Bitcoin gambling site Primedice loses $1m in ‘Hufflepuff’ heist

Bitcoin online gambling site Primedice has revealed how a scammer exploited a software flaw to take the site for over $1m worth of bitcoin last year.

In a confessional post on Medium, a Primedice principal identified only as Stunna revealed that the heist took place shortly after the site debuted the third version of its software last August. A new user named ‘Hufflepuff’ quickly became the site’s biggest betting whale, wagering up to $8k worth of bitcoin “every second for hours on end.” Even more surprising was that Hufflepuff continually managed to beat the 1% house edge.

Convinced something was amiss, the site delayed Hufflepuff’s cashouts while they attempted to figure out what angle he was playing. Unable to pinpoint any overt chicanery, they reluctantly released the funds, and on it went. Hufflepuff kept betting and winning big. All told, Hufflepuff won and withdrew over 2,400 bitcoin, worth over US $1m at the time.

Eventually, Primedice’s digital detectives discovered the exploit. Primedice offers one simple game in which a bettor essentially wagers on whether the roll of a die will land above or below a certain value. The site shows players an encrypted random value before the player submits his own value and decides how much to wager. Once the bet is made, the encrypted value is revealed to the player and the outcome of the wager becomes clear.

We encourage you to read the Medium piece for the complete technical explanation, but in a nutshell, Hufflepuff had figured out a way to view the encrypted value before submitting his own value, thereby ensuring his wagers were all winners.

Armed with this evidence – and convinced they’d patched their software flaw – Primedice confronted Hufflepuff and demanded their money back. But Hufflepuff refused and, adding insult to injury, he discovered that Primedice’s patch hadn’t fixed the problem.
Hufflepuff quickly created a new account and won an additional 2k bitcoin. Fortunately, the site’s hot wallet was already drained, and Hufflepuff was only able to cash out around 60 bitcoin before Primedice realized their patch hadn’t worked.

Primedice has provided information regarding Hufflepuff’s various blockchain addresses in the hopes that some internet sleuths can figure out where their money has gone. The site says any info that leads to the return of their purloined coins “will be greatly rewarded.” Primedice also offered reassurances that no player deposits were negatively affected by Hufflepuff’s escapades.