
Topic: BetterBets.io - NOT provably fair - page 4. (Read 3369 times)

legendary
Activity: 1974
Merit: 1014
All Games incl Racer and Lottery game are Closed
October 03, 2016, 06:29:26 AM
#17
Op if you don't play at betterbets then there is a motive behind your post. I'm going to guess extortion probably.  This looks like some kind of oversight error. They fix it in minutes....now we can pick client seeds in the 4 billions on accounts.  So dev said they spoke to you and it seems outcome wasn't what you wanted -gimme money or I'm posting- and you made this post. Does this about sum it up?

can you prove your claims or are you just brown nosed? BB and MP should be thankful to this guy and his findings easy as that

they should even give him a bounty! maybe a movado watch or some btc

thx to op for posting his findings and helping MP to stay clean

hero member
Activity: 785
Merit: 502
October 03, 2016, 06:09:03 AM
#16
Op if you don't play at betterbets then there is a motive behind your post. I'm going to guess extortion probably.  This looks like some kind of oversight error. They fix it in minutes....now we can pick client seeds in the 4 billions on accounts.  So dev said they spoke to you and it seems outcome wasn't what you wanted -gimme money or I'm posting- and you made this post. Does this about sum it up?
legendary
Activity: 1288
Merit: 1000
October 03, 2016, 05:10:25 AM
#15
I wonder if situation similar to this could be also possible for other services powered by MoneyPot. I mean people are usually lazy to check.

Op said this is possible only for BetterBets.io and "all other Moneypot Sites are provably fair because they let the User pick his Clientseed"

Is this really the case?
legendary
Activity: 1400
Merit: 1021
October 03, 2016, 04:24:43 AM
#14
Good to see this issue was resolved so fast.
legendary
Activity: 1974
Merit: 1014
All Games incl Racer and Lottery game are Closed
October 03, 2016, 03:51:10 AM
#13
I was looking at some moneypot apps to check, and noticed a major flaw in the BetterBets.io implementation of the MoneyPot Provably Fair System.

This flaw allowed Moneypot to cheat all players who played on BetterBets since the creation of the site. (approximately 1 year I believe)

The Moneypot algorithm is this one:

(ClientSeed + ServerSeed) / 2^32 resulting in your individual roll outcomes between 0 and 99.99

2^32 = 4,294,967,296

In case the sum of ClientSeed and ServerSeed is higher than this number, the rest is taken and divided by 2^32, resulting in your roll outcome.

Most sites implement this correctly and let the user choose a number between 0 and 4,294,967,296.
But BetterBets is limiting the User to choose a number between 0 and 2,147,483,648.

This allows Moneypot to choose a ServerSeed that will make the Users/Players lose. Because the User can only change the outcome by max 50 %. Sounds complicated, but it isn't. Here's an example:

Let's say Moneypot picks a Serverseed of 0.

Now the User picks his ClientSeed in the given Range between 0 and 2,147,483,648.

Then the roll result will be between 0 and 49.99.

In other words, if the User plays 2x on high, he will lose.
And there is no way the User can change this because BetterBets limits the ClientSeed he can choose.

Of course nobody can prove if BetterBets and Moneypot used this to make people lose and fill their own pockets.

But what we know is, that BetterBets.io has NEVER BEEN PROVABLY FAIR.


Just to mention this: That only counts for BetterBets.io, all other Moneypot Sites are provably fair because they let the User pick his Clientseed up to 4,294,967,296. At least the ones I've checked.

Regards !

Btw. no I didn't play there and got butthurt because I lost. I've done my homework, this is a fact...

thank you very much for your posting and work

did you check our app/games? would be interested to know if it is the same with our games

I am not an expert and a non coder. please let me ask a question

could BB cheat their customers?

could BB cheat their customers with MP together?

edit
could MP cheat without BB's help?

edit2
you said this was since BB exists so it was already when RH owned MP?

edit3
you wrote "This allows Moneypot to choose a ServerSeed that will make the Users/Players lose."

could they also decide that a user/player will win?

I am not saying that anyone did cheat but I am trying to learn and understand it in full. sadly we have no coder now to let him check and explain it

cheers
sr. member
Activity: 348
Merit: 250
October 02, 2016, 08:19:33 PM
#12
Well this was a positive outcome. Kudos to betterbets for fixing the problem in minutes, and to allinbox for being one of the very few people who actually verify stuff!

Your gist is implemented as well but hasn't been pushed to production yet (will happen probably tomorrow).

Sleep is for wussies :-)
legendary
Activity: 1463
Merit: 1886
October 02, 2016, 08:15:44 PM
#11
Well this was a positive outcome. Kudos to betterbets for fixing the problem in minutes, and to allinbox for being one of the very few people who actually verify stuff!
sr. member
Activity: 348
Merit: 250
October 02, 2016, 08:11:13 PM
#10
I'll implement your gist tomorrow; thanks for pointing it out; I was not aware of its existence (thanks for making it available).

Hopefully this resolves it once and for all.

No problems. Also while stepping through the validation of the manual client seeds, I think there's a couple of minor bugs:

Code:
function(_0x2a5dx7f) {
        var _0x2a5dx90 = parseInt($(_0x58ef[187])[_0x58ef[14]]());
        if (isNaN(_0x2a5dx90)) {
            _0x2a5dx90 = 0
        } else {
            if (_0x2a5dx90 > 4294967296) {
                _0x2a5dx90 = 2147483647
            } else {
                if (_0x2a5dx90 < 0) {
                    _0x2a5dx90 = 0
                }
            }
        }
        ;$(_0x58ef[187])[_0x58ef[14]](_0x2a5dx90)
    });

I believe the line "if (_0x2a5dx90 > 4294967296) {"  should be >= not >. And if it's over, it should probably be set to 4294967295 not 2147483647, I guess.

(I might be wrong, stepping through obfuscated code is annoying)


I just 5 minutes ago fixed the assignment of 2147483647 and >= comparison.
legendary
Activity: 1463
Merit: 1886
October 02, 2016, 08:08:36 PM
#9
I'll implement your gist tomorrow; thanks for pointing it out; I was not aware of its existence (thanks for making it available).

Hopefully this resolves it once and for all.

No problems. Also while stepping through the validation of the manual client seeds, I think there's a couple of minor bugs:

Code:
function(_0x2a5dx7f) {
        var _0x2a5dx90 = parseInt($(_0x58ef[187])[_0x58ef[14]]());
        if (isNaN(_0x2a5dx90)) {
            _0x2a5dx90 = 0
        } else {
            if (_0x2a5dx90 > 4294967296) {
                _0x2a5dx90 = 2147483647
            } else {
                if (_0x2a5dx90 < 0) {
                    _0x2a5dx90 = 0
                }
            }
        }
        ;$(_0x58ef[187])[_0x58ef[14]](_0x2a5dx90)
    });

I believe the line "if (_0x2a5dx90 > 4294967296) {"  should be >= not >. And if it's over, it should probably be set to 4294967295 not 2147483647, I guess.

(I might be wrong, stepping through obfuscated code is annoying)
legendary
Activity: 1330
Merit: 1000
October 02, 2016, 08:03:58 PM
#9
I think this is slightly exaggerated.

This would make it technically not provably fair from an honest oversight in which it had no effect on players' rolls or results.

No app is capable of controlling the outcome by itself.  It would require the controlling of the server seed on Moneypot's side which is pseudo-random and never tampered with.

I do thank you OP for bringing light to this so that the BetterBets team can make the appropriate fixes so that it can be completely provably fair.  Cheers.
sr. member
Activity: 348
Merit: 250
October 02, 2016, 08:01:42 PM
#8
Their manual client-seed stuff seems correct:

https://dl.dropboxusercontent.com/spa/rmczv2tqcr196vz/0wk_we9v.png


But looking at how they actually generate it, I found the obfuscated function:

Code:
function() {
    var _0x2a5dx16d = parseInt(Math[_0x58ef[589]]() * 2147483647);
    $(_0x58ef[187])[_0x58ef[14]](_0x2a5dx16d)
}

which we can easily deobfuscate as _0x58ef is just a global variable with some constants, and we get this:

Code:
function regenerateClientSeed() {
    var x = parseInt(Math.random() * 2147483647);
    $("#account_client_seed").val(x);
}


Which has the problem you pointed out, that it doesn't use the full range and it's also using Math.random() which is also a bad idea. They should be better using the gist I have.


I'll implement your gist tomorrow; thanks for pointing it out; I was not aware of its existence (thanks for making it available).

Hopefully this resolves it once and for all.

Edit: I just also fixed the 2147483647 range limitation in the auto-generation.
sr. member
Activity: 348
Merit: 250
October 02, 2016, 08:00:25 PM
#7
Their manual client-seed stuff seems correct:

https://dl.dropboxusercontent.com/spa/rmczv2tqcr196vz/0wk_we9v.png


I'll see if I can debug how they automatically generate it

Yeah, the guy who started this thread contacted us and alerted us to this (and caught me in a bad mood after 14 hours of writing code and stuff, my apologies for that).

For some reason we changed this ages ago, I honestly don't remember why (it's been more than a year). I just fixed this, you can now enter seeds for the full 2^32 range.

For anybody wondering: we have never fudged a single bet and have never even discussed the subject of doing so with Moneypot (and neither have they). We are both stand-up operations who take security and fairness seriously.

So your bets are processed correctly but we (as stated above, for some reason I have long since forgotten) limited the client seed range. Nobody ever noticed or brought this to our attention or it would have been fixed ages ago; I've fixed it within 10 minutes after I was alerted of the issue.

Our apologies for the oversight.
legendary
Activity: 1463
Merit: 1886
October 02, 2016, 07:51:12 PM
#6
Their manual client-seed stuff seems correct:

https://dl.dropboxusercontent.com/spa/rmczv2tqcr196vz/0wk_we9v.png


But looking at how they actually generate it, I found the obfuscated function:

Code:
function() {
    var _0x2a5dx16d = parseInt(Math[_0x58ef[589]]() * 2147483647);
    $(_0x58ef[187])[_0x58ef[14]](_0x2a5dx16d)
}

which we can easily deobfuscate as _0x58ef is just a global variable with some constants, and we get this:

Code:
function regenerateClientSeed() {
    var x = parseInt(Math.random() * 2147483647);
    $("#account_client_seed").val(x);
}


Which has the problem you pointed out, that it doesn't use the full range and it's also using Math.random() which is also a bad idea. They should be better using the gist I have.
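The two client-side problems discussed in the posts above (the seed generator here and the manual-seed validation in the later reply), reduced to pure functions next to corrected versions. This is an added example, not code from the thread, from BetterBets or from the linked gist; all function names are hypothetical.

```javascript
// Added example; function names are hypothetical and this is not the linked gist.
const SEED_SPACE = 2 ** 32;                  // valid seeds: 0 .. 4294967295
// Web Crypto: the browser global, or Node's copy when run outside a browser.
const webCrypto = globalThis.crypto || require("crypto").webcrypto;

// Validation as deobfuscated in the thread, without the jQuery field access.
function clampSeedAsPosted(text) {
  let n = parseInt(text);
  if (isNaN(n)) n = 0;
  else if (n > 4294967296) n = 2147483647;   // 2^32 itself slips through; larger input is halved
  else if (n < 0) n = 0;
  return n;
}

// The two changes suggested in the thread: >= instead of >, clamp to 2^32 - 1.
function clampSeedFixed(text) {
  let n = parseInt(text, 10);
  if (isNaN(n) || n < 0) n = 0;
  else if (n >= SEED_SPACE) n = SEED_SPACE - 1;
  return n;
}

// Generator as deobfuscated in the thread: Math.random(), upper half unreachable.
function generateSeedAsPosted() {
  return parseInt(Math.random() * 2147483647);
}

// Full-range generator: one unsigned 32-bit value from the CSPRNG, no scaling.
function generateSeedFixed() {
  return webCrypto.getRandomValues(new Uint32Array(1))[0];
}
```
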
full member
Activity: 165
Merit: 100
October 02, 2016, 07:44:39 PM
#5
Good post, although a bit sensationalist.


But BetterBets is limiting the User to choose a number between 0 and 2,147,483,648.

Assuming that is true (I didn't check) you are correct, it would make betterbets not provably fair. This is almost certainly an oversight on their part, as for them to cheat would require a collaboration between them and moneypot. If they use the same system for rubies (I didn't check) then cheating is a lot more possible.

Actually if what you're saying is true, BB needs to fix this ASAP because it means a) they're not provably fair, b) It would allow MP to cheat their customers.

I strongly, strongly doubt BB has used this to cheat. But you would be correct, they are not provably fair if you can only pick a seed of half the range.


I wrote this a while ago: https://gist.github.com/RHavar/a6511dea4d4c41aeb1eb  which is what MP casinos really should be using (client side) for picking client seeds. I'm not sure why anyone would use anything different.

Thanks for your confirmation. I did not say they did, I just said it would be possible.

That's exactly the randomizer I'd also recommend. It's integrated in most browsers I believe.
legendary
Activity: 1463
Merit: 1886
October 02, 2016, 07:38:13 PM
#4
Good post, although a bit sensationalist.


But BetterBets is limiting the User to choose a number between 0 and 2,147,483,648.

Assuming that is true (I didn't check) you are correct, it would make betterbets not provably fair. This is almost certainly an oversight on their part, as for them to cheat would require a collaboration between them and moneypot. If they use the same system for rubies (I didn't check) then cheating is a lot more possible.

Actually if what you're saying is true, BB needs to fix this ASAP because it means a) they're not provably fair, b) It would allow MP to cheat their customers.

I strongly, strongly doubt BB has used this to cheat. But you would be correct, they are not provably fair if you can only pick a seed of half the range.


I wrote this a while ago: https://gist.github.com/RHavar/a6511dea4d4c41aeb1eb  which is what MP casinos really should be using (client side) for picking client seeds. I'm not sure why anyone would use anything different.
full member
Activity: 165
Merit: 100
October 02, 2016, 07:36:06 PM
#3
Are you joking? Because I ever saw someone hit 99.99 or even 0 to make a big hit and now you said that their client doesn't let us hit that? You should check their big winner tab and then you can post something like this

U understand me wrong. I said that they only allow u to change the outcome by 50 %. So whatever Serverseed they give you, you can maximal add 50 % to it.

So if they give u ServerSeed of 2,147,483,648 then your outcome can be in a range between 50 and 99.99, dependent on the ClientSeed you pick. But with this given ServerSeed it would not be possible to have an outcome below 50.

To better understand that I recommend to just try to calculate your outcome for an example. It's really not hard to do.
Server can choose a seed between 0 and 2^32 and the client only between 0 and 2^31. The sum of both numbers divided by 2^32 will be your roll result.

You will notice that u can only change the outcome to a 50 % range between the possible 0 and 99.99.
And which range this is, gets basically defined by the ServerSeed you get provided.
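The arithmetic from the opening post and the reply above, as an added example (not code from the thread or from MoneyPot): for a fixed ServerSeed it returns the roll intervals a player can reach when the ClientSeed is capped. Function names, treating the cap as an exclusive upper bound, and flooring to two decimals are assumptions.

```javascript
// Added example; names, exclusive bounds and two-decimal flooring are assumptions.
const TWO_32 = 2 ** 32;   // 4,294,967,296: full seed space
const CAPPED = 2 ** 31;   // 2,147,483,648: the limit reported in the thread

// Roll as the opening post describes it: (ClientSeed + ServerSeed) mod 2^32,
// scaled to 0 .. 99.99.
function roll(clientSeed, serverSeed) {
  const sum = (clientSeed + serverSeed) % TWO_32;   // exact, both operands < 2^53
  return Math.floor((sum / TWO_32) * 10000) / 100;
}

// Roll intervals [lo, hi] reachable for one server seed when the client seed
// is restricted to 0 .. clientLimit - 1.
function reachable(serverSeed, clientLimit) {
  if (clientLimit >= TWO_32) return [[0, 99.99]];   // full range: every roll
  const first = roll(0, serverSeed);
  const last = roll(clientLimit - 1, serverSeed);
  if (serverSeed + clientLimit - 1 < TWO_32) return [[first, last]];
  // The sum wraps past 2^32: a slice at the bottom plus the top of the range.
  return [[0, last], [first, 99.99]];
}

// Can any allowed client seed produce a roll >= threshold (a "high" bet)?
function canRollAtLeast(serverSeed, clientLimit, threshold) {
  return reachable(serverSeed, clientLimit).some(([, hi]) => hi >= threshold);
}

// Can any allowed client seed produce a roll < threshold (a "low" bet)?
function canRollBelow(serverSeed, clientLimit, threshold) {
  return reachable(serverSeed, clientLimit).some(([lo]) => lo < threshold);
}
```

With the cap in place, `reachable(0, CAPPED)` covers only 0 to 49.99 and `reachable(2 ** 31, CAPPED)` only 50 to 99.99, the two cases worked through in the thread; with the full range every roll is reachable for any server seed.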
legendary
Activity: 1078
Merit: 1000
October 02, 2016, 07:31:57 PM
#2
Are you joking? Because I ever saw someone hit 99.99 or even 0 to make a big hit and now you said that their client doesn't let us hit that? You should check their big winner tab and then you can post something like this
full member
Activity: 165
Merit: 100
October 02, 2016, 07:19:32 PM
#1
I was looking at some moneypot apps to check, and noticed a major flaw in the BetterBets.io implementation of the MoneyPot Provably Fair System.

This flaw allowed Moneypot to cheat all players who played on BetterBets since the creation of the site. (approximately 1 year I believe)

The Moneypot algorithm is this one:

(ClientSeed + ServerSeed) / 2^32 resulting in your individual roll outcomes between 0 and 99.99

2^32 = 4,294,967,296

In case the sum of ClientSeed and ServerSeed is higher than this number, the rest is taken and divided by 2^32, resulting in your roll outcome.

Most sites implement this correctly and let the user choose a number between 0 and 4,294,967,296.
But BetterBets is limiting the User to choose a number between 0 and 2,147,483,648.

This allows Moneypot to choose a ServerSeed that will make the Users/Players lose. Because the User can only change the outcome by max 50 %. Sounds complicated, but it isn't. Here's an example:

Let's say Moneypot picks a Serverseed of 0.

Now the User picks his ClientSeed in the given Range between 0 and 2,147,483,648.

Then the roll result will be between 0 and 49.99.

In other words, if the User plays 2x on high, he will lose.
And there is no way the User can change this because BetterBets limits the ClientSeed he can choose.

Of course nobody can prove if BetterBets and Moneypot used this to make people lose and fill their own pockets.

But what we know is, that BetterBets.io has NEVER BEEN PROVABLY FAIR.


Just to mention this: That only counts for BetterBets.io, all other Moneypot Sites are provably fair because they let the User pick his Clientseed up to 4,294,967,296. At least the ones I've checked.

Regards !

Btw. no I didn't play there and got butthurt because I lost. I've done my homework, this is a fact...