[Full Disclosure] Live mtgox.com trade matching bug. - page 4.

jrmithdobbs

newbie

Activity: 67

Merit: 0

Quote from: Herodes on June 27, 2011, 10:39:56 PM

I believe you're already involved with britcoin.co.uk ?

I don't know why I'm going to taking the troll bait. Last thread I was supposedly affiliated with tradehill.

For the record: I am not now, nor have I been in the past, directly affiliated with any bitcoin exchange or service offerings. I speak with devs involved with several such project on a regular basis, however, yes, including those involved with britcoin amongst others.

Quote from: wumpus on June 27, 2011, 11:04:41 PM

I think it's very good that you do bug testing on MtGox and report the bugs.

But why don't you give MT even a day to fix it before you post it to the forums and mailing list?

Because I firmly believe that this principle has shown time and time again to hold true:

http://en.wikipedia.org/wiki/Full_disclosure

Full disclosure is the only real disclosure.

DrYe5

sr. member

Activity: 490

Merit: 250

Close Gox trading.

wumpus

hero member

Activity: 812

Merit: 1022

No Maps for These Territories

I think it's very good that you do bug testing on MtGox and report the bugs.

But why don't you give MT even a day to fix it before you post it to the forums and mailing list?

Meatpile

sr. member

Activity: 277

Merit: 250

Well as shitty as security issues are.... its quite obvious that once its public, action will be taken.

I think that is a better option than letting a few select people take advantage of it covertly for possibly weeks or months?

jrmithdobbs

newbie

Activity: 67

Merit: 0

Quote from: vragnaroda on June 27, 2011, 10:39:30 PM

After making yourself look like such an ass, you should really reconsider that.

By having MagicalTux confirm that one of the possibilities I explicitly posted was indeed the case? Not following you.

Just so you know this was disclosed to Tux at the same time it was posted. He considers it a problem and is working to fix it.

Hate me all you want.

I still believe that people not disclosing these issues to the public is what led to the last major compromise. Would you rather not be made aware of the issues and blindly assume that everything in the world of bitcoin is perfect?

Additionally. At jgarzik's request I wont be posting these to the bitcoin-dev list going forward. There is talk of a separate bitcoin-vendor-sec (or similarly named) list being created.

Quote from: Klestin on June 27, 2011, 10:51:41 PM

Erm, no it doesn't mean this. If it's well designed, there is a semaphore or lock to prevent this. No sense jumping to conclusions based on what is essentially little more than a display bug.

You're right, that should say possibly, not actually.

Klestin

hero member

Activity: 493

Merit: 500

Quote from: jrmithdobbs on June 27, 2011, 10:33:22 PM

Which means there's actually a race condition to be exploited as well. Admittedly hard to take advantage of but it exists.

Erm, no it doesn't mean this. If it's well designed, there is a semaphore or lock to prevent this. No sense jumping to conclusions based on what is essentially little more than a display bug.

Herodes

hero member

Activity: 868

Merit: 1000

Quote from: jrmithdobbs on June 27, 2011, 09:55:41 PM

...

You show nothing but hostility totwards mtGox. The only motive I could think of is jealousy. If you think your technical expertice and knowledge is superior to that of MagicalTux's, then please go ahead and create the ultimate exchange. I believe you're already involved with britcoin.co.uk ?

Seriously, acting like you do is of no good for nobody. Why waste your time talking shit and disclosing bugs when mtGox is actually working on it to fix it?

You'll be better off in the long run if you focuse on the things you do, and do them well, instead of talking negatively about other people. I think this says more about you, then it says about MT and mtGox.

I am sure you can mend your ways if you wanted to.

vragnaroda

newbie

Activity: 40

Merit: 0

Quote from: jrmithdobbs on June 27, 2011, 10:33:22 PM

Quote from: GeniuSxBoY on June 27, 2011, 10:31:58 PM

Please leave possible exploits away from the public.
In other words, keep it private.
Work with them behind closed doors.

No.

Quote from: FooDSt4mP on June 27, 2011, 10:23:11 PM

Funds are being checked before it is executed.

Which means there's actually a race condition to be exploited as well. Admittedly hard to take advantage of but it exists.

After making yourself look like such an ass, you should really reconsider that.

jrmithdobbs

newbie

Activity: 67

Merit: 0

Quote from: GeniuSxBoY on June 27, 2011, 10:31:58 PM

Please leave possible exploits away from the public.
In other words, keep it private.
Work with them behind closed doors.

No.

Quote from: FooDSt4mP on June 27, 2011, 10:23:11 PM

Funds are being checked before it is executed.

Which means there's actually a race condition to be exploited as well. Admittedly hard to take advantage of but it exists.

GeniuSxBoY

hero member

Activity: 616

Merit: 500

Please leave possible exploits away from the public.
In other words, keep it private.
Work with them behind closed doors.

FooDSt4mP

full member

Activity: 182

Merit: 100

Quote from: bitbot on June 27, 2011, 10:10:13 PM

someone explain this

The order isn't being removed on withdrawal. Funds are being checked before it is executed.

bitbot

member

Activity: 70

Merit: 10

someone explain this

BitcoinPorn

hero member

Activity: 630

Merit: 500

Posts: 69

Quote from: MagicalTux on June 27, 2011, 10:05:34 PM

Quote from: jrmithdobbs on June 27, 2011, 09:55:41 PM

I cannot guarantee this order will execute but from everything I've observed about the new trade matching code I have no reason to believe it will not.

It will not execute.

MagicalTux

vip

Activity: 608

Merit: 501

-

Quote from: jrmithdobbs on June 27, 2011, 09:55:41 PM

I cannot guarantee this order will execute but from everything I've observed about the new trade matching code I have no reason to believe it will not.

It will not execute, and I told you it'll be fixed in a couple of hours. Thanks for disclosing this before.

jrmithdobbs

newbie

Activity: 67

Merit: 0

Step 1: Have USD available for spending on mtgox.com.
Step 2: Put in a buy order large enough to drain your account. Low enough under the current trading price that it will not execute immediately.
Step 3: Withdraw all USD funds.
Step 4: Wait for market to fall enough to meet your order.
Step 5: ...(self explanatory)...

There's a bit of luck in being able to take advantage, obviously.

I would suggest you take the site down asap until this is corrected or publicly show how this order will never execute:

==========
Welcome 0.00000000 ฿TC 424.44901
Buying 138468.901 0.01 Active 1384.69 06/26 15:27 cancel
==========

I cannot guarantee this order will execute but from everything I've observed about the new trade matching code I have no reason to believe it will not.

At the very least this could be used to influence market conditions if it is only a display bug.

bitcoin-dev: http://sourceforge.net/mailarchive/forum.php?thread_name=C9421AA2-D741-4989-9DA8-395D1F532F52%40jrbobdobbs.org&forum_name=bitcoin-development
f-d: http://lists.grok.org.uk/pipermail/full-disclosure/2011-June/081682.html

Topic: [Full Disclosure] Live mtgox.com trade matching bug. - page 4. (Read 15376 times)