Bitcoin Forum
Topic: Keeping bitcoins secure in hot wallet/ prevent getting hacked (Read 1192 times)
gravitate (OP)
February 25, 2016, 08:20:42 AM
 #1

I am opening a bitcoin-related site where you can buy bitcoins for Fiat.

I am thinking about using the Coinbase API to do this.

But how can I keep my assets secure? I mean if I allow my web app to use the Coinbase API to buy and send bitcoins (if that's even possible)

Then how do I prevent getting hacked?

I'm a noob to all this and am paying someone to build the web app for me.

Any advice for security would be great, really anything.

To peel or not to peel.
OmegaStarScream
February 25, 2016, 08:31:43 AM
 #2

So it will be for buying/selling, which means that you will store the bitcoins in the website. Don't do what the other website does: you should give full control of private keys to users, and you shouldn't store their passwords/seeds or anything related to their wallets in your database; only wallet.dat should be stored there (but it's useless since you don't have their passwords). That way, if you get hacked... they can't do much (they can always try to crack them), but if they are physical servers guarded like Blockchain.info, there is nothing to worry about.

Emerge
February 25, 2016, 10:55:39 AM
 #3

So it will be for buying/selling, which means that you will store the bitcoins in the website. Don't do what the other website does: you should give full control of private keys to users, and you shouldn't store their passwords/seeds or anything related to their wallets in your database; only wallet.dat should be stored there (but it's useless since you don't have their passwords). That way, if you get hacked... they can't do much (they can always try to crack them), but if they are physical servers guarded like Blockchain.info, there is nothing to worry about.

I don't think gravitate will store any Bitcoins in the website since the Bitcoins ARE stored in COINBASE, as he said above.
OmegaStarScream
February 25, 2016, 11:53:41 AM
 #4

So it will be for buying/selling, which means that you will store the bitcoins in the website. Don't do what the other website does: you should give full control of private keys to users, and you shouldn't store their passwords/seeds or anything related to their wallets in your database; only wallet.dat should be stored there (but it's useless since you don't have their passwords). That way, if you get hacked... they can't do much (they can always try to crack them), but if they are physical servers guarded like Blockchain.info, there is nothing to worry about.

I don't think gravitate will store any Bitcoins in the website since the Bitcoins ARE stored in COINBASE, as he said above.

He said buying and sending using Coinbase; that doesn't mean it should be stored in Coinbase, does it?
If that's the case, then why worry about getting hacked, since all the Bitcoin are stored at Coinbase? If they get hacked, he gets hacked; otherwise nothing happens to the coins.

gravitate (OP)
February 25, 2016, 12:00:35 PM
 #5

So it will be for buying/selling, which means that you will store the bitcoins in the website. Don't do what the other website does: you should give full control of private keys to users, and you shouldn't store their passwords/seeds or anything related to their wallets in your database; only wallet.dat should be stored there (but it's useless since you don't have their passwords). That way, if you get hacked... they can't do much (they can always try to crack them), but if they are physical servers guarded like Blockchain.info, there is nothing to worry about.

I don't think gravitate will store any Bitcoins in the website since the Bitcoins ARE stored in COINBASE, as he said above.

He said buying and sending using Coinbase; that doesn't mean it should be stored in Coinbase, does it?
If that's the case, then why worry about getting hacked, since all the Bitcoin are stored at Coinbase? If they get hacked, he gets hacked; otherwise nothing happens to the coins.

I will be using the API of Coinbase. Is there anything to prevent someone hacking my web app and using the API to withdraw bitcoins? Or is it safer to use hot/cold wallets on my web app and use Coinbase to buy as and when?

I hope I make sense.

To peel or not to peel.
Emerge
February 25, 2016, 12:07:30 PM
 #6

So it will be for buying/selling, which means that you will store the bitcoins in the website. Don't do what the other website does: you should give full control of private keys to users, and you shouldn't store their passwords/seeds or anything related to their wallets in your database; only wallet.dat should be stored there (but it's useless since you don't have their passwords). That way, if you get hacked... they can't do much (they can always try to crack them), but if they are physical servers guarded like Blockchain.info, there is nothing to worry about.

I don't think gravitate will store any Bitcoins in the website since the Bitcoins ARE stored in COINBASE, as he said above.

He said buying and sending using Coinbase; that doesn't mean it should be stored in Coinbase, does it?
If that's the case, then why worry about getting hacked, since all the Bitcoin are stored at Coinbase? If they get hacked, he gets hacked; otherwise nothing happens to the coins.

I will be using the API of Coinbase. Is there anything to prevent someone hacking my web app and using the API to withdraw bitcoins? Or is it safer to use hot/cold wallets on my web app and use Coinbase to buy as and when?

I hope I make sense.

It depends on how you use the API. If you show your details too much in your use of the API, then it will be seen and may be used against you.
gravitate (OP)
February 25, 2016, 12:11:25 PM
 #7

Are there any consultants who would help with this? I don't mind paying a small fee; I just want them to do a framework for my DEV to work to. My DEV is outstanding, just not as much blockchain tech experience as I would have liked.

To peel or not to peel.
OmegaStarScream
February 25, 2016, 12:15:20 PM
 #8

So it will be for buying/selling, which means that you will store the bitcoins in the website. Don't do what the other website does: you should give full control of private keys to users, and you shouldn't store their passwords/seeds or anything related to their wallets in your database; only wallet.dat should be stored there (but it's useless since you don't have their passwords). That way, if you get hacked... they can't do much (they can always try to crack them), but if they are physical servers guarded like Blockchain.info, there is nothing to worry about.

I don't think gravitate will store any Bitcoins in the website since the Bitcoins ARE stored in COINBASE, as he said above.

He said buying and sending using Coinbase; that doesn't mean it should be stored in Coinbase, does it?
If that's the case, then why worry about getting hacked, since all the Bitcoin are stored at Coinbase? If they get hacked, he gets hacked; otherwise nothing happens to the coins.

I will be using the API of Coinbase. Is there anything to prevent someone hacking my web app and using the API to withdraw bitcoins? Or is it safer to use hot/cold wallets on my web app and use Coinbase to buy as and when?

I hope I make sense.

I'm not getting something: when you said people will buy Bitcoins for fiat, will that bitcoin go directly to their personal wallets (Electrum, Bitcoin Core, etc.) or to their wallets in your website? If it's the second one, then read the post above.
Now if it goes directly to their wallets, users won't really be affected by the hack, but you will if you don't take the needed security measures.
If you are looking for professional developers, I'd suggest looking at oDesk or Freelancer.com.

gravitate (OP)
February 25, 2016, 12:37:09 PM
 #9

They will be stored on the web site

To peel or not to peel.
gravitate (OP)
February 25, 2016, 12:37:43 PM
 #10

They will be stored on the web site


Until they withdraw. So they will have a wallet online with us.

To peel or not to peel.
Emerge
February 25, 2016, 12:43:01 PM
 #11

They will be stored on the web site


Until they withdraw. So they will have a wallet online with us.

Not really, the Bitcoins are still stored at Coinbase. Meaning as long as the end user doesn't see your API Key, your authentication details, then you're safe.
gravitate (OP)
February 25, 2016, 12:48:20 PM
 #12

They will be stored on the web site


Until they withdraw. So they will have a wallet online with us.

Not really, the Bitcoins are still stored at Coinbase. Meaning as long as the end user doesn't see your API Key, your authentication details, then you're safe.

Users will come on our site and create a wallet. They then buy bitcoins from us and pay FIAT. We then buy from Coinbase and fund their site wallet with BTC. Then they can withdraw the bitcoin to wherever they wish. Or is there a better way to do it?

To peel or not to peel.
Emerge
February 25, 2016, 01:24:55 PM
 #13

They will be stored on the web site


Until they withdraw. So they will have a wallet online with us.

Not really, the Bitcoins are still stored at Coinbase. Meaning as long as the end user doesn't see your API Key, your authentication details, then you're safe.

Users will come on our site and create a wallet. They then buy bitcoins from us and pay FIAT. We then buy from Coinbase and fund their site wallet with BTC. Then they can withdraw the bitcoin to wherever they wish. Or is there a better way to do it?

You can just send Bitcoins directly to their wallet so you'll save time, but there's always the danger of charge-backs.
gravitate (OP)
February 25, 2016, 01:49:40 PM
 #14

They will be stored on the web site


Until they withdraw. So they will have a wallet online with us.

Not really, the Bitcoins are still stored at Coinbase. Meaning as long as the end user doesn't see your API Key, your authentication details, then you're safe.

Users will come on our site and create a wallet. They then buy bitcoins from us and pay FIAT. We then buy from Coinbase and fund their site wallet with BTC. Then they can withdraw the bitcoin to wherever they wish. Or is there a better way to do it?

You can just send Bitcoins directly to their wallet so you'll save time, but there's always the danger of charge-backs.

Yup, that's why I'm gonna do bank transfer.

To peel or not to peel.
Mitchell
February 25, 2016, 01:57:41 PM
Last edit: February 25, 2016, 02:11:43 PM by Mitchełł
 #15

Quote
I will be using the API of Coinbase. Is there anything to prevent someone hacking my web app
If your web app gets hacked, you are fucked. To access the Coinbase API you will have to store something on your webserver so that the web app can prove that it has access to your account and is allowed to do transactions/buy bitcoins/etc. As soon as someone gains access to your web app, they can steal that information and use it to do API calls themselves. You could obfuscate the code, but that doesn't make it harder, just more time-consuming.

I would highly recommend you to not create an exchange website if you have no idea how to keep it secure. Letting someone else program it is also quite a gamble if you don't have programming experience. Who's to say that they don't include a little loophole so they can rob you later on?

EDIT: Yes, I know this is a pretty negative reaction, but I'm trying to get you to understand the risks of using an API for money-related services. For faucets it's usually okay as they don't hold a lot of money, but an exchange service is a different story. I would probably set up a Bitcoin full node and use that to do Bitcoin transactions (either using customers' Bitcoins or my own).

Anyway, I don't know enough about this subject to give a good opinion, so I'll shut up now.

gravitate (OP)
February 25, 2016, 02:14:49 PM
 #16

Quote
I will be using the API of Coinbase. Is there anything to prevent someone hacking my web app
If your web app gets hacked, you are fucked. To access the Coinbase API you will have to store something on your webserver so that the web app can prove that it has access to your account and is allowed to do transactions/buy bitcoins/etc. As soon as someone gains access to your web app, they can steal that information and use it to do API calls themselves. You could obfuscate the code, but that doesn't make it harder, just more time-consuming.

I would highly recommend you to not create an exchange website if you have no idea how to keep it secure. Letting someone else program it is also quite a gamble if you don't have programming experience. Who's to say that they don't include a little loophole so they can rob you later on?

EDIT: Yes, I know this is a pretty negative reaction, but I'm trying to get you to understand the risks of using an API for money-related services. For faucets it's usually okay as they don't hold a lot of money, but an exchange service is a different story. I would probably set up a Bitcoin full node and use that to do Bitcoin transactions (either using customers' Bitcoins or my own).

Anyway, I don't know enough about this subject to give a good opinion, so I'll shut up now.

Hey, yes, I understand the risks. After the answers I am going to make it much more simplified, like www.bittylicious.com

I know little bits of CODE. Also I would have someone look through the site to check for this kind of loophole.

Thanks for the advice :)

To peel or not to peel.
gravitate (OP)
February 25, 2016, 03:35:35 PM
 #17

Actually I have decided to make it a live process so I hold all the bitcoins and I receive payments.

For now. Then I might automate it in the future. I will automate it with MultiBit, so when an order comes in I just check my account balance and send the bitcoins... I can create a bot to do this for my Mac, I guess?

If I created a bot to check my bank account and send bitcoins based on this and an order, do you think this holds a risk also?

I want to sell ETH too as I am hooked on it with all the price fluctuation :)

To peel or not to peel.
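
An added example, not part of any post in this thread: post #15 notes that whatever credential the web app holds is exposed when the web app is compromised, and post #17 asks whether a bot that pays out on bank receipts carries risk. One way to limit that exposure is to keep the wallet credential in a separate payout process that re-checks every request; the class, limits, order ids and prices below are hypothetical and the sample data is constructed.

```python
from dataclasses import dataclass, field
from decimal import Decimal


@dataclass(frozen=True)
class BankPayment:
    """A cleared bank transfer, read from a source the web app cannot write to."""
    order_id: str
    fiat_amount: Decimal


@dataclass
class PayoutGuard:
    """Hypothetical gate that runs beside the wallet credential, not in the web app."""
    price_per_btc: Decimal        # fiat price quoted for these orders (constructed)
    max_btc_per_order: Decimal
    max_btc_per_day: Decimal
    paid_orders: set = field(default_factory=set)
    sent_today: Decimal = Decimal("0")

    def authorize(self, order_id, btc_amount, payments):
        """Return (allowed, reason) for one payout request from the web tier."""
        btc = Decimal(btc_amount)
        if order_id in self.paid_orders:
            return False, "order already paid out"
        payment = payments.get(order_id)
        if payment is None:
            return False, "no cleared bank payment"
        if btc <= 0 or btc > self.max_btc_per_order:
            return False, "outside per-order limit"
        if btc * self.price_per_btc > payment.fiat_amount:
            return False, "more than was paid for"
        if self.sent_today + btc > self.max_btc_per_day:
            return False, "daily cap reached"
        self.paid_orders.add(order_id)
        self.sent_today += btc
        return True, "ok"


def demo():
    """Replay constructed requests, including ones a compromised web app might send."""
    payments = {p.order_id: p for p in (
        BankPayment("A1", Decimal("400")),
        BankPayment("A2", Decimal("4000")),
        BankPayment("A3", Decimal("400")),
        BankPayment("A4", Decimal("200")),
    )}
    guard = PayoutGuard(Decimal("400"), Decimal("2"), Decimal("3"))
    requests = [("A1", "1"), ("A1", "1"), ("A9", "0.5"), ("A2", "5"),
                ("A4", "1"), ("A2", "2"), ("A3", "1")]
    return [guard.authorize(order, amount, payments) for order, amount in requests]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

With the credential held only by the process running this check, a request from the web tier is honoured only when it matches a cleared, not-yet-paid bank receipt and stays within the caps.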