The address that Shakepay created for me has only one incoming and outgoing transaction that matches the transaction I made.
That's a HUGE problem. If this is true, I'd avoid using Shakepay until they can demonstrate that they've improved their security practices.
What's the problem? That's how it should be.
No, with a custodial service, it is not. The service should be pooling funds, and ONLY keeping enough funds available online to cover their short term withdrawal demands.
The incoming transaction should be OP's deposit to Shakepay (which is probably
the withdrawal made on June 25 from the forex broker) and the outgoing transaction should be the transaction made to Shakpay's wallet address from OP's deposit address.
As I've already said, there is no such thing as "from an address" with Bitcoin. Regardless, for Shakepay to be creating a transaction that uses the exact same UTXO that was created when they received the bitcoins on behalf of the OP, it means that they need to be keeping ALL bitcoins in a Hot Wallet. This is how MtGox lost hundreds of thousands of Bitcoins.
Am I missing something here?
A few things. Including, but probably not limited to:
The importance of cold storage and limited key access for custodial services.
The fact that bitcoins aren't sent from addresses.
That's a HUGE problem. If this is true, I'd avoid using Shakepay until they can demonstrate that they've improved their security practices.
Coinbase does the same thing.
You are mistaken. They don't.
There's no such thing as depositing "from a bitcoin address". That sentence doesn't make sense. You deposit TO an address (specifically, the address that the ForEx provider tells you to deposit TO). It's entirely possible AND VERY COMMON for a single transaction to contain bitcoins that were received at multiple different addresses. Which address would the ForEx broker require you to use in that case?
The forex broker has a separate BTC address for all users accounts.
Just like Shakepay, they SHOULD have a separate BTC address for every transaction. A bitcoin address is more like an invoice number than an account number. There is no good reason to re-use the address in this situation.
The transaction history of this address has only transactions that match my deposits. Of course the forex broker has custodial control over this address.
I have no disagreement about them having custodial control. They should have a new address for every time you send bitcoins to them, but since they don't the behavior you are describing is expected.
I think that the first time I made a withdrawal the broker saved that withdrawal address as the only one that can accept withdrawals in the future.
This is what I described as what I hoped happened in my earlier post here. In this case, the broker should gain a better understanding of bitcoin transactions if they are going to be accepting them and placing rules on how they can be used.
Now, after my last withdrawal it has more transactions but Shakepay and other exchanges recommend against using the same address.
Well, at least they got that part right. I'm still quite concerned that your description seems to indicate that they are keeping those keys online, and that funds aren't being pooled and moved to cold storage.
Yes the address has an incoming transaction from the FX broker and an outgoing transaction when I sold the BTC for fiat.
The outgoing transaction has nothing to do with your selling.
Exchanges usually move the fund deposited by the users to their own wallet and use that for processing withdrawals.
Therefore, even if you didn't sell your bitcoin and held it until now, you would still see that outgoing transaction.
This is what I'm saying Shakepay SHOULD be doing. However, from everything I've seen written about this set of transactions so far, it doesn't sound like Shakepay is doing that (which is why I wouldn't touch their service with a 10' pole until/unless I learned that they actually ARE doing what you've described).
