Pages:
Author

Topic: Hufflepuff Making 2k BTC On PrimeDice Nov 2014. March 2015 Update: He Cheated - page 27. (Read 50041 times)

sr. member
Activity: 252
Merit: 250
crazy! Whit how many BTC he started?
That is crazy. He has wagered over 27 thousand coins and is at a profit of 885 right now. Is he the biggest winner yet?
hero member
Activity: 868
Merit: 1000
With the video looked like he just about got even... What privileges do you get betting that much on PD?



ah never again have to work and deal with a boss
legendary
Activity: 1232
Merit: 1000
★YoBit.Net★ 1400+ Coins Exchange
crazy! Whit how many BTC he started?
legendary
Activity: 966
Merit: 1000
In holiday we trust
With the video looked like he just about got even... What privileges do you get betting that much on PD?
sr. member
Activity: 342
Merit: 250
Great video!
How much did he win at the end? And withdraw?  Smiley
legendary
Activity: 812
Merit: 1000
Hufflepuff crossing 1000 Bitcoin profit on PrimeDice, watched it live and recorded the moment (vid below), so sick.

https://www.youtube.com/watch?v=uALj-u-BvOc&list=UUYT9hwCLb2qhv8wnCGWmw9w

Part 2: Hufflepuff Continues And Makes 2000 Bitcoin Profit

https://www.youtube.com/watch?v=lSLXv5Tz1ZY&list=UUYT9hwCLb2qhv8wnCGWmw9w&index=1


March 2015 Update:

Hufflepuff cheated & managed to run off with the coins according to reports from primedice


------------------------

June 2015 Update:  https://medium.com/@Stunna/breaking-the-house-63f1021a3e6d

How it was done:

Quote
This is the story of how we lost around $1 million worth of bitcoin to a hacker who exploited our online casino’s RNG system. This happened last year, but we’ve decided to share our experience for transparency and so that others can learn from our mistakes.

August 2014

Shortly after the launch of the third version of Primedice, our team faced an adversary that challenged the existence of our website. Our team had nearly two years of experience building bitcoin gaming sites, however I personally had pretty limited coding experience. We were under heavy pressure to avoid further delays and released after a short week of closed beta testing.

The heist began immediately after launch with two unusual players, Nappa & Kane. We noticed unusual betting patterns from both those accounts. Kane was automatically cashed out, we reviewed Nappa’s bets and thought they were highly unusual but could find no wrong-doing and cashed him out after a delay and a brief email exchange

September 2014

After getting spooked by his delayed cashout on Nappa, the exploiter waited a few weeks and created a new account named “Hufflepuff”. Hufflepuff was the largest bettor Primedice had ever seen, he was often seen betting upwards of $8000 worth of bitcoin every second for hours on end. Our entire team was shocked that Hufflepuff continued to beat the house edge (1%) and stack up more and more profit over time.

We were highly skeptical of his winnings and were forced to hold his cashouts time and time again to investigate and each time our developers could not find any wrong-doing. We couldn’t justify greatly delaying his withdrawals when there was no evidence he was cheating. There was also strong incentive for us to promptly pay him, so he’d keep playing. We heavily explored what we thought was every possibility, ran simulations and did the math and came to the conclusion that he was just incredibly lucky.

The Discovery

About two days after sending his final withdrawal placing him above 2037 profit on the Hufflepuff account alone, our main developer detected the exploit after we found a handful of accounts sharing the same server seed.

To understand how Hufflepuff beat our system, one must understand how our provably fair system (RNG) works. A user is shown an encrypted random value (the server seed) before they bet and they must also submit their own random value (the client seed). These two random values are combined and used to determine win or lose. The random encrypted random value used for the bet then is shown to the user after the bet so that they can be guaranteed that their bet is not rigged. You can find the detailed and in-depth explanations of provably fair here:

https://primedice.com/verify and http://dicesites.com/provably-fair

Part of the functionality of our site is that we have to give out decrypted server seeds (to assure users no bet manipulation has occurred) and put a new random seed in place, essentially trashing the old revealed seed. Hufflepuff found a way to “confuse” our server, and made it give out a decrypted server seed that was also an active seed. This was done by sending it more requests than it could handle in a small time period, think hundreds of requests in under a second. The result of this is that he knew all the information required to corroborate the outcomes of his bets. He knew whether if he would win or lose, and could wager accordingly.

We figured this out after frantically checking our servers after a eureka moment. We suspected something could have been going on and eventually realized the possibility of a timing attack described above. Our database had seeds that were both inactive and in use at the same time all connected to Hufflepuff. Along these “Schrödinger” seeds existed many seemingly unused seeds connected to the same accounts, indicative of the rapid fire of requests needed to obtain these.

Déjà vu

Unfortunately we detected this exploit after cashing out Hufflepuff and his handful of accounts 2400+ coins (roughly $1M at the time). Given the nature of Bitcoin there wasn’t much we could do but take it on the chin. We reached out to Hufflepuff via his bitcointalk forum account and demanded the return of the coins, however this backfired unbelievably hard. It turned out that our developer had improperly patched the glitch. In response to our message, Hufflepuff created a new account named Robbinhood and proceeded to rapidly win 2000+ additional bitcoins using a work-around to the patch. He was unable to cashout more than 50 or 60 coins this time around as our site hot-wallet was drained.

Shortly after he privately sent us this message which was preceded with the dox of a primedice employee:

    “Your offer is declined. Your demands are laughable. I’m happy to walk away and leave you be, but if you’re going to take this further, then so will I. I don’t think you want this to go further. I actually enjoy this shit. Your move.
    Oh, and by the way, there are some pending withdrawals that you need to process.”

And that was the day the house didn’t win…
Evidence for transparency and investigative purposes

Hufflepuff’s deposit address: https://blockchain.info/address/1BiPXmDrHm7VXZnWy6NnW1ZbPc4dcpfkH5

His primary withdrawal address: https://blockchain.info/address/14iS2UvcLK33xkC1K1qL1dhEbp49aiNfNp

Email: [email protected]

RobbinHood withdrawals:

https://blockchain.info/address/14HQ67ZhmATviHi9RdYhbUriAGSFmJpYoB

— Note — : Nappa/Kane were two other usernames used early on, amongst many others.

Kane’s Withdrawal address: https://blockchain.info/address/18dMBap634aESPTeD3FGcAgJ2S9n4qtBTZ

Nappa Deposit address: https://blockchain.info/address/16h9ggSzUWdvagEJdNvWVYiUkytw6SJgiB

Nappa email: [email protected]

Some IP’s used between accounts: 184.75.221.106, 184.75.223.34 , 151.224.50.156 , 76.179.22.16

Any information that leads to the return of the coins from this incident will be greatly rewarded. We invite you to analyze the above bitcoin addresses and find out where the bulk of the coins ended up if you have the skills.

It’s also important to note that this incident is proof of the strength of our integrity and provably fair system. If at any point we attempted to rig Hufflepuff’s bets (skip nonces etc) we would have instantly realized he was cheating and we would have 2400+ more bitcoins. Hufflepuff only took a brief break from playing after we halved our max bet, I believe he would have cleaned us had we never discovered what was going on. We fund our own bankroll so no users were negatively impacted as a result of this.

Sorry for the long read,

Stunna & Primedice


Contact: [email protected]


Pages:
Jump to: