How Primedice was exploited for 2400 Bitcoins
This is the story of how we lost around $1 million worth of bitcoin to a hacker who exploited our online casino’s RNG system. This happened last year, but we’ve decided to share our experience for transparency and so that others can learn from our mistakes.
Shortly after the launch of the third version of Primedice, our team faced an adversary that challenged the existence of our website. Our team had nearly two years of experience building bitcoin gaming sites, however I personally had pretty limited coding experience. We were under heavy pressure to avoid further delays and released after a short week of closed beta testing.
The heist began immediately after launch with two unusual players, Nappa & Kane. We noticed unusual betting patterns from both those accounts. Kane was automatically cashed out, we reviewed Nappa’s bets and thought they were highly unusual but could find no wrong-doing and cashed him out after a delay and a brief email exchange
After getting spooked by his delayed cashout on Nappa, the exploiter waited a few weeks and created a new account named “Hufflepuff”. Hufflepuff was the largest bettor Primedice had ever seen, he was often seen betting upwards of $8000 worth of bitcoin every second for hours on end. Our entire team was shocked that Hufflepuff continued to beat the house edge (1%) and stack up more and more profit over time.
We were highly skeptical of his winnings and were forced to hold his cashouts time and time again to investigate and each time our developers could not find any wrong-doing. We couldn’t justify greatly delaying his withdrawals when there was no evidence he was cheating. There was also strong incentive for us to promptly pay him, so he’d keep playing. We heavily explored what we thought was every possibility, ran simulations and did the math and came to the conclusion that he was just incredibly lucky.
About two days after sending his final withdrawal placing him above 2037 profit on the Hufflepuff account alone, our main developer detected the exploit after we found a handful of accounts sharing the same server seed.
To understand how Hufflepuff beat our system, one must understand how our provably fair system (RNG) works. A user is shown an encrypted random value (the server seed) before they bet and they must also submit their own random value (the client seed). These two random values are combined and used to determine win or lose. The random encrypted random value used for the bet then is shown to the user after the bet so that they can be guaranteed that their bet is not rigged. You can find the detailed and in-depth explanations of provably fair here:
Part of the functionality of our site is that we have to give out decrypted server seeds (to assure users no bet manipulation has occurred) and put a new random seed in place, essentially trashing the old revealed seed. Hufflepuff found a way to “confuse” our server, and made it give out a decrypted server seed that was also an active seed. This was done by sending it more requests than it could handle in a small time period, think hundreds of requests in under a second. The result of this is that he knew all the information required to corroborate the outcomes of his bets. He knew whether if he would win or lose, and could wager accordingly.
We figured this out after frantically checking our servers after a eureka moment. We suspected something could have been going on and eventually realized the possibility of a timing attack described above. Our database had seeds that were both inactive and in use at the same time all connected to Hufflepuff. Along these “Schrödinger” seeds existed many seemingly unused seeds connected to the same accounts, indicative of the rapid fire of requests needed to obtain these.
Unfortunately we detected this exploit after cashing out Hufflepuff and his handful of accounts 2400+ coins (roughly $1M at the time). Given the nature of Bitcoin there wasn’t much we could do but take it on the chin. We reached out to Hufflepuff via his bitcointalk forum account and demanded the return of the coins, however this backfired unbelievably hard. It turned out that our developer had improperly patched the glitch. In response to our message, Hufflepuff created a new account named Robbinhood and proceeded to rapidly win 2000+ additional bitcoins using a work-around to the patch. He was unable to cashout more than 50 or 60 coins this time around as our site hot-wallet was drained.
Shortly after he privately sent us this message which was preceded with the dox of a primedice employee:
“Your offer is declined. Your demands are laughable. I’m happy to walk away and leave you be, but if you’re going to take this further, then so will I. I don’t think you want this to go further. I actually enjoy this shit. Your move.
Oh, and by the way, there are some pending withdrawals that you need to process.”
And that was the day the house didn’t win…
Evidence for transparency and investigative purposes
Hufflepuff’s deposit address: https://blockchain.info/address/1BiPXmDrHm7VXZnWy6NnW1ZbPc4dcpfkH5
His primary withdrawal address: https://blockchain.info/address/14iS2UvcLK33xkC1K1qL1dhEbp49aiNfNp
— Note — : Nappa/Kane were two other usernames used early on, amongst many others.
Kane’s Withdrawal address: https://blockchain.info/address/18dMBap634aESPTeD3FGcAgJ2S9n4qtBTZ
Nappa Deposit address: https://blockchain.info/address/16h9ggSzUWdvagEJdNvWVYiUkytw6SJgiB
**Removed slightly more sensitive information (email/ip), everything shared above is publicly available.
It’s also important to note that this incident is proof of the strength of our integrity and provably fair system. If at any point we attempted to rig Hufflepuff’s bets (skip nonces etc) we would have instantly realized he was cheating and we would have 2400+ more bitcoins. Hufflepuff only took a brief break from playing after we halved our max bet, I believe he would have cleaned us had we never discovered what was going on. We fund our own bankroll so no users were negatively impacted as a result of this.
Sorry for the long read,