Author Topic: [BOUNTY] - Bugs at the Kraken.com Exchange  (Read 22239 times)
Dargo
June 10, 2013, 11:34:59 PM
 #81

Quote
This isn't exactly a bug. You did in fact sell BTC for XRP. What you did was submit an order to sell 5,000,000 (!) BTC for XRP. If you submit an order to sell more of a currency than you have, the system gives you a partial fill by selling what you've got.

This is a bad policy IMO - invalid orders shouldn't ever make it to the matching engine. Allowing this will increase the likelihood of support requests due to misunderstanding on the part of the user.

I want to check with the devs on this, but I see your point. More tickets isn't so bad in itself, what concerns me more is the increased likelihood of ordering mistakes. If I have 10 BTC but create an order to sell 500K BTC, most likely I'm confused and creating an order that will do something I don't intend (I probably don't want to sell my 10 BTC).

Yeah, I think most of the confusion stems from the value pairs combined with the ordering page. It wasn't made clear to me that I was selling BTC, which would probably make a customer using real funds a little unhappy. This should definitely be made clearer somewhere on the order page, or at least the confirmation page.

P.S I'll happily accept a tip if you decide to change it Wink

raze - you should be getting a bounty soon since your confusion about ordering showed how the order form is confusing in a sense. I take it you were looking at this



and naturally thought that you were creating an order to sell 5 million XRP. After all, you were looking at something that essentially seemed to be saying "sell 5 million XRP." There was also a little message below this saying "Amount of XRP to receive." And a big red button saying "sell BTC for XRP," but still that part of the screen in the shot is misleading. I'm pushing to get this changed, but don't know when it might be. At the very least, though, I will be adding content to the FAQ/Trading Guide to address this potential confusion.

To address monsterer's point, there is a reason why orders to sell more of a currency than you have (or buy more than you can afford) make it to the matching engine. The reason is that an account may have orders executing in the background and if so there is no way to know how much of a currency is there up until the moment the order executes. So the system lets the order through and resizes to whatever you can afford. For someone who doesn't trade actively and is just doing simple order types, it would be easier to know how much currency is available. But to allow for more active traders/advanced order types this isn't easy. Again, I should probably add something to the site content to make this aspect of ordering clear. 
coinator
June 12, 2013, 08:07:59 AM
 #82

Hi, can you please send my bounty reward to my btc address?  Smiley
I only received my first reward on #29 and #31
I have posted several other bug reports at #33 #35 #38 and btcx acknowledged the find on #34 but he went to a bitcoin meeting and has been out of contact since.

Dargo, I see that you are in charge of this now, should I send you my btc address or do you guys have it on file? Thank you.
Dargo
June 12, 2013, 02:59:20 PM
 #83

Quote
Hi, can you please send my bounty reward to my btc address?  Smiley
I only received my first reward on #29 and #31
I have posted several other bug reports at #33 #35 #38 and btcx acknowledged the find on #34 but he went to a bitcoin meeting and has been out of contact since.

Dargo, I see that you are in charge of this now, should I send you my btc address or do you guys have it on file? Thank you.

From the thread it looks to me like btcx probably sent a single bounty for 29, 31, 33. But there's no response for 35 and 38, so I'll need to look into those. btcx probably has your address on file, but go ahead and PM it to me. Thanks for your help coinator!
coinator
June 12, 2013, 04:25:33 PM
 #84

Thanks for your prompt response. I'm quite positive that the one bounty I received was for #29 and followed up on #31. The reason why I remembered this is because it was one of the first few BTC I received, thanks for that! Then, I spent more time debugging the site and posted more bug reports. Btcx has been busy since and I did not hear back from him. Now that I know the site is still in progress, I will try and report more bugs.

Since the bugs I posted were found quite some time ago, I'm not sure if they have been fixed already, but I'm sure I tried many times to find them and was able to reproduce the bugs at that time.

I have just PMed you my btc address, you may send my bounty there, thanks again.
Emergenz
June 14, 2013, 01:43:22 PM
 #85

Middle-clicking links doesn't do anything in Firefox 21.0 on Windows 8, it should open them in a new tab. Only right click -> "Open Link in New Tab" works.

14eazyBQToTfAcZsYLNcofyDMjVKjtVykh
Dargo
June 14, 2013, 09:25:09 PM
 #86

Quote
Found another 2 bugs. Had these two bugs before and spent a long time finding out how to reproduce them. Let me know if you need more info. You have my btc address  Smiley

Bug 1
To reproduce: When you are low on USD funds, buy BTC for an amount higher than your funds and switch the option to buy at market rate.
Bug: The system will let you proceed anyway and create an order ID; however, when you check the order, it is cancelled right away. You may check Order OV6OYZ-JSLCK-3DXH6O
Proposed solution: The system should not waste resources creating an ID if the user clearly does not have the funds to complete the order. The system can check the current market rate, do a calculation, compare it against the user's funds and decide whether a new order should be created.


Maybe I'm misunderstanding you here coinator, but if you create an order which you don't have the funds to complete, the system does let you proceed and will give you a partial fill for what you do have the funds for. The remaining partially completed order will be cancelled. If this is what you are talking about, it isn't a bug. If it isn't what you are talking about, please clarify.
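
The two checks discussed in #81 and #86, as an added example that is not Kraken's code and not part of any post: a submission-time check that can only warn, and an execution-time check that resizes the order to whatever the account holds at that moment. All names (`SellOrder`, `submit_sell`, `execute_sell`) are hypothetical, and execution is assumed to find full liquidity so only the balance limits the fill.

```python
from dataclasses import dataclass, field
from decimal import Decimal


@dataclass
class SellOrder:
    asset: str
    volume: Decimal                       # volume the user asked to sell
    filled: Decimal = Decimal("0")
    status: str = "open"
    warnings: list = field(default_factory=list)


def submit_sell(balances, asset, volume):
    """Submission-time check. Advisory only: the balance can change before execution."""
    volume = Decimal(str(volume))
    if volume <= 0:
        raise ValueError("volume must be positive")   # never valid, reject outright
    order = SellOrder(asset, volume)
    available = balances.get(asset, Decimal("0"))
    if volume > available:
        # Surface the mismatch on the review page instead of resizing silently.
        order.warnings.append(
            f"You asked to sell {volume} {asset} but hold {available} {asset}; "
            f"the order will be resized to your balance at execution.")
    return order


def execute_sell(balances, order):
    """Execution-time check. Authoritative: fill what the account holds right now."""
    available = balances.get(order.asset, Decimal("0"))
    fill = min(order.volume, available)
    balances[order.asset] = available - fill
    order.filled = fill
    if fill == order.volume:
        order.status = "filled"
    elif fill > 0:
        order.status = "partially filled, remainder cancelled"
    else:
        order.status = "cancelled"
    return fill


def demo():
    # Constructed scenario using the thread's numbers: 10 BTC held, 5,000,000 BTC order.
    balances = {"BTC": Decimal("10")}
    big = submit_sell(balances, "BTC", "5000000")
    # An order placed earlier executes between submission and execution of the big one,
    # so the balance seen at submission (10) is no longer the balance at execution (6).
    earlier = submit_sell(balances, "BTC", "4")
    execute_sell(balances, earlier)
    execute_sell(balances, big)
    return earlier, big, balances


if __name__ == "__main__":
    for order in demo()[:2]:
        print(order)
```

The warning covers the ordering-mistake concern raised in the thread without moving the authoritative balance check away from execution.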
Dargo
June 14, 2013, 09:27:46 PM
 #87

Quote
* Found another 2 bugs (related to Two-Factor Authentication).

- Bug 1:
To reproduce - Set a two-factor authentication for login using a password. Log out and try logging in without the authentication, you will not be able to log in. Now try logging in with the authentication. After logging in, you will see on top right under your username - 1 bad login since... If you click on that, the grey background shows up weirdly, it is overlapping the top menu bar.
To fix it - This is a css issue. The padding you have as
#user-menu .dropdown-toggle {
    padding: 14px 8px;
}
did not account for the extra bad login line so the grey background overlaps the top menu bar. To fix this, simply add a max-height: 38px; or code the background differently.

- Bug 2:
To reproduce -  Setup a  two-factor authentication. Will see an extra space typo in email.
To fix it - fix "You have updated your  two-factor setting on your account.  The IP recorded was " the extra space after "You have updated your" and the space before "The IP recorded. The same goes for "You have updated your  secret two-factor setting", "You have updated your  trade two-factor setting" etc

These are pretty minor of course, but I was able to reproduce them, so I'll tell btcx to send a small bounty your way.
sbregar97
June 14, 2013, 11:35:59 PM
Last edit: June 26, 2013, 01:22:01 PM by sbregar97
 #88

One bug I know of so far, is when choosing language options, English US and UK have NO difference.
Might want to remove it completely, since they are virtually the same exact thing.
EDIT:
Bug#2 in the email you receive when joining, it should be " The Kraken Team" not "The Kraken team" it doesn't look official when doing a deep search.
EDIT2:

Semi major one pretty much when you go to fill out a support ticket, you can upload ANY size file. I've seen this to lag websites, or even upload shells into the site.
Maybe set a limit, to 100MB and no .exe, those are just examples.
Anyways, to replicate it just go to fill a request, and you can upload ANY file.
Imagine if a 100GB file was uploading just to overdraft your hosting, or lag your website.
Also just realized that in your reply to the request you can also upload files, so try to make it a universal limit.


EDIT3(there could be a lot lol):
When receiving the request email, that pretty much confirms it, you get this
"##- Please type your reply above this line -##"
That could be for you guys to fill out, but it definitely shouldn't be in the email.
Found it here: https://support.zendesk.com/entries/20378368-Customizing-your-email-templates

EDIT4:
When going to look at the ticket it just says
"Kraken User
Jun 15 02:46"
It should say your username, and it should sync with your time you selected when creating an account.
Such example of the time, is when I submitted it said 02:46
but, going back to my current set time it says 1:58, which isn't even close.

EDIT5:
http://puu.sh/3fSTG.png All the tabs except Requests by Kraken User just seem like default things you aren't going to be using.
I suggest cleaning those out unless you will use them.

EDIT6:
There should be a way to change your email, this is needed so if you need to change your email because you're making a new one, or even if the email got hacked, to be more secure.

EDIT7:
When going to request a password reset, if you just click the button without filling in anything, or even filling in the username field it just refreshes the page, and doesn't give any error. It should give a bug, like "Invalid email" etc.

EDIT8:
When receiving emails I notice I always get this weird file, called "signature.asp"
When opening it I get http://puu.sh/3fT7a.png which has no meaning, and could confuse some people, Googling it didn't help and the only thing I could think this relates to is http://puu.sh/3fT9N.png
1PdrhY7ngQnA7rZwtXFzC3rzS44FMk8mNy

raze
June 15, 2013, 09:54:10 AM
 #89

I think I got the bounty yesterday, I don't know who else would've sent it. If so, thanks for your generosity Smiley

BTC --16FPbgyUZdTm1voAfi26VZ3RH7apTFGaPm
LTC -- Lhd3gmj84BWqx7kQgqUA7gyoogsLeJbCXb
PPC -- PRpKGjgjNLFv8eR7VVv7jBaP8aexDFqk4C
Dargo
June 15, 2013, 05:06:46 PM
 #90

Quote
I think I got the bounty yesterday, I don't know who else would've sent it. If so, thanks for your generosity Smiley

Yeah it was from us - thank *you* - the issue you raised was very helpful.  Smiley
Dargo
June 15, 2013, 05:48:20 PM
 #91

Quote
One bug I know of so far, is when choosing language options, English US and UK have NO difference.
Might want to remove it completely, since they are virtually the same exact thing.
EDIT:
Bug#2 in the email you receive when joining, it should be " The Kraken Team" not "The Kraken team" it doesn't look official when doing a deep search.
EDIT2:

Semi major one pretty much when you go to fill out a support ticket, you can upload ANY size file. I've seen this to lag websites, or even upload shells into the site.
Maybe set a limit, to 100MB and no .exe, those are just examples.
Anyways, to replicate it just go to fill a request, and you can upload ANY file.
Imagine if a 100GB file was uploading just to overdraft your hosting, or lag your website.
Also just realized that in your reply to the request you can also upload files, so try to make it a universal limit.


EDIT3(there could be a lot lol):
When receiving the request email, that pretty much confirms it, you get this
"##- Please type your reply above this line -##"
That could be for you guys to fill out, but it definitely shouldn't be in the email.
Found it here: https://support.zendesk.com/entries/20378368-Customizing-your-email-templates

EDIT4:
When going to look at the ticket it just says
"Kraken User
Jun 15 02:46"
It should say your username, and it should sync with your time you selected when creating an account.
Such example of the time, is when I submitted it said 02:46
but, going back to my current set time it says 1:58, which isn't even close.

EDIT5:
http://puu.sh/3fSTG.png All the tabs except Requests by Kraken User just seem like default things you aren't going to be using.
I suggest cleaning those out unless you will use them.

Thanks, this all looks like stuff we want to change.

Quote
EDIT6:
There should be a way to change your email, this is needed so if you need to change your email because you're making a new one, or even if the email got hacked, to be more secure.

You can change your email under Account > Settings

Quote
EDIT7:
When going to request a password reset, if you just click the button without filling in anything, or even filling in the username field it just refreshes the page, and doesn't give any error. It should give a bug, like "Invalid email" etc.

I can't reproduce this - I get "Failed to update password" as the error message.

Quote
EDIT8:
When receiving emails I notice I always get this weird file, called "signature.asp"
When opening it I get http://puu.sh/3fT7a.png which has no meaning, and could confuse some people, Googling it didn't help and the only thing I could think this relates to is http://puu.sh/3fT9N.png
1PdS1neSpqQB6TEKjvuF9rsGHcqZz9fy5X

This is our PGP key, but maybe this needs explanation somewhere in the site content.

Thanks sbregar, bounty on the way.
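
The upload limit suggested in #88 and accepted in the reply above, as an added example that is not Kraken's code and not part of any post: the size cap is enforced on the bytes actually received rather than on the length the client declares, and the file name is reduced to its last component before the extension check. `save_attachment`, `UploadRejected` and the constants are hypothetical names; the 100MB and `.exe` values are the post's own examples.

```python
import os

MAX_UPLOAD_BYTES = 100 * 1024 * 1024    # the 100MB figure from the post
BLOCKED_EXTENSIONS = {".exe"}           # the post's example; extend for a real deployment
CHUNK_SIZE = 64 * 1024


class UploadRejected(Exception):
    """Raised when an attachment fails a policy check."""


def save_attachment(filename, stream, dest_dir, declared_length=None,
                    max_bytes=MAX_UPLOAD_BYTES):
    """Copy an uploaded stream into dest_dir and return the bytes written."""
    # Keep only the last path component so "../../x" cannot escape dest_dir.
    name = os.path.basename(filename.replace("\\", "/")).strip().rstrip(".")
    if not name:
        raise UploadRejected("empty file name")
    if os.path.splitext(name)[1].lower() in BLOCKED_EXTENSIONS:
        raise UploadRejected("file type not allowed")
    # Early exit only: the declared length comes from the client and may be wrong.
    if declared_length is not None and declared_length > max_bytes:
        raise UploadRejected("declared size exceeds limit")

    path = os.path.join(dest_dir, name)
    written = 0
    try:
        with open(path, "xb") as out:      # "x": never overwrite an existing file
            while True:
                chunk = stream.read(CHUNK_SIZE)
                if not chunk:
                    break
                written += len(chunk)
                if written > max_bytes:    # enforced on bytes actually received
                    raise UploadRejected("upload exceeds limit")
                out.write(chunk)
    except UploadRejected:
        os.remove(path)                    # do not keep a truncated file
        raise
    return written
```

Calling the same function from both the new-ticket form and the reply form gives the universal limit the post asks for.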
sbregar97
June 15, 2013, 08:31:14 PM
Last edit: June 15, 2013, 08:48:44 PM by sbregar97
 #92

Thanks man, I'll be sure to look for more bugs.

Also, with EDIT7 when you couldn't reproduce the issue, this is what I meant.
http://puu.sh/3gtKW.png

If I just filled that out, it didn't give me an error for no email entered, it just refreshed the page and gave me that.

EDIT1:
When going under the about section on the main website, "Payward Inc., Press, and Jobs" are all empty. Not sure if intentional or accidental.

EDIT2:
When going to Bug Bounty at the bottom of the page, it's empty. Should give an explanation of the current bounty.
https://beta.kraken.com/security/bug-bounty

EDIT3:
When going to deposit, or withdrawal it doesn't display the current time. I know they are disabled, but this could pose an issue later on.
http://puu.sh/3gugt.png

EDIT4:
When I changed my time to EST, it just gave me the hour, http://puu.sh/3gun1.png
Americans use AM and PM feature, and it should auto-configure to that, if you would change.

RyNinDaCleM
June 15, 2013, 11:32:36 PM
 #93

Just a suggestion here.
Perhaps put the margin balance and current P/L somewhere near the balance box at the top. This will make for quick reference without changing tabs.

What is the margin requirement?
At 10:1 and a starting balance of $5000, the margin balance should be $50,000. With a $100/BTC price tag, if I try to short 300BTC which would be $30,000 +fees, I get an "Insufficient margin balance" error.

RyNinDaCleM
June 16, 2013, 02:23:25 PM
 #94

The auto refresh is cool and all, but in the middle of filling out the order form it will just go back to the default and potentially cause orders to execute in an unexpected way.

What happened was, I set a limit sell to close a position. Set the price and volume, and clicked on the review button. It defaulted back as I hit the review order button. If you are quick to click the accept button on the review page, you wouldn't realize that you were about to sell at market and lose profits or even net a loss. That is a big deal when you are trying to get a good price during quick moves

sbregar97
June 16, 2013, 05:22:26 PM
 #95

Hey, I didn't get my first bounty yet, be sure to check out my 2nd post of bugs also. Cheesy

Dargo
June 17, 2013, 06:35:23 AM
 #96

Quote
Thanks man, I'll be sure to look for more bugs.

Also, with EDIT7 when you couldn't reproduce the issue, this is what I meant.
http://puu.sh/3gtKW.png

If I just filled that out, it didn't give me an error for no email entered, it just refreshed the page and gave me that.

I see now.

Quote
EDIT1:
When going under the about section on the main website, "Payward Inc., Press, and Jobs" are all empty. Not sure if intentional or accidental.

EDIT2:
When going to Bug Bounty at the bottom of the page, it's empty. Should give an explanation of the current bounty.
https://beta.kraken.com/security/bug-bounty

EDIT3:
When going to deposit, or withdrawal it doesn't display the current time. I know they are disabled, but this could pose an issue later on.
http://puu.sh/3gugt.png

All this is intentional, so not a bug.

Quote
EDIT4:
When I changed my time to EST, it just gave me the hour, http://puu.sh/3gun1.png
Americans use AM and PM feature, and it should auto-configure to that, if you would change.

I think we are going to stick with military time, so those who love the am/pm thing are going to be a bit disappointed.
Dargo
June 17, 2013, 07:08:42 AM
 #97

Quote
Just a suggestion here.
Perhaps put the margin balance and current P/L somewhere near the balance box at the top. This will make for quick reference without changing tabs.

We don't want things to get too crowded up there, but I agree some important numbers like P/L would be nice.

Quote
What is the margin requirement?
At 10:1 and a starting balance of $5000, the margin balance should be $50,000. With a $100/BTC price tag, if I try to short 300BTC which would be $30,000 +fees, I get an "Insufficient margin balance" error.

I'll have to check on this.
Dargo
June 17, 2013, 07:11:19 AM
 #98

Quote
The auto refresh is cool and all, but in the middle of filling out the order form it will just go back to the default and potentially cause orders to execute in an unexpected way.

What happened was, I set a limit sell to close a position. Set the price and volume, and clicked on the review button. It defaulted back as I hit the review order button. If you are quick to click the accept button on the review page, you wouldn't realize that you were about to sell at market and lose profits or even net a loss. That is a big deal when you are trying to get a good price during quick moves

Can you clarify exactly which order form is refreshing automatically? I haven't run across this.
Dargo
June 17, 2013, 07:15:10 AM
 #99

Quote
Hey, I didn't get my first bounty yet, be sure to check out my 2nd post of bugs also. Cheesy

Don't worry, you'll get it.   Tongue
RyNinDaCleM
June 17, 2013, 11:28:24 AM
 #100

Quote
The auto refresh is cool and all, but in the middle of filling out the order form it will just go back to the default and potentially cause orders to execute in an unexpected way.

What happened was, I set a limit sell to close a position. Set the price and volume, and clicked on the review button. It defaulted back as I hit the review order button. If you are quick to click the accept button on the review page, you wouldn't realize that you were about to sell at market and lose profits or even net a loss. That is a big deal when you are trying to get a good price during quick moves

Can you clarify exactly which order form is refreshing automatically? I haven't run across this.

I clicked on the 'X' button of an open margin position to close it. It opens up an order form to fill out the volume, order type, price... It was the order type that reverted from limit to market, just as, or right before I clicked the review button. I didn't see it change, just that it was a market order on the review screen, and I had set it for limit with a price of $104.
