lobos asked him not to publish it! why would he do this? he or BB should publish it immediately and fix it as they did anyway

lobos behaved in a very unprofessional way

why would wealthy need to ask lobos if they have their own coder? another good question is if lobos is also the coder for wealthy?


Wealthy bought a license for the BB code and their site will be updated tonight.

I read about it but may I ask you if you  lobos is also the coder of wealthy? why would they need to ask you to help to fix it? their coder could fix it as I understood it was just an easy mistake

is pokerowned the owner?

thx

Who is the owner is entirely their business.

As for why would they need to ask: have you ever tried to find a subtle bug in large codebase? It's far from easy (although in this case it could have been done). And given the sensitivity of the issue, why would the not ask for confirmation on a codebase they don't know all that well ... it's the responsible thing to do IMHO.
Pages:
Jump to: