Topic: [PHP] BitLuck Lottery Script - Released under MIT License (Read 29885 times)

newbie
Activity: 10
Merit: 1
I have been searching for a working lottery script also, well more of a raffle script

This is my version of the original code with some graphics added.

http://bitcoin.bigmoney.biz


Check it out.
sr. member
Activity: 588
Merit: 251
I have been searching for a working lottery script also, well more of a raffle script
member
Activity: 113
Merit: 10
can somebody shoot up a working site to see how it's looking .D?
newbie
Activity: 5
Merit: 0
Hi,

I need a raffle script with Bitcoin Gateway!!!
Any available here on this forum?!!!

Kind Regards,
Alex
legendary
Activity: 1064
Merit: 1001
So it's a cool script made specifically for educational purposes, as it has multiple security flaws. I'm taking some look into this script, could you tell me those flaws?
that's like asking...

How can I abuse non safe systems... mind you mine has updated code from the original. See my sig.
sr. member
Activity: 392
Merit: 251
So it's a cool script made specifically for educational purposes, as it has multiple security flaws. I'm taking some look into this script, could you tell me those flaws?
sr. member
Activity: 322
Merit: 251
Interesting that people are still commenting on this. If someone is willing to maintain a fork of BitLuck, please let me know. I will update the original post in this thread, as well as update the README on the Github repository. As of right now, there are 20 forks reported by Github's network graph, but not one of them seems to be maintained to me.

The project is more popular on Github than I would expect for something of this nature (guys, it's really ugly code), and I'd like to be able to link to something better. I've been leaving it up as an example for developers to understand how to interact with the Bitcoin API.

You can email me at [email protected].

~lulz

EDIT - Taking the project down for both security and licensing reasons. If you'd really like the code for some reason, you may use the email above.
legendary
Activity: 2254
Merit: 1140
If I fix the vulnerability, is this a working and secure script in all other aspects?

From what others have stated, yes.    Please keep me in mind if you are able to fix the issue.  I would love a working version of this script.  I would even pay for it.    Thanks.
hero member
Activity: 504
Merit: 500
sucker got hacked and screwed --Toad
If I fix the vulnerability, is this a working and secure script in all other aspects?
legendary
Activity: 2254
Merit: 1140
Can someone who has patched the vulnerabilities send me a working version?   I would like to test it out and maybe design a nice skin for it. 
legendary
Activity: 896
Merit: 1000
Louis Vuitton
This thread is very old, but thank you so much I will take a look into this.
newbie
Activity: 10
Merit: 1
BUMP Roll Eyes

http://s13.postimg.org/k5j2cxeh3/Capture.png

I have tried this on two different hosting accounts/servers now and still get the same result. Would really like to get this functioning.

Latest version is now ready for testing at:-

http://bitcoin.bigmoney.biz

Enjoy!
newbie
Activity: 1
Merit: 0
yeah, i also thought about that,
have to add some stats/overview of entered addresses and maybe last winners or such,
should be no big deal.
Except proving that you didn't just pick whatever winner you wanted. (I guess people will just have to trust you.)

Would implementing the lottery code using Script on the Bitcoin or Ethereum platform increase the possibility that people have more trust in the system/lottery?
hero member
Activity: 868
Merit: 500
Quarkcoin Lottery website, based on this code but pretty much modified. Still needs some work and design but it's working well!

http://qrklotto.no-ip.info/
newbie
Activity: 10
Merit: 1
BUMP Roll Eyes

http://s13.postimg.org/k5j2cxeh3/Capture.png

I have tried this on two different hosting accounts/servers now and still get the same result. Would really like to get this functioning.

Have a look at my 'fully working' Weekly Bitcoin Lottery website, based on this code.

http://bitcoin.bigmoney.biz
newbie
Activity: 30
Merit: 0
BUMP Roll Eyes

http://s13.postimg.org/k5j2cxeh3/Capture.png

I have tried this on two different hosting accounts/servers now and still get the same result. Would really like to get this functioning.
newbie
Activity: 30
Merit: 0
I have installed this script but when I try entering a wallet address to play the lottery I always get "ERROR: You entered an invalid address. Please try again." but the address is valid??? Any ideas?
sr. member
Activity: 322
Merit: 251
Thanks for your script. I've noticed two minor issues though:
1. When bitcoind cannot be reached (not running/timeout) the PHP error displays the request (including username, password and IP address). It would make sense to suppress these details and throw a generic error.
2. The page which shows the deposit address and waits for confirmation is not fully compatible to the new setting to allow inputs other than 1:

Quote
Please send 1 BTC or more to the following address:

mjCQzqjNdLratrY6MsdS7fhtiYp8yieibi

This page should change when the address above receives at least 0.1 BTC with 1 confirmation.

WARNING: Non-refundable! Please only use multiples of 1 BTC (anything else is rounded down.)

Didn't notice this but I have just pushed new updates to the Git repository with fixes to these and a few other minor issues.
sr. member
Activity: 252
Merit: 250
Thanks for your script. I've noticed two minor issues though:
1. When bitcoind cannot be reached (not running/timeout) the PHP error displays the request (including username, password and IP address). It would make sense to suppress these details and throw a generic error.
2. The page which shows the deposit address and waits for confirmation is not fully compatible to the new setting to allow inputs other than 1:

Quote
Please send 1 BTC or more to the following address:

mjCQzqjNdLratrY6MsdS7fhtiYp8yieibi

This page should change when the address above receives at least 0.1 BTC with 1 confirmation.

WARNING: Non-refundable! Please only use multiples of 1 BTC (anything else is rounded down.)
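
One way to handle issue 1 from the post above, as an added example that is not BitLuck's code: RPC failures are logged server-side without connection details and the visitor only ever sees a fixed message. The helper name `bitcoind_call`, the `$cfg` keys and the endpoint and credentials are assumptions constructed for the demo.

```php
<?php
declare(strict_types=1);

// Added example, not BitLuck's code. Requires PHP 7+ with the cURL and JSON extensions.

// Never render PHP errors into the page; send them to the server log instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

/** Thrown for any RPC failure; its message never contains connection details. */
class RpcUnavailable extends RuntimeException {}

/**
 * Hypothetical JSON-RPC helper. The $cfg keys (url, user, pass) are assumed names.
 * Credentials go in CURLOPT_USERPWD, not in the URL, so they cannot end up in
 * an error string that echoes the request URL.
 */
function bitcoind_call(array $cfg, string $method, array $params = [])
{
    $ch = curl_init($cfg['url']);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_POST           => true,
        CURLOPT_HTTPAUTH       => CURLAUTH_BASIC,
        CURLOPT_USERPWD        => $cfg['user'] . ':' . $cfg['pass'],
        CURLOPT_HTTPHEADER     => ['Content-Type: application/json'],
        CURLOPT_POSTFIELDS     => json_encode([
            'jsonrpc' => '1.0', 'id' => 'lottery',
            'method'  => $method, 'params' => $params,
        ]),
        CURLOPT_CONNECTTIMEOUT => 3,
        CURLOPT_TIMEOUT        => 10,
    ]);
    $body   = curl_exec($ch);
    $errno  = curl_errno($ch);
    $status = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);

    if ($body === false) {
        // Log the method and cURL error number only: no URL, user or password.
        error_log(sprintf('bitcoind RPC "%s" failed: curl errno %d', $method, $errno));
        throw new RpcUnavailable('RPC transport failure');
    }
    $reply = json_decode($body, true);
    if ($status !== 200 || !is_array($reply) || ($reply['error'] ?? null) !== null) {
        error_log(sprintf('bitcoind RPC "%s" rejected: HTTP %d', $method, $status));
        throw new RpcUnavailable('RPC error response');
    }
    return $reply['result'] ?? null;
}

/** Page logic: the visitor sees a fixed message whatever went wrong. */
function deposit_page(array $cfg): string
{
    try {
        $address = (string) bitcoind_call($cfg, 'getnewaddress');
        return 'Please send your payment to: ' . htmlspecialchars($address, ENT_QUOTES, 'UTF-8');
    } catch (RpcUnavailable $e) {
        http_response_code(503);
        return 'The lottery is temporarily unavailable. Please try again later.';
    }
}

// Backstop for anything uncaught elsewhere: log class and location, never the
// exception message, because a message may embed the request that failed.
set_exception_handler(function (Throwable $e): void {
    error_log('Unhandled ' . get_class($e) . ' at ' . $e->getFile() . ':' . $e->getLine());
    http_response_code(500);
    echo "An internal error occurred.\n";
});

// Constructed settings: port 1 on localhost stands in for a bitcoind that is not running.
$cfg = ['url' => 'http://127.0.0.1:1/', 'user' => 'rpcuser-example', 'pass' => 'rpcpass-example'];
echo deposit_page($cfg), "\n";
```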
hero member
Activity: 672
Merit: 500
BitLotto - best odds + best payouts + cheat-proof

The point is, I don't plan on using this script. I've released it for educational purposes. I don't plan on editing it or changing it because it does not benefit me at all.
Ok, it was more directed to those who are thinking of using it as is.



Quote
You can cheat anything. Hell, you could cheat your own system, bitlotto.
I don't think so. At least I haven't figured out a way yet. I could not pay the winner or pay the wrong winner (Everyone would know right away) but I can't fake the results giving it to myself. I'd have to either rig Canada's national lottery or figure out a way to alter already existing blocks in the Bitcoin network. It would be pretty tough.
sr. member
Activity: 322
Merit: 251
if an operator wants to cheat, he can easily cheat.
doesn't matter if it's a lottery-script, or a bubble-script, or my randomizer-script, even a mining-pool,
could all be cheating, i don't get it.

why not move this "be careful who and where to send your coins to" discussion to a new thread, if you want to warn people?

Ok I'm done. If you can cheat it, perhaps more work needs to be done on it before it's used! I'm saying that if you want to use this for a lottery perhaps a feature where it lists all the entries is needed with a method for picking the winner separate from the operator after the list is made. That's all. I like the script and think it has potential.

The point is, I don't plan on using this script. I've released it for educational purposes. I don't plan on editing it or changing it because it does not benefit me at all. You can cheat anything. Hell, you could cheat your own system, bitlotto.
hero member
Activity: 672
Merit: 500
BitLotto - best odds + best payouts + cheat-proof
if an operator wants to cheat, he can easily cheat.
doesn't matter if it's a lottery-script, or a bubble-script, or my randomizer-script, even a mining-pool,
could all be cheating, i don't get it.

why not move this "be careful who and where to send your coins to" discussion to a new thread, if you want to warn people?

Ok I'm done. If you can cheat it, perhaps more work needs to be done on it before it's used! I'm saying that if you want to use this for a lottery perhaps a feature where it lists all the entries is needed with a method for picking the winner separate from the operator after the list is made. That's all. I like the script and think it has potential.
hero member
Activity: 532
Merit: 505
if an operator wants to cheat, he can easily cheat.
doesn't matter if it's a lottery-script, or a bubble-script, or my randomizer-script, even a mining-pool,
could all be cheating, i don't get it.

why not move this "be careful who and where to send your coins to" discussion to a new thread, if you want to warn people?
hero member
Activity: 672
Merit: 500
BitLotto - best odds + best payouts + cheat-proof

I really don't get what you're trying to say. Any script can be rigged just as easily. Why? Because the script is server-side. There is no validation of it the client can do client-side. Watch where you're spending your money. It's the same way I might trust MyBitcoin, etc.
Agreed, I was trying to say that's why any lottery that depends on stuff done server-side is easy to fake results. The biggest difference is that with a manipulated script the lottery can run for a while before anyone catches on that it is a scam. The operator can cheat and keep taking the pot. A lottery done such that the operator CAN'T manipulate it, is more ideal because it boils down to if they paid the legitimate winner or not. If done correctly everyone can know who the winner is WITHOUT the operator saying. If they don't pay the proper person it's game over for the lottery. If the lottery has no transparency, the operator can take multiple jackpots before people catch on.
sr. member
Activity: 322
Merit: 251
We already had a lottery (taabl) where you didn't have to trust the operator not to pick the winner. He did it by using the last digits of the hash of a predetermined block as a ticket. Still had to trust him to pay out of course, but we'd know right away if he didn't.
Yes, I was looking at BitLotto's which is similar. I could have done it that way, but I didn't. So yes, while it is transparently being picked, that doesn't mean the *script* could be as easily rigged. See, if TAABL released their script, I could mess with it just as easily.
legendary
Activity: 1246
Merit: 1016
Strength in numbers
We already had a lottery (taabl) where you didn't have to trust the operator not to pick the winner. He did it by using the last digits of the hash of a predetermined block as a ticket. Still had to trust him to pay out of course, but we'd know right away if he didn't.
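
The block-hash draw described in this post, combined with the published entry list asked for earlier in the thread, as an added example that is not taabl's, BitLotto's or BitLuck's code. It goes beyond "last digits of the hash": the ticket list is committed to with SHA-256 before the draw block exists, and the index is derived from the block hash and that commitment with rejection sampling. The entry strings, block hash and hashing layout are constructed assumptions.

```php
<?php
declare(strict_types=1);

// Added example. Assumes 64-bit PHP 7+.

/** SHA-256 commitment to the ordered ticket list, published before the draw block is mined. */
function commit_entries(array $entries): string
{
    if ($entries === []) {
        throw new InvalidArgumentException('no entries');
    }
    foreach ($entries as $entry) {
        // Reject values that would make the newline-joined encoding ambiguous.
        if (!is_string($entry) || $entry === '' || strpbrk($entry, "\r\n") !== false) {
            throw new InvalidArgumentException('malformed entry');
        }
    }
    return hash('sha256', implode("\n", $entries));
}

/** Map (block hash, commitment) to a ticket index in [0, $n) without modulo bias. */
function draw_index(string $blockHash, string $commitment, int $n): int
{
    if ($n < 1 || !preg_match('/\A[0-9a-f]{64}\z/', $blockHash)) {
        throw new InvalidArgumentException('bad draw input');
    }
    $range = 1 << 48;                 // 48-bit samples
    $limit = $range - ($range % $n);  // samples >= $limit would favour low indexes
    for ($counter = 0; ; $counter++) {
        $digest = hash('sha256', $blockHash . ':' . $commitment . ':' . $counter);
        $sample = (int) hexdec(substr($digest, 0, 12));
        if ($sample < $limit) {
            return $sample % $n;
        }
    }
}

/** What any player can run: true only if the announced winner follows from public data. */
function verify_draw(array $entries, string $publishedCommitment, string $blockHash, string $announced): bool
{
    $entries = array_values($entries);
    $commitment = commit_entries($entries);
    if (!hash_equals($publishedCommitment, $commitment)) {
        return false; // the list shown now is not the list committed to before the draw
    }
    $winner = $entries[draw_index($blockHash, $commitment, count($entries))];
    return hash_equals($winner, $announced);
}

// --- Constructed data: placeholder ticket owners and a stand-in block hash ---
$entries    = ['addr-alice', 'addr-bob', 'addr-bob', 'addr-carol', 'addr-dave'];
$commitment = commit_entries($entries);
$blockHash  = hash('sha256', 'constructed stand-in for the draw block');

$winner = $entries[draw_index($blockHash, $commitment, count($entries))];
printf("commitment %s\nwinner     %s\n", $commitment, $winner);

// Honest announcement.
var_dump(verify_draw($entries, $commitment, $blockHash, $winner));
// Operator announces someone other than the derived winner.
$other = $winner === 'addr-alice' ? 'addr-bob' : 'addr-alice';
var_dump(verify_draw($entries, $commitment, $blockHash, $other));
// Operator appends a ticket after the commitment was published.
$padded = array_merge($entries, ['addr-operator']);
var_dump(verify_draw($padded, $commitment, $blockHash, 'addr-operator'));
```

The check only means something if the commitment and the chosen block height are published before that block is mined; payment of the prize still has to be trusted, as the post says.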
sr. member
Activity: 322
Merit: 251


This was the point I was trying to get across. You have to trust the website, not the script BitLotto.

~lulzplzkthx

Agreed. I was merely trying to say that more trust is needed when using this script. Trust is always needed no matter what. Some systems are just easier/harder to rig than others. I just want people to be careful. That's all.

I really don't get what you're trying to say. Any script can be rigged just as easily. Why? Because the script is server-side. There is no validation of it the client can do client-side. Watch where you're spending your money. It's the same way I might trust MyBitcoin, etc.
hero member
Activity: 672
Merit: 500
BitLotto - best odds + best payouts + cheat-proof


This was the point I was trying to get across. You have to trust the website, not the script BitLotto.

~lulzplzkthx

Agreed. I was merely trying to say that more trust is needed when using this script. Trust is always needed no matter what. Some systems are just easier/harder to rig than others. I just want people to be careful. That's all.
sr. member
Activity: 322
Merit: 251
how would people know, if a lottery is using this script, or any other?
people should be careful about where to send their coins, or give their money each and every time they do,
no matter what for.

doesn't have anything to do with this script.

This was the point I was trying to get across. You have to trust the website, not the script BitLotto.

~lulzplzkthx
hero member
Activity: 532
Merit: 505
how would people know, if a lottery is using this script, or any other?
people should be careful about where to send their coins, or give their money each and every time they do,
no matter what for.

doesn't have anything to do with this script.
hero member
Activity: 672
Merit: 500
BitLotto - best odds + best payouts + cheat-proof

No, the script is a script. It does what it's supposed to, and anybody can modify it as they would like. That's what the GPL and LGPL licenses are designed for. I have created a script, released it, and hope it will be used for good. Yes, it could be used for nefarious purposes, just as Tor or Bitcoin could.

That's why the web-of-trust and similar concepts exist.

And a MySQL RAND() is beyond the control of the operator. If they choose to change the script, that's not my fault. I don't control that. You can feel free to implement another method, and post that if you would like.

Don't get me wrong, you did a pretty cool job making a lottery script.  Smiley  I was merely pointing out the flaws/stuff more for other people reading to be *VERY* careful playing a lottery using this script. That's all.
sr. member
Activity: 322
Merit: 251
Trust is an essential point of Bitcoin, yes. Or really any lottery script.

~lulz

Yes, BUT the script makes it WAY too easy for scammers to rig the results. All they have to do is make a new Bitcoin address for each "win". Every so often let "real" people win to avoid suspicion.
I'm just worried about people using this script to scam people. It's too easy to rip people off.
I'm not saying people are doing this now with this script, but it will happen.

The main problem is:
-all players need to be itemized before the draw somehow with a random way of picking the winner BEYOND the control of the operator
No, the script is a script. It does what it's supposed to, and anybody can modify it as they would like. That's what the GPL and LGPL licenses are designed for. I have created a script, released it, and hope it will be used for good. Yes, it could be used for nefarious purposes, just as Tor or Bitcoin could.

That's why the web-of-trust and similar concepts exist.

And a MySQL RAND() is beyond the control of the operator. If they choose to change the script, that's not my fault. I don't control that. You can feel free to implement another method, and post that if you would like. In fact, you might notice the script is divided into two parts: a front-end (paying), and a back-end (drawing). It makes it very easy to change how tickets are drawn to a more transparent way if whoever uses it would like.
hero member
Activity: 672
Merit: 500
BitLotto - best odds + best payouts + cheat-proof
Trust is an essential point of Bitcoin, yes. Or really any lottery script.

~lulz

Yes, BUT the script makes it WAY too easy for scammers to rig the results. All they have to do is make a new Bitcoin address for each "win". Every so often let "real" people win to avoid suspicion.
I'm just worried about people using this script to scam people. It's too easy to rip people off.
I'm not saying people are doing this now with this script, but it will happen.

The main problem is:
-all players need to be itemized before the draw somehow with a random way of picking the winner BEYOND the control of the operator
sr. member
Activity: 322
Merit: 251
Trust is an essential point of Bitcoin, yes. Or really any lottery script.

~lulz
hero member
Activity: 532
Merit: 505
that's true i guess,
but people would notice sooner or later if no *real player* wins and start complaining.
hero member
Activity: 672
Merit: 500
BitLotto - best odds + best payouts + cheat-proof
yeah, i also thought about that,
have to add some stats/overview of entered addresses and maybe last winners or such,
should be no big deal.
Except proving that you didn't just pick whatever winner you wanted. (I guess people will just have to trust you.)
hero member
Activity: 532
Merit: 505
yeah, i also thought about that,
have to add some stats/overview of entered addresses and maybe last winners or such,
should be no big deal.
hero member
Activity: 672
Merit: 500
BitLotto - best odds + best payouts + cheat-proof
Interesting! How do the players keep track of who played/won? (It's cool as it is, I'm just worried lots of scammers setting up something that looks just like it with the exception that it always pays to one of their own plays instead of using random like it should. I guess you have to trust the operator a little bit more I guess...)
hero member
Activity: 532
Merit: 505
if anyone wants to see this in action,
i've set up a test-lottery on http://fxnet.co.cc/lottery

didn't change much, except for some of the text.
i had some trouble getting it to work on my main-server due to the lack of mysqli,
so (for testing) it's set up on a different server.

seems to work alright so far.

sr. member
Activity: 322
Merit: 251
I added some modifications Smiley

https://www.wuala.com/Slyck/bitcoin/lottery_V0.1_mod_by_Joozero.7z/?key=G0vvFcXPtnDz

I'm not an expert php developer, neither sql ... so I hope that you can take it as a simple idea.
If you like it, I'm sure that you will  make a better one Wink

I did it to avoid the point 5.
( 5. Setup cron, or a similar service to run give_prize.php at the time you wish the prize to be drawn. )

Now it auto-restart simple with the help of users Grin ( they just have to visit the page )

Please, can you give a look?




Nice setup. I considered incorporating this into the original, and would add your mod to it, but there's always a chance it could take a long time for a user to view the page, and the funds may not be sent for quite some time. I decided to use the cron as it ensures they will be sent on time.

~lulz
staff
Activity: 4270
Merit: 1209
I support freedom of choice
I added some modifications Smiley

https://www.wuala.com/Slyck/bitcoin/lottery_V0.1_mod_by_Joozero.7z/?key=G0vvFcXPtnDz

I'm not an expert php developer, neither sql ... so I hope that you can take it as a simple idea.
If you like it, I'm sure that you will  make a better one Wink

I did it to avoid the point 5.
( 5. Setup cron, or a similar service to run give_prize.php at the time you wish the prize to be drawn. )

Now it auto-restart simple with the help of users Grin ( they just have to visit the page )

Please, can you give a look?


sr. member
Activity: 322
Merit: 251
I'm testing it.

Added line 186 on index.php:
'COST' => $ticket_cost
Now there is the dynamic cost to the waiting.html
Smiley

XAMPP 1.7.4 for Windows ( windows 7 x64 )

It seems that there is a bug. ( I'll check it later ... )
I counted 20 times just one entry ( so it collected 20 entries even if I sent only one time a single bitcoin )

EDIT:
Ok, It's working perfectly, my mistake Tongue


Thank you for sharing this, it's really useful! Cheesy



Thanks for pointing out the bug, I have updated the topic with a new link with the COST added to the waiting page. Smiley

If you use it and find it useful, feel free to donate. Tongue
staff
Activity: 4270
Merit: 1209
I support freedom of choice
I'm testing it.

Added line 186 on index.php:
'COST' => $ticket_cost
Now there is the dynamic cost to the waiting.html
Smiley

XAMPP 1.7.4 for Windows ( windows 7 x64 )

It seems that there is a bug. ( I'll check it later ... )
I counted 20 times just one entry ( so it collected 20 entries even if I sent only one time a single bitcoin )

EDIT:
Ok, It's working perfectly, my mistake Tongue


Thank you for sharing this, it's really useful! Cheesy

sr. member
Activity: 322
Merit: 251
Yes, you should be able to use decimals in the ticket price. However, that piece of code is untested (I originally had it hardcoded to 1 BTC, and changed it when I uploaded it here,) so let me know how it goes.

Also: As for the MySQL RAND() it was just the easiest, quickest way to quickly grab a random entry from the table. If you would like to do it some other way, be my guest. However, I'm not sure how open you can really make it, since no matter how you do it, the code will still be on the server, out of user's eyes?

I don't know though.
legendary
Activity: 1358
Merit: 1002
I'm not saying you will but you could just not use the script and then make a script that pays one of your accounts. You would win all the time and no one can see what's happening behind the scenes.

No, I probably will be winning all the time! but that's because i'll probably be the only one playing Cheesy
member
Activity: 224
Merit: 10
Sounds interesting. How are you going to make sure the players can see you didn't just pick someone and alter the code?

Yeah, was thinking the same myself. Maybe time to find some other way to pick the winner, using some formula to transform wallet addresses in numbers.

But you know, it runs automatically, even sending the prize, so i would have to be very quick to change the winner just like that when it happens.
I suspect the whole script to choose the winner and send the prize doesn't take more than a couple milliseconds to execute.

I dunno, honestly. I'll build the site the same way. the bet will only be 10cents. If someone wants to try it, great, if not, great the same way.
I like putting up quick and dirty websites up. Better to buy domains and have something there than leaving them empty. You don't want to know how many parked domains i have... really... Cheesy

I'm not saying you will but you could just not use the script and then make a script that pays one of your accounts. You would win all the time and no one can see what's happening behind the scenes.
member
Activity: 224
Merit: 10
After checking the wiki looks like there already is some lotteries. BitLotto.com and TAABL
legendary
Activity: 1358
Merit: 1002
Sounds interesting. How are you going to make sure the players can see you didn't just pick someone and alter the code?

Yeah, was thinking the same myself. Maybe time to find some other way to pick the winner, using some formula to transform wallet addresses in numbers.

But you know, it runs automatically, even sending the prize, so i would have to be very quick to change the winner just like that when it happens.
I suspect the whole script to choose the winner and send the prize doesn't take more than a couple milliseconds to execute.

I dunno, honestly. I'll build the site the same way. the bet will only be 10cents. If someone wants to try it, great, if not, great the same way.
I like putting up quick and dirty websites up. Better to buy domains and have something there than leaving them empty. You don't want to know how many parked domains i have... really... Cheesy
member
Activity: 224
Merit: 10
Yeah, you forgot the cron job Smiley

Can I use decimals on the ticket cost?
Now it shows
 /* Ticket cost, in BTC */
$ticket_cost = 1;

can I change it to
/* Ticket cost, in BTC */
$ticket_cost = .01;

Huh??

I'm asking because i still haven't installed it, was just giving the code a quick glance.

btw, Nice touch, using phpbb templating engine Wink

Thanks

PS: Won't players get a little "suspicious/fearful" about the winner being chosen randomly by using a sql query instead it being chosen in a more open way?

That's what I was wondering. What's to stop the person from just picking a winner.
legendary
Activity: 1358
Merit: 1002
Yeah, you forgot the cron job Smiley

Can I use decimals on the ticket cost?
Now it shows
 /* Ticket cost, in BTC */
$ticket_cost = 1;

can I change it to
/* Ticket cost, in BTC */
$ticket_cost = .01;

Huh??

I'm asking because i still haven't installed it, was just giving the code a quick glance.

btw, Nice touch, using phpbb templating engine Wink

Thanks

PS: Won't players get a little "suspicious/fearful" about the winner being chosen randomly by using a sql query instead it being chosen in a more open way?
member
Activity: 224
Merit: 10
Well, if you don't mind i'll give it a chance.
Just need to find a nice domain for it and give it a warm fuzzy look  Tongue

Thanks a lot!
Sounds interesting. How are you going to make sure the players can see you didn't just pick someone and alter the code?
sr. member
Activity: 322
Merit: 251
Well, if you don't mind i'll give it a chance.
Just need to find a nice domain for it and give it a warm fuzzy look  Tongue

Thanks a lot!

No problem! You may want to do a bit of testing first to make sure entries are being counted, etc. I was unable to do much testing as I have only had a total of .11 BTC in my whole time with Bitcoin (.05 BTC right now.) I think it works, the logic is there, and when I use static variables it seems to input correctly, but I'm not 100% sure it'll detect payments correctly.

Also, please check the initial post as I forgot one step in the installation instructions.
legendary
Activity: 1358
Merit: 1002
Well, if you don't mind i'll give it a chance.
Just need to find a nice domain for it and give it a warm fuzzy look  Tongue

Thanks a lot!
sr. member
Activity: 322
Merit: 251
11/15/2015 - BitLuck is deprecated and I've removed the public source for both security and licensing reasons. If you'd really like it for some reason, email me at [email protected]

WARNING: A vulnerability has been pointed out by PhilG in this script and it should not be used. This was an example script I made when I was 15. Additionally, I don't remember anything about this and don't plan to fix it. Feel free to fork it and work on it if you'd like. I'm not even sure it works anymore.

I created a lottery script which automates the process of payments and payouts, and I thought I'd open-source it since I'm not using it anyway... if you like it, please think about donating to me, my donation address is in my signature.

I am posting in this forum, as that's where I posted my initial thread about BitLuck. Mods: feel free to move it.

Version 0.3 is hosted only on Github. BitLuck on Github
You can download v0.2 here.
If for some reason you still want v0.1, you can find it here.

Changelog:

Version 0.2 - Added cost setting to waiting.html (used to be static 1 BTC.)
Version 0.1 - Initial Script

Requirements:

  • PHP 5
  • MySQLi for PHP
  • cURL for PHP
  • JSON for PHP

Installation instructions:

1. Create a database on your MySQL server and run lottery.sql on it.
2. Run "bitcoind" with either the -rpcuser and -rpcpass options, or with them specified in your bitcoin.conf
3. Type at the command prompt, to generate the lottery pool account (you don't need to do anything with the output): bitcoind getaccountaddress "Lottery Pool"
3. Edit config.inc.php, and update the $rpc_* variables to match your RPC server settings, the $sql_* variables to match your MySQL server settings, the owner's key, fee, draw time, and ticket cost.
4. Move give_prize.php outside of the webroot.
5. Setup cron, or a similar service to run give_prize.php at the time you wish the prize to be drawn.
6. Huh
7. Profit!

Let me know how it goes, and if there are any bugs, I'll attempt to fix them. As this isn't an ongoing project, I'm not using Git or another source versioning system as there shouldn't be too many changes, only bug fixes.

DISCLAIMER: I offer no warranty, and if anything goes wrong, it's not my fault. Please also note that this is NOT an example of my best work, rather a quick thing I hacked together in an hour or two when learning about the Bitcoin API.

I hope this helps someone. If you'd like to send a donation for my efforts, please use this address: 1B7aTxrcaEVopuqrqidTQMxE9mpDUZRwAb