A few critical points...
According to your Provably Fair Explanation, it says you use
Combination = Server Seed + Client Seed + Nonce and
Hash = SHA512 (Combination)
This formula/statement is false and misleading.
Given the values:
const ServerSeed = "c678cae375a07e4456a5532a19e5b1311d3434795f5bcdf50e7f4f27ae660d5d"
const ClientSeed = "client"
const Nonce = 0;
According to your Verification page:
1. The Combination Value is wrong. It shows "clientc678cae375a07e4456a5532a19e5b1311d3434795f5bcdf50e7f4f27ae660d5d0" but according to your explanation above it should be "c678cae375a07e4456a5532a19e5b1311d3434795f5bcdf50e7f4f27ae660d5dclient0" - (this is still wrong btw, read below)
2. The SHA512 value shows "8c0bd8c9ad2261ccaf0650de9135088484085d328293a42ce9a69e734f93ded96ae3a6f6e31c9083a59e97650d97a0f3eda8e71d0210ef44f9132214ccfb9531" which is also wrong if we follow the given formula above.
Even if we hash either "clientc678cae375a07e4456a5532a19e5b1311d3434795f5bcdf50e7f4f27ae660d5d0" or "c678cae375a07e4456a5532a19e5b1311d3434795f5bcdf50e7f4f27ae660d5dclient0", both will not result in the SHA512 that is being shown (you can test it here: https://www.convertstring.com/Hash/SHA512)
Question is: Where did that SHA512 result come from? Why is the formula given not resulting in the correct values?
The answer is: You actually don't use SHA512. Instead, you are using HMAC-SHA512. HMAC-SHA512 accepts a message and a secret value. And in the site's case, the message is constructed like "ClientSeed:Nonce" (the : is included), and the ServerSeed acts as the secret value.
There's a big difference between the two, SHA512 and HMAC-SHA512. The correct formula is:
// hmac512(message, secret)
hmac512( ClientSeed + ":" + Nonce, ServerSeed )
If you expect players to just trust your verifier, you'd be mistaken and this could lead to many concerns.
Here is a quick verifier that would explain the verification properly.
https://codepen.io/uniibu/full/OJyyNgL
Cheers!