Pages:
Author

Topic: [BOUNTY] - Bugs at the Kraken.com Exchange - page 3. (Read 22282 times)

member
Activity: 64
Merit: 10
BTCX/Dargo:



I have a password set for trading and 2-factor for login.   I tried with both trading password and login 2-factor password.

I get this error message no matter what trade I do from the advanced screen. 

Tried with and without margin, and with and without condition set.  I also tested with 1 USD order, so this is not dependent on my order size.

Site is looking good, hope this helps.

legendary
Activity: 2408
Merit: 1009
Legen -wait for it- dary
The auto refresh is cool and all, but in the middle of filling out the order form it will just go back to the default and potentially cause orders to execute in an unexpected way.

What happened was, I set a limit sell to close a position. Set the price and volume, and clicked on the review button. It defaulted back as I hit the review order button. If you are quick to click the accept button on the review page, you wouldn't realize that you were about to sell at market and lose profits or even net a loss. That is a big deal when you are trying to get a good price during quick moves

Can you clarify exactly which order form is refreshing automatically? I haven't run across this.

I clicked on the 'X' button of an open margin position to close it. It opens up an order form to fill out the volume, order type, price... It was the order type that reverted from limit to market, just as, or right before  I clicked the review button. I didn't see it change, just that it was a market order on the review screen, and I had set it for limit with a price of $104.
legendary
Activity: 1820
Merit: 1000
Hey, I didn't get my first bounty yet, be sure to check out my 2nd post of bugs also. Cheesy

Don't worry, you'll get it.   Tongue
legendary
Activity: 1820
Merit: 1000
The auto refresh is cool and all, but in the middle of filling out the order form it will just go back to the default and potentially cause orders to execute in an unexpected way.

What happened was, I set a limit sell to close a position. Set the price and volume, and clicked on the review button. It defaulted back as I hit the review order button. If you are quick to click the accept button on the review page, you wouldn't realize that you were about to sell at market and lose profits or even net a loss. That is a big deal when you are trying to get a good price during quick moves

Can you clarify exactly which order form is refreshing automatically? I haven't run across this.
legendary
Activity: 1820
Merit: 1000
Just a suggestion here.
Perhaps put the margin balance and current P/L somewhere near the balance box at the top. This will make for quick reference without changing tabs.

We don't want things to get too crowded up there, but I agree some important numbers like P/L would be nice.

Quote
What is the margin requirement?
At 10:1 and a starting balance of $5000, the margin balance should be $50,000. With a $100/BTC price tag, if I try to short 300BTC which would be $30,000 +fees, I get an "Insufficient margin balance" error.

I'll have to check on this.
legendary
Activity: 1820
Merit: 1000
Thanks man, I'll be sure to look for more bugs.

Also, with EDIT7 when you couldn't reproduce the issue, this is what I meant.
http://puu.sh/3gtKW.png

If I just filled that out, it didn't give me an error for no email entered, it just refreshed the page and gave me that.

I see now.

Quote
EDIT1:
When going under the about section on the main website, "Payward Inc., Press, and Jobs" are all empty. Not sure if intentional or accidental.

EDIT2:
When going to Bug Bounty at the bottom of the page, it's empty. Should give an explanation of the current bounty.
https://beta.kraken.com/security/bug-bounty

EDIT3:
When going to deposit, or withdrawl it doesn't display the current time. I know they are disabled, but this could pose a issue later on.
http://puu.sh/3gugt.png

All this is intentional, so not a bug.

Quote
EDIT4:
When I changed my time to EST, it just gave me the hour, http://puu.sh/3gun1.png
Americans use AM and PM feature, and it should auto-configure to that, if you would change.

I think we are going to stick with military time, so those who love the am/pm thing are going to be a bit disappointed.
member
Activity: 70
Merit: 10
Hey, I didn't get my first bounty yet, be sure to check out my 2nd post of bugs also. Cheesy
legendary
Activity: 2408
Merit: 1009
Legen -wait for it- dary
The auto refresh is cool and all, but in the middle of filling out the order form it will just go back to the default and potentially cause orders to execute in an unexpected way.

What happened was, I set a limit sell to close a position. Set the price and volume, and clicked on the review button. It defaulted back as I hit the review order button. If you are quick to click the accept button on the review page, you wouldn't realize that you were about to sell at market and lose profits or even net a loss. That is a big deal when you are trying to get a good price during quick moves
legendary
Activity: 2408
Merit: 1009
Legen -wait for it- dary
Just a suggestion here.
Perhaps put the margin balance and current P/L somewhere near the balance box at the top. This will make for quick reference without changing tabs.

What is the margin requirement?
At 10:1 and a starting balance of $5000, the margin balance should be $50,000. With a $100/BTC price tag, if I try to short 300BTC which would be $30,000 +fees, I get an "Insufficient margin balance" error.
member
Activity: 70
Merit: 10
Thanks man, I'll be sure to look for more bugs.

Also, with EDIT7 when you couldn't reproduce the issue, this is what I meant.
http://puu.sh/3gtKW.png

If I just filled that out, it didn't give me an error for no email entered, it just refreshed the page and gave me that.

EDIT1:
When going under the about section on the main website, "Payward Inc., Press, and Jobs" are all empty. Not sure if intentional or accidental.

EDIT2:
When going to Bug Bounty at the bottom of the page, it's empty. Should give an explanation of the current bounty.
https://beta.kraken.com/security/bug-bounty

EDIT3:
When going to deposit, or withdrawl it doesn't display the current time. I know they are disabled, but this could pose a issue later on.
http://puu.sh/3gugt.png

EDIT4:
When I changed my time to EST, it just gave me the hour, http://puu.sh/3gun1.png
Americans use AM and PM feature, and it should auto-configure to that, if you would change.
legendary
Activity: 1820
Merit: 1000
One bug I know of so far, is when choosing language options, English US and UK have NO difference.
Might want to remove it completely, since they are virtually the same exact thing.
EDIT:
Bug#2 in the email you receive when joining, it should be " The Kraken Team" not "The Kraken team" it looks doesn't look official when doing a deep search.
EDIT2:

Semi major one pretty much when you go to fill out a support ticket, you can upload ANY size file. I've seen this to lag websites, or even upload shells into the site.
Maybe set a limit, to 100MB and no .exe, those are just examples.
Anyways, to replicate it just go to fill a request, and you can upload ANY file.
Imagine if a 100GB file was uploading just to overdraft your hosting, or lag your website.
Also just realized that in your reply to the request you can also upload files, so try to make it a universal limit.


EDIT3(there could be a lot lol):
When receiving the request email, that pretty much confirms It you get this
"##- Please type your reply above this line -##"
That could be for you guys to fill out, but it definitely shouldn't be in the email.
Found it here: https://support.zendesk.com/entries/20378368-Customizing-your-email-templates

EDIT4:
When going to look at the ticket it just says
"Kraken User
Jun 15 02:46"
It should say your username, and it should sync with your time you selected when creating an account.
Such example of the time, is when I submitted it said 02:46
but, going back to my current set time it says 1:58, which isn't even close.

EDIT5:
http://puu.sh/3fSTG.png All the tabs except Requests by Kraken User just seem like default things you aren't going to be using.
I suggest cleaning those out unless you will use them.

Thanks, this all looks like stuff we want to change.

Quote
EDIT6:
There should be a way to change your email, this is needed so if you need to change your email because you're making a new one, or even if the email got hacked, to be more secure.

You can change your email under Account > Settings

Quote
EDIT7:
When going to request a password reset, if you just click the button without doing filling in anything, or even filling in the username field it just refreshes the page, and doesn't give any error. It should give a bug, like "Invalid email" etc.

I can't reproduce this - I get "Failed to update password" as the error message.

Quote
EDIT8:
When receiving emails I notice to always get this weird file, called "signature.asp"
When opening it I get http://puu.sh/3fT7a.png which has no meaning, and could confuse some people, Googling it didn't help and the only thing I could think this relate to is http://puu.sh/3fT9N.png
1PdS1neSpqQB6TEKjvuF9rsGHcqZz9fy5X

This is our PGP key, but maybe this needs explanation somewhere in the site content.

Thanks sbregar, bounty on the way.
legendary
Activity: 1820
Merit: 1000
I think I got the bounty yesterday, I don't know who else would've sent it. If so, thanks for your generosity Smiley

Yeah it was from us - thank *you* - the issue you raised was very helpful.  Smiley
full member
Activity: 182
Merit: 100
I think I got the bounty yesterday, I don't know who else would've sent it. If so, thanks for your generosity Smiley
member
Activity: 70
Merit: 10
One bug I know of so far, is when choosing language options, English US and UK have NO difference.
Might want to remove it completely, since they are virtually the same exact thing.
EDIT:
Bug#2 in the email you receive when joining, it should be " The Kraken Team" not "The Kraken team" it looks doesn't look official when doing a deep search.
EDIT2:

Semi major one pretty much when you go to fill out a support ticket, you can upload ANY size file. I've seen this to lag websites, or even upload shells into the site.
Maybe set a limit, to 100MB and no .exe, those are just examples.
Anyways, to replicate it just go to fill a request, and you can upload ANY file.
Imagine if a 100GB file was uploading just to overdraft your hosting, or lag your website.
Also just realized that in your reply to the request you can also upload files, so try to make it a universal limit.


EDIT3(there could be a lot lol):
When receiving the request email, that pretty much confirms It you get this
"##- Please type your reply above this line -##"
That could be for you guys to fill out, but it definitely shouldn't be in the email.
Found it here: https://support.zendesk.com/entries/20378368-Customizing-your-email-templates

EDIT4:
When going to look at the ticket it just says
"Kraken User
Jun 15 02:46"
It should say your username, and it should sync with your time you selected when creating an account.
Such example of the time, is when I submitted it said 02:46
but, going back to my current set time it says 1:58, which isn't even close.

EDIT5:
http://puu.sh/3fSTG.png All the tabs except Requests by Kraken User just seem like default things you aren't going to be using.
I suggest cleaning those out unless you will use them.

EDIT6:
There should be a way to change your email, this is needed so if you need to change your email because you're making a new one, or even if the email got hacked, to be more secure.

EDIT7:
When going to request a password reset, if you just click the button without doing filling in anything, or even filling in the username field it just refreshes the page, and doesn't give any error. It should give a bug, like "Invalid email" etc.

EDIT8:
When receiving emails I notice to always get this weird file, called "signature.asp"
When opening it I get http://puu.sh/3fT7a.png which has no meaning, and could confuse some people, Googling it didn't help and the only thing I could think this relate to is http://puu.sh/3fT9N.png
1PdrhY7ngQnA7rZwtXFzC3rzS44FMk8mNy
legendary
Activity: 1820
Merit: 1000
* Found another 2 bugs (related to Two-Factor Authentication).

- Bug 1:
To reproduce - Set a two-factor authentication for login using a password. Log out and try login in without the authentication, you will not be able to login. Now try logging in with the authentication. After logged in, you will see on top right under your username - 1 bad login since... If you click on that, the grey background shows up weirdly, it is overlapping the top menu bar.
To fix it - This is a css issue. The padding you have as
#user-menu .dropdown-toggle {
    padding: 14px 8px;
}
did not account for the extra bad login line so the grey background overlaps the top menu bar. To fix this, simply add a max-height: 38px; or code the background differently.

- Bug 2:
To reproduce -  Setup a  two-factor authentication. Will see an extra space typo in email.
To fix it - fix "You have updated your  two-factor setting on your account.  The IP recorded was " the extra space after "You have updated your" and the space before "The IP recorded. The same goes for "You have updated your  secret two-factor setting", "You have updated your  trade two-factor setting" etc

These are pretty minor of course, but I was able to reproduce them, so I'll tell btcx to send a small bounty your way.
legendary
Activity: 1820
Merit: 1000
Found another 2 bugs. Had these two bugs before and spent a long time to find out how to reproduce it. Let me know if you need more info. You have my btc address  Smiley

Bug 1
To reproduce: When you have low in USD fund, buy BTC that is higher than your fund and switch the option to buy at market rate.
Bug: The system will let you proceed anyway and created an order id, however when you check the order, it is cancelled right away. You may check Order OV6OYZ-JSLCK-3DXH6O
Proposed solution: System should not waste the resource to create id if the user clearly does not have fund to complete the order. System can check the current market rate and do a calculation, compare it against user's fund and decide if a new order should be created.


Maybe I'm misunderstanding you here coinator, but if you create an order which you don't have the funds to complete, the system does let you proceed and will give you a partial fill for what you do have the funds for. The remaining partially completed order will be cancelled. If this is what you are talking about, it isn't a bug. If it isn't what you are talking about, please clarify.
newbie
Activity: 19
Merit: 0
Middle-clicking links doesn't do anything in Firefox 21.0 on Windows 8, it should open them in a new tab. Only right click -> "Open Link in New Tab" works.

14eazyBQToTfAcZsYLNcofyDMjVKjtVykh
newbie
Activity: 23
Merit: 0
Thanks for your prompt response. I'm quite positive that the one bounty I received was for #29 and followed up on #31. The reason why I remembered this is because it was one of the first few BTC I received, thanks for that! Then, I spent more time debugging the site and posted more bug report. Btcx was busy since and I did not hear back from him. Now that I know the site is still in progress, I will try and report more bugs.

Since those bugs posted was found quite some time ago, I'm not sure if it has been fixed already but I'm sure I have tried many times to find and was able to reproduce the bug that time.

I have just pm you my btc address, you may send my bounty there, thanks again.
legendary
Activity: 1820
Merit: 1000
Hi, can you please send my bounty reward to my btc address?  Smiley
I only received my first reward on #29 and #31
I have posted several other bugs report at #33 #35 #38 and btcx acknowledge the find on #34 but he went to bitcoin meeting and was out of contact since.

Dargo, I see that you are in charge of this now, should I send you my btc address or you guys have it on file? Thank you.

From the thread it looks to me like btcx probably sent a single bounty for 29, 31, 33. But there's no response for 35 and 38, so I'll need to look into those. btcx probably has your address on file, but go ahead and PM it to me. Thanks for you help coinator!
newbie
Activity: 23
Merit: 0
Hi, can you please send my bounty reward to my btc address?  Smiley
I only received my first reward on #29 and #31
I have posted several other bugs report at #33 #35 #38 and btcx acknowledge the find on #34 but he went to bitcoin meeting and was out of contact since.

Dargo, I see that you are in charge of this now, should I send you my btc address or you guys have it on file? Thank you.
Pages:
Jump to: