Bitcoin Forum
December 05, 2024, 08:26:23 PM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Warning: One or more bitcointalk.org users have reported that they believe that the creator of this topic displays some red flags which make them high-risk. (Login to see the detailed trust ratings.) While the bitcointalk.org administration does not verify such claims, you should proceed with extreme caution.
Pages: [1] 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 ... 65 »
  Print  
Author Topic: Nxt source code flaw reports  (Read 113386 times)
Come-from-Beyond (OP)
Legendary
*
Offline Offline

Activity: 2142
Merit: 1010

Newbie


View Profile
January 03, 2014, 12:26:48 PM
Last edit: March 22, 2014, 05:44:45 PM by Come-from-Beyond
 #1

Nxt source code has been released - https://bitcointalk.org/index.php?topic=345619.msg4287127#msg4287127

The code contains 3 flaws - serious, critical and fatal. The 1st person who reports these flaws will get 1'000, 10'000 or 100'000 NXT reward accordingly.

Each flaw has a small description. Here r SHA256 hashes of these descriptions:

bd34c891e9e3df9ea8b8eafc4dc3edc129f81365d42bf204ea58271e320f3ce5 - 1K reward
888f278c773d39b8334a651d84ee78871bd0e5d45e09be8fdb190ba1b2969530 - 10K reward
f5236644f4306699bb0fa90a905afe2454683c0aad6995e4433d712e2fdb257c - 100K reward

The flaws must be reported before the 3rd of April, after that date they can be revealed at any moment.

If u think that u found a flaw, post here its description. Mathematical proof is not necessary, common sense should be enough. If ur guess is correct u may* get the reward, if u find a non-injected flaw then u'll be asked for more formal proof (u may get a reward too).

NB: Some guys mentioned that they would just decompile 0.4.7e binaries and compare the source codes to find the flaws. As a countermeasure against such the trick u still must explain why there is a flaw.

-------------
* - BCNext reserves the right to refuse to pay a reward without any explanation. This is an anti-troll countermeasure.
EmoneyRu
Hero Member
*****
Offline Offline

Activity: 600
Merit: 500

Nxt-kit developer


View Profile
January 03, 2014, 12:28:36 PM
 #2


ImmortAlex
Hero Member
*****
Offline Offline

Activity: 784
Merit: 501


View Profile
January 03, 2014, 12:31:09 PM
 #3

Do you accept any suggestions here, or flaws only?
What if I found some potentially bad code?
intel
Member
**
Offline Offline

Activity: 98
Merit: 10



View Profile
January 03, 2014, 12:32:48 PM
 #4

Ok, digging the code right now. 3rd April is too long to wait for.

[!] 24.7 NXT News Portal. Real-Time Update. Share your own news with NXT community and get FREE NXT!
Come-from-Beyond (OP)
Legendary
*
Offline Offline

Activity: 2142
Merit: 1010

Newbie


View Profile
January 03, 2014, 12:38:03 PM
 #5

Do you accept any suggestions here, or flaws only?
What if I found some potentially bad code?

Only flaws, feel free to create another thread for suggestions and post link here.
salsacz
Hero Member
*****
Offline Offline

Activity: 490
Merit: 504


View Profile
January 03, 2014, 12:38:47 PM
 #6

Quote
@Override
      public int compareTo(BidOrder o) {
         
         if (price > o.price) {
            
            return -1;
            
         } else if (price < o.price) {
            
            return 1;

there should be replaced <> to:

Quote
@Override
      public int compareTo(BidOrder o) {
         
         if (price < o.price) {
            
            return -1;
            
         } else if (price > o.price) {
            
            return 1;
Boxxl
Hero Member
*****
Offline Offline

Activity: 800
Merit: 502



View Profile
January 03, 2014, 12:41:56 PM
Last edit: January 03, 2014, 02:48:53 PM by Boxxl
 #7

The http:// is not a real secure address:
--------------------------------------------------------
Code:
new URL("http://" + address);
--------------------------------------------------------
Code:
new URL("http://" + announcedAddress);
--------------------------------------------------------
Code:
URL url = new URL("http://" + announcedAddress + ((new URL("http://" + announcedAddress)).getPort() < 0 ? ":7874" : "") + "/nxt");
--------------------------------------------------------
            
This should be https:// in the future..

My address: Smiley
17665579946762640918

No Signature right now...
Come-from-Beyond (OP)
Legendary
*
Offline Offline

Activity: 2142
Merit: 1010

Newbie


View Profile
January 03, 2014, 12:44:30 PM
 #8

Quote
@Override
      public int compareTo(BidOrder o) {
         
         if (price > o.price) {
            
            return -1;
            
         } else if (price < o.price) {
            
            return 1;

there should be replaced <> to:

Quote
@Override
      public int compareTo(BidOrder o) {
         
         if (price < o.price) {
            
            return -1;
            
         } else if (price > o.price) {
            
            return 1;

Why?
Come-from-Beyond (OP)
Legendary
*
Offline Offline

Activity: 2142
Merit: 1010

Newbie


View Profile
January 03, 2014, 12:44:59 PM
 #9

The http:// is not a real secure address:
--------------------------------------------------------
new URL("http://" + address);
--------------------------------------------------------
new URL("http://" + announcedAddress);
--------------------------------------------------------
URL url = new URL("http://" + announcedAddress + ((new URL("http://" + announcedAddress)).getPort() < 0 ? ":7874" : "") + "/nxt");
--------------------------------------------------------
            
This should be https:// in the future..

My address: Smiley
17665579946762640918

It is secure.
luckygenough56
Legendary
*
Offline Offline

Activity: 1526
Merit: 1012



View Profile
January 03, 2014, 12:45:51 PM
 #10

another polemic to bring the prices down ?  Wink
Come-from-Beyond (OP)
Legendary
*
Offline Offline

Activity: 2142
Merit: 1010

Newbie


View Profile
January 03, 2014, 12:46:14 PM
 #11

Quote
@Override
      public int compareTo(BidOrder o) {
         
         if (price > o.price) {
            
            return -1;
            
         } else if (price < o.price) {
            
            return 1;

there should be replaced <> to:

Quote
@Override
      public int compareTo(BidOrder o) {
         
         if (price < o.price) {
            
            return -1;
            
         } else if (price > o.price) {
            
            return 1;

Why?

It's part of Asset Exchange. Looks like BCNext forgot to remove this code. Don't pay attention.
EmoneyRu
Hero Member
*****
Offline Offline

Activity: 600
Merit: 500

Nxt-kit developer


View Profile
January 03, 2014, 12:51:35 PM
 #12

Code:
(amount + fee) * 100L > account.unconfirmedBalance
That bug with overflow when (amount + fee) * 100L > int_max?

lonesoul
Sr. Member
****
Offline Offline

Activity: 308
Merit: 250


View Profile
January 03, 2014, 12:55:57 PM
 #13

another polemic to bring the prices down ?  Wink


how do you mean?

the code was released with the flaws so that people can see what they are working with, the flaws were added by the developer.

the flaws are in place to stop people immediately cloning the code and releasing their own version.

people will need to wait to see if all the flaws have been found before confirmation that the source is in fact in its fully working condition again.


When i first read about the code release i was a little dubious but I personally think its a great way to get the source out there for review, also gain extra interest from people because of the rewards but also the subtle way they now have multiple coders looking over their code and getting to understand it.

im assuming they aren't expecting clones to appear over night but im sure the developer realises if his code is a cut above the current code behind most of the other coins, that it will eventually take off and more "NXTLiteCoin" versions will emerge.


all in all i think its a cracking play on NXT's side and will actually help the prices rather than hurt them.

At least thats how i saw it ;-) I could have completely the wrong end of the stick - I just wish i had even the smallest understanding of the code itself so i could take part lol.

Please click this link-> https://mcxnow.com/?r=Stuartnorth       (The link is a referral link, it costs you nothing, but provides a little bonus for me if you click through to the site. Please help feed my baby. Thanks :-) )
Come-from-Beyond (OP)
Legendary
*
Offline Offline

Activity: 2142
Merit: 1010

Newbie


View Profile
January 03, 2014, 12:58:09 PM
 #14

Code:
(amount + fee) * 100L > account.unconfirmedBalance
That bug with overflow when (amount + fee) * 100L > int_max?

No, 100L tells that the result will be a 64-bit number.
nastybit
Newbie
*
Offline Offline

Activity: 42
Merit: 0


View Profile
January 03, 2014, 12:59:07 PM
 #15

another polemic to bring the prices down ?  Wink


how do you mean?

the code was released with the flaws so that people can see what they are working with, the flaws were added by the developer.

the flaws are in place to stop people immediately cloning the code and releasing their own version.

people will need to wait to see if all the flaws have been found before confirmation that the source is in fact in its fully working condition again.


When i first read about the code release i was a little dubious but I personally think its a great way to get the source out there for review, also gain extra interest from people because of the rewards but also the subtle way they now have multiple coders looking over their code and getting to understand it.

im assuming they aren't expecting clones to appear over night but im sure the developer realises if his code is a cut above the current code behind most of the other coins, that it will eventually take off and more "NXTLiteCoin" versions will emerge.


all in all i think its a cracking play on NXT's side and will actually help the prices rather than hurt them.

At least thats how i saw it ;-) I could have completely the wrong end of the stick - I just wish i had even the smallest understanding of the code itself so i could take part lol.


The problem with releasing a fake is that you can find something really wrong and they can say "good, we already fix this / we already changed it" etc. it cannot be verified as it's not the real complete source code, kinda useless tbh
ImmortAlex
Hero Member
*****
Offline Offline

Activity: 784
Merit: 501


View Profile
January 03, 2014, 01:03:29 PM
 #16

Do you accept any suggestions here, or flaws only?
What if I found some potentially bad code?

Only flaws, feel free to create another thread for suggestions and post link here.

Source code analysis (QA).

Feel free everyone to post you suggestions there.
bitcoinpaul
Hero Member
*****
Offline Offline

Activity: 910
Merit: 1000



View Profile
January 03, 2014, 01:04:48 PM
 #17

another polemic to bring the prices down ?  Wink


how do you mean?

the code was released with the flaws so that people can see what they are working with, the flaws were added by the developer.

the flaws are in place to stop people immediately cloning the code and releasing their own version.

people will need to wait to see if all the flaws have been found before confirmation that the source is in fact in its fully working condition again.


When i first read about the code release i was a little dubious but I personally think its a great way to get the source out there for review, also gain extra interest from people because of the rewards but also the subtle way they now have multiple coders looking over their code and getting to understand it.

im assuming they aren't expecting clones to appear over night but im sure the developer realises if his code is a cut above the current code behind most of the other coins, that it will eventually take off and more "NXTLiteCoin" versions will emerge.


all in all i think its a cracking play on NXT's side and will actually help the prices rather than hurt them.

At least thats how i saw it ;-) I could have completely the wrong end of the stick - I just wish i had even the smallest understanding of the code itself so i could take part lol.


The problem with releasing a fake is that you can find something really wrong and they can say "good, we already fix this / we already changed it" etc. it cannot be verified as it's not the real complete source code, kinda useless tbh

Wrong, they have finished written statements - their hashes are posted in the first post.
hostmaster
Sr. Member
****
Offline Offline

Activity: 266
Merit: 250


View Profile WWW
January 03, 2014, 01:04:54 PM
 #18

The http:// is not a real secure address:
--------------------------------------------------------
new URL("http://" + address);
--------------------------------------------------------
new URL("http://" + announcedAddress);
--------------------------------------------------------
URL url = new URL("http://" + announcedAddress + ((new URL("http://" + announcedAddress)).getPort() < 0 ? ":7874" : "") + "/nxt");
--------------------------------------------------------
            
This should be https:// in the future..

My address: Smiley
17665579946762640918

It is secure.

https provides secured communications, otherwise it can be listened on network level and can be sniffed.
EmoneyRu
Hero Member
*****
Offline Offline

Activity: 600
Merit: 500

Nxt-kit developer


View Profile
January 03, 2014, 01:08:01 PM
 #19

Code:
(amount + fee) * 100L > account.unconfirmedBalance
That bug with overflow when (amount + fee) * 100L > int_max?

No, 100L tells that the result will be a 64-bit number.

Really? http://ideone.com/5zWQ0C

Come-from-Beyond (OP)
Legendary
*
Offline Offline

Activity: 2142
Merit: 1010

Newbie


View Profile
January 03, 2014, 01:08:55 PM
 #20

https provides secured communications, otherwise it can be listened on network level and can be sniffed.

No problem with that, all data must be public anyway.
Pages: [1] 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 ... 65 »
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!