This is from an interesting pdf https://anonymousfiles.io/UeRFSjpa/
Suppose Alice manages to convince Bob to provide 𝑠𝐵 before she provides 𝐶(𝑠𝐴). We will show in this case how Alice can gain a slight advantage over Bob (in excess of the advertised house edge) using very little computational power. One example of a site employing this flawed scheme is FortuneJack [11].
One additional aspect of the scheme used by FortuneJack is that the client can define what constitutes the winning outcome. After providing 𝑠𝐵 and receiving 𝐶(𝑠𝐴), the client can freely choose the corresponding winning range and thereby the payout. The server fixes a house edge, so that defining one of the winning range or the payout automatically fixes the other value such that in expectation, the house edge is achieved.
The client will generally pick between two game variants. The first is a high risk, high reward game. In this game type, the client wins in less than 50% of the output space. The other option is a low risk, low reward game where the client wins in more than 50% of the output space. An example of this can be seen in the image above. By observing the public log for some time, we noticed that a vast majority of players choose the high risk, high reward game, which is perhaps more in the spirit of gambling.
Undoubtedly, the server has clearer data regarding client preferences. If the server can target clients who play the high risk, high reward game, it is able to skew results in its favor by selecting an advantageous 𝑠𝐴 given its observation of 𝑠𝐵. The reason is that if the client wins in less than 50% of the output space, there is a range in the middle for which, regardless of which side the client chooses, the server will always win. For the example in the image, the client wins if 𝐺(𝑠𝐴,𝑠𝐵) ∈ [0,20) or 𝐺(𝑠𝐴,𝑠𝐵) ∈ [80,100).
The client does not always switch its seed after every roll. Instead, the game function is computed with an incrementing nonce over many rolls. This complicates the attack slightly, but still allows for noticeable deviations assuming a reasonably bounded maximum nonce value. The server can simply compute the average maximum nonce value for a given client and use that as its target nonce.
Given both the client’s preference for the high risk, high reward game and a bounded nonce 𝑛∗, the server simply tries a few different hash values and computes the function below. Note that 𝐺(𝑠𝐴,𝑠𝐵) will output a list of rolls of length 𝑛∗.
$$v(s_A, s_B) = \sum_{i=0}^{n^*-1} \left( G(s_A, s_B)[i] - 50 \right)^2$$

$$\arg\max_{a} \; f(x) = \{\, v(a, s_B) \mid a \in \sigma_A \,\}$$
In effect, the server is looking for a seed value 𝑎 = 𝑠𝐴 such that for a given 𝑛∗ and 𝑠𝐵, there are more numbers close to 50 than would be in expectation. The value function 𝑣(𝑠𝐴,𝑠𝐵) is just one example of what the server might be optimizing for. A more sophisticated attacker would use the behavior of the client to adjust the value function.
It is not feasible to get the optimal value 𝑎 ∈ 𝜎𝐴, since the space of all seeds is too large. However, it is enough for the server to select a small subset of 𝜎𝐴 and look for the best 𝑎 within that subset. To reduce suspicion, the server could simply generate random 𝑎 values and compute the value functions for these seeds up to a certain time threshold, so that it is harder to detect foul play.
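To make the cost of the wrong ordering concrete, here is an added simulation (not from the pdf, and not FortuneJack's code) that measures the high-risk client's win rate when the server seed is fixed independently of 𝑠𝐵, as a commit-first protocol enforces, against a server that samples a handful of candidate seeds after seeing 𝑠𝐵 and keeps the one whose rolls cluster closest to 50. The game function, the seed sizes and the win range [0,20) ∪ [80,100) are assumptions: the pdf does not give the site's actual 𝐺, so an HMAC-SHA256 stand-in is used.

```python
import hashlib
import hmac
import random


def game_roll(server_seed: bytes, client_seed: bytes, nonce: int) -> float:
    # Constructed stand-in for G(s_A, s_B) with an incrementing nonce:
    # HMAC-SHA256 keyed by the server seed, mapped to a roll in [0, 100)
    msg = client_seed + nonce.to_bytes(4, "big")
    digest = hmac.new(server_seed, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") % 10000 / 100


def rolls(server_seed: bytes, client_seed: bytes, n_star: int) -> list:
    # G(s_A, s_B) as a list of n* rolls, one per nonce 0 .. n*-1
    return [game_roll(server_seed, client_seed, i) for i in range(n_star)]


def client_wins(r: float) -> bool:
    # The page's high risk, high reward example: client wins on [0,20) or [80,100)
    return r < 20 or r >= 80


def value(server_seed: bytes, client_seed: bytes, n_star: int) -> float:
    # v(s_A, s_B) = sum over i < n* of (G(s_A, s_B)[i] - 50)^2; a small v means the
    # rolls sit in the middle band where the high-risk client cannot win
    return sum((r - 50) ** 2 for r in rolls(server_seed, client_seed, n_star))


def choose_server_seed(client_seed: bytes, n_star: int, tries: int, rng) -> bytes:
    # Server that already knows s_B: sample `tries` random candidates a from the
    # seed space and keep the one whose rolls cluster closest to 50 (smallest v)
    candidates = [rng.getrandbits(256).to_bytes(32, "big") for _ in range(tries)]
    return min(candidates, key=lambda a: value(a, client_seed, n_star))


def simulate(rounds: int = 200, n_star: int = 10, tries: int = 20, seed: int = 1):
    # Returns (win rate with s_A fixed independently of s_B, win rate with s_A
    # chosen after s_B); the first is what a commit-first ordering guarantees
    rng = random.Random(seed)
    fair_wins = skewed_wins = 0
    for _ in range(rounds):
        client_seed = rng.getrandbits(256).to_bytes(32, "big")
        fair_seed = rng.getrandbits(256).to_bytes(32, "big")
        fair_wins += sum(map(client_wins, rolls(fair_seed, client_seed, n_star)))
        skewed_seed = choose_server_seed(client_seed, n_star, tries, rng)
        skewed_wins += sum(map(client_wins, rolls(skewed_seed, client_seed, n_star)))
    total = rounds * n_star
    return fair_wins / total, skewed_wins / total


if __name__ == "__main__":
    fair, skewed = simulate()
    print(f"client win rate: seed fixed first {fair:.3f}, seed chosen after s_B {skewed:.3f}")
```

Even with only 20 candidate seeds per client, far fewer than the pdf's time-bounded search, the gap between the two rates dwarfs any advertised house edge.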
There is not much the client can do to defend against this attack aside from choosing to play the low risk, low reward variant of the game. Proving that the server is employing such a scheme would be equally difficult without access to the entire history of rolls, which is not available to the public. Testing the random number generator would require a large amount of cryptocurrency, which might be out of reach for most clients.
https://pasteboard.co/IB99iCp.jpg