Topic: How can Bitsler and Primedice cheat players? (Read 488 times)

I understand your concern,  I myself have been looking at the figures and saw that too many gamblers had not 1-2 or even 5% loss
many were like 20-50% (especially the ones with only so many high roller bets) in the red
but as I pointed out above, people do not know  how to manage their banks ,they chase loss, they engage in extremely risky martingales etc.
I do not exclude the possibility that casinos  cheat, but this would mean the whole cryptography and provably fair is flawed and all of the owners are conspiring against us poor gamblers
which is very far fetched
RHavar explained it perfectly , reread his posts in this thread

This is very hard to calculate because you need to play a number near infinite to get a real value.
If you have money to lose you can try to play with the minimal amount of bet and get a decent value as result, I think if you can play 10000 games you will get a "real value" but if you test this you most likely you will lose money for obvious reasons.

IMHO gamblers lose, on average, way more than 1% house edge

That is exactly what worries me, it is not as simple as they claim it because of 1% house edge.
I think there this more going on behind the curtain, which is not right.

casinos are making enough money because of the house edge and the ignorance of the vast majority of gamblers as to the simple gambling practices
casinos do not need to cheat you for you to lose , you are bound to lose 1 bitcoin out of 100 bitcoins wagered in the long run, I mean collectively, of course there is variance
but IMHO gamblers lose, on average, way more than 1% house edge
many are oblivious to the math behind the game they are playing, hell , many are in all seriousness claiming that they just have been cheated because they had 15 reds in a row
or they "cannot be losing every time they play on this site" - yes you can if you don't know how to play

This is just so perfect. You guys can just read this and this thread is already over.

RHavar basically talks about how it is perfectly provable that if a casino can scam you or is looking out to scam you in anyway and lays down all the possible ways. There will never be any other messages that shows clear ways of how it could be done any better than this.

Unless you are playing on a website that has bad provably fair code either knowingly for bad reasons or unknowingly for incompetent reasons all you have to do is to go play there and see that their provably fair works with couple of checks and if you can deposit and withdraw small amounts it means you can gradually increase the amount and you will be fine.

When huge casinos are making thousands of bitcoins every single year and profiting so much that its a wonder how this is not a crime (yes that much profits) it would make NO sense to scam anyone from their point of view.

thanks for such a valuable information.

Just google "x verifier" and you'll find quite a few. The ones on jsfiddle are the easiest to see the source code of, although personally I'm a fan of dicesites.com which has a verifier there. It doesn't appear to be opensource, but it doesn't particularly matter if you trust it to be independent from the site you're verifying. You can also just save the page and run it offline if you're worried. The site's code is also pretty readable if you're familiar with jquery  (after throwing it through a js formatter...)

Please tell me if bitsler and primedice have open source code?

Going to ignore the first half of your message because its just you being smug and contradicting the lower half of your message.
(Seriously how are you still trying to argue about provably fair while I never said it was the problem?)

But yes! Perfect justdice quote, now we're getting somewhere!

So let me recapitulate, you're telling me that after all the security and provably fair mishmash, in the end, justdice uses the last 3 bytes of the hmac output, creates a number, and divides it by 10k? This part right here buddy, that you need to verify every time you want to trust a website.

Sure, im very sure justdice are legit. But you could EASILY, for example instead of divide by 10k and get the dice roll, you divide and substract 5 every time. Or use modulo to turn every nth number into a 0 bet... Oh and flash news, YOU WOULD GET THE SAME RIGGED OUTCOME EVERY TIME. So where can you check that they dont do this? You need to read the verifier source code.

If the verifier isnt open sourced, you cannot prove that the website isnt scalping the house edge. Even if it is open source, you need to verify that the part where the hex output becomes a bet roll is uniformly distributed on the target interval.

I would recommend reading: https://dicesites.com/provably-fair it has a great overview

But to answer your points:
a) You don't need "trust the implementation", you just need to verify your rolls (.e.g. use an external trusted tool, like one I linked to in my previous post)
b) "convert into a roll"  must be included in the provably fair system, or it would make no sense at all
c) You do not convert to a "completely random number", in fact it's provably it's not.

Not really. The output is a 256 bit. It's most commonly represented in hex, but you can just as easily write in any way you want. It's really just a huge number.  Or probably best thought of an ordered list of 256  "1s" and "0s".


You don't.


Did you even read the description on just-dice? It literally specifies *exactly* how this is done:


You will notice all the verifiers follow that exact procedure, to all arrive at the exact same rolls.

I'm not doubting the provably fair system, I'm doubting its implementation.

I understand how hmac works. But what you don't understand is that "convert into a roll" isn't included in the provably fair bit.

You can take a game seed and server seed and nonce, and generate a completely random number. This is true, and provable.

But what's the output of the hmac-sha256 hash algorithm? It's a hexadecimal string of bytes. How do you turn this into a random number? By generating say a big int, or an int, or using the string into a pseudo-random generator, it doesn't matter really, because so far, the number is still random and reproductible in the future using the same server + client + nonce input.

But this is where you can't tell me there's any provably fair bit. How do you turn this random number, into a bet? You're not telling me that just-dice generates random numbers written as integers between 1 and 100. This is just not true. So you have to take the random number, and somehow convert it into a bet between a limited interval.

THIS conversion is what a lot of websites use to take a higher house edge than what they might advertise. This also needs to be double-checked in every bet verifier script, because you can easily modify the function that maps every random bigint value to a closed bet interval.

You're kind of mixing up terminology here, but you're also on the wrong track. Provably fair means you can prove the game was fair. End of story. If you can't do that, then it's not provably fair.



This is all making no sense. Let's use Just-Dice.com provably fair system for reference (mainly just because it's the basically the scheme pretty much everyone uses): https://just-dice.com/ and click "fair?"

There's no randomness employed. It's all based on cryptographic hashes ( hmac.sha512 ) in particular. The problem with randomness is that you can't prove that it's in fact random. That's why they use the output of a hash function.  Although the site probably uses randomness itself to generate the original server seed, but it's irrelevant to the user.



This makes absolutely zero sense. If you don't understand how it works, it's best to just ask or take a look instead of coming up with a random guess and then hypothesizing how it's broken. A proper provably fair scheme guarantees an exact house edge, because they encode the way to convert the output of a hash into a game result. From that you can derive an exact house edge.



All decent provably fair sites have fully open source client side verification tools that are hosted externally. For just-dice:

http://rgbkey.github.io/just-dice/
http://jsfiddle.net/usrfyxn0/show/
https://bitcointalksearch.org/topic/m.10190283
https://github.com/VolosStorm/JD-Roll-Verifier


You'll notice all of them convert into a roll, thus encode the house edge (1% in this case).

Those all don't touch a point that very little people realize.

Provably fair means that you can re-create the seed using known hashes.

I could stay here and talk about provably fair all day long, it works, and it stands for something. But the other element that people miss is how a random number is turned into a gambling number. For dice, for roulette, for god knows what kind of gambling system that uses random numbers to generate its bets.

You see, the original number CAN be random, but the way it's converted into a bet would make all the difference, and makes me seriously doubt every gambling website out there.

It's simple :

You generate a true random number using server + client seeds + a nonce that gets incremented. So far so good. But once you do generate the random number, (let's say that has a range of 0 - 1.000.000), instead of having your algorithm use a normal distribution to convert the random number into a percentage, you lie in your odds.

Say every number between 0 and 50.000 will result in a losing bet of 1x, but everything else will increment into a nice exponential looking slope.

This effectively makes the house edge 5%, and goes completely undetected, and unprovable unless you have access to the code that turns a random number into a bet.

This is probably very common because rare are the websites that open-source, and fully client-side their bet verifiers. And even then, you'd need someone with knowledge to go into the source code, verify that there isn't a hidden range that benefits the house more than they should.

Excellent question. This is the exact sort of question that needs to be asked.

So the very first, and most important thing that needs to be verified is if the provably fair algorithm itself makes sense. I can't remember the scheme bitsler uses (and the site doesn't appear to be working for me at the moment to take a quick look) but primedice uses the sort of "industry norm" scheme which I believe was originally made by just-dice.com (if memory serves..).

I can't really offer proof it's sane, but I can assure you it is. There's been a lot of provably fair schemes from shitty sites that don't make any sense, like those incompetent enough to use md5 (wtf??) or those malicious-enough to insert information directly under their control (999dice did this with the "bet id") or produce a house edge larger than advertised.

So let's just assume that PrimeDice's scheme is fair (which is is ) we need to ask "how can they still cheat" and we can come up with a list:

1) They don't credit your deposit
2) They don't process your withdrawal
3) They don't properly adjust your balance according to the bets
4) They give you a maliciously picked client seed (or alter the code that generates them to do so)
5) The bet results don't match what they should (i.e. altered bet amounts / targets / outcome )



So  1) and 2) are the most obvious and easiest to verify (you're probably already doing this without paying much attention). 3) Is a little annoying to do, but pretty simple maths.  4) Is the hardest to verify, I personally would never even try bother. Just just always pick your own client seed, so you don't need to worry about if their generation is rigged or not. And 5) is the most annoying, you need to record all your bets, your client seed, and the server seed hash (before you started betting...)  and then match them all.


If you do all that, and it all checks out -- then you are guaranteed you weren't cheated.  Hence the site is "provably fair".


But if we're discussing weaknesses: The biggest weakness by far is that if you are cheated, you can't prove it (it's not non-repudiable). It would be 100% your word against theres, and people would tend to err on not believing you.

The good news though is, none of the serious sites would even consider scamming you. I've been following the space closely (and a former casino operator) and haven't seen a single credible scam accusation against PD in the last ~4 years.   From a business point of view it just wouldn't make much sense.

That question rather sounds rhetorical to me 

Good point. In 2018, if they can't cheat you through games, they can easily get away with cheating by introducing all sorts of terms and conditions as if the website pays taxes to the government. I'm not worried about provable fair games as I'm with the terms and conditions.

Well said chief! It's sad to see you finally getting the tags over the shady betking operations.

Was reading something similar on a faucet website, basically, it seems the website changes the seeds on when high rolls come.

I don't know if is possible to do the same on those big websites but, to get a better point of view on this potential problem read here Freebitco.in provably cheating

Some payouts are checked/done by hand which takes time. Of course, some may just claim to check, some may check when it's not the case.
But just think that they did the same in 2017 and then the players got more $ when the casino delayed the withdrawal. So no, you better go with the mindset that 1 Bitcoin = 1 Bitcoin. It could help you stay same in years like 2018


If you want technical, we're back to provably fair. As others said, with provably fair your bets can be checked.
In theory the casinos could get 3rd party audit now and then for extra trust.
In practice, and this is what interests you, I guess that a casino could "cheat" and not all the bets would be provably fair. But I think that sooner or later such practice would be caught and then that casino is doomed and the owners will face lawsuits. So imho it's not worth it, especially for big established casinos. I mean, why would somebody risk to ruin a well working business for some extra bucks?

Thanks for your reply, ya this can also be one of the cheating method but I am more interested in the technical type of cheating behind the curtain. It might be possible that they have designed the software to payout 50% of all player deposit with in 24 hours and no matter how you play you can not suck out more than the previously fixed amount.
Please give your thought on that.

Please elaborate further about this afaik both sites only allow to change seed not hashes.

Did they cheated you? I am not sure how they can cheat you but priably fair means each and every games is just random they are not doing anything with that so don't thinka bout cheating on that,you may end up not paid the rewards when you win.