[BOUNTY] - Bugs at the Kraken.com Exchange

[Herodes]

We've had the site in a limited beta with about 20 users for the past week testing basic functionality but now it's time to really try to break things.

For this your use a professional security auditing firm.

[1714933545]

1714933545

[1714933545]

1714933545

[aes1]

Another bug, this time it's UI one. I have a 13" MacBook Pro laptop, this might not be as confusing on a taller screen.

I sold some bitcoins with a leverage, now I have two positions, the first one of which is:

http://cl.ly/image/1Q3g1A1P352y

Now I scroll down on this page, find "Close Position" section

http://cl.ly/image/1S180L3z2R1v

and I am greeted with a blank screen

http://cl.ly/image/0v1p2U0K2y13

After a while, I realize it's the right screen (and works ok), only it's scrolled way down.

[aes1]

On "Overview" page, the rate of my BTC balance is $0.0000 - what does that mean?

http://cl.ly/image/311C083x371C

[ymgve]

I created a market order for buying 1 BTC with 250:1 leverage. I canceled after a few minutes, and now it's been stuck in "Cancel Pending" for several minutes.

https://i.imgur.com/Vc5fE24.png

[Joost]

When trying to buy a really small amount of BTC, it gives the error message "1: Amount too low". I suspect the '1:' is some sort of error code? Perhaps it's more useful to mention the minimal amount in the error message.

EDIT: Found a more serious one now.

I set a buy order at a ridiculously large amount of a million BTC for market price, at 1:250 leverage. I had $14k in my balance. Then something weird happened: the order got executed for 250.82679898 BTC (worth exactly $25k), but my balance remained untouched. Then the order was canceled automatically (and it is now listed as 'canceled' in my 'Closed orders' list) because the 'Margin allowance exceeded'. Not everything was unchanged, though: my fee-progress-bar jumped straight through four levels, to the point where it's now nearly at 0.36%. Being able to use this in a controlled fashion would make it a very viable attack to get into cheaper fee regions

I have thus been unable to reproduce it, but I'll keep trying. Perhaps you can see more info on the back end. It's trade order OYHWZH-PXEQY-PWFHKU.

[Babylon]

Bug signing up.  I accidentally entered my password as the user name, now it will not let me enter that password. even after I changed the user name.

[Babylon]

Are Ripple meant to be something that we can trade?  Also, I notice that unlike gox you can only put in as many orders as you actually have funds, is this intended behavior?  On Gox if it eats through all your bitcoin or dollars it cancels any remaining trades.

[Babylon]

I figured out how to trade ripple, but it won't let me do so.  it always says the estimated cost is 0.  It will let me buy ripple with dollars, but not dollars with ripple.

[btcx]

When trying to buy a really small amount of BTC, it gives the error message "1: Amount too low". I suspect the '1:' is some sort of error code? Perhaps it's more useful to mention the minimal amount in the error message.

EDIT: Found a more serious one now.

I set a buy order at a ridiculously large amount of a million BTC for market price, at 1:250 leverage. I had $14k in my balance. Then something weird happened: the order got executed for 250.82679898 BTC (worth exactly $25k), but my balance remained untouched. Then the order was canceled automatically (and it is now listed as 'canceled' in my 'Closed orders' list) because the 'Margin allowance exceeded'. Not everything was unchanged, though: my fee-progress-bar jumped straight through four levels, to the point where it's now nearly at 0.36%. Being able to use this in a controlled fashion would make it a very viable attack to get into cheaper fee regions

I have thus been unable to reproduce it, but I'll keep trying. Perhaps you can see more info on the back end. It's trade order OYHWZH-PXEQY-PWFHKU.

Yeah, it would be good to actually tell you what that too low threshold is.  For BTC/USD it's an amount that would be worth less than $0.01 USD.

It looks like what happened with your 1:250 leverage order is that you hit the $25k per user cap on margin.  So, the remainder of your order got canceled after you ran out of margin and it filled $25k worth, which you should now have an open position for.  My guess is your fees were already < 0.4% when you made the order.  The margin cap per user isn't displayed anywhere so you couldn't have known and that's something we need to fix.  Thanks for the report!

Bug signing up.  I accidentally entered my password as the user name, now it will not let me enter that password. even after I changed the user name.

I'm not sure I understand you.  We don't allow you to change usernames, and we don't allow you to have your username as part of your password.  Can you clarify?

Are Ripple meant to be something that we can trade?  Also, I notice that unlike gox you can only put in as many orders as you actually have funds, is this intended behavior?  On Gox if it eats through all your bitcoin or dollars it cancels any remaining trades.

Yes, you should be able to trade XRP but the market is probably pretty shallow or nonexistent so you may want to check the order book.

Yes, setting a limit order will reserve that currency so you'll be unable to set up orders for more than you have.  You can, however, use the stop orders and conditional close to somewhat bypass those restrictions.

[Babylon]

I mean that when i filled in the signup form I accidentally put my password in the username field.  When i fixed it and took it out it would not let me use that password as my password, still giving an error that username and password were the same.

[btcx]

I mean that when i filled in the signup form I accidentally put my password in the username field.  When i fixed it and took it out it would not let me use that password as my password, still giving an error that username and password were the same.

good find.  post your btc address for a bounty.

btw, if there is anyone else who I missed the bounty for previously, please let me know.

[escrow.ms]

Alright i want to tell you about some security problems.



1 . There is a a small problem in your Two-Factor Authentication system which can be big loophole.


Let's say I am using "Password" Method for login,deposit and withdrawl.

If someone got my account's password, he can change Two-Factor Authentication password or disable it easily and withdraw all my BTC . I will get a notification mail but it will be too late, i can not get my Bitcoins back.

So better method is, if someone, even account owner tries to change or update Two-Factor authentication, He should get a verification mail first (Same as registration mail).

Same problem is with Master Key.

2. Site should block account after x invalid login and there should be a ip check feature.If someone from another ip range tries to do login, it should send a mail. I know it shows a session hijack error on site but you should know who tried to access it (IP adddress)

3. Password reset mails,I tried it once, got a "reset expired" error and after that i tried 4 times, but never got a single mail. (I am using Gmail)  (Username on kraken.com = escrowms)

[dree12]

Problems, from least to most significant:

(address: 1MLZrr1oFahTgw73AjiLTMPEdkzUCGhci6)

Cosmetic

• When one is out of money, the money label shows a negative sign briefly before the first AJAX call changes it to a regular 0. See screenshot:
  
• In margin description (available margin = equity − active margin), a '-' (hyphen) is used to represent subtraction. A minus sign ('−') is better because it is longer and more clearly subtraction.
• A positive or negative number in the basic screen could be confusing. With a plus or minus sign, the order is treated as a relative order. However, the description still reads "+XXX". This would be better if it were "market+XXX".

Odd behaviour

• The "Scheduled Start" is allowed to be before the current time, but not before the current date. This should be rejected to reduce confusion.

Incorrect behaviour

• Decimal periods are not supported in the basic order page in UK English. See screenshot:
  
  Note that UK English uses the period, not the comma, as the decimal point. See: https://en.wikipedia.org/wiki/Decimal_point#Countries_using_Arabic_numerals_with_decimal_point
• If "rate" is supposed to mean the current price, it's not working. Bitcoin's rate is $0.00000 for some reason.
  

[nitrous]

1A7d7Lifp9oFkek8YQtLySnoY7LWhagibx

I am on Safari 6.0.5 on OS X 10.8.4. On an open position, when I go to set up the closing order the form gets periodically reset whenever the ajax updates. This doesn't seem to affect the new order form. It can be replicated by pressing the blue refresh button after changing any of the options in the close position form.

[Dargo]

Thanks for the input everyone - we haven't forgotten about you. I'll be addressing the stuff that's been added since May 5th, and for anyone that hasn't received their promised bounty yet please let me know.

I work for Payward (kraken.com), as vouched for by btcx here:

https://bitcointalk.org/index.php?topic=192104.0

[Dargo]

Alright i want to tell you about some security problems.



1 . There is a a small problem in your Two-Factor Authentication system which can be big loophole.


Let's say I am using "Password" Method for login,deposit and withdrawl.

If someone got my account's password, he can change Two-Factor Authentication password or disable it easily and withdraw all my BTC . I will get a notification mail but it will be too late, i can not get my Bitcoins back.

So better method is, if someone, even account owner tries to change or update Two-Factor authentication, He should get a verification mail first (Same as registration mail).

Same problem is with Master Key.

If you have two-factor enabled with the "Password" option you only get a static second passcode, so if someone gets your login info including the static code, yeah, they can login and wreak havoc. This is why you should use Google Authenticator or Yubikey for a dynamic passcode. Eventually we'll be adding a feature where you can lock your account so that two-factor settings can't be changed without requesting an unlock that would take some time to complete. In the meantime you'll get an email so you'd have a warning in case you didn't initiate the unlock request.  

2. Site should block account after x invalid login and there should be a ip check feature.If someone from another ip range tries to do login, it should send a mail. I know it shows a session hijack error on site but you should know who tried to access it (IP adddress)

Giving you the IP address for a potential hijack isn't done for privacy concerns, but we'll consider it.

3. Password reset mails,I tried it once, got a "reset expired" error and after that i tried 4 times, but never got a single mail. (I am using Gmail)  (Username on kraken.com = escrowms)

You should have gotten the emails. I'll have to check on this. Since you just have a beta account, it doesn't really matter, but for future reference, it would be better to give your public account ID (listed under "Settings") rather than your username.

Thanks escrow - please post your address for the bounty. Edit: We'll send to your tip jar.

[Dargo]

• A positive or negative number in the basic screen could be confusing. With a plus or minus sign, the order is treated as a relative order. However, the description still reads "+XXX". This would be better if it were "market+XXX".

dree, could you elaborate on this one - I'm not following. Not sure what you mean by the "basic screen."

[Dargo]

1A7d7Lifp9oFkek8YQtLySnoY7LWhagibx

I am on Safari 6.0.5 on OS X 10.8.4. On an open position, when I go to set up the closing order the form gets periodically reset whenever the ajax updates. This doesn't seem to affect the new order form. It can be replicated by pressing the blue refresh button after changing any of the options in the close position form.

Nice catch nitrous - I'll arrange to have a bounty sent your way.

[Dargo]

• When one is out of money, the money label shows a negative sign briefly before the first AJAX call changes it to a regular 0. See screenshot:

Not able to reproduce this one, but it may have been fixed since you found it.

• In margin description (available margin = equity − active margin), a '-' (hyphen) is used to represent subtraction. A minus sign ('−') is better because it is longer and more clearly subtraction.

I get the same symbol for hyphen and minus sign in a variety of editors.

• The "Scheduled Start" is allowed to be before the current time, but not before the current date. This should be rejected to reduce confusion.

Good catch. Not sure that one will be high priority though.

• Decimal periods are not supported in the basic order page in UK English.

Looks like this has been fixed.

• If "rate" is supposed to mean the current price, it's not working. Bitcoin's rate is $0.00000 for some reason.

Yes, I noticed this too a while back. Good catch.

Thanks dree, will send a bounty your way, but would appreciate clarification on the one I asked you about.

[raze]

I'm not sure if I'm missing something. I assumed I was selling 5million XRP (which I didn't have) for 602BTC, but I ended up with no BTC and a lot more XRP.

Here's the before and after.