Pages:
Author

Topic: Just-Dice is not provably fair to gamblers - page 3. (Read 4184 times)

full member
Activity: 238
Merit: 109
February 23, 2014, 12:48:59 PM
#11
I'm not tech savy so i didn't understand much of what you said, but i lost some btcs there, so i'd like to know what's up.

What's up? In theory he could have influenced the numbers that come up to be in a less-than-random (But still not chosen) order, as, he provides two of the three parts of a hash, and, the third part is simply an incrementing number, something that you could easily test with.

He still couldn't force you to bed more than/less than, or, what percentage, so, the best he could do is profile your betting procedure to guess how you bet, then attempt to test a bunch of hashes until they are ordered in the way that profiles you.

tl;dr no, he probably didn't steal from you, but, it is an issue to be concerned with, assuming I'm understanding this correctly (I believe I'm understanding the issue correctly, but, maybe not the repercussions)
member
Activity: 98
Merit: 10
February 23, 2014, 12:47:38 PM
#10
how could it be changed to be provably fair to gamblers?  Do other sites also exhibit similar weakness?

It depends on how the site generate their server seed.

If and only if the method they are using is unique per user with instant checking (like Just-Dice.com and EveryDice.com), then you only need to change the client seed once. After that, there is *no way* the site is able to manipulate the roll. Remember that you pick your client seed after the site show their server seed hash Smiley
hero member
Activity: 644
Merit: 500
Invest & Earn: https://cloudthink.io
February 23, 2014, 12:44:57 PM
#9
From my understanding of the issue... JD IS provably fair, you just have know way of knowing doog did not cheat.

If doog wanted to fuck people over he could just look at the seeds and bet on his own site and win.  Or hell, he could just run away with the 40,000+ that people trust with him.

If doog wanted to cheat you, he would just run with the money.

Also, doog is not anonymous...
newbie
Activity: 4
Merit: 0
February 23, 2014, 12:41:42 PM
#8
I'm not tech savy so i didn't understand much of what you said, but i lost some btcs there, so i'd like to know what's up.
full member
Activity: 238
Merit: 109
February 23, 2014, 12:12:09 PM
#7
how could it be changed to be provably fair to gamblers?

Generate client seed client-sidedly.
sr. member
Activity: 323
Merit: 254
February 23, 2014, 12:06:15 PM
#6
how could it be changed to be provably fair to gamblers?  Do other sites also exhibit similar weakness?
hero member
Activity: 854
Merit: 658
rgbkey.github.io/pgp.txt
February 23, 2014, 08:52:20 AM
#5
It is provably fair if the gambler takes the correct steps to make sure it is. If you are reckless, then it does not matter anyways. As to changing the way the rolls are calculated, he did this to make it more secure for the site. This is no way would cause losses to people.
hero member
Activity: 952
Merit: 513
February 23, 2014, 07:07:25 AM
#4
haha dooglus should do provably fair for investment.
hero member
Activity: 952
Merit: 1005
frantorres_995 at socialmedia
February 23, 2014, 06:58:30 AM
#3
Dooglus also change the algorithm without warning in September and arbitrarily, causing losses to many users, the only way to solve this is in court but he has hidden in his anonymity to avoid starting a legal process. But the day will come.
sr. member
Activity: 266
Merit: 250
February 23, 2014, 05:26:20 AM
#2
Reserved.
newbie
Activity: 12
Merit: 0
February 23, 2014, 04:01:31 AM
#1
I have raised this with Dooglus over a week ago, we discussed solutions but he has decided the site will not change.

The problem
The client side key is generated by the server initially and has no security so it can be changed at any time

Background
There are three parts to generating a fair bet:
  • Server Key - given to the user as a hash
  • Client Key - known by the user (and should be generated by the user)
  • Bet number
The time and size of a bet have nothing to do with the result.

How can this be abused
The nature of Just-Dice rolls are that you bet high or low in a 0-100, if the client and server key are generated by the server they can pre-prepare client-server keys that will result in rolls in their favor.
for example they can generate millions of sets of hashs until the results:
1) are generally 10-90 so that people will not get the rare 10x payout rolls (less than 10 or greater than 90)
2) have long streaks above or below 50 to send martingalers bust
So use your imagination, they can dictate the roll results

The technical details
The code is available here:
https://just-dice.com/javascripts/dice.js
A beautified copy:
http://pastebin.com/CatuARX2

The Server and Client keys can be changed at any time by the server, here is the corresponding code:
Code:
  socket.on("shash", function(data) {
    $("#shash").html(data)
  });
  socket.on("seed", function(data) {
    $("#seed").html(data)
  });
The only protection is if the user writes down both keys and verify their bets every 100 rolls, after that your bets a no longer visible

When you load the site, the client key is provided by the server, this is not a problem for returning users, but first time visitors should have their own java-script engine generating a client key, here is the code:
Code:
  socket.on("init", function(data) {
    ... other code ...
    $("#shash").html(data.shash);
    $("#nonce").html(data.nonce);
    $("#seed").html(data.seed);
It is possible to use the randomize function when you first enter the site, but I do not believe many users do this.

Caveat
I am not accusing the site of rigging rolls, I am just saying that it is possible.
Pages:
Jump to: