Gambling is the riskiest form of investment, if it can even be called such, known to man. Casinos worldwide use any marketing tactic imaginable to attract that hallowed sucker born every minute, including giving money to new players, free drinks, and publishing odds.
Online casinos, especially in the cryptocurrency space, have the added ability to use what they call a “provably fair” method. This means that the gambler can hash two seeds and determine whether or not the result on the bet was fair or not. In many systems the user is able to see the server hash as soon as the bet is completed.
However, one major gambling site, 99.9% Dice, which promotes a house “edge” or win ratio of just .1%, has recently found itself under scrutiny after a player cried foul ball over the way their system works. In the 99.9% Dice system, the user must click a button to reveal the hash after each game.
The user in question, Ed Benckert, believes that the server actually generates a correct hash when this button is clicked, and that the seed the server actually uses is whatever the server needs it to be. He wrote a long article describing his experience at 99.9%, where he placed a total of 92,000 BTC in bets over time.
Until you click that button, you cannot see the hash. If you NEVER click that button, that seed, and the hash that is generated from it, can be WHATEVER THE HELL 999dice wants and needs the seed to be. Are you on a big winning streak, and feeling lucky, and place a huge bet? Are you on a horrifically bad martingale losing streak, doubling your 5 satoshi bet all the way up to 3.35 bitcoin and praying to god you don’t lose AGAIN? **DID YOU CLICK THE BUTTON TO GET THE HASH BEFORE YOU BET?**
No? Oh, ok then – sorry – you lost the roll. I guess it was just really bad luck. Do you want to validate that it was actually a losing roll and make sure we aren’t cheating? Ok, here’s the server seed we used, right there on the hard to find and not explained how to get there validation page, you can use that with the client seed and the bet number and you can validate and see clearly that it all matches up. See? We aren’t cheating.
What he left out in this was the fact that he had originally attempted to scam the casino. The evidence of this appears in this e-mail archive, where Benckert says:
Truth is I was messing with peter todd’s replace by fee tool (I thought it would be an even better way to tumble some coins – add some confusion and anonynmity to the transfers by having some go bad and then others take their spot, and well, seeing if I can break shit is a hobby, so, I messed with the double spend tool) and if my logs are correct, three 1 BTC payments to you were actually double spent. A few others I was playing with the tool and the parameters and were not. Then I was messing with it further, and you can clearly see I never actually sent the second transaction.
Regarding the admin of the site, who members of the community have claimed is most likely known scammer Noah Matisoff, Benckert told CCN:
Here’s the thing: I think this guy is absurdly brilliant. He built the site in such a way he CAN cheat and no one can prove it. He addressed every question or issue I asked him, EXCEPT when I asked him about the hash being hidden. I believe that was intentional.
Again, this does not make Benckert’s claims that 99.9% Dice isn’t operating properly any less plausible, but it does feel a bit like going into a casino with fake money and then complaining of a rigged system. There are actually two stories here: one, a system that is flawed and possibly taking advantage of users and two, a scammer who is unsuccessful and claims his victim is the scammer. The site’s administrator claims the double-spending scheme works like this:
Step 1: Deposit (credited instantly to your account)
Step 2: Quickly make bets
Step 3: If you won the bets, do nothing, because your deposit will be confirmed and you won money and can withdraw it. If you lost the bets, send the double-spent transaction, abandon the account, and start a new one.
He elaborated a great deal about his interactions with Ed Benckert. He claims that the user initially played innocent even though he’d been clearly caught, and that Benckert was brash and rude from early on in the exchanges. Specifically, the administrator says:
Ed was more than 11 BTC into his attacks before he noticed it wasn’t working as expected (I have some tricky countermeasures =D). His coins were seized and he lost the money he was using to try to rob us. I kept leaving notes on his accounts asking him to contact me, but he didn’t do so until a day or two later. In his initial message (in the contact tab on my website), he played innocent and said I was holding his money hostage, but after my response to him suggesting I was willing to give him his coins back despite knowing what he was trying to do, he was much more open.
He then came back to the site under a new account to make bets. He won 20 BTC or so. Then he returned and lost a bunch. (Then won a bunch and was profiting again, then lost a bunch again, a few times).
After losing, he began sending the scam accusations, each time demanding all his losses back, with threats if I did not. Any response I gave him which did not include “ok, here’s all your BTC back”, basically had no effect.
Publicly and to CCN, the admin has stated that the situation will be rectified and hashes will be published with each bet, as is done on other sites. “I just didn’t think about it. I gave people a provably fair system and the means to use it. I guess it takes a sinister (or more experienced mind) to think of loopholes like he’s suggesting,” he says. The updated site will rollout within the week, according to the admin. This prevents future problems of the same sort from happening to users of the site.
As for Benckert, he is banned from the site due to his double-spending attempts. While he seems quite unhappy with the results of his gambling at 999Dice.com, he hopes that his experience and the attention given it will benefit other users and ultimately that the site will falter and go out of business.