[BOUNTY] - Bugs at the Kraken.com Exchange

[btcx]

Hey guys,


We've had the site in a limited beta with about 20 users for the past week testing basic functionality but now it's time to really try to break things.

EDIT:  Site now has 1000+ users and is trial mode open beta.  To access it, visit https://beta.kraken.com.  Accounts are autofunded with play money.

Bounties are anywhere from 0.05 BTC to 1.00+ BTC depending on the severity of the problem, difficulty level of discovery, thoroughness of reproduction steps.

Higher bounties will be awarded to bugs discovered with the trading engine and problems with security (potentially much higher than 1 BTC).
For reporting these types of problems, I'd appreciate it if you not post them here and PM me instead.

Lower bounties will be awarded to basic UI issues/inconsistencies/inaccuracies, anything that probably isn't impacting the service a lot but should be fixed.
For reporting these types of problems, please post them in this thread along with your BTC deposit address.


To qualify, you must:
1.  Be the first to report the problem.
2.  Be able to reproduce the problem, if even sporadically.
3.  Provide clear instructions for reproducing the problem.  If you can guess what the underlying cause of the problem is, even better.
4.  Provide your bitcoin deposit address for receiving the reward.

Any questions, just ask!

Also, if you're coming from Reddit or HN, you may PM me at u/jespow

Email may be directed to beta-support@<domain>

[dooglus]

I clicked 'signup' to try to create a 2nd account to trade with my 1st account, and it took me back to the 1st account.

I created a 2nd account using the same email address as the first one.  It told me it had created the account and would email me a confirmation code, but instead it emailed me an error message:
  "A request was made to register with an e-mail that is already on the Kraken system.  The existing account is dooglus."

It would be better to let me know at sign-up time that the email address I typed was already in use, and that that isn't OK, rather than pretending to accept it.  When I type the email address into the signup box it puts a green checkmark and writes "OK" - but it isn't OK.

[dooglus]

I created a 2nd account using the same email address as the first one.  It told me it had created the account and would email me a confirmation code, but instead it emailed me an error message:
  "A request was made to register with an e-mail that is already on the Kraken system.  The existing account is dooglus."

I just tried again, this time using a different email address.  Now it tells me "Please choose a different username".

It seems like it did actually create the 2nd account, even though it used a duplicate email address.

[dooglus]

* the login screen and the withdraw page both have fields for 'one time password' or some such.  I don't see any way of turning on the two-factor auth.

* I tried changing the settings > account > auto-logout to custom > 241 minutes (max allowed is 240).  I saw a pink rectangle at the top of the screen, but it didn't contain an error message.  It looks like it tried to tell me I picked an incorrect value, but it didn't actually show the message.

[btcx]

It would be better to let me know at sign-up time that the email address I typed was already in use, and that that isn't OK, rather than pretending to accept it.  When I type the email address into the signup box it puts a green checkmark and writes "OK" - but it isn't OK.

This would allow an attacker to determine whether someone with a particular email address had an account with us.  That'd be bad for our users' privacy, and security.

I created a 2nd account using the same email address as the first one.  It told me it had created the account and would email me a confirmation code, but instead it emailed me an error message:
  "A request was made to register with an e-mail that is already on the Kraken system.  The existing account is dooglus."

I just tried again, this time using a different email address.  Now it tells me "Please choose a different username".

It seems like it did actually create the 2nd account, even though it used a duplicate email address.

Yeah, even if the new account registration failed because the email was already in use on another account, the username will be reserved for a few minutes as if the registration were pending.  Once the pending registration fails to confirm in time, the username is released.

* the login screen and the withdraw page both have fields for 'one time password' or some such.  I don't see any way of turning on the two-factor auth.

Ah, sorry.. we're making some changes to two-factor right now.  The feature will probably be back tomorrow.

* I tried changing the settings > account > auto-logout to custom > 241 minutes (max allowed is 240).  I saw a pink rectangle at the top of the screen, but it didn't contain an error message.  It looks like it tried to tell me I picked an incorrect value, but it didn't actually show the message.

This is a bug!  Awesome.  You've gotta post your BTC address!

[dooglus]

This is a bug!  Awesome.  You've gotta post your BTC address!

1HPbBjityVPvkcdBnZAjH7npwg4n1Hu75x

I just tried buying 100 BTC for $131ish each on 250x leverage.  It showed 4 open positions for that single order, each at a cost of $775.  When I hit refresh it went up to 18 open orders.



Why isn't it a single order?

(Note: I know nothing about how trading on margin is meant to work)

[btcx]

This is a bug!  Awesome.  You've gotta post your BTC address!

1HPbBjityVPvkcdBnZAjH7npwg4n1Hu75x

I just tried buying 100 BTC for $131ish each on 250x leverage.  It showed 4 open positions for that single order, each at a cost of $775.  When I hit refresh it went up to 18 open orders.



Why isn't it a single order?

(Note: I know nothing about how trading on margin is meant to work)

We're reworking the Positions page.. right now it's showing you a position for each trade that makes up your order, rather than a consolidated view of the total for that order id.. definitely something we need to work on.  all non-XRP pairs are currently simulated against the mtgox orderbook so there may be some funky things happening, orders slow to fill, etc.  If you want to test orders just internally in the Kraken book, try any of the XRP pairs.

[gwillen]

The main front/signup page still has lorem ipsum text on it ... is that considered a bug? :-)

PMing for beta access.

[dooglus]

We're reworking the Positions page.. right now it's showing you a position for each trade that makes up your order, rather than a consolidated view of the total for that order id.. definitely something we need to work on.

This is especially bad when it comes to closing my position.  I have to close all 24 positions that it created one by one, and each takes 3 clicks.

One of them, when I went to close it, it popped up a message saying it had 'lost connection with server' and that 'service was unavailable at this time' or similar.  When I tried again, it told me there was no such order, so I guess it managed to close it despite the error messages.

Also, you asked me for my Bitcoin address earlier.  I posted it, but haven't seen any transaction to that address.

[btcx]

The main front/signup page still has lorem ipsum text on it ... is that considered a bug? :-)

PMing for beta access.

Not a bug

We're reworking the Positions page.. right now it's showing you a position for each trade that makes up your order, rather than a consolidated view of the total for that order id.. definitely something we need to work on.

This is especially bad when it comes to closing my position.  I have to close all 24 positions that it created one by one, and each takes 3 clicks.

One of them, when I went to close it, it popped up a message saying it had 'lost connection with server' and that 'service was unavailable at this time' or similar.  When I tried again, it told me there was no such order, so I guess it managed to close it despite the error messages.

Also, you asked me for my Bitcoin address earlier.  I posted it, but haven't seen any transaction to that address.

Yeah, the Positions interface is definitely a problem.  It may be that we restarted the service at the same time you clicked the button.  A guy's gotta sleep!

[dooglus]

Each time I try to close a position, I get this error message:



My internet connection is slow at the moment (I'm uploading a youtube video at the same time).  Could that be the problem, or is the service really disabled at the moment?

If it's an issue with my connection speed, it's misleading to say it's a problem with the service at your end.

[glub0x]

Your 404 pages is not always the same.
I'm on google chrome
When i'm logged :
https://beta.kraken.com/u/a
Plus this one has a glitch


https://beta.kraken.com/a/a



[EDIT] also i got a bug but i'm not sure it was there before ...
Just when i try to place an order now, the price that is set automatically -when loading the page end- use a coma (,) instead of a dot(.) so i have to correct it manually all the time to place the order.


feel free to tip :p
1MgiDgvf6LqBRxEghy4NXLFxeiKepbHFqK

By the way i like the clean look of the site and how you just took the right things from mtgox and adding some powerful features very nice job.

[MPOE-PR]

This would allow an attacker to determine whether someone with a particular email address had an account with us.  That'd be bad for our users' privacy, and security.

Definitely the right answer. Are you sending the request IP with the email?

[dooglus]

Definitely the right answer. Are you sending the request IP with the email?

No:

A request was made to register with an e-mail that is already on the Kraken system.  The existing account is dooglus.

[btcx]

Each time I try to close a position, I get this error message:



My internet connection is slow at the moment (I'm uploading a youtube video at the same time).  Could that be the problem, or is the service really disabled at the moment?

If it's an issue with my connection speed, it's misleading to say it's a problem with the service at your end.

If it says that, we've disabled the service (probably for an update) or the service crashed.  If you happen to notice that appear immediately after taking some action, and you are able to reproduce it, please let me know.

[btcx]

[EDIT] also i got a bug but i'm not sure it was there before ...
Just when i try to place an order now, the price that is set automatically -when loading the page end- use a coma (,) instead of a dot(.) so i have to correct it manually all the time to place the order.


feel free to tip :p
1MgiDgvf6LqBRxEghy4NXLFxeiKepbHFqK

By the way i like the clean look of the site and how you just took the right things from mtgox and adding some powerful features very nice job.

Thanks for the reports and I'm glad you like it.  Can you tell me what your system language is.. I'm guessing this is the source of the . or , issue.

[btcx]

Definitely the right answer. Are you sending the request IP with the email?

No:

A request was made to register with an e-mail that is already on the Kraken system.  The existing account is dooglus.

Correct.  Doing so would create a privacy/security issue on the other side, sending the IP of the new registrant (who might have just made a typo) to the owner of the existing account.

[dooglus]

When I go to close a position (by clicking an 'X' icon, which I'm not sure about the design of - that looks like a delete button to me somehow), I get this:



The 'sell' in a red rounded box looks like a verb in a button.  I click it, nothing happens.  Then I remember I have to scroll down to see the real buttons.

Gets me every time (and there are a LOT of times!)

[dooglus]

Just a small thing, but when I go to close a position, whenever I hover the mouse over any field description, the arrow changes into a pointy finger, as if I'm hovering over a link:



Clicking the mouse button does nothing however.  So why does the pointer change to a finger?

[dooglus]

I just clicked on the 2nd tab ('market data') and my computer almost ground to a halt.  It has worked for me before, but this time something went wrong:



This is chromium on ubuntu.