EpicDice is compromised

in #epicdice5 years ago (edited)

Artboard 5@20x.png

EpicDice is an open-source gaming platform built on top of Steem blockchain with absolute transparency and fairness. Join the most epic fun today!

https://epicdice.io/


Let’s start this post with a brief announcement we made in Discord not long ago

The bad news is, after some in-depth investigation we concluded our game is exploited due to we are using the simplest provably-fair mechanism. All the game result is solely relying on the blockchain transaction ID. We thought it was random and hard enough for bad actors to game the system but apparently, it wasn’t. We will have to halt the platform until a new mechanism is being implemented, and this is going to be the team’s top priority now.

The good news is, the house fund wasn’t completely drained so we are ready to come back strong as soon as the system is patched. And for those who previously suspect EpicDice is not playing fair, this is the best(or worst) example to prove our claim: Absolute fairness. Even in such an event where the randomness of transaction ID is exploited, house is on the vulnerable side. We were truly running the best gambling service in term of everything we can.

Timeline of event

  • UTC 28, Aug, 10:04: @mys started “above 99” attack against @epicdice and managed to score rolled number 100 in a long streak(27 in total). It worked by sending in 1.02 STEEM as wager with prediction “above 99” and won away 100 STEEM every hand.

  • UTC 28, Aug, 11:17:
    User @selce-n and @thegoliath reported abnormal betting behaviour of @mys via blog comment and Discord channel.

  • UTC 28, Aug, 11:35: EpicDice was shutdown upon a clear sign of system vulnerability exploitation.

  • UTC 28, Aug, 17:04: EpicDice announced the system is being gamed due to its randomness generation which is purely relying on Steam pseudorandom transaction ID.

  • UTC 28, Aug, 18:31:
    Witness @themarkymark made a post reporting the incident and confirmed that 2,698.921 STEEM has been taken away by @mys.

  • UTC 28, Aug, 21:58:
    It turns out @mys is a Steem witness himself who followed up the incident with a detailed explanation of how the exploitation been done in this post.

  • UTC 29, Aug, 07:29: @mys returned the full fund from the exploitation after getting in touch with EpicDice representative.

Black hat? White hat?

EpicDice would not take a side on this topic regarding what is the real intention of @mys in this attack, but choose to lay the plain facts straight and let the crowd makes the call.

We would not speak highly of him since the cold hard fact is that his exploitation was stopped by other’s alarm and he showed no intention of stopping until the system was halted. We also will not put unnecessary blame since he did the right thing by returning all fund at last.

As much as @mys was trying to make it looks like a white-hat attempt in our private interaction, it was disheartening to see someone who represents our beloved blockchain did this to a hardworking business without prior information to the team. We wouldn't not be sure if this can be a much worse situation. But certainly it would have been ended in a much better way by keeping us in the loop from the beginning.

We, however, would like to thank @mys in showing us the greatest vulnerability in the system so that we can grow stronger from here. Nothing lost, nothing gained!

Reward time

2m EPC to each @selce-n and @thegoliath for reporting the incident at earliest timing. 2m EPC to our Mr.Genius @mys for such a clever exploit deserves every bit of it from white-hat perspective.

Verdict

Like what we have stated, this is far from being the end for EpicDice. Instead, we take this as a rare opportunity to better our platform and treat such challenge as a touchstone to the team’s competency staying afloat and above no matter what is falling upon us.

We were on a mood roller-coaster the moment we found out it was a witness who did it to us. What comes to our great relief is that the tremendous support from the exact community we love all along. That was the greatest reason we chose to start our business right here on Steem, after all.

Be right back, soon.


We are recruiting

We are still looking for awesome moderator talent from the Korean and Japanese community. The requirements will be the same as here and we will leave the recruitment open until the position is filled with capable soul. Recommend yourself if you are up to the interesting role, or refer us a potential candidate. We have a little surprise for each successful referral!

Earn EPC via delegation

EPC is the only token to earn from the daily dividend and prize pool in STEEM. Every 1 SP delegation earns 2 EPC daily. It takes one day for the delegation to be effective in order to receive the dividend from the moment of delegation.

Quick delegation via Steemconnect links below:

100 SP | 500 SP | 1000 SP | 5000 SP | 10000 SP


Join our Discord server for better communication.

Disclaimer and Important Notice: Epicdice.io reserves the right, at its discretion, to change, modify, add, or remove portions of the Terms and Rules at any time without notice.

Sort:  

damn this sucks

Poor coding and lack of testing isn't a hack and nothing is compromised. @Mys seems to have acted in good faith and returned the funds while this entire post is blatantly insulting towards him. (Edit: I see you're not responding to my comment and instead downvoted me. Don't think politely responding to the whales commenting vs someone you don't recognize is making you look any better.)

Isn't it the same all over, like the way a Casino will ban a card counter when actually that is a skill. Funny isn't it, a game fixed in such a way the house wins cries foul when due to their poor coding and lack of testing they have the tables turned on them.

Like you say its not a hack, it was gaming of the system and to some may be a step too far in their morals, viz a viz the under arm bowl by Australia to win a test, perfectly acceptable under the rules but roundly condemned throughout the world of cricket.

Personally I think its fine to try to find errors in a system, I would do the same but after verifying the exploit I would have contacted them to fix it and negotiated a fee for the work done that they never did, in this case like keep half, though given the price of Steem its close to $500 which I would imagine most bounties would be around about at.

Since he has been given 2 Million tokens (approx 220 Steem) I guess it all worked out well in the end. Add that to the post earnings and everyone is probably happy now.

There isn't any insulting, just plain fact. Thanks for the care, also the commentor's status has nothing to do with our response.

Okay, but no need to buy votes to reward yourself for your incompetence. Downvoted.

Appreciate the attention and thanks for the downvote, have a nice day buddy.

Maybe he just wanted to alert community that epicdice sucks

Downvoted. One-line comment should not be rewarded this high.

@mys being a witness is irrelevant to that case

Please make up your mind: are you saying that @mys is cool and you are rewarding him or that he is not cool ... and you are rewarding him anyway?

You've made a game with some rules and @mys played that game and was rewarded according to those rules.

The house always wins, except when is being surprised by people who can do math.

Simplifying:

There's a game:
You pick a number.
Then the house will randomly chose one.
If numbers matches, you win.
The house promise fairness, providing the code that clearly shows you when you lose and when you win.
What are the odds?


Source: https://xkcd.com/221/

You are right. Anyone can perform the same attack as long as he possess of in-depth knowledge of how the block producing works. Don't get us wrong, we have huge respect towards witnesses who put in tremendous amount of time and effort in securing the network(you can track our witness-voting history), else we would not have been in the first place.

Let’s just focus on the fact and eliminate all the “what-ifs”. He was cool that he did published the exploitation in detail and returned all the fund. He was not cool on how he performed the “white-hat” trick which only be halted by third party’s alarm to the house, which is very likely to drain the bank if nobody was aware what he was doing. He was rewarded with the former cool part.

If you think what he did was a fair play, we don’t think we should further discuss on this. Appreciate the feedback!

I guess I see both sides… If it was truly malicious he would not have returned the winnings. However, I fully believe it was because he got "caught". I believe he should have been compensated with a bounty, I just wish there would have been more transparency from the get-go rather than continuing the exploit. Epicdice… I think the wording in this post is a little much and you should focus on a good PR representative to the team :) Remember, as a business you always have to take the high road.

Regardless, As an investor, I think the way Epicdice handled this is very Impressive. This issue was resolved in a very timely manner and could have been something to completely take down the platform. Or an excuse to just leave like other gaming dapps have in the past. This is given me even more confidence in the Epicdice team. Now let's all move forward and roll some Dice!!

Indeed we are here to stay, no matter what is happening. Thanks for seeing that and thanks for all the kind words.

I am glad @mys decided to return all the funds and was given a bounty for it.
Also thank you for the EPC bounty for helping find it! This helps show why helping a community you find problems with something they offer, worthwhile to report to help them out.

Posted using Partiko Android

Glad you were with us all the time, please keeping an eye on us as always.

It is good to see the system back again more stronger. Hopefully everything will be better and better on blockchain.

Fortunately @mys didnt try to hide himself and made the things in a sequence just as trying to be noticed.

Even i didnt have intention to get any rewards, thanks for the bounty.

Hoping the best for @epicdice abd blockchain. We need to keep enjoy.

Could not be more glad in such ending. Have a great day ahead!

At least it got fixed fast and you leaned something from it. Sad to see the site down for some time. But you will stand up stronger. Best of Luck!

Definitely an impressive experience. Thanks for dropping by!

Definitely an
Impressive experience.
Thanks for dropping by!

                 - epicdice


I'm a bot. I detect haiku.

Great to see a quick come back!

In a way, you were extremely lucky that your system was compromised by someone like @mys who didn't ripped your bankroll completely and finally returned everything he got from it. You're also very lucky to have active player community with alert players like @selce-n and @thegoliath, who played a watchdog by instantly alerting you. But IMHO, 18 minute respond time (according to the event timeline) for taking the website down was a little longer than expected. It could have done a massive damage!.

The situation could have been far worse!

I wonder, if this bug was so obvious and well-known (as pointed out by some Steemians), how did it take 6 months for someone to actually take advantage of it! Could it be possible that someone else too was silently profiting from it?

Finally, I was expecting some talk in this post on your decision for reducing the bank-roll from 16K to just 5K. Why did it happen? Are you still not very confident of the security of the House balance?

Good luck!

Indeed, more preventive and safety measurement will be taken place after this incident and we are always grateful for such ending. We always wanted to safeguard the bank from main account and this is just the right time to do it. Thanks for the support!

“ Nothing lost, nothing gained!”
Not exactly, Epic Dice gained the experience, thus resulting to a better system later on. Gained as the community, really never sleeps and always alert to protect the integrity of the blockchain and the community.

Posted using Partiko iOS

We surely love the awesome community!

Exactly. I think that's the big takeaway. There are some blaming epicdice in the comments above for incompetence, but it's also worth noting that the goodwill you've earned by behaving the way you have through this all provided you with a support system that ameliorated the consequences of coding errors. So, let's also give you credit for competence when it comes to human relations, which is too often regarded a soft skill. Kudos to you for building a supportive community!