Lootie’s mystery box unboxings are provably fair. This means that the odds of receiving an item displayed on the site are accurate, and you can mathematically verify this fact. By combining a client-server seed architecture with nonce bet identifiers, Lootie.com makes it easy for users to understand exactly what they’re getting each time they open a new box.
Why transparency is direly needed in the lootbox space
When it comes to online mystery boxes for sale, the one thing we need a lot more of is openness. Historically, online casinos don’t have a great track record when it comes to being transparent with their users. Most online casinos and games have an opaque game settling methodology (the true odds aren’t always displayed, and even if they are, there usually isn’t a cryptographically sound method for users to verify them). This becomes a problem, because on sites like that, it’s impossible to know whether you’re being scammed or not.
This lack of transparency ties in with mystery boxes too. Formerly one of the world’s biggest lootbox sites, Mystery Brand (now defunct), although previously known for having the best mystery boxes, became tied up in a giant exposé. Several large YouTubers were involved with promoting this website, including Jake Paul and Ricegum. It was later revealed that the website was akin to a scam, promoting prizes worth millions of dollars without actually having them in stock. After they were exposed for the fraud, the site was taken down immediately and several users had their balances revoked.
There’s a lot to learn from this tragedy, and we’ll take a look at a few key takeaways that everyone should be aware of.
- Odds must always be transparent. If a website is claiming that a certain item has a “high win chance” without including numbers, run. If the site is very clearly telling you the probability of receiving an item with a percentage value included, then that’s a very good sign, but if they use vague terms like “randomly chosen” without giving actual probability values, then they’re hiding something: most likely the fact that it’s near impossible to get good items.
- All items on the website must have a real world analogue. Many lootbox sites, including Mystery Brand, were plagued with reports of items not being received, defective items being received, or delayed deliveries. It was later revealed that Mystery Brand never actually had many of the items that they advertised as prizes. If you hear that people aren’t receiving their items from a site, then that’s a big red flag.
- Advertised game mechanics must be verifiable. If a website claims that you have an X% chance of winning an item, that doesn’t necessarily mean anything until you’re able to verify it. A good mystery box site must have a cryptographically sound verifier that players can use to check the authenticity of the advertised odds. Without this, displaying the odds on the site is useless, since they can simply be fake.
What provably fair entails
Provably fair is a great phrase to hear, but what does it actually mean? In simple terms, the game operator should not be able to affect the outcome of any game, or deviate the outcome from the advertised random probability distribution. For example, if your chance of winning a certain item is displayed to be 5%, then there must be a way to verify that 5% of all games result in that item being chosen from a particular box.
As highlighted above, provably fair keeps things secure for the players of the website. Without a provably fair system, a game operator can advertise the odds to be very good, but in actuality will simply give you bad or low-value items (because they can). With a provably fair system, the game operator cannot pick and choose which item you get without immediately being detected. This is thanks to the cryptographic hash algorithms used to secure the provably fair system, which we will talk about in greater detail below.
How Lootie’s provably fair system works
Lootie uses a standard client-server seed architecture to determine game outcomes. To generate an outcome, a predetermined algorithm is applied to a client seed and a server seed to return a game result. Since the algorithm never changes, any given pair of seeds will always produce the same game result.
Client seed A combined with server seed B produces game result C.
If you change the client seed, you will get a different game result. If you change the server seed, you will also get a different game result. However, if you input client seed A and server seed B into the algorithm again, you will always get game result C.
If the game operator controls both seeds, then they can effectively select the game result that they want returned to the player. This is why Lootie.com incorporates a custom client seed into each unboxing. Since the user can choose their own client seed, they have protection against a malicious operator and know that all rounds are truly random based on the distribution algorithm. The client seed protects the player and ensures sufficient fairness.
On the other hand, the server seed protects the game operator. If the player knew both the client seed and the server seed, they could choose the outcome of the game and pick the best item every time. The server seed is kept secret during the game, and is revealed at the end of the game. There is a problem here, though: how do we know that the game operator didn’t change the server seed during the round? This would affect the outcome as well. Thus, in order to verify that the server seed has remained the same throughout, we make use of what’s known as a one-way hashing algorithm.
Lootie’s hashing algorithm of choice is SHA-256, which is the internet’s most common secure hashing algorithm. In SHA-256, every input is mapped to a single hash. You can turn an input string into a hash, but you cannot turn a hash back into an input string. This is important for maintaining data integrity whilst also maintaining data confidentiality.
Let’s see exactly how this works:
If you put the string “Lootie.com” into the SHA-256 algorithm, you will get the hash “7AEF5808FB3D6B623989433AFB1BC651854733E1B0684247F83E9C85B0C232D2”. If you are simply given this hash, you can’t get the string “Lootie.com”, since SHA-256 is one-way. However, if you are given the hash of the string beforehand, and the string is revealed later, you are given a cryptographic assurance of the fact that the string was predetermined without you actually having to see it.
SHA-256 also maps a string uniquely to a hash. We know that “Lootie.com” results in “7AEF5808FB3D6B623989433AFB1BC651854733E1B0684247F83E9C85B0C232D2”, but if we change even one letter, the hash changes entirely. No other string is going to produce the exact same hash as the one above; finding one is computationally infeasible, so the hash is in practice unique to the string “Lootie.com”. This means that once you’re given the hash of a string, the data is set in stone, and once the string is revealed to you, you can use the algorithm to verify that the provided string actually results in the provided hash.
Before each unboxing, you are given the SHA-256 hash of the server seed. After the round, the server seed itself is revealed to you. In order to verify that the server seed remained the same throughout, simply input the server seed into a SHA-256 hash generator and see if you get the same hash. If you do, that means the server seed has not changed since the beginning. If you've set your client seed, then you can rest assured that the outcome of your game is entirely random, fair, and unaffected by the operator.
The final aspect of provably fair is how the game result is derived from the randomly generated number. What’s key is that the derivation algorithm is predetermined and remains the same for every mystery box. On Lootie.com, there’s no complex algorithm or derivation - it’s a very simple hashing RNG, the results of which can be verified using our open-source verifier. Using this transparent and simple algorithm, each unique pair of seeds generates a random number between 0 and 100. To figure out which item your generated number corresponds to, simply scroll down to the bottom of your unboxing page. Hover your mouse cursor over each item to see what range the randomly generated number needs to fall into in order for you to receive that item.
In the Adidas mystery box, the Adidas Yeezy Boost 350 V2 Black displays “98.01% ~ 99%” when you hover your mouse cursor over it. This means that if the random number generated by your client-server seed pair falls between 98.01 and 99, you will receive this item. The probability distribution is similarly transparent for each and every box.
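A player-side verifier for the scheme described above, added here as an example and not Lootie’s own open-source verifier: it checks the pre-round hash against the revealed server seed, recomputes the number from the seeds and the bet nonce, and maps it onto the hover ranges. The formula for combining the seeds and every item range except the Yeezy one are assumptions, since the article does not give them.

```python
import hashlib
from decimal import Decimal

# Constructed item table in the style of the hover ranges ("98.01% ~ 99%"),
# as (low, high, item) with inclusive bounds in hundredths of a percent. Only
# the Yeezy Boost 350 V2 Black range is from the article; the rest is made up.
ITEMS = [
    (Decimal("0.00"), Decimal("90.00"), "Adidas Socks (constructed)"),
    (Decimal("90.01"), Decimal("98.00"), "Adidas Ultraboost (constructed)"),
    (Decimal("98.01"), Decimal("99.00"), "Adidas Yeezy Boost 350 V2 Black"),
    (Decimal("99.01"), Decimal("100.00"), "Adidas Yeezy Boost 700 (constructed)"),
]

def commit(server_seed: str) -> str:
    """The hash the operator shows before the round (SHA-256, upper-case hex)."""
    return hashlib.sha256(server_seed.encode()).hexdigest().upper()

def verify_commitment(server_seed: str, committed_hash: str) -> bool:
    """True if the revealed server seed hashes to the pre-round commitment."""
    return commit(server_seed) == committed_hash.upper()

def roll(server_seed: str, client_seed: str, nonce: int) -> Decimal:
    """Assumed hashing RNG (the article does not give Lootie's exact formula):
    SHA-256 over "server:client:nonce", first 8 hex digits scaled to 0.00..99.99
    with integer arithmetic so every verifier reproduces the same number."""
    msg = f"{server_seed}:{client_seed}:{nonce}".encode()
    first32 = int(hashlib.sha256(msg).hexdigest()[:8], 16)
    hundredths = first32 * 10000 // 0x100000000
    return Decimal(hundredths) / 100

def item_for(number) -> str:
    """Map the rolled number (Decimal or string) onto the item whose range contains it."""
    number = Decimal(number)
    for low, high, name in ITEMS:
        if low <= number <= high:
            return name
    raise ValueError(f"{number} is outside every item range")

def verify_unboxing(server_seed: str, committed_hash: str,
                    client_seed: str, nonce: int) -> tuple:
    """Full player-side check: commitment first, then recompute the result."""
    if not verify_commitment(server_seed, committed_hash):
        raise ValueError("server seed does not match the hash shown before the round")
    number = roll(server_seed, client_seed, nonce)
    return number, item_for(number)

if __name__ == "__main__":
    server = "constructed-server-seed"      # revealed after the round
    shown_before_round = commit(server)     # what the site displayed beforehand
    print(verify_unboxing(server, shown_before_round, "my-client-seed", 1))
```

The commitment check is only meaningful if the hash was shown before you chose or last changed your client seed; a hash published after the operator has seen the client seed proves nothing.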
The same provably fair system that unboxings use has also been implemented into the upgrade game mode. Every roll is generated using the same RNG algorithm and can be verified to be truly random. The win chance, game multiplier and winning/losing number values are displayed before each game commences, so each player receives full transparency. For both games, simply click on the “Provably Fair” button to be directed to the seed menu. Here you can view your client seed, the hashed server seed, and server seeds for previous games. You can easily input this data into the open-source verifier to authenticate the game results. Additionally, in this menu you can view your bet history. This includes timestamps, amount/items spent, items received and more for the upgrades and unboxings done on your Lootie account. Each game has a unique bet ID which you can use to regenerate the game’s client and server seeds for easy verification.
If you have any questions, comments or suggestions regarding this article and/or Lootie’s offerings in general, we’re always here to listen! Send us a message via our contact page and we’ll get back to you shortly.