Pages:
Author

Topic: Nxt source code flaw reports - page 65. (Read 113369 times)

legendary
Activity: 2142
Merit: 1010
Newbie
January 03, 2014, 08:08:55 AM
#20
https provides secured communications, otherwise it can be listened on network level and can be sniffed.

No problem with that, all data must be public anyway.
hero member
Activity: 600
Merit: 500
Nxt-kit developer
January 03, 2014, 08:08:01 AM
#19
Code:
(amount + fee) * 100L > account.unconfirmedBalance
That bug with overflow when (amount + fee) * 100L > int_max?

No, 100L tells that the result will be a 64-bit number.

Really? http://ideone.com/5zWQ0C
sr. member
Activity: 266
Merit: 250
January 03, 2014, 08:04:54 AM
#18
The http:// is not a real secure address:
--------------------------------------------------------
new URL("http://" + address);
--------------------------------------------------------
new URL("http://" + announcedAddress);
--------------------------------------------------------
URL url = new URL("http://" + announcedAddress + ((new URL("http://" + announcedAddress)).getPort() < 0 ? ":7874" : "") + "/nxt");
--------------------------------------------------------
            
This should be https:// in the future..

My address: Smiley
17665579946762640918

It is secure.

https provides secured communications, otherwise it can be listened on network level and can be sniffed.
hero member
Activity: 910
Merit: 1000
January 03, 2014, 08:04:48 AM
#17
another polemic to bring the prices down ?  Wink


how do you mean?

the code was released with the flaws so that people can see what they are working with, the flaws were added by the developer.

the flaws are in place to stop people immediately cloning the code and releasing their own version.

people will need to wait to see if all the flaws have been found before confirmation that the source is in fact in its fully working condition again.


When i first read about the code release i was a little dubious but I personally think its a great way to get the source out there for review, also gain extra interest from people because of the rewards but also the subtle way they now have multiple coders looking over their code and getting to understand it.

im assuming they aren't expecting clones to appear over night but im sure the developer realises if his code is a cut above the current code behind most of the other coins, that it will eventually take off and more "NXTLiteCoin" versions will emerge.


all in all i think its a cracking play on NXT's side and will actually help the prices rather than hurt them.

At least thats how i saw it ;-) I could have completely the wrong end of the stick - I just wish i had even the smallest understanding of the code itself so i could take part lol.


The problem with releasing a fake is that you can find something really wrong and they can say "good, we already fix this / we already changed it" etc. it cannot be verified as it's not the real complete source code, kinda useless tbh

Wrong, they have finished written statements - their hashes are posted in the first post.
hero member
Activity: 784
Merit: 501
January 03, 2014, 08:03:29 AM
#16
Do you accept any suggestions here, or flaws only?
What if I found some potentially bad code?

Only flaws, feel free to create another thread for suggestions and post link here.

Source code analysis (QA).

Feel free everyone to post you suggestions there.
newbie
Activity: 42
Merit: 0
January 03, 2014, 07:59:07 AM
#15
another polemic to bring the prices down ?  Wink


how do you mean?

the code was released with the flaws so that people can see what they are working with, the flaws were added by the developer.

the flaws are in place to stop people immediately cloning the code and releasing their own version.

people will need to wait to see if all the flaws have been found before confirmation that the source is in fact in its fully working condition again.


When i first read about the code release i was a little dubious but I personally think its a great way to get the source out there for review, also gain extra interest from people because of the rewards but also the subtle way they now have multiple coders looking over their code and getting to understand it.

im assuming they aren't expecting clones to appear over night but im sure the developer realises if his code is a cut above the current code behind most of the other coins, that it will eventually take off and more "NXTLiteCoin" versions will emerge.


all in all i think its a cracking play on NXT's side and will actually help the prices rather than hurt them.

At least thats how i saw it ;-) I could have completely the wrong end of the stick - I just wish i had even the smallest understanding of the code itself so i could take part lol.


The problem with releasing a fake is that you can find something really wrong and they can say "good, we already fix this / we already changed it" etc. it cannot be verified as it's not the real complete source code, kinda useless tbh
legendary
Activity: 2142
Merit: 1010
Newbie
January 03, 2014, 07:58:09 AM
#14
Code:
(amount + fee) * 100L > account.unconfirmedBalance
That bug with overflow when (amount + fee) * 100L > int_max?

No, 100L tells that the result will be a 64-bit number.
sr. member
Activity: 308
Merit: 250
January 03, 2014, 07:55:57 AM
#13
another polemic to bring the prices down ?  Wink


how do you mean?

the code was released with the flaws so that people can see what they are working with, the flaws were added by the developer.

the flaws are in place to stop people immediately cloning the code and releasing their own version.

people will need to wait to see if all the flaws have been found before confirmation that the source is in fact in its fully working condition again.


When i first read about the code release i was a little dubious but I personally think its a great way to get the source out there for review, also gain extra interest from people because of the rewards but also the subtle way they now have multiple coders looking over their code and getting to understand it.

im assuming they aren't expecting clones to appear over night but im sure the developer realises if his code is a cut above the current code behind most of the other coins, that it will eventually take off and more "NXTLiteCoin" versions will emerge.


all in all i think its a cracking play on NXT's side and will actually help the prices rather than hurt them.

At least thats how i saw it ;-) I could have completely the wrong end of the stick - I just wish i had even the smallest understanding of the code itself so i could take part lol.
hero member
Activity: 600
Merit: 500
Nxt-kit developer
January 03, 2014, 07:51:35 AM
#12
Code:
(amount + fee) * 100L > account.unconfirmedBalance
That bug with overflow when (amount + fee) * 100L > int_max?
legendary
Activity: 2142
Merit: 1010
Newbie
January 03, 2014, 07:46:14 AM
#11
Quote
@Override
      public int compareTo(BidOrder o) {
         
         if (price > o.price) {
            
            return -1;
            
         } else if (price < o.price) {
            
            return 1;

there should be replaced <> tο:

Quote
@Override
      public int compareTo(BidOrder o) {
         
         if (price < o.price) {
            
            return -1;
            
         } else if (price > o.price) {
            
            return 1;

Why?

It's part of Asset Exchange. Looks like BCNext forgot to remove this code. Don't pay attention.
legendary
Activity: 1526
Merit: 1012
January 03, 2014, 07:45:51 AM
#10
another polemic to bring the prices down ?  Wink
legendary
Activity: 2142
Merit: 1010
Newbie
January 03, 2014, 07:44:59 AM
#9
The http:// is not a real secure address:
--------------------------------------------------------
new URL("http://" + address);
--------------------------------------------------------
new URL("http://" + announcedAddress);
--------------------------------------------------------
URL url = new URL("http://" + announcedAddress + ((new URL("http://" + announcedAddress)).getPort() < 0 ? ":7874" : "") + "/nxt");
--------------------------------------------------------
            
This should be https:// in the future..

My address: Smiley
17665579946762640918

It is secure.
legendary
Activity: 2142
Merit: 1010
Newbie
January 03, 2014, 07:44:30 AM
#8
Quote
@Override
      public int compareTo(BidOrder o) {
         
         if (price > o.price) {
            
            return -1;
            
         } else if (price < o.price) {
            
            return 1;

there should be replaced <> tο:

Quote
@Override
      public int compareTo(BidOrder o) {
         
         if (price < o.price) {
            
            return -1;
            
         } else if (price > o.price) {
            
            return 1;

Why?
hero member
Activity: 800
Merit: 502
January 03, 2014, 07:41:56 AM
#7
The http:// is not a real secure address:
--------------------------------------------------------
Code:
new URL("http://" + address);
--------------------------------------------------------
Code:
new URL("http://" + announcedAddress);
--------------------------------------------------------
Code:
URL url = new URL("http://" + announcedAddress + ((new URL("http://" + announcedAddress)).getPort() < 0 ? ":7874" : "") + "/nxt");
--------------------------------------------------------
            
This should be https:// in the future..

My address: Smiley
17665579946762640918
hero member
Activity: 490
Merit: 504
January 03, 2014, 07:38:47 AM
#6
Quote
@Override
      public int compareTo(BidOrder o) {
         
         if (price > o.price) {
            
            return -1;
            
         } else if (price < o.price) {
            
            return 1;

there should be replaced <> tο:

Quote
@Override
      public int compareTo(BidOrder o) {
         
         if (price < o.price) {
            
            return -1;
            
         } else if (price > o.price) {
            
            return 1;
legendary
Activity: 2142
Merit: 1010
Newbie
January 03, 2014, 07:38:03 AM
#5
Do you accept any suggestions here, or flaws only?
What if I found some potentially bad code?

Only flaws, feel free to create another thread for suggestions and post link here.
member
Activity: 98
Merit: 10
January 03, 2014, 07:32:48 AM
#4
Ok, digging the code right now. 3rd April is too long to wait for.
hero member
Activity: 784
Merit: 501
January 03, 2014, 07:31:09 AM
#3
Do you accept any suggestions here, or flaws only?
What if I found some potentially bad code?
hero member
Activity: 600
Merit: 500
Nxt-kit developer
legendary
Activity: 2142
Merit: 1010
Newbie
January 03, 2014, 07:26:48 AM
#1
Nxt source code has been released - https://bitcointalksearch.org/topic/m.4287127

The code contains 3 flaws - serious, critical and fatal. The 1st person who reports these flaws will get 1'000, 10'000 or 100'000 NXT reward accordingly.

Each flaw has a small description. Here r SHA256 hashes of these descriptions:

bd34c891e9e3df9ea8b8eafc4dc3edc129f81365d42bf204ea58271e320f3ce5 - 1K reward
888f278c773d39b8334a651d84ee78871bd0e5d45e09be8fdb190ba1b2969530 - 10K reward
f5236644f4306699bb0fa90a905afe2454683c0aad6995e4433d712e2fdb257c - 100K reward

The flaws must be reported before the 3rd of April, after that date they can be revealed at any moment.

If u think that u found a flaw, post here its description. Mathematical proof is not necessary, common sense should be enough. If ur guess is correct u may* get the reward, if u find a non-injected flaw then u'll be asked for more formal proof (u may get a reward too).

NB: Some guys mentioned that they would just decompile 0.4.7e binaries and compare the source codes to find the flaws. As a countermeasure against such the trick u still must explain why there is a flaw.

-------------
* - BCNext reserves the right to refuse to pay a reward without any explanation. This is an anti-troll countermeasure.
Pages:
Jump to: