Topic: Nxt source code flaw reports - page 65. (Read 113359 times)

legendary
Activity: 2142
Merit: 1009
Newbie
January 03, 2014, 09:08:55 AM
#20
https provides secure communications; otherwise it can be listened to at the network level and sniffed.

No problem with that, all data must be public anyway.
hero member
Activity: 600
Merit: 500
Nxt-kit developer
January 03, 2014, 09:08:01 AM
#19
Code:
(amount + fee) * 100L > account.unconfirmedBalance
Is that a bug with overflow when (amount + fee) * 100L > int_max?

No, 100L means that the result will be a 64-bit number.

Really? http://ideone.com/5zWQ0C
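Added example (not from the thread and not Nxt's own code) showing what the ideone link is getting at: if `amount` and `fee` are Java `int` fields (an assumption about the types), `(amount + fee)` is evaluated in 32-bit arithmetic and only the wrapped sum is widened to `long` by `* 100L`, so the balance check can pass for an absurdly large transfer. The fixed variants widen before adding, or use checked arithmetic.

```java
public class BalanceCheckOverflow {

    // Same shape as the quoted check; int amount/fee and long balance are assumed.
    // Java evaluates (amount + fee) as a 32-bit int and only widens the
    // already-wrapped sum to long when it meets the 100L operand.
    static boolean insufficientFundsOriginal(int amount, int fee, long unconfirmedBalance) {
        return (amount + fee) * 100L > unconfirmedBalance;
    }

    // Hardened form: widen each operand first so no intermediate result is
    // computed in 32 bits, and reject negative values outright.
    static boolean insufficientFundsFixed(int amount, int fee, long unconfirmedBalance) {
        if (amount < 0 || fee < 0) {
            return true;
        }
        long requiredHundredths = ((long) amount + (long) fee) * 100L;
        return requiredHundredths > unconfirmedBalance;
    }

    // Equivalent using Java 8 checked arithmetic, which throws
    // ArithmeticException instead of silently wrapping.
    static boolean insufficientFundsChecked(int amount, int fee, long unconfirmedBalance) {
        if (amount < 0 || fee < 0) {
            return true;
        }
        long required = Math.multiplyExact(Math.addExact((long) amount, (long) fee), 100L);
        return required > unconfirmedBalance;
    }

    public static void main(String[] args) {
        // Constructed inputs: two positive ints whose sum exceeds Integer.MAX_VALUE,
        // so the int addition wraps to a negative number.
        int amount = 2_000_000_000;
        int fee = 2_000_000_000;
        long balance = 100_000L; // a small balance, in hundredths of NXT

        System.out.println("int sum            = " + (amount + fee));
        System.out.println("original rejects?  = " + insufficientFundsOriginal(amount, fee, balance));
        System.out.println("fixed rejects?     = " + insufficientFundsFixed(amount, fee, balance));
        System.out.println("checked rejects?   = " + insufficientFundsChecked(amount, fee, balance));
    }
}
```

With these inputs the original check compares a negative product against the balance and lets the transaction through, while both corrected versions reject it.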
sr. member
Activity: 266
Merit: 250
January 03, 2014, 09:04:54 AM
#18
The http:// is not a real secure address:
--------------------------------------------------------
new URL("http://" + address);
--------------------------------------------------------
new URL("http://" + announcedAddress);
--------------------------------------------------------
URL url = new URL("http://" + announcedAddress + ((new URL("http://" + announcedAddress)).getPort() < 0 ? ":7874" : "") + "/nxt");
--------------------------------------------------------

This should be https:// in the future.

My address:
17665579946762640918

It is secure.

https provides secure communications; otherwise it can be listened to at the network level and sniffed.
hero member
Activity: 910
Merit: 1000
January 03, 2014, 09:04:48 AM
#17
another polemic to bring the prices down?


how do you mean?

The code was released with the flaws so that people can see what they are working with; the flaws were added by the developer.

The flaws are in place to stop people immediately cloning the code and releasing their own version.

People will need to wait to see if all the flaws have been found before confirmation that the source is in fact in its fully working condition again.


When I first read about the code release I was a little dubious, but I personally think it's a great way to get the source out there for review, also gain extra interest from people because of the rewards, but also the subtle way they now have multiple coders looking over their code and getting to understand it.

I'm assuming they aren't expecting clones to appear overnight, but I'm sure the developer realises that if his code is a cut above the current code behind most of the other coins, it will eventually take off and more "NXTLiteCoin" versions will emerge.


All in all I think it's a cracking play on NXT's side and will actually help the prices rather than hurt them.

At least that's how I saw it ;-) I could have completely the wrong end of the stick - I just wish I had even the smallest understanding of the code itself so I could take part lol.


The problem with releasing a fake is that you can find something really wrong and they can say "good, we already fixed this / we already changed it" etc. It cannot be verified as it's not the real complete source code, kinda useless tbh.

Wrong, they have finished written statements - their hashes are posted in the first post.
hero member
Activity: 784
Merit: 501
January 03, 2014, 09:03:29 AM
#16
Do you accept any suggestions here, or flaws only?
What if I found some potentially bad code?

Only flaws, feel free to create another thread for suggestions and post a link here.

Source code analysis (QA).

Feel free, everyone, to post your suggestions there.
newbie
Activity: 42
Merit: 0
January 03, 2014, 08:59:07 AM
#15
another polemic to bring the prices down?


how do you mean?

The code was released with the flaws so that people can see what they are working with; the flaws were added by the developer.

The flaws are in place to stop people immediately cloning the code and releasing their own version.

People will need to wait to see if all the flaws have been found before confirmation that the source is in fact in its fully working condition again.


When I first read about the code release I was a little dubious, but I personally think it's a great way to get the source out there for review, also gain extra interest from people because of the rewards, but also the subtle way they now have multiple coders looking over their code and getting to understand it.

I'm assuming they aren't expecting clones to appear overnight, but I'm sure the developer realises that if his code is a cut above the current code behind most of the other coins, it will eventually take off and more "NXTLiteCoin" versions will emerge.


All in all I think it's a cracking play on NXT's side and will actually help the prices rather than hurt them.

At least that's how I saw it ;-) I could have completely the wrong end of the stick - I just wish I had even the smallest understanding of the code itself so I could take part lol.


The problem with releasing a fake is that you can find something really wrong and they can say "good, we already fixed this / we already changed it" etc. It cannot be verified as it's not the real complete source code, kinda useless tbh.
legendary
Activity: 2142
Merit: 1009
Newbie
January 03, 2014, 08:58:09 AM
#14
Code:
(amount + fee) * 100L > account.unconfirmedBalance
Is that a bug with overflow when (amount + fee) * 100L > int_max?

No, 100L means that the result will be a 64-bit number.
sr. member
Activity: 308
Merit: 250
January 03, 2014, 08:55:57 AM
#13
another polemic to bring the prices down?


how do you mean?

The code was released with the flaws so that people can see what they are working with; the flaws were added by the developer.

The flaws are in place to stop people immediately cloning the code and releasing their own version.

People will need to wait to see if all the flaws have been found before confirmation that the source is in fact in its fully working condition again.


When I first read about the code release I was a little dubious, but I personally think it's a great way to get the source out there for review, also gain extra interest from people because of the rewards, but also the subtle way they now have multiple coders looking over their code and getting to understand it.

I'm assuming they aren't expecting clones to appear overnight, but I'm sure the developer realises that if his code is a cut above the current code behind most of the other coins, it will eventually take off and more "NXTLiteCoin" versions will emerge.


All in all I think it's a cracking play on NXT's side and will actually help the prices rather than hurt them.

At least that's how I saw it ;-) I could have completely the wrong end of the stick - I just wish I had even the smallest understanding of the code itself so I could take part lol.
hero member
Activity: 600
Merit: 500
Nxt-kit developer
January 03, 2014, 08:51:35 AM
#12
Code:
(amount + fee) * 100L > account.unconfirmedBalance
Is that a bug with overflow when (amount + fee) * 100L > int_max?
legendary
Activity: 2142
Merit: 1009
Newbie
January 03, 2014, 08:46:14 AM
#11
Quote
@Override
      public int compareTo(BidOrder o) {
         
         if (price > o.price) {
            
            return -1;
            
         } else if (price < o.price) {
            
            return 1;

There, <> should be replaced with:

Quote
@Override
      public int compareTo(BidOrder o) {
         
         if (price < o.price) {
            
            return -1;
            
         } else if (price > o.price) {
            
            return 1;

Why?

It's part of Asset Exchange. Looks like BCNext forgot to remove this code. Don't pay attention.
legendary
Activity: 1526
Merit: 1012
January 03, 2014, 08:45:51 AM
#10
another polemic to bring the prices down?
legendary
Activity: 2142
Merit: 1009
Newbie
January 03, 2014, 08:44:59 AM
#9
The http:// is not a real secure address:
--------------------------------------------------------
new URL("http://" + address);
--------------------------------------------------------
new URL("http://" + announcedAddress);
--------------------------------------------------------
URL url = new URL("http://" + announcedAddress + ((new URL("http://" + announcedAddress)).getPort() < 0 ? ":7874" : "") + "/nxt");
--------------------------------------------------------

This should be https:// in the future.

My address:
17665579946762640918

It is secure.
legendary
Activity: 2142
Merit: 1009
Newbie
January 03, 2014, 08:44:30 AM
#8
Quote
@Override
      public int compareTo(BidOrder o) {
         
         if (price > o.price) {
            
            return -1;
            
         } else if (price < o.price) {
            
            return 1;

There, <> should be replaced with:

Quote
@Override
      public int compareTo(BidOrder o) {
         
         if (price < o.price) {
            
            return -1;
            
         } else if (price > o.price) {
            
            return 1;

Why?
hero member
Activity: 800
Merit: 502
January 03, 2014, 08:41:56 AM
#7
The http:// is not a real secure address:
--------------------------------------------------------
Code:
new URL("http://" + address);
--------------------------------------------------------
Code:
new URL("http://" + announcedAddress);
--------------------------------------------------------
Code:
URL url = new URL("http://" + announcedAddress + ((new URL("http://" + announcedAddress)).getPort() < 0 ? ":7874" : "") + "/nxt");
--------------------------------------------------------

This should be https:// in the future.

My address:
17665579946762640918
hero member
Activity: 490
Merit: 504
January 03, 2014, 08:38:47 AM
#6
Quote
@Override
      public int compareTo(BidOrder o) {
         
         if (price > o.price) {
            
            return -1;
            
         } else if (price < o.price) {
            
            return 1;

There, <> should be replaced with:

Quote
@Override
      public int compareTo(BidOrder o) {
         
         if (price < o.price) {
            
            return -1;
            
         } else if (price > o.price) {
            
            return 1;
legendary
Activity: 2142
Merit: 1009
Newbie
January 03, 2014, 08:38:03 AM
#5
Do you accept any suggestions here, or flaws only?
What if I found some potentially bad code?

Only flaws, feel free to create another thread for suggestions and post link here.
member
Activity: 98
Merit: 10
January 03, 2014, 08:32:48 AM
#4
Ok, digging into the code right now. 3rd April is too long to wait for.
hero member
Activity: 784
Merit: 501
January 03, 2014, 08:31:09 AM
#3
Do you accept any suggestions here, or flaws only?
What if I found some potentially bad code?
hero member
Activity: 600
Merit: 500
Nxt-kit developer
legendary
Activity: 2142
Merit: 1009
Newbie
January 03, 2014, 08:26:48 AM
#1
Nxt source code has been released - https://bitcointalksearch.org/topic/m.4287127

The code contains 3 flaws - serious, critical and fatal. The 1st person who reports these flaws will get 1'000, 10'000 or 100'000 NXT reward accordingly.

Each flaw has a small description. Here r SHA256 hashes of these descriptions:

bd34c891e9e3df9ea8b8eafc4dc3edc129f81365d42bf204ea58271e320f3ce5 - 1K reward
888f278c773d39b8334a651d84ee78871bd0e5d45e09be8fdb190ba1b2969530 - 10K reward
f5236644f4306699bb0fa90a905afe2454683c0aad6995e4433d712e2fdb257c - 100K reward

The flaws must be reported before the 3rd of April, after that date they can be revealed at any moment.

If u think that u found a flaw, post here its description. Mathematical proof is not necessary, common sense should be enough. If ur guess is correct u may* get the reward, if u find a non-injected flaw then u'll be asked for more formal proof (u may get a reward too).

NB: Some guys mentioned that they would just decompile 0.4.7e binaries and compare the source codes to find the flaws. As a countermeasure against such a trick u still must explain why there is a flaw.

-------------
* - BCNext reserves the right to refuse to pay a reward without any explanation. This is an anti-troll countermeasure.
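The three hashes above are a commit-then-reveal: the descriptions are fixed now and can be checked later. As an added example (not part of the original post), this is how a reader could verify a revealed description against the posted commitments once it is published; the description text itself is a constructed placeholder, and the normalisation variants are there because SHA-256 is over exact bytes, so a stray trailing newline or CRLF line ending would otherwise produce a false mismatch.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.List;

public class FlawCommitmentCheck {

    // The three SHA-256 commitments exactly as posted in the first post.
    static final List<String> COMMITMENTS = Arrays.asList(
        "bd34c891e9e3df9ea8b8eafc4dc3edc129f81365d42bf204ea58271e320f3ce5", // 1K reward
        "888f278c773d39b8334a651d84ee78871bd0e5d45e09be8fdb190ba1b2969530", // 10K reward
        "f5236644f4306699bb0fa90a905afe2454683c0aad6995e4433d712e2fdb257c"  // 100K reward
    );

    static String sha256Hex(byte[] data) throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(data);
        StringBuilder sb = new StringBuilder(64);
        for (byte b : digest) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    // Returns the index of the matching commitment (0 = 1K, 1 = 10K, 2 = 100K)
    // or -1 if none matches. A hash commitment covers exact bytes, so the
    // obvious whitespace/line-ending variants are tried before giving up.
    static int matchingCommitment(String revealed) throws NoSuchAlgorithmException {
        String[] variants = {
            revealed,
            revealed + "\n",
            revealed.replace("\n", "\r\n"),
            revealed.replace("\n", "\r\n") + "\r\n",
            revealed.trim()
        };
        for (String v : variants) {
            int idx = COMMITMENTS.indexOf(sha256Hex(v.getBytes(StandardCharsets.UTF_8)));
            if (idx >= 0) {
                return idx;
            }
        }
        return -1;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Constructed placeholder; substitute the description BCNext reveals after the deadline.
        String revealed = "PLACEHOLDER flaw description text";
        int idx = matchingCommitment(revealed);
        System.out.println(idx < 0 ? "no commitment matches" : "matches commitment #" + (idx + 1));
    }
}
```

A match only proves the text was fixed before the hashes were posted, not that the described flaw is real; that part still needs the explanation the first post asks for.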