Just-Dice is not provably fair to gamblers - page 3.

Automatic

full member

Activity: 238

Merit: 109

Quote from: royalblako on February 23, 2014, 01:41:42 PM

I'm not tech savy so i didn't understand much of what you said, but i lost some btcs there, so i'd like to know what's up.

What's up? In theory he could have influenced the numbers that come up to be in a less-than-random (But still not chosen) order, as, he provides two of the three parts of a hash, and, the third part is simply an incrementing number, something that you could easily test with.

He still couldn't force you to bed more than/less than, or, what percentage, so, the best he could do is profile your betting procedure to guess how you bet, then attempt to test a bunch of hashes until they are ordered in the way that profiles you.

tl;dr no, he probably didn't steal from you, but, it is an issue to be concerned with, assuming I'm understanding this correctly (I believe I'm understanding the issue correctly, but, maybe not the repercussions)

everydice

member

Activity: 98

Merit: 10

Quote from: a1choi on February 23, 2014, 01:06:15 PM

how could it be changed to be provably fair to gamblers? Do other sites also exhibit similar weakness?

It depends on how the site generate their server seed.

If and only if the method they are using is unique per user with instant checking (like Just-Dice.com and EveryDice.com), then you only need to change the client seed once. After that, there is *no way* the site is able to manipulate the roll. Remember that you pick your client seed after the site show their server seed hash

aahzmundus

hero member

Activity: 644

Merit: 500

Invest & Earn: https://cloudthink.io

From my understanding of the issue... JD IS provably fair, you just have know way of knowing doog did not cheat.

If doog wanted to fuck people over he could just look at the seeds and bet on his own site and win. Or hell, he could just run away with the 40,000+ that people trust with him.

If doog wanted to cheat you, he would just run with the money.

Also, doog is not anonymous...

royalblako

newbie

Activity: 4

Merit: 0

I'm not tech savy so i didn't understand much of what you said, but i lost some btcs there, so i'd like to know what's up.

Automatic

full member

Activity: 238

Merit: 109

Quote from: a1choi on February 23, 2014, 01:06:15 PM

how could it be changed to be provably fair to gamblers?

Generate client seed client-sidedly.

a1choi

sr. member

Activity: 323

Merit: 254

how could it be changed to be provably fair to gamblers? Do other sites also exhibit similar weakness?

RGBKey

hero member

Activity: 854

Merit: 658

rgbkey.github.io/pgp.txt

It is provably fair if the gambler takes the correct steps to make sure it is. If you are reckless, then it does not matter anyways. As to changing the way the rolls are calculated, he did this to make it more secure for the site. This is no way would cause losses to people.

Kyraishi

hero member

Activity: 952

Merit: 513

haha dooglus should do provably fair for investment.

elbill

hero member

Activity: 952

Merit: 1005

frantorres_995 at socialmedia

Dooglus also change the algorithm without warning in September and arbitrarily, causing losses to many users, the only way to solve this is in court but he has hidden in his anonymity to avoid starting a legal process. But the day will come.

FPCN

sr. member

Activity: 266

Merit: 250

Reserved.

feedthedogs

newbie

Activity: 12

Merit: 0

I have raised this with Dooglus over a week ago, we discussed solutions but he has decided the site will not change.

The problem
The client side key is generated by the server initially and has no security so it can be changed at any time

Background
There are three parts to generating a fair bet:

Server Key - given to the user as a hash
Client Key - known by the user (and should be generated by the user)
Bet number

The time and size of a bet have nothing to do with the result.

How can this be abused
The nature of Just-Dice rolls are that you bet high or low in a 0-100, if the client and server key are generated by the server they can pre-prepare client-server keys that will result in rolls in their favor.
for example they can generate millions of sets of hashs until the results:
1) are generally 10-90 so that people will not get the rare 10x payout rolls (less than 10 or greater than 90)
2) have long streaks above or below 50 to send martingalers bust
So use your imagination, they can dictate the roll results

The technical details
The code is available here:
https://just-dice.com/javascripts/dice.js
A beautified copy:
http://pastebin.com/CatuARX2

The Server and Client keys can be changed at any time by the server, here is the corresponding code:

Code:

  socket.on("shash", function(data) {
    $("#shash").html(data)
  });
  socket.on("seed", function(data) {
    $("#seed").html(data)
  });

The only protection is if the user writes down both keys and verify their bets every 100 rolls, after that your bets a no longer visible

When you load the site, the client key is provided by the server, this is not a problem for returning users, but first time visitors should have their own java-script engine generating a client key, here is the code:

Code:

  socket.on("init", function(data) {
    ... other code ...
    $("#shash").html(data.shash);
    $("#nonce").html(data.nonce);
    $("#seed").html(data.seed);

It is possible to use the randomize function when you first enter the site, but I do not believe many users do this.

Caveat
I am not accusing the site of rigging rolls, I am just saying that it is possible.

Topic: Just-Dice is not provably fair to gamblers - page 3. (Read 4145 times)