ICBIT Derivatives Market (USD/BTC futures trading) - LIVE

[Fireball]

Good news everyone!
We just launched Bitcoin difficulty futures, DIFF-9.13
It's going to be an interesting financial instrument, happy trading! Questions are welcome, of course.

[1715700014]

1715700014

[picobit]

Good news everyone!
We just launched Bitcoin difficulty futures, DIFF-9.13
It's going to be an interesting financial instrument, happy trading! Questions are welcome, of course.

OK, so that is a new one, and not seen in other markets. 

But is it a financial instrument, or just betting??

[molecular]

Good news everyone!
We just launched Bitcoin difficulty futures, DIFF-9.13
It's going to be an interesting financial instrument, happy trading! Questions are welcome, of course.

OK, so that is a new one, and not seen in other markets.  

But is it a financial instrument, or just betting??

There have been difficulty futures on mpex and bitfunder since at least early this year.

of course I welcome this move.

[Fireball]

Good news everyone!
We just launched Bitcoin difficulty futures, DIFF-9.13
It's going to be an interesting financial instrument, happy trading! Questions are welcome, of course.

OK, so that is a new one, and not seen in other markets.  

But is it a financial instrument, or just betting??

There have been difficulty futures on mpex and bitfunder since at least early this year.

of course I welcome this move.

Could you link to the bitfunder spec/trading page regarding the difficulty futures? I can't find it.

[newminer7950]

Hi!
I recieve  error "UNABLE_TO_VERIFY_LEAF_SIGNATURE" when try to connect to your server.
This error raised only on my Ubuntu computer, but dont raise on windows (on the same javascript program in node.js). What may be a reason of this error (nearly 4 month ago I dont recieve this error on my linux computer, but then it was stop working)
Thank

[picobit]

Could you link to the bitfunder spec/trading page regarding the difficulty futures? I can't find it.

Search for iDiff, that is part of the name.  They settle significantly sooner than September, so it is not a useful indication of what the price at icbit should be

[Fireball]

A june BTC/USD futures contract (BUM3) was just settled. Open interest was 6007 contracts (or multiplying by two, 12014 total open positions). Settlement price is $101.99 (MtGox VWAP).
And, total trading volume for this contract is an amazing $1'046'060. Futures market is getting volume, finally!

Also, S&P500 futures was settled today at 1626.75 (spot price of S&P500 index reported in the moment of settlement). It's total trading volume is quite low, only 677 contracts were traded so far, however it's an important financial instrument, and has a lot of potential in it. It is replaced by the September futures, ESU3.

[Stephen Gornick]

Now, along with minor visual improvements, this page is going to require a one time password to be entered for any withdrawal operation, if you have tied Google Authenticator to your account.

I notice that simply doing a password reset through e-mail can successfully bypass two-factor authentication (2FA) protection as I can withdraw funds without 2FA after resetting the password.

Shouldn't the 2FA code be required to request a password reset (when 2FA is enabled)?

[boomerlu]

I get the feeling this exchange needs more marketing.

[Fireball]

I get the feeling this exchange needs more marketing.

That's so true! ;-)

[qxzn]

I have to log in with the "reset password" email link every time. I reset my password, log out, then I can't log in again.

I have done this many times, I'm sure I'm not messing up the password.

[Fireball]

I have to log in with the "reset password" email link every time. I reset my password, log out, then I can't log in again.

I have done this many times, I'm sure I'm not messing up the password.

Do you have Google Auth enabled for your account?

[picobit]

I notice that simply doing a password reset through e-mail can successfully bypass two-factor authentication (2FA) protection as I can withdraw funds without 2FA after resetting the password.

Shouldn't the 2FA code be required to request a password reset (when 2FA is enabled)?

This is serious.  That means that 2FA protection for withdrawal is nonexistent.  I hope this bug get fixed soon, password reset should not reset 2FA, forgetting the password and loosing access to your phone are two different problems.

[Fireball]

I notice that simply doing a password reset through e-mail can successfully bypass two-factor authentication (2FA) protection as I can withdraw funds without 2FA after resetting the password.

Shouldn't the 2FA code be required to request a password reset (when 2FA is enabled)?

This is serious.  That means that 2FA protection for withdrawal is nonexistent.  I hope this bug get fixed soon, password reset should not reset 2FA, forgetting the password and loosing access to your phone are two different problems.

No, it's not.

I performed testing, and could not reproduce this vulnerability. Password reset does not touch the 2FA settings.

Stephen, could you check and let me know exact steps to reproduce? Maybe I missed something. Thank you!

[Stephen Gornick]

I performed testing, and could not reproduce this vulnerability. Password reset does not touch the 2FA settings.

Stephen, could you check and let me know exact steps to reproduce? Maybe I missed something. Thank you!

Just to clarify, what I'm asserting is that if my e-mail account is compromised an attacker can reset my password and withdraw my funds.

Steps:

From a browser instance after clearing cache, cookies, etc:

Step 1: Confirm 2FA is active (Attempt to login to account in which 2FA is activated, using just username and password).  Response: "Your code isn't valid."
Step 2: Click "Request new password" button.
Step 3: Login using single use login sent via e-mail
Step 4: Once authenticated, click GA_Login tab [Edit: and click "Create code" button.]
"Google Authenticator is enabled for your account. If you want to create a new key - please click on the button below. The old key will be dropped."
Step 5: Add TOTP secret to Google Authenticator, mark "I have successfully scanned the current code" checkbox, and click "Code scanned" button.
Step 6: Withdraw funds using new TOTP secret from Google Authenticator

[qxzn]

I have to log in with the "reset password" email link every time. I reset my password, log out, then I can't log in again.

I have done this many times, I'm sure I'm not messing up the password.

Do you have Google Auth enabled for your account?

No.

[Fireball]

I performed testing, and could not reproduce this vulnerability. Password reset does not touch the 2FA settings.

Stephen, could you check and let me know exact steps to reproduce? Maybe I missed something. Thank you!

Just to clarify, what I'm asserting is that if my e-mail account is compromised an attacker can reset my password and withdraw my funds.

Steps:

From a browser instance after clearing cache, cookies, etc:

Step 1: Confirm 2FA is active (Attempt to login to account in which 2FA is activated, using just username and password).  Response: "Your code isn't valid."
Step 2: Click "Request new password" button.
Step 3: Login using single use login sent via e-mail
Step 4: Once authenticated, click GA_Login tab [Edit: and click "Create code" button.]
"Google Authenticator is enabled for your account. If you want to create a new key - please click on the button below. The old key will be dropped."
Step 5: Add TOTP secret to Google Authenticator, mark "I have successfully scanned the current code" checkbox, and click "Code scanned" button.
Step 6: Withdraw funds using new TOTP secret from Google Authenticator

Thanks a lot. We are in the process of fixing this by updating and improving the GA login code. I will publish results here ASAP.

[picobit]

I performed testing, and could not reproduce this vulnerability. Password reset does not touch the 2FA settings.

Stephen, could you check and let me know exact steps to reproduce? Maybe I missed something. Thank you!

Just to clarify, what I'm asserting is that if my e-mail account is compromised an attacker can reset my password and withdraw my funds.

Steps:

From a browser instance after clearing cache, cookies, etc:

Step 1: Confirm 2FA is active (Attempt to login to account in which 2FA is activated, using just username and password).  Response: "Your code isn't valid."
Step 2: Click "Request new password" button.
Step 3: Login using single use login sent via e-mail
Step 4: Once authenticated, click GA_Login tab [Edit: and click "Create code" button.]
"Google Authenticator is enabled for your account. If you want to create a new key - please click on the button below. The old key will be dropped."
Step 5: Add TOTP secret to Google Authenticator, mark "I have successfully scanned the current code" checkbox, and click "Code scanned" button.
Step 6: Withdraw funds using new TOTP secret from Google Authenticator

Of course the really difficult thing is to stop vulnerabilities like this, and still have a recovery path in case somebody loose their GA secret.  I just to my horror realized that on an iPhone the GA secrets are backed up in a way that they can only be restored on the same device.  Secure, but troublesome if I loose the device.

[myself]

Hey OP +Tycho did you guys considered LTC(BTCLTC) and doing the settlements in LTC and BTC ?

[ThePok]

If ICBIT starts settlement in Litecoins, i leave