Looks like the current site is vulnerable to a DoS attack through the 'withdraw' method:
In the withdraw form, enter a 34-digit address and any amount of BTC (doesn't matter if you
have them or not), and quickly hit 'Enter' 30 times or more, in rapid succession. The whole site
appears to become unresponsive for at least 10 seconds.
.
Topic: [ANN] Hey, BitMe! (#bitme) - page 3. (Read 9464 times)
I've managed to spam the orderbook by doing tiny increments in rate and have drowned out everything on the USD side of the order book using less than 1 USD in funds. Now nobody can see what's available. I'm sure i could do the same on the BTC side if i had any left and there was anything to drown, making the orderbook useless.
I think to solve it the order book should be put into bins, so it's more a rough idea of the quantity at each rate, by combining all the quantities at the rates say between 15 and 15.01, or you shouldn't allow quite such small increments in rate. Or maybe it should be left as it is. I suppose when there's active trade across the spread it won't be an issue because those micro orders will be picked up as soon as there's a trade. But I think there should be some way to see more of the orderbook if someone does do this and while you still have low activity on there.
I think to solve it the order book should be put into bins, so it's more a rough idea of the quantity at each rate, by combining all the quantities at the rates say between 15 and 15.01, or you shouldn't allow quite such small increments in rate. Or maybe it should be left as it is. I suppose when there's active trade across the spread it won't be an issue because those micro orders will be picked up as soon as there's a trade. But I think there should be some way to see more of the orderbook if someone does do this and while you still have low activity on there.
I put this on my todo list as an enhancement. I think combining them into different "bins" is a good idea, but I don't want to do that without giving the user the ability to change at what precision it does this.
Not really a bug but the way the order book doesn't update even when you place an order kind of bugs me 
Me too
5 BTC
Hi,
a little cosmetic issue:
The password strength meter in the Join page works, but doesn't look quite right on
IE8. (There's no background color)
a little cosmetic issue:
The password strength meter in the Join page works, but doesn't look quite right on
IE8. (There's no background color)
confirmed, 5 BTC
I've managed to spam the orderbook by doing tiny increments in rate and have drowned out everything on the USD side of the order book using less than 1 USD in funds. Now nobody can see what's available. I'm sure i could do the same on the BTC side if i had any left and there was anything to drown, making the orderbook useless.
I think to solve it the order book should be put into bins, so it's more a rough idea of the quantity at each rate, by combining all the quantities at the rates say between 15 and 15.01, or you shouldn't allow quite such small increments in rate. Or maybe it should be left as it is. I suppose when there's active trade across the spread it won't be an issue because those micro orders will be picked up as soon as there's a trade. But I think there should be some way to see more of the orderbook if someone does do this and while you still have low activity on there.
Not really a bug but the way the order book doesn't update even when you place an order kind of bugs me
I think to solve it the order book should be put into bins, so it's more a rough idea of the quantity at each rate, by combining all the quantities at the rates say between 15 and 15.01, or you shouldn't allow quite such small increments in rate. Or maybe it should be left as it is. I suppose when there's active trade across the spread it won't be an issue because those micro orders will be picked up as soon as there's a trade. But I think there should be some way to see more of the orderbook if someone does do this and while you still have low activity on there.
Not really a bug but the way the order book doesn't update even when you place an order kind of bugs me
Hi,
a little cosmetic issue:
The password strength meter in the Join page works, but doesn't look quite right on
IE8. (There's no background color)
a little cosmetic issue:
The password strength meter in the Join page works, but doesn't look quite right on
IE8. (There's no background color)
Yes, javascript should never add features to the system. JS should be used to cosmetical things or to make some features easier to use. Therefore the javascript-method to disable multiple form sending is bad method. Should be done with confirmation page or something like that.
Also when you're adding an order, it should classify what went wrong if an error occurred in order placement (instead of "An error occurred!").
Turned javascript off after loading dashboard page, then clicked on Orders->New and it threw to Error 404 -page.
Also when you're adding an order, it should classify what went wrong if an error occurred in order placement (instead of "An error occurred!").
Turned javascript off after loading dashboard page, then clicked on Orders->New and it threw to Error 404 -page.
Yup, compatibility without javascript is a known issue.
Yes, javascript should never add features to the system. JS should be used to cosmetical things or to make some features easier to use. Therefore the javascript-method to disable multiple form sending is bad method. Should be done with confirmation page or something like that.
Also when you're adding an order, it should classify what went wrong if an error occurred in order placement (instead of "An error occurred!").
Turned javascript off after loading dashboard page, then clicked on Orders->New and it threw to Error 404 -page.
Also when you're adding an order, it should classify what went wrong if an error occurred in order placement (instead of "An error occurred!").
Turned javascript off after loading dashboard page, then clicked on Orders->New and it threw to Error 404 -page.
when submitting empty fields, you dont just get the empty field error message, but all other possible error messages, too.
instead of using javascrpt to disable a button i suggest using a token to prevent multiple form submits, also for preventing csrf. google synchronizer token pattern and/or read this:
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#General_Recommendation:_Synchronizer_Token_Pattern
instead of using javascrpt to disable a button i suggest using a token to prevent multiple form submits, also for preventing csrf. google synchronizer token pattern and/or read this:
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#General_Recommendation:_Synchronizer_Token_Pattern
Thanks for the suggestion. I'm already using CSRF tokens, but am only generating once per session. As the article points out well, you can generate once per request, but this introduces some usability issues if the user opens multiple tabs for instance. I'm still on the fence about this.
I tried to withdraw money less than what was deposited and got an error that I did not have enough funds. I cancelled all pending transactions, so the money would not be tied up.
https://imgur.com/1OsY9
https://imgur.com/1OsY9
If you want to Withdraw BTC you'll have to buy or deposit some first
That's expected then, since you are on testnet. I Thought it might count the test funds in there. Notice where I was withdrawing to?
Huh? You only had USD in your account, not BTC. That's why you aren't able to withdraw any. The purpose of the fake depositing in USD is to test the execution and execution interface.
when submitting empty fields, you dont just get the empty field error message, but all other possible error messages, too.
instead of using javascrpt to disable a button i suggest using a token to prevent multiple form submits, also for preventing csrf. google synchronizer token pattern and/or read this:
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#General_Recommendation:_Synchronizer_Token_Pattern
instead of using javascrpt to disable a button i suggest using a token to prevent multiple form submits, also for preventing csrf. google synchronizer token pattern and/or read this:
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#General_Recommendation:_Synchronizer_Token_Pattern
I tried to withdraw money less than what was deposited and got an error that I did not have enough funds. I cancelled all pending transactions, so the money would not be tied up.
https://imgur.com/1OsY9
https://imgur.com/1OsY9
If you want to Withdraw BTC you'll have to buy or deposit some first
That's expected then, since you are on testnet. I Thought it might count the test funds in there. Notice where I was withdrawing to?
Hi Sean, it seems I haven't received that last bounty, could you check please?
Thanks
Thanks
My bad, sent!
Excellent, thanks!
Hi Sean, it seems I haven't received that last bounty, could you check please?
Thanks
Thanks
My bad, sent!
if, by mistake, or due to network congestion, one double-clicks (or more) on the deposit button, the deposit is performed twice (or more) - this is perhaps true of withdrawals too.
Perhaps a bit of js magic to prevent double submission? 2 BTC
Yeah, disabling the submit button on onclick or something
Thanks!
Hi Sean, it seems I haven't received that last bounty, could you check please?
Thanks
I tried to withdraw money less than what was deposited and got an error that I did not have enough funds. I cancelled all pending transactions, so the money would not be tied up.
https://imgur.com/1OsY9
https://imgur.com/1OsY9
If you want to Withdraw BTC you'll have to buy or deposit some first
I was able to deposit a fraction of a USD.
1.001
1.001
Expected behavior, again this is just a testnet feature to deposit arbitrary amounts of USD.
I tried to withdraw money less than what was deposited and got an error that I did not have enough funds. I cancelled all pending transactions, so the money would not be tied up.
I was able to deposit a fraction of a USD.
1.001
1.001
if, by mistake, or due to network congestion, one double-clicks (or more) on the deposit button, the deposit is performed twice (or more) - this is perhaps true of withdrawals too.
Perhaps a bit of js magic to prevent double submission? 2 BTC
Yeah, disabling the submit button on onclick or something
Thanks!
Why can't we deposit cents?
Deposit 0.25 USD:
Deposit 0.25 USD:
Quote
Amount must be at minimum 1.0
This is a testnet-only feature. It's just an arbitrary minimum amount.
Jump to: