Author

Topic: Double Spend on Pocket Dice (Read 2753 times)

hero member
Activity: 602
Merit: 501
October 04, 2015, 02:39:19 AM
#28
Probably the best thing to do (like most other casinos here) is to only allow deposit once it hits 1 confirmation.
copper member
Activity: 2996
Merit: 2374
October 04, 2015, 01:42:08 AM
#27
It might be a good idea for others to be warned about both yakuza699 and amaclin who both have a history of executing double spend attacks on gambling websites.......
legendary
Activity: 1134
Merit: 1118
July 24, 2015, 02:17:19 AM
#26
Right now we updated our system to make it more secure from any future attempts of hacking.

No hacking took place here. Scamming - yeah, but no hacking took place. Yakuza exploited the ability to double-spend unconfirmed transactions and it hit you for a decent amount of money. I suggest you test double-spending against yourself so that you are 100% sure your system can't be double-spended against.
copper member
Activity: 2996
Merit: 2374
July 24, 2015, 12:38:15 AM
#25
Hello this morning I received a PM by BuyAreaCoins and he gave me this link https://www.reddit.com/r/Bitcoin/comments/3dygn9/double_spend_on_pocket_dice/.I was pretty shocked after reading it because who wouldn't when he is innocent.I am going to quote my self what I wrote on reddit.
Yakuza699 also tried sending a double-spend to repay his loan
Regarding that check this:
I would be weary about accept 0/unconfirmed transactions from this person.  
Not only with me but with everyone coins are not yours if they are unconfirmed.I knew(was not sure 100%) that that transaction will not confirm that is why I stated "If this tx doesn't confirm ask me to resend!" And that is what I just did.
https://blockchain.info/tx/162f89bbf6118bc06c2d26e6be5d1823b680f6f6c12b194bdaf3e568de2f3404
This time the transaction will confirmJust got confirmed. Sorry for all the inconvenience marco. I hope I don't have to take a loan ever again but if I do I will contact you.
It was an accident and I re-sent it.
Dude, it could not be more clear that you are behind this double spend attack. You should give back the BTC that you stole from pocket dice and give back the BTC that you stole from other casinos that similarly (stupidly) accept 0/unconfirmed deposits.

I have it on good authority that you were double spending against luckyb.it if you were not double spending against pocket dice. Furthermore there is a look of evidence that you were creating transactions designed to never confirm on their own.

Here you posted the address 12ZMT7Qn2rysM3XKxkSBrVfzdXXufoS13t and looking at the transaction history, you split up a single output of .4994BTC into over 90 outputs all to the same address, and all of roughly .0055BTC (in a single transaction with 0 fees attached to the transaction), and this would never have confirmed on it's own. You later consolidated these outputs to three outputs via 205d6967349a64d8f7c99deacfb5f37e733f5ec9a497f53d42afd03df48678c1 and then proceeded to make at least one bet with those new outputs that would never confirm on it's own. (there are other examples of this, however I think one should suffice)

In This thread, you were offering a 1 BTC bounty to pools who were willing to include transactions you give them in their found blocks. (this is somewhat circumstantial evidence against you, however it should certainly be taken info consideration). What you were asking for was essentially a way to be able to get double spend transactions confirmed and to get other low fee transactions confirmed when they shouldn't.

Here, you post about depositing 10 BTC to a site that accepts 0/unconfirmed deposits, gamble with that 10 BTC, and proceed to make over 4 BTC, all before the transaction confirms (you even say that it should confirm "in a few minutes" when you post that you will be withdrawing). People in that thread were suspicious of you, however there was little risk to you because if you lost then you would have simply double spent the transactions.

In this thread, you were told that creating a number of chained transactions will sometimes result in transactions that will be rejected by nodes other then blockchain.info (this is not exactly what you were doing above, however it did set the basis for your actions).

I have additional evidence against you, however I am going to keep that private for now.

tl;dr - do not accept a 0/unconfirmed transaction from yakuza699 and it is a bad idea to accept these kinds of transactions in general
legendary
Activity: 2562
Merit: 1414
July 23, 2015, 07:35:47 AM
#24
-snip-

This issue and thread is pretty cloudy. Im not sure what you are trying to get in this thread since you put an example of yakuza attempted a double spend on your site and thus this thread was placed on scam accusation.

However no proof / data is presented about this and it appears you are more into looking for a suggestion on how this issue wont be repeated in the future ( if this is so then this thread should not be in scam accusation )
If truly yakuza attempted a double spend on your site then you should present the proof to back what you claimed ( this is a form of scamming as well since he supposed to lose the 71.38 BTC )
sr. member
Activity: 342
Merit: 250
July 23, 2015, 07:23:15 AM
#23
We're glad this thread appears to be so important and relevant for you. We appreciate all your feedbacks and solutions you've offered. Some of them were really helpful and effective. Right now we updated our system to make it more secure from any future attempts of hacking.

Of course we understand that the most effective way to fight double-spends is to require confirmation of EACH deposit. Though we always have to balance between providing world-class user experience on one side and security on another.

Once again, many thanks for your support!
member
Activity: 84
Merit: 10
July 21, 2015, 11:12:04 PM
#22
I see there is also a mistake on the pocketdice side. Many bitcoin users know how to double spend zero confirmations with no fee transactions.
legendary
Activity: 1120
Merit: 1000
July 21, 2015, 09:45:20 PM
#21
The best way to avoid that problem is asking for 1 confirmation on all the depos, before any withdraw.  Wink

thats how the site works but the cheater is doing something to the coins when he was supposed to lost it all, double spending so the site wont recieve the lost coins like there is no deposit happened

No, you could start rolling with 0 confirmations, or did i miss something here? This is why almost EVERY dice site requires at least 1 confirmation before you can play.
hero member
Activity: 504
Merit: 500
July 21, 2015, 09:11:54 PM
#20
The best way to avoid that problem is asking for 1 confirmation on all the depos, before any withdraw.  Wink

thats how the site works but the cheater is doing something to the coins when he was supposed to lost it all, double spending so the site wont recieve the lost coins like there is no deposit happened
hero member
Activity: 714
Merit: 500
one for one and 1 2 3
July 21, 2015, 02:24:44 PM
#19
Big amount, sorry for your lost.
hero member
Activity: 518
Merit: 500
July 21, 2015, 10:51:53 AM
#18
I would point out 2 comments from Reddit, it's 100% true.



#1: Easy: Don't accept 0-conf. transactions.
    #2: Easy! Just wait up to 1 hour for your internet money of the future to go through!



It's really complicated to do it. Maybe require 1 confirmation on TX without fee like DiamondCardz said, but I don't know if it's possible..
legendary
Activity: 1288
Merit: 1043
:^)
July 21, 2015, 10:44:12 AM
#17
If you want to accept unconfirmed transactions, do not accept them with 0 fee,

this exactly, requiring 1 conformation on 0 fee transactions would be a possible fix to this issue.

also, you guys are practically advertising that your site has a vulnerability, and have not taken the site down to fix the issue. people will try to abuse this, guaranteed. of course, i could be wrong and youve already patched this problem up, but if you havent, taking the site down for a bit would be a good idea. in fact, it would be a fantastic idea.
legendary
Activity: 1134
Merit: 1118
July 21, 2015, 10:33:05 AM
#16
Don't accept unconfirmed 0-fee transactions. If you want to accept unconfirmed transactions, do not accept them with 0 fee, and/or immediately revoke the balance if a double spend attempt is detected and return it only if the original transaction is confirmed first (unlikely if a purposeful double spend has been made). The former is more preferable than the latter, as you can still gamble it all away and THEN double spend.
legendary
Activity: 3346
Merit: 3130
July 21, 2015, 09:52:10 AM
#15
The best way to avoid that problem is asking for 1 confirmation on all the depos, before any withdraw.  Wink
hero member
Activity: 935
Merit: 1002
July 21, 2015, 09:35:49 AM
#14
Hello this morning I received a PM by BuyAreaCoins and he gave me this link https://www.reddit.com/r/Bitcoin/comments/3dygn9/double_spend_on_pocket_dice/.I was pretty shocked after reading it because who wouldn't when he is innocent.I am going to quote my self what I wrote on reddit.
Yakuza699 also tried sending a double-spend to repay his loan
Regarding that check this:
I would be weary about accept 0/unconfirmed transactions from this person.  
Not only with me but with everyone coins are not yours if they are unconfirmed.I knew(was not sure 100%) that that transaction will not confirm that is why I stated "If this tx doesn't confirm ask me to resend!" And that is what I just did.
https://blockchain.info/tx/162f89bbf6118bc06c2d26e6be5d1823b680f6f6c12b194bdaf3e568de2f3404
This time the transaction will confirmJust got confirmed. Sorry for all the inconvenience marco. I hope I don't have to take a loan ever again but if I do I will contact you.
It was an accident and I re-sent it.
legendary
Activity: 1288
Merit: 1043
:^)
July 21, 2015, 08:49:40 AM
#13
I never understood this doublespend thing but thats not very fair to exploit in on the other hand why your system does not need at least 1 confirmation before the coins can be used.

because people like to be able to play when they want to, which is usually as soon as possible. to prevent this, usually casinos require 1 confirmation before being allowed to withdraw, but clearly that didnt work here.
newbie
Activity: 3
Merit: 0
July 21, 2015, 08:40:18 AM
#12
I never understood this doublespend thing but thats not very fair to exploit in on the other hand why your system does not need at least 1 confirmation before the coins can be used.
legendary
Activity: 1288
Merit: 1043
:^)
July 21, 2015, 08:38:14 AM
#11
Im impressed by everyone here attacking the site and why the allow such things instead of attacking the user that is actually CHEATING this site and seems like he tried to cheat others yet he has no negative trust, not even by op?

that would be because there is no sure proof provided that the person who abused the deposit system on pocketdice and initiated the double spend attack is the yakuza699 here on the forum. until such evidence is provided, leaving negative feedback on the user's profile would be on the hasty side.
hero member
Activity: 1624
Merit: 645
July 21, 2015, 08:33:34 AM
#10
Im impressed by everyone here attacking the site and why the allow such things instead of attacking the user that is actually CHEATING this site and seems like he tried to cheat others yet he has no negative trust, not even by op?
hero member
Activity: 518
Merit: 500
July 21, 2015, 08:05:22 AM
#9
I sent 0.001 BTC with 0 fee and I was able to gamble it right after the transactions was sent. Confirmations are needed only for withdrawal. If I lost my 0.001 BTC I could easily double spent it, because there's not waiting time between deposit and bets.
Just one yolo bet on 90% takes few seconds so you have a plenty of time to double spend it. I really like that we can use our money instantly after the deposit is done, but you should do something with double spends.
sr. member
Activity: 434
Merit: 250
July 20, 2015, 10:43:51 PM
#8
I`m pretty new to spotting a double spent address or how it works.

Any chance to screen cap how it looks like? since anyone can get pm`d by him or does future business w. that person.
hero member
Activity: 504
Merit: 500
July 20, 2015, 09:44:32 PM
#7
Hi everyone!

Today we'd like to talk about double-spending.

We've had a player named yakuza699 – he's got the same username on bitcointalk and is actually a Hero member here, which means he's a respected part of the community. Here is a link to his profile here: https://bitcointalksearch.org/user/yakuza699-136722.

He's been playing Pocket Dice for a while now using the same strategy over and over: he makes a large deposit, places a couple of low-risk ALL IN bets, and then withdraws. All his game sessions have been profitable for him though yesterday he returned to Pocket Dice, deposited 71.38 BTC and lost them all. This happens sometimes as this is the game of chance. What happened next was he double-spent his deposit transaction.

So why are we writing all this? Just to say you all should beware of any kind of cooperation with yakuza699. Moreover, you should never seriously rely on user's rating at Bitcointalk.

Has anyone of you ever had any cooperation with yakuza699? did he also double spend in your web services?
Any ideas on how to solve this will be aprreciated.

why such a gambling site accepts instant deposit since double spend attacks isn't new in the BTC world? can you give more proof that yakuza699 in your site is the same yakuza699 here at BCTalk?
legendary
Activity: 1288
Merit: 1043
:^)
July 20, 2015, 09:06:51 PM
#6
How did he double spend? Your system is vulnerable?

Post this on the scam accusations section with your evidence.

my guess is that he sent a 0 fee deposit to pocket dice then broadcast a second transaction with a fee to get the network to forget about the first transaction.

1st question, why do you accept double spend transactions? Secondly, could you provide the txid's of the transactions in question, and other evidence to link that profile to the person you are claiming scammed you?

question is, why do they accept 0 fee deposits? accepting them is ok, but they should wait for 1 confirmation in the case the deposit transaction has no fee as those are vulnerable to double spending. other than that, we do need proof the account on your site that initiated this double spend is indeed yakuza699, 71+ BTC is not a small amount.
copper member
Activity: 2996
Merit: 2374
July 20, 2015, 08:59:37 PM
#5
1st question, why do you accept double spend transactions? Secondly, could you provide the txid's of the transactions in question, and other evidence to link that profile to the person you are claiming scammed you?
hero member
Activity: 602
Merit: 500
July 20, 2015, 07:04:55 PM
#4
Yakuza699 also tried sending a double-spend to repay his loan..                                               

Repaid 0.43(+0.01) damn it took longer than I fault.
https://blockchain.info/tx/c985bc196067e84ac11f595dc7d25f7d342e009dfbd1b9433804d07950ff996d
EDIT. If this tx doesn't confirm ask me to resend!

That's not very nice Sad now I have the tag: Warning! this bitcoin address contains transactions which may be double spends. You should be extremely careful when trusting any transactions to or from this address.
Don't worry it will vanish after 2-3 days plus it's only on blockchain.info block explorer.

The transaction has failed please resend it.
It looks like yakuza699 actually double spent the transaction. I would be weary about accept 0/unconfirmed transactions from this person.  
full member
Activity: 182
Merit: 100
July 20, 2015, 05:51:42 PM
#3
How did he double spend? Your system is vulnerable?

Post this on the scam accusations section with your evidence.
hero member
Activity: 633
Merit: 591
July 20, 2015, 02:34:54 PM
#2
Today we'd like to talk about double-spending.
[...]
Any ideas on how to solve this will be aprreciated.

Simple. Do not provide services that are vulnerable to double-spending.
sr. member
Activity: 342
Merit: 250
July 20, 2015, 10:16:43 AM
#1
Hi everyone!

Today we'd like to talk about double-spending.

We've had a player named yakuza699 – he's got the same username on bitcointalk and is actually a Hero member here, which means he's a respected part of the community. Here is a link to his profile here: https://bitcointalksearch.org/user/yakuza699-136722.

He's been playing Pocket Dice for a while now using the same strategy over and over: he makes a large deposit, places a couple of low-risk ALL IN bets, and then withdraws. All his game sessions have been profitable for him though yesterday he returned to Pocket Dice, deposited 71.38 BTC and lost them all. This happens sometimes as this is the game of chance. What happened next was he double-spent his deposit transaction.

So why are we writing all this? Just to say you all should beware of any kind of cooperation with yakuza699. Moreover, you should never seriously rely on user's rating at Bitcointalk.

Has anyone of you ever had any cooperation with yakuza699? did he also double spend in your web services?
Any ideas on how to solve this will be aprreciated.
Jump to: