Bitcoin Forum

Any recommendations/bug reports are still appreciated, but you will not receive any monetary reward for them

UPDATE - 2012/07/08 - liquidity providers now receive 0.55% rebate, liquidity takers pay 0.60% fee

UPDATE - 2012/05/25 - liquidity providers now receive 0.10% rebate, liquidity takers pay 0.60% fee

UPDATE
The testnet version of the site is now available for testing: https://test.bitme.com

BTC for Bugs
For the next couple weeks I will be rewarding people for trying out the testnet version of the site and to find bugs.
I will give 5 BTC for trivial, 10 BTC for minor, 20+ BTC for major bugs to the first to discover and/or describe it best for reproducibility.

Bugs Found - 127 BTC paid out

• trivial - poor alignment in bid/ask radio selection in Chrome - thanks splatster
• trivial - "commodity" typo in terms of use - thanks splatster
• trivial - unnecessary margin on order cancel button (actually is on the form element) - thanks splatster
• minor - buggy behavior when clicking "New" multiple times for an order - thanks bencoder
• trivial - clicking "Terms of Use" link on join page causes user to lose entered data - thanks bencoder
• major - even after logging out, back button of browser still shows you previous HTTPS page. - thanks flatfly
• trivial - lots of feedback on important details, user experience - thanks Sukrim
• minor - login may fail with general error message under some conditions - thanks flatfly
• trivial - prevent form double submission - thanks flatfly
• trivial - no background on password strength bar in IE - thanks flatfly
• trivial - orderbook spamming, bid/ask precision grouping - thanks bencoder
• trivial - layout issues in IE (specifically in IE8) - thanks raitoninglass
• major - easily exploitable DoS atttack vector due to JS minification/building - thanks flatfly - 20 BTC owed
• trivial - typo in terms of use, should be "...make use of personal information..." - thanks flatfly
• major - partially-executed orders are not reflected properly in orderbook - thanks EskimoBob - 20 BTC owed

Known issues

• Overlapping elements on mobile/small screens
• some functionality broken without javascript enabled
• The 'Place Order' blue button is overlapping on the next column
• Not supporting older than IE8
• Placing an order broken in IE
• Favicon 404s on testnet
• CSRF token doesn't update on order failure

==================================



tldr;
* I made an exchange called BitMe, it will launch on testnet only either this Sunday night or Monday
* I will be rewarding people to try it out and to find bugs

I will update this original post once the testnet is live.

In the works for approximately 8 months or so, through at least 2 different iterations, I am finally ready to launch the testnet version of my new exchange, BitMe. BitMe aims to be a secure and simple alternative platform that takes a forex-style approach to trading, using a base currency and counter currency, although a trading commission is taken from the receiving currency upon order execution.

For the purposes of the testnet launch a 0.50% fee will be charged for all order executions. Although this will change once launched to the realnet to reward liquidity providers.

For the next couple weeks I will be rewarding people for trying out the testnet version of the site and to find bugs.
I will give 5 BTC for trivial, 10 BTC for minor, 20+ BTC for major bugs to the first to discover and/or describe it best for reproducibility.
At my own discretion I will decide the category the bug falls into.

Known issues that I'm not interested in:
* Overlapping elements on mobile/small screens

Initially only BTC/USD will be available for buying and selling. Sorry, I don't have any plans to add any others anytime soon.

I welcome anyone who is interested to idle on #bitme on FreeNode.

~Sean Lavine (freewil)

That's a competitive market you're entering. Why would anyone use your exchange over the competition ?

Well let me address security first. While I make no guarantees about the security or safety of the software, I have completely decoupled bitcoind from the exchange itself.

• The actual bitcoins and bitcoind will not be hosted in the cloud at all
• I have made a custom daemon that acts as an intermediary between the exchange itself and bitcoind. It works as a queue processing deposits and withdraws. This allows me to add some safety triggers and it can be shutdown alltogether on certain measures like when an alert is sent out (seen by getinfo.errors). Or large transactions are seen.
  

Also, I think my exchange will be easier and simpler for people to use.

No offence, but I don't see people flocking to your exchange because of "superior security". Even if the setup sounds nifty, it is closed source and we have to trust you.

What about fees, payment methods, etc?

Most of this is yet to be determined. For the initial testnet launch all trades will be subject to a 0.50% commission on the receiving currency upon execution. This will be changed for the realnet launch to reward liquidity providers.

As far as withdraws, Dwolla will be the preferred method.

For deposits, I am currently looking into various options including MoneyPak and bank wire.

+1

Just don't allow DEPOSITS via Dwolla.  Or you will be doomed.

The testnet version of the site is now available for testing: https://test.bitme.com

Graphics get kinda screwy on an iPhone in portrait mode... with the BitMe logo getting cut off!
Also, the tables in Deposits and suchlike are not aligned right...

Here is a pic: http://db.tt/ixnDKx5T (http://db.tt/ixnDKx5T)

If this earned me some BTC... ;)
BTC address in the sig ;)

Sorry, I've already mentioned in the original post that mobile rendering is a known issue and is not currently of concern.

I've updated the original post to make this more clear (added to the top)

Ok what about the notice with USD saying:
The maximum amount is 500.0
Shouldnt that be:
The maximum amount is 500.00USD?
One decimal place seems wierd :\

boy, this is some real low-hanging fruit here - especially since this is a feature only specific to testnet. Ill send you 2 BTC for this.

Attack surface is pretty low. I can't find anything obvious through fudging with form parameters but I'll keep looking when I have time.

Couple of trivial/minor things:

You can click new multiple times and it makes many rows of the new order form. I thought this was so you could create multiple orders at the same time which I thought was a good feature - However, you can only select one of the radio buttons across the whole set so this looks like a bug. (pic: http://i50.tinypic.com/34so4du.png)
IMO, If you do make this feature there should be a button at the bottom so you can place all the orders at the same time rather than having to click the place order button on each individual row.

Very trivial thing, don't know if it's an actual issue or a conscious decision:
on Signup, the terms and condition link changes the page rather than opens in a popup so I lost the password I had entered when I hit back.
Normally I middle click those links to open them in a new tab but sometimes they are javascript links(to open the t&c in a pop-up) which means that doesn't work. If you do decide to make it a javascript pop-up, leave the link as it is, and use the onclick to open the popup and return false so it doesn't actually change the page. That makes middle click work to open the link as normal, and left click calls the onclick handler to open the popup and cancels the normal link action.

Bitcoin address, if accepted: 1GgQn4VGwv75x2bNweua4Ko34tGvZXjkNj

Privacy/security issue:

even after logging out, back button of browser still shows you previous HTTPS page.

thanks, just sent 15 BTC

Thanks for pointing this out. This was already on my todo list, but I'll give you the 20BTC anyway.

Thanks, this is really generous!

I have found another thing, but I don't know if you'll consider that a real issue or not:

in the Join page (https://test.bitme.com/join), the "confirm password" field allows clipboard pasting,
which kinda defeats its purpose... The vast majority of financial sites I have dealt with do not allow that.

I generally prefer to stay away from these type of annoying techniques which purposely break default functionality. This could quite easily interfere with something like a password manager.

Sure, I understand!

Here's a few other things by the way: 

1/ layout/cosmetic:
The 'Place Order' blue button is overlapping on the next column (in Google Chrome, Win XP)

2/ authentication
Login (either as Demo user or regular user) just fails for me in IE8.   'There was a problem logging you in, please try again'

I tested using javascript turned off (No'Script addon in Firefox)

Demo button worked so far (great!) BUT clicking on the "new" order button on the dashboard of the test user (leads to https://test.bitme.com/buy) I just get a 404.

Clicking on the "X" buttons in the Dashboard has no effect with Javascript turned off.

Maybe more cosmetical/not implemented: The US flag in the lower right corner has no tooltip or any apparent function. Could indicate english language or the USD market...?!

Open a session (Demo), middle click on a link (e.g. withdraw) to open it in a new tab, click logout there in the new tab, close the tab, click logout in the original tab (demo dashboard) --> you get a 403 forbidden page. Whats worse, you get no immediate chance to do anything there, if you don't guess/know that the header "[testnet]bitme" is a link to the main page.

There is no check if the payout address is even a valid address, I could enter "1234567890123456789012345678901234" as address in the withdraw section. It only seems to expect a string of 34 characters. Also the limit seems to be at least 0.01 BTC which is mentioned only AFTER entering any amount there.

Address for bounty (if accepted as bug): 1u774EAK5PSEhvMzKLURBFtjhJqQUpb6r

Don't worry, I greatly respect users of NoScript, plan to make the site fully functional without javascript soon!


Hmmm... I meant to put it in there just to mean that BitMe, LLC is a US-based and registered company. Good suggestion with the tooltip.


This is expected behavior since once you kill your session you can't logout again, but point taken, this could be more user-friendly!


Yes, this page could use some directions as far as the minimum withdraw amount. Also, the address validation is oversimplified here. This will be improved at somepoint, but this is not really a problem because the address will eventually be validated for real and will not be sent if bitcoind finds it to be invalid. This can easily be resolved by an admin without any loss of the BTC withdraw amount.


Thanks for all of the feedback! Most of this is expected behavior and I would call these "enhancements" rather than bugs. But I will send you 7 BTC!

This is really just poor design  ::), someone already pointed this out to me, I'll put it under "known issues"


Confirmed, I'm classifying this as minor, 10BTC

Received already! Thanks.

Wow, thanks a lot!!
:)

if, by mistake, or due to network congestion, one double-clicks (or more) on the deposit button, the deposit is performed twice (or more) - this is perhaps true of withdrawals too.

Why can't we deposit cents?

Deposit 0.25 USD:

Perhaps a bit of js magic to prevent double submission? 2 BTC

This is a testnet-only feature. It's just an arbitrary minimum amount.

Yeah, disabling the submit button on onclick or something :)

Thanks!

I was able to deposit a fraction of a USD.

1.001

I tried to withdraw money less than what was deposited and got an error that I did not have enough funds. I cancelled all pending transactions, so the money would not be tied up.
https://imgur.com/1OsY9

Expected behavior, again this is just a testnet feature to deposit arbitrary amounts of USD.

If you want to Withdraw BTC you'll have to buy or deposit some first  ;D

Hi Sean, it seems I haven't received that last bounty, could you check please?
Thanks

My bad, sent!

Excellent, thanks!

That's expected then, since you are on testnet. I Thought it might count the test funds in there. Notice where I was withdrawing to? :D

when submitting empty fields, you dont just get the empty field error message, but all other possible error messages, too.

instead of using javascrpt to disable a button i suggest using a token to prevent multiple form submits, also for preventing csrf. google synchronizer token pattern and/or read this:
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#General_Recommendation:_Synchronizer_Token_Pattern (https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#General_Recommendation:_Synchronizer_Token_Pattern)

Huh? You only had USD in your account, not BTC. That's why you aren't able to withdraw any. The purpose of the fake depositing in USD is to test the execution and execution interface.

Thanks for the suggestion. I'm already using CSRF tokens, but am only generating once per session. As the article points out well, you can generate once per request, but this introduces some usability issues if the user opens multiple tabs for instance. I'm still on the fence about this.

Yes, javascript should never add features to the system. JS should be used to cosmetical things or to make some features easier to use. Therefore the javascript-method to disable multiple form sending is bad method. Should be done with confirmation page or something like that.

Also when you're adding an order, it should classify what went wrong if an error occurred in order placement (instead of "An error occurred!").

Turned javascript off after loading dashboard page, then clicked on Orders->New and it threw to Error 404 -page.

Yup, compatibility without javascript is a known issue.

Hi,

a little cosmetic issue:

The password strength meter in the Join page works, but doesn't look quite right on
IE8. (There's no background color)

https://i.imgur.com/dMu02.png

I've managed to spam the orderbook by doing tiny increments in rate and have drowned out everything on the USD side of the order book using less than 1 USD in funds. Now nobody can see what's available. I'm sure i could do the same on the BTC side if i had any left and there was anything to drown, making the orderbook useless.

I think to solve it the order book should be put into bins, so it's more a rough idea of the quantity at each rate, by combining all the quantities at the rates say between 15 and 15.01, or you shouldn't allow quite such small increments in rate. Or maybe it should be left as it is. I suppose when there's active trade across the spread it won't be an issue because those micro orders will be picked up as soon as there's a trade. But I think there should be some way to see more of the orderbook if someone does do this and while you still have low activity on there.



Not really a bug but the way the order book doesn't update even when you place an order kind of bugs me :)

confirmed, 5 BTC

I put this on my todo list as an enhancement. I think combining them into different "bins" is a good idea, but I don't want to do that without giving the user the ability to change at what precision it does this.




Me too :)

5 BTC

Looks like the current site is vulnerable to a DoS attack through the 'withdraw' method:

In the withdraw form, enter a 34-digit address and any amount of BTC (doesn't matter if you
have them or not), and quickly hit 'Enter' 30 times or more, in rapid succession. The whole site
appears to become unresponsive for at least 10 seconds.
.

In IE8,
"© 2012 BitMe, LLC
Terms of Use
#bitme on FreeNode" isn't where it's supposed to be when logged in. Also header looks different.

"Last Execution BTC / USD 0.5x @ 15" is there supposed to be 0.5x something?

Also, cosmetically site doesn't work in mobile platforms. Tested with Nokia N9, functionality was good except i couldn't deposit USD another try and it worked!

Confirmed, 5 BTC


This is the intended display, the 0.5x is the quantity and 15 is the rate. This means there was an execution of 0.5 BTC at a rate of 15 USD, (0.5 BTC was traded for 7.5 USD)


Yup, mobile platforms is on my known issues list

Trying IE7 now, many cosmetic problems. "Logout"-bar, header, Green/red info boxes bugging weirdly, deposit-page table (and tables overall (except orderbook page) are scaling to window width), footer info at wrong place (like in IE8), transaction-page bugging overall. Also can't, for example, place orders with IE7 (maybe applies to IE8 too) even with javascript turned on. Also can't see USA-flag at all with IE7.

Also, thanks! :)

EDIT: Can place orders but no notify or site changes if order placed. But if error occurs, the message will show.

Chrome's autotranslate feature seems to be have some issues, I even just tried to explicitly set the language as english via a "Content-Language" header. Google Chrome still seems to want to offer to translate the page for some reason.

https://groups.google.com/forum/#!msg/google-translate-general/IGYJ6ODH5s4/T2Jx7Dh6JbMJ (https://groups.google.com/forum/#!msg/google-translate-general/IGYJ6ODH5s4/T2Jx7Dh6JbMJ)

Yeah, looks like IE needs some work, I hadn't tested it at all in IE before.

Wasn't it 10% of web browsers are _STILL_ IE6! And think how much IE7 or IE8 there are..

Edit: Fordy, you're right that <IE7 shouldn't be on high priority list so people would get better browsers.

Even Microsoft itself hates IE6 and has launched a campaign to get rid of it: http://www.ie6countdown.com/

I'm not going to support older than IE8. I think the amount of IE users in the Bitcoin community is probably significantly lower than the general population.

Hi Sean, have you had a chance to take a look at this one? I just want to make sure you didn't miss that post due to the high activity in the thread yesterday.

Hey, sorry, I started to reply before but must have gotten distracted. I'll keep this in mind but I'm not going to worry about this too much. What this does is not really that expensive of an operation. It makes me wonder if I happened to have restarted the web server at the same time you were trying to do this. Currently, all my javascript is bundled and built the first time a user visits the site upon restart, so this could appear as a long 10second delay to that lucky user.

Actually, I did think it could be related to some JIT process or you restarting the server, but I was able to rule this out - I tried at different times of the day, and I can still reproduce the effect right now.

Anyway, I can understand that it's not a priority for you at this time, but please don't underestimate this issue,
as any script kiddie could potentially DoS (or DDOS) the site through that way - heck, a script isn't even necessarily needed to do it.

Thanks a lot for this one flatly. I noticed a problem with how I was caching the js building, so it was actually being done on every request before! I've gone ahead and fixed this and the site should be noticeably more responsive. I've run out of BTC, but I owe you 20 for this one.

Great! I'm glad I could help, and I like how you really are a man of your word.

Just a small thing: in the terms of use, it seems there's a word missing in the below sentence:


->

Hey,
Just a idea/suggestion,
in bootstrap (which I think your using), you can make navigation with the tabs, possible without changing the page,
https://i.imgur.com/VVxN7.png

Like now when I click, Deposit, another page opens and then I get the deposit address, but, you could use this js function and make the tabs really good and allow navigation without changing the page or moving the user to another page.

The main benefit of this would be that the whole profile would load up at once, after which navigating around will be smooth and this would lower the server's load / network usage also as everythings done at once.

You could see the demo / code here :
http://twitter.github.com/bootstrap/javascript.html#tabs


Thanks !

and lol, if accepted / considered : 1HR26mWBjiraHEz1qVPQP5g3LiSjcRpZNy

1) Placing a order will not refresh order book ( I had to hit F5) -  (Firefox 12)
2) After login, you display a temp username that can be used  to log in later. There is no way to see this information after I leaves the page.
3)  I can see a pair BTC / USD but it is unclear, what currency I am actually using.
3a) Rate for what? Per "btc" or for the whole trade?
4) Please add "Total" for a trade
5) Please add option to enter "market orders"
6) Enter Ask order for less than lowest Bid and it will fail.
   If I wanted to sell 1000 btc and the best Bid was 900@10, next 90@5 and next 20@2 and I enter my order at 1000@2, I was expecting it to be filled as 900@10, 90@5 and 10@2)

7) please add additional order entry form to the top of the page, above the Orderbook (less scrolling)
8) make it user configurable, how many bid/ask rows user can see in Orderbook. (imagine, if you had 100+ rows there)  

Thank you: 1HnBaKFLrbgQ1GreZ6SQ3vYQa4QBzg4KUt  

9) after order entry fails, do not close/clean the order entry form, let user fix the numbers and resubmit it (not really a bug but more like usability issue)

in transactions table last column is called Balance. This is true for deposits (and probably Withdraws) however for category Order I think a better label would be State/Status. And a filter like in excel would be useful.

on deposit display the QR code near the adress

Parts of the email can be used as password (password: example123 can be used for the account example123@adsfsa.com), this makes passwords easy to guess if you have the email.

Weak passwords from common password lists are not blocked.

You should add a CAPTCHA after too many failed password attempts, not locking users out for 30 minutes. This is annoying if you have many passwords and are trying to get the right one.

The entire top banner is ugly. At least find a nice font and make a logo with the text tool in MSpaint. And use the regular Bitcoin graphics, your coins have blurry edges.

I think the Transactions page needs more work :)

I personally like to see something like this:


As you can see, now you can have one endless list of pairs and use only one transaction list. You can split it up to currency pairs, if needed and add total balances


10) If client transfers BTC or LTC to his account, ask for average price in (USD or EUR etc) so you can do Gain/Loss calculations from trades.

Yup, this looks like another typo, 5 BTC.

Hey great suggestion, thanks!

Thanks for all the feedback, most of these issues will be addressed over time. I'm focused mostly just on bugs for the time being.

As far as 6) I will look into this sometime this week when I have time.

Thanks for your suggestions, and yes I could use some help with those blurry edges!

Yes, gain/loss calculation is something I have on my feature todo list. Thanks for the suggestions, I will revisit this post when it's time to rework the transactions page.

This was actually a bug with the display of the orderbook, rather than order execution. It was showing quantities for partially-executed orders that had already been executed. This has been fixed, I consider this major and owe you 20 BTC, which I will send out soon.

Not a serious thing, but if one happens to double-click on "Logout", a "403/Forbidden" error message is shown.
(Doesn't happen for Login, Join, and Demo buttons)

some more trivial details:

1/ inconsistent spelling:

"order book" at https://test.bitme.com/fees
"orderbook"  at https://test.bitme.com/dashboard


2/ capitalization

at https://test.bitme.com/dashboard

The info in the order creation column, such as "18 Hours Ago", should be all lowercase - currently it's capitalized
the way a title would.

3/ word(s) missing / incomplete sentence:

at https://test.bitme.com/security

Hi Sean,

any news on when you expect to be able to send the pending rewards?

Thanks!

There's no method to recover password.  At a minimum, there should be a link that explains what a user should do ... e.g., send an e-mail to support or whatever.

Is this still open?

I assume not as I had trouble signing up, but if it is:

• When signing up it is not made clear that you must verify your email before you can login (you just get an invalid user/pass msg)
• After verifying your email and logging in you get the header navbar, but a 403 body.

http://img194.imageshack.us/img194/4555/bitmeerror20120612a.jpg

VouchX reserves are low, please check back in a day or two

how often does bitme reload?

It's relevant.

"You are unable to deposit the minimum required amount at this time" as well, also 1 day limit period for deposits and withdrawals now, used to be 7. Although 1 is better, I'm not sure it's not just a bug.

uh is that for bitme to deposit into VouchX/aurumxchange?

Marked cash deposit into Bitme's Chase account: https://bitcointalk.org/index.php?topic=148078.0

can't withdraw vouchX

There was a problem communicating with VouchX system

20TH MARCH 2013POST WITH 3 NOTES
SUSPENDING OPERATIONS

BitMe is suspending operations indefinitely. The website will remain up until April 15.
Great thanks to all of our customers!
 (http://bitmex.tumblr.com/post/45831990730/suspending-operations)

How about some comments?

they're holding my $98 hostage

Yea, their goddamned withdrawl limit locked up my bitoins

now there's no aurum withdrawl at all.

give me a $95 USD gox or stamp code for my $98 and i'll be happy

just give it to me