Primedice.com Loses Over $1 Million to Player Exploiting Coding Flaw

Posted on: July 1, 2015, 12:52h. 

Last updated on: July 1, 2015, 02:15h.

Primedice.com, which lost over $1 million in bitcoin to a scammer who was able to manipulate its random number generator. (Image: themerkle.com)

Bitcoin gaming operator Primedice.com, which claims to be the “number one bitcoin gaming operator and casino,” has admitted that it was fleeced out of over $1 million worth of bitcoin by a gambler who was able to exploit a flaw in the website’s coding.

The revelation was made by an unnamed member of the Primedice team, who posted under the name “Stunna” on the blog-publishing platform Medium.com.

“Shortly after the launch of the third version of Primedice, our team faced an adversary that challenged the existence of our website,” explained Stunna.

Stunna described how, last August, a player with the username ‘Hufflepuff’ appeared and began spending big, and winning. Hufflepuff was betting up to $8,000 worth of bitcoin at a time for hours on end and was somehow managing to defeat the house edge of 1 percent.

“We were highly skeptical of his winnings and were forced to hold his cashouts time and time again to investigate and each time our developers could not find any wrong-doing,” said Stunna.

“We couldn’t justify greatly delaying his withdrawals when there was no evidence he was cheating. There was also strong incentive for us to promptly pay him, so he’d keep playing. We heavily explored what we thought was every possibility, ran simulations and did the math and came to the conclusion that he was just incredibly lucky.”

Too Little, Too Late

By the time Primedice figured out what was going on, it was too late: the player had withdrawn his $1 million. It seems Hufflepuff had figured out a way to disrupt the site’s random number generator. Stunna explains:

“To understand how Hufflepuff beat our system, one must understand how our provably fair system (RNG) works. A user is shown an encrypted random value (the server seed) before they bet and they must also submit their own random value (the client seed). These two random values are combined and used to determine win or lose. The random encrypted random value used for the bet then is shown to the user after the bet so that they can be guaranteed that their bet is not rigged.”

“Part of the functionality of our site is that we have to give out decrypted server seeds (to assure users no bet manipulation has occurred) and put a new random seed in place, essentially trashing the old revealed seed. Hufflepuff found a way to “confuse” our server, and made it give out a decrypted server seed that was also an active seed.”
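The commit-and-reveal flow Stunna describes, and the invariant that failed (a revealed seed must never still be the active one), shown as an added Python example that is not Primedice's code. The SHA-256 commitment, the HMAC-based `roll` function and every name here are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import threading

def commitment(server_seed: bytes) -> str:
    """Value shown before betting (assumed here: SHA-256 of the seed)."""
    return hashlib.sha256(server_seed).hexdigest()

def roll(server_seed: bytes, client_seed: str, nonce: int) -> float:
    """Assumed outcome function: HMAC-SHA256 over client seed and nonce, 0.00-99.99."""
    mac = hmac.new(server_seed, f"{client_seed}:{nonce}".encode(), hashlib.sha256)
    return (int.from_bytes(mac.digest()[:8], "big") % 10_000) / 100

def verify(seed: bytes, shown: str, client_seed: str, nonce: int, result: float) -> bool:
    """Player-side check once the seed is disclosed."""
    return commitment(seed) == shown and roll(seed, client_seed, nonce) == result

class SeedManager:
    """One active server seed; a seed is disclosed only after it is retired."""

    def __init__(self) -> None:
        self._lock = threading.Lock()
        self._active = secrets.token_bytes(32)
        self._nonce = 0
        self.revealed = set()  # commitments of every seed ever disclosed

    def active_commitment(self) -> str:
        with self._lock:
            return commitment(self._active)

    def bet(self, client_seed: str) -> tuple:
        with self._lock:
            # Invariant: never settle a bet on a seed that has been disclosed.
            if commitment(self._active) in self.revealed:
                raise RuntimeError("active server seed was already revealed")
            self._nonce += 1
            return self._nonce, roll(self._active, client_seed, self._nonce)

    def rotate_and_reveal(self) -> bytes:
        """Install a fresh seed first, then disclose the old one, under one lock."""
        with self._lock:
            old, self._active = self._active, secrets.token_bytes(32)
            self._nonce = 0
            self.revealed.add(commitment(old))
            return old
```

Because the swap and the disclosure happen under the same lock, no request can observe a seed that is both revealed and active; the check in `bet` is a second guard in case that ordering is ever broken.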

“Your Demands are Laughable”

The result of this was that Hufflepuff had all the information required to work out the outcomes of his bets before placing them. “He knew whether he would win or lose, and could wager accordingly,” said Stunna.

Primedice contacted Hufflepuff to inform him that his ruse had been exposed and asked that he return the money he won by deception.

The cackling Bond villain’s response is chilling:

“Your offer is declined. Your demands are laughable,” scoffed Hufflepuff. “I’m happy to walk away and leave you be, but if you’re going to take this further, then so will I. I don’t think you want this to go further. I actually enjoy this shit. Your move. Oh, and by the way, there are some pending withdrawals that you need to process.”