The game works and the code is well tested. Go review it yourself.
I have =)
There is no need to be aggressive and start making wild, unfounded accusations. Let’s keep it civil please!
Sure, I'm merely asking some questions which you aren't giving a straight answer to =)
We have some of the finest developers in Ethereum on our team.
This I have no doubt
Our coders and game are live, working and can be verified. We are obviously legitimate.
Now, I have no idea why you are posting the same questions, over and over, in
EVERY forum. Because you have been ignoring my questions for days, which make me believe you are hiding something
I would think "blockchain nerds" like yourselves, would be happy to discuss things on a technical level
Requesting to kindly keep this just one forum.
It's really annoying to have to go and paste the same answer over and over again.
Sure, I'd be happy to keep it here if you reply to me here.
The very reason why the authenticated JSON-RPC APIs of random.org are used, is because of the "requestsLeft" field which is returned by each API call response ( https://api.random.org/json-rpc/1/signing ). This field content is tied to the API credentials specified in the query and is there to indicate how many requests are left in a given day.
However, AFAICT your contract never actually checks the "requestsLeft" field or the ids. Am I wrong? You also provide no tooling to check if any are skipped. Furthermore, this does not provide protection against oraclize making 2 or more requests at the same time, and re-arranging them. I would assume a properly designed contract would have an explicit checks for the id that it expects, and only accept a result that matches the one it expects?
Furthermore, using a service like random.org seems backwards, because there is absolutely no guarantee they're giving you a fair result. Contrast this provably fair bitcoin gambling services, where a cryptographic proof exists that the number was fair.
If we check all the TLSNotary proofs published on the blockchain (which contain the whole API response!), an independent auditor can verify whether any subsequent number in the "requestsLeft" fields is missing - when that happens, the auditor has a good indicator that something wrong happened (either on the Oraclize side - which sent more requests than expected - or by any external party knowing that specific API key (vDice itself & random.org)).
Why do you verify the TLS, when api.random.org actually provides its *own* signature. Checking the api.random.org signature seems to be the correct thing to do, not the TLS one. By verifying the TLS signature instead of the api.random.org one, it just introduces more opportunities for a party to cheat (notably: cloudflare, which the requests are going though).
Of course this doesn't say much about the intent in itself (can just be some failure in the HTTP request, which had to be sent again), but in general it provides some level of security against replay attacks.
Well, then it's not really provably fair as a player/investor has no way to distinguish being cheated with "http request failure"
I could go on forever about this. But, as I said before, it is an issue of centralization v decentralization.
Again this is nonsense. You have 1 decentralized part (ethereum contract) and 3 centralized single-points-of-failure (orclize, cloudflare, random.org). Players have significant less protections than playing at a current bitcoin gambling site, with a better user experience. I fail to see a single*advantage that your site offers a player, other than affording you the possibility of getting rich with an ICO