Full Disclosure mailing list archives

Live mtgox.com trade matching bug.


From: Doug Huff <mith () jrbobdobbs org>
Date: Mon, 27 Jun 2011 21:46:13 -0500

Step 1: Have USD available for spending on mtgox.com.
Step 2: Put in a buy order large enough to drain your account. Low enough under the current trading price that it will not execute immediately.
Step 3: Withdraw all USD funds.
Step 4: Wait for market to fall enough to meet your order.
Step 5: ...(self explanatory)...

There's a bit of luck in being able to take advantage, obviously.

I would suggest you take the site down asap until this is corrected or publicly show how this order will never execute:

==========
Welcome <username removed> 0.00000000 ฿TC 424.44901
Buying  138468.901  0.01  Active  1384.69  06/26 15:27  cancel
==========

I cannot guarantee this order will execute but from everything I've observed about the new trade matching code I have no reason to believe it will not.

At the very least this could be used to influence market conditions if it is only a display bug.

-- 
Douglas Huff
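
The steps in the post depend on a withdrawal being accepted while an open buy order still counts on the same USD. One way a ledger can rule that out, by moving an order's cost into a hold when the order is placed, is sketched here as an added example; it is not part of the original post and not MtGox code. `Account`, its methods and `replay_report` are hypothetical names, and the starting balance is a constructed value.

```python
from decimal import Decimal

class InsufficientFunds(Exception): pass   # request needs more USD than is free

class Account:
    """Hypothetical ledger: USD backing an open buy order is moved into a hold."""
    def __init__(self, usd):
        self.available = Decimal(usd)   # free USD: can be spent or withdrawn
        self.held = Decimal(0)          # USD reserved by open buy orders
        self.btc = Decimal(0)
        self.orders = {}                # order id -> (btc amount, limit, hold)
        self.seq = 0

    def place_buy(self, amount, price):
        amount, price = Decimal(amount), Decimal(price)
        hold = amount * price           # worst-case cost if filled at the limit
        if hold > self.available:
            raise InsufficientFunds("order cost exceeds available USD")
        self.available -= hold
        self.held += hold
        self.seq += 1
        self.orders[self.seq] = (amount, price, hold)
        return self.seq

    def withdraw(self, usd):
        usd = Decimal(usd)
        if usd > self.available:        # held USD is never withdrawable
            raise InsufficientFunds("withdrawal exceeds available USD")
        self.available -= usd

    def fill(self, oid, trade_price):
        amount, limit, hold = self.orders[oid]
        trade_price = Decimal(trade_price)
        if trade_price > limit:
            raise ValueError("trade price above the order's limit")
        del self.orders[oid]
        self.held -= hold               # the fill is paid out of the hold only
        self.available += hold - amount * trade_price   # refund any price gain
        self.btc += amount

def replay_report():
    acct = Account("1384.69")                    # constructed starting balance
    oid = acct.place_buy("138468.901", "0.01")   # order figures from the post
    try:
        acct.withdraw("1384.69")                 # step 3 of the post
        withdrew = True
    except InsufficientFunds:
        withdrew = False
    acct.fill(oid, "0.01")                       # market reaches the order
    return withdrew, acct.available, acct.held, acct.btc
```

With the hold in place, the withdrawal in step 3 is refused and the later fill is paid entirely from reserved funds.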

