Would be pretty easy in theory. Send the bet to moneypot as attempting to win 90 BTC, but present it to the user as attempting to win a 72 BTC jackpot. If win, use the tip API to send 18 BTC to an account that collects the fee.
Then I've misunderstood the model.
I thought one of the points of MoneyPot was that it allows random untrusted strangers to run a casino by proxying the trust of the MoneyPot owner.
I thought it went like this:
I deposit to MoneyPot, the untrusted site places my bet on MoneyPot for me, and my winnings stay in my MoneyPot account, leaving no way for the untrusted site operator to steal any of my winnings.
Where did I get it wrong? I thought the site operator could place bets on my behalf that I hadn't agreed to, or could change the details of my bet before placing them, but I didn't realize they could outright take a portion of my winnings without me knowing it.
Edit: I guess if the untrusted casino site allows me to tip players then there's not much that can be done to prevent this attack other than banning the offending casino(s). It would even be possible for a dodgy casino to show a winning bet as a loss and keep all the winnings for themselves. If the player didn't bother checking the bet (and/or tipping history) on MoneyPot itself he wouldn't even know he was being stolen from.