search

aftermath2 / btry

Accountless lottery powered by the Bitcoin Lightning Network
GNU Affero General Public License v3.0
3 stars 1 forks source link

verifiable winner selection #24

Closed conduition closed 9 months ago

conduition commented 9 months ago

Bringing this over from stacker.news

From a glance at the code, it seems like the winner is chosen by the server completely at random. How is that verifiable?

Specifically this is the function (in lottery/lottery.go) which chooses a winner from a set of bets.

It computes a die roll, weighted by bet size, which seems OK. But the actual entropy for the die roll is pulled from the server's internal RNG. I can't see where the 'provable fairness' or 'auditability' of the winner is derived from. Honest players would have no way of distinguishing an honest win from a colluding win.

It would make more sense to me if the winner was selected by hashing some undisputable but unpredictable future data, like the hash of a yet-to-be-mined block, along with a lottery-specific salt to prevent tampering by miners. You'd want to let the block confirm two or three times before choosing the winner, in case of chain reorgs.

There's also the question of proving the server won't run away with the prizes. Once everyone deposits money into the lottery, what prevents the server from simply not paying out the prizes to the true winners? (maybe that should be a separate issue)

aftermath2 commented 9 months ago

Thank you for opening the issue, I'll bring some of the answers from stacker.news to here.

it seems like the winner is chosen by the server completely at random. How is that verifiable?

When I mentioned provably fair random numbers and non-custodial PvP games I was referring to the Battles implementation, which is a completely different service.

As you said, the winning numbers are generated using an RNG (/dev/random in linux).

However, I did create an issue https://github.com/aftermath2/btry/issues/20 which changes the way in which lotteries duration are measured.

Switching to block-based lotteries would allow the numbers to be generated using the last block hash as an entropy source and that way the users would be able to verify that the numbers are fair.

You'd want to let the block confirm two or three times before choosing the winner, in case of chain reorgs.

Good point, this has the drawback that it gives the server more time to cheat, but it could still be considered pretty hard to hand-pick the numbers within ~20 minutes. I think we could continue this discussion in #20.

There's also the question of proving the server won't run away with the prizes. Once everyone deposits money into the lottery, what prevents the server from simply not paying out the prizes to the true winners? (maybe that should be a separate issue)

Lotteries are custodial, and as such, requires the users to trust that the server won't rug-pull them. I couldn't find a way of doing this in a non-custodial fashion. HODL contracts solve this in battles but are not practical for a large number of users.

conduition commented 9 months ago

When I mentioned provably fair random numbers and non-custodial PvP games I was referring to the https://github.com/aftermath2/btry/issues/9 implementation, which is a completely different service.

Ah my mistake. I think i conflated the two because of this claim in the readme:

Transparent and auditable

Perhaps that should be removed, at least until players can verify the lottery winners were chosen and paid honestly? Otherwise, what is that claim referring to?

Lotteries are custodial, and as such, requires the users to trust that the server won't rug-pull them. I couldn't find a way of doing this in a non-custodial fashion. HODL contracts solve this in battles but are not practical for a large number of users.

There are some ways you can get around this limitation. Although the server does technically have custody of customer funds, you can set it up so that the server will lose more money more than it can earn by cheating, if it doesn't pick a winner in time. i'll do a more detailed write up and post it in #20

aftermath2 commented 9 months ago

Perhaps that should be removed, at least until players can verify the lottery winners were chosen and paid honestly? Otherwise, what is that claim referring to?

The claim refers to the fact that the code is open source and users can audit how lotteries work and what the server is supposed to do on each scenario. I think that auditable is not the same as verifiable, but that could be discussed of course.

Although the server does technically have custody of customer funds, you can set it up so that the server will lose more money more than it can earn by cheating, if it doesn't pick a winner in time

I think I get where you are going, I have a few questions about how it would be implemented and where the funds would go if the server cheats, but I'll wait for the post in the other issue to continue the discussion. Thank you for bringing this up!

conduition commented 9 months ago

Details on verifiable winner selection posted here: https://github.com/aftermath2/btry/issues/20#issuecomment-1817903734

I'll close this for now as #20 is a better discussion spot for this topic