It is the world's biggest according to the volume it announces, and it is China's safest according to their own login page's Chinese header banner (this very page is produced with (IMHO insecure) phpBB; see the link in the discussion below).
1. The frontpage Chinese advertisement is "your trust is much more worthy to us than the trading fee". Sounds like a scam, right?
Put in a Chinese context, it doesn't say for sure it is a scam, because if you are honest and say why you don't charge, that involves a clause (in the grammatical sense), and whatever that clause is, it is too complicated to market. In Chinese advertising we say only short-and-simple phrases work (e.g. "Buy this." and not "Buy this because..."). A similar short suspicious slogan worked before: e.g. Alipay's "Trust made it simple" (因为信任所以简单) -- it didn't say why you should trust 马云 Ma Yun's company with your deposit, just "please simply trust me" - sounds like a scam too but turns out not, and it worked better than the competitor's lengthy consumer protection policies.
2. The website is often down and has a lot of technical problems.
The server runs HTTPS, but the redirection from HTTP to HTTPS is often broken. The primary web server is also often down; even worse, the email validation link still points to the primary web server www.btcchina.com when it has been replaced by the secondary web server www2.btcchina.com. Do they have a reason not to use DNS to bring up the second web server (a.k.a. assign the same domain name but a different IP address) and not to use a variable in email activation content generation? There are other bugs, e.g. when you log in on the www2.btcchina.com front page, it authenticates you and redirects you to www.btcchina.com, which is down of course - you have to manually replace www2 with www in the URL to go on.
Considering they have to buy a separate SSL license for www2.btcchina.com, this all feels weird.
3. Could they be faking trade volume?
I always wanted to verify their trade volume with a repeated-inquiry script but never had the time. Whether they fake it or not means a lot to others, so this work should be done.
4. Strange API access.
They don't offer an API for public access to things like market price and market depth. This is the only exchange that I know of that offers this to the user only as a private feature (checking the market price belongs to the private requests), and you can only check market depth, not directly inquire the lowest ask and highest bid.
I tested their example Python API access code directly from their document. Despite a syntax problem (
print "reason:".response.reason
should be
print "reason:",response.reason
) it was denied from my host in NY (US) with a simple "unauthorized", but the same code works on my host in Plano, TX (US).
In general, everything feels weird.
Skip this last minor point if you wish: the API returns 'result', which is a boolean -- the normal way is to either return 'success', which is a boolean, or return 'result', which may be 'success' (text string). A 'result' as a boolean is weird: what do you mean by "True" as a result? Is it a success or a failure? In Unix a zero/false result is success. This is however found on all Chinese exchanges; perhaps this is a convention among Chinese programmers' circles (new to me even though I am Chinese).
5. Their authentication and session management are done through forum software.
This is evident if you check this URI:
https://www2.btcchina.com/bbs/index.php (or
https://btcchina.com/bbs/index.php when they fixed the primary web server)
The security level required by forum software such as phpBB and by an exchange is ... different. For example, bitcointalk.org uses forum software and was hacked; that didn't spark any worry in the bitcoin circle, but an exchange, if hacked, would be a disaster.
6. Their website looks like this on my PC. That only demonstrates poor QA:
7. Other technical problems. E.g. when I asked to withdraw bitcoin, I was told to check my mobile phone SMS, and the SMS I received was this: 'lang_account_sendvcode_withdrawbtc', and there was no code of any sort in it. Thinking this was because I had defaulted to English before the withdrawal, I switched to Chinese, and when I attempted to withdraw I was told in Chinese "System Error, contact System Administrator" (系统错误请联系管理员). Logging out and in again works around the problem.
Now I don't have hard evidence that they have any security problem, but I ask myself: if I see a programmer put his socks and empty coke bottles on his desk, is his code safe and tight? I feel not. And I can certainly feel the socks and empty coke bottles flying around when I use BTCChina. It doesn't even look like they wish to run this business for a decade. The more I use it, the more I worry about my money on it. I am withdrawing 10 Bitcoin per day (the maximum allowed) over the coming days. This is not FUD, because I don't think there are many customers of BTCChina on this forum (also consider that they use QQ instant messenger for customer service, not even having a support tracker, support form or support email address - a typical taste for Chinese, which means they probably only have Chinese customers). I wrote this because I think people on this forum are interested in knowing what's happening in China - and I wish to have good feedback on my reading.