Bitcoin Forum

Hey guys,


We've had the site in a limited beta with about 20 users for the past week testing basic functionality but now it's time to really try to break things.

EDIT:  Site now has 1000+ users and is trial mode open beta.  To access it, visit https://beta.kraken.com.  Accounts are autofunded with play money.

Bounties are anywhere from 0.05 BTC to 1.00+ BTC depending on the severity of the problem, difficulty level of discovery, thoroughness of reproduction steps.

Higher bounties will be awarded to bugs discovered with the trading engine and problems with security (potentially much higher than 1 BTC).
For reporting these types of problems, I'd appreciate it if you not post them here and PM me instead.

Lower bounties will be awarded to basic UI issues/inconsistencies/inaccuracies, anything that probably isn't impacting the service a lot but should be fixed.
For reporting these types of problems, please post them in this thread along with your BTC deposit address.


To qualify, you must:
1.  Be the first to report the problem.
2.  Be able to reproduce the problem, if even sporadically.
3.  Provide clear instructions for reproducing the problem.  If you can guess what the underlying cause of the problem is, even better.
4.  Provide your bitcoin deposit address for receiving the reward.

Any questions, just ask!

Also, if you're coming from Reddit or HN, you may PM me at u/jespow

Email may be directed to beta-support@<domain>

I clicked 'signup' to try to create a 2nd account to trade with my 1st account, and it took me back to the 1st account.

I created a 2nd account using the same email address as the first one.  It told me it had created the account and would email me a confirmation code, but instead it emailed me an error message:
  "A request was made to register with an e-mail that is already on the Kraken system.  The existing account is dooglus."

It would be better to let me know at sign-up time that the email address I typed was already in use, and that that isn't OK, rather than pretending to accept it.  When I type the email address into the signup box it puts a green checkmark and writes "OK" - but it isn't OK.

I just tried again, this time using a different email address.  Now it tells me "Please choose a different username".

It seems like it did actually create the 2nd account, even though it used a duplicate email address.

* the login screen and the withdraw page both have fields for 'one time password' or some such.  I don't see any way of turning on the two-factor auth.

* I tried changing the settings > account > auto-logout to custom > 241 minutes (max allowed is 240).  I saw a pink rectangle at the top of the screen, but it didn't contain an error message.  It looks like it tried to tell me I picked an incorrect value, but it didn't actually show the message.

This would allow an attacker to determine whether someone with a particular email address had an account with us.  That'd be bad for our users' privacy, and security.



Yeah, even if the new account registration failed because the email was already in use on another account, the username will be reserved for a few minutes as if the registration were pending.  Once the pending registration fails to confirm in time, the username is released.


Ah, sorry.. we're making some changes to two-factor right now.  The feature will probably be back tomorrow.


This is a bug!  Awesome.  You've gotta post your BTC address!

1HPbBjityVPvkcdBnZAjH7npwg4n1Hu75x

I just tried buying 100 BTC for $131ish each on 250x leverage.  It showed 4 open positions for that single order, each at a cost of $775.  When I hit refresh it went up to 18 open orders.

https://i.imgur.com/AFro3ts.png

Why isn't it a single order?

(Note: I know nothing about how trading on margin is meant to work)

We're reworking the Positions page.. right now it's showing you a position for each trade that makes up your order, rather than a consolidated view of the total for that order id.. definitely something we need to work on.  all non-XRP pairs are currently simulated against the mtgox orderbook so there may be some funky things happening, orders slow to fill, etc.  If you want to test orders just internally in the Kraken book, try any of the XRP pairs.

The main front/signup page still has lorem ipsum text on it ... is that considered a bug? :-)

PMing for beta access.

This is especially bad when it comes to closing my position.  I have to close all 24 positions that it created one by one, and each takes 3 clicks.

One of them, when I went to close it, it popped up a message saying it had 'lost connection with server' and that 'service was unavailable at this time' or similar.  When I tried again, it told me there was no such order, so I guess it managed to close it despite the error messages.

Also, you asked me for my Bitcoin address earlier.  I posted it, but haven't seen any transaction to that address.

Not a bug :)


Yeah, the Positions interface is definitely a problem.  It may be that we restarted the service at the same time you clicked the button.  A guy's gotta sleep!

Each time I try to close a position, I get this error message:

https://i.imgur.com/KlJUHVd.png

My internet connection is slow at the moment (I'm uploading a youtube video at the same time).  Could that be the problem, or is the service really disabled at the moment?

If it's an issue with my connection speed, it's misleading to say it's a problem with the service at your end.

Your 404 pages is not always the same.
I'm on google chrome
When i'm logged :
https://beta.kraken.com/u/a
Plus this one has a glitch
http://anonymouse.org/cgi-bin/anon-www.cgi/http://anonymouse.org/cgi-bin/anon-www.cgi/http://anonymouse.org/cgi-bin/anon-www.cgi/http://img20.imageshack.us/img20/3661/capturedecran20130405a1.png

https://beta.kraken.com/a/a
http://anonymouse.org/cgi-bin/anon-www.cgi/http://anonymouse.org/cgi-bin/anon-www.cgi/http://anonymouse.org/cgi-bin/anon-www.cgi/http://img407.imageshack.us/img407/3661/capturedecran20130405a1.png


[EDIT] also i got a bug but i'm not sure it was there before ...
Just when i try to place an order now, the price that is set automatically -when loading the page end- use a coma (,) instead of a dot(.) so i have to correct it manually all the time to place the order.
http://img40.imageshack.us/img40/3661/capturedecran20130405a1.png

feel free to tip :p
1MgiDgvf6LqBRxEghy4NXLFxeiKepbHFqK

By the way i like the clean look of the site and how you just took the right things from mtgox and adding some powerful features very nice job.

Definitely the right answer. Are you sending the request IP with the email?

No:

If it says that, we've disabled the service (probably for an update) or the service crashed.  If you happen to notice that appear immediately after taking some action, and you are able to reproduce it, please let me know.

Thanks for the reports and I'm glad you like it.  Can you tell me what your system language is.. I'm guessing this is the source of the . or , issue.

Correct.  Doing so would create a privacy/security issue on the other side, sending the IP of the new registrant (who might have just made a typo) to the owner of the existing account.

When I go to close a position (by clicking an 'X' icon, which I'm not sure about the design of - that looks like a delete button to me somehow), I get this:

https://i.imgur.com/RGe9aUn.png

The 'sell' in a red rounded box looks like a verb in a button.  I click it, nothing happens.  Then I remember I have to scroll down to see the real buttons.

Gets me every time (and there are a LOT of times!)

Just a small thing, but when I go to close a position, whenever I hover the mouse over any field description, the arrow changes into a pointy finger, as if I'm hovering over a link:

https://i.imgur.com/ebq9w6k.png

Clicking the mouse button does nothing however.  So why does the pointer change to a finger?

I just clicked on the 2nd tab ('market data') and my computer almost ground to a halt.  It has worked for me before, but this time something went wrong:

https://i.imgur.com/ZdjHtPF.png

This is chromium on ubuntu.

I closed the tab and tried again.  This time the same happened, but the 'loading' progress bar froze part-way through.  That might give you a clue about what part of your code is broken I guess?

https://i.imgur.com/pSAXZqR.png

Edit: note that this has only happened since I switched from BTC/USD to BTC/XRP, so maybe that's the problem?

For anything that you can't get to repeat along the lines of the page not loading, it's probably just due to the changes we're constantly making.  If it's a security problem but you can't repeat it, that'd be worth reporting.  If it's not, don't worry about it.  I've tried the btc/usd to btc/xrp switch and haven't had any problems.

I'm in french. and yep here we use coma instead of dots.
Would be nice to allow it instead of blocking coma like every other exchange (even btc-central wich is french and sometimes have the same problem)

Ah ok, you have English (UK) as the language set on the exchange.  I see the problem.  Will be fixed soon.  Thanks!

where is the api description, i'd like to give it a try?

[EDIT] i confirm, if i change the language to english UK, i got the coma instead of dot.

Feedback:

Timezones rather limited. For instance, Amsterdam (UTC+1) is missing, and with +1 it does list Dublin and London both of which use a different time for half the year. I selected Lisbon but I am not sure this is correct. (update: Lisbon is not correct and I needed to select Zurich UTC +2, while in fact we are on UTC+1 with daylight saving time).

I created an account with a PGP public key, so the activation mail I got was encrypted (as it should be). When I decrypted the file it told me the signature was unknown which is of course to be expected because your signature isn’t in my address book. So I browsed the site and found the PGP public key. However navigating to the downloadable .asc file (https://beta.kraken.com/kraken.asc ) yields a 404.

So I used the PGP public key listed on https://beta.kraken.com/pgp , imported it and decrypted the email again. It tells me the key is NOT valid. This is incorrect of course. I retried it several times and it kept coming up with the same result. (to be clear, the message is decrypted correctly, it's just that you signature appears to be invalid).

Now I’ll PM you my username so I can test the actual trading functionality.

Amsterdam is Central Europe Summer Time (CEST) UTC+2 right now, isn't it?  Central Europe Standard Time (CET) would be UTC+1.  CET UTC+1 with DST would be CEST (UTC+2).  We've chosen to use a single city per time zone but, if you think it'd help, we could potentially include a few more major cities per time zone, and/or state the alternative time abbreviation for that region (CEST, CET).  It would be impossible to include all cities.  The Tripoli timezone, while also CEST, UTC+2 right now differs in the time the CET->CEST change occurs so it has its own entry.



Thanks for reporting the .asc.   I'm not sure why you're getting 'the key is NOT valid'.  I haven't had any problems with it and I just tried repeating the process you described, getting a new copy of the key from the site and everything, and it all looks good on my end.  Anyone else having this problem?  Maybe you can PM me and tell me what email client or program is giving you that message.

EDIT:  missing downloadable .asc file fixed.

While waiting for funds to try the trading system, here are some grammatical writing errors:

In the privacy policy, the following statement, the of is extraneous and is very confusing. :
We will collect and use of personal information solely with the objective of fulfilling those purposes specified by us and for other compatible purposes, unless we obtain the consent of the individual concerned or as required by law.

Under your TOS:
•   Website is one word (currently spelled as web site throughout your TOS) (accuracy is more professional imo)
•   Under 1. Terms, the first sentence should be “By accessing this website, you are agreeing to be bound by these Terms and Conditions of Use…” (these is extraneous)
•   Under 4. Limitations, the following phrase:  (including, without limitation, damages for loss of data or profit, or due to business interruption,) should be written as “(including, without limitation, damages for loss of data or profit due to business interruption),
o   This is assuming I understand the purpose of that statement.

In market data, the very top number of the spread graph is slightly cut off by the white border around Spread(BTC/USD)

1) Not receiving Forgot Username reminder email.
2) Not receiving Forgot Password reset email.

Checked spam folder, was not there. Did receive the activation email during signup.
Email Platform: Gmail


P.S: Please trigger a reset password email to me. Thanks.

It sounds like you haven't completed the activation process.

That could be why. But there could be a potential issue.

1) User who forgot their password before they activate are stuck.
Workaround:
When they provide the right username & password combination but wrong confirmation code, have the error message such as
- error message: Invalid username and password combination, click here to reset your password or wait x hours to register again.
- solution: Make it posibble to reset password before activation. Gives clear instruction how to proceed if you do not offer password reset before activation. (i.e, let them know how long to wait before they can register using same email & username)

When they provide invalid or expired confirmation code, have the error message such as
- error message: Invalid activation key or signup has expired. You may register using the same email again.
- solution: Let them know more clearly what can they do in this case. If your database still store their info, offer a link to resend new activation code. If not, let them know they should register again.

In my case, I'm not sure if I have my username/password combination incorrect. I have not activated the account yet and when I tried to sign in, I get the following error:
Invalid activation key or signup has expired.
I don't think the signup expired yet since it's only been a short while. I also got the activation code from email. So, I think I should havve wrong credential info. The system should be clear on this.

Please let me know how can I proceed now. Thanks!

This is a good find.  Thanks for pointing it out, and the proposed solutions.  For the time being, you will need to wait for that activation attempt to expire (8 hours), or create another account with a new email address.

Thanks. I have pm you by bitcoin address, please send the reward there.

I have mess around with a site a little and believe I may have found something and crashed the login module?

To reproduce the bug, using Account 1, under settings, change the email to the email of account 2. Before activating it, cancel the email change using the button provided under the settings page. Then change the email to email of account 2 again.

Bug: You will see that under settings of account 1, the username is blank and the email disappeared too. When I tried to logout, I was unable to. The error message was "Failed to logout".

I tried using another browser to login account 1 and account 2, both are showing:

500

Application Error

An application error has occurred.

So, I believed I may have caused that to happen because I tried it right away.

Proposed solution: I believed that when a user set to change their email and cancel, the system did not actually cancel the request. It just hides the confirmation (count down) dialog box but still wait for 8 hours before it actually expires. So, when user request for another email change, something weird happen.

Let me know if you need more info. Thanks.

Another great find!  Apologies for being out of contact.  I've just made my way to Berlin from San Francisco to take part in the Bitcoin Documentary!

This should be fixed now.  See if you can get it to happen again.  some BTC headed your way right now!  Thanks!

Found another 2 bugs. Had these two bugs before and spent a long time to find out how to reproduce it. Let me know if you need more info. You have my btc address  :)

Bug 1
To reproduce: When you have low in USD fund, buy BTC that is higher than your fund and switch the option to buy at market rate.
Bug: The system will let you proceed anyway and created an order id, however when you check the order, it is cancelled right away. You may check Order OV6OYZ-JSLCK-3DXH6O
Proposed solution: System should not waste the resource to create id if the user clearly does not have fund to complete the order. System can check the current market rate and do a calculation, compare it against user's fund and decide if a new order should be created.

Bug 2
To reproduce: From bug 1, after the system created the ID and a successful green message pop up and disappear. Try to buy btc using market or limit (set your own or auto).
Bug: You will see if you have insufficient fund, the system will show a pink box with no text it there, it is just an empty pink error box. If you navigate to another link, or if you log out and log in again. You will not be able to see the error message. Also, when you try to sell BTC after producing this bug, you will not see a success message, you will just see the pink box.
Proposed solution: Fix bug 1 and go from there. Looks like some id got missing and the message could not be displayed into the correct div.

Two-Factor Authentication has been returned to the Beta under Security Settings.  Please give it a whirl.

P.S.  I'm on my way back to SF from Berlin so I may be offline until Saturday PT.  Bitcoin Documentary is going to be awesome.

Some things to improve:

• Homepage, Line 125, you forgot to close the <div> tag.<div class="key" >Weighted Avg
• You have more than 1 H1 tag. You should change one of them to a lower heading level or put the first one between <hgroup> tags. You've got no H2 headings.
• Sometimes the search engines shows the meta description on the results page. You should change it into another more extense and accurate.
• In the FAQ, you should have a Questions List with links at the top of the section. Now there are a few example questions, but for an extense list it is very important to offer the list at the top.
• You haven't got any favicon.

These things will make you get a higher Google score and will improve the user experience, so they are quite important. There's also some bad HTML use (which I find little important) that you can find in the W3C Validator (http://validator.w3.org/check?uri=http%3A%2F%2Fkraken.com&charset=%28detect+automatically%29&doctype=Inline&group=0). You should also fix them in order to have a fully valid website (http://validator.w3.org/docs/why.html).

Hope it helped.

No problem, hope everything is going fine there. Let me know when you have gone through post #35.

* Found another 2 bugs (related to Two-Factor Authentication).

- Bug 1:
To reproduce - Set a two-factor authentication for login using a password. Log out and try login in without the authentication, you will not be able to login. Now try logging in with the authentication. After logged in, you will see on top right under your username - 1 bad login since... If you click on that, the grey background shows up weirdly, it is overlapping the top menu bar.
To fix it - This is a css issue. The padding you have as
#user-menu .dropdown-toggle {
    padding: 14px 8px;
}
did not account for the extra bad login line so the grey background overlaps the top menu bar. To fix this, simply add a max-height: 38px; or code the background differently.

- Bug 2:
To reproduce -  Setup a  two-factor authentication. Will see an extra space typo in email.
To fix it - fix "You have updated your  two-factor setting on your account.  The IP recorded was " the extra space after "You have updated your" and the space before "The IP recorded. The same goes for "You have updated your  secret two-factor setting", "You have updated your  trade two-factor setting" etc

- What is the difference between a status of "Untouched" and "Open"?  After placing a new order sometimes they would be "Open" status, and sometimes "Untouched".

- Twice I was unable to cancel my orders.  I clicked the "X" on the Orders screen but received an Unknown Order message.  References OHXHYC-7RUCJ-FJ4ILE and OWOO7Y-O5DXH-I6TOYF.

- The "Last Updated:" time at the bottom pane would occasionally default to "4 hours ago".

- You may want to place some limits on the order entry size in BTC.  If the value is too large it overflows your internal storage, which appears to have a max of 92,233,720,368.54775807.  Similarly, USD prices with more than 5 decimal places should not be allowed.  This seems to result in an "Insufficient funds" error message at the moment when entering in very small USD prices, even if the order total is less than my balance.

I placed a sell order for 99.5 BTC, which apparently went through since I only have 0.49751 BTC left (I originally had 100, I think) and lots of USD.

However, the status of the order is "Canceled":

http://f.cl.ly/items/2l0Q2c1L1X3u3x1o2k2K/Screen%20Shot%202013-04-14%20at%205.20.22%20PM.png

This is the only order I've made. My balance afterwards:

http://f.cl.ly/items/0u00403H3a1u0n3r3s0j/Screen%20Shot%202013-04-14%20at%205.21.35%20PM.png

For this your use a professional security auditing firm.

Another bug, this time it's UI one. I have a 13" MacBook Pro laptop, this might not be as confusing on a taller screen.

I sold some bitcoins with a leverage, now I have two positions, the first one of which is:

http://cl.ly/image/1Q3g1A1P352y

Now I scroll down on this page, find "Close Position" section

http://cl.ly/image/1S180L3z2R1v

and I am greeted with a blank screen

http://cl.ly/image/0v1p2U0K2y13

After a while, I realize it's the right screen (and works ok), only it's scrolled way down.

On "Overview" page, the rate of my BTC balance is $0.0000 - what does that mean?

http://cl.ly/image/311C083x371C

I created a market order for buying 1 BTC with 250:1 leverage. I canceled after a few minutes, and now it's been stuck in "Cancel Pending" for several minutes.

https://i.imgur.com/Vc5fE24.png

When trying to buy a really small amount of BTC, it gives the error message "1: Amount too low". I suspect the '1:' is some sort of error code? Perhaps it's more useful to mention the minimal amount in the error message.

EDIT: Found a more serious one now.

I set a buy order at a ridiculously large amount of a million BTC for market price, at 1:250 leverage. I had $14k in my balance. Then something weird happened: the order got executed for 250.82679898 BTC (worth exactly $25k), but my balance remained untouched. Then the order was canceled automatically (and it is now listed as 'canceled' in my 'Closed orders' list) because the 'Margin allowance exceeded'. Not everything was unchanged, though: my fee-progress-bar jumped straight through four levels, to the point where it's now nearly at 0.36%. Being able to use this in a controlled fashion would make it a very viable attack to get into cheaper fee regions :P

I have thus been unable to reproduce it, but I'll keep trying. Perhaps you can see more info on the back end. It's trade order OYHWZH-PXEQY-PWFHKU.

Bug signing up.  I accidentally entered my password as the user name, now it will not let me enter that password. even after I changed the user name.

Are Ripple meant to be something that we can trade?  Also, I notice that unlike gox you can only put in as many orders as you actually have funds, is this intended behavior?  On Gox if it eats through all your bitcoin or dollars it cancels any remaining trades.

I figured out how to trade ripple, but it won't let me do so.  it always says the estimated cost is 0.  It will let me buy ripple with dollars, but not dollars with ripple.

Yeah, it would be good to actually tell you what that too low threshold is.  For BTC/USD it's an amount that would be worth less than $0.01 USD.

It looks like what happened with your 1:250 leverage order is that you hit the $25k per user cap on margin.  So, the remainder of your order got canceled after you ran out of margin and it filled $25k worth, which you should now have an open position for.  My guess is your fees were already < 0.4% when you made the order.  The margin cap per user isn't displayed anywhere so you couldn't have known and that's something we need to fix.  Thanks for the report!



I'm not sure I understand you.  We don't allow you to change usernames, and we don't allow you to have your username as part of your password.  Can you clarify?

Yes, you should be able to trade XRP but the market is probably pretty shallow or nonexistent so you may want to check the order book.

Yes, setting a limit order will reserve that currency so you'll be unable to set up orders for more than you have.  You can, however, use the stop orders and conditional close to somewhat bypass those restrictions.

I mean that when i filled in the signup form I accidentally put my password in the username field.  When i fixed it and took it out it would not let me use that password as my password, still giving an error that username and password were the same.

good find.  post your btc address for a bounty.

btw, if there is anyone else who I missed the bounty for previously, please let me know.

Alright i want to tell you about some security problems.



1 . There is a a small problem in your Two-Factor Authentication system which can be big loophole.


Let's say I am using "Password" Method for login,deposit and withdrawl.

If someone got my account's password, he can change Two-Factor Authentication password or disable it easily and withdraw all my BTC . I will get a notification mail but it will be too late, i can not get my Bitcoins back.

So better method is, if someone, even account owner tries to change or update Two-Factor authentication, He should get a verification mail first (Same as registration mail).

Same problem is with Master Key.

2. Site should block account after x invalid login and there should be a ip check feature.If someone from another ip range tries to do login, it should send a mail. I know it shows a session hijack error on site but you should know who tried to access it (IP adddress)

3. Password reset mails,I tried it once, got a "reset expired" error and after that i tried 4 times, but never got a single mail. (I am using Gmail)  (Username on kraken.com = escrowms)

Problems, from least to most significant:

(address: 1MLZrr1oFahTgw73AjiLTMPEdkzUCGhci6)

Cosmetic

• When one is out of money, the money label shows a negative sign briefly before the first AJAX call changes it to a regular 0. See screenshot:
  https://i.imgur.com/TVLOBYu.png
• In margin description (available margin = equity − active margin), a '-' (hyphen) is used to represent subtraction. A minus sign ('−') is better because it is longer and more clearly subtraction.
• A positive or negative number in the basic screen could be confusing. With a plus or minus sign, the order is treated as a relative order. However, the description still reads "+XXX". This would be better if it were "market+XXX".

Odd behaviour

• The "Scheduled Start" is allowed to be before the current time, but not before the current date. This should be rejected to reduce confusion.

Incorrect behaviour

• Decimal periods are not supported in the basic order page in UK English. See screenshot:
  https://i.imgur.com/lsbasAM.png
  Note that UK English uses the period, not the comma, as the decimal point. See: https://en.wikipedia.org/wiki/Decimal_point#Countries_using_Arabic_numerals_with_decimal_point
• If "rate" is supposed to mean the current price, it's not working. Bitcoin's rate is $0.00000 for some reason.
  https://i.imgur.com/1UtEsbL.png

1A7d7Lifp9oFkek8YQtLySnoY7LWhagibx

I am on Safari 6.0.5 on OS X 10.8.4. On an open position, when I go to set up the closing order the form gets periodically reset whenever the ajax updates. This doesn't seem to affect the new order form. It can be replicated by pressing the blue refresh button after changing any of the options in the close position form.

https://i.imgur.com/lQqLC2e.png
https://i.imgur.com/T0aGjm7.png
https://i.imgur.com/IYYlZ4K.png

Thanks for the input everyone - we haven't forgotten about you. I'll be addressing the stuff that's been added since May 5th, and for anyone that hasn't received their promised bounty yet please let me know.

I work for Payward (kraken.com), as vouched for by btcx here:

https://bitcointalk.org/index.php?topic=192104.0

If you have two-factor enabled with the "Password" option you only get a static second passcode, so if someone gets your login info including the static code, yeah, they can login and wreak havoc. This is why you should use Google Authenticator or Yubikey for a dynamic passcode. Eventually we'll be adding a feature where you can lock your account so that two-factor settings can't be changed without requesting an unlock that would take some time to complete. In the meantime you'll get an email so you'd have a warning in case you didn't initiate the unlock request.  


Giving you the IP address for a potential hijack isn't done for privacy concerns, but we'll consider it.


You should have gotten the emails. I'll have to check on this. Since you just have a beta account, it doesn't really matter, but for future reference, it would be better to give your public account ID (listed under "Settings") rather than your username.

Thanks escrow - please post your address for the bounty. Edit: We'll send to your tip jar.

dree, could you elaborate on this one - I'm not following. Not sure what you mean by the "basic screen."

Nice catch nitrous - I'll arrange to have a bounty sent your way.

Not able to reproduce this one, but it may have been fixed since you found it.
I get the same symbol for hyphen and minus sign in a variety of editors.
Good catch. Not sure that one will be high priority though.
Looks like this has been fixed.
Yes, I noticed this too a while back. Good catch.

Thanks dree, will send a bounty your way, but would appreciate clarification on the one I asked you about.

I'm not sure if I'm missing something. I assumed I was selling 5million XRP (which I didn't have) for 602BTC, but I ended up with no BTC and a lot more XRP.

Here's the before and after.

http://i42.tinypic.com/2yn1evt.png

When creating a new order and filling out the "amount" and "price" fields, submitting a character (such as "e") yields the appropriate warning "Amount must be a numeric value" or "Price must be a numeric value". Entering a "0" in either field also gives the proper error of "1: Invalid amount" or "1: Invalid price".

The problem arises when an invalid number is followed by a non-numeric value. Enter "e", click buy and the numeric value error will appear, then enter "0" and click buy, the previous error is replaced with the invalid amount error, as it should. If you follow the same process and enter an invalid number first, then a character, both errors are given but the invalid number error should no longer be there.

https://i.imgur.com/T4fRYNP.png

When both the price and amount are invalid numbers, only "1: Invalid price" is given, but both "1: Invalid price" and "1: Invalid amount" should be shown.

https://i.imgur.com/Nq9rH9f.png

If you feel this is reward worthy: 16cuSLuR3qfK4d3hkbvHzBfadJLEEgZvAJ

This isn't exactly a bug. You did in fact sell BTC for XRP. What you did was submit an order to sell 5,000,000 (!) BTC for XRP. If you submit an order to sell more of a currency than you have, the system gives you a partial fill by selling what you've got. So the order sold all your Bitcoins for XRP.

If you want to sell XRP for BTC, what you want to do is buy BTC when you have the BTC/XRP pair selected. The order button should then say "Buy BTC with XRP," and when you click that, you will get the confirmation screen which will say that you are buying BTCXRP, meaning that you are buying BTC with XRP (equivalent to selling XRP for BTC). It's a bit confusing, since we don't have an XRP/BTC pair you actually have to buy BTC/XRP in order to sell XRP. Got it?

Even though this isn't exactly a bug, I am going to submit a ticket because I'm not sure why the confirmation screen has '(XRP)' in front of 'BTCXRP'. That makes things more confusing. Also, I'm wondering if perhaps we should have some kind of check in place if someone tries to sell more of a currency than they have, especially in your case where you had 110 BTC and tried to sell 5 million BTC. At the very least I think it calls for some kind of clarification in the FAQ/Trading Guide. I'll see about a bounty and let you know, but I'll need your address to send. (Edit: nevermind I see you have it posted) Thanks raze!

Edit: Actually, the above isn't quite correct. What you did was sell BTC for XRP, but you specified the volume in XRP. So, you created an order to sell 5 million XRP worth of BTC in exchange for XRP. That's how the '(XRP)' got there - it's the (non-default) volume currency. The thing to remember is that the "Amount" field specifies the volume and the currency in which the volume is measured, but it doesn't determine what you are buying or selling - the selected currency pair determines this.   

Looks worthy of a small reward for a small issue. Thanks austin.

I can get ridiculous orders by enabling the "disabled" usd field ( 4 USD = 400btc), but the order fails if tried to place.
http://img.adamncasey.co.uk/i/170/d/o

When creating an account, the username says "OK" even if it isn't:
http://grab.by/nmmk
http://grab.by/nmmm

On "Withdraw" page, there is an error in your code:
"Cannot call method 'replace' of undefined"
Located at this line:
                    var a = typeof (b.showtab) == "string" ? b.showtab : xchg.util.hashnav.getParam(b.param), e = h.find("li.active a").attr("href").replace(/^#+/, ""), g = true, c = false, f;

Edit: Looks like this is on every page?

Not a bug, but you could probably improve the site by removing unused CSS rules.

See http://grab.by/nmmK

I disabled and enabled JS, but the site still says it's disabled.  See: http://grab.by/nmmU and http://grab.by/nmn0

EDIT: Only when inspect element open.

After above bug, CAPTCHA does not show.  See http://grab.by/nmn8.

Thanks Dargo, bounty received. :)

Can you explain how this is a bug? I'm not seeing it.

This isn't a bug. The check of the username on the signup page is just checking formal validity - i.e. at least 5 characters. It doesn't check whether the username is already taken. So the username can be deemed OK initially but later rejected.

Yes, but reloading makes this goes away. So not seeing a bug here. Reviewing the code/css points - will get back to you on these later.

This is just happening on the deposit & withdraw pages since they are disabled right now. It will change once they are enabled. But the error should only be on these two pages, so if you can show other pages with the error, this might be an issue.

The css thing isn't really an issue - since it's a large site, not every page is going to use 100% of the defined css styles (though eventually the css style sheet rules could be trimmed down a bit).

This is a bad policy IMO - invalid orders shouldn't ever make it to the matching engine. Allowing this will increase the likelihood of support requests due to misunderstanding on the part of the user.

On the order details page, you see this text:


This might be confusing, as the order is actually buying at 210! Instead, the text could be changed to:


This makes it clear that the 105.20508 is relative and not absolute.

I want to check with the devs on this, but I see your point. More tickets isn't so bad in itself, what concerns me more is the increased likelihood of ordering mistakes. If I have 10 BTC but create an order to sell 500K BTC, most likely I'm confused and creating an order that will do something I don't intend (I probably don't want to sell my 10 BTC).

Thanks for the clarification dree, I get it now. I don't think it should be "market + xxx.xx" because this isn't a market order. It's a limit order and that's why it says limit. But "limit +105" might be taken as a limit order at 105, so something more clear would be an improvement.

Yeah, I think most of the confusion stems from the value pairs combined with the ordering page. It wasn't made clear to me that I was selling BTC, which would probably make a customer using real funds a little unhappy. This should definitely be made clearer somewhere on the order page, or at least the confirmation page.

P.S I'll happily accept a tip if you decide to change it ;)

raze - you should be getting a bounty soon since your confusion about ordering showed how the order form is confusing in a sense. I take it you were looking at this

https://i.imgur.com/fbeEyal.png

and naturally thought that you were creating an order to sell 5 million XRP. After all, you were looking at something that essentially seemed to be saying "sell 5 million XRP." There was also a little message below this saying "Amount of XRP to receive." And a big red button saying "sell BTC for XRP," but still that part of the screen in the shot is misleading. I'm pushing to get this changed, but don't know when it might be. At the very least, though, I will be adding content to the FAQ/Trading Guide to address this potential confusion.

To address monsterer's point, there is a reason why orders to sell more of a currency than you have (or buy more than you can afford) make it to the matching engine. The reason is that an account may have orders executing in the background and if so there is no way to know how much of a currency is there up until the moment the order executes. So the system lets the order through and resizes to whatever you can afford. For someone who doesn't trade actively and is just doing simple order types, it would be easier to know how much currency is available. But to allow for more active traders/advanced order types this isn't easy. Again, I should probably add something to the site content to make this aspect of ordering clear. 

Hi, can you please send my bounty reward to my btc address?  :)
I only received my first reward on #29 and #31
I have posted several other bugs report at #33 #35 #38 and btcx acknowledge the find on #34 but he went to bitcoin meeting and was out of contact since.

Dargo, I see that you are in charge of this now, should I send you my btc address or you guys have it on file? Thank you.

From the thread it looks to me like btcx probably sent a single bounty for 29, 31, 33. But there's no response for 35 and 38, so I'll need to look into those. btcx probably has your address on file, but go ahead and PM it to me. Thanks for you help coinator!

Thanks for your prompt response. I'm quite positive that the one bounty I received was for #29 and followed up on #31. The reason why I remembered this is because it was one of the first few BTC I received, thanks for that! Then, I spent more time debugging the site and posted more bug report. Btcx was busy since and I did not hear back from him. Now that I know the site is still in progress, I will try and report more bugs.

Since those bugs posted was found quite some time ago, I'm not sure if it has been fixed already but I'm sure I have tried many times to find and was able to reproduce the bug that time.

I have just pm you my btc address, you may send my bounty there, thanks again.

Middle-clicking links doesn't do anything in Firefox 21.0 on Windows 8, it should open them in a new tab. Only right click -> "Open Link in New Tab" works.

14eazyBQToTfAcZsYLNcofyDMjVKjtVykh

Maybe I'm misunderstanding you here coinator, but if you create an order which you don't have the funds to complete, the system does let you proceed and will give you a partial fill for what you do have the funds for. The remaining partially completed order will be cancelled. If this is what you are talking about, it isn't a bug. If it isn't what you are talking about, please clarify.

These are pretty minor of course, but I was able to reproduce them, so I'll tell btcx to send a small bounty your way.

One bug I know of so far, is when choosing language options, English US and UK have NO difference.
Might want to remove it completely, since they are virtually the same exact thing.
EDIT:
Bug#2 in the email you receive when joining, it should be " The Kraken Team" not "The Kraken team" it looks doesn't look official when doing a deep search.
EDIT2:

Semi major one pretty much when you go to fill out a support ticket, you can upload ANY size file. I've seen this to lag websites, or even upload shells into the site.
Maybe set a limit, to 100MB and no .exe, those are just examples.
Anyways, to replicate it just go to fill a request, and you can upload ANY file.
Imagine if a 100GB file was uploading just to overdraft your hosting, or lag your website.
Also just realized that in your reply to the request you can also upload files, so try to make it a universal limit.


EDIT3(there could be a lot lol):
When receiving the request email, that pretty much confirms It you get this
"##- Please type your reply above this line -##"
That could be for you guys to fill out, but it definitely shouldn't be in the email.
Found it here: https://support.zendesk.com/entries/20378368-Customizing-your-email-templates

EDIT4:
When going to look at the ticket it just says
"Kraken User
Jun 15 02:46"
It should say your username, and it should sync with your time you selected when creating an account.
Such example of the time, is when I submitted it said 02:46
but, going back to my current set time it says 1:58, which isn't even close.

EDIT5:
http://puu.sh/3fSTG.png All the tabs except Requests by Kraken User just seem like default things you aren't going to be using.
I suggest cleaning those out unless you will use them.

EDIT6:
There should be a way to change your email, this is needed so if you need to change your email because you're making a new one, or even if the email got hacked, to be more secure.

EDIT7:
When going to request a password reset, if you just click the button without doing filling in anything, or even filling in the username field it just refreshes the page, and doesn't give any error. It should give a bug, like "Invalid email" etc.

EDIT8:
When receiving emails I notice to always get this weird file, called "signature.asp"
When opening it I get http://puu.sh/3fT7a.png which has no meaning, and could confuse some people, Googling it didn't help and the only thing I could think this relate to is http://puu.sh/3fT9N.png
1PdrhY7ngQnA7rZwtXFzC3rzS44FMk8mNy

I think I got the bounty yesterday, I don't know who else would've sent it. If so, thanks for your generosity :)

Yeah it was from us - thank *you* - the issue you raised was very helpful.  :)

Thanks, this all looks like stuff we want to change.


You can change your email under Account > Settings


I can't reproduce this - I get "Failed to update password" as the error message.


This is our PGP key, but maybe this needs explanation somewhere in the site content.

Thanks sbregar, bounty on the way.

Thanks man, I'll be sure to look for more bugs.

Also, with EDIT7 when you couldn't reproduce the issue, this is what I meant.
http://puu.sh/3gtKW.png

If I just filled that out, it didn't give me an error for no email entered, it just refreshed the page and gave me that.

EDIT1:
When going under the about section on the main website, "Payward Inc., Press, and Jobs" are all empty. Not sure if intentional or accidental.

EDIT2:
When going to Bug Bounty at the bottom of the page, it's empty. Should give an explanation of the current bounty.
https://beta.kraken.com/security/bug-bounty

EDIT3:
When going to deposit, or withdrawl it doesn't display the current time. I know they are disabled, but this could pose a issue later on.
http://puu.sh/3gugt.png

EDIT4:
When I changed my time to EST, it just gave me the hour, http://puu.sh/3gun1.png
Americans use AM and PM feature, and it should auto-configure to that, if you would change.

Just a suggestion here.
Perhaps put the margin balance and current P/L somewhere near the balance box at the top. This will make for quick reference without changing tabs.

What is the margin requirement?
At 10:1 and a starting balance of $5000, the margin balance should be $50,000. With a $100/BTC price tag, if I try to short 300BTC which would be $30,000 +fees, I get an "Insufficient margin balance" error.

The auto refresh is cool and all, but in the middle of filling out the order form it will just go back to the default and potentially cause orders to execute in an unexpected way.

What happened was, I set a limit sell to close a position. Set the price and volume, and clicked on the review button. It defaulted back as I hit the review order button. If you are quick to click the accept button on the review page, you wouldn't realize that you were about to sell at market and lose profits or even net a loss. That is a big deal when you are trying to get a good price during quick moves

Hey, I didn't get my first bounty yet, be sure to check out my 2nd post of bugs also. :D

I see now.


All this is intentional, so not a bug.


I think we are going to stick with military time, so those who love the am/pm thing are going to be a bit disappointed.

We don't want things to get too crowded up there, but I agree some important numbers like P/L would be nice.


I'll have to check on this.

Can you clarify exactly which order form is refreshing automatically? I haven't run across this.

Don't worry, you'll get it.   :P

I clicked on the 'X' button of an open margin position to close it. It opens up an order form to fill out the volume, order type, price... It was the order type that reverted from limit to market, just as, or right before  I clicked the review button. I didn't see it change, just that it was a market order on the review screen, and I had set it for limit with a price of $104.

BTCX/Dargo:

http://i41.tinypic.com/6ymptd.png

I have a password set for trading and 2-factor for login.   I tried with both trading password and login 2-factor password.

I get this error message no matter what trade I do from the advanced screen. 

Tried with and without margin, and with and without condition set.  I also tested with 1 USD order, so this is not dependent on my order size.

Site is looking good, hope this helps.

I'm told we don't have an "Insufficient margin balance" error, at least not in that exact language. But the individual margin allowance is currently set at $25K USD, so the order exceeded that.

You only have the problem with the advanced screen and not with basic or intermediate?

Yes, I'm not sure what it said exactly, but that makes sense. I was trying for ~30k. Thanks for the reply! Now I know for future reference. :)

This is a different instance.
I shorted 100 BTC at $104. Set a Limit close for $60, and it closed at $108.xx with a market order
http://img842.imageshack.us/img842/2367/by8.png (http://imageshack.us/photo/my-images/842/by8.png/)

Trying to do the tournament but site is kinda broken.  Orders aren't showing in order book, recent trades aren't showing etc.

Yeah, the market data page has some issues. The devs are aware of this, but I'll check in and see how the fix is progressing.

This is a minor bug, so it's not very important, but I'll report anyway.  :)  When I try to change the auto logout time, it does not allow me to put in "2.5" or "234.5" because it always defers to an integer.  What if I wanted to logout in 2 and a half minutes!

If this does help, please send some BTC here: 1Ln598SeQcMob6Gxo3RqQrgCA4ADL81Nem
 :)

Only happens in Advance screen.  I've narrowed it down to the Conditional Close section of the Advanced interface.  If I set 'Order Type' to 'Market' or I also tried 'Limit' and 'Price' to '=', '5', 'USD'.

If I have 'Order Type' in the 'Conditional Close' section set to anything but 'None' I get 'Permission Denied' when I try to put in the order.  I don't think it has to do with my 2-factor code; more likely a bug deeper in the system that is triggering a generic error.

Thanks for the clarification but I still can't reproduce this. If you have any ideas on why it's happening for you, let me know.

I'm getting the same issue, so this definitely looks like a bug. Are you using a static passcode or a dynamic passcode from google authenitcator or yubikey? Either way, good find and bounty will be sent.

I think this is intentional, but if you can give a good reason why someone would need to set auto logout more precisely (rather than merely want to for the heck of it), let me know.

Paul - please post your address for the bounty. Thanks.

I submitted a bug via email.  Do i get a bounty?  ;D 1Q7M7CFk2VDa7DdbSh4A62p9fxeEPkoqPS

https://i.imgur.com/isacbQL.png

Pointing out a bug elsewhere doesn't disqualify you for a bounty here. But I'm not yet seeing what the bug is. It looks like you hit the rate limit, but that's intentional, not a bug. How many positions did you close?

Hi Dargo,
I tried logging into Kraken using an ipad.  The website is chaos under the iPad safari interface.  For instance … all of the order screens (simple, intermediate, advanced) appear on the same screen and it doesn’t show any of the completed orders like the website does when your in the regular PC version.  

The website appears the same under android as it does on the PC.

http://imageshack.us/a/img153/2922/o4mm.jpg



/cet

Thanks cet - Do you have javascript enabled on your ipad? It needs to be enabled for our site. There's a button to toggle it on and off in settings. Two other things that need to be enabled are cookies and the referer header. Usually all these are enabled by default, but javascript may not be on the ipad, so that's the most likely settings issue (for the other two, I wouldn't worry about them unless you disabled them). If you don't think it's a settings issue, let me know.

Brian

Thanks cet - Do you have javascript enabled on your ipad? It needs to be enabled for our site. There's a button to toggle it on and off in settings. Two other things that need to be enabled are cookies and the referer header. Usually all these are enabled by default, but javascript may not be on the ipad, so that's the most likely settings issue (for the other two, I wouldn't worry about them unless you disabled them). If you don't think it's a settings issue, let me know.

Brian
[/quote]

I do have javascript enabled.  CNN site displays fine.  I turned on debugging mode and checked the kraken site again - it shows a stack of jabascript erros 'refused to load style from ...  because of content-security-policy.

[ http://imageshack.us/a/img543/1326/djd9.jpg (http://imageshack.us/a/img543/1326/djd9.jpg)

/cet

OK - I created a ticket so we'll see what the devs have to say about it. There's a small chance it might not qualify for bounty (say if it's a known issue with ipad), but most likely it will, so post/pm your wallet address anyway.

I think there was an earlier post related to style sheets and I figure this is the impact so I'm not expecting anything.  Any BTC sent will end up finding it's way into an account on Kraken when you open.

BTC address:  1JNAd4gv7Fw6ywBWdjyNwuUgFxrDeymb9b

/cet

cet,

Do you have Safari 5 by any chance? If so, it has buggy support for CSP headers. That's the theory on our end about the issue. We've added a check for Safari 5 so CSP headers won't be output in that case. Next time we update the beta site this should be fixed. I'm arranging to have a bounty sent your way. 

 It appears that I'm running mobile safari 5.1 for iOS 5.1, javascript enabled, java 5 installed.  At least, that's what external websites are reporting, I don't seem to be able to find an about page on safari itself.

/cet

This seems wrong... there is no java on iOS

We're talking about java script, not java - two different things.

I agree, but look at what he posted:

the only way that I can find to get version number of safari is to visit a website and see what it reports.  That site reported indicated java 5 was installed.  Inside the settings I can verify that javascript is turned on, but I can't find a version number on either safari or javascript.

/cet

Thanks cet - I think we solved your issue. We were able to test the fix out on ios safari 5. But the beta site will have to be updated before you can try it out on your ipad. I'll let you know when the next update happens. Also, let me know if you don't get your bounty.

Brian

Been playing with the tool and cannot wait for it to go live!

Looks like the x-axis of the chart at the top of the page doesn't honor my time zone settings. My time zone is -07:00. In this screenshot, you can see I'm hovering over 07-18-13 00:00:00 -07:00, but the label on the x-axis under my cursor indicates Jul 18 7 AM, not midnight.

https://i.imgur.com/M1blvQ7.png

I have had some problems with the "Session Hijacked" error message popping up unexpectedly:

https://i.imgur.com/ePDV3pD.png

It seems to be more of a problem logging in at work, it could be an anomaly with my office internet. I'm pretty certain that my public ip address is not changing in the middle of my session. In fact, sometimes I get the error immediately after logging in, sometimes twice in a row. (And the monster image isn't changing when that happens.) It's hard for me to get reproducible steps, I know this isn't a good bug report. It seems to just lock me out randomly when I'm doing normal things on the site. Has this happened to anyone else?

chasetopher - Yeah, we can't wait either. Nice catch! Post/pm your address so we can send a bounty.

Strange...I'll run this by the devs and see if they have any ideas. As you say, it could be an issue with your office internet.

Not sure if this has been pointed out yet, but usernames 16 chars or more cause a little visual bug:

https://i.imgur.com/AHOVRoG.png

Thanks - this is pretty minor of course, but I see the issue. Another small bounty on it's way!

Bounty has arrived.

I also checked the beta site on ipad and the issue has been resolved.

/cet

Great - thanks for letting us know.

Acc ID AA83 N84G 0MBJ 3SDQ

May be a bug:

I had an order filled on the purchase of some bitcoins and part of the order was left open unfulfilled and labelled 'partial'.

The Bitcoins that were bought were sold shortly after and a new order was placed to buy at a lower price.
Any attempt to buy brought a message of 'insufficient funds' even though the total amount needed was well under my total $ balance.

I had to cancel the outstanding partial order and then I was able to successfully place another order.

If you are still giving bounty my address is 1Ea6cXD13LcK78WvPwHzJ5RocwSoBKps8L

Cheers

P

My withdrawal limit has become negative:
https://i.imgur.com/xCLStsQ.png

I don't know what caused this. The last time I checked it, there were no anomalies. I made some trades and deposited some Bitcoins and logged back in 2 days later to make the withdrawal.

Public account ID: AA98 N84G D6HC 43SI

Could we get some clarification on the error message 'EGeneral:Permission denied' when attempting to place an API buy or sell order. We have all permissions set correctly for this operation on the API key, yet find some accounts will allow trading and some receive this error message with the same API key permissions.

We found this message on cryptotrader.com from kraken support regarding this topic but it does not exactly answer our question.

link to reference below:  https://cryptotrader.org/topics/199880/kraken-released

"What is interesting about this "Permission denied" issue is that it only affects users from German who are running bots that use Market Order functionality. Below is a response from Kraken support regarding this issue received by one of our users:

Hello,

Germany has regulations dictating that users must have known prices, this means that for German users at this point we cannot offer trade orders where the user isn't specifying the price. We can offer the other order types eventually, but we need special licensing for it in Germany.

I don't have a ETA today on when we will be able to offer our full services in Germany, it's the only exception in EU.
I'm going to pass your feedback to our development team. I invite you to discuss our services here: https://bitcointalk....pic=290799.1720, you will find a lot of information in this thread.

I'm sorry for the inconvenience caused by our restrictions for your country. I hope you enjoy trading on Kraken even though it's restricted at this point.

Best,

Jordan
Kraken Support"


So we are not German IP or users, and run limit orders for our api orders, what am i missing here for the error?

Thanks-

Coinado Team

Reading through the older posts i see this issue may have been mentioned though not via API, let me know if this is a know issue already.

very difficult to work with kraken presently...in recent time orders are rejected most often, and today with the btc problem you get an error 520 and are unable to connect...

What is this?

Hi Supriatna,

You have Sent 210,000 Ether FROM the address 0xe853c56864a2ebe4576a807d26fdc4a0ada51919

The Ether(s) was sent TO the address 0x267be1c1d684f78cb4f6a176c4911b741e4ffdc0

This transaction was processed at block index 4830407 on 2017-12-31 14:37:15 (UTC)

Please see https://etherscan.io/address/0xe853c56864a2ebe4576a807d26fdc4a0ada51919 for additional information.


Best Regards,

-Team Etherscan

Hi Guys. You're posting in one of our very very old (2013) bug bounty threads. This thread is no longer actively monitored by Kraken. If you need any assistance please either open a ticket (https://support.kraken.com/hc/en-us/requests/new) and/or visit our Bitcointalk thread (https://bitcointalk.org/index.php?topic=290799.0).

---

Kraken had a major trading engine upgrade (https://blog.kraken.com/post/1449/kraken-returns-with-free-trading/) in early January. Connectivity is much better and trading has been running very smoothly ever since. If you haven't tried Kraken in a while please drop by! Also, check out our new trading interface at trade.kraken.com (http://trade.kraken.com).