Primedice, an online gaming site, learned a hard lesson when it lost $1 million in bitcoin to a hacker who exploited its RNG (random number generation) system last year. The company recently shared its experience on Medium, a website where people share stories. Stunna, the author of the story, said the company wanted to share its experience so that others can learn from it.
Primedice has also invited readers for help in recovering its losses and promises rewards for helpful leads.
In August of 2014, Primedice released its third version after one week of closed beta testing. Shortly after launching, the team noticed unusual patterns from two players; one automatically cashed out while the other won bets. The team found the patterns unusual but could find no wrongdoing.
A month later, after a delayed cashout, the winning player created a new account that placed the largest bets Primedice had ever seen. This bettor, “Hufflepuff,” was betting upwards of $8,000 in bitcoin every second for hours.
“Our entire team was shocked that Hufflepuff continued to beat the house edge (1%) and stack up more and more profit over time.”
The team could find no wrongdoing and continued to pay Hufflepuff his winnings.
They eventually determined that a few accounts were sharing the same server seed. The game shows the player an encrypted random value, the server seed, before they bet. The player must show their own random value, the client seed. The system combines the two random values to determine win or loss. (See the explanation.)
Primedice gives out decrypted server seeds so that players can see there is no manipulation. Hufflepuff found a way to cause the server to give out a decrypted server seed that was also an active seed. With that seed he was able to determine the outcomes of his bets, so he wagered based on whether he would win or lose.
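The invariant that failed here is that a disclosed server seed must never still decide a bet, and that no two accounts share one. The sketch below is an added example, not Primedice's code: the SHA-256 commitment, the HMAC roll formula, and the names `SeedManager` and `audit` are assumptions made for illustration.

```python
import hashlib, hmac, secrets

def commitment(seed: str) -> str:
    # Value shown to the player before betting (assumed here: SHA-256 of the seed).
    return hashlib.sha256(seed.encode()).hexdigest()

def roll(server_seed: str, client_seed: str, nonce: int) -> float:
    # Combine both seeds into a roll in [0, 100); this construction is an assumption.
    msg = f"{client_seed}:{nonce}".encode()
    mac = hmac.new(server_seed.encode(), msg, hashlib.sha256).hexdigest()
    return (int(mac, 16) % 10000) / 100

class SeedManager:
    def __init__(self):
        self.active = {}       # account -> secret server seed deciding its next bets
        self.revealed = set()  # seeds already disclosed to any player

    def new_seed(self, account: str) -> str:
        self.active[account] = secrets.token_hex(32)  # fresh per account, never reused
        return commitment(self.active[account])

    def reveal(self, account: str) -> str:
        # Retire the seed and install a replacement BEFORE disclosing it.
        old = self.active.pop(account)
        self.revealed.add(old)
        self.new_seed(account)
        return old

    def bet(self, account: str, client_seed: str, nonce: int) -> float:
        seed = self.active[account]
        if seed in self.revealed:  # fail closed instead of paying out
            raise RuntimeError(f"{account}: active seed was already disclosed")
        return roll(seed, client_seed, nonce)

def audit(active: dict, revealed: set) -> list:
    # Flag active seeds shared between accounts or already disclosed.
    owners = {}
    for account, seed in active.items():
        owners.setdefault(seed, []).append(account)
    findings = []
    for seed, accounts in owners.items():
        if len(accounts) > 1:
            findings.append(("shared", sorted(accounts)))
        if seed in revealed:
            findings.append(("disclosed-but-active", sorted(accounts)))
    return findings

# Constructed sample state: a and b share a seed; c's active seed was disclosed.
SAMPLE_ACTIVE = {"a": "seed1", "b": "seed1", "c": "seed2"}
SAMPLE_REVEALED = {"seed2"}
if __name__ == "__main__":
    print(audit(SAMPLE_ACTIVE, SAMPLE_REVEALED))
```

Running `audit` periodically over the live seed table would surface both conditions the team eventually found by hand.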
By the time Primedice detected the exploit, it had cashed out roughly $1 million to Hufflepuff. “Given the nature of Bitcoin there wasn’t much we could do but take it on the chin.”
Unfortunately, Primedice’s woes were not over.
When Primedice demanded Hufflepuff return the coins, Hufflepuff created a new account and was able to circumvent the patch the team implemented. The team had improperly patched the glitch. After winning more bitcoin, Hufflepuff sent a sarcastic note to Primedice.
In retrospect, Primedice realizes that if they had rigged Hufflepuff’s bets, they would have known he was cheating the system.
“I believe he would have cleaned us had we never discovered what was going on.”
Primedice funds its own bank account, so no users were affected by the cheating.
The company has listed the culprits’ withdrawal and deposit addresses and emails in its account on Medium for anyone interested in helping them secure the return of coins.
“Any information that leads to the return of the coins from this incident will be greatly rewarded. We invite you to analyze the above bitcoin addresses and find out where the bulk of the coins ended up if you have the skills.”