Bitcoin7 a new exchange

[Bitcoin7.com]

Tolsi,

We are experiencing some problems with the LR integration at the moment.
Funds are not lost, but a bit delayed.
I am sure they should be in your account by the time you will be reading this.

We hope next LR transactions will occur much faster.

[1714116283]

1714116283

[1714116283]

1714116283

[Tolsi]

Tolsi,

We are experiencing some problems with the LR integration at the moment.
Funds are not lost, but a bit delayed.
I am sure they should be in your account by the time you will be reading this.

We hope next LR transactions will occur much faster.

The money came, sorry, a little scared Good luck in your business

[davout]

we will keep even more exact decimals on our records

You do not understand the difference between float and decimal do you ?

[Bitcoin7.com]

Davout, I think we understand it pretty good, but I will gladly hear what you mean over PM. Also if your feedback is valuable I can assure you it will
come live on the site within hours. I don't want to spam the topic about our new exchange with such information.

Just FYI, we keep the records according to the IEEE 754 decimal32 format - I am sure you are familiar with it if you are asking us about it

[wizzard0]

Davout, I think we understand it pretty good, but I will gladly hear what you mean over PM. Also if your feedback is valuable I can assure you it will
come live on the site within hours. I don't want to spam the topic about our new exchange with such information.

Just FYI, we keep the records according to the IEEE 754 decimal32 format - I am sure you are familiar with it if you are asking us about it

IEEE 754 decimal32 is a single-precision floating-point number occupying 32 bits. Tell me I am wrong. Because if I'm not - this is horrible.

Do you know that adding 0.00000001 BTC to 1 BTC will result in 1 BTC, and adding 0.00000021 will result in 1.00000024 BTC with this precision?

[davout]

Just FYI, we keep the records according to the IEEE 754 decimal32 format - I am sure you are familiar with it if you are asking us about it

So that's what I thought, you don't have the slightest clue about how to properly handle currency amounts in professionnal applications.
Go check the source-code of bitcoin-central.net, that's how the real pros do it baby

[Sukrim]

I would strongly advise you as #1 priority to take 2 developers to independently go through the whole backend code and remove ANY floating point number that occurs there. It's nice and fine if you want to have more than 8 decimal places, but for the love of god or whatever you believe in, don't ever use floats in financial software again!

Sorry to be so harsh, but this is something nearly every programmer should learn in their first semester.

[FooDSt4mP]

I would strongly advise you as #1 priority to take 2 developers to independently go through the whole backend code and remove ANY floating point number that occurs there. It's nice and fine if you want to have more than 8 decimal places, but for the love of god or whatever you believe in, don't ever use floats in financial software again!

Sorry to be so harsh, but this is something nearly every programmer should learn in their first semester.

+1

You will definitely not be seeing any of my funds until this is fixed.

[Bitcoin7.com]

Bitcoin7 keep the records with extreme accuracy, there is really nothing to be fixed.
We are now working on something we can show the forum, hoping to close this discussion and continue to further
improvements of the site or trade options.

[davout]

Bitcoin7 keep the records with extreme accuracy, there is really nothing to be fixed.

you are an amateur.

We are now working on something we can show the forum,

some professionalism maybe ?

[sturle]

Bitcoin7 keep the records with extreme accuracy, there is really nothing to be fixed.

Isn't it incredible how much a simple sentence can reveal?

It is impossible to represent integers accurately in floating point, no matter what precision one use.  Any mediocre programmer will know that.  And if one doesn't know that Bitcoins are integers, one should probably not operate an exchange in the first place.  This simple sentence tells us that the exchange is written by an incompetent programmer who hasn't got much clue about Bitcoin either.

Even if it looks like it works on first sight, it is probably insecure.  I wouldn't trust it with a bitcent, or 0.009999999776482582092285156250 BTC at Bitcoin7, probably rounded in the user interface.  Would I be able to withdraw the bitcent again, or would I have insufficient funds?  I'll let someone else find out, and have fun profiting from rounding errors.

[shakaru]

You cant even send bitcoins. This thing either is a giant theft opt or a money laundering ring out of Sophia. My money on the later

[Sukrim]

You cant even send bitcoins. This thing either is a giant theft opt or a money laundering ring out of Sophia. My money on the later

I haven't yet tried sending any (I just transferred some USD from MtGox to buy the cheap 18 USD Bitcoins, that were unfortunately gone until my USD got credited) - but generally you should just mouse over the bitcoin amount in the top right corner and click "Add Bitcoins"... does this not work?!

Edit:
"You have successfully withdrawn x.xxxxxxxx42 BTC to your Bitcoin wallet"
I wonder if the .42 Satoshis show up! 

So far every trade went fine though and once (if...) the floats are fixed, I might even use the exchange. Sofia is a nice city anyways and I won't have to go to a bank/exchange to get BGN this way.

[cuddlefish]

Bitcoin7.com...
you have a GIANT CSRF vulnerability on the Withdrawals page.

Fix it.

[Bitcoin7.com]

@ Cuddlefish, I PMed you for more details.

[davout]

@ Cuddlefish, I PMed you for more details.

That's ridiculous, the CSRF exploit is trivial, someone logged into your site, visiting a malicious site can have all his funds withdrawn at a whim.

something along the lines of this :

Code:

<form id="maliciousForm" method="post" action="theWithdrawPage">
  <input name="amount" value="42" />
  <!-- other fields in your form -->
</form>

<script type="text/javascript">
  $('maliciousForm').submit();
</script>

And that's only the first thing that has been spotted.

Advice : shut down your site, get some professionnals, open it back up when it's finished and secure.

[cuddlefish]

In the interests of getting to to SHUT DOWN EVERYTHING... you need to.

http://pastehtml.com/!!!!view/axb1k7j2w.html

remove the !!!! if you really want to attack yourself.
Ta-da. Your coins are now in instawallet.org/w/foo.

Security is no joke.

[Bitcoin7.com]

Security is no joke indeed, thanks for reporting.
The glitch has been fixed. We review any single transaction manually at the moment anyway.
Our commitment is to ensure maximum stability, even if we have to restore damage.

[cuddlefish]

http://pastehtml.com/!!!!view/axb1k7j2w.html

sells 1 coin at $0.5.

At this point, I'd have to say, kill your webserver until you can get a professional auditor in. This site shouldn't be handling money.

[davout]

Security is no joke indeed, thanks for reporting.
The glitch has been fixed. We review any single transaction manually at the moment anyway.
Our commitment is to ensure maximum stability, even if we have to restore damage.

Still easy to exploit.

Malicious page has an 1px * 1px iframe displaying the withdraw page, populates and posts form through javascript with the added bonus that it can parse the DOM to figure out your exact (well floating point exact XD) BTC balance before withdrawing it.

* davout heads to bitcoin-central.net to add a PIN code