Date: Mon, 27 Jun 2011 21:54:05 -0500
From: Doug Huff <dhuff@...obdobbs.org>
To: full-disclosure@...ts.grok.org.uk,
 "Mt.Gox" <info@...ox.com>
Subject: Live mtgox.com trade matching bug.

Step 1: Have USD available for spending on mtgox.com.
Step 2: Put in a buy order large enough to drain your account. Low enough under the current trading price that it will not execute immediately.
Step 3: Withdraw all USD funds.
Step 4: Wait for market to fall enough to meet your order.
Step 5: ...(self explanatory)...

There's a bit of luck in being able to take advantage, obviously.

I would suggest you take the site down asap until this is corrected or publicly show how this order will never execute:

==========
Welcome <username removed> 0.00000000 ฿TC 424.44901
Buying  138468.901  0.01  Active  1384.69  06/26 15:27  cancel
==========

I cannot guarantee this order will execute but from everything I've observed about the new trade matching code I have no reason to believe it will not.

At the very least this could be used to influence market conditions if it is only a display bug.
-- 
Doug Huff
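
A defensive sketch of the invariant the report implies is missing, added here as an example; it is not code from the original post or from Mt.Gox. It assumes the fix is to hold the cost of every open buy order and to let withdrawals draw only on the unheld balance. The `Account` class and its methods are hypothetical, and the starting balance is constructed.

```python
from decimal import Decimal

class InsufficientFunds(Exception):
    """Raised when an action would exceed the account's available USD."""

class Account:
    """Hypothetical USD account: open buy orders hold funds until filled or cancelled."""

    def __init__(self, usd):
        self.usd = Decimal(usd)      # total USD balance
        self.held = Decimal("0")     # USD reserved by open buy orders
        self.btc = Decimal("0")
        self.orders = {}             # order id -> (amount_btc, price_usd)
        self._next_id = 1

    @property
    def available(self):
        return self.usd - self.held

    def place_buy(self, amount_btc, price_usd):
        amount, price = Decimal(amount_btc), Decimal(price_usd)
        cost = amount * price
        if cost > self.available:
            raise InsufficientFunds("order cost exceeds available USD")
        self.held += cost            # reserve at placement, not at match time
        oid, self._next_id = self._next_id, self._next_id + 1
        self.orders[oid] = (amount, price)
        return oid

    def withdraw(self, usd):
        usd = Decimal(usd)
        if usd <= 0 or usd > self.available:   # held funds cannot leave
            raise InsufficientFunds("withdrawal exceeds available USD")
        self.usd -= usd

    def cancel(self, oid):
        amount, price = self.orders.pop(oid)
        self.held -= amount * price  # release the hold

    def fill(self, oid):
        """Matching-engine callback: settle only against the held funds."""
        amount, price = self.orders.pop(oid)
        cost = amount * price
        if self.held < cost or self.usd < cost:
            raise RuntimeError("hold invariant broken; refusing to settle")
        self.held -= cost
        self.usd -= cost
        self.btc += amount
```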