
Topic: Wixiplay.io is rigged | one in ten million session | fake PF - page 4. (Read 1698 times)

newbie
Activity: 23
Merit: 22
The domain was registered by GoDaddy in Romania. I went ahead and contacted GoDaddy's abuse email.

http://whois.domaintools.com/wixiplay.io
https://i.ibb.co/7pGjDGf/wixi-domain-reg.png
newbie
Activity: 23
Merit: 22
I played some more rounds, carefully verifying each round. I used https://wtools.io/php-sandbox with this php source code:

Quote
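<?php
// Fill in the values for the round being checked.
$client_seed = "...";
$server_seed = "...";
$server_seed_hash = "...";

// The site's published algorithm: HMAC-SHA512 of the server seed, keyed with the client seed.
$result_seed = hash_hmac('sha512', $server_seed, $client_seed);
$result_number = hexdec(substr($result_seed,0,10));
$lucky_number = $result_number % 10001;

echo $lucky_number;

// Strict comparison: with ==, two hex strings of the form "0e<digits>" compare equal as numbers.
if($server_seed_hash===hash('sha256',$server_seed)){ echo "\ntrue"; }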

Most rounds verified, but occasionally it generated an abnormally long server seed whose hash didn't match, and I always lost those rounds.  So the site has multiple ways of cheating.

1. If you don't request the server seed hash in advance, it can change the server seed to achieve whatever result it wants, undetectably.
2. Even if you do request the server seed hash in advance, it will still sometimes change the server seed to achieve whatever result it wants.

Definitely 100% scam.
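Added example, not part of the original post or the site's code: a Python port of the PHP check above that also classifies each round by whether the server-seed hash was recorded before the bet. The seeds and the sample session are constructed, and the function names are this example's own.

```python
import hashlib
import hmac

def commit(server_seed: str) -> str:
    """SHA-256 commitment the site is supposed to publish before the bet."""
    return hashlib.sha256(server_seed.encode()).hexdigest()

def lucky_number(server_seed: str, client_seed: str) -> int:
    # PHP hash_hmac('sha512', $server_seed, $client_seed) uses the server
    # seed as the message and the client seed as the key.
    digest = hmac.new(client_seed.encode(), server_seed.encode(),
                      hashlib.sha512).hexdigest()
    return int(digest[:10], 16) % 10001

def audit_round(recorded_hash, revealed_seed, client_seed, reported_number):
    """Classify one round from the player's own records."""
    if recorded_hash is None:
        # Hash never requested before betting: any seed could be revealed later.
        return "unverifiable"
    if not hmac.compare_digest(commit(revealed_seed), recorded_hash.lower()):
        return "seed-mismatch"
    if lucky_number(revealed_seed, client_seed) != reported_number:
        return "result-mismatch"
    return "verified"

def audit_session(rounds):
    """Count outcomes over an iterable of (hash, seed, client_seed, number)."""
    counts = {"verified": 0, "unverifiable": 0,
              "seed-mismatch": 0, "result-mismatch": 0}
    for r in rounds:
        counts[audit_round(*r)] += 1
    return counts

# Constructed sample session (not real Wixiplay data).
CLIENT = "constructed-client-seed"
HONEST, SWAPPED = "constructed-server-seed-1", "constructed-server-seed-2"
SAMPLE_ROUNDS = [
    (commit(HONEST), HONEST, CLIENT, lucky_number(HONEST, CLIENT)),
    (commit(HONEST), SWAPPED, CLIENT, lucky_number(SWAPPED, CLIENT)),
    (None, SWAPPED, CLIENT, lucky_number(SWAPPED, CLIENT)),
]

if __name__ == "__main__":
    print(audit_session(SAMPLE_ROUNDS))
```

Only rounds whose hash was written down before the bet can ever land in "verified" or "seed-mismatch"; everything else stays "unverifiable" no matter what seed is revealed afterwards.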
legendary
Activity: 2436
Merit: 1104
Stake, Primedice and Cryptogambling Foundation = same s**t, same owner, same people
Keep and kiss his big booty dear members.
See the cases, lucky games, luckyfish usw. Who wants to close them by invoking different problems ? Be a little more thoughtful, do not stay locked in the cage being manipulated by those who believe the best.

Who would take you seriously when you have to hide behind your newly created throwaway alt account you created to express your opinion? Grow some balls and express your opinion proudly on your main account.
full member
Activity: 261
Merit: 100
Stake, Primedice and Cryptogambling Foundation = same s**t, same owner, same people
Keep and kiss his big booty dear members.
See the cases, luckygames, luckyfish usw. Who wants to close them by invoking different problems ? Be a little more thoughtful, do not stay locked in the cage being manipulated by those who believe the best.

Don't understand what you are talking about.
newbie
Activity: 1
Merit: 0
Stake, Primedice and Cryptogambling Foundation = same s**t, same owner, same people
Keep and kiss his big booty dear members.
See the cases, luckygames, luckyfish usw. Who wants to close them by invoking different problems ? Be a little more thoughtful, do not stay locked in the cage being manipulated by those who believe the best.
hero member
Activity: 2268
Merit: 669
Damn. I was planning on playing on this site after seeing in the top rankings of many casino ranking sites, but I will definitely avoid it now after learning about this bullshit. Thanks for the heads-up op. You deserve a lot of merit in my opinion.

The biggest issue with all these provably fair stuff is that many newbies don't understand them due to all the technical stuff involved which is why they ignore it and end up losing money to such shady sites.
It's really shocking to know that you think it's fair because you see it in the top rankings but the truth is it's rigged and not provably fair as we know it. It's good that op did share this information and if you haven't known it yet then you might also experience what op did and lose money from that site.
legendary
Activity: 1463
Merit: 1886
From what I understand by what Rhavar is trying to explain (which I will turn into layman terms for people who are like me that have hard time understanding technical talk) the game "looks" like it is fair but they do have a secret way of knowing if you are gambling by checking the seed or not.

I think the better explanation is:

If you go through the verification process for each individual bet, then each bet is actually provably fair. But if you don't do that process for each individual bet, then it's impossible to verify the bet later. They also know which bets you are able to verify or not. So from their point of view, they know exactly which bets they need to behave with (0.00001% for nerds like me who verify) and which bets they have free rein to undetectably cheat.

This doesn't prove they're actually cheating, just they have the opportunity to do so without anyone having proof. Which more or less defeats the purpose of having a provably fair system in the first place. If I was a betting man, I'd however bet they are abusing this to cheat. Basically because of the stats BitwiseOperator gave -- and they talk about their nonce system:

Quote from: wixiplay.io
The Provably Fair and NONCE system makes your game 100% manipulation free.

But it's 100.00% useless! It literally does nothing other than making it look like the industry-standard provably fair system (which requires a nonce) but it's not!  This to me also seems pretty suspicious.


Personally I'd strongly caution people against playing here...



I would hope that after this (regardless if they were honest or not) they immediately switch to the industry-standard provably fair system (AKA copy exactly what just-dice.com does).
legendary
Activity: 3038
Merit: 1188
Quoting, to re-read later.

Basically the simple-version is:

From what I understand by what Rhavar is trying to explain (which I will turn into layman terms for people who are like me that have hard time understanding technical talk) the game "looks" like it is fair but they do have a secret way of knowing if you are gambling by checking the seed or not.

If you are a guy who doesn't check the seed that often they hide the previous seed so that you can't get it and that means you can be scammed out of your money, that is only if you don't care about the seed and not checking anything which they can see by you not changing the seed frequently or maybe even never.

So, it does "look" fair and that is true but if you let them away with it by not checking they could potentially become not provably fair given the opportunity. This doesn't mean they are stealing money from you, it just mean they have that option if they want to and you have to trust them not to do it which is not provably fair if you ask me.
legendary
Activity: 1554
Merit: 1014
I was planning on playing on this site after seeing in the top rankings of many casino ranking sites,

It's good that you just wanted to play here and stopped because of this thread, but I was already playing there, joining the contest for 3 straight days,
but at the end, I just lost all my balance there.
legendary
Activity: 2198
Merit: 1014
Bitdice is scam scam scammmmmmmmmmmmmmmmmmmmmmmmmm
This is really out of order and one more reason why we have to be even more careful when playing 'provably fair' games that are not approved by Cryptogambling foundation.
If you want to learn more about randomness and provably fair https://cryptogambling.org/articles/ are very well written.
newbie
Activity: 23
Merit: 22
But then it hit me!

They can actually check if you're going through the impractical ceremony or not! I verified this by checking the network requests, and AFAICT the only way to view the server-seed hash is via a network request to "/ajax/modal" with "modal=fairness".

So this means they can actually tell if you're verifying the bets or not. So they could trivially cheat only when they know you won't be able to tell (when you never requested the server-seed hash).

Sounds like 999dice all over again.

I agree. This combination of factors is suspicious:
1. new server seed every round
2. the server seed hash is only transmitted to the client when you click for it.

Whenever you don't click to request the server seed hash, the server KNOWS it's not being watched and that it can get away with cheating, by changing the server seed to make you lose the roll.
hero member
Activity: 3178
Merit: 977
Damn. I was planning on playing on this site after seeing in the top rankings of many casino ranking sites, but I will definitely avoid it now after learning about this bullshit. Thanks for the heads-up op. You deserve a lot of merit in my opinion.

The biggest issue with all these provably fair stuff is that many newbies don't understand them due to all the technical stuff involved which is why they ignore it and end up losing money to such shady sites.
legendary
Activity: 2772
Merit: 3282
But then it hit me!

They can actually check if you're going through the impractical ceremony or not! I verified this by checking the network requests, and AFAICT the only way to view the server-seed hash is via a network request to "/ajax/modal" with "modal=fairness".

So this means they can actually tell if you're verifying the bets or not. So they could trivially cheat only when they know you won't be able to tell (when you never requested the server-seed hash).

Sounds like 999dice all over again.
legendary
Activity: 1463
Merit: 1886
Quoting, to re-read later.

Basically the simple-version is:

* wixiplay uses a unique server-seed per bet (and thus unique server-seed-hash per bet)

* To verify a bet, you need to record the server-seed-hash *BEFORE* you bet (that way you know they didn't change the server seed in response to your bet)

* To get the server-seed hash you have to go out of your way and specifically request it, for that bet

---

So what this means, is wixiplay knows if you're able to verify the bet or not. If you're not able to verify the bet, it has free rein to undetectably cheat!


--

If BitwiseOperator played 523 coin-flips and only won 199, his maths is probably correct (I don't actually know off-hand how to do that calculation, so I tried to simulate it. After 200 million simulations, it appears to only happen every 1 in ~5 million times, so it's definitely an (expected) real freak occurrence.)

Combined with the fact they're using a *totally pointless* nonce, makes me feel like they're trying to (maliciously?!) pass their system off as a traditional provably fair system (which it's definitely not).
legendary
Activity: 2072
Merit: 1049
┴puoʎǝq ʞool┴
Just tried the site, and the half a dozen bets I made did checkout in the provably fair system. You can view the "server seed" by double-clicking on the bet-id of the previous bets you made.


But it looks like a really stupid system. There's absolutely no reason they should be changing the server-seed each bet (makes it so difficult as to be impractical to verify a bunch of bets). And the way the system is now, the nonce serves no purpose at all (other than also complicating verification). But it does appear to give you enough to verify your bets, if you go through an impractical ceremony.

--

But then it hit me!


They can actually check if you're going through the impractical ceremony or not! I verified this by checking the network requests, and AFAICT the only way to view the server-seed hash is via a network request to "/ajax/modal" with "modal=fairness".

So this means they can actually tell if you're verifying the bets or not. So they could trivially cheat only when they know you won't be able to tell (when you never requested the server-seed hash).

---

So I'm going to agree with the OP on this one: the site doesn't meet standards expected of a provably fair site.





Quoting, to re-read later.
legendary
Activity: 1463
Merit: 1886
Just tried the site, and the half a dozen bets I made did checkout in the provably fair system. You can view the "server seed" by double-clicking on the bet-id of the previous bets you made.


But it looks like a really stupid system. There's absolutely no reason they should be changing the server-seed each bet (makes it so difficult as to be impractical to verify a bunch of bets). And the way the system is now, the nonce serves no purpose at all (other than also complicating verification). But it does appear to give you enough to verify your bets, if you go through an impractical ceremony.

--

But then it hit me!


They can actually check if you're going through the impractical ceremony or not! I verified this by checking the network requests, and AFAICT the only way to view the server-seed hash is via a network request to "/ajax/modal" with "modal=fairness".

So this means they can actually tell if you're verifying the bets or not. So they could trivially cheat only when they know you won't be able to tell (when you never requested the server-seed hash).

---

So I'm going to agree with the OP on this one: the site doesn't meet standards expected of a provably fair site.



newbie
Activity: 23
Merit: 22
Generate new server seed and you will get old server seed

When I click "generate new server seed" it does NOT show the old server seed.  Also, the server seed hash changes between every round, so there's no reason for it to not automatically show last round's server seed.
legendary
Activity: 2198
Merit: 1014
Bitdice is scam scam scammmmmmmmmmmmmmmmmmmmmmmmmm
I just played 523 coin flips (49.5% chance of success with a 1% house edge).  Only won 199 of them.  The probability of winning 199 or fewer out of 523 is 8.9696e-8, or about one in ten million.

Their provably fair system doesn't work because they only show the server seed hash, but they never reveal the server seed of past rounds, so there is no way to do the calculation to verify that those rounds were fair.

They say the algorithm is:

Quote
$client_seed = "your_client_seed";
$server_seed = "your_server_seed";

$result_seed = hash_hmac('sha512', $server_seed, $client_seed);
$result_number = hexdec(substr($result_seed,0,10));
$lucky_number = $result_number % 10001;

echo $lucky_number;

But this is all they show you in the fairness dialog.


It never shows the server seed for the previous round, so you can't check the fairness.  This is a fake PF system.

I recommend avoiding the site until they fix their PF.
Generate new server seed and you will get old server seed
newbie
Activity: 23
Merit: 22
I just played 523 coin flips (49.5% chance of success with a 1% house edge).  Only won 199 of them.  The probability of winning 199 or fewer out of 523 is 8.9696e-8, or about one in ten million.

Their provably fair system doesn't work because they only show the server seed hash, but they never reveal the server seed of past rounds, so there is no way to do the calculation to verify that those rounds were fair.

They say the algorithm is:

Quote
$client_seed = "your_client_seed";
$server_seed = "your_server_seed";

$result_seed = hash_hmac('sha512', $server_seed, $client_seed);
$result_number = hexdec(substr($result_seed,0,10));
$lucky_number = $result_number % 10001;

echo $lucky_number;

But this is all they show you in the fairness dialog.
https://i.ibb.co/1KDN8s5/wixi-fairness.png

It never shows the server seed for the previous round, so you can't check the fairness.  This is a fake PF system.

I recommend avoiding the site until they fix their PF.
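Added example, not part of the original post: the exact binomial lower tail for the figures quoted above (523 bets, 199 wins, 49.5% win chance), plus the win count at or below which a session of that length falls under a chosen alert level. The function names and the one-in-a-million alert level are this example's assumptions.

```python
from fractions import Fraction
from math import comb

# Figures taken from the post above.
BETS, WINS = 523, 199
P_WIN = Fraction(495, 1000)
# Assumed alert level for this example: flag sessions rarer than 1 in 1,000,000.
ALPHA = Fraction(1, 10**6)

def tail_at_most(wins: int, bets: int, p: Fraction) -> Fraction:
    """Exact P(X <= wins) for X ~ Binomial(bets, p), using rational arithmetic."""
    q = 1 - p
    total = Fraction(0)
    for k in range(wins + 1):
        total += comb(bets, k) * p**k * q**(bets - k)
    return total

def alarm_threshold(bets: int, p: Fraction, alpha: Fraction) -> int:
    """Largest win count whose lower tail is still below alpha (-1 if none)."""
    q = 1 - p
    total = Fraction(0)
    for k in range(bets + 1):
        total += comb(bets, k) * p**k * q**(bets - k)
        if total >= alpha:
            return k - 1
    return bets

def one_in(prob: Fraction) -> int:
    """Express a probability as 'one in N' sessions, rounded to an integer."""
    return round(1 / prob)

if __name__ == "__main__":
    tail = tail_at_most(WINS, BETS, P_WIN)
    print(f"P(wins <= {WINS} of {BETS}) = {float(tail):.4e} (one in {one_in(tail):,})")
    k = alarm_threshold(BETS, P_WIN, ALPHA)
    print(f"{k} or fewer wins in {BETS} bets is rarer than 1 in {one_in(ALPHA):,}")
```

Because the sum is exact, the result does not depend on simulation noise, which matters at tail probabilities this small.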