Topic: [ANN] Hey, BitMe! (#bitme) - page 3. (Read 9448 times)

legendary
Activity: 1092
Merit: 1016
760930
May 16, 2012, 09:03:18 AM
#46
Looks like the current site is vulnerable to a DoS attack through the 'withdraw' method:

In the withdraw form, enter a 34-digit address and any amount of BTC (doesn't matter if you have them or not), and quickly hit 'Enter' 30 times or more, in rapid succession. The whole site appears to become unresponsive for at least 10 seconds.
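A server-side mitigation for the burst described in this post, as an added example that is not BitMe's code: a per-account token bucket rejects the fourth and later rapid submissions before any database or wallet work is done, a cheap syntactic address check runs next, and a per-account lock serialises the balance change so concurrent requests cannot race each other. The limiter parameters, the Account class, the result strings and the constructed burst of 30 requests are assumptions made for illustration.

```python
"""Per-account rate limiting and cheap-first validation for a withdraw endpoint.

Added example, not BitMe's code. The handler, limiter parameters and the
constructed burst of requests are all assumptions made for illustration.
"""
import re
import threading
import time
from dataclasses import dataclass, field

# Base58 alphabet used by Bitcoin addresses (no 0, O, I, l); 26 to 35 chars,
# leading 1 or 3 for the address versions in use in 2012.
_BASE58_ADDR = re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$")


def looks_like_btc_address(addr: str) -> bool:
    """Cheap syntactic check done before any database or wallet work."""
    return bool(_BASE58_ADDR.match(addr))


class TokenBucket:
    """Allows `burst` requests at once, then refills at `rate` per second."""

    def __init__(self, rate: float, burst: int, clock=time.monotonic):
        self.rate, self.burst, self.clock = rate, burst, clock
        self.tokens = float(burst)
        self.updated = clock()
        self.lock = threading.Lock()

    def allow(self) -> bool:
        with self.lock:
            now = self.clock()
            self.tokens = min(self.burst, self.tokens + (now - self.updated) * self.rate)
            self.updated = now
            if self.tokens >= 1:
                self.tokens -= 1
                return True
            return False


@dataclass
class Account:
    balance_btc: float
    # Assumed policy: 3 withdraw attempts at once, then one every 5 seconds.
    bucket: TokenBucket = field(default_factory=lambda: TokenBucket(rate=0.2, burst=3))
    lock: threading.Lock = field(default_factory=threading.Lock)


def withdraw(account: Account, addr: str, amount: float) -> str:
    """Returns one of: 'rate_limited', 'bad_address', 'insufficient', 'ok'."""
    if not account.bucket.allow():          # 1. rejected before any real work
        return "rate_limited"
    if not looks_like_btc_address(addr):    # 2. cheap validation next
        return "bad_address"
    with account.lock:                      # 3. serialise balance changes per account
        if amount <= 0 or amount > account.balance_btc:
            return "insufficient"
        account.balance_btc -= amount       # the expensive wallet call would go here
        return "ok"


def simulate_burst(n: int = 30) -> dict:
    """Constructed scenario from the report: n rapid submits of a syntactically
    valid address for more BTC than the account holds. A frozen clock makes the
    outcome deterministic: only the first `burst` requests reach the balance check."""
    frozen = TokenBucket(rate=0.2, burst=3, clock=lambda: 0.0)
    acct = Account(balance_btc=1.0, bucket=frozen)
    results = [withdraw(acct, "1" + "A" * 33, 5.0) for _ in range(n)]
    return {k: results.count(k) for k in set(results)}
```

The ordering of the checks is the point: the limiter and the regex cost microseconds, so a burst of submissions is turned away before it can tie up a database connection or the wallet daemon. A real deployment would also rate-limit by client IP in front of the application, since the bucket here only protects against one logged-in account.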
member
Activity: 92
Merit: 10
May 16, 2012, 08:28:21 AM
#45
I've managed to spam the orderbook by doing tiny increments in rate and have drowned out everything on the USD side of the order book using less than 1 USD in funds. Now nobody can see what's available. I'm sure I could do the same on the BTC side if I had any left and there was anything to drown, making the orderbook useless.

I think to solve it the order book should be put into bins, so it's more a rough idea of the quantity at each rate, by combining all the quantities at the rates say between 15 and 15.01, or you shouldn't allow quite such small increments in rate. Or maybe it should be left as it is. I suppose when there's active trade across the spread it won't be an issue because those micro orders will be picked up as soon as there's a trade. But I think there should be some way to see more of the orderbook if someone does do this and while you still have low activity on there.

I put this on my todo list as an enhancement. I think combining them into different "bins" is a good idea, but I don't want to do that without giving the user the ability to change at what precision it does this.



Not really a bug but the way the order book doesn't update even when you place an order kind of bugs me Smiley

Me too Smiley

5 BTC
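The binning the two posters discuss, as an added example that is not BitMe's code: orders are aggregated into price bins at a caller-chosen precision (the user-selectable precision the developer asks for), rounding bids down and asks up so a binned row never overstates the price a taker would actually get. The constructed book below reproduces the report: 99 micro bids spread across 0.0001 USD steps, costing about 0.50 USD in total, produce 99 separate rows at full precision but collapse into the real 5.00 USD bid when binned at 0.01. The order tuples, the sample rates and the bin_book function are assumptions.

```python
"""Aggregating an order book into price bins at a user-chosen precision.

Added example, not BitMe's code. The orders, rates and the binning function
are constructed to illustrate the orderbook-spam report above.
"""
from collections import defaultdict
from decimal import Decimal, ROUND_DOWN, ROUND_UP


def bin_book(orders, precision: str, side: str):
    """Collapse (rate, quantity) orders into bins `precision` wide.

    side="bid": bins round down, so a displayed bid is never higher than any
    order inside it. side="ask": bins round up, so a displayed ask is never
    lower than any order inside it. Returns [(bin_rate, total_qty, order_count)]
    sorted best-first (highest bid first, lowest ask first)."""
    step = Decimal(precision)
    rounding = ROUND_DOWN if side == "bid" else ROUND_UP
    bins = defaultdict(lambda: [Decimal(0), 0])
    for rate, qty in orders:
        key = (Decimal(rate) / step).to_integral_value(rounding=rounding) * step
        bins[key][0] += Decimal(qty)
        bins[key][1] += 1
    rows = [(k, total, count) for k, (total, count) in bins.items()]
    rows.sort(key=lambda r: r[0], reverse=(side == "bid"))
    return rows


def constructed_usd_bids():
    """Constructed book: two genuine bids plus 99 spam bids of 0.001 BTC each,
    placed 0.0001 USD apart just above the best real bid."""
    real = [(Decimal("5.00"), Decimal("10")), (Decimal("4.95"), Decimal("20"))]
    spam = [(Decimal("5") + Decimal("0.0001") * i, Decimal("0.001")) for i in range(1, 100)]
    return real + spam


def spam_cost_usd(orders) -> Decimal:
    """USD needed to fund a list of bids: sum of rate * quantity."""
    return sum((rate * qty for rate, qty in orders), Decimal(0))
```

Usage: bin_book(constructed_usd_bids(), "0.0001", "bid") returns 101 rows with the spam on top, while bin_book(constructed_usd_bids(), "0.01", "bid") returns two rows, the first being the 5.00 bin holding the real 10 BTC plus 0.099 BTC of spam. Binning only changes the display; the matching engine still works on the exact orders, so no one is prevented from trading, they just stop being blinded by micro-orders.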
member
Activity: 92
Merit: 10
May 16, 2012, 08:25:15 AM
#44
Hi,

a little cosmetic issue:

The password strength meter in the Join page works, but doesn't look quite right on IE8. (There's no background color)



confirmed, 5 BTC
member
Activity: 90
Merit: 10
May 16, 2012, 07:04:51 AM
#43
I've managed to spam the orderbook by doing tiny increments in rate and have drowned out everything on the USD side of the order book using less than 1 USD in funds. Now nobody can see what's available. I'm sure I could do the same on the BTC side if I had any left and there was anything to drown, making the orderbook useless.

I think to solve it the order book should be put into bins, so it's more a rough idea of the quantity at each rate, by combining all the quantities at the rates say between 15 and 15.01, or you shouldn't allow quite such small increments in rate. Or maybe it should be left as it is. I suppose when there's active trade across the spread it won't be an issue because those micro orders will be picked up as soon as there's a trade. But I think there should be some way to see more of the orderbook if someone does do this and while you still have low activity on there.



Not really a bug but the way the order book doesn't update even when you place an order kind of bugs me Smiley

legendary
Activity: 1092
Merit: 1016
760930
May 16, 2012, 12:36:29 AM
#42
Hi,

a little cosmetic issue:

The password strength meter in the Join page works, but doesn't look quite right on IE8. (There's no background color)

member
Activity: 92
Merit: 10
May 15, 2012, 06:01:53 PM
#41
Yes, javascript should never add features to the system. JS should be used for cosmetic things or to make some features easier to use. Therefore the javascript method to disable multiple form sending is a bad method. Should be done with a confirmation page or something like that.

Also when you're adding an order, it should classify what went wrong if an error occurred in order placement (instead of "An error occurred!").

Turned javascript off after loading the dashboard page, then clicked on Orders->New and it threw an Error 404 page.

Yup, compatibility without javascript is a known issue.
legendary
Activity: 1511
Merit: 1072
quack
May 15, 2012, 05:58:39 PM
#40
Yes, javascript should never add features to the system. JS should be used for cosmetic things or to make some features easier to use. Therefore the javascript method to disable multiple form sending is a bad method. Should be done with a confirmation page or something like that.

Also when you're adding an order, it should classify what went wrong if an error occurred in order placement (instead of "An error occurred!").

Turned javascript off after loading the dashboard page, then clicked on Orders->New and it threw an Error 404 page.
member
Activity: 92
Merit: 10
May 15, 2012, 05:57:14 PM
#39
when submitting empty fields, you don't just get the empty field error message, but all other possible error messages, too.

instead of using javascript to disable a button i suggest using a token to prevent multiple form submits, also for preventing csrf. google "synchronizer token pattern" and/or read this:
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#General_Recommendation:_Synchronizer_Token_Pattern



Thanks for the suggestion. I'm already using CSRF tokens, but am only generating once per session. As the article points out well, you can generate once per request, but this introduces some usability issues if the user opens multiple tabs for instance. I'm still on the fence about this.
member
Activity: 92
Merit: 10
May 15, 2012, 05:53:27 PM
#38
I tried to withdraw money less than what was deposited and got an error that I did not have enough funds. I cancelled all pending transactions, so the money would not be tied up.
https://imgur.com/1OsY9

If you want to Withdraw BTC you'll have to buy or deposit some first  Grin

That's expected then, since you are on testnet. I thought it might count the test funds in there. Notice where I was withdrawing to? Cheesy

Huh? You only had USD in your account, not BTC. That's why you aren't able to withdraw any. The purpose of the fake depositing in USD is to test the execution and execution interface.
hero member
Activity: 991
Merit: 1011
May 15, 2012, 05:26:21 PM
#37
when submitting empty fields, you don't just get the empty field error message, but all other possible error messages, too.

instead of using javascript to disable a button i suggest using a token to prevent multiple form submits, also for preventing csrf. google "synchronizer token pattern" and/or read this:
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#General_Recommendation:_Synchronizer_Token_Pattern

full member
Activity: 195
Merit: 100
May 15, 2012, 04:57:30 PM
#36
I tried to withdraw money less than what was deposited and got an error that I did not have enough funds. I cancelled all pending transactions, so the money would not be tied up.
https://imgur.com/1OsY9

If you want to Withdraw BTC you'll have to buy or deposit some first  Grin

That's expected then, since you are on testnet. I thought it might count the test funds in there. Notice where I was withdrawing to? Cheesy
legendary
Activity: 1092
Merit: 1016
760930
May 15, 2012, 04:44:38 PM
#35
Hi Sean, it seems I haven't received that last bounty, could you check please?
Thanks

My bad, sent!

Excellent, thanks!
member
Activity: 92
Merit: 10
May 15, 2012, 04:29:46 PM
#34
Hi Sean, it seems I haven't received that last bounty, could you check please?
Thanks

My bad, sent!
legendary
Activity: 1092
Merit: 1016
760930
May 15, 2012, 04:22:11 PM
#33
if, by mistake, or due to network congestion, one double-clicks (or more) on the deposit button, the deposit is performed twice (or more) - this is perhaps true of withdrawals too.

Perhaps a bit of js magic to prevent double submission? 2 BTC

Yeah, disabling the submit button on onclick or something Smiley

Thanks!

Hi Sean, it seems I haven't received that last bounty, could you check please?
Thanks
member
Activity: 92
Merit: 10
May 15, 2012, 04:01:30 PM
#32
I tried to withdraw money less than what was deposited and got an error that I did not have enough funds. I cancelled all pending transactions, so the money would not be tied up.
https://imgur.com/1OsY9

If you want to Withdraw BTC you'll have to buy or deposit some first  Grin
member
Activity: 92
Merit: 10
May 15, 2012, 03:59:53 PM
#31
I was able to deposit a fraction of a USD.

1.001

Expected behavior, again this is just a testnet feature to deposit arbitrary amounts of USD.
full member
Activity: 195
Merit: 100
May 15, 2012, 03:42:03 PM
#30
I tried to withdraw money less than what was deposited and got an error that I did not have enough funds. I cancelled all pending transactions, so the money would not be tied up.


full member
Activity: 195
Merit: 100
May 15, 2012, 03:10:59 PM
#29
I was able to deposit a fraction of a USD.

1.001
legendary
Activity: 1092
Merit: 1016
760930
May 15, 2012, 02:44:02 PM
#28
if, by mistake, or due to network congestion, one double-clicks (or more) on the deposit button, the deposit is performed twice (or more) - this is perhaps true of withdrawals too.

Perhaps a bit of js magic to prevent double submission? 2 BTC

Yeah, disabling the submit button on onclick or something Smiley

Thanks!
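The synchronizer-token approach suggested in posts #37 and #39, applied to the double-submission reported in #28 and #33, as an added example that is not BitMe's code. A fresh single-use token is issued every time the form is rendered, is bound to the form it was issued for, and is consumed atomically on first use, so a double-click, a browser retry or a forged cross-site POST is refused server-side whether or not javascript is running. Keeping a small pool of outstanding tokens per session, rather than one token per session or one per request, addresses the multi-tab usability concern raised in #39. The FormTokens and Ledger classes, the pool size, the result strings and the constructed scenarios are assumptions; FormTokens stands in for a server-side session store keyed by the user's session.

```python
"""Single-use form tokens that block both CSRF and duplicate submission.

Added example, not BitMe's code. The session store, pool size, form names
and the constructed requests are assumptions made for illustration.
"""
import hmac
import secrets
import threading
from collections import OrderedDict


class FormTokens:
    """Per-session pool of single-use tokens (one instance per logged-in session).

    A fresh token is issued every time a form is rendered, so each open tab
    holds its own; the pool keeps the newest `max_open`, so a user with a few
    tabs does not have the older ones invalidated. A token is deleted
    atomically when first used, so a second submission with it is refused."""

    def __init__(self, max_open: int = 8):
        self.max_open = max_open
        self._open = OrderedDict()   # token -> name of the form it was issued for
        self._lock = threading.Lock()

    def issue(self, form: str) -> str:
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        with self._lock:
            self._open[token] = form
            while len(self._open) > self.max_open:
                self._open.popitem(last=False)   # evict the oldest outstanding token
        return token

    def consume(self, form: str, presented) -> bool:
        """True exactly once per issued token, and only on the form it was issued for."""
        if not isinstance(presented, str) or not presented.isascii():
            return False
        with self._lock:
            for token, bound_form in self._open.items():
                # constant-time comparison so timing does not leak token bytes
                if bound_form == form and hmac.compare_digest(token, presented):
                    del self._open[token]
                    return True
        return False


class Ledger:
    """Stand-in for the deposit handler; one Ledger per user session here."""

    def __init__(self):
        self.deposits = []
        self.tokens = FormTokens()

    def render_deposit_form(self) -> dict:
        """What the server embeds in the form as a hidden field."""
        return {"form": "deposit", "csrf_token": self.tokens.issue("deposit")}

    def post_deposit(self, request: dict) -> str:
        """Returns 'ok' or 'rejected'; a missing, used or foreign token is rejected."""
        if not self.tokens.consume("deposit", request.get("csrf_token", "")):
            return "rejected"
        self.deposits.append(request["amount"])
        return "ok"


def double_click_scenario():
    """Constructed: the form is rendered once and the browser submits it twice."""
    ledger = Ledger()
    form = ledger.render_deposit_form()
    req = {"amount": "10.00", "csrf_token": form["csrf_token"]}
    return [ledger.post_deposit(req), ledger.post_deposit(dict(req))], ledger.deposits


def multi_tab_scenario():
    """Constructed: three tabs each render the form; each may submit once."""
    ledger = Ledger()
    tabs = [ledger.render_deposit_form() for _ in range(3)]
    return [ledger.post_deposit({"amount": str(i), "csrf_token": t["csrf_token"]})
            for i, t in enumerate(tabs)]


def forged_request_scenario():
    """Constructed CSRF: a third-party page posts without a token it cannot read."""
    ledger = Ledger()
    ledger.render_deposit_form()
    return ledger.post_deposit({"amount": "999"})
```

The onclick-disable suggested in #28 is still worth keeping as a courtesy to the user, but it is not the control: with tokens consumed server-side the second deposit is rejected even when the client never ran the script. The one case a token does not cover is a first request that succeeded while its response was lost; the user then sees the rejection and should be shown their current balance rather than told to resubmit.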
member
Activity: 92
Merit: 10
May 15, 2012, 02:09:49 PM
#27
Why can't we deposit cents?

Deposit 0.25 USD:
"Amount must be at minimum 1.0"

This is a testnet-only feature. It's just an arbitrary minimum amount.