Monero dice seed hacked? - page 3. | Bitcointalksearch.org

BillyBurns

sr. member

Activity: 429

Merit: 263

Quote from: fluffypony on October 18, 2016, 12:39:30 PM

Quote from: BillyBurns on October 18, 2016, 12:17:03 PM

Fluffy I see the site bankroll went back up from 60k to 140k now... but I see people betting currently but my account still has taken the massive losses from that player.

You don't have any invested in the bankroll? Is your investment on another account?

I divested and withdrawal what was left right after I saw his rolls.

-16.660736590630 Xmr, ( Don't know if all loses were from him but I assume a large portion of it was) I was only invested on site for around 20 hours before I divested.

Deposit Hash
c7a2edb767827fb3d32d58150a7cfa3c1d855c83bf7a3e3a134b23abbcd1778a

Withdrawl Hash
c9cf4173c48e773ce85f84b0fb6a3a6e80e7a51a0665cbf00d1783ea20e1ddba

fluffypony

donator

Activity: 1274

Merit: 1060

GetMonero.org / MyMonero.com

Quote from: BillyBurns on October 18, 2016, 12:17:03 PM

Fluffy I see the site bankroll went back up from 60k to 140k now... but I see people betting currently but my account still has taken the massive losses from that player.

You don't have any invested in the bankroll? Is your investment on another account?

BillyBurns

sr. member

Activity: 429

Merit: 263

Fluffy I see the site bankroll went back up from 60k to 140k now... but I see people betting currently but my account still has taken the massive losses from that player.

BetKing.io

legendary

Activity: 1400

Merit: 1021

Quote from: ?? on ??

Quote from: NLNico on October 18, 2016, 08:22:46 AM

The way this guy was betting, was clearly to show that he could cheat. IMO this could have 2 reasons:

If the attack was super simple (e.g. the server was blindly giving the user the server seed) it's also possible it was a non-sophisticated attacker that got hold it of it, and was just dumb enough to not even try to cover his tracks better. I actually believe this recently happened to PrimeDice in their latest upgrade, with something along the lines of the beta server was a fork of the production server and someone realized this and revealed their server seed and abused the crap out of it to the point it was super obvious. I also heard about another bitcoin site where someone social engineered their way into getting root credentials to the server, but was sufficiently unsophisticated he couldn't figure out how to withdraw the bitcoins.

That said, this is basically a nightmare situation for an investment site. Let's say they suspect or find out that the attacker actually had been abusing this before, who should be on the hook? The investors or the site? Kind of strange how no site ever clarifies that

I've said it to the investors before (noticed FAQ used to say it but not now after re-enabling investments a long time ago) that if this happens (or any big mess up) the investors lose/pay for it. That's the risk they take investing in the site/me.

Fortunately this hasn't ever happened at BetKing anyway.

BillyBurns

sr. member

Activity: 429

Merit: 263

Quote from: ?? on ??

Quote from: NLNico on October 18, 2016, 08:22:46 AM

The way this guy was betting, was clearly to show that he could cheat. IMO this could have 2 reasons:

If the attack was super simple (e.g. the server was blindly giving the user the server seed) it's also possible it was a non-sophisticated attacker that got hold it of it, and was just dumb enough to not even try to cover his tracks better. I actually believe this recently happened to PrimeDice in their latest upgrade, with something along the lines of the beta server was a fork of the production server and someone realized this and revealed their server seed and abused the crap out of it to the point it was super obvious. I also heard about another bitcoin site where someone social engineered their way into getting root credentials to the server, but was sufficiently unsophisticated he couldn't figure out how to withdraw the bitcoins.

That said, this is basically a nightmare situation for an investment site. Let's say they suspect or find out that the attacker actually had been abusing this before, who should be on the hook? The investors or the site? Kind of strange how no site ever clarifies that

Look at his bet pattern and the outcomes of the bets, its extremely obvious he was intentionally showing he could cheat.

BillyBurns

sr. member

Activity: 429

Merit: 263

Quote from: Daffadile on October 18, 2016, 11:23:48 AM

So.... When someone is unlucky and gets 21 loses in a row you say nothing but as soon as someone makes a whole lot of wins in a row you get jealous ?? Lol ok.....

Just like a losing streak a winning steak can happen too. Also what difference would it make if you saw his other rolls ? It is pure luck.

Yeah its not very weird for him to make all those 1Xmr bets and lose every single one of those and then win all of these huge bets with tiny win % over and over, the only big bet he lost was the first one where he made a mistake... ohh and on top of all those rolls be up another 33k xmr.

Daffadile

hero member

Activity: 1162

Merit: 500

CryptoTalk.Org - Get Paid for every Post!

So.... When someone is unlucky and gets 21 loses in a row you say nothing but as soon as someone makes a whole lot of wins in a row you get jealous ?? Lol ok.....

Just like a losing streak a winning steak can happen too. Also what difference would it make if you saw his other rolls ? It is pure luck.

fluffypony

donator

Activity: 1274

Merit: 1060

GetMonero.org / MyMonero.com

Quote from: NLNico on October 18, 2016, 08:22:46 AM

Looking at the expected variance is interesting, but obviously some dude who makes profits on a few accounts would be impossible to detect. Since you are publicly accepting investors (and were in loss even before this big winner), I do assume you are looking at logs to figure out if previous accounts potentially cheated? At minimum you could see which accounts accessed that specific API function? I don't think most users use the API. Besides that, potentially IPs/browsers/other info/etc can help to see if its possible someone else might have abused it.

The way this guy was betting, was clearly to show that he could cheat. IMO this could have 2 reasons:

1) "I already stole enough so I will just show you that your site has a vulnerability"
2) "I can cheat on here, but don't want to receive a reward and rather just show it off"

IMO the first reason seems more likely. It is exactly what HufflePuff (who stole 2000+ BTC) did on PD with account "RobbinHood".

In the end I am personally not an investor and I am not sure how many public investors your site has, but I am obviously just saying this for the investors. If a site like PD (which doesn't accept investments) had this, I wouldn't be bothering Stunna about "previous accounts" or anything.

Yes we're taking a look at the API logs, and correlating it against recent betters. We'll weed out any other accounts he has;)

NeuroticFish

legendary

Activity: 3668

Merit: 6382

Looking for campaign manager? Contact icopress!

Quote from: hubballi on October 18, 2016, 08:49:12 AM

What you told is absolutely correct, the way he was betting on continuous bets it is clear that he has done it wantedly to know the site that they have been hacked and the site seed key is known to others who are cheating the site.

I think that there's still a chance he didn't know the withdraw is processed manually and got greedy.

A white hat hacker would have told the owner, not like this.
Somebody who would try only to show off would mean that 66k XMR (over 400 000 $) means nothing to him, since he already stole more than that.

hubballi

sr. member

Activity: 882

Merit: 297

Quote from: NLNico on October 18, 2016, 08:22:46 AM

Looking at the expected variance is interesting, but obviously some dude who makes profits on a few accounts would be impossible to detect. Since you are publicly accepting investors (and were in loss even before this big winner), I do assume you are looking at logs to figure out if previous accounts potentially cheated? At minimum you could see which accounts accessed that specific API function? I don't think most users use the API. Besides that, potentially IPs/browsers/other info/etc can help to see if its possible someone else might have abused it.

The way this guy was betting, was clearly to show that he could cheat. IMO this could have 2 reasons:

1) "I already stole enough so I will just show you that your site has a vulnerability"
2) "I can cheat on here, but don't want to receive a reward and rather just show it off"

IMO the first reason seems more likely. It is exactly what HufflePuff (who stole 2000+ BTC) did on PD with account "RobbinHood".

In the end I am personally not an investor and I am not sure how many public investors your site has, but I am obviously just saying this for the investors. If a site like PD (which doesn't accept investments) had this, I wouldn't be bothering Stunna about "previous accounts" or anything.

What you told is absolutely correct, the way he was betting on continuous bets it is clear that he has done it wantedly to know the site that they have been hacked and the site seed key is known to others who are cheating the site.

NLNico

legendary

Activity: 1876

Merit: 1295

DiceSites.com owner

Looking at the expected variance is interesting, but obviously some dude who makes profits on a few accounts would be impossible to detect. Since you are publicly accepting investors (and were in loss even before this big winner), I do assume you are looking at logs to figure out if previous accounts potentially cheated? At minimum you could see which accounts accessed that specific API function? I don't think most users use the API. Besides that, potentially IPs/browsers/other info/etc can help to see if its possible someone else might have abused it.

The way this guy was betting, was clearly to show that he could cheat. IMO this could have 2 reasons:

1) "I already stole enough so I will just show you that your site has a vulnerability"
2) "I can cheat on here, but don't want to receive a reward and rather just show it off"

IMO the first reason seems more likely. It is exactly what HufflePuff (who stole 2000+ BTC) did on PD with account "RobbinHood".

In the end I am personally not an investor and I am not sure how many public investors your site has, but I am obviously just saying this for the investors. If a site like PD (which doesn't accept investments) had this, I wouldn't be bothering Stunna about "previous accounts" or anything.

fluffypony

donator

Activity: 1274

Merit: 1060

GetMonero.org / MyMonero.com

Quote from: Jungian on October 18, 2016, 04:42:57 AM

Quote from: fluffypony on October 18, 2016, 04:33:22 AM

Custom API, so I don't think this affects anyone else. We've disabled betting in the meantime whilst we sort this out, but I really think the lesson to other operators is not to be overconfident in your code or in your setup. Everything can and will be compromised, so assume it's going to happen and put safeguards in place to handle that eventual scenario.

Do you think it could have been compromised a long time ago? Maybe the hacker got tired of milking it and just went for a big score.

It's entirely possible, but one of the Monero Research Lab wrote a paper (for fun) a year ago establishing a way to analyse whether someone is cheating by determining whether they are massively changing the deviation of the site.

We run this analysis in the back all the time, so if someone was consistently cheating, even if they were using multiple accounts and small amounts, we'd see it show up because the site would (statistically speaking) be far out of the expected variance.

You can read the paper here: https://lab.getmonero.org/pubs/MRL_Monte_Carlo_Edition.pdf

Jungian

legendary

Activity: 930

Merit: 1010

Quote from: fluffypony on October 18, 2016, 04:33:22 AM

Quote from: NeuroticFish on October 18, 2016, 04:23:41 AM

It would be interesting to know if this was a custom API or a public one, meaning that maybe other sites are affected and their owners could use this news to protect their sites too.
Of course patching your own is top priority.

Custom API, so I don't think this affects anyone else. We've disabled betting in the meantime whilst we sort this out, but I really think the lesson to other operators is not to be overconfident in your code or in your setup. Everything can and will be compromised, so assume it's going to happen and put safeguards in place to handle that eventual scenario.

Do you think it could have been compromised a long time ago? Maybe the hacker got tired of milking it and just went for a big score.

fluffypony

donator

Activity: 1274

Merit: 1060

GetMonero.org / MyMonero.com

Quote from: NeuroticFish on October 18, 2016, 04:23:41 AM

It would be interesting to know if this was a custom API or a public one, meaning that maybe other sites are affected and their owners could use this news to protect their sites too.
Of course patching your own is top priority.

Custom API, so I don't think this affects anyone else. We've disabled betting in the meantime whilst we sort this out, but I really think the lesson to other operators is not to be overconfident in your code or in your setup. Everything can and will be compromised, so assume it's going to happen and put safeguards in place to handle that eventual scenario.

smoothie

legendary

Activity: 2492

Merit: 1473

LEALANA Bitcoin Grim Reaper

#HackThatGotTrumpedByAPony
Cheesy

NeuroticFish

legendary

Activity: 3668

Merit: 6382

Looking for campaign manager? Contact icopress!

Quote from: fluffypony on October 18, 2016, 04:11:47 AM

Looks like they managed to grab the server seed through a leak in the API - we're busy patching it, and will rollback the naughty bets. Thankfully we process every single withdrawal manually, and most of the funds are all locked up in a cold wallet, so no money was lost. It's precisely because of the very high risk of an exploit that we don't let withdrawals process automatically!

It would be interesting to know if this was a custom API or a public one, meaning that maybe other sites are affected and their owners could use this news to protect their sites too.
Of course patching your own is top priority.

itod

legendary

Activity: 1974

Merit: 1077

^ Will code for Bitcoins

Quote

5 biggest win in the last 24h
22000.000000000000   PolakPotrafi
12000.000000000000   PolakPotrafi
10000.000000000000   PolakPotrafi
9352.000000000000   PolakPotrafi
8000.000000000000   PolakPotrafi

and:

Quote

5 biggest win alltime
22000.000000000000   PolakPotrafi
12000.000000000000   PolakPotrafi
10000.000000000000   PolakPotrafi
10000.000000000000   othe
10000.000000000000   othe

If he only was less greedy he could make much bigger damage. Luckily he had idiotic betting strategy regarding being painfully obvious.

fluffypony

donator

Activity: 1274

Merit: 1060

GetMonero.org / MyMonero.com

Looks like they managed to grab the server seed through a leak in the API - we're busy patching it, and will rollback the naughty bets. Thankfully we process every single withdrawal manually, and most of the funds are all locked up in a cold wallet, so no money was lost. It's precisely because of the very high risk of an exploit that we don't let withdrawals process automatically!

oxygen88

sr. member

Activity: 306

Merit: 250

Yes, especially this few big bets

7908821 3000.000000000000 +3000.000000000000 <49.50 46.38 07:23 PolakPotrafi
7908820 3000.000000000000 +3000.000000000000 >50.50 57.52 07:22 PolakPotrafi
7908819 1400.000000000000 +5600.000000000000 >80.20 81.28 07:22 PolakPotrafi
7908818 789.600000000000 +7106.400000000000 <9.90 2.06 07:21 PolakPotrafi - looks most unusual
7908817 1535.200000000000 +6140.800000000000 <19.80 13.15 07:21 PolakPotrafi - looks most unusual
7908816 935.200000000000 +8416.800000000000 >90.10 94.58 07:20 PolakPotrafi - looks most unusual

As if he already knew the result and he does big bets, and looking at the bet ID 8816, 8817, 8818.

This shows he knew the result beforehand, 3 continuous roll with that percentage to win, the chance is 0.000000001% in real life to hit all 3 wins.

Jungian

legendary

Activity: 930

Merit: 1010

They do look unusual. Like he knew exactly what percentage to change to in order to win.

Edit: Looks like he did and FluffyPony is on to it (according to the monerodice chat)

Maybe the seed has been compromised a long time. The site has not been running at EV (although nothing particulary strange about that).

Topic: Monero dice seed hacked? - page 3. (Read 4158 times)