
Topic: [BOUNTY] - Bugs at the Kraken.com Exchange - page 6. (Read 22289 times)

hero member
Activity: 868
Merit: 1000
We've had the site in a limited beta with about 20 users for the past week testing basic functionality but now it's time to really try to break things.

For this your use a professional security auditing firm.
member
Activity: 66
Merit: 10
I placed a sell order for 99.5 BTC, which apparently went through since I only have 0.49751 BTC left (I originally had 100, I think) and lots of USD.

However, the status of the order is "Canceled":



This is the only order I've made. My balance afterwards:


tbd
newbie
Activity: 45
Merit: 0
- What is the difference between a status of "Untouched" and "Open"?  After placing a new order sometimes they would be "Open" status, and sometimes "Untouched".

- Twice I was unable to cancel my orders.  I clicked the "X" on the Orders screen but received an Unknown Order message.  References OHXHYC-7RUCJ-FJ4ILE and OWOO7Y-O5DXH-I6TOYF.

- The "Last Updated:" time at the bottom pane would occasionally default to "4 hours ago".

- You may want to place some limits on the order entry size in BTC.  If the value is too large it overflows your internal storage, which appears to have a max of 92,233,720,368.54775807.  Similarly, USD prices with more than 5 decimal places should not be allowed.  This seems to result in an "Insufficient funds" error message at the moment when entering in very small USD prices, even if the order total is less than my balance.
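The limits suggested in the post above, as an added example that is not part of the original post and is not the exchange's code. It assumes amounts are stored as signed 64-bit integers scaled by 10^8 (the reported ceiling is exactly (2^63 - 1) / 10^8); the per-order limits and all function names are hypothetical.

```python
from decimal import Decimal, InvalidOperation

# Assumption: balances are signed 64-bit integers scaled by 10**8, since
# (2**63 - 1) / 10**8 is exactly the reported 92,233,720,368.54775807 ceiling.
INT64_MAX = 2**63 - 1
VOLUME_DECIMALS = 8                 # BTC precision implied by that ceiling
PRICE_DECIMALS = 5                  # USD price precision named in the post
MAX_VOLUME = Decimal("21000000")    # hypothetical per-order limit, in BTC
MAX_PRICE = Decimal("10000000")     # hypothetical per-order limit, in USD


class OrderInputError(ValueError):
    """Carries the specific reason an order field was rejected."""


def parse_fixed(text, decimals, upper, field):
    """Convert a decimal string to an integer number of 10**-decimals units."""
    try:
        value = Decimal(str(text).strip())
    except InvalidOperation:
        raise OrderInputError(f"{field}: not a decimal number") from None
    if not value.is_finite() or value <= 0:
        raise OrderInputError(f"{field}: must be a positive finite number")
    if value > upper:
        raise OrderInputError(f"{field}: exceeds maximum of {upper}")
    # Reject excess precision rather than rounding it away silently.
    if value != value.quantize(Decimal(1).scaleb(-decimals)):
        raise OrderInputError(f"{field}: more than {decimals} decimal places")
    return int(value.scaleb(decimals))


def validate_order(volume_text, price_text):
    """Return (volume_units, price_units, cost_units) or raise OrderInputError."""
    volume = parse_fixed(volume_text, VOLUME_DECIMALS, MAX_VOLUME, "volume")
    price = parse_fixed(price_text, PRICE_DECIMALS, MAX_PRICE, "price")
    # Python integers do not wrap, so the product is exact; round the cost up
    # to whole 10**-5 USD units and check it against the 64-bit range.
    cost = -(-(volume * price) // 10**VOLUME_DECIMALS)
    if cost > INT64_MAX:
        raise OrderInputError("total: order value exceeds storable range")
    return volume, price, cost


def rejection_reason(volume_text, price_text):
    """Return the message to show the user, or None if the order is well-formed."""
    try:
        validate_order(volume_text, price_text)
    except OrderInputError as exc:
        return str(exc)
    return None
```

Each field can pass its own limit while the order total still exceeds 64 bits, which is why the product is checked separately.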
newbie
Activity: 23
Merit: 0
Two-Factor Authentication has been returned to the Beta under Security Settings.  Please give it a whirl.

P.S.  I'm on my way back to SF from Berlin so I may be offline until Saturday PT.  Bitcoin Documentary is going to be awesome.

No problem, hope everything is going fine there. Let me know when you have gone through post #35.

* Found another 2 bugs (related to Two-Factor Authentication).

- Bug 1:
To reproduce - Set a two-factor authentication for login using a password. Log out and try logging in without the authentication; you will not be able to log in. Now try logging in with the authentication. After logging in, you will see on the top right under your username - 1 bad login since... If you click on that, the grey background shows up weirdly; it is overlapping the top menu bar.
To fix it - This is a CSS issue. The padding you have as
#user-menu .dropdown-toggle {
    padding: 14px 8px;
}
did not account for the extra bad login line so the grey background overlaps the top menu bar. To fix this, simply add a max-height: 38px; or code the background differently.

- Bug 2:
To reproduce -  Setup a  two-factor authentication. Will see an extra space typo in email.
To fix it - fix "You have updated your  two-factor setting on your account.  The IP recorded was " the extra space after "You have updated your" and the space before "The IP recorded". The same goes for "You have updated your  secret two-factor setting", "You have updated your  trade two-factor setting" etc.
member
Activity: 102
Merit: 10
Some things to improve:

  • Homepage, Line 125, you forgot to close the
    tag.
    Weighted Avg
  • You have more than 1 H1 tag. You should change one of them to a lower heading level or put the first one between
    tags. You've got no H2 headings.
  • Sometimes the search engines shows the meta description on the results page. You should change it into another more extense and accurate.
  • In the FAQ, you should have a Questions List with links at the top of the section. Now there are a few example questions, but for an extense list it is very important to offer the list at the top.
  • You haven't got any favicon.

These things will make you get a higher Google score and will improve the user experience, so they are quite important. There's also some bad HTML use (which I find little important) that you can find in the W3C Validator. You should also fix them in order to have a fully valid website.

Hope it helped.
vip
Activity: 302
Merit: 253
Two-Factor Authentication has been returned to the Beta under Security Settings.  Please give it a whirl.

P.S.  I'm on my way back to SF from Berlin so I may be offline until Saturday PT.  Bitcoin Documentary is going to be awesome.
newbie
Activity: 23
Merit: 0
Found another 2 bugs. Had these two bugs before and spent a long time to find out how to reproduce it. Let me know if you need more info. You have my btc address.

Bug 1
To reproduce: When you have low in USD fund, buy BTC that is higher than your fund and switch the option to buy at market rate.
Bug: The system will let you proceed anyway and created an order id, however when you check the order, it is cancelled right away. You may check Order OV6OYZ-JSLCK-3DXH6O
Proposed solution: System should not waste the resource to create id if the user clearly does not have fund to complete the order. System can check the current market rate and do a calculation, compare it against user's fund and decide if a new order should be created.

Bug 2
To reproduce: From bug 1, after the system created the ID and a successful green message pop up and disappear. Try to buy btc using market or limit (set your own or auto).
Bug: You will see if you have insufficient fund, the system will show a pink box with no text in there, it is just an empty pink error box. If you navigate to another link, or if you log out and log in again. You will not be able to see the error message. Also, when you try to sell BTC after producing this bug, you will not see a success message, you will just see the pink box.
Proposed solution: Fix bug 1 and go from there. Looks like some id got missing and the message could not be displayed into the correct div.
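The pre-check proposed for Bug 1 above, as an added example that is not part of the original post and is not the exchange's code. The fee rate, the order book and all names are constructed for illustration; funds are reserved at acceptance so that the balance check and the order creation cannot disagree.

```python
from decimal import Decimal
from itertools import count

FEE_RATE = Decimal("0.002")      # hypothetical taker fee
_order_ids = count(1)            # stands in for the exchange's id allocator

# Constructed sample book: (price in USD, size in BTC)
ASKS = [(Decimal("100"), Decimal("1")),
        (Decimal("101"), Decimal("2")),
        (Decimal("105"), Decimal("5"))]


class Account:
    def __init__(self, usd):
        self.usd = Decimal(usd)
        self.reserved = Decimal(0)   # funds held by accepted, unfilled orders

    @property
    def available(self):
        return self.usd - self.reserved


def market_buy_cost(asks, volume):
    """Cost, fee included, of buying `volume` by walking asks best price first.

    Returns None when the book cannot fill the whole volume.
    """
    remaining, cost = Decimal(volume), Decimal(0)
    for price, size in sorted(asks):
        take = min(remaining, size)
        cost += take * price
        remaining -= take
        if remaining == 0:
            return cost * (1 + FEE_RATE)
    return None


def place_market_buy(account, asks, volume):
    """Return (order_id, reason); an id is allocated only for fundable orders."""
    if Decimal(volume) <= 0:
        return None, "volume must be positive"
    cost = market_buy_cost(asks, volume)
    if cost is None:
        return None, "insufficient market depth"
    if cost > account.available:
        return None, (f"insufficient funds: need {cost} USD, "
                      f"have {account.available} USD")
    # Hold the funds now so a second order cannot spend the same balance.
    account.reserved += cost
    return next(_order_ids), None
```

A rejected order returns a non-empty reason and consumes no order id, which also gives the interface a message to put in the error box described in Bug 2.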
vip
Activity: 302
Merit: 253
Thanks. I have pm you by bitcoin address, please send the reward there.

I have mess around with a site a little and believe I may have found something and crashed the login module?

To reproduce the bug, using Account 1, under settings, change the email to the email of account 2. Before activating it, cancel the email change using the button provided under the settings page. Then change the email to email of account 2 again.

Bug: You will see that under settings of account 1, the username is blank and the email disappeared too. When I tried to logout, I was unable to. The error message was "Failed to logout".

I tried using another browser to login account 1 and account 2, both are showing:

500

Application Error

An application error has occurred.

So, I believed I may have caused that to happen because I tried it right away.

Proposed solution: I believed that when a user set to change their email and cancel, the system did not actually cancel the request. It just hides the confirmation (count down) dialog box but still wait for 8 hours before it actually expires. So, when user request for another email change, something weird happen.

Let me know if you need more info. Thanks.

Another great find!  Apologies for being out of contact.  I've just made my way to Berlin from San Francisco to take part in the Bitcoin Documentary!

This should be fixed now.  See if you can get it to happen again.  some BTC headed your way right now!  Thanks!
newbie
Activity: 23
Merit: 0
Thanks. I have pm you by bitcoin address, please send the reward there.

I have mess around with a site a little and believe I may have found something and crashed the login module?

To reproduce the bug, using Account 1, under settings, change the email to the email of account 2. Before activating it, cancel the email change using the button provided under the settings page. Then change the email to email of account 2 again.

Bug: You will see that under settings of account 1, the username is blank and the email disappeared too. When I tried to logout, I was unable to. The error message was "Failed to logout".

I tried using another browser to login account 1 and account 2, both are showing:

500

Application Error

An application error has occurred.

So, I believed I may have caused that to happen because I tried it right away.

Proposed solution: I believed that when a user set to change their email and cancel, the system did not actually cancel the request. It just hides the confirmation (count down) dialog box but still wait for 8 hours before it actually expires. So, when user request for another email change, something weird happen.

Let me know if you need more info. Thanks.
vip
Activity: 302
Merit: 253
That could be why. But there could be a potential issue.

1) User who forgot their password before they activate are stuck.
Workaround:
When they provide the right username & password combination but wrong confirmation code, have the error message such as
- error message: Invalid username and password combination, click here to reset your password or wait x hours to register again.
- solution: Make it possible to reset password before activation. Gives clear instruction how to proceed if you do not offer password reset before activation. (i.e, let them know how long to wait before they can register using same email & username)

When they provide invalid or expired confirmation code, have the error message such as
- error message: Invalid activation key or signup has expired. You may register using the same email again.
- solution: Let them know more clearly what can they do in this case. If your database still store their info, offer a link to resend new activation code. If not, let them know they should register again.

In my case, I'm not sure if I have my username/password combination incorrect. I have not activated the account yet and when I tried to sign in, I get the following error:
Invalid activation key or signup has expired.
I don't think the signup expired yet since it's only been a short while. I also got the activation code from email. So, I think I should have wrong credential info. The system should be clear on this.

Please let me know how can I proceed now. Thanks!

This is a good find.  Thanks for pointing it out, and the proposed solutions.  For the time being, you will need to wait for that activation attempt to expire (8 hours), or create another account with a new email address.
newbie
Activity: 23
Merit: 0
That could be why. But there could be a potential issue.

1) User who forgot their password before they activate are stuck.
Workaround:
When they provide the right username & password combination but wrong confirmation code, have the error message such as
- error message: Invalid username and password combination, click here to reset your password or wait x hours to register again.
- solution: Make it possible to reset password before activation. Gives clear instruction how to proceed if you do not offer password reset before activation. (i.e, let them know how long to wait before they can register using same email & username)

When they provide invalid or expired confirmation code, have the error message such as
- error message: Invalid activation key or signup has expired. You may register using the same email again.
- solution: Let them know more clearly what can they do in this case. If your database still store their info, offer a link to resend new activation code. If not, let them know they should register again.

In my case, I'm not sure if I have my username/password combination incorrect. I have not activated the account yet and when I tried to sign in, I get the following error:
Invalid activation key or signup has expired.
I don't think the signup expired yet since it's only been a short while. I also got the activation code from email. So, I think I should have wrong credential info. The system should be clear on this.

Please let me know how can I proceed now. Thanks!
vip
Activity: 302
Merit: 253
1) Not receiving Forgot Username reminder email.
2) Not receiving Forgot Password reset email.

Checked spam folder, was not there. Did receive the activation email during signup.
Email Platform: Gmail


P.S: Please trigger a reset password email to me. Thanks.

It sounds like you haven't completed the activation process.
newbie
Activity: 23
Merit: 0
1) Not receiving Forgot Username reminder email.
2) Not receiving Forgot Password reset email.

Checked spam folder, was not there. Did receive the activation email during signup.
Email Platform: Gmail


P.S: Please trigger a reset password email to me. Thanks.
sr. member
Activity: 328
Merit: 250
While waiting for funds to try the trading system, here are some grammatical writing errors:

In the privacy policy, the following statement, the of is extraneous and is very confusing. :
We will collect and use of personal information solely with the objective of fulfilling those purposes specified by us and for other compatible purposes, unless we obtain the consent of the individual concerned or as required by law.

Under your TOS:
•   Website is one word (currently spelled as web site throughout your TOS) (accuracy is more professional imo)
•   Under 1. Terms, the first sentence should be “By accessing this website, you are agreeing to be bound by these Terms and Conditions of Use…” (these is extraneous)
•   Under 4. Limitations, the following phrase:  (including, without limitation, damages for loss of data or profit, or due to business interruption,) should be written as “(including, without limitation, damages for loss of data or profit due to business interruption),
o   This is assuming I understand the purpose of that statement.

In market data, the very top number of the spread graph is slightly cut off by the white border around Spread(BTC/USD)
vip
Activity: 302
Merit: 253
Feedback:

Timezones rather limited. For instance, Amsterdam (UTC+1) is missing, and with +1 it does list Dublin and London both of which use a different time for half the year. I selected Lisbon but I am not sure this is correct. (update: Lisbon is not correct and I needed to select Zurich UTC +2, while in fact we are on UTC+1 with daylight saving time).

Amsterdam is Central Europe Summer Time (CEST) UTC+2 right now, isn't it?  Central Europe Standard Time (CET) would be UTC+1.  CET UTC+1 with DST would be CEST (UTC+2).  We've chosen to use a single city per time zone but, if you think it'd help, we could potentially include a few more major cities per time zone, and/or state the alternative time abbreviation for that region (CEST, CET).  It would be impossible to include all cities.  The Tripoli timezone, while also CEST, UTC+2 right now differs in the time the CET->CEST change occurs so it has its own entry.


I created an account with a PGP public key, so the activation mail I got was encrypted (as it should be). When I decrypted the file it told me the signature was unknown which is of course to be expected because your signature isn’t in my address book. So I browsed the site and found the PGP public key. However navigating to the downloadable .asc file (https://beta.kraken.com/kraken.asc ) yields a 404.

So I used the PGP public key listed on https://beta.kraken.com/pgp , imported it and decrypted the email again. It tells me the key is NOT valid. This is incorrect of course. I retried it several times and it kept coming up with the same result. (to be clear, the message is decrypted correctly, it's just that your signature appears to be invalid).

Thanks for reporting the .asc.   I'm not sure why you're getting 'the key is NOT valid'.  I haven't had any problems with it and I just tried repeating the process you described, getting a new copy of the key from the site and everything, and it all looks good on my end.  Anyone else having this problem?  Maybe you can PM me and tell me what email client or program is giving you that message.

EDIT:  missing downloadable .asc file fixed.
legendary
Activity: 2324
Merit: 1125
Feedback:

Timezones rather limited. For instance, Amsterdam (UTC+1) is missing, and with +1 it does list Dublin and London both of which use a different time for half the year. I selected Lisbon but I am not sure this is correct. (update: Lisbon is not correct and I needed to select Zurich UTC +2, while in fact we are on UTC+1 with daylight saving time).

I created an account with a PGP public key, so the activation mail I got was encrypted (as it should be). When I decrypted the file it told me the signature was unknown which is of course to be expected because your signature isn’t in my address book. So I browsed the site and found the PGP public key. However navigating to the downloadable .asc file (https://beta.kraken.com/kraken.asc ) yields a 404.

So I used the PGP public key listed on https://beta.kraken.com/pgp , imported it and decrypted the email again. It tells me the key is NOT valid. This is incorrect of course. I retried it several times and it kept coming up with the same result. (to be clear, the message is decrypted correctly, it's just that your signature appears to be invalid).

Now I’ll PM you my username so I can test the actual trading functionality.
legendary
Activity: 892
Merit: 1013
where is the api description, i'd like to give it a try?

[EDIT] i confirm, if i change the language to english UK, i got the comma instead of dot.
vip
Activity: 302
Merit: 253
[EDIT] also i got a bug but i'm not sure it was there before ...
Just when i try to place an order now, the price that is set automatically -when loading the page end- use a comma (,) instead of a dot(.) so i have to correct it manually all the time to place the order.

feel free to tip :p
1MgiDgvf6LqBRxEghy4NXLFxeiKepbHFqK

By the way i like the clean look of the site and how you just took the right things from mtgox and adding some powerful features very nice job.

Thanks for the reports and I'm glad you like it.  Can you tell me what your system language is.. I'm guessing this is the source of the . or , issue.
I'm in french. and yep here we use comma instead of dots.
Would be nice to allow it instead of blocking comma like every other exchange (even btc-central which is french and sometimes have the same problem)

Ah ok, you have English (UK) as the language set on the exchange.  I see the problem.  Will be fixed soon.  Thanks!
legendary
Activity: 892
Merit: 1013
[EDIT] also i got a bug but i'm not sure it was there before ...
Just when i try to place an order now, the price that is set automatically -when loading the page end- use a comma (,) instead of a dot(.) so i have to correct it manually all the time to place the order.


feel free to tip :p
1MgiDgvf6LqBRxEghy4NXLFxeiKepbHFqK

By the way i like the clean look of the site and how you just took the right things from mtgox and adding some powerful features very nice job.

Thanks for the reports and I'm glad you like it.  Can you tell me what your system language is.. I'm guessing this is the source of the . or , issue.
I'm in french. and yep here we use comma instead of dots.
Would be nice to allow it instead of blocking comma like every other exchange (even btc-central which is french and sometimes have the same problem)
vip
Activity: 302
Merit: 253
I just clicked on the 2nd tab ('market data') and my computer almost ground to a halt.

I closed the tab and tried again.  This time the same happened, but the 'loading' progress bar froze part-way through.  That might give you a clue about what part of your code is broken I guess?



Edit: note that this has only happened since I switched from BTC/USD to BTC/XRP, so maybe that's the problem?

For anything that you can't get to repeat along the lines of the page not loading, it's probably just due to the changes we're constantly making.  If it's a security problem but you can't repeat it, that'd be worth reporting.  If it's not, don't worry about it.  I've tried the btc/usd to btc/xrp switch and haven't had any problems.