Friday, January 25, 2013

Satoshi Dice is the internet's most popular bitcoin betting site.

Taken from their website:
"The SatoshiDice Bitcoin game operates with zero confirmations, meaning the time it takes for you to send a transaction and receive your winnings is near-instant. Bets are evaluated as soon as the client picks up the broadcast. This is safe because it always builds the answering transaction with the output of your bet transaction. This means a blockchain that does not contain your bet cannot contain the site's answer.

You place a bet by sending bitcoins to one of the addresses listed in the bet options table. SatoshiDice sees this, evaluates win or lose and generates a return transaction. If you lose, they return your bet times 0.005. That means a number way lower than your bet. If you win, your bet is multiplied by the prize multiplier and that amount is sent back.
There is thus an answering transaction for each bet and normally you see that transaction in your client after a few seconds."
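
The dependency the quoted passage relies on, as an added example that is not from the original post or from SatoshiDice: a toy unspent-output model showing that a chain in which the bet is missing or replaced by a conflicting spend cannot contain the answer. All names, and the `bank` input funding a winning payout, are assumptions.

```python
from dataclasses import dataclass

# Toy unspent-output model, constructed for illustration (not real Bitcoin structures).
@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: tuple      # outpoints spent, each a (txid, output_index) pair
    n_outputs: int = 1

def chain_is_valid(start_utxos, txs):
    """True if every tx, applied in order, spends only outputs that exist and are unspent."""
    utxos = set(start_utxos)
    for tx in txs:
        if len(set(tx.inputs)) != len(tx.inputs) or not set(tx.inputs) <= utxos:
            return False                      # missing or already-spent input
        utxos -= set(tx.inputs)
        utxos |= {(tx.txid, i) for i in range(tx.n_outputs)}
    return True

# Constructed sample: the player's coin and the site's own funds (assumed input
# for a winning payout that exceeds the bet).
START = {("player_coin", 0), ("bank", 0)}
BET = Tx("bet", (("player_coin", 0),))              # pays the bet address
ANSWER = Tx("answer", (("bet", 0), ("bank", 0)))    # spends the bet's output
CONFLICT = Tx("conflict", (("player_coin", 0),))    # same coin spent elsewhere

def scenarios():
    return {
        "bet then answer": chain_is_valid(START, [BET, ANSWER]),
        "conflict replaces bet": chain_is_valid(START, [CONFLICT, ANSWER]),
        "answer without bet": chain_is_valid(START, [ANSWER]),
        "bet and conflict together": chain_is_valid(START, [BET, CONFLICT]),
    }

if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name}: {'valid' if ok else 'rejected'}")
```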

ScrotConf has pulled through with this latest exploit:
He's got access to the Satoshi Dice beta scripts that handle all the bets on the site. Something jumped out at him: an unlisted account that isn't on their bet options table, and pays out with greater than 100% returns! That's right! An address with 100% win ratio!
That last one only lasted a couple of days before being deactivated; I updated the site yesterday with a new address with a higher multiplier! No more 1.004x, now you get 1.957x. That's almost double each time you do it! Unfortunately the min bet went up from .01 to .1BTC. I have no control over this, so if you bet anything below .1BTC, don't expect to get anything returned.

Details: 100% win ratio, 1.957 multiplier, .1BTC min, 500BTC max