Bitcoin Forum
Topic: [BOUNTY] - Bugs at the Kraken.com Exchange (Read 22237 times)
austin
June 08, 2013, 06:45:49 AM
 #61

When creating a new order and filling out the "amount" and "price" fields, submitting a character (such as "e") yields the appropriate warning "Amount must be a numeric value" or "Price must be a numeric value". Entering a "0" in either field also gives the proper error of "1: Invalid amount" or "1: Invalid price".

The problem arises when an invalid number is followed by a non-numeric value. Enter "e", click buy and the numeric value error will appear, then enter "0" and click buy, the previous error is replaced with the invalid amount error, as it should. If you follow the same process and enter an invalid number first, then a character, both errors are given but the invalid number error should no longer be there.



When both the price and amount are invalid numbers, only "1: Invalid price" is given, but both "1: Invalid price" and "1: Invalid amount" should be shown.



If you feel this is reward worthy: 16cuSLuR3qfK4d3hkbvHzBfadJLEEgZvAJ
Dargo
June 08, 2013, 05:59:32 PM
Last edit: June 08, 2013, 09:20:07 PM by Dargo
 #62

> I'm not sure if I'm missing something. I assumed I was selling 5 million XRP (which I didn't have) for 602 BTC, but I ended up with no BTC and a lot more XRP.
>
> Here's the before and after.

This isn't exactly a bug. You did in fact sell BTC for XRP. What you did was submit an order to sell 5,000,000 (!) BTC for XRP. If you submit an order to sell more of a currency than you have, the system gives you a partial fill by selling what you've got. So the order sold all your Bitcoins for XRP.

If you want to sell XRP for BTC, what you want to do is buy BTC when you have the BTC/XRP pair selected. The order button should then say "Buy BTC with XRP," and when you click that, you will get the confirmation screen which will say that you are buying BTCXRP, meaning that you are buying BTC with XRP (equivalent to selling XRP for BTC). It's a bit confusing, since we don't have an XRP/BTC pair you actually have to buy BTC/XRP in order to sell XRP. Got it?

Even though this isn't exactly a bug, I am going to submit a ticket because I'm not sure why the confirmation screen has '(XRP)' in front of 'BTCXRP'. That makes things more confusing. Also, I'm wondering if perhaps we should have some kind of check in place if someone tries to sell more of a currency than they have, especially in your case where you had 110 BTC and tried to sell 5 million BTC. At the very least I think it calls for some kind of clarification in the FAQ/Trading Guide. I'll see about a bounty and let you know, but I'll need your address to send. (Edit: never mind, I see you have it posted.) Thanks raze!

Edit: Actually, the above isn't quite correct. What you did was sell BTC for XRP, but you specified the volume in XRP. So, you created an order to sell 5 million XRP worth of BTC in exchange for XRP. That's how the '(XRP)' got there - it's the (non-default) volume currency. The thing to remember is that the "Amount" field specifies the volume and the currency in which the volume is measured, but it doesn't determine what you are buying or selling - the selected currency pair determines this.   
Dargo
June 09, 2013, 03:15:11 PM
 #63

> When creating a new order and filling out the "amount" and "price" fields, submitting a character (such as "e") yields the appropriate warning "Amount must be a numeric value" or "Price must be a numeric value". Entering a "0" in either field also gives the proper error of "1: Invalid amount" or "1: Invalid price".
>
> The problem arises when an invalid number is followed by a non-numeric value. Enter "e", click buy and the numeric value error will appear, then enter "0" and click buy, the previous error is replaced with the invalid amount error, as it should. If you follow the same process and enter an invalid number first, then a character, both errors are given but the invalid number error should no longer be there.
>
> When both the price and amount are invalid numbers, only "1: Invalid price" is given, but both "1: Invalid price" and "1: Invalid amount" should be shown.
>
> If you feel this is reward worthy: 16cuSLuR3qfK4d3hkbvHzBfadJLEEgZvAJ

Looks worthy of a small reward for a small issue. Thanks austin.
torba
June 09, 2013, 05:06:59 PM
 #64

I can get ridiculous orders by enabling the "disabled" USD field (4 USD = 400 BTC), but the order fails if tried to place.
http://img.adamncasey.co.uk/i/170/d/o
danieldaniel
June 09, 2013, 11:15:51 PM
 #65

When creating an account, the username says "OK" even if it isn't:
http://grab.by/nmmk
http://grab.by/nmmm

danieldaniel
June 09, 2013, 11:19:19 PM
 #66

On "Withdraw" page, there is an error in your code:
"Cannot call method 'replace' of undefined"
Located at this line:
                    var a = typeof (b.showtab) == "string" ? b.showtab : xchg.util.hashnav.getParam(b.param), e = h.find("li.active a").attr("href").replace(/^#+/, ""), g = true, c = false, f;

Edit: Looks like this is on every page?

danieldaniel
June 09, 2013, 11:24:25 PM
 #67

Not a bug, but you could probably improve the site by removing unused CSS rules.

See http://grab.by/nmmK

danieldaniel
June 09, 2013, 11:28:15 PM
 #68

I disabled and enabled JS, but the site still says it's disabled.  See: http://grab.by/nmmU and http://grab.by/nmn0

EDIT: Only when inspect element open.

danieldaniel
June 09, 2013, 11:29:37 PM
 #69

After above bug, CAPTCHA does not show.  See http://grab.by/nmn8.

escrow.ms
June 10, 2013, 07:46:59 AM
 #70


> Thanks escrow - please post your address for the bounty. Edit: We'll send to your tip jar.

Thanks Dargo, bounty received. :)
Dargo
June 10, 2013, 02:42:13 PM
 #71

> I can get ridiculous orders by enabling the "disabled" USD field (4 USD = 400 BTC), but the order fails if tried to place.
> http://img.adamncasey.co.uk/i/170/d/o

Can you explain how this is a bug? I'm not seeing it.
Dargo
June 10, 2013, 03:30:51 PM
 #72

> When creating an account, the username says "OK" even if it isn't:
> http://grab.by/nmmk
> http://grab.by/nmmm

This isn't a bug. The check of the username on the signup page is just checking formal validity - i.e. at least 5 characters. It doesn't check whether the username is already taken. So the username can be deemed OK initially but later rejected.
Dargo
June 10, 2013, 03:37:01 PM
 #73

> I disabled and enabled JS, but the site still says it's disabled. See: http://grab.by/nmmU and http://grab.by/nmn0
>
> EDIT: Only when inspect element open.

Yes, but reloading makes this go away. So not seeing a bug here. Reviewing the code/CSS points - will get back to you on these later.
Dargo
June 10, 2013, 04:13:35 PM
 #74

> On "Withdraw" page, there is an error in your code:
> "Cannot call method 'replace' of undefined"
> Located at this line:
>                     var a = typeof (b.showtab) == "string" ? b.showtab : xchg.util.hashnav.getParam(b.param), e = h.find("li.active a").attr("href").replace(/^#+/, ""), g = true, c = false, f;
>
> Edit: Looks like this is on every page?

This is just happening on the deposit & withdraw pages since they are disabled right now. It will change once they are enabled. But the error should only be on these two pages, so if you can show other pages with the error, this might be an issue.
Dargo
June 10, 2013, 04:15:03 PM
 #75

> Not a bug, but you could probably improve the site by removing unused CSS rules.
>
> See http://grab.by/nmmK

The css thing isn't really an issue - since it's a large site, not every page is going to use 100% of the defined css styles (though eventually the css style sheet rules could be trimmed down a bit).
monsterer
June 10, 2013, 07:04:14 PM
 #76

> This isn't exactly a bug. You did in fact sell BTC for XRP. What you did was submit an order to sell 5,000,000 (!) BTC for XRP. If you submit an order to sell more of a currency than you have, the system gives you a partial fill by selling what you've got.

This is a bad policy IMO - invalid orders shouldn't ever make it to the matching engine. Allowing this will increase the likelihood of support requests due to misunderstanding on the part of the user.
dree12
June 10, 2013, 07:43:20 PM
 #77

>> • A positive or negative number in the basic screen could be confusing. With a plus or minus sign, the order is treated as a relative order. However, the description still reads "+XXX". This would be better if it were "market+XXX".
>
> dree, could you elaborate on this one - I'm not following. Not sure what you mean by the "basic screen."

On the order details page, you see this text:

Quote
buy 1.00000000 BTCUSD @ limit +105.20508

This might be confusing, as the order is actually buying at 210! Instead, the text could be changed to:

Quote
buy 1.00000000 BTCUSD @ market +105.20508

This makes it clear that the 105.20508 is relative and not absolute.
Dargo
June 10, 2013, 09:03:13 PM
 #78

>> This isn't exactly a bug. You did in fact sell BTC for XRP. What you did was submit an order to sell 5,000,000 (!) BTC for XRP. If you submit an order to sell more of a currency than you have, the system gives you a partial fill by selling what you've got.
>
> This is a bad policy IMO - invalid orders shouldn't ever make it to the matching engine. Allowing this will increase the likelihood of support requests due to misunderstanding on the part of the user.

I want to check with the devs on this, but I see your point. More tickets isn't so bad in itself, what concerns me more is the increased likelihood of ordering mistakes. If I have 10 BTC but create an order to sell 500K BTC, most likely I'm confused and creating an order that will do something I don't intend (I probably don't want to sell my 10 BTC).
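
The pre-trade check monsterer and Dargo discuss (reject an order the account cannot cover before it reaches the matching engine), combined with the per-submission error reporting austin asks for in #61, as an added example that is not part of the thread and not Kraken's code. The function names, order shape, price of 8305 and the "Insufficient" message are assumptions; the other error strings are the ones quoted in the thread.

```javascript
// Added example: server-side order validation. All names here are hypothetical.
// Number is used for brevity; a real engine would use fixed-point decimals.

// Constructed sample balances for one account (110 BTC as in raze's case).
const SAMPLE_BALANCES = { BTC: '110', XRP: '0' };

// Plain positive decimals only: rejects "e", "", "1e3", "-5", "+5".
const DECIMAL = /^\d+(\.\d+)?$/;

function checkNumber(label, raw, errors) {
  if (typeof raw !== 'string' || !DECIMAL.test(raw.trim())) {
    errors.push(`${label} must be a numeric value`);
    return null;
  }
  const n = Number(raw);
  if (!(n > 0) || !Number.isFinite(n)) {
    errors.push(`1: Invalid ${label.toLowerCase()}`);
    return null;
  }
  return n;
}

// order: { side, base, quote, amount, price, volumeCurrency }
// The error list is rebuilt on every call, so no message from an earlier
// submission survives, and every bad field is reported, not just the first.
function validateOrder(order, balances) {
  const errors = [];
  const amount = checkNumber('Amount', order.amount, errors);
  const price = checkNumber('Price', order.price, errors);
  if (amount !== null && price !== null) {
    // The amount field may be denominated in the quote currency; the pair
    // and side, not the volume currency, decide what is actually spent.
    const baseVolume = order.volumeCurrency === order.quote ? amount / price : amount;
    const spendCurrency = order.side === 'sell' ? order.base : order.quote;
    const needed = order.side === 'sell' ? baseVolume : baseVolume * price;
    const available = Number(balances[spendCurrency] || 0);
    if (needed > available) {
      // Reject outright instead of partially filling with the whole balance.
      errors.push(`Insufficient ${spendCurrency}: order needs ${needed}, account holds ${available}`);
    }
  }
  return { ok: errors.length === 0, errors };
}
```

Because the check runs on the server against stored balances, re-enabling a disabled form field in the browser, as in torba's report, changes nothing about what is accepted.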
Dargo
June 10, 2013, 09:11:09 PM
 #79

>>> • A positive or negative number in the basic screen could be confusing. With a plus or minus sign, the order is treated as a relative order. However, the description still reads "+XXX". This would be better if it were "market+XXX".
>>
>> dree, could you elaborate on this one - I'm not following. Not sure what you mean by the "basic screen."
>
> On the order details page, you see this text:
>
> Quote
> buy 1.00000000 BTCUSD @ limit +105.20508
>
> This might be confusing, as the order is actually buying at 210! Instead, the text could be changed to:
>
> Quote
> buy 1.00000000 BTCUSD @ market +105.20508
>
> This makes it clear that the 105.20508 is relative and not absolute.

Thanks for the clarification dree, I get it now. I don't think it should be "market + xxx.xx" because this isn't a market order. It's a limit order and that's why it says limit. But "limit +105" might be taken as a limit order at 105, so something more clear would be an improvement.
raze
June 10, 2013, 10:38:57 PM
 #80

>>> This isn't exactly a bug. You did in fact sell BTC for XRP. What you did was submit an order to sell 5,000,000 (!) BTC for XRP. If you submit an order to sell more of a currency than you have, the system gives you a partial fill by selling what you've got.
>>
>> This is a bad policy IMO - invalid orders shouldn't ever make it to the matching engine. Allowing this will increase the likelihood of support requests due to misunderstanding on the part of the user.
>
> I want to check with the devs on this, but I see your point. More tickets isn't so bad in itself, what concerns me more is the increased likelihood of ordering mistakes. If I have 10 BTC but create an order to sell 500K BTC, most likely I'm confused and creating an order that will do something I don't intend (I probably don't want to sell my 10 BTC).

Yeah, I think most of the confusion stems from the value pairs combined with the ordering page. It wasn't made clear to me that I was selling BTC, which would probably make a customer using real funds a little unhappy. This should definitely be made clearer somewhere on the order page, or at least the confirmation page.

P.S. I'll happily accept a tip if you decide to change it ;)

BTC --16FPbgyUZdTm1voAfi26VZ3RH7apTFGaPm
LTC -- Lhd3gmj84BWqx7kQgqUA7gyoogsLeJbCXb
PPC -- PRpKGjgjNLFv8eR7VVv7jBaP8aexDFqk4C