RE: [UPDATED] Epic Dice shut down due to witness cheating


Not unforeseen. These types of vulnerabilities have been well known for years, and I've personally advised people building games about them.

The developers of this game are either incompetent or knew about the vulnerability but built the game that way anyway so they themselves could "hack" it using a sock puppet. I'm making no claim as to which.




@raycoms and I talked a lot about theoretical ways to crack such randomness and how to design it in a way that is not deterministic for the witness that signs the block.

But I didn't think someone would actually do it.


> But I didn't think someone would actually do it.


Upon investigation, it seems that it was super easy to hack; you didn't even have to collude with a witness. Basically, if you craft the right transaction, it just works.

And that is really easy, so I can actually imagine a lot of people doing that. Would probably take someone 30 minutes to code it up.

I really don't pity the devs here. If they use the tx in isolation as the randgen seed, then they are as incompetent as can be 🤷‍♂️ That is like hiding passwords in the client application 😂

I didn't think that someone would modify steemd to make their witness produce specially crafted blocks that alter the randgen. But seriously, transactions?


> I didn't think that someone would modify steemd to make their witness produce specially crafted blocks that alter the randgen

They will if there is enough money at stake (or even if it isn't and they just feel like it is worth doing for the lulz anyway), and on a global network, making assumptions about what someone somewhere will be willing to do nearly always ends badly.


> But I didn't think someone would actually do it.

Thanks. Now I'm speechless for the rest of the week.


I like it more like this:

> The developers of this game are either incompetent or knew about the vulnerability but built the game that way anyway so they themselves could "hack" it using a sock puppet. I'm making no claim as to which.

... When provably fair isn't enough.
