How come Bitcoin people dont know how to code?

[joschua011]

Hi I am new to this forum, altough i read a lot in the past, just signed up yesterday....

And i am really pissed off.
How come there is no Altcoin exchange that doesn't suck?
I am a programmer, and when i look at the things that happen on major exchanges
(like cases where you are able to sell the same coins twice etc. ) I think this could
never happen with a proper database. Of course a website can get slow and unresponsive
under high load, but it should never make mistakes like this.

So i looked for some Opensource Exchange to see how these things are coded,
and i found: https://github.com/r3wt/openex

This is shocking, dont use this exchange source, if the developer of this reads this post,
you have to fix a lot.

First of all:
This code uses the mysql extension
This extension is already depreciated as of Php 5.5 : http://www.php.net/manual/en/function.mysql-connect.php , for good reasons.

Second:
This code uses mysql_real_escape_string() to prevent SQL Injection
Long Story short, this is not 100% secure.

Third:
This code uses salted sha1 hashes for passwords, again, this is not secure.
use bcrypt.

Fourth:
This code does not use transactions if you trade.
This is exatly what makes it possible to spend the same coins twice when the Database server is under high load.

These are the things i noticed after a i looked through a few files. There might be more, possible XSS maybe, need to look at it again.

To the author of this exchange, dont take this too personally, i am sure you put a lot of effort into this,
and opensourcing an exchange is awesome because people can look at the code and fix it if broken,
but there is a lot to fix, and i would not use this exchange, this has some major flaws.
exchanges like this must be flawless, especially if they are opensourced.

I am considering to start coding an opensource exchange myself.....

Point is: Dont blindly trust anything that is opensource, opensource does not neccasarry mean its good, it only means everyone
knows its vulnerabilites.
opensource stuff will eventually get secure IF enough people review it, and if these people know what they are doing.

Any experienced coders here who want to start a new exchange?

[chandrew]

nice dissection of code

[r3wt]

as the author of the exchange in question:

1). sha1 was replaced by sha512, we just haven't updated the git yet.

2). you can't double spend coins on this exchange, we worked very hard to make it impossible. the base code of this exchange first existed on our first attempt at an exchange, called iceycrypt, and the main problem was double spending trades.

3). mysql may be considered deprecated, but its still much easier to use and contrary to popular belief you can prevent sql injection with mysql_* functions. i think you've been reading to much stackoverflow and been taking it as the straight gospel. prepared statements are the way to go, and once we've finished the code and have it working, we will work back through and replace our db interfacing with more secure options, such as the mysqli functions i am already using in the chat, which runs on its separate php process and database user.

4.) mysql_real_escape_string is not all that is used to prevent against database injection, its the first line of defense. maybe you should browse to the models directory and start dissecting code there. this will give you a keen understanding of how userCake handles queries.

5.) we haven't released the exchange yet. It is still a work in progress. I would gladly invite your criticism once our doors open, but this is clearly a fud attack against our exchange in an effort to hurt our business.

6.) in its present state, this exchange is superior to the 3 major exchanges currently open and operating on node.js with security vulnerabilities a plenty. I understand your frustrations with cryptsy, but taking them out on Our project isn't fair.

7.) there are functions that have been built i just havent migrated over to the exchange source yet that will prevent database overload. eventually we will move to a sharded model where reads are done from 3 slave servers and writes are done to the master db server. we have a function called optimize tables, and a cronjob that shuts the trade engine down for 5 minutes every 6 hours and performs table optimization and audit of trade history.

8.) we are working towards moving away from cron job, to a proprietary daemon based system called "alien-php". i have been working on this on the site for a few weeks. its similar to node.js in that it can deploy, activate, and deactivate servers as necessary based on system load of the main server. it also features a daemon architechture in place of cronjobs, meaning there are several long running php processes in the background handling the trade engine and maintenance functions of the exchange.

9.) as far as the future, we still have lots of work to do before the exchange is enterprise level stable, however most of the basic functionality is in place. we are very much interested in hiring a 3rd developer to be a part of our team, but talk is cheap. put up or shut up if you want in. you will get paid.

[SlidingHorn]

as the author of the exchange in question:

1). sha1 was replaced by sha512, we just haven't updated the git yet.

2). you can't double spend coins on this exchange, we worked very hard to make it impossible. the base code of this exchange first existed on our first attempt at an exchange, called iceycrypt, and the main problem was double spending trades.

3). mysql may be considered deprecated, but its still much easier to use and contrary to popular belief you can prevent sql injection with mysql_* functions. i think you've been reading to much stackoverflow and been taking it as the straight gospel. prepared statements are the way to go, and once we've finished the code and have it working, we will work back through and replace our db interfacing with more secure options, such as the mysqli functions i am already using in the chat, which runs on its separate php process and database user.

4.) mysql_real_escape_string is not all that is used to prevent against database injection, its the first line of defense. maybe you should browse to the models directory and start dissecting code there. this will give you a keen understanding of how userCake handles queries.

5.) we haven't released the exchange yet. It is still a work in progress. I would gladly invite your criticism once our doors open, but this is clearly a fud attack against our exchange in an effort to hurt our business.

6.) in its present state, this exchange is superior to the 3 major exchanges currently open and operating on node.js with security vulnerabilities a plenty. I understand your frustrations with cryptsy, but taking them out on Our project isn't fair.

7.) there are functions that have been built i just havent migrated over to the exchange source yet that will prevent database overload. eventually we will move to a sharded model where reads are done from 3 slave servers and writes are done to the master db server. we have a function called optimize tables, and a cronjob that shuts the trade engine down for 5 minutes every 6 hours and performs table optimization and audit of trade history.

8.) we are working towards moving away from cron job, to a proprietary daemon based system called "alien-php". i have been working on this on the site for a few weeks. its similar to node.js in that it can deploy, activate, and deactivate servers as necessary based on system load of the main server. it also features a daemon architechture in place of cronjobs, meaning there are several long running php processes in the background handling the trade engine and maintenance functions of the exchange.

9.) as far as the future, we still have lots of work to do before the exchange is enterprise level stable, however most of the basic functionality is in place. we are very much interested in hiring a 3rd developer to be a part of our team, but talk is cheap. put up or shut up if you want in. you will get paid.

HA!  pwnd.

[mikeybit]

As a preface, I have some coding experience. Enough to be dangerous modifying code, but not writing it from scratch.  I do, however, have plenty of trading experience.

Anyways, my question is why does everyone feel the need to make the trade engines from PHP?  Why not use something more robust? Any engine I've used has been something pre-compiled and stable such as Java or C# or the like.  When you're dealing with financial transactions, you need the system to work 100% of the time; not just be pretty and accessible from a web browser. 

I think the major downfall of any of the major exchanges right now is that they all rely on web based technology which is simply not fast enough to refresh itself when handling any sort of trade volume.  I see quotes for crossed markets on a regular basis and it drives me mad. If that ever happens on a stock, the offending exchange is taken offline and fixed.

Now all of this brings me to my next point. I've been kicking around the idea of creating a platform for trading on multiple exchanges or creating my own trade engine that actually works.  I have some really good ideas stemming from my years of experience in the financial markets, but I don't have the technical acumen to accomplish them.   

I truly feel that for crypto currencies to succeed in the mainstream, exchanges need to be able to handle the demands of more than a few thousand people. 

Do any developers out there agree with me?

[futuredracula]

Wow, quick and comprehensive reply. I'm no professional but there is an awful lot of bad coding in many BTC related projects, especially trade bots, seems like a lot of people are learning as they go along, or it's just that if you have something well put together that works and makes you money why would you give away the source?

[infinitybo]

@OP nowadays there is too much exchange anyways once your project is done just let's take a look at this.

[Wipeout2097]

I don't want to distract from the OP's suggestion regarding transactions, however he picked someone else's work in progress from github at whatever random occasion he chose and claims that Bitcoin people don't know how to code? I see.