Topic: BitcoinBetGames.com • FREE BTC • Video Poker • Quincunx • Provably Fair • NEW (Read 4939 times)

...
Address lookup

canonical name   bitcoinvanitygen.com.
aliases   
addresses   104.27.129.8
104.27.128.8
Domain Whois record

Queried whois.internic.net with "dom BitcoinVanityGen.com"...

   Domain Name: BITCOINVANITYGEN.COM
   Registrar: OVH
   Sponsoring Registrar IANA ID: 433
   Whois Server: whois.ovh.com
   Referral URL: http://www.ovh.com
   Name Server: BRAD.NS.CLOUDFLARE.COM
   Name Server: SANDY.NS.CLOUDFLARE.COM
   Status: clientDeleteProhibited http://www.icann.org/epp#clientDeleteProhibited
   Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
   Updated Date: 29-apr-2015
   Creation Date: 26-mar-2014
   Expiration Date: 26-mar-2016

>>> Last update of whois database: Tue, 28 Jul 2015 07:26:43 GMT <<<
Queried whois.ovh.com with "BitcoinVanityGen.com"...

Domain Name: bitcoinvanitygen.com
Registry Domain ID: 1852143808_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.ovh.com
Registrar URL: http://www.ovh.com
Updated Date: 2015-04-29T19:48:18.0Z
Creation Date: 2014-03-26T21:38:13.0Z
Registrar Registration Expiration Date: 2016-03-26T21:38:13.0Z
Registrar: OVH, SAS
Registrar IANA ID: 433
Registrar Abuse Contact Email: [email protected]
Registrar Abuse Contact Phone: +33.899498765
Domain Status: clientTransferProhibited
Domain Status: clientDeleteProhibited
Registry Registrant ID:
Registrant Name: Nosalik Remigiusz
Registrant Organization:
Registrant Street: bitcoinvanitygen.com, office #6917528, c/o OwO, BP80157
Registrant City: 59053
Registrant State/Province:
Registrant Postal Code: Roubaix Cedex 1
Registrant Country:  FR
Registrant Phone: +33.899498765
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: [email protected]
Registry Admin ID:


Domain Name: bitcoinbetgames.com
Registry Domain ID: 1917404004_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.ovh.com
Registrar URL: http://www.ovh.com
Updated Date: 2015-04-09T21:27:11.0Z
Creation Date: 2015-04-07T19:42:12.0Z
Registrar Registration Expiration Date: 2016-04-07T19:42:12.0Z
Registrar: OVH, SAS
Registrar IANA ID: 433
Registrar Abuse Contact Email: [email protected]
Registrar Abuse Contact Phone: +33.899498765
Domain Status: clientTransferProhibited
Domain Status: clientDeleteProhibited
Registry Registrant ID:
Registrant Name: Nosalik Remigiusz
Registrant Organization: VERSERO
Registrant Street: Opolska 14/11
Registrant City: Jastrzębie Zdrój
Registrant State/Province:
Registrant Postal Code: 44-335
Registrant Country: PL
Registrant Phone: +48.607495744
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: [email protected]
Registry Admin ID:
Admin Name: Nosalik Remigiusz
Admin Organization: VERSERO
Admin Street: Opolska 14/11
Admin City: Jastrzębie Zdrój
Admin State/Province:
Admin Postal Code: 44-335
Admin Country: PL
Admin Phone: +48.607495744
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: [email protected]
Registry Tech ID:
Tech Name: Nosalik Remigiusz
Tech Organization: VERSERO
Tech Street: Opolska 14/11
Tech City: Jastrzębie Zdrój
Tech State/Province:
Tech Postal Code: 44-335
Tech Country: PL
Tech Phone: +48.607495744
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: [email protected]
Name Server: ns3.bitcoinbetgames.com
Name Server: ns4.bitcoinbetgames.com
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System:
http://wdprs.internic.net/
>>> Last update of WHOIS database: 2015-04-09T23:33:43.0Z


Seems he is also the owner/operator of the shady ass site Bitcoinvanitygen.com that steals peoples coins

Rework of provably fair system is now complete
It would be nice to be verified by third party.
We also upgraded our real time chat.

Happy playing!

Blackmail failed, we found this bug. In quincunx ajax response. There was commented out not hashed server seed.
We have it documented. Only one user exploited this.
Hackers vs BitcoinBetGames 0:2

I just want things to get paid for my work. I am the security researcher it is job not nothing. All other sites gave me money if I found a serious problem. I tell you , several times I will no been abusing it or no will to .

If you can not have 0.5 BTC, then you should say so, I can sell you cheap. But you should not pretend that you can pay 50 BTC to give winners then because it is a lie to offer a prize you will not pay

Your english is fine. We don't have official bug bounty, but your messages on chat sounded dangerously close to extortion or even blackmail. Give me 1.5 BTC or someone will abuse this bug and you will loose more.
Well how you could treat someone serious after something like that.

Sorry for my English . You do not even give me 0.5 BTC for responsible disclosure , and would only pay 0.1 BTC . I even gave a serious problem for free , and this is my job to eat.

Now you say you can pay 50 BTC winners per game , but you can not pay me 1 / 100th of it to help your security.

My time is too valueable to be wasted in this and has made it clear for the next person to find it more profitable to abuse your site getting insulted by your tiny bounties

RHavar thank you for this post, many usefull informations
There was not many details, thats the problem, since this user wanted serious BTC for disclosure of this information. He said there are two security flaws. One severe and one very very severe.
After some talk he gave couple hints. First that this very very severe one is about quincunx predicting coin path. Second one after further talk turned out to be hard to exploit CSRF in one function. We found it right away and its already fixed.
Giving that his one bug report was true, second could be also.

Anyway, only possible way of cheating in quincunx i could think of, would be to know current server seed in non hashed way. For example trivial mistake after reworking provably fair system, one place could be showing current server seed in non hashed way that should be hashed now. Finishing checking this.

It is hard, even more since first day design flaw which allowed user to calculate result before game. Ended without any harm, but we check everything twice now.

Yeah statistics is like that, you can have 50% chance for either 1 or 0, and get 1 for twenty times straight. Because of that very often people conclusion is that site is rigged, seen that many times on dice sites.

Max bet was 0.05 and it was lowered around ~14 hours ago to 0.01 temporary. Our provably fair system need 3rd party verification first, for safety of players and site itself.
It will be raised when we will be 100% sure of our provably fair system.

We got info on site chat, that there is still critical bug in quincunx that lets you predict coin path before betting.
While we are working hard to verify this information, it would be helpfull to also someone else give it a look. Like they say, four pair of eyes are better than two.
This can be bogus report, but reports like this must be checked carefully.

One indication that it could be true is one user, that hit on quincunx red table 130x in first real bet, then again between ~20 bets... chance for x130 on red table is around 1 to 25000.

Thank you. I moved this link to bottom of Provably Fair tab, underlined it, bigger font. Hope it will fit better there
Also removed couple bugs that could affect verification process, maybe its good that you have waited with full verification.

Better from impression will be full verification of Quincunx provably fair system on real bet examples .

Any impressions from the provably fair system?

Ah you are correct. Although that link is very small lol, I would probably display it slightly different. Anyway, seems technically okay then, although I didn't actually calculate the results and didn't check the details (just had quick look only.) But yeh, nice job improving it already.

I think we already do have this second method. Player know in advance next server seed hash (below SET button, need to click Next server seed (hash) to reveal it).

It seems like the idea is good now. But unfortunately there is still a mistake and the site is still not provably fair

When a player changes the clientseed, you give a new serverseed. This means you could calculate bad results based on these seeds. The idea of a clientseed is that there is a variable in the calculation which the site doesn't know in advance and therefor cannot predict the results in advance. 2 options:

1.  When someone sets the clientseed, you should keep the same hash (and don't reset the nonce or else player can cheat.) And then there should be a separate button to "request new serverseed" that also resets the nonce.

2. OR show the "next serverseed hash" already when setting the new clientseed (that is actually what PD does.)




Truthfully I didn't fully test the provably fair method but this is what I saw already.

Thank you for kind words, we have just started so its great motivation to continue.
We have big plans so stay tuned

Cool game.  I donated 0.03 BTC. 

After over 4 hours of non-stop programming Quincunx provably fair system with nonce is finished.
Please verify our implementation (only Quincunx game), its based on primedice system.

If verification will be positive, we will implement it also in poker.

Not sure if you're talking about the 2nd method here (nonceless), but i would find this system provably, but not fair.  As, it could be possible that the user does not update his client seed while the serverseed will update after every bet.  If the operator is unscrupulous, he could take advantage of the users that don't change their client seed as often, and find a serverseed pair that will have an advantage, assuming that the user does not change his betting % or hi/lo option.

of course this would require some work on the operator's part as well as some added technical knowhow, but i could see something like this being done.

After consideration we will implement 3rd mehod with nonce as NLNico suggested.
NLNico will you verify our implementation of 3rd method tommorow? (will write here as soon it will be ready)
RHavar from what you are writing i predict you also have tech knowledge to verify our implementation. Hope you can do it also.

Yes. Let's do 10 bets w/o and w/ nonce:

Serverseed per roll without nonce
1. Click to see serverseed hash & copy it, change clientseed, make bet.
2. Verify if hash was really correct and check bet result.
3. Click to see serverseed hash & copy it, change clientseed, make bet.
4. Verify if hash was really correct and check bet result.
5. Click to see serverseed hash & copy it, change clientseed, make bet.
6. Verify if hash was really correct and check bet result.
7. Click to see serverseed hash & copy it, change clientseed, make bet.
8. Verify if hash was really correct and check bet result.
9. Click to see serverseed hash & copy it, change clientseed, make bet.
10. Verify if hash was really correct and check bet result.
11. Click to see serverseed hash & copy it, change clientseed, make bet.
12. Verify if hash was really correct and check bet result.
13. Click to see serverseed hash & copy it, change clientseed, make bet.
14. Verify if hash was really correct and check bet result.
15. Click to see serverseed hash & copy it, change clientseed, make bet.
16. Verify if hash was really correct and check bet result.
17. Click to see serverseed hash & copy it, change clientseed, make bet.
18. Verify if hash was really correct and check bet result.
19. Click to see serverseed hash & copy it, change clientseed, make bet.
20. Verify if hash was really correct and check bet result.

Serverseed with nonce
1. Click to see serverseed hash & copy it, change clientseed, make bet.
2. Make bet.
3. Make bet.
4. Make bet.
5. Make bet.
6. Make bet.
7. Make bet.
8. Make bet.
9. Make bet.
10. Make bet.
11. Get new serverseed hash to reveal old serverseed, verify hash and check bet results.

So first one (which we have currently) is bad (can be better). We will change it again after midnight (to give users ability to verify bets from current day).
Second one we had before, but both client seed and server was revealed (critical design flaw) before the game began. Server seed should be revealed after game, to not be able predict game results.
Third one, i can't wrap head around how it is faster to verify this than second method. After thinking a while its because you need to only copy one value from game (nonced client seed) while you always have (untill you change it) nonced server seed in script already.

If i got above correctly, we are ready to put third method live after midnight.

There will be added "Bet browser in Provably Fair tab". But you would need to know bet ID to pull out older game. How current popular sites do that? I would think of maybe option to pull out in simple text form list of last 200 bets for example with data || to be able to verify in quick way many bets quickly.