[ANN] KRAKEN.COM - US-based Exchange w/ Margin Trading - OPEN BETA

[btcx]

In light of recent events, we just wanted you guys to know that we’re on the motherfucker.  Go back in there, chill out and wait for the cavalry which should be coming directly:  https://beta.kraken.com

Target launch for real trading is mid next week.  Beta accounts are auto-funded with funny money and will be wiped at launch.  Actual deposits/withdrawals are disabled.  Address support issues to beta-support@<domain>

[1714663140]

1714663140

[Kluge]

You're on the motherfucker...? 

ETA: heeey, that's pretty slick.

[Seth Otterstad]

This interface is great.  Best in the business.  Which bank(s) are you using?  Dwolla support?  Also I'm just going to paste the questions that Stephen Gornick usually asks new exchanges:

- Does Kraken use cold storage (an offline wallet that cannot be accessed should the exchange's service become compromised)

If so, then there are other questions:

 - Is there a target as to how much of customer's funds are kept in cold storage?  (e.g., percent of total, or perhaps relative to recent withdrawal requirements)?

 - Do new deposits go to cold storage?  (if the hot wallet is compromised, new deposits made (e.g., automated payouts by mining pools) would still be secure)

 - Does the offline wallet where the cold storage resides remain protected due to an "air gap" (no access to it electronically, not connected to the network)?


And I have other questions that I'd like to know the answers to:

 - Does Kraken maintain full reserve?  (i.e., Kraken controls bank accounts with all customer funds (fiat, USD, EUR, ?) and controls wallets with 100% of BTC funds.  i.e., none of these amounts loaned out.)

 - Does Kraken maintain offsite backups of its accounts and transactions?  If for some reason the exchange's primary account database were lost due to a security breach, what information (and how recent) is still available from backup or archives?

 - If there is a security breach and Kraken cannot meet withdrawal requests of its customers, what is the withdrawal preference that Kraken would follow?  Various preferences are:
 - -  A.) All deposited funds are of equal standing with bitcoins being valued at their market rate at the time of the loss,
 - -  B.) Withdrawals of USD funds, if not impacted by the breach, are made available to those customers who held a USD balance. in full.
 - -  Do customer deposits have preference over any other creditor claims?  (i.e., a contract stating so such that they don't become unsecured creditors ending up in the same pool as the landlord for office space and hosting bill.)
 - -  or is there some other approach?


If there are other security-related details that are relevant that you would be will to share  (e.g., physicall security, staff background checks, dead man's switch for wallet, etc.) feel free to do so.

[epetroel]

This interface is great.  Best in the business.  Which bank(s) are you using?  Dwolla support?  Also I'm just going to paste the questions that Stephen Gornick usually asks new exchanges:

I got a chance to play around with the beta a week or so ago.  I agree that this looks very promising.

I seem to remember seeing a "Dwolla" option in the dummy withdrawal page, so I'm guessing they will be launching with Dwolla support (or are planning to have it at some point).

[Schrankwand]

In light of recent events, we just wanted you guys to know that we’re on the motherfucker.  Go back in there, chill out and wait for the cavalry which should be coming directly:  https://beta.kraken.com

Target launch for real trading is mid next week.  Beta accounts are auto-funded with funny money and will be wiped at launch.  Actual deposits/withdrawals are disabled.  Address support issues to beta-support@<domain>

Please do, interface looks awesome, name is geeky funny, everything else looks professional, based in western country.

Shut up and take my fees.

[btcx]

This interface is great.  Best in the business.  Which bank(s) are you using?  Dwolla support?  Also I'm just going to paste the questions that Stephen Gornick usually asks new exchanges:

Thanks!  Given Dwolla's history of screwing over Bitcoin exchanges, like our friends at TradeHill, we won't be supporting them.  We'll announce our banking partner at the time we open the site up for real deposits.

- Does Kraken use cold storage (an offline wallet that cannot be accessed should the exchange's service become compromised)

Most definitely.  A small percentage of the funds are kept in a hot wallet for withdrawals but the vast majority are kept in cold storage, offline.

If so, then there are other questions:

 - Is there a target as to how much of customer's funds are kept in cold storage?  (e.g., percent of total, or perhaps relative to recent withdrawal requirements)?

 - Do new deposits go to cold storage?  (if the hot wallet is compromised, new deposits made (e.g., automated payouts by mining pools) would still be secure)

 - Does the offline wallet where the cold storage resides remain protected due to an "air gap" (no access to it electronically, not connected to the network)?

1.  We don't have enough (any) experience here to give solid numbers.  It's going to depend on our daily withdrawal requirements.  My feeling is that if you need to withdraw a lot of BTC at once, you can probably wait a bit so it's better to sacrifice a little convenience for better security and only keep what is likely to be necessary in the hot wallet.

2.  Yes, all new deposits go directly to cold storage, for exactly that reason.

3.  Yes, cold storage is completely offline.

And I have other questions that I'd like to know the answers to:

 - Does Kraken maintain full reserve?  (i.e., Kraken controls bank accounts with all customer funds (fiat, USD, EUR, ?) and controls wallets with 100% of BTC funds.  i.e., none of these amounts loaned out.)

 - Does Kraken maintain offsite backups of its accounts and transactions?  If for some reason the exchange's primary account database were lost due to a security breach, what information (and how recent) is still available from backup or archives?

 - If there is a security breach and Kraken cannot meet withdrawal requests of its customers, what is the withdrawal preference that Kraken would follow?  Various preferences are:
 - -  A.) All deposited funds are of equal standing with bitcoins being valued at their market rate at the time of the loss,
 - -  B.) Withdrawals of USD funds, if not impacted by the breach, are made available to those customers who held a USD balance. in full.
 - -  Do customer deposits have preference over any other creditor claims?  (i.e., a contract stating so such that they don't become unsecured creditors ending up in the same pool as the landlord for office space and hosting bill.)
 - -  or is there some other approach?

4.  Yes, Kraken maintains full reserves.  Customer funds reside in a bank account separate from our operations account and fees are pulled across on a daily basis.  Payward does not borrow customer funds for operations and we do not lend customer funds, even for margin trading within our own exchange.  Funds offered for margin are acquired from other sources.

5.  At the moment, backups are onsite but unless a meteor destroys the data center, we should be ok.  We'll expand to offsite shortly.  Data is replicated in real time and backed up on a daily basis.  If only the primary account database were lost, everything would still be available in backups.

6.  Good questions.  We just had a chat about this so please do not take this as the final word but here's what we're thinking:

A USD value would be assigned to all the losses and remaining balances.  All deposited funds are of equal standing up to a cap and beyond the cap are distributed pro rata.  So, if the cap were $100k and we had 10 users, 9 of which had $50k balances and 1 of which had a $1m balance ($1,450,000 total) and we lost $600k ($850k left), 9 guys would receive their $50k back and 1 guy would receive $400k back.  If you want to keep some exorbitant amount of money on the exchange, you take the risk or maybe we can find a way to insure it (which we have not had luck with so far).  This is if we are actually legally able to decide.  It may very well be that all funds must be redistributed pro rata without any sort of cap.  It may also be that funds held as USD have some extra legal protections that BTC do not.  More research and consideration is required.  We'd like to hear community thoughts on this matter.

As far as we understand, according to law and without the need to specify this (though we can to make our position clear), depositors would have preference over ordinary business debt.  You have given us your money to hold for safe keeping on your behalf and that money never touches our operations account, which should be the only account up for grabs by non-depositor creditors--it's not our money to take.  If for any reason Payward ever has less than full reserves, it should immediately transfer money from its operations account, even liquidate assets in order to return to full reserves.  The question is what happens in some catastrophic hack where even after liquidating all the company's assets we are still not able to make the depositors whole and we also have some other business debt.  The depositors would receive everything and the other creditors would be out of luck.

If there are other security-related details that are relevant that you would be will to share  (e.g., physicall security, staff background checks, dead man's switch for wallet, etc.) feel free to do so.

I hope you'll understand that we don't want to give too much away here.  If an intruder breaches our security, it'd be better for us (and you) if they did not know what to expect.

We've spent over $150k on our own hardware.  Our servers reside in locked racks in a private cage in an expensive top tier data center with armed guards, retina scans, video surveillance, etc.
Staff have all been thoroughly reviewed and for anything dangerous, multiple signatures are required.
Data is encrypted wherever possible and systems are both redundant and isolated from each other such that if someone were to gain access to one machine, they would likely not gain anything useful.
Customer service and verification systems are modeled somewhat after PCI compliance standards.  The office is wired on separate networks for separate purposes.  The systems that agents access your uploaded verification docs on cannot do anything but access those docs.  They'd use a different system for answering tickets.
The user interface takes better security over better UX in many instances, not giving you any error messages that might allow you to find accounts, emails, etc.
Two factor authentication is available with more advanced security features to come.
The API allows for two-factor on keys and quite granular permissions.

[teek]

In light of recent events, we just wanted you guys to know that we’re on the motherfucker.  Go back in there, chill out and wait for the cavalry which should be coming directly:  https://beta.kraken.com

man... you guys are sending the wolf???  shieeeeeeeet,  that's all you had to say.

for real though, please tell me this new exchange (and others like it) are coming to save us from this ridiculous situation we are in,  definitely going to check it out.

[Schrankwand]

Hi Kraken guys,



I have another idea. One that might not sit too well with everyone, but considering the recent events of buy and sell walling, I think it might be a good one:

And order cancellation fee of 10% of the usual fee. On other exchanges you see sometimes people deliberately manipulating the markets. And your exchange needs something that is absolutely different and a game changer. And that would be cancellation fees.

IN my bank's stock order book I pay similarly a fee for setting an order that is also being paid if i recall the order. And with this setup, you would create stability in a sea of insanity. Don't make it too big. Bring it to 10%. You don't want little investors to notice it, but deliberatley manipulating wall moving people should know what is coming to them.-

[Koekiemonster]

Watching.

[cerebellum]

What's your status on an API for trading and market data?
I assume it will be available eventually, but you should release it as soon as possible to give developmers of trading utilities and bots a headstart, so they can use the beta site to test their own tools/products and have them ready when you go into production.

[epetroel]

What's your status on an API for trading and market data?
I assume it will be available eventually, but you should release it as soon as possible to give developmers of trading utilities and bots a headstart, so they can use the beta site to test their own tools/products and have them ready when you go into production.

They do have an API, but no official docs yet.  Here's some unofficial documentation that they sent me last week.  Note that this isn't final and also doesn't cover any of the trading functions.  Should give you some idea of how it will work though (similar to Gox and other exchanges out there now)

API:

Public methods can use either GET or POST

Private methods must use POST and be set up as follows:

HTTP header:
API-Key = API key
API-Sign = Message signature using HMAC-SHA512 of the URI path and POST data and base64 decoded secret API key

POST data:
nonce = always increasing unsigned 64 bit integer

Note: There is no way to reset the nonce to a lower value so be sure to use a nonce generation method that won't generate
numbers less than the previous nonce. A persistent counter or the current time in hundredths of a second precision or higher is suggested.

Public market data
Get server time
URL: https://api.beta.kraken.com/0/public/Time

Result: Server's time

unixtime = as unix timestamp
rfc1123 = as RFC 1123 time format

Note: This is to aid in approximating the skew time between the server and client.

Get tradeable asset pairs
URL: https://api.beta.kraken.com/0/public/AssetPairs

Result: array of pair names and their info

<pair-name> = pair name (ISO-4217-A3-X names)
altname = alternate pair name (ISO-4217-A3 names)
aclass-base = asset class of base component
base = asset id of base component
aclass-quote = asset class of quote component
quote = asset id of quote component
lot = lot size
leverage = array of leverage amounts available

Get ticker information
URL: https://api.beta.kraken.com/0/public/Ticker

Input:
pair = comma delimited list of asset pairs to get info on

Result: array of pair names and their ticker info

<pair-name> = pair name (ISO-4217-A3-X names)
ask = ask array(<price>, <lot volume>),
bid = bid array(<price>, <lot volume>),
last = last array(<price>, <lot volume>),
volume = volume array(<today>, <last 24 hours>),
vwap = volume weighted average price array(<today>, <last 24 hours>),
trades = number of trades array(<today>, <last 24 hours>),
low = low array(<today>, <last 24 hours>),
high = high array(<today>, <last 24 hours>),
open = today's opening price

Get order book
URL: https://api.beta.kraken.com/0/public/Depth

Input:
pair = asset pair to get market depth for

Result: array of pair name and market depth

<pair-name> = pair name (ISO-4217-A3-X names)
asks = ask side array of array entries(<price>, <volume>, <timestamp>)
bids = bid side array of array entries(<price>, <volume>, <timestamp>)

Get recent trades
URL: https://api.beta.kraken.com/0/public/Trades

Input:
pair = asset pair to get trade data for
since = return trade data since given id (exclusive)

Result: array of pair name and recent trade data

<pair-name> = pair name (ISO-4217-A3-X names)
array of array entries(<price>, <volume>, <time>, <buy/sell>, <market/limit>, <miscellaneous>)
last = id to be used as since when polling for new trade data

Get recent spread data
URL: https://api.beta.kraken.com/0/public/Spread

Input:
pair = asset pair to get spread data for
since = return spread data since given id (inclusive)

Result: array of pair name and recent spread data

<pair-name> = pair name (ISO-4217-A3-X names)
array of array entries(<time>, <ask>, <bid>)
last = id to be used as since when polling for new spread data

Note: "since" is inclusive so any returned data with the same time as the previous set should overwrite all of the previous set's entries at that time

[Rampion]

Beta testing!

[Apocalyptic]

- Does Kraken use cold storage (an offline wallet that cannot be accessed should the exchange's service become compromised)

Most definitely.  A small percentage of the funds are kept in a hot wallet for withdrawals but the vast majority are kept in cold storage, offline.

If so, then there are other questions:

 - Is there a target as to how much of customer's funds are kept in cold storage?  (e.g., percent of total, or perhaps relative to recent withdrawal requirements)?

 - Do new deposits go to cold storage?  (if the hot wallet is compromised, new deposits made (e.g., automated payouts by mining pools) would still be secure)

 - Does the offline wallet where the cold storage resides remain protected due to an "air gap" (no access to it electronically, not connected to the network)?

1.  We don't have enough (any) experience here to give solid numbers.  It's going to depend on our daily withdrawal requirements.  My feeling is that if you need to withdraw a lot of BTC at once, you can probably wait a bit so it's better to sacrifice a little convenience for better security and only keep what is likely to be necessary in the hot wallet.

2.  Yes, all new deposits go directly to cold storage, for exactly that reason.

3.  Yes, cold storage is completely offline.

Hum, that seems too perfect to be true. You are stating cold storage is completely offline. When refilling the hotwallet, at some point you have to broadcast the transaction to the network (be online). I guess you are signing the transaction offline then and broadcasting it from a connected node. What software do you use to perform such a task ? (the only one I know of is Armory available at https://bitcoinarmory.com/get-armory/ which is no longer usable for most of computers) Is it a self-made solution ? Are you using the native API calls createrawtransaction and signrawtransaction ? (which are tricky to manipulate because of local change addresses and require an in-depth understanding of the bitcoin protocol). I would love to see such an implementation if that's the case.

Otherwise, no chance your cold storage is completely offline.

For the new deposits security issues, one can argue it's not completely true. Since compromising the hotwallet generally means compromising the webserver, an attacker can then just modify the deposit addresses shown and new deposits will go right into his pocket. (Of course deposits to old addresses will still be secure)

Good luck guys, your project seems solid and looks like it may be the one serious professional-grade exchange the community is desperatly looking for.

[btcx]

1.  We don't have enough (any) experience here to give solid numbers.  It's going to depend on our daily withdrawal requirements.  My feeling is that if you need to withdraw a lot of BTC at once, you can probably wait a bit so it's better to sacrifice a little convenience for better security and only keep what is likely to be necessary in the hot wallet.

2.  Yes, all new deposits go directly to cold storage, for exactly that reason.

3.  Yes, cold storage is completely offline.

Hum, that seems too perfect to be true. You are stating cold storage is completely offline. When refilling the hotwallet, at some point you have to broadcast the transaction to the network (be online). I guess you are signing the transaction offline then and broadcasting it from a connected node. What software do you use to perform such a task ? (the only one I know of is Armory available at https://bitcoinarmory.com/get-armory/ which is no longer usable for most of computers) Is it a self-made solution ? Are you using the native API calls createrawtransaction and signrawtransaction ? (which are tricky to manipulate because of local change addresses and require an in-depth understanding of the bitcoin protocol). I would love to see such an implementation if that's the case.

Otherwise, no chance your cold storage is completely offline.

For the new deposits security issues, one can argue it's not completely true. Since compromising the hotwallet generally means compromising the webserver, an attacker can then just modify the deposit addresses shown and new deposits will go right into his pocket. (Of course deposits to old addresses will still be secure)

Good luck guys, your project seems solid and looks like it may be the one serious professional-grade exchange the community is desperatly looking for.

There are multiple cold wallets, each with limited funds and, yes, they remain completely offline until they need to be used.  Currently, we have some semi cold storage as well so tapping the cold storage doesn't have to happen as often.  Soon we'll be upgrading to a custom system more like what you've described with Armory.  Fortunately, we've got a team with a very deep understanding of the protocol.

About the address injection, you're right but we have things in place to make it harder to succeed.  If someone were successful, it'd likely be noticed within a few deposits when customers come asking why they haven't been credited their coins.  The exchange would have to eat that loss but it's unlikely to be a huge amount of btc.

Thanks for the fond wishes and I hope we can live up to expectations!

[chsados]

Would you mind commenting on this reddit post Kraken?

Payward, Inc. is a Delaware corporation, but there doesn't appear to be any "Payward, Inc." registered in California, either domestically or as a foreign corporation (formed outside of California), as required by California Law, since you are claiming that your company's governing law is California. There is no registration of "Kraken" as a trade name in either California or Delaware.

There is no contact information for this company on the Kraken web site, specifically no address or actual human beings associated with the company.

It appears as though Payward been soliciting investment online in violation of US securities laws (specifically the Securities Act of 1933) since you aren't registered with the SEC. This is also a violation of Delaware’s Securities Act.

http://imgur.com/18KPZPS

Payward is not registered with FinCEN.

Payward is not registered as a Money Transmitter Business in California.

Sorry, I just can't trust a web site that has terms of service that are obviously not in any way reviewed by an attorney:

Governing Law

Any claim relating to Payward, Inc.'s web site shall be governed by the laws of the State of California without regard to its conflict of law provisions.

General Terms and Conditions applicable to Use of a Web Site.

Yes, that's right, a cut and paste "General Terms and Conditions applicable to Use of a Web Site."

This should be a warning to EVERYONE. Don’t trust a company that blatantly violates multiple laws. This place WILL be shut down sooner or later, it’s only a matter of time.

[btcx]

Would you mind commenting on this reddit post Kraken?

Done: 

Today Payward is a software company. The public has been invited to test Payward's exchange software at beta.kraken.com. More about the company's employees, legal structure and position will be revealed if and when we ask you to trust us, which is not now. Chill out.

[chsados]

Would you mind commenting on this reddit post Kraken?

Done: 

Today Payward is a software company. The public has been invited to test Payward's exchange software at beta.kraken.com. More about the company's employees, legal structure and position will be revealed if and when we ask you to trust us, which is not now. Chill out.

... I am chill.  I love your beta site.  I was just offering you to put everyone's worries to rest - which you just did (at least for me).

[btcx]

Would you mind commenting on this reddit post Kraken?

Done: 

Today Payward is a software company. The public has been invited to test Payward's exchange software at beta.kraken.com. More about the company's employees, legal structure and position will be revealed if and when we ask you to trust us, which is not now. Chill out.

... I am chill.  I love your beta site.  I was just offering you to put everyone's worries to rest - which you just did (at least for me).

Right on.  Thanks

[EvilLizardApparel]

Looks amazing, great work, very promising.

[gnar1ta$]

In light of more recent events, hurry the krak up!