EpicDice is compromised

in epicdice •  5 years ago  (edited)


EpicDice is an open-source gaming platform built on top of Steem blockchain with absolute transparency and fairness. Join the most epic fun today!

https://epicdice.io/


Let’s start this post with the brief announcement we made in Discord not long ago:

The bad news is that, after an in-depth investigation, we concluded our game was exploited because we were using the simplest provably-fair mechanism: every game result relied solely on the blockchain transaction ID. We thought it was random and hard enough for bad actors to game the system, but apparently it wasn’t. We will have to halt the platform until a new mechanism is implemented, and this is now the team’s top priority.

The good news is that the house fund wasn’t completely drained, so we are ready to come back strong as soon as the system is patched. And for those who previously suspected EpicDice was not playing fair, this is the best (or worst) example to prove our claim of absolute fairness: even in an event where the randomness of the transaction ID is exploited, the house is the vulnerable side. We were truly running the best gambling service we could in every respect.

Timeline of event

  • UTC 28, Aug, 10:04: @mys started an “above 99” attack against @epicdice and managed to roll 100 in a long streak (27 in total). It worked by sending in 1.02 STEEM as the wager with the prediction “above 99” and winning 100 STEEM every hand.

  • UTC 28, Aug, 11:17:
    Users @selce-n and @thegoliath reported the abnormal betting behaviour of @mys via a blog comment and the Discord channel.

  • UTC 28, Aug, 11:35: EpicDice was shut down upon a clear sign that a system vulnerability was being exploited.

  • UTC 28, Aug, 17:04: EpicDice announced that the system was being gamed because its randomness generation relied purely on the Steem pseudorandom transaction ID.

  • UTC 28, Aug, 18:31:
    Witness @themarkymark made a post reporting the incident and confirmed that 2,698.921 STEEM had been taken by @mys.

  • UTC 28, Aug, 21:58:
    It turned out @mys is a Steem witness himself, and he followed up the incident with a detailed explanation of how the exploitation was done in this post.

  • UTC 29, Aug, 07:29: @mys returned the full funds from the exploitation after getting in touch with an EpicDice representative.

Black hat? White hat?

EpicDice will not take a side on what the real intention of @mys was in this attack, but chooses to lay the plain facts straight and let the crowd make the call.

We would not speak highly of him, since the cold hard fact is that his exploitation was stopped by others raising the alarm, and he showed no intention of stopping until the system was halted. We also will not lay unnecessary blame, since he did the right thing by returning all the funds in the end.

As much as @mys tried to make it look like a white-hat attempt in our private interaction, it was disheartening to see someone who represents our beloved blockchain do this to a hardworking business without informing the team first. We cannot be sure whether this could have turned into a much worse situation, but it would certainly have ended in a much better way had we been kept in the loop from the beginning.

We would, however, like to thank @mys for showing us the greatest vulnerability in the system, so that we can grow stronger from here. Nothing lost, nothing gained!

Reward time

2m EPC each to @selce-n and @thegoliath for reporting the incident at the earliest moment. 2m EPC to our Mr. Genius @mys: such a clever exploit deserves every bit of it from a white-hat perspective.

Verdict

As we have stated, this is far from the end for EpicDice. Instead, we take this as a rare opportunity to improve our platform and treat such a challenge as a touchstone of the team’s ability to stay afloat and above water no matter what falls upon us.

We were on an emotional roller-coaster the moment we found out it was a witness who did this to us. What came as a great relief was the tremendous support from the very community we have loved all along. That was the greatest reason we chose to start our business right here on Steem, after all.

Be right back, soon.


We are recruiting

We are still looking for moderator talent from the Korean and Japanese communities. The requirements are the same as here, and we will leave the recruitment open until the position is filled by a capable soul. Recommend yourself if you are up for this interesting role, or refer a potential candidate to us. We have a little surprise for each successful referral!

Earn EPC via delegation

EPC is the only token that earns from the daily dividend and prize pool in STEEM. Every 1 SP delegated earns 2 EPC daily. A delegation takes one day to become effective, so dividends start one day after the moment of delegation.

Quick delegation via Steemconnect links below:

100 SP | 500 SP | 1000 SP | 5000 SP | 10000 SP


Join our Discord server for better communication.

Disclaimer and Important Notice: Epicdice.io reserves the right, at its discretion, to change, modify, add, or remove portions of the Terms and Rules at any time without notice.


damn this sucks

Poor coding and lack of testing isn't a hack and nothing is compromised. @Mys seems to have acted in good faith and returned the funds while this entire post is blatantly insulting towards him. (Edit: I see you're not responding to my comment and instead downvoted me. Don't think politely responding to the whales commenting vs someone you don't recognize is making you look any better.)

Isn't it the same all over, like the way a Casino will ban a card counter when actually that is a skill. Funny isn't it, a game fixed in such a way the house wins cries foul when due to their poor coding and lack of testing they have the tables turned on them.

Like you say it's not a hack, it was gaming of the system and to some may be a step too far in their morals, vis-à-vis the underarm bowl by Australia to win a test, perfectly acceptable under the rules but roundly condemned throughout the world of cricket.

Personally I think it's fine to try to find errors in a system, I would do the same but after verifying the exploit I would have contacted them to fix it and negotiated a fee for the work done that they never did, in this case like keep half, though given the price of Steem it's close to $500 which I would imagine most bounties would be around about at.

Since he has been given 2 Million tokens (approx 220 Steem) I guess it all worked out well in the end. Add that to the post earnings and everyone is probably happy now.

There isn't any insulting, just plain fact. Thanks for the care; also the commenter's status has nothing to do with our response.

Okay, but no need to buy votes to reward yourself for your incompetence. Downvoted.

Same Here, I agree!

Appreciate the attention and thanks for the downvote, have a nice day buddy.

Maybe he just wanted to alert community that epicdice sucks

Downvoted. One-line comment should not be rewarded this high.

@mys being a witness is irrelevant to that case

Please make up your mind: are you saying that @mys is cool and you are rewarding him or that he is not cool ... and you are rewarding him anyway?

You've made a game with some rules and @mys played that game and was rewarded according to those rules.

The house always wins, except when it is surprised by people who can do math.

Simplifying:

There's a game:
You pick a number.
Then the house will randomly choose one.
If the numbers match, you win.
The house promises fairness, providing the code that clearly shows you when you lose and when you win.
What are the odds?


Source: https://xkcd.com/221/

You are right. Anyone can perform the same attack as long as he possesses in-depth knowledge of how block production works. Don't get us wrong, we have huge respect towards witnesses who put in a tremendous amount of time and effort in securing the network (you can track our witness-voting history), else we would not have been here in the first place.

Let’s just focus on the facts and eliminate all the “what-ifs”. He was cool in that he published the exploitation in detail and returned all the funds. He was not cool in how he performed the “white-hat” trick, which was only halted by a third party’s alarm to the house and would very likely have drained the bank if nobody had been aware of what he was doing. He was rewarded for the former, cool part.

If you think what he did was fair play, we don’t think we should discuss this further. Appreciate the feedback!

I guess I see both sides… If it was truly malicious he would not have returned the winnings. However, I fully believe it was because he got "caught". I believe he should have been compensated with a bounty, I just wish there would have been more transparency from the get-go rather than continuing the exploit. Epicdice… I think the wording in this post is a little much and you should focus on a good PR representative to the team :) Remember, as a business you always have to take the high road.

Regardless, as an investor, I think the way Epicdice handled this is very impressive. This issue was resolved in a very timely manner and could have been something to completely take down the platform. Or an excuse to just leave like other gaming dapps have in the past. This has given me even more confidence in the Epicdice team. Now let's all move forward and roll some Dice!!

Indeed we are here to stay, no matter what is happening. Thanks for seeing that and thanks for all the kind words.

I am glad @mys decided to return all the funds and was given a bounty for it.
Also thank you for the EPC bounty for helping find it! This helps show why, when you find problems with something a community offers, it is worthwhile to report them to help the community out.

Posted using Partiko Android

Glad you were with us all the time, please keep an eye on us as always.

It is good to see the system back again even stronger. Hopefully everything will be better and better on the blockchain.

Fortunately @mys didn't try to hide himself and did things in a sequence as if trying to be noticed.

Even though I didn't have any intention of getting rewards, thanks for the bounty.

Hoping the best for @epicdice and the blockchain. We need to keep enjoying.

Could not be more glad in such ending. Have a great day ahead!

At least it got fixed fast and you learned something from it. Sad to see the site down for some time. But you will stand up stronger. Best of Luck!

Definitely an impressive experience. Thanks for dropping by!

Definitely an
Impressive experience.
Thanks for dropping by!

                 - epicdice


I'm a bot. I detect haiku.

Great to see a quick come back!

In a way, you were extremely lucky that your system was compromised by someone like @mys who didn't rip your bankroll completely and finally returned everything he got from it. You're also very lucky to have an active player community with alert players like @selce-n and @thegoliath, who played watchdog by instantly alerting you. But IMHO, an 18-minute response time (according to the event timeline) for taking the website down was a little longer than expected. It could have done massive damage!

The situation could have been far worse!

I wonder, if this bug was so obvious and well-known (as pointed out by some Steemians), how did it take 6 months for someone to actually take advantage of it! Could it be possible that someone else too was silently profiting from it?

Finally, I was expecting some talk in this post on your decision for reducing the bank-roll from 16K to just 5K. Why did it happen? Are you still not very confident of the security of the House balance?

Good luck!

Indeed, more preventive and safety measures will be put in place after this incident, and we are always grateful for such an ending. We always wanted to safeguard the bank from the main account and this is just the right time to do it. Thanks for the support!

“Nothing lost, nothing gained!”
Not exactly, Epic Dice gained the experience, thus resulting in a better system later on. Gained, as the community really never sleeps and is always alert to protect the integrity of the blockchain and the community.

Posted using Partiko iOS

We surely love the awesome community!

Exactly. I think that's the big takeaway. There are some blaming epicdice in the comments above for incompetence, but it's also worth noting that the goodwill you've earned by behaving the way you have through this all provided you with a support system that ameliorated the consequences of coding errors. So, let's also give you credit for competence when it comes to human relations, which is too often regarded a soft skill. Kudos to you for building a supportive community!

@mys did nothing wrong. You have to thank him.
Do you think that if he acted in bad faith, he would have done that through his main account?

We did. Thanks for the comment.

Flag for

2m EPC to our Mr.Genius @mys

You guys are definitely geniuses to secure the game in such a stupid way.

If @mys was malicious, he would have cleaned out your account with multiple anonymous accounts for weeks before you knew it. Lucky for investors that he did it this way and returned the money.

Appreciate the attention and feedback. No flag for you tho.

I’ve never toyed with gambling apps like this and am new to Steem so don’t have much in the way of funds to play with.

But well done for being so transparent. This is quite honourable behaviour on your part.

Posted using Partiko iOS

So it wasn't really as fair as you marketed it after all? Your post seems legit and you reacted quick.

In 2016 I built a Loto website for STEEM (I think it was the first gambling app), and even Dan Larimer asked me to use the block hashes for 'provably fair' verification (see https://steempeak.com/steemloto/@heimindanger/introducing-the-first-steem-dollars-lottery-only-usd0-01-sbd-per-ticket) so I guess people cannot blame you so much for doing this. But obviously Dan Larimer was trying to cheat too, he knew these hashes are manipulable (PoW was fast and easy in Steem back then)

My main question is how do you feel about lying to your customers about having a 'provably exploitable' instead of 'provably fair' pseudo random number generation algorithm? And how bad do you think this would have been if your userbase was 100x bigger than what it is today?

Finally, who was the witness who controlled the hashes of the blocks where the attack happened? You should blame him and try to get him unvoted out of the top 20.


They used transaction hashes. Those are different, as they can be pre-computed by anyone before sending the transaction. There's no one else to blame but them, for using a mechanism they didn't understand in a critical part of their system.
Block hashes are way harder to manipulate, it would need to be done by the witness producing that block, which is not really trivial to do (calculate hash with the tx included, if win publish the block with, if not publish it without the tx) and as you correctly said should absolutely result in downvoting him.
If you use the hash of a later block than the one the transaction is included in there's no way to cheat it, and Dan's suggestion would've been totally valid.

//edit: well, I guess witness collusion would be theoretically possible, if the witness following the one including the bet publishes a block with a fitting hash. That won't always work though, as it requires quite some calculation to find a fitting block, and during that time you may miss the time window to publish. It would also require at least one of the two to be a top-20 witness.
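As an added example (not code from the post, from EpicDice or from any commenter), this simulation shows the difference the announcement above and this comment describe: a bettor who can compute the transaction ID before broadcasting can pick among candidate transactions, whereas a roll that also mixes in a later block hash cannot be predicted at decision time. The transaction payload, the roll derivation and the wager values are constructed assumptions, not Steem's or EpicDice's actual code.

```python
import hashlib
import random

def tx_id(payload: bytes) -> str:
    """Constructed stand-in for a Steem transaction ID: a hash over the
    serialised transaction, which the sender can compute before broadcasting."""
    return hashlib.sha256(payload).hexdigest()

def roll_from_txid(txid: str, _later_block_hash: str) -> int:
    """Vulnerable scheme from the post: the roll (1..100) depends only on the
    transaction ID, so the sender knows the outcome before the bet is sent."""
    return int(txid[:8], 16) % 100 + 1

def roll_from_later_block(txid: str, later_block_hash: str) -> int:
    """Hardened scheme suggested in the thread: mix in the hash of a block
    produced after the one that includes the bet. The sender cannot know it."""
    mixed = hashlib.sha256((txid + later_block_hash).encode()).hexdigest()
    return int(mixed[:8], 16) % 100 + 1

def grinding_win_rate(scheme, candidates: int, bets: int, seed: int = 7) -> float:
    """Property check for a randomness source. A bettor prepares `candidates`
    variants of one wager (differing only in the memo), predicts each roll with
    what is known before broadcasting, sends the best one and plays 'above 99'.
    Returns the fraction of bets actually won; fair odds are 1%."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(bets):
        guessed_block = "0" * 64  # later block hash is unknown; any guess will do
        best_txid, best_pred = "", -1
        for _ in range(candidates):
            payload = f"wager=1.02 STEEM;pred=above 99;memo={rng.random()}".encode()
            candidate = tx_id(payload)
            pred = scheme(candidate, guessed_block)
            if pred > best_pred:
                best_txid, best_pred = candidate, pred
        # The block that actually follows the bet is outside the bettor's control.
        actual_block = "%064x" % rng.getrandbits(256)
        if scheme(best_txid, actual_block) > 99:
            wins += 1
    return wins / bets

if __name__ == "__main__":
    # With 500 candidates the tx-ID scheme wins nearly every bet; the
    # later-block scheme stays near the fair 1%.
    print("tx-id only  :", grinding_win_rate(roll_from_txid, 500, 200))
    print("later block :", grinding_win_rate(roll_from_later_block, 500, 200))
```

The same check applies to any house-side seed that is fixed before the bet is broadcast: if the bettor can evaluate the roll locally, the source is grindable.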

My main question is how do you feel about lying to your customers about having a 'provably exploitable' instead of 'provably fair' pseudo random number generation algorithm?

Not sure if you get the full context of the post. There is zero lying from the first day of conducting business. Everything is exploitable, as long as you try hard enough.

Finally, who was the witnesses who controlled the hashes of the blocks where the attack happened

This attack has nothing to do with witness status; it is just that the attacker happens to be a witness. Anyone possessing knowledge of the Steem coding structure and logic can perform the exact same attack.

disagree on so many points

good thanks for sharing this interesting information

This post has been included in the latest edition of The Steem News - a compilation of the key news stories on the Steem blockchain.

Hey!
I'd also like to tell you that I find your New "Div & Token" navigation button to be good for one way switch but isn't intuitive enough to return back to home page. Just my feedback!

It should work as a two-way button.

Yes, technically it does work two-way. What I meant was that it's not intuitive for me to click on "Div & Token" to return back to the game interface. If it works for all others, then let it be