Pages:
Author

Topic: [BOUNTY] - Bugs at the Kraken.com Exchange - page 5. (Read 22282 times)

hero member
Activity: 584
Merit: 500
When creating a new order and filling out the "amount" and "price" fields, submitting a character (such as "e") yields the appropriate warning "Amount must be a numeric value" or "Price must be a numeric value". Entering a "0" in either field also gives the proper error of "1: Invalid amount" or "1: Invalid price".

The problem arises when an invalid number is followed by a non-numeric value. Enter "e", click buy and the numeric value error will appear, then enter "0" and click buy, the previous error is replaced with the invalid amount error, as it should. If you follow the same process and enter an invalid number first, then a character, both errors are given but the invalid number error should no longer be there.



When both the price and amount are invalid numbers, only "1: Invalid price" is given, but both "1: Invalid price" and "1: Invalid amount" should be shown.



If you feel this is reward worthy: 16cuSLuR3qfK4d3hkbvHzBfadJLEEgZvAJ
full member
Activity: 182
Merit: 100
I'm not sure if I'm missing something. I assumed I was selling 5million XRP (which I didn't have) for 602BTC, but I ended up with no BTC and a lot more XRP.

Here's the before and after.

legendary
Activity: 1820
Merit: 1000
  • When one is out of money, the money label shows a negative sign briefly before the first AJAX call changes it to a regular 0. See screenshot:
Not able to reproduce this one, but it may have been fixed since you found it.
Quote
  • In margin description (available margin = equity − active margin), a '-' (hyphen) is used to represent subtraction. A minus sign ('−') is better because it is longer and more clearly subtraction.
I get the same symbol for hyphen and minus sign in a variety of editors.
Quote
  • The "Scheduled Start" is allowed to be before the current time, but not before the current date. This should be rejected to reduce confusion.
Good catch. Not sure that one will be high priority though.
Quote
  • Decimal periods are not supported in the basic order page in UK English.
Looks like this has been fixed.
Quote
  • If "rate" is supposed to mean the current price, it's not working. Bitcoin's rate is $0.00000 for some reason.
Yes, I noticed this too a while back. Good catch.

Thanks dree, will send a bounty your way, but would appreciate clarification on the one I asked you about.
legendary
Activity: 1820
Merit: 1000
1A7d7Lifp9oFkek8YQtLySnoY7LWhagibx

I am on Safari 6.0.5 on OS X 10.8.4. On an open position, when I go to set up the closing order the form gets periodically reset whenever the ajax updates. This doesn't seem to affect the new order form. It can be replicated by pressing the blue refresh button after changing any of the options in the close position form.


Nice catch nitrous - I'll arrange to have a bounty sent your way.
legendary
Activity: 1820
Merit: 1000
  • A positive or negative number in the basic screen could be confusing. With a plus or minus sign, the order is treated as a relative order. However, the description still reads "+XXX". This would be better if it were "market+XXX".

dree, could you elaborate on this one - I'm not following. Not sure what you mean by the "basic screen."
legendary
Activity: 1820
Merit: 1000
Alright i want to tell you about some security problems.



1 . There is a a small problem in your Two-Factor Authentication system which can be big loophole.


Let's say I am using "Password" Method for login,deposit and withdrawl.

If someone got my account's password, he can change Two-Factor Authentication password or disable it easily and withdraw all my BTC . I will get a notification mail but it will be too late, i can not get my Bitcoins back.

So better method is, if someone, even account owner tries to change or update Two-Factor authentication, He should get a verification mail first (Same as registration mail).

Same problem is with Master Key.

If you have two-factor enabled with the "Password" option you only get a static second passcode, so if someone gets your login info including the static code, yeah, they can login and wreak havoc. This is why you should use Google Authenticator or Yubikey for a dynamic passcode. Eventually we'll be adding a feature where you can lock your account so that two-factor settings can't be changed without requesting an unlock that would take some time to complete. In the meantime you'll get an email so you'd have a warning in case you didn't initiate the unlock request.  

Quote
2. Site should block account after x invalid login and there should be a ip check feature.If someone from another ip range tries to do login, it should send a mail. I know it shows a session hijack error on site but you should know who tried to access it (IP adddress)

Giving you the IP address for a potential hijack isn't done for privacy concerns, but we'll consider it.

Quote
3. Password reset mails,I tried it once, got a "reset expired" error and after that i tried 4 times, but never got a single mail. (I am using Gmail)  (Username on kraken.com = escrowms)

You should have gotten the emails. I'll have to check on this. Since you just have a beta account, it doesn't really matter, but for future reference, it would be better to give your public account ID (listed under "Settings") rather than your username.

Thanks escrow - please post your address for the bounty. Edit: We'll send to your tip jar.
legendary
Activity: 1820
Merit: 1000
Thanks for the input everyone - we haven't forgotten about you. I'll be addressing the stuff that's been added since May 5th, and for anyone that hasn't received their promised bounty yet please let me know.

I work for Payward (kraken.com), as vouched for by btcx here:

https://bitcointalksearch.org/topic/faq-suggestions-for-new-exchange-krakencom-192104
sr. member
Activity: 246
Merit: 250
1A7d7Lifp9oFkek8YQtLySnoY7LWhagibx

I am on Safari 6.0.5 on OS X 10.8.4. On an open position, when I go to set up the closing order the form gets periodically reset whenever the ajax updates. This doesn't seem to affect the new order form. It can be replicated by pressing the blue refresh button after changing any of the options in the close position form.



legendary
Activity: 1246
Merit: 1077
Problems, from least to most significant:

(address: 1MLZrr1oFahTgw73AjiLTMPEdkzUCGhci6)

Cosmetic
  • When one is out of money, the money label shows a negative sign briefly before the first AJAX call changes it to a regular 0. See screenshot:
  • In margin description (available margin = equity − active margin), a '-' (hyphen) is used to represent subtraction. A minus sign ('−') is better because it is longer and more clearly subtraction.
  • A positive or negative number in the basic screen could be confusing. With a plus or minus sign, the order is treated as a relative order. However, the description still reads "+XXX". This would be better if it were "market+XXX".

Odd behaviour
  • The "Scheduled Start" is allowed to be before the current time, but not before the current date. This should be rejected to reduce confusion.

Incorrect behaviour
legendary
Activity: 1274
Merit: 1004
Alright i want to tell you about some security problems.



1 . There is a a small problem in your Two-Factor Authentication system which can be big loophole.


Let's say I am using "Password" Method for login,deposit and withdrawl.

If someone got my account's password, he can change Two-Factor Authentication password or disable it easily and withdraw all my BTC . I will get a notification mail but it will be too late, i can not get my Bitcoins back.

So better method is, if someone, even account owner tries to change or update Two-Factor authentication, He should get a verification mail first (Same as registration mail).

Same problem is with Master Key.

2. Site should block account after x invalid login and there should be a ip check feature.If someone from another ip range tries to do login, it should send a mail. I know it shows a session hijack error on site but you should know who tried to access it (IP adddress)

3. Password reset mails,I tried it once, got a "reset expired" error and after that i tried 4 times, but never got a single mail. (I am using Gmail)  (Username on kraken.com = escrowms)

vip
Activity: 302
Merit: 253
I mean that when i filled in the signup form I accidentally put my password in the username field.  When i fixed it and took it out it would not let me use that password as my password, still giving an error that username and password were the same.

good find.  post your btc address for a bounty.

btw, if there is anyone else who I missed the bounty for previously, please let me know.
hero member
Activity: 938
Merit: 500
CryptoTalk.Org - Get Paid for every Post!
I mean that when i filled in the signup form I accidentally put my password in the username field.  When i fixed it and took it out it would not let me use that password as my password, still giving an error that username and password were the same.
vip
Activity: 302
Merit: 253
When trying to buy a really small amount of BTC, it gives the error message "1: Amount too low". I suspect the '1:' is some sort of error code? Perhaps it's more useful to mention the minimal amount in the error message.

EDIT: Found a more serious one now.

I set a buy order at a ridiculously large amount of a million BTC for market price, at 1:250 leverage. I had $14k in my balance. Then something weird happened: the order got executed for 250.82679898 BTC (worth exactly $25k), but my balance remained untouched. Then the order was canceled automatically (and it is now listed as 'canceled' in my 'Closed orders' list) because the 'Margin allowance exceeded'. Not everything was unchanged, though: my fee-progress-bar jumped straight through four levels, to the point where it's now nearly at 0.36%. Being able to use this in a controlled fashion would make it a very viable attack to get into cheaper fee regions Tongue

I have thus been unable to reproduce it, but I'll keep trying. Perhaps you can see more info on the back end. It's trade order OYHWZH-PXEQY-PWFHKU.

Yeah, it would be good to actually tell you what that too low threshold is.  For BTC/USD it's an amount that would be worth less than $0.01 USD.

It looks like what happened with your 1:250 leverage order is that you hit the $25k per user cap on margin.  So, the remainder of your order got canceled after you ran out of margin and it filled $25k worth, which you should now have an open position for.  My guess is your fees were already < 0.4% when you made the order.  The margin cap per user isn't displayed anywhere so you couldn't have known and that's something we need to fix.  Thanks for the report!


Bug signing up.  I accidentally entered my password as the user name, now it will not let me enter that password. even after I changed the user name.

I'm not sure I understand you.  We don't allow you to change usernames, and we don't allow you to have your username as part of your password.  Can you clarify?

Are Ripple meant to be something that we can trade?  Also, I notice that unlike gox you can only put in as many orders as you actually have funds, is this intended behavior?  On Gox if it eats through all your bitcoin or dollars it cancels any remaining trades.
Yes, you should be able to trade XRP but the market is probably pretty shallow or nonexistent so you may want to check the order book.

Yes, setting a limit order will reserve that currency so you'll be unable to set up orders for more than you have.  You can, however, use the stop orders and conditional close to somewhat bypass those restrictions.
hero member
Activity: 938
Merit: 500
CryptoTalk.Org - Get Paid for every Post!
I figured out how to trade ripple, but it won't let me do so.  it always says the estimated cost is 0.  It will let me buy ripple with dollars, but not dollars with ripple.
hero member
Activity: 938
Merit: 500
CryptoTalk.Org - Get Paid for every Post!
Are Ripple meant to be something that we can trade?  Also, I notice that unlike gox you can only put in as many orders as you actually have funds, is this intended behavior?  On Gox if it eats through all your bitcoin or dollars it cancels any remaining trades.
hero member
Activity: 938
Merit: 500
CryptoTalk.Org - Get Paid for every Post!
Bug signing up.  I accidentally entered my password as the user name, now it will not let me enter that password. even after I changed the user name.
member
Activity: 68
Merit: 10
When trying to buy a really small amount of BTC, it gives the error message "1: Amount too low". I suspect the '1:' is some sort of error code? Perhaps it's more useful to mention the minimal amount in the error message.

EDIT: Found a more serious one now.

I set a buy order at a ridiculously large amount of a million BTC for market price, at 1:250 leverage. I had $14k in my balance. Then something weird happened: the order got executed for 250.82679898 BTC (worth exactly $25k), but my balance remained untouched. Then the order was canceled automatically (and it is now listed as 'canceled' in my 'Closed orders' list) because the 'Margin allowance exceeded'. Not everything was unchanged, though: my fee-progress-bar jumped straight through four levels, to the point where it's now nearly at 0.36%. Being able to use this in a controlled fashion would make it a very viable attack to get into cheaper fee regions Tongue

I have thus been unable to reproduce it, but I'll keep trying. Perhaps you can see more info on the back end. It's trade order OYHWZH-PXEQY-PWFHKU.
newbie
Activity: 24
Merit: 0
I created a market order for buying 1 BTC with 250:1 leverage. I canceled after a few minutes, and now it's been stuck in "Cancel Pending" for several minutes.

https://i.imgur.com/Vc5fE24.png
member
Activity: 66
Merit: 10
On "Overview" page, the rate of my BTC balance is $0.0000 - what does that mean?

http://cl.ly/image/311C083x371C
member
Activity: 66
Merit: 10
Another bug, this time it's UI one. I have a 13" MacBook Pro laptop, this might not be as confusing on a taller screen.

I sold some bitcoins with a leverage, now I have two positions, the first one of which is:

http://cl.ly/image/1Q3g1A1P352y

Now I scroll down on this page, find "Close Position" section

http://cl.ly/image/1S180L3z2R1v

and I am greeted with a blank screen

http://cl.ly/image/0v1p2U0K2y13

After a while, I realize it's the right screen (and works ok), only it's scrolled way down.
Pages:
Jump to: