78 comments

[ 2.8 ms ] story [ 158 ms ] thread
The (costly) lesson learned here doesn't revolve around Primedice's RNG architecture but the strict importance of testing.

We all face pressure to deliver but at the end of the day -like brakes on a car- testing is one thing you should never cut corners on.

Although another 2 weeks of testing may not have explicitly exposed the vulnerability, it surely would have offered a better baseline from which to evolve better heuristics for the analysis of the exploit when it did occur.

I'd say the degree of testing depends on the domain. Facebook in its early days could probably afford to drop a some data on the floor. Boeing and its subcontractors can't simply can't screw up flight software (or this happens: https://en.wikipedia.org/wiki/2015_Seville_A400M_crash). In-between, we're seeing a lot of Bitcoin and other sorts of handling money associated firms discover that "move fast and break things" can result rather quickly in a broken firm.
Yeah, this is definitely one of those places where if you didn't test and analyze the system relatively well before deployment, you probably shouldn't be surprised that someone came along and did this. Is it nice/fair, no, not really, but if you're going to be moving lots of money in and out, you really ought to be developing to the same standards as maybe a brokerage or bank (not that they do exceptionally well on this front either). Also doxxing this guy in this context seems rather juvenile, especially given that it's unlikely it will help your cause in any tangible way.
Testing is important, but I don't think that's enough for this sort of problem. What this needs is in-depth code review. Tests are only as good as the tests you write, and if there was no test to account for this particular issue nothing would have been caught.

For concurrency issues someone thinking real hard is as important as testing.

someone thinking real hard is as important as testing

With one caveat.

The "thinking real hard" has to happen before and as the code is written.

If you try to catch fundamental design problems and misconceptions during a code review, you're much too late. At that point there is a "status quo" i.e. the existing code, and a defensive resistance to change, even if you can demonstrate clear problems with said code. The end result is band-aids on top of band-aids, rather than a proper solution to the problems.

Edit: the article itself alludes to band-aids:

   our developer had improperly patched the glitch
i.e. they attempted a quick fix, instead of understanding at a fundamental level the overall mistakes in what they were doing.
I don't think he did much wrong here. It doesn't appear that he actually broke in to your computers, he just submitted lots of bets.

If you're going to run a casino (whose entire business model is based on exploiting weaknesses of others for profit), don't be surprised if people try to exploit your weaknesses for profit.

I'm not saying there's anything wrong with running a casino, I think it is fine. I just think that what he did is fine too.

EDIT: Except the part where you apparently didn't pay out all of his winnings. I'm not fine with that part. Also doxing one of your customers just because he made a profit out of you.

Just because you actually do have a moral problem with casinos doesn't mean a malicious user is a "customer".
Just because you have a moral problem with the customer doesn't mean they are a malicious user. Even if a user's actions are outright illegal, illegal is neither sufficient nor necessary for saying something is wrong in the moral views of anyone who uses a moral system divorced from the legal system. In short, deeply held moral views can differ so greatly that a common language to describe the situation can be impossible unless one sticks purely to the facts which include accepting the legal system does exist and make judgment calls but putting no authority in those calls.
The indicated that they emailed the exploiter and basically told them to stop playing. They have the right to refuse service, it was circumvented by making new accounts. I don't see any reason they would need to pay after refusing services.
Basically would be the key word in your description of their actions. As they do not mention actually telling the user to stop playing. They only mention "demanding" their bitcoins back. Demanding something you are at that point probably not entitled to from a user of your service, and informing them that you have decided to refuse future service to them may appear basically the same, but they are in fact not.

"We reached out to Hufflepuff via his bitcointalk forum account and demanded the return of the coins, however this backfired unbelievably hard. "

> If you're going to run a casino (whose entire business model is based on exploiting weaknesses of others for profit),

There are plenty of casios, and many of them comply with the law. People who choose to gamble there might be exploited by some definition, but it is consentual. But Primedice is a casino that uses bitcoin to allow users to circumvent local gambling laws, and thus exploits weakness in criminal laws.

(I will not discuss the morality of current anti-gambling laws in the US, as any rational person can see the hypocrisy in the current system of state-sponsored lotteries and state-granted casino monopolies)

> don't be surprised if people try to exploit your weaknesses for profit.

Primedice reusing a nonce/seed is like a casino dealing blackjack from a marked deck. It is so incredibly stupid that you are guaranteed to have someone notice, and clean you out while still playing by yor rules.

Note that they are offering a reward for the "return of the [bit]coins". I assume that means they are offering that if someone hacks a bitcoin wallet and gives them the proceeds, they will share a fraction of the stolen assets. I would happily make the same offer; paying random people who give me bitcoins from hacked wallets some of the stolen bitcoin, except that I'm not an exploitive, criminal-minded narcissist rationalizing theft to support the operation of a gambling site based on a cyber-currency designed to facilitate extra-legal activity.

>There are plenty of casios, and many of them comply with the law.

There are plenty of Nazis, and many of them comply with the law.

And most countries with a sense of free-speech try to(pretend to, would ideally, take your pick depending on your view of how successful free-speech is) respect the law biding citizen's freedom to hold whatever views they want even if they are ridiculous.

I feel like unless you are trying to troll, it is best to avoid all analogies that compare current events to what would be deemed by many as 'historical evil doers'.

I meant only to attack the unsoundness of the argument being presented.

Just because entities comply with "laws", which may have been created (and are modifiable) by the very same entities, does not provide any type of moral, or otherwise, justification that the entities' actions are reasonable, acceptable, exemplary, or other.

In fact, some Nazi's actually tried to argue something exactly analogous to what the sentence argued: that complying with the law can be used as axiomatic justification for any behavior.

I only state that such logic is fallacious.

I can see that line of thought being a fine one to voice, however I am curious how you expected others to infer all of it simply from your comparison of casinos to nazis. As when I read it my initial reaction was simply that you were calling casinos nazis, and if I were to ignore this reply I would still see it as the most logical way to interpret the post.
There are multiple symmetries (or near symmetries) in the construction of the post and the argument itself.

>There are plenty of casios, and many of them comply with the law.

>There are plenty of Nazis , and many of them comply with the law.

Basically, if you believe the first sentence is legitimate, I have shown you a second sentence that is of equally legitimate construction. It is grammatically correct and has real semantic meaning. In fact, it is a true statement, just as the first statement (probably) is.

The fact that the second statement is true and is as legitimate as the first might strike a reader and cause them to think more about it.

Nazis rose to power by crafting law and used it to drive people to do things they wouldn't have otherwise. When some of those people were caught and tried for their actions, some of them argued that they did nothing wrong because they were merely complying with the law.

The sentences in comparison make the (implicit) argument that 'complying with the law' is somehow relevant to the exculpation of the actions of the entity in question. Many consider this to be absurd.

All you did was swap out one word for another from the sentence, which to me when reading it says 'these two words are equivalent.' The sentence is so vague on its own so as to be true for basically any noun which represents an individual, group, or organization that you substitute in for casinos. Hell it is even true for animals 'There are plenty of cows, and many of them comply with the law'.

How you expected anyone to jump to the conclusion you were talking about the manner in which Nazis rose to power and their eventual punishment or lack there of as being the analogous part is beyond me. Especially since you kept your sentence in the present tense leading me to believe it was about modern day people who hold the beliefs of the Nazi party.

>The sentence is so vague on its own so as to be true for basically any noun which represents an individual, group, or organization that you substitute in for casinos.

Exactly. The statement is irrelevant. Its use as the foundational axiom in the defense of casino's behavior is absurd.

Everything else (striking similarity to Nazi arguments) is bonus.

Their point is still valid regardless of which group of people engaging in something that is now deemed immoral and illegal but which was legally tolerated back then. The 'it isn't illegal' defense isn't worth much to anyone who uses a moral system not dependent upon the law.
> I assume that means they are offering that if someone hacks a bitcoin wallet and gives them the proceeds, they will share a fraction of the stolen assets.

I'd assume that what they're saying is: if you provide information that lets them identify Hufflepuff, and they successfully sue him for the money, then they'll reward you.

My interpretation doesn't require you to have control of the bitcoins at any point, and also explains why they provided their information about the guy.

> EDIT: Except the part where you apparently didn't pay out all of his winnings. I'm not fine with that part. Also doxing one of your customers just because he made a profit out of you.

They asked him to stop playing at that point and he created a new account to evade that. I'm not sure why you feel people don't have the right to refuse service.

It's not that person's fault that these guys suck at enforcing their own policies
If you are explicitly contacted and refused service, its actually illegal to do what the user did.
They don't actually say they asked him to stop playing, they say they demanded their coins back.
(comment deleted)
How do they know that it was the same person?
Definitely agree with this, minus the 2nd duplicate account. That is not OK and they absolutely have the right to refuse payment on the 2nd attempt.

Going after the person on a bitcoin forum and attempting to demand repayment is a joke, however. How did Primedice think that was going to work out for them?

> Sorry for the long read

Didn't feel long at all; it was concise and had enough detail to satisfy a casual reader (me) with links to more detail if I wanted it.

"To understand how Hufflepuff beat our system, one must understand how our provably fair system (RNG) works."

"Our database had seeds that were both inactive and in use at the same time all connected to Hufflepuff."

To me it sounds like your company simply didn't understand how the system you created worked, it sounds like you merely understood how you wished it to work. Gambling has always favored people who actually understand the system in place, by not understanding the system you yourselves were implementing you created the opportunity for a customer to understand it better than you. What you describe with your database having seeds that were both in use and inactive at the same time, sounds to me like you did not do a good job managing concurrency on records which were crucial to your business.

While I can not say whether the users did anything illegal, the post you have created to call attention to this does not make an adequate case for wrong doing on the users part. However your response does make an amazing case for you having responded to an implementation issue in your software very poorly, and I think would make future users who are aware of this less likely to use your service.

That is just my opinion given the information you have presented, as you seem to focus more on maliciously providing information of the person you are accusing as opposed to proving your accusations that the person in question committed a crime while doing so.

I'd be willing to place a bet on what sort of database technology they weren't using. Hint: it has three letters, starts with an S, and ends with an L. ;-)
SQL won't force you to respect flag columns in your application layer (unless your entire application is in SQL?).
From the article it sounds like constraints could have been used to prevent having multiple seeds linked to the same account?
Yeah, I guess it depends on how good your constraints engine is versus what your constraints actually are. If your actual constraints can't be modeled, or if you choose not to model them at the database layer (e.g. for performance reasons) then you have to implement the constraints somewhere else.

I worked on a database that allowed (almost) every table to mark a row as deleted with a boolean-type column. This caused problems when you wanted to create a new row that had the same values for the table's key-columns as a deleted row. You can't just add the deleted column to the key and have all the functionality you want (multiple deleted rows with the same values in the table's key-columns). Each table could use (or not) the flag in different ways and there was no simple way to enforce consistent behavior across all tables. The constraint has to be placed somewhere else, either in explicit code, or by creating new abstractions inside the database that allow you to represent the actual constraints of your application.

There are benefits for marking a row as deleted w/ a boolean column though. Undo-ing deletes would be easy to implement, and retaining references to deleted records would be simple as well.

The solution the problem you described would be to use a surrogate key column (typically a UUID/auto-increment), and not natural keys.

There are reasons for everything in the database. Undo and historical records were the primary use case.

All tables had a unique, integer primary key.

However, if you want to enforce a uniqueness constraint across your data [eg. UNIQUE(name, location)], the constraint breaks when you introduce the boolean deleted column [and UNIQUE(name, location, deleted) does not provide the appropriate semantics]. The application semantics must be provided at some other level than SQL column constraints.

The way a student is taught to model something like this is to have the 'seed' entry refer to the 'account' entry (or, better yet, the 'game' entry). This is just how one models a one:many relationship. It is then trivially true that a given seed will only be used in one game at a time. As long as one never updates the reference on an existing seed, a seed can't be re-used in this way.

Of course, relational data models only encourage this type of design: they do not require it, nor are they required for it.

Also, this is by no means the only possible bug of this nature. For example, the seed generation might be based on the current wall-clock time. I'd hope someone trying to run a casino would know better than that, but hopes of that nature are frequently unfulfilled.

Unfortunately just using SQL doesn't mean your system is free of race conditions nor that every atomic domain operation is implemented atomically.

Of course, it's a great start.

Ah, another gamble. How nice.

So, let's see if I get this. Three letters, that means 1/26th chance of getting the correct number. And.. wait, what do I do now?

Now you submit all twenty six guesses via proxy accounts, allowing for random delays between each guess to appear less suspicious.
> and time again to investigate and each time our developers could not find any wrong-doing.

> ...

> This was done by sending it more requests than it could handle in a small time period, think hundreds of requests in under a second

Sounds like your developers really messed up. The server logs would be the #1 place I would look. Where else really? How do you not notice hundreds of requests per second (from the same IP I assume)?

This was my question as well. How do you not notice 100's of qps from the same IP, and then go on to say, he was betting $8k/second. server logs, and basic networking chomps seems like it would have found this much quicker.
I've never heard of Primedice before, but based on their blog post (and the general concept of a bitcoin casino)...

...I can't imagine the slightest reason why they would expect, would want, or would tolerate automated gambling. ANY evidence that someone is using a script or bot, making too many bets, making bets with an oddly regular pattern, making too many requests from a single IP, making requests from different IPs at the same time, etc. would seem to be a red flag, and should cause the associated account to be suspended. Right?

Like, if there's a hole in your code, the attacker is very likely to automate the attack to try and maximise their gains. But if there's no hole in your code, your punters are very unlikely to automate their playing. Any hint of automation is a huge red flag; any hint of automation combined with a string of "lucky" wins should be an automatic account suspension, because you're obviously looking at successful attack.

Saying that your developers couldn't find any "wrong-doing" just raises questions. Like, why do your developers need to look, shouldn't those checks be automated? And how did they miss it when it turns out it was obvious? And why were you even looking when the underlying activity was obviously illegitimate? Real casinos don't wait until they understand the scam before cutting someone off.

So many questions.

> How do you not notice hundreds of requests per second (from the same IP I assume)

To be fair to them, I imagine a bitcoin casino is a magnet for weird traffic patterns. Giving them the benefit of the doubt, maybe they're getting bursts of crazy traffic all the time, and they had no way of knowing which ones were "potential timing attacks" and not just "bored script kiddy with a botnet". Maybe "Hufflepuff" was hitting them from an unrelated network constantly, and a small fraction of those times he also made a bet he already knew the outcome of. Maybe he was also making normal bets at the same time. (...or maybe not.)

Still, even if the bad traffic was hidden by noise, I don't believe that his account activity could have looked normal the entire time he was building up his 1 million payout.

Uh, that post includes some doxxing.

From an observer's view, after fully reading it and seeing how hostile their response is, I can only applaud the player. To me it seems fair game. She exploited a weakness in the game, something that in meatspace is often hailed as genius. In bitcoin online gambling, race conditions are a part of the game that has to be expected to be attacked.

With their doxxing they lost any bit of sympathy I had.

She? How did you know?
Many people wouldn't even notice "he" used for a person of unknown gender. In the spirit of equality, some use "she" instead to subvert this male-default.

In fact, the article uses male pronouns for the user -- did you think to ask how they know?

Yeah, I am playing with switching he for she whenever the gender is unknown or irrelevant. It's weird how weird it is.
buttcoin is stupid and if you have anything to do with them, you are stupid and deserve to be scammed
It is really interesting to me how different Bitcoin users' understanding of morality and the typical person's are. To almost any joe or Jane on the street, exploiting a weakness in someone else's security -- be it an unlocked door or an unchecked error code -- to acquire money from them without their intent, is Wrong. On the other hand, taking retaliatory action, such as providing what detail you can about that person in the service of returning the ill-gotten gains, is right.

Judging by the contents of this thread, the Bitcoin/hacker community feels just the opposite. How odd. I feel like this more than anything will impede the mass adoption of Bitcoin.

There's also a lot of moralizing around casinos, so when you combine the two, people can't really help themselves.

"They deserve it!"

Few people see scamming a casino (a business designed around scamming people) as "wrong". They see it as "a taste of their own medicine".

Go to any Joe or Jane on the street and ask them if swindling (conning) $50 from a lifetime "professional" con artist is wrong. Out-conning the con artist is typically seen as a thing of approval.

I'm not sure the difference is really there. The fact that this place is a casino matters a lot. My understanding of typical morality is that it's totally cool to exploit a weakness in a casino's games to shift the odds in your favor, and the casino's recourse is limited to trying to make this impossible, and banning people who do it (while still paying out whatever they won before they were banned).

However, it's not cool to break the casino's games from within. To make an analogy, if you discover that e.g. a casino's blackjack decks have twice as many 7s in them as they should, and you use that knowledge to make a ton of money playing blackjack at the casino, that's legitimate. However, if you break into the casino and replace all their normal blackjack decks with ones which have twice as many 7s, then use that knowledge to make a ton of money at blackjack, that's bad.

So the question is, which category does this particular attack fall into? Apparently they exploited a race condition, wherein outcomes became predictable if lots of games were played simultaneously. Is that exploiting the game within its rules, or is that breaking and entering?

To me, this feels legitimate. An analogy to physical games here might be finding a roulette table where the dealer under some circumstances lets you place a bet after it becomes apparent where the ball is going to land.

if you break into the casino and replace all their normal blackjack decks with ones which have twice as many 7s

I've always wondered about this from the other perspective. Why can't the casino remove a few cards?

E.g. in Blackjack in a six-deck shoe the house edge is perhaps 0.5% to 2.0% against a "pretty good player" (depending on exact rules). Remove a few face cards and you would probably hurt the player by another 1% or thereabouts.

But you've now moved the house edge from 1% to 2%. Double the profit!

When is the last time you've ever seen any player at a casino ask the dealer to reconstruct the six or eight starting decks that are in a shoe? I've never seen that.

But I still do enjoy taking the occasional trip to Vegas.

>When is the last time you've ever seen any player at a casino ask the dealer to reconstruct the six or eight starting decks that are in a shoe? I've never seen that

You see the decks fanned out, each card visible, before they get shuffled and put in the shoe. It would require some sleight of hand from the dealer to cheat that way. If you're going to do that, it's much less risky to rig your slot machines or your craps dice or your Wheel of Fortune, where no one will ever notice any wrongdoing short of an audit by the gaming commission.

There are some potentially huge downsides.

First, if people ever find out you're cheating, your reputation will take a huge hit and you'll lose a ton of clients. People know that the house always wins, but they still insist that the house must play fair within those bounds.

Second, I'm guessing there's some way for a player to take advantage of this change if he knows what's going on, so you're potentially losing money if anyone discovers it.

Compared against these downsides, what's the upside? Casinos practically print money. Why risk destroying that just so you might print a little more? Better to put your effort into convincing people to bet more, or getting less experienced players to play more.

All the people I asked about this seemed to think that using the bug was wrong, and that the dox in this context was not wrong. But it is obv a biased sample.
Lol. They (as any sane Casino operator would) should have booted this guy immediately on day 1, claiming they felt he was scamming the system. Sure, pay him out, but don't let him keep betting. Yeesh. I have to wonder if this was an inside job and they let him siphon those winnings. I am highly suspicious of most bitcoin companies, and I wonder if they're all just shells around vulnerabilities looking to siphon user deposits / investments.
That doesn't make much sense.

If they have a legit exploit, then kicking them will just make them create a new account. Or perhaps distribute the +EV betting over a bunch of accounts so that it was much harder to detect.

If they don't have an exploit, then you want them to keep betting and lose. And if you have no real basis for kicking them, then, what, your casino just doesn't pay out people that win big?

The casino's only real option here was to discover the exploit.

No, pay him out, but just don't let anyone bets that way continue betting. Betting that rapidly has to be a huge flag for even the dimmest of sys admins.
What is "bets that way"? It seems like initially all they knew was that some accounts were unusually active (betting every second, for hours) and implausibly lucky. They saw the flags, they just didn't know any useful way to react (which is also incompetence, but IMO different than what you said.) (I'm assuming a dumb rate-limiting solution would be off the table, as it would be ineffective at stopping the attack, and/or lose money as other players stop betting when they hit a limit.)
> What is "bets that way"?

I dunno, maybe anyone who is clearly automated (ie, betting every second for hours) and probably cheating (ie, implausibly lucky)?

> It seems like initially all they knew was that some accounts were unusually active (betting every second, for hours) and implausibly lucky.

Exactly.

> They saw the flags, they just didn't know any useful way to react

The useful way to react would be to not let them continue betting.

But how do you reliably identify one anonymous entity? Like I said, putting a rate limit is going to turn away legitimate bettors (if too strict) and not make much of a dent in the attacker's profits (if not strict enough). Doing an "implausibly lucky" check is going to piss off legitimately lucky winners who might have given you more money (if the limit is too conservative), and/or not hurt the attacker much. Any per-account limits can be circumvented by the attacker making more.

Maybe they took some measures like this that they didn't tell us about. With that much money at stake, maybe "do something, anything" does make sense -- my point was there's no way for them to ultimately prevail until they understood/addressed the root issue, and knee-jerk responses could backfire.

From the article:

> There was also strong incentive for us to promptly pay him, so he’d keep playing.

I loved that line, because it's the converse of a casino player in a hole, thinking maybe they can make it back if they keep on playing.

Well, the entire difference between the house and the player is that the house has the edge, so the house always wants the player to indefinitely recycle their winnings until they have none.

It's more than an inverse in thinking, it's how the house makes money.

No, it's the same thing as the dumb guy in a hole. They already know this guy has an edge over them. The more he plays, the worse that gets.

But, as you pointed out, they can't ban him, because they have no way of recognizing him when he walks back in.

Oh, as in Stunna was gambling that the player didn't have an exploit and that the developers were drawing the right conclusion. I'll allow it. :)
"We heavily explored what we thought was every possibility, ran simulations and did the math and came to the conclusion that he was just incredibly lucky." ROTFL
Strange choice to put a picture from the Ocean's Eleven series at the top of the article, seeing as how the thieves in those films are considered the protagonists/heroes.

I think a bit more information included with the article to verify this was actually a 'hack' would be helpful. I mean, was this akin to counting cards or what? It's hard to tell from the article.

Since the player was making hundreds of simultaneous requests, it sounds like a race condition in the casino's server-seed mechanism where the player was able to get the server-seed of future bets.

Obviously, the server only wants to divulge the server-secret of closed-out bets so that you can verify them as provably fair.

> Strange choice to put a picture from the Ocean's Eleven series at the top of the article, seeing as how the thieves in those films are considered the protagonists/heroes.

It's not so strange after reading a number of these HN comments.

I think the strangeness for me is that the article is written from the casino's perspective. They went so far as to dox the 'culprit' and are portraying him in a negative light in the article.
Any information that leads to the return of the coins from this incident will be greatly rewarded. We invite you to analyze the above bitcoin addresses and find out where the bulk of the coins ended up if you have the skills.

What does this mean? Are they trying to steal the thief (according to them). Shouldn't they inform the local authorities and let them handle the case?

    > Shouldn't they inform the local authorities and let them
    > handle the case?
In which jurisdiction? The one containing the VPN IP addresses? Or the internet police?

An open letter to the internet asking for help ends up sounding about 1000x more effective than phoning this in to the "authorities".

  ... did the math and came to the conclusion that he was just 
  incredibly lucky
Woah. Red flag. Just incredibly lucky doesn't exist. Odds are odds.
I think they just mean, if you have 10,000 customers, it's not surprising if someone hits the 1 in 10,000 odds. You could say that person was "lucky", though they have no greater chance than anyone else of hitting those odds again.
They don't give us enough info to say for sure, but something tells me Hufflepuffs winnings were a few orders of magnitude less likely than one in 10,000.
I'm reflexively sympathetic to the small, scrappy startup. But...

...man this is not a sympathetic story. You're running a gambling site (morally shady and an obvious magnet for abuse), using bitcoins (another huge abuse magnet), you had very supicious gambling patterns (a massive red flag that no real casino would accept), and you just let the guy keep playing? That's not how you're supposed to do that.

And as for the whole "we had a timing bug in our code, and we couldn't find it even with hard proof that it existed, and then we finally thought we'd fixed it, and then we asked the guy for the million dollars back (??!?), and then it turned out we hadn't fixed it at all, and he hit us up for another few thousand"? Like, that just sounds screaming amateurish.

If you can't be trusted to write secure code, or at least fix the bugs you find in it, maybe online bitcoin casinos aren't for you? And if you think asking people nicely to give you your money back works in casinos, maybe you don't understand the industry?

Edit: I'm not trying to be a dick, but I feel like the proper blogpost to write would be a grovelling "hey guys, I know it's super obvious, but if you're doing an online gambling website, monitor your transactions for specific patterns. Know what a real punter looks like, and aggressively throttle anyone who doesn't behave like one. Otherwise you'll be stupid idiots who lose a million dollars over a stupid bug, and then have to write a magnanimous letter congratulating the guy who exploited you for winning so much money (man that was painful to write)." You made some huge mistakes, and it doesn't sound like you really learned from them, or even identified them. Hint: Your core mistake was not a timing bug that emerged when your system was under heavy load.

Some pretty hilarious YouTube comments on the linked video[0]: "could you please share your strategy in that video", "Please, Send your method of play and programs for this need". Sorry, but I'm pretty sure nobody's going to share their bot for making 2000 BTC in an hour.

[0] https://www.youtube.com/watch?v=lSLXv5Tz1ZY , linked from "$8000 worth of bitcoin every second for hours on end"