Checking the integrity of the roulette game on the Ethereum smart contract

Few have now heard about cryptocurrencies and, in particular, Bitcoin. In 2014, on the wave of interest in Bitcoin, a new cryptocurrency appeared - Ethereum. Today, in 2017, it is the second largest by capitalization after Bitcoin. One of its most important differences from bitcoin is the use of a turing-complete virtual machine - EVM. More information about the broadcast can be found in his Yellow Paper .

Ethereum smart contracts are usually written in the Solidity language. On Habré there were already articles about writing and testing smart contracts, for example 1 , 2 , 3 . And about the connection of a smart contract with the site, you can read, for example, an article about creating the simplest voting ballot on a smart contract . This article uses the browser built into the Mist wallet, but the same can be done using a Chrome plugin, such as MetaMask . This is exactly how, through MetaMask, the game that we will explore works.

The game is a realization of European roulette : there are 37 cells in the field, numbered from 0 to 36. You can bet on a specific number or on a set of numbers: even / odd, red / black, 1-12, 1-18, etc. In each round, you can make several bets by adding a token (costing 0.01 ETH ≈ $ 0.5) to the corresponding field of the game table. Each field corresponds to the odds. For example, the rate of "red" corresponds to the coefficient 2 - that is, paying 0.01 ETH you, in case of winning, get 0.02 ETH. And if you bet on zero, the coefficient will be 36: if you pay the same 0.01 ETH for the bet, you will receive 0.36 if you win.
')

When all bets are made, the player presses the “Play” button and, via MetaMask, sends a wager * to the Ethereum-blockchain, to the address of the smart contract of the game. The contract determines the dropped out number, calculates the results of the bets and, if necessary, sends the winnings to the player.
_{* - I will use the wager term to refer to a set of bets (i.e., a bet type pair - the number of bet tokens) that a player makes in one round. If you know a more correct term, please write me, I will correct.}

In order to understand whether the game works honestly (that is, whether the casino does not manipulate the definition of the number dropped in its favor) let us analyze the operation of the smart contract.

His address is listed on the site of the game. In addition, before confirming payment, you can check to which address the wager will be sent. I will analyze the contract at 0xDfC328c19C8De45ac0117f836646378c10e0CdA3 . Etherscan shows its code, and for easy viewing you can use the Solidity Browser .

A contract starts with a call to the placeBet () function:


For newcomers to Solidity, I’ll explain that the public and payable modifiers mean that the function is part of the contract API and that when you call it, you can send air. At the same time information about the sender and the amount of the broadcast sent will be available through the variable msg.

The call parameters are the bit mask of the bet types and two 32-byte arrays with the number of tokens for each of the types. You can guess this by looking at the definition of the GameInfo type and the functions getBetValueByGamble () , getBetValue () .


Note that getBetValue () returns the amount of the bet, not in tokens, but in wei.

First of all, placeBet () checks that the contract is not turned off and then the betting checks begin.
The gambles array is the repository of all wagers played in this contract. placeBet () finds all the bets in its block and checks whether the player has sent another bet in this block and whether the allowed number of bets per block has been exceeded. Then limits on the minimum and maximum amount of the bet are checked.

In case of any error, the execution of the contract is interrupted by the throw command, which rolls back the transaction, returning the broadcast to the player.

Further, the parameters passed to the function are stored in the GameInfo structure. Here it is important for us that the wheelResult field is initialized with the number 37.

After another check that the amount of bets coincides with the amount of air sent, RLT tokens are distributed, the referral program is processed, the bet information is saved in gambles and the PlayerBet event is created with the number and the bet amount, which is then visible in the game's web part.


Further betting life begins with a call to the ProcessGames () function, which, after the appearance of a new bid, is executed, at present, from the address 0xa92d36dc1ca4f505f1886503a0626c4aa8106497 . Such calls are well visible when viewing the list of transactions of the contract of the game : they have Value = 0.
In the call parameters, an array is transmitted with betting numbers that need to be calculated, and ProcessGame is called for each.

 function ProcessGame(uint256 index, uint256 delay) private returns (GameStatus) { GameInfo memory g = gambles[index]; if (block.number - g.blockNumber >= 256) return GameStatus.Stop; if (g.wheelResult == 37 && block.number > g.blockNumber + delay) { gambles[index].wheelResult = getRandomNumber(g.player, g.blockNumber); uint256 playerWinnings = getGameResult(gambles[index]); if (playerWinnings > 0) { if (g.player.send(playerWinnings) == false) throw; } EndGame(g.player, gambles[index].wheelResult, index); return GameStatus.Success; } return GameStatus.Skipped; } 

The call parameters are the number of the bet and the number of blocks that must pass between the bet and its processing. When calling from ProcessGames () or ProcessGameExt (), this parameter is currently equal to 1, you can find out this value from the result of the getSettings () call.

If the block number in which processing takes place is more than 255 blocks away from the bet block, it cannot be processed: the block hash is available only for the last 256 blocks , and it is needed to determine the dropped out number.

Next, it checks whether the result of the game has already been calculated (remember, wheelResult was initialized by the number 37, which cannot fall?) And the required number of blocks have passed.

If the conditions are met, getRandomNumber () is called to determine the number that has fallen out, and the getGameResult () call calculates the win. If it is not null, the broadcast is sent to the player: g.player.send (playerWinnings) . Then an EndGame event is created that can be read from the game's web part.

Let's look at the most interesting, how the fallen out number is determined: the getRandomNumber () function.

 function getRandomNumber(address player, uint256 playerblock) private returns(uint8 wheelResult) { // block.blockhash - hash of the given block - only works for 256 most recent blocks excluding current bytes32 blockHash = block.blockhash(playerblock+BlockDelay); if (blockHash==0) { ErrorLog(msg.sender, "Cannot generate random number"); wheelResult = 200; } else { bytes32 shaPlayer = sha3(player, blockHash); wheelResult = uint8(uint256(shaPlayer)%37); } } 

Her arguments are the address of the player and the block number in which the bet was made. First of all, the function receives a hash of the block, which is separated from the block of the bet on BlockDelay blocks into the future.

This is an important point, because if a player can somehow find out the hash of this block in advance, he can form a bet that is guaranteed to win. If we recall that there are Uncle-blocks in Ethereum, there may be a problem and further analysis is required.

Next, the SHA-3 is calculated from the gluing of the player’s address and the resulting block hash. The number dropped out is calculated by taking the remainder of dividing the result of SHA-3 by 37.

From my point of view, the algorithm is quite honest and the casino has no advantage over the player.


It is also interesting to see how the win is calculated. As we have seen, this is what the getGameResult () function does .

 function getGameResult(GameInfo memory game) private constant returns (uint256 totalWin) { totalWin = 0; uint8 nPlayerBetNo = 0; // we sent count bets at last byte uint8 betsCount = uint8(bytes32(game.bets)[0]); for(uint8 i=0; i<maxTypeBets; i++) { if (isBitSet(game.bets, i)) { var winMul = winMatrix.getCoeff(getIndex(i, game.wheelResult)); // get win coef if (winMul > 0) winMul++; // + return player bet totalWin += winMul * getBetValueByGamble(game, nPlayerBetNo+1,i); nPlayerBetNo++; if (betsCount == 1) break; betsCount--; } } } 

The parameter here is the GameInfo structure with data about the bet being calculated. And its wheelResult field is already filled in with the number drawn.

We see a cycle for all types of bets, in which the bit mask of game.bets is checked and if the bit of the type being checked is set, then winMatrix.getCoeff () is requested. winMatrix is a contract at 0x073D6621E9150bFf9d1D450caAd3c790b6F071F2 , loaded in the SmartRoulettee () constructor.

As a parameter of this function, a combination of the type of the bet and the number drawn is passed:

 // unique combination of bet and wheelResult, used for access to WinMatrix function getIndex(uint16 bet, uint16 wheelResult) private constant returns (uint16) { return (bet+1)*256 + (wheelResult+1); } 

I will leave you the analysis of the WinMatrix contract code as homework, but there is nothing unexpected there: a matrix of coefficients is generated and the required one is returned when you call getCoeff () . If desired, it is easy to check it manually by calling this function on the contract page .