Bitcoin Forum
Author Topic: Exchange BTC addresses  (Read 310 times)
hosseinimr93
August 02, 2021, 07:31:05 PM
 #21

The address that Shakepay created for me has only one incoming and outgoing transaction that matches the transaction I made.
That's a HUGE problem.  If this is true, I'd avoid using Shakepay until they can demonstrate that they've improved their security practices.
What's the problem? That's how it should be.
The incoming transaction should be OP's deposit to Shakepay (which is probably the withdrawal made on June 25 from the forex broker) and the outgoing transaction should be the transaction made to Shakepay's wallet address from OP's deposit address.

Am I missing something here?

Surmount (OP)
August 02, 2021, 08:51:35 PM
 #22

That's a HUGE problem.  If this is true, I'd avoid using Shakepay until they can demonstrate that they've improved their security practices.

Coinbase does the same thing. Haven't checked if Binance does but wouldn't be surprised if they did.

There's no such thing as depositing "from a bitcoin address".  That sentence doesn't make sense.  You deposit TO an address (specifically, the address that the ForEx provider tells you to deposit TO). It's entirely possible AND VERY COMMON for a single transaction to contain bitcoins that were received at multiple different addresses.  Which address would the ForEx broker require you to use in that case?

The forex broker has a separate BTC address for all users' accounts. The transaction history of this address has only transactions that match my deposits. Of course the forex broker has custodial control over this address.

I think that the first time I made a withdrawal the broker saved that withdrawal address as the only one that can accept withdrawals in the future.

The timeline must have been like this:

I deposited to the forex broker's BTC address that they created for my account.

On June 25 I withdrew some funds using my Shakepay address. The broker saved that address; however, Shakepay changed it once the transaction was complete.

July 29th I attempted to withdraw again using the new address that Shakepay listed on my account but it failed because it did not match the address I had used to make the first withdrawal. I expect that, had it been my first withdrawal, the transaction would have been successful.

The address that Shakepay created for me has only one incoming and outgoing transaction that matches the transaction I made.
That's a HUGE problem.  If this is true, I'd avoid using Shakepay until they can demonstrate that they've improved their security practices.
What's the problem? That's how it should be.
The incoming transaction should be OP's deposit to Shakepay (which is probably the withdrawal made on June 25 from the forex broker) and the outgoing transaction should be the transaction made to Shakepay's wallet address from OP's deposit address.

Am I missing something here?

Yes the address has an incoming transaction from the FX broker and an outgoing transaction when I sold the BTC for fiat. Now, after my last withdrawal it has more transactions but Shakepay and other exchanges recommend against using the same address.
hosseinimr93
August 02, 2021, 09:11:48 PM
 #23

Yes the address has an incoming transaction from the FX broker and an outgoing transaction when I sold the BTC for fiat.
The outgoing transaction has nothing to do with your selling. Exchanges usually move the funds deposited by the users to their own wallet and use that for processing withdrawals.
Therefore, even if you didn't sell your bitcoin and held it until now, you would still see that outgoing transaction.

DannyHamilton
August 02, 2021, 11:03:06 PM
 #24

The address that Shakepay created for me has only one incoming and outgoing transaction that matches the transaction I made.
That's a HUGE problem.  If this is true, I'd avoid using Shakepay until they can demonstrate that they've improved their security practices.
What's the problem? That's how it should be.

No, with a custodial service, it is not.  The service should be pooling funds, and ONLY keeping enough funds available online to cover their short term withdrawal demands.

The incoming transaction should be OP's deposit to Shakepay (which is probably the withdrawal made on June 25 from the forex broker) and the outgoing transaction should be the transaction made to Shakepay's wallet address from OP's deposit address.

As I've already said, there is no such thing as "from an address" with Bitcoin.  Regardless, for Shakepay to be creating a transaction that uses the exact same UTXO that was created when they received the bitcoins on behalf of the OP, it means that they need to be keeping ALL bitcoins in a Hot Wallet.  This is how MtGox lost hundreds of thousands of Bitcoins.

Am I missing something here?

A few things. Including, but probably not limited to:
The importance of cold storage and limited key access for custodial services.
The fact that bitcoins aren't sent from addresses.

That's a HUGE problem.  If this is true, I'd avoid using Shakepay until they can demonstrate that they've improved their security practices.

Coinbase does the same thing.

You are mistaken. They don't.

There's no such thing as depositing "from a bitcoin address".  That sentence doesn't make sense.  You deposit TO an address (specifically, the address that the ForEx provider tells you to deposit TO). It's entirely possible AND VERY COMMON for a single transaction to contain bitcoins that were received at multiple different addresses.  Which address would the ForEx broker require you to use in that case?

The forex broker has a separate BTC address for all users' accounts.

Just like Shakepay, they SHOULD have a separate BTC address for every transaction.  A bitcoin address is more like an invoice number than an account number.  There is no good reason to re-use the address in this situation.

The transaction history of this address has only transactions that match my deposits. Of course the forex broker has custodial control over this address.

I have no disagreement about them having custodial control. They should have a new address for every time you send bitcoins to them, but since they don't the behavior you are describing is expected.

I think that the first time I made a withdrawal the broker saved that withdrawal address as the only one that can accept withdrawals in the future.

This is what I described as what I hoped happened in my earlier post here. In this case, the broker should gain a better understanding of bitcoin transactions if they are going to be accepting them and placing rules on how they can be used.

Now, after my last withdrawal it has more transactions but Shakepay and other exchanges recommend against using the same address.

Well, at least they got that part right.  I'm still quite concerned that your description seems to indicate that they are keeping those keys online, and that funds aren't being pooled and moved to cold storage.

Yes the address has an incoming transaction from the FX broker and an outgoing transaction when I sold the BTC for fiat.
The outgoing transaction has nothing to do with your selling. Exchanges usually move the funds deposited by the users to their own wallet and use that for processing withdrawals.
Therefore, even if you didn't sell your bitcoin and held it until now, you would still see that outgoing transaction.

This is what I'm saying Shakepay SHOULD be doing.  However, from everything I've seen written about this set of transactions so far, it doesn't sound like Shakepay is doing that (which is why I wouldn't touch their service with a 10' pole until/unless I learned that they actually ARE doing what you've described).
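
An added example, not part of the thread: a toy UTXO ledger for two points argued above, that a transaction spends earlier outputs rather than sending "from an address", and what a deposit address's history looks like when deposits are swept into a pooled wallet. Every txid, address name and amount is constructed for illustration.

```python
# Constructed ledger: every txid, address and amount here is made up.
# Inputs reference earlier outputs as (txid, output_index); outputs are
# (address, satoshis). Transactions with no inputs stand in for history
# that is outside the example.
LEDGER = {
    "broker_payout": {"inputs": [], "outputs": [("deposit_op", 500_000)]},
    "user2_deposit": {"inputs": [], "outputs": [("deposit_user2", 300_000)]},
    "sweep": {"inputs": [("broker_payout", 0), ("user2_deposit", 0)],
              "outputs": [("exchange_pool", 799_000)]},
    "user3_withdrawal": {"inputs": [("sweep", 0)],
                         "outputs": [("user3_wallet", 200_000),
                                     ("exchange_pool", 598_500)]},
}

def spent_output(ledger, ref):
    """Resolve an input reference to the (address, satoshis) it spends."""
    txid, index = ref
    return ledger[txid]["outputs"][index]

def receiving_addresses(ledger, txid):
    """Addresses at which the coins spent by txid were earlier received."""
    return sorted({spent_output(ledger, r)[0] for r in ledger[txid]["inputs"]})

def fee(ledger, txid):
    """Input value minus output value, in satoshis."""
    tx = ledger[txid]
    spent = sum(spent_output(ledger, r)[1] for r in tx["inputs"])
    return spent - sum(value for _, value in tx["outputs"])

def address_history(ledger, address):
    """(incoming txids, outgoing txids) as a block explorer would list them."""
    incoming = sorted(t for t, tx in ledger.items()
                      if any(a == address for a, _ in tx["outputs"]))
    outgoing = sorted(t for t, tx in ledger.items()
                      if any(spent_output(ledger, r)[0] == address
                             for r in tx["inputs"]))
    return incoming, outgoing
```

In this ledger `address_history(LEDGER, "deposit_op")` shows one incoming and one outgoing transaction, while `receiving_addresses(LEDGER, "sweep")` returns two addresses, so the sweep has no single sender.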
o_e_l_e_o
August 04, 2021, 06:49:00 PM
 #25

Regardless, for Shakepay to be creating a transaction that uses the exact same UTXO that was created when they received the bitcoins on behalf of the OP, it means that they need to be keeping ALL bitcoins in a Hot Wallet.
Why does it? What's stopping them from creating a bunch of offline wallets, and importing the master public keys of these wallets to their exchange servers to generate addresses for users to deposit their bitcoin to? It would require someone to manually approve and transfer all unsigned/signed transactions back and forth, but it's not impossible. I agree it is unlikely, but not impossible. However, as I explained above, Shakepay don't do this and batch their withdrawal transactions normally.
DannyHamilton
August 04, 2021, 07:01:31 PM
 #26

as I explained above, Shakepay don't do this and batch their withdrawal transactions normally.

This is what I hope.  There have been some other things in this thread that seemed to indicate otherwise, but I suspect that those responses were written by someone that didn't really understand what they were looking at.
