OFFICIAL DICEBITCO.IN ANNOUNCEMENT ABOUT THE SKIPPED NONCES INCIDENT
============================================================
Hello everybody. There has been a lot of speculation going around, especially since we decided to stop forum announcements/communications and locked our official topic. Therefore, we decided to come straight and give all the explanations people wanted/demanded.
Due to the massive and fast growth of DiceBitcoin, we decided to hire one more coder, who would help us with the load (new features, various fixes, etc.) we were dealing with. If you were following DB from the start, you would notice that every few days we were fixing / upgrading / implementing new features non-stop. We had and still have tons of ideas and things we want to deploy, so we decided that hiring one more guy would be a good idea. We first assigned him some simple tasks and he was quickly adapting to the demanding environment that we have. The payment agreement was a simple one that we thought would give extra motivation to work harder: 20% of our cut, per month. So far so good.
However, that's where the problem apparently began. On 27th of August, we merged some of his changes without proper review of the code. We made sure that the build is not broken - that all tests were passing. There are no excuses for that. We didn’t review it like we should, and that's how we ended up in this shitty situation. The code, which went live, was allowing the skipping of winning bets when the bet met some criteria (e.g. the bet wins X amount of btc with odds higher than Y). This was not active by default, he had to choose manually which player to ‘cheat’ and this is why not all users were affected. That was a totally stupid way to implement it, since if you do that, the bets will not be verifiable since the nonce sequence would be broken. But we will return to that in a while.
On the 7th of September, one of our players (finnile) noticed that something was wrong on his rolls. All his rolls were skipping winning nonces. When we confirmed it, we halted betting for everyone immediately (made all accounts invest-only, so betting was prohibited). It took us a lot of time to find out WTF was happening and why just winning bets were skipped. Our first thought was that our database was having issues but then again why only the winning bets? When we found out that in fact this was deliberate we looked for malicious code. We wrote some failing tests, due to non-verifiability of the bets, then rolled back the commit that introduced this and, with tests passing, we deployed the fix and re-enabled betting. In addition, we refunded EVERY PLAYER who lost his coins due to this malicious code, from our own stash of bitcoins, leaving both the website's and investors' coins completely untouched. We took full responsibility for the mistake and we paid for it.
However, what followed was chaos (or shall I say, a bank run). A lot of trolls, both on chat and on the forum, didn't lose a chance and went apeshit on us, scaring everyone away and warning users to pull their coins immediately because we would steal them - disappear them - abracadabra them. What we did though, was non-stop refunds on accounts that got negatively affected by this, processing thousand-coin withdrawals and refilling the hot wallet. Betting resumed since the incident was fixed on the spot, and all refunds were carried by our stash, leaving investors intact, giving them zero reason to worry about their coins. Although, they were free to act at will. Not to mention investors were the only ones that got massive profit out of this!
In around 24hrs past the incident, the bankroll shrank from 7500 coins to ~1700. Then, we had one user, mateo, who was hitting the bankroll non-stop for almost 12hrs more, eating almost 600 BTC of profit (site was ~288 BTC profit prior to the 7th of September and around -320 BTC when mateo stopped playing). A lot of speculation exists as well around that user, so please allow me to elaborate. User mateo was registered on 2014-08-06 18:22:05 and before the incident of 7th of September was -33 BTC in total. On the date he registered the other developer was not hired yet, so it is impossible that it was him. The new hire had no access to the database (or to the production server) which means that it is impossible for him to know other users’ seeds. On top of that, mateo did randomize his rolls before he went on with his crazy streak (my guess would be to verify if he got affected by the malicious code - btw he was not affected). Given all those facts there is 0% chance it could be someone that knew the server seed and played against it. When he asked for a withdrawal when done, we were left astonished with that run (like we didn’t have enough shit already to deal with). We postponed his withdrawal for several hours. We went through his rolls again and again, we searched every possible way of "cheating". Everything was legit, so we paid him out.
The story doesn’t finish here though! Bankroll was left "bleeding" and nearly dead at around ~500 BTC, when people started investing little by little again. Finally two days ago, when we touched ~1k BTC bankroll again (and ~1700 BTC invested, exactly as it was before he started his crazy run), mateo returned. He made a massive deposit of 650 BTC, and after nearly half a day of betting plus a lot of fluctuations (he was winning up to 140 BTC at one point again - that sure made us shit our pants) he ended up losing everything he won on his previous lucky run plus some more. So what does that mean? That means that everyone who did not divest when mateo won, didn’t lose a single satoshi and made a very nice return on top (let alone those that invested after mateo's huge win and stayed invested until his bust).
So does this make it right for everyone? Has our behavior been correct?
The answer is "No".
We made 3 mistakes. I will get to all 3 of them in detail along with the solution.
1. We put code live on our site, without testing. No excuses for that. It's no one else's fault apart from ours, and we took full responsibility for it (that is why we paid from our own stash of bitcoins, and not from investors' or site's coins). Our fault, our bill. We decided from now on that only we will work on this project, even if it means that future features will be delayed.
2. When shit hit the fan, we said that we will not refund people who didn’t lose from that (i.e. ended up with profit). That was wrong. Some users (with the best example being user marie_lemke), even if they got their initial deposit refunded, should have ended up with much higher profit if the skipped nonces were not in place. So what we decided to do is simple: We credited all winning nonces that got skipped. That creates three types of users affected:
a) User had negative profit but he would end up with negative profit anyways. We refund the initial deposit anyways (favors user)
b) User had negative profit but he would end up with positive profit if it wasn't for the skipped nonces. Initial deposit is already refunded and we are crediting all the positive skipped rolls as well.
c) User had positive balance despite the malicious code. We are crediting all the winning skipped rolls as well.
3. We abandoned forum / closed chat / locked our topic because we got so fed up with trolls and flaming. We allowed it to get under our skin, and that was our mistake. Communication is crucial, and absence of it is what they wanted and allows them to shine. We won't do them the favor anymore! Effective immediately we are back on forum, back on twitter (will post a link to this topic so everyone can be aware of what happened) and unlocking our original topic. Chat also will be re-activated but we want first to think of some way to limit spam there. One idea is to allow chat to active members (x amount of BTC wagered OR x amount invested OR x amount in balance). Please allow us a few days or best case tomorrow.
To sum it up:
- We made a major mistake and 2 smaller ones. We took everything we could to make it right for everyone and make sure they won't happen again.
- Rolls ARE provably fair. That was patched the same moment we became aware of it.
- All accounts that were affected by skipped nonces have been refunded, to their best interest. List of usernames along with voucher code (tied to their account) is posted here. The list is here publicly available and we have emailed all the users who were affected and had email in their profile.
- All refunds are made from our own stash, and not investors' or site's money.
- All withdrawals / divests honoured. Never missed even one.
Bottom line, BankRoll was 7500BTC, which means we COULD HAVE STOLEN 3m$, but we didn't. Those BTCs missing are from investors who pulled out their own coins. Not only did we never steal one btc, but we did return ~6k btc to date back to whoever requested it. Some people try very hard to take DB down, but we won't do them the favour!
I would like also to grab this opportunity again, and re-invite dooglus to co-sign the cold wallet with us. I think we proved ourselves that we didn’t run with 7500 coins when we could, but it would relax a lot of people if a co-sign was a possibility (especially now that it starts growing again and passed 1600 coins). Also, we have no problem if there is a way to take the roll server. For the story, we did discuss that in the past but we couldn’t find an efficient way to do it. That is to answer a lot of people who wondered "why you didn’t take up dooglus' offer?". We never said no to dooglus. We just haven’t found a way to make it possible yet.
P.S. Our sister site, DiceLiteco.in was not affected by this, since we didn't push any fix on that site for the last 2 months+ (we were waiting to finish with all the addons on the BitCoin version first, to pass it on the LTC site)
P.S. 2 If possible please bitcoininformation and dooglus inform me about the signature campaign (who got paid, who is crossed out etc.) so I can finalize the payments at end of the month. Having said that, we are back and I do apologize for 10 days' absence.
P.S. 3 The reason we are making this post self-moderated, is simply to avoid troll posts like this one: https://bitcointalksearch.org/topic/m.8878492 . That doesn’t mean you can’t address your concerns here / mention our fuckup / criticize us. That's why we reopen our original topic as well. However since this is our official statement, we would like to keep it clear and on topic as much as possible.
I want to thank all users who sent support tickets wishing us good luck and hoping we stand on our feet again, even if they cannot express it on the forum, because they are afraid of "negative trust" from alt accounts. Again thank you for your support. We will return stronger than ever!
Thank you all.
Regards
The list with affected users and vouchers follows:
ID     USERNAME           TOTAL AFFECTED  ALREADY REFUNDED  WE OWE      VOUCHER
---------------------------------------------------------------------------------------------------------------------------
861    cuwirebeard        7.1556          5.90107777        1.25452223  DICE-OOMZ-RHAO-VVJM-NADM-VPID
4153   chris.jakubowski   0.17653184      0                 0.17653184  DICE-WRER-RGQN-WBQK-SAKG-YVCY
4433   presto             0.92611544      0                 0.92611544  DICE-SGXP-HDOH-NQIJ-OBHR-BSNH
12599  RNG                6.93989901      2.62806461        4.3118344   DICE-IQPB-VQHY-KRQN-NJLW-LLRQ
13835  Altitude           0.51368555      0                 0.51368555  DICE-YVKB-WGVS-LROH-QUHU-QKNT
16189  andyazz            1.49798912      0                 1.49798912  DICE-KTAW-CVNY-QCTR-BSBT-POYV
16511  marcellus_hand     1.23665803      0                 1.23665803  DICE-GLXJ-BGHY-DNHT-JPXB-UKCD
16657  kinki              1.234375        0                 1.234375    DICE-POMK-UXEH-EACC-IYDC-YHHK
18541  coty_predovic      27.64702008     20                7.64702008  DICE-IEZN-HFKV-OEUX-RTXE-WPBD
18544  Degenerate         0.4             0                 0.4         DICE-RVYD-WUQQ-NTPH-YIEJ-TJKH
19864  marie_lemke        55.18           35.1              20.08       DICE-WFQT-YWBJ-JFSC-KLLM-LROU
19914  lewis.aufderhar    1.781328        0                 1.781328    DICE-CIFJ-FTUE-OSIP-MYIU-RPWD
20178  esperanza.ritchie  1.74797619      0                 1.74797619  DICE-HHWZ-LVKF-ZVMM-HRLK-UJQD
10637  themikego          1.50665557      2.85665558        0
18165  Focus              7.5             8.00258683        0
6769   finnile            1.47746763      2                 0
16416  James              7               14.3792809        0
Note: vouchers are bound to the account, meaning only the specific userid/username can claim it!
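
The announcement notes that skipping winning bets breaks the nonce sequence and makes the bets unverifiable. The check below is an added example, not DiceBitcoin's code, showing how a player could audit a bet history for that pattern once the server seed has been revealed. The roll derivation (HMAC-SHA512 over "client_seed:nonce", reduced to 0..9999), the seeds, the target and the history are all constructed assumptions.

```python
import hashlib
import hmac

def roll_for(server_seed, client_seed, nonce):
    """Assumed derivation (illustrative, not the site's): 0..9999 from HMAC-SHA512."""
    msg = f"{client_seed}:{nonce}".encode()
    digest = hmac.new(server_seed.encode(), msg, hashlib.sha512).hexdigest()
    return int(digest[:8], 16) % 10000

def audit(server_seed, client_seed, recorded, target, first_nonce=0):
    """Check a bet history {nonce: roll} against the revealed server seed.

    A bet wins when roll < target. Returns (mismatched, skipped): nonces whose
    recorded roll differs from the recomputed one, and (nonce, roll, would_win)
    for every nonce missing between first_nonce and the last recorded bet.
    """
    mismatched, skipped = [], []
    if not recorded:
        return mismatched, skipped
    for nonce in range(first_nonce, max(recorded) + 1):
        expected = roll_for(server_seed, client_seed, nonce)
        if nonce not in recorded:
            skipped.append((nonce, expected, expected < target))
        elif recorded[nonce] != expected:
            mismatched.append(nonce)
    return mismatched, skipped

def looks_targeted(skipped):
    """True when gaps exist and every skipped nonce would have been a win."""
    return bool(skipped) and all(would_win for _, _, would_win in skipped)

def constructed_history(server_seed, client_seed, target, count, drop_wins):
    """Constructed sample data: a complete history, or one with wins removed."""
    full = {n: roll_for(server_seed, client_seed, n) for n in range(count)}
    return {n: r for n, r in full.items() if not (drop_wins and r < target)}

if __name__ == "__main__":
    seed, client, target = "constructed-server-seed", "constructed-client-seed", 4950
    for label, drop in (("honest", False), ("tampered", True)):
        history = constructed_history(seed, client, target, 200, drop)
        mismatched, skipped = audit(seed, client, history, target)
        print(label, "gaps:", len(skipped), "mismatched:", len(mismatched),
              "only wins skipped:", looks_targeted(skipped))
```

Nonces skipped after the last recorded bet cannot be seen from the history alone; catching those requires comparing against the nonce counter the site reports for the seed pair.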