Topic: [DICE]Bikinidice, Multicurrency,auto bet, range selector.AUCTION, PLEASE ENTER !! - page 36. (Read 56002 times)

legendary
Activity: 1554
Merit: 1000
Good luck with your site. Do you plan to accept XMR as a payment method, too?
full member
Activity: 238
Merit: 100
Normally I would privately disclose this and kindly ask for a bounty. But considering it's not yet implemented I guess I could just reply here. Any bounty would still be appreciated though (donation addy is in signature.)

TXID: ab2138ec3a6b723a3b4b479930b5b864dba7ce9d8568c70c8bd07fa36a881eda

Thanks!
full member
Activity: 238
Merit: 100
Hide bots when?  As soon as you get a real customer?  As I said to somebody, it could be that you are trying to promote a legitimate gambling site.  You just have to prove it.  I have nothing against you.  Good luck!

Got 3 reasons to make our bots.

1. Marketing reason
Some players need to see other users to play a game. This marketing strategy, however, has its negative side. You said that our users always lost when in fact they were simply our bots.

2. Stress test
We need to test our database with a large amount of data.

3. Provably fair check
We try to calculate the long-term profit of our dice game with many fake bets made by bots.


I have nothing against you.

I know, don't worry. Me/you/my partners are only bitcoin fans.
full member
Activity: 210
Merit: 100
I think you should remove the 'bots' (user ids under 10000). While you obviously just want the site to look more active, having a bunch of obviously fake random bets isn't going to attract serious players, and people will probably feel more involved in your site if they can watch real players playing according to their own patterns.

Yes we will hide our bots soon

Hide bots when?  As soon as you get a real customer?  As I said to somebody, it could be that you are trying to promote a legitimate gambling site.  You just have to prove it.  I have nothing against you.  Good luck!
full member
Activity: 238
Merit: 100
I think you should remove the 'bots' (user ids under 10000). While you obviously just want the site to look more active, having a bunch of obviously fake random bets isn't going to attract serious players, and people will probably feel more involved in your site if they can watch real players playing according to their own patterns.

Yes we will hide our bots soon
member
Activity: 117
Merit: 100
I think you should remove the 'bots' (user ids under 10000). While you obviously just want the site to look more active, having a bunch of obviously fake random bets isn't going to attract serious players, and people will probably feel more involved in your site if they can watch real players playing according to their own patterns.
full member
Activity: 238
Merit: 100
Dear user 13328,
https://blockchain.info/address/1Ctv6Yph1YnqVYu1yW73oVt9YcpebeUtyo

Thanks for testing our anti-double-spending system.

It was a pleasure to verify proper operation!
full member
Activity: 238
Merit: 100
Does anyone need an official API? We saw many robo-rolls.
member
Activity: 61
Merit: 10
member
Activity: 61
Merit: 10
WOW!!!
Great idea!!!
Now I can choose my lucky number  Grin Grin Grin
I like your website so much!!!
full member
Activity: 238
Merit: 100
Ah, it's morning where you are?  So you gave me a clue.  Maybe you are in Latin or South America after all, or even in the USA, as an immigrant from Russia. Keep talking, I want to know more about you my friend.

No bro, it's morning where you are  Grin

full member
Activity: 210
Merit: 100
Whether or not he is corrupt remains to be seen.  He may even be honest, albeit slippery and without any morals whatsoever.

Good morning to you too Tony  Kiss

Ah, it's morning where you are?  So you gave me a clue.  Maybe you are in Latin or South America after all, or even in the USA, as an immigrant from Russia.  Keep talking, I want to know more about you my friend.
full member
Activity: 238
Merit: 100
A bit confused by the design.. Can you make it easier on the eyes?

What do you mean in particular?  Huh

We think it is a good/soft layout, or not?

newbie
Activity: 26
Merit: 0
A bit confused by the design.. Can you make it easier on the eyes?
full member
Activity: 238
Merit: 100
Whether or not he is corrupt remains to be seen.  He may even be honest, albeit slippery and without any morals whatsoever.

Good morning to you too Tony  Kiss
full member
Activity: 210
Merit: 100
You are kinda lucky you post this before implementing it:
 
See the problem? The rolls will be the same as the previous 10 and we know the outcome. A decent attacker would do this only with 100 or 1000 bets to make it less obvious. He could slowly win all your funds. This is the same way satoshicarnival.co got "hacked" and lost like ~5 BTC.  

Solution: use a separator. Like n:c:n,n:s:n > $nonce.":".$clientSeed.":".$nonce,$nonce.":".$serverSeed.":".$nonce
 

Most times the server seed is random though and the actual roll generation is based on the SHA512 HMAC of the seeds+nonce.

Nice spot of a programming error.  Indeed you could have stayed silent and profited.  But I doubt this character gives you any reward.  He's a slippery character out to make a quick buck, it seems to me.  Whether or not he is corrupt remains to be seen.  He may even be honest, albeit slippery and without any morals whatsoever.

It's also an example of why you should never do your own "home grown" randomizer.  (A programmer's rule of thumb that I have broken myself; I code in C#.)  In fact, had he used rand(), as you say, perhaps rand() can be broken, but it would not have been as easy to break as the error he made that you saw.

Also it's interesting that the loss of a mere 5 BTC (about USD $3000) will shut down a site.  Thinly financed, fly by night.
full member
Activity: 238
Merit: 100
We've got another roll function right now.

But 10852 is extremely suspicious  Grin
full member
Activity: 238
Merit: 100
Normally I would privately disclose this and kindly ask for a bounty. But considering it's not yet implemented I guess I could just reply here. Any bounty would still be appreciated though (donation addy is in signature.)

You have helped us, we will reward you Bro. Smiley
legendary
Activity: 1274
Merit: 1001
"shh, he's coding..."
@NLNico
Thanks NLNico!

He has not yet implemented this because he needs to do more testing, so don't worry.
legendary
Activity: 1876
Merit: 1295
DiceSites.com owner
You are kinda lucky you post this before implementing it:

Code:
$globalSeedVarchar=hash_hmac('sha512',$clientSeed.$nonce,$serverSeed);
This is extremely vulnerable. An attacker could probably steal all your coins this way.

Let's say my clientseed is "hacker1":

$clientSeed.$nonce

will become:

#1 - hacker11
#2 - hacker12
...
#8 - hacker18
#9 - hacker19

Now after 9 bets, I will change my clientseed to "hacker":

#11 - hacker11
#12 - hacker12
etc.

See the problem? The rolls will be the same as the previous 10 and we know the outcome. A decent attacker would do this only with 100 or 1000 bets to make it less obvious. He could slowly win all your funds. This is the same way satoshicarnival.co got "hacked" and lost like ~5 BTC. They decided to close the site afterwards and work out a refund plan with their investors. This btw only works if the serverseed is not forced to change after changing the clientseed, but this seems common practice to me.

Solution: use a separator. Like n:c:n,n:s:n > $nonce.":".$clientSeed.":".$nonce,$nonce.":".$serverSeed.":".$nonce

Normally I would privately disclose this and kindly ask for a bounty. But considering it's not yet implemented I guess I could just reply here. Any bounty would still be appreciated though (donation addy is in signature.)

About the function rand(), you could consider reading this 35 page paper "I Forgot Your Password: Randomness Attacks Against PHP Applications". Basically rand() is not random enough and should be considered vulnerable. Although I am personally not sure what an actual attack vector against your implementation would be.

Basically using openssl_random_pseudo_bytes() or as fallback mcrypt_create_iv() will be better than rand() or mt_rand(). You should/could definitely google a bit on that too. Most times the server seed is random though and the actual roll generation is based on the SHA512 HMAC of the seeds+nonce.
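The collision NLNico describes, reproduced as an added example (this is not code from the thread, from the site, or from NLNico). PHP's hash_hmac('sha512', $msg, $key) is standard HMAC-SHA512, so Python's hmac module yields the same digests for the same inputs. The server seed, the bet sequence and the roll derivation (first 8 hex characters of the digest, mod 10000) are constructed here for the demonstration and are assumptions; the site's real roll function is not shown in the thread. The block also shows the n:c:n / n:s:n separator fix suggested above and a CSPRNG-backed server seed, the counterpart of the openssl_random_pseudo_bytes() advice in the last paragraph.

```python
"""Seed/nonce concatenation collision in a provably-fair dice scheme, plus the fix.

Added example, not the site's code. SERVER_SEED, the bet sequence and roll()
are constructed for illustration (assumptions); hash_hmac('sha512', ...) in PHP
is the same HMAC-SHA512 that hmac.new(key, msg, hashlib.sha512) computes here.
"""
import hashlib
import hmac
import secrets

SERVER_SEED = "example-server-seed-do-not-reuse"  # constructed for the demo


def vulnerable_seed(client_seed: str, nonce: int, server_seed: str = SERVER_SEED) -> str:
    """Mirrors $globalSeedVarchar = hash_hmac('sha512', $clientSeed.$nonce, $serverSeed).

    The client seed and the nonce are concatenated with no delimiter, so the
    HMAC message is ambiguous: ("hacker1", 1) and ("hacker", 11) both hash "hacker11".
    """
    msg = f"{client_seed}{nonce}".encode()
    return hmac.new(server_seed.encode(), msg, hashlib.sha512).hexdigest()


def safe_seed(client_seed: str, nonce: int, server_seed: str = SERVER_SEED) -> str:
    """Delimited form from the thread: message n:c:n, key n:s:n.

    The nonce is digits only, so the first ':' unambiguously ends it; two
    (client_seed, nonce) pairs can only produce the same message if both
    the nonce and the client seed are identical, even if a seed contains ':'.
    """
    msg = f"{nonce}:{client_seed}:{nonce}".encode()
    key = f"{nonce}:{server_seed}:{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha512).hexdigest()


def roll(seed_hex: str) -> int:
    """Map a hex digest to a 0..9999 roll (assumed mapping, not the site's)."""
    return int(seed_hex[:8], 16) % 10000


def new_server_seed(nbytes: int = 32) -> str:
    """Server seed from the OS CSPRNG (Python's secrets module), the analogue of
    PHP's openssl_random_pseudo_bytes(); never rand()/mt_rand() for this."""
    return secrets.token_hex(nbytes)


def find_collisions(derive, bets):
    """Return [(earlier_bet, later_bet), ...] for bets whose derived seed, and
    therefore roll, repeats one already seen. derive(client_seed, nonce) -> hex."""
    seen = {}
    collisions = []
    for client_seed, nonce in bets:
        digest = derive(client_seed, nonce)
        if digest in seen:
            collisions.append((seen[digest], (client_seed, nonce)))
        else:
            seen[digest] = (client_seed, nonce)
    return collisions


def attack_sequence():
    """NLNico's sequence: nine bets as 'hacker1' (nonces 1..9), then switch the
    client seed to 'hacker' and keep betting; nonces 11..19 replay the first nine."""
    bets = [("hacker1", n) for n in range(1, 10)]
    bets += [("hacker", n) for n in range(10, 20)]
    return bets


def demo():
    """Run the same bet sequence through both derivations; returns (vulnerable, safe)
    collision lists. Expected: nine replayed bets for the vulnerable form, none for the fixed one."""
    bets = attack_sequence()
    return find_collisions(vulnerable_seed, bets), find_collisions(safe_seed, bets)


if __name__ == "__main__":
    vuln, safe = demo()
    for (c1, n1), (c2, n2) in vuln:
        print(f"bet {c2!r} #{n2} replays {c1!r} #{n1}: known roll {roll(vulnerable_seed(c2, n2))}")
    print(f"collisions with separator: {len(safe)}")
    print(f"fresh server seed: {new_server_seed()}")
```

Run it directly and it lists every bet in the second half of the sequence whose outcome the player already knows from the first half. Note the caveat in the thread: the replay only pays off if the server seed survives the client-seed change, so forcing a new server seed whenever the client seed changes closes the hole as well, but the delimited message is the correct fix regardless, because it removes the ambiguity instead of relying on seed rotation.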