Hi, I am new to this forum, although I read a lot in the past; just signed up yesterday....
And I am really pissed off.
How come there is no Altcoin exchange that doesn't suck?
I am a programmer, and when I look at the things that happen on major exchanges
(like cases where you are able to sell the same coins twice etc.) I think this could
never happen with a proper database. Of course a website can get slow and unresponsive
under high load, but it should never make mistakes like this.
So I looked for some open source exchange to see how these things are coded,
and I found:
https://github.com/r3wt/openex
This is shocking, don't use this exchange source. If the developer of this reads this post,
you have to fix a lot.
First of all:
This code uses the mysql extension.
This extension is already deprecated as of PHP 5.5:
http://www.php.net/manual/en/function.mysql-connect.php , for good reasons.
Second:
This code uses mysql_real_escape_string() to prevent SQL injection.
Long story short, this is not 100% secure.
Third:
This code uses salted SHA1 hashes for passwords; again, this is not secure.
Use bcrypt.
Fourth:
This code does not use transactions if you trade.
This is exactly what makes it possible to spend the same coins twice when the database server is under high load.
These are the things I noticed after I looked through a few files. There might be more, possible XSS maybe, need to look at it again.
To the author of this exchange, don't take this too personally, I am sure you put a lot of effort into this,
and open sourcing an exchange is awesome because people can look at the code and fix it if broken,
but there is a lot to fix, and I would not use this exchange, this has some major flaws.
Exchanges like this must be flawless, especially if they are open sourced.
I am considering starting to code an open source exchange myself.....
Point is: don't blindly trust anything that is open source; open source does not necessarily mean it's good, it only means everyone
knows its vulnerabilities.
Open source stuff will eventually get secure IF enough people review it, and if these people know what they are doing.
Any experienced coders here who want to start a new exchange?
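The fourth point (trades without transactions) as an added example, not code from the post or from openex: a constructed one-user ledger in SQLite, where two sell requests are paused right after reading the balance and then both resumed. The schema, the two sell functions and the interleaving driver are assumptions, and a single connection stands in for a MySQL server under load.

```python
import sqlite3

def fresh_db():
    """Constructed sample ledger (assumed schema, not openex's): user 1 holds 10 coins."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE balances (user_id INTEGER PRIMARY KEY, amount INTEGER NOT NULL)")
    db.execute("INSERT INTO balances VALUES (1, 10)")
    db.commit()
    return db

def sell_unsafe(db, user_id, qty):
    """Read, check in application code, then write: no transaction, no row lock.
    A generator, so the driver below can pause it right after the read."""
    (amount,) = db.execute("SELECT amount FROM balances WHERE user_id = ?", (user_id,)).fetchone()
    yield  # a second request can read the same, now stale, balance here
    if amount < qty:
        return False
    db.execute("UPDATE balances SET amount = ? WHERE user_id = ?", (amount - qty, user_id))
    db.commit()
    return True

def sell_atomic(db, user_id, qty):
    """Check and debit in one statement inside a transaction, so the database decides whether
    the funds exist (MySQL: the same conditional UPDATE, or SELECT ... FOR UPDATE, in a transaction)."""
    yield  # nothing was read yet, so pausing here leaves no stale state behind
    with db:  # BEGIN ... COMMIT (ROLLBACK on exception)
        cur = db.execute("UPDATE balances SET amount = amount - ? WHERE user_id = ? AND amount >= ?",
                         (qty, user_id, qty))
    return cur.rowcount == 1

def run_interleaved(requests):
    """Drive every request to its pause point, then let each finish: a loaded server's interleaving."""
    gens = [make() for make in requests]
    for g in gens:
        next(g)
    results = []
    for g in gens:
        try:
            next(g)
        except StopIteration as done:
            results.append(done.value)
    return results

def demo(sell, qty=8):
    """Two sells of qty coins against a 10-coin balance -> (accepted per request, final balance)."""
    db = fresh_db()
    accepted = run_interleaved([lambda: sell(db, 1, qty), lambda: sell(db, 1, qty)])
    return accepted, db.execute("SELECT amount FROM balances WHERE user_id = 1").fetchone()[0]
```

With sell_unsafe both sells of 8 are accepted and the ledger ends at 2 coins, so 16 coins were sold out of 10; with sell_atomic the second sell is rejected and the ledger still ends at 2.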