fix(provably-fair): add clientSeed param to computeCrashPoint — empty seed breaks provably-fair guarantee #6
Open
amathxbt wants to merge 1 commit into
computeCrashPoint() called computeHMAC(serverSeed, "", nonce) — always passing an empty string as the client seed. The client seed is the player-supplied entropy that lets them independently verify outcomes are not predetermined. With an empty seed, the crash point is solely a function of the server seed and nonce; the player contributes nothing and cannot verify the game was not rigged against them. Add clientSeed as a required parameter and throw if it is empty. Update the JSDoc comment accordingly.
Bug
computeCrashPoint() called computeHMAC(serverSeed, "", nonce) — always passing an empty string as the client seed:

The client seed is the player-supplied entropy that lets them independently verify outcomes were not predetermined by the house. With an empty seed, the crash point is a pure function of serverSeed and nonce alone — the player contributes zero entropy and cannot verify the game was not rigged against them for any given round.

Impact: The provably-fair guarantee is broken for every crash round. Players are told they can verify outcomes, but the client seed they submit has no effect on the result.
Fix
Add clientSeed as a required parameter, validate it is non-empty, and pass it through to computeHMAC. Throw an explicit error if it is empty so callers cannot accidentally reproduce the bug.
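
The behaviour described in this pull request, before and after the fix, as an added example that is not the PR's or the project's own code. The bodies of computeHMAC and hashToCrashPoint, the helper names outcomesKnownInAdvance and verifyRound, the `clientSeed:nonce` message layout, the multiplier mapping, and the reveal-then-recompute verification step are all assumptions made for illustration.

```javascript
// Added illustration, not the project's code. The HMAC message layout and the
// digest-to-multiplier mapping are assumptions made for this example.
const crypto = require('crypto');

// Hypothetical stand-in for computeHMAC(serverSeed, clientSeed, nonce).
function computeHMAC(serverSeed, clientSeed, nonce) {
  return crypto.createHmac('sha256', serverSeed)
    .update(`${clientSeed}:${nonce}`)
    .digest('hex');
}

// Assumed mapping: top 52 bits -> r in [0, 1), then a multiplier >= 1.00.
function hashToCrashPoint(hex) {
  const r = parseInt(hex.slice(0, 13), 16) / 2 ** 52;
  return Math.max(1, Math.floor(99 / (1 - r)) / 100);
}

// Before the fix: the client seed is hard-coded to "".
function computeCrashPointBefore(serverSeed, nonce) {
  return hashToCrashPoint(computeHMAC(serverSeed, '', nonce));
}

// After the fix: clientSeed is required, validated, and mixed into the HMAC.
function computeCrashPoint(serverSeed, clientSeed, nonce) {
  if (typeof clientSeed !== 'string' || clientSeed.length === 0) {
    throw new Error('clientSeed is required and must be non-empty');
  }
  return hashToCrashPoint(computeHMAC(serverSeed, clientSeed, nonce));
}

// With the old code the operator can list every outcome before any player
// has submitted a seed, because nothing player-supplied enters the digest.
function outcomesKnownInAdvance(serverSeed, rounds) {
  return Array.from({ length: rounds }, (_, n) => computeCrashPointBefore(serverSeed, n));
}

// Player-side verification once the server seed is revealed: recompute the
// round from all three inputs and compare with the published result.
function verifyRound(serverSeed, clientSeed, nonce, publishedCrashPoint) {
  return computeCrashPoint(serverSeed, clientSeed, nonce) === publishedCrashPoint;
}

// Constructed sample values, for demonstration only.
const SAMPLE = { serverSeed: 'constructed-server-seed', clientSeed: 'constructed-client-seed', nonce: 7 };
```
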