| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <1C8EEC93-776D-46F7-8B72-62035EE7CE00@jrbobdobbs.org> Date: Mon, 27 Jun 2011 21:54:05 -0500 From: Doug Huff <dhuff@...obdobbs.org> To: full-disclosure@...ts.grok.org.uk, "Mt.Gox" <info@...ox.com> Subject: Live mtgox.com trade matching bug. Step 1: Have USD available for spending on mtgox.com. Step 2: Put in a buy order large enough to drain your account. Low enough under the current trading price that it will not execute immediately. Step 3: Withdraw all USD funds. Step 4: Wait for market to fall enough to meet your order. Step 5: ...(self explanatory)... There's a bit of luck in being able to take advantage, obviously. I would suggest you take the site down asap until this is corrected or publicly show how this order will never execute: ========== Welcome <username removed> 0.00000000 ฿TC 424.44901 Buying 138468.901 0.01 Active 1384.69 06/26 15:27 cancel ========== I cannot guarantee this order will execute but from everything I've observed about the new trade matching code I have no reason to believe it will not. At the very least this could be used to influence market conditions if it is only a display bug. -- Doug Huff Download attachment "smime.p7s" of type "application/pkcs7-signature" (3737 bytes) Download attachment "PGP.sig" of type "application/pgp-signature" (882 bytes) _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists