freewil (OP)
Member
Offline
Activity: 92
Merit: 10
May 12, 2012, 07:58:12 AM Last edit: July 14, 2012, 08:34:10 AM by freewil
Any recommendations/bug reports are still appreciated, but you will not receive any monetary reward for them

UPDATE - 2012/07/08 - liquidity providers now receive 0.55% rebate, liquidity takers pay 0.60% fee
UPDATE - 2012/05/25 - liquidity providers now receive 0.10% rebate, liquidity takers pay 0.60% fee
UPDATE - The testnet version of the site is now available for testing: https://test.bitme.com

BTC for Bugs
For the next couple weeks I will be rewarding people for trying out the testnet version of the site and to find bugs. I will give 5 BTC for trivial, 10 BTC for minor, 20+ BTC for major bugs to the first to discover and/or describe it best for reproducibility.

Bugs Found - 127 BTC paid out
- trivial - poor alignment in bid/ask radio selection in Chrome - thanks splatster
- trivial - "commodity" typo in terms of use - thanks splatster
- trivial - unnecessary margin on order cancel button (actually is on the form element) - thanks splatster
- minor - buggy behavior when clicking "New" multiple times for an order - thanks bencoder
- trivial - clicking "Terms of Use" link on join page causes user to lose entered data - thanks bencoder
- major - even after logging out, back button of browser still shows you previous HTTPS page. - thanks flatfly
- trivial - lots of feedback on important details, user experience - thanks Sukrim
- minor - login may fail with general error message under some conditions - thanks flatfly
- trivial - prevent form double submission - thanks flatfly
- trivial - no background on password strength bar in IE - thanks flatfly
- trivial - orderbook spamming, bid/ask precision grouping - thanks bencoder
- trivial - layout issues in IE (specifically in IE8) - thanks raitoninglass
- major - easily exploitable DoS attack vector due to JS minification/building - thanks flatfly - 20 BTC owed
- trivial - typo in terms of use, should be "...make use of personal information..." - thanks flatfly
- major - partially-executed orders are not reflected properly in orderbook - thanks EskimoBob - 20 BTC owed

Known issues
- Overlapping elements on mobile/small screens
- some functionality broken without javascript enabled
- The 'Place Order' blue button is overlapping on the next column
- Not supporting older than IE8
- Placing an order broken in IE
- Favicon 404s on testnet
- CSRF token doesn't update on order failure

==================================

tldr;
* I made an exchange called BitMe, it will launch on testnet only either this Sunday night or Monday
* I will be rewarding people to try it out and to find bugs

I will update this original post once the testnet is live.

In the works for approximately 8 months or so, through at least 2 different iterations, I am finally ready to launch the testnet version of my new exchange, BitMe. BitMe aims to be a secure and simple alternative platform that takes a forex-style approach to trading, using a base currency and counter currency, although a trading commission is taken from the receiving currency upon order execution. For the purposes of the testnet launch a 0.50% fee will be charged for all order executions, although this will change once launched to the realnet to reward liquidity providers.

For the next couple weeks I will be rewarding people for trying out the testnet version of the site and to find bugs. I will give 5 BTC for trivial, 10 BTC for minor, 20+ BTC for major bugs to the first to discover and/or describe it best for reproducibility. At my own discretion I will decide the category the bug falls into.

Known issues that I'm not interested in:
* Overlapping elements on mobile/small screens

Initially only BTC/USD will be available for buying and selling. Sorry, I don't have any plans to add any others anytime soon.

I welcome anyone who is interested to idle on #bitme on FreeNode.

~Sean Lavine (freewil)

dogisland
May 12, 2012, 09:27:55 AM
That's a competitive market you're entering. Why would anyone use your exchange over the competition?

freewil (OP)
Member
Offline
Activity: 92
Merit: 10
May 12, 2012, 09:43:24 AM
Quote from: dogisland
That's a competitive market you're entering. Why would anyone use your exchange over the competition?

Well let me address security first. While I make no guarantees about the security or safety of the software, I have completely decoupled bitcoind from the exchange itself.
- The actual bitcoins and bitcoind will not be hosted in the cloud at all
- I have made a custom daemon that acts as an intermediary between the exchange itself and bitcoind. It works as a queue processing deposits and withdrawals. This allows me to add some safety triggers, and it can be shut down altogether on certain measures, like when an alert is sent out (seen by getinfo.errors) or large transactions are seen.
Also, I think my exchange will be easier and simpler for people to use.
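The queue daemon freewil describes, sketched as an added example (this is not BitMe's code): a withdrawal worker drains a queue against an injected bitcoind-style RPC object and halts, leaving the remaining items queued for an operator, when getinfo reports an error string or a withdrawal exceeds a size limit. FakeBitcoind, the limit values and the worker interface are all assumptions made for the example.

```python
from collections import deque
from dataclasses import dataclass, field


class FakeBitcoind:
    """Constructed stand-in for the two bitcoind RPC calls the worker uses."""

    def __init__(self, errors=""):
        self.errors = errors      # what getinfo()["errors"] would report
        self.sent = []            # (address, amount) pairs actually paid out

    def getinfo(self):
        return {"errors": self.errors}

    def sendtoaddress(self, address, amount):
        self.sent.append((address, amount))
        return "txid-%d" % len(self.sent)


@dataclass
class WithdrawalWorker:
    rpc: object                   # bitcoind-like RPC client (assumed interface)
    max_single: float = 10.0      # halt on any single withdrawal above this (assumed)
    max_window: float = 50.0      # halt once the running total would exceed this (assumed)
    halted: str = ""              # reason the worker stopped; empty while running
    queue: deque = field(default_factory=deque)
    paid_total: float = 0.0

    def enqueue(self, address, amount):
        self.queue.append((address, amount))

    def _safety_check(self, amount):
        # Trigger 1: bitcoind is carrying an alert (getinfo.errors non-empty).
        errors = self.rpc.getinfo().get("errors", "")
        if errors:
            return "alert: " + errors
        # Trigger 2: an unusually large transaction, single or cumulative.
        if amount > self.max_single:
            return "large withdrawal: %.8f" % amount
        if self.paid_total + amount > self.max_window:
            return "window limit reached"
        return ""

    def process(self):
        """Drain the queue until empty or a trigger fires; return txids sent."""
        txids = []
        while self.queue and not self.halted:
            address, amount = self.queue[0]
            reason = self._safety_check(amount)
            if reason:
                self.halted = reason      # item stays queued for manual review
                break
            txids.append(self.rpc.sendtoaddress(address, amount))
            self.paid_total += amount
            self.queue.popleft()
        return txids
```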

kangasbros
May 12, 2012, 10:43:13 AM
Quote from: freewil
Well let me address security first. While I make no guarantees about the security or safety of the software, I have completely decoupled bitcoind from the exchange itself.
- The actual bitcoins and bitcoind will not be hosted in the cloud at all
- I have made a custom daemon that acts as an intermediary between the exchange itself and bitcoind. It works as a queue processing deposits and withdrawals. This allows me to add some safety triggers, and it can be shut down altogether on certain measures, like when an alert is sent out (seen by getinfo.errors) or large transactions are seen.
Also, I think my exchange will be easier and simpler for people to use.

No offence, but I don't see people flocking to your exchange because of "superior security". Even if the setup sounds nifty, it is closed source and we have to trust you. What about fees, payment methods, etc?

freewil (OP)
Member
Offline
Activity: 92
Merit: 10
May 12, 2012, 10:50:18 AM
Quote from: kangasbros
What about fees, payment methods, etc?

Most of this is yet to be determined. For the initial testnet launch all trades will be subject to a 0.50% commission on the receiving currency upon execution. This will be changed for the realnet launch to reward liquidity providers. As far as withdrawals, Dwolla will be the preferred method. For deposits, I am currently looking into various options including MoneyPak and bank wire.

Littleshop
Legendary
Offline
Activity: 1386
Merit: 1004
May 12, 2012, 09:18:07 PM
Quote from: kangasbros
What about fees, payment methods, etc?

Quote from: freewil
As far as withdrawals, Dwolla will be the preferred method.

+1 Just don't allow DEPOSITS via Dwolla. Or you will be doomed.

freewil (OP)
Member
Offline
Activity: 92
Merit: 10
May 14, 2012, 07:30:12 AM
The testnet version of the site is now available for testing: https://test.bitme.com

whiskers75
May 14, 2012, 07:57:42 PM
Graphics get kinda screwy on an iPhone in portrait mode... with the BitMe logo getting cut off! Also, the tables in Deposits and suchlike are not aligned right... Here is a pic: http://db.tt/ixnDKx5T
If this earned me some BTC... BTC address in the sig

freewil (OP)
Member
Offline
Activity: 92
Merit: 10
May 14, 2012, 08:49:45 PM
Quote from: whiskers75
Graphics get kinda screwy on an iPhone in portrait mode... with the BitMe logo getting cut off! Also, the tables in Deposits and suchlike are not aligned right... Here is a pic: http://db.tt/ixnDKx5T
If this earned me some BTC... BTC address in the sig

Sorry, I've already mentioned in the original post that mobile rendering is a known issue and is not currently of concern. I've updated the original post to make this more clear (added to the top).

whiskers75
May 14, 2012, 08:54:21 PM
Ok what about the notice with USD saying: The maximum amount is 500.0 Shouldn't that be: The maximum amount is 500.00USD? One decimal place seems weird :\

freewil (OP)
Member
Offline
Activity: 92
Merit: 10
May 15, 2012, 06:24:34 AM
Quote from: whiskers75
Ok what about the notice with USD saying: The maximum amount is 500.0 Shouldn't that be: The maximum amount is 500.00USD? One decimal place seems weird :\

boy, this is some real low-hanging fruit here - especially since this is a feature only specific to testnet. I'll send you 2 BTC for this.

bencoder
Member
Offline
Activity: 90
Merit: 10
May 15, 2012, 09:21:28 AM Last edit: May 15, 2012, 10:10:14 AM by bencoder
Attack surface is pretty low. I can't find anything obvious through fudging with form parameters but I'll keep looking when I have time.

Couple of trivial/minor things:

You can click new multiple times and it makes many rows of the new order form. I thought this was so you could create multiple orders at the same time which I thought was a good feature - However, you can only select one of the radio buttons across the whole set so this looks like a bug. (pic: http://i50.tinypic.com/34so4du.png) IMO, if you do make this feature there should be a button at the bottom so you can place all the orders at the same time rather than having to click the place order button on each individual row.

Very trivial thing, don't know if it's an actual issue or a conscious decision: on Signup, the terms and condition link changes the page rather than opens in a popup so I lost the password I had entered when I hit back. Normally I middle click those links to open them in a new tab but sometimes they are javascript links (to open the t&c in a pop-up) which means that doesn't work. If you do decide to make it a javascript pop-up, leave the link as it is, and use the onclick to open the popup and return false so it doesn't actually change the page. That makes middle click work to open the link as normal, and left click calls the onclick handler to open the popup and cancels the normal link action.

Bitcoin address, if accepted: 1GgQn4VGwv75x2bNweua4Ko34tGvZXjkNj

flatfly
Legendary
Offline
Activity: 1092
Merit: 1016
May 15, 2012, 09:48:59 AM
Privacy/security issue:
even after logging out, back button of browser still shows you previous HTTPS page.

freewil (OP)
Member
Offline
Activity: 92
Merit: 10
May 15, 2012, 10:52:41 AM
Quote from: bencoder
Attack surface is pretty low. I can't find anything obvious through fudging with form parameters but I'll keep looking when I have time.

Couple of trivial/minor things:

You can click new multiple times and it makes many rows of the new order form. I thought this was so you could create multiple orders at the same time which I thought was a good feature - However, you can only select one of the radio buttons across the whole set so this looks like a bug. (pic: http://i50.tinypic.com/34so4du.png) IMO, if you do make this feature there should be a button at the bottom so you can place all the orders at the same time rather than having to click the place order button on each individual row.

Very trivial thing, don't know if it's an actual issue or a conscious decision: on Signup, the terms and condition link changes the page rather than opens in a popup so I lost the password I had entered when I hit back. Normally I middle click those links to open them in a new tab but sometimes they are javascript links (to open the t&c in a pop-up) which means that doesn't work. If you do decide to make it a javascript pop-up, leave the link as it is, and use the onclick to open the popup and return false so it doesn't actually change the page. That makes middle click work to open the link as normal, and left click calls the onclick handler to open the popup and cancels the normal link action.

Bitcoin address, if accepted: 1GgQn4VGwv75x2bNweua4Ko34tGvZXjkNj

thanks, just sent 15 BTC

freewil (OP)
Member
Offline
Activity: 92
Merit: 10
May 15, 2012, 11:02:23 AM
Quote from: flatfly
Privacy/security issue:
even after logging out, back button of browser still shows you previous HTTPS page.

Thanks for pointing this out. This was already on my todo list, but I'll give you the 20BTC anyway.

flatfly
Legendary
Offline
Activity: 1092
Merit: 1016
May 15, 2012, 11:16:28 AM
Quote from: flatfly
Privacy/security issue:
even after logging out, back button of browser still shows you previous HTTPS page.

Quote from: freewil
Thanks for pointing this out. This was already on my todo list, but I'll give you the 20BTC anyway.

Thanks, this is really generous! I have found another thing, but I don't know if you'll consider that a real issue or not: in the Join page ( https://test.bitme.com/join), the "confirm password" field allows clipboard pasting, which kinda defeats its purpose... The vast majority of financial sites I have dealt with do not allow that.

freewil (OP)
Member
Offline
Activity: 92
Merit: 10
May 15, 2012, 12:07:25 PM
Quote from: flatfly
in the Join page ( https://test.bitme.com/join), the "confirm password" field allows clipboard pasting, which kinda defeats its purpose... The vast majority of financial sites I have dealt with do not allow that.

I generally prefer to stay away from these types of annoying techniques which purposely break default functionality. This could quite easily interfere with something like a password manager.

flatfly
Legendary
Offline
Activity: 1092
Merit: 1016
May 15, 2012, 01:10:39 PM
Quote from: flatfly
in the Join page ( https://test.bitme.com/join), the "confirm password" field allows clipboard pasting, which kinda defeats its purpose... The vast majority of financial sites I have dealt with do not allow that.

Quote from: freewil
I generally prefer to stay away from these types of annoying techniques which purposely break default functionality. This could quite easily interfere with something like a password manager.

Sure, I understand! Here are a few other things by the way:
1/ layout/cosmetic: The 'Place Order' blue button is overlapping on the next column (in Google Chrome, Win XP)
2/ authentication: Login (either as Demo user or regular user) just fails for me in IE8. 'There was a problem logging you in, please try again'

Sukrim
Legendary
Offline
Activity: 2618
Merit: 1007
May 15, 2012, 01:43:41 PM
I tested using javascript turned off (NoScript addon in Firefox). Demo button worked so far (great!) BUT clicking on the "new" order button on the dashboard of the test user (leads to https://test.bitme.com/buy) I just get a 404. Clicking on the "X" buttons in the Dashboard has no effect with Javascript turned off.

Maybe more cosmetic/not implemented: The US flag in the lower right corner has no tooltip or any apparent function. Could indicate English language or the USD market...?!

Open a session (Demo), middle click on a link (e.g. withdraw) to open it in a new tab, click logout there in the new tab, close the tab, click logout in the original tab (demo dashboard) --> you get a 403 forbidden page. What's worse, you get no immediate chance to do anything there, if you don't guess/know that the header "[testnet]bitme" is a link to the main page.

There is no check if the payout address is even a valid address, I could enter "1234567890123456789012345678901234" as address in the withdraw section. It only seems to expect a string of 34 characters. Also the limit seems to be at least 0.01 BTC which is mentioned only AFTER entering any amount there.

Address for bounty (if accepted as bug): 1u774EAK5PSEhvMzKLURBFtjhJqQUpb6r

freewil (OP)
Member
Offline
Activity: 92
Merit: 10
May 15, 2012, 02:43:35 PM
Quote from: Sukrim
I tested using javascript turned off (NoScript addon in Firefox). Demo button worked so far (great!) BUT clicking on the "new" order button on the dashboard of the test user (leads to https://test.bitme.com/buy) I just get a 404. Clicking on the "X" buttons in the Dashboard has no effect with Javascript turned off.

Don't worry, I greatly respect users of NoScript and plan to make the site fully functional without javascript soon!

Quote from: Sukrim
Maybe more cosmetic/not implemented: The US flag in the lower right corner has no tooltip or any apparent function. Could indicate English language or the USD market...?!

Hmmm... I meant to put it in there just to mean that BitMe, LLC is a US-based and registered company. Good suggestion with the tooltip.

Quote from: Sukrim
Open a session (Demo), middle click on a link (e.g. withdraw) to open it in a new tab, click logout there in the new tab, close the tab, click logout in the original tab (demo dashboard) --> you get a 403 forbidden page. What's worse, you get no immediate chance to do anything there, if you don't guess/know that the header "[testnet]bitme" is a link to the main page.

This is expected behavior since once you kill your session you can't logout again, but point taken, this could be more user-friendly!

Quote from: Sukrim
There is no check if the payout address is even a valid address, I could enter "1234567890123456789012345678901234" as address in the withdraw section. It only seems to expect a string of 34 characters. Also the limit seems to be at least 0.01 BTC which is mentioned only AFTER entering any amount there.

Yes, this page could use some directions as far as the minimum withdraw amount. Also, the address validation is oversimplified here. This will be improved at some point, but this is not really a problem because the address will eventually be validated for real and will not be sent if bitcoind finds it to be invalid. This can easily be resolved by an admin without any loss of the BTC withdraw amount.

Quote from: Sukrim
Address for bounty (if accepted as bug): 1u774EAK5PSEhvMzKLURBFtjhJqQUpb6r

Thanks for all of the feedback! Most of this is expected behavior and I would call these "enhancements" rather than bugs. But I will send you 7 BTC!
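Sukrim's 34-character string and the "oversimplified" length check freewil mentions both come down to base58check, so here is an added example (not BitMe's code) of validating a pay-to-pubkey-hash address offline, before anything reaches bitcoind: it checks the base58 alphabet, the version byte for the chosen network, and the double-SHA256 checksum, and includes an encoder so a known-good address can be constructed for testing. The function names, the network table and the sample inputs are assumptions made for this example.

```python
import hashlib

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Version bytes of P2PKH addresses: 0x00 on mainnet, 0x6f on testnet.
P2PKH_VERSIONS = {"mainnet": {0x00}, "testnet": {0x6f}}


def _checksum(payload: bytes) -> bytes:
    """First four bytes of SHA256(SHA256(payload))."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def base58check_encode(version: int, hash160: bytes) -> str:
    """Build an address from a version byte and a 20-byte hash (for testing)."""
    payload = bytes([version]) + hash160
    data = payload + _checksum(payload)
    n = int.from_bytes(data, "big")
    digits = ""
    while n:
        n, rem = divmod(n, 58)
        digits = ALPHABET[rem] + digits
    # Every leading zero byte is represented by a leading '1'.
    leading = len(data) - len(data.lstrip(b"\x00"))
    return "1" * leading + digits


def base58check_decode(addr: str) -> bytes:
    """Return the version+hash payload, or raise ValueError if addr is malformed."""
    n = 0
    for ch in addr:
        if ch not in ALPHABET:          # '0', 'O', 'I' and 'l' are never valid
            raise ValueError("character %r is not base58" % ch)
        n = n * 58 + ALPHABET.index(ch)
    leading = len(addr) - len(addr.lstrip("1"))
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")   # b"" when n == 0
    data = b"\x00" * leading + body
    if len(data) < 5:
        raise ValueError("too short to carry a checksum")
    payload, checksum = data[:-4], data[-4:]
    if _checksum(payload) != checksum:
        raise ValueError("checksum mismatch")
    return payload


def is_valid_p2pkh(addr: str, network: str = "testnet") -> bool:
    """True only for a well-formed P2PKH address of the given network."""
    try:
        payload = base58check_decode(addr)
    except ValueError:
        return False
    return len(payload) == 21 and payload[0] in P2PKH_VERSIONS[network]
```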