Bitcoin Forum
Topic: is/was Bitcoinica a shady business...? (Read 2269 times)
Ichthyo (OP)
May 12, 2012, 06:59:16 PM
 #1

Hi all,

maybe someone might help to clarify that question...?

I am interested in the finance-technical side of that question. We all know that the site might have used better IT security measures. But anyone in the IT business (like myself) also knows that implementing IT security is expensive (especially in development time). And the stunning thing with Bitcoinica is for sure how fast it was implemented, operational and financially successful (at least until the disaster happened...).

So my question is rather about the "financial mechanics". Several people claimed in this forum that a margin trading platform is impossible in such a shallow market as Bitcoin is currently. And that a business like Bitcoinica is bound to fail and collapse.

Can someone please clarify what risks Bitcoinica was actually taking?


In my understanding, the only risk Bitcoinica was taking is that the rates move away between the time point when a position is force liquidated (you get zouthonged) and the time point when these closing orders are actually executed at market price. Because, as I understand it, they used the (margin) value of the currency accounts plus the initial spread added on every new position to back the liquidity given out as loan. And when that liquidity wasn't sufficient, the starfish would appear and no further active positions could be opened.

So please, explain why a margin trading platform with this construction might be financially unsound.

Thanks
--Ichthyo
Stephen Gornick
May 12, 2012, 08:14:33 PM
 #2

Can someone please clarify what risks Bitcoinica was actually taking?

Your question is worded as if the only risk taker is Bitcoinica.  The fact that a user's balance can be below their margin requirement, or negative even (where funds are owed to Bitcoinica) proves that trading risks extend to those who hold leveraged positions as well.

This is one of those situations where the algorithm makes sense when things work as expected.  There are dependencies however and when things go wrong, they go horribly wrong.

When Bitcoinica does forced liquidations it must trade those on an external market. The only one it trades on is Mt. Gox, as far as I know.  Any bot trader will tell you that the automated trading API there has "less than six sigma reliability".  Add in the situation where Bitcoinica was responsible for half or more of the volume at Mt. Gox (particularly during times where there was a big selloff or a price spike) and you have instability all over the place -- something an algorithm cannot be programmed to compensate for.

So, as a result, the spread is set wider than would seem necessary and this gives added protection for Bitcoinica.  On the other side, Bitcoinica does not cover for the account holder and instead passes on the trading losses as liquidations happen at levels where the price has moved further than they were at the time the triggering event occurred.

Because the accounts can be opened without submitting identifying documents, there can be many accounts controlled by a single operator.  With 10X leverage and a large number of Bitcoinica accounts ("sockpuppets"), the market at Mt. Gox can be manipulated by a single operator or with the help of momentum traders piling on.

The manipulator in many scenarios is not worried that forced liquidations could potentially cause the account to result in a negative balance because the accounts were opened and funded anonymously.

So this system allows the winner to keep the gains, but the losses then either get absorbed by Bitcoinica or get passed on to the other customers in the form of higher spread.

So Bitcoinica itself doesn't need to be "shady", but its current form allows shady business a place to operate.



Ichthyo (OP)
May 12, 2012, 08:46:11 PM
 #3

Your question is worded as if the only risk taker is Bitcoinica.  The fact that a user's balance can be below their margin requirement, or negative even (where funds are owed to Bitcoinica) proves that trading risks extend to those who hold leveraged positions as well.

This is one of those situations where the algorithm makes sense when things work as expected.  There are dependencies however and when things go wrong, they go horribly wrong.

Hi Stephen, thanks for your explanation.

So basically this looks like any kind of banking business, but without the official assurance to cover customers' funds when the bank collapses. Bitcoinica seems to take some risks and puts some algorithmic means into place to alleviate those risks. Yet still there remains the possibility of a financial "meltdown". And when we choose(d) to trade on Bitcoinica, basically we were just taking that kind of counterparty risk.



So Bitcoinica itself doesn't need to be "shady", but its current form allows shady business a place to operate.

This might be the most important question to ponder. If we really want the Bitcoin market to be that free/uncontrolled entity, only regulated by demand and supply, then it seems we've inevitably to accept the fact that surprising / upsetting / destructive actions occur within that market. On the other hand, if we want some kind of regulation, we should again think of building up centralised institutions, which turns us back into all those unsolved questions our current governmental and regulatory systems are suffering from.

-- Ichthyo

terrytibbs
May 12, 2012, 09:02:09 PM
 #4

http://en.wikipedia.org/wiki/Bucket_shop_(stock_market)
cryptoanarchist
May 12, 2012, 09:10:46 PM
 #5


This might be the most important question to ponder. If we really want the Bitcoin market to be that free/uncontrolled entity, only regulated by demand and supply, then it seems we've inevitably to accept the fact that surprising / upsetting / destructive actions occur within that market. On the other hand, if we want some kind of regulation, we should again think of building up centralised institutions, which turns us back into all those unsolved questions our current governmental and regulatory systems are suffering from.


In the free/uncontrolled market, those destructive actions that occur are good and allow the market to correct itself (i.e. I know I'm not trading there anymore).

I'm grumpy!!
Ichthyo (OP)
May 12, 2012, 09:32:04 PM
 #6


...interesting read indeed.

Just to play "advocatus diaboli": Isn't, by that definition, a fractional reserve banking based business a "bucket shop": handing out paper money, assuming there was an actual transaction in the underlying currency, while actually they are just shoveling around virtual positions "in the bucket"?

okok -- I know, fractional reserve is official and there are laws, supervision and monitoring. But, to translate that into the world of Bitcoin, where there is no central authority: What exactly could be the criteria to define a business to be "shady" or "clean", "acceptable" or "being frowned upon" ?

-- Ichthyo
Stephen Gornick
May 12, 2012, 10:10:16 PM
 #7

So basically this looks like any kind of banking business,

Well, this really has little to do with "banking".  Bitcoinica operates a type of contract for difference (CFD) marketplace.  In the U.S. for instance, CFD markets are not allowed due to OTC market restrictions by the SEC.  The foreign exchange that is offered in the U.S. differs from CFDs because cash is used to settle gains or losses from price movements of the CFDs whereas with forex spot, swap and futures transactions there is essentially a delivery requirement for the underlying asset.




Ichthyo (OP)
May 12, 2012, 10:57:01 PM
 #8

Well, this really has little to do with "banking".  Bitcoinica operates a type of contract for difference (CFD) marketplace.  In the U.S. for instance, CFD markets are not allowed due to OTC market restrictions by the SEC.  The foreign exchange that is offered in the U.S. differs from CFDs because cash is used to settle gains or losses from price movements of the CFDs whereas with forex spot, swap and futures transactions there is essentially a delivery requirement for the underlying asset.

If we accept those regulations as set in stone and don't question anything ever, then yes, there might be a difference somewhere in the formal definitions.

But my question actually aims at something more fundamental. We have Bitcoin, which is not regulated and not supposed to be just a carbon copy of an existing economy. There is no point hiding behind some U.S. regulations. I am asking about the essence of things.

Why is it shady, when there is just a virtual balance
and why is it "clean" when there is a promise of delivery (which is also just the promise to deliver something virtually, electronically).

What is the difference when Bitcoinica delivers the final gains as BTC redeemable code?
When I get a loan from my favorite real world bank, all I get is a redeemable code.

Why is the one thing "good" and "beneficial", while the other thing is "questionable"?

I am not trolling, I want to understand what makes the difference in the essence of things, when stripping away all that funny legislative and financial terminology.

--Ichthyo
doldgigger
May 12, 2012, 11:04:48 PM
 #9

So Bitcoinica itself doesn't need to be "shady", but its current form allows shady business a place to operate.

This might be the most important question to ponder. If we really want the Bitcoin market to be that free/uncontrolled entity, only regulated by demand and supply, then it seems we've inevitably to accept the fact that surprising / upsetting / destructive actions occur within that market. On the other hand, if we want some kind of regulation, we should again think of building up centralised institutions, which turns us back into all those unsolved questions our current governmental and regulatory systems are suffering from.

I really like your thread. Yesterday I was thinking about how much implicit democratic momentum bitcoin gives us without requiring any explicit regulation through laws etc. (see here: https://bitcointalk.org/index.php?topic=81367.0). Now the thoughts from this thread make me want to expand on this because it seems like bitcoin's nature, together with internet anonymity, creates yet another form of implicit regulation. If a company (be it bitcoinica or someone else) does something too risky, they will just go down when anonymity makes sure that there is no one they can blame or seek compensation from. This creates an incentive to build up solid business models and might prevent some avalanche effects we have (and experienced during the near past) on traditional financial markets.

My bottom line is: When a bitcoin company can afford to offer their service to anonymous users (ideally without any backdooring, like trying to lock out Tor proxies) and stays alive for a long time, their business model could probably be considered robust.

19orEcoqXQ5bzKbzbAnbQrCkQC5ahSh4P9
Feel free to PM me for consulting and development services.
doldgigger
May 12, 2012, 11:13:17 PM
 #10

But anyone in the IT business (like myself) also knows that implementing IT security is expensive (especially in development time).

I think these costs are exaggerated most of the time. When building software with security in mind from the beginning, the required extra development time is almost negligible. The problem lies in many existing libraries and frameworks which are insecure by design, or where security was not considered during development. When these are used, securing the whole system becomes prohibitively expensive.

Stephen Gornick
May 13, 2012, 01:57:33 AM
 #11

I am not trolling, I want to understand what makes the difference in the essence of things, when stripping away all that funny legislative and financial terminology.

Let's say I rent out bicycles in a tourist area.  You as a tourist pay the deposit ... $100 deposit for an $80 bike.    While eating at a restaurant the bike gets stolen from the bike rack out front.     All the locals know this happens.  I had nothing to do with the theft, but I knew it happens pretty often and didn't warn you.

Is what I did shady?



Ichthyo (OP)
May 13, 2012, 02:08:28 AM
 #12

But anyone in the IT business (like myself) also knows that implementing IT security is expensive (especially in development time).

I think these costs are exaggerated most of the time. When building software with security in mind from the beginning, the required extra development time is almost negligible. The problem lies in many existing libraries and frameworks which are insecure by design, or where security was not considered during development. When these are used, securing the whole system becomes prohibitively expensive.

When thinking somewhat about that issue, it seems to be an instance of the same problem we're discussing here. Let me explain.

If Zhoutong and his friends had been "old style" coders, they'd picked a general purpose language and just some very basic libraries and built the whole distributed Bitcoinica application from ground up. And when considering the use of some additional framework, they'd spend days to weeks to understand that framework in and out. For example, they'd probably dissected the source code of the standard bitcoin daemon and replaced the Berkeley DB by another database fitting better into the general picture. As a by-product the resulting system would have a reasonable amount of security built right into the core. Just brilliant -- now we're talking rather about several man months of work. :-\

But that's probably not what they did. (note, the following is just a guess. I might be wrong here!) They happened to know how to apply some web application toolkit set plus they happened to know how to use some cloud hosting service. So this was just a perfectly suitable skill set, allowing them to concentrate on coding up the finance mathematical part of the business. Thus, while the "proper coding craftsman" would still be dissecting other people's framework code and bothering about possible subtle concurrency and security issues, they were already making money.

This is exactly the equivalent to trading on leverage. You achieve an impressively amplified effect by relying on borrowed knowledge and skills (living in the toolkits and services you use to code up your App). And according to the predominant opinion in the open source culture, that is actually the right thing to do. You know, the cathedral and the bazaar.

And now something nasty happened and some script kiddy used a blatant security weakness to hack Bitcoinica. And all of a sudden, everyone yells and points with fingers upon both Zhoutong and the Bitcoin Consultancy, calling them unprofessional, sketchy and harmful for the Bitcoin idea.

So what are the criteria, and who judges?

--Ichthyo
Ichthyo (OP)
May 13, 2012, 02:41:26 AM
 #13

Let's say I rent out bicycles in a tourist area.  You as a tourist pay the deposit ... $100 deposit for an $80 bike.    While eating at a restaurant the bike gets stolen from the bike rack out front.     All the locals know this happens.  I had nothing to do with the theft, but I knew it happens pretty often and didn't warn you.

Is what I did shady?

Hey, cool example.

Now, to apply the anarchistic decentral Bitcoin philosophy: then it was not shady, because the deaf average tourist could have just employed his f**ing common sense and either watch the rented bike better or not use and support your business. And when the majority of tourists just choose to ignore that danger and continue to rent your bikes, then, by definition your business would be acceptable. :D

JusticeForYou
May 13, 2012, 02:51:54 AM
 #14

Quote
I am not trolling, I want to understand what makes the difference in the essence of things, when stripping away all that funny legislative and financial terminology.

Place your bets. Is the terminology. You have 1:1 Odds to 10:1 Odds with the spread going to the House.

cryptoanarchist
May 13, 2012, 04:55:20 PM
 #15

I think they're shady, but for different reasons.

I suspect anyone that talks about regulating bitcoin. The whole point of bitcoin is to NOT be regulated. If people want to be "registered" and "regulated", they can go be part of the current financial system.

If bitcoin is for real, there is no doubt in my mind that the powers that be would be placing their people to control it. They have the resources to start large exchanges and other 3rd party services. They can make themselves the "hero members" on here very easily. Then use their pull in the community to start suggesting regulations and other bullshit to completely destroy the purpose of bitcoin.

Combined with the fact that the way they lost this last batch of coins is suspicious to say the least and their crappy communication about what happened, leads me to believe that the whole thing is a false flag and a way to rip people off.


unclescrooge
aka Raphy
May 13, 2012, 08:01:35 PM
 #16

I think they're shady, but for different reasons.

I suspect anyone that talks about regulating bitcoin. The whole point of bitcoin is to NOT be regulated. If people want to be "registered" and "regulated", they can go be part of the current financial system.

Yeah but so many people live in a fairy tale where governments serve people's interest.

When I see core members pushing for the law to recognize bitcoin... such a waste of energy...
doldgigger
May 14, 2012, 05:38:36 PM
 #17

But anyone in the IT business (like myself) also knows that implementing IT security is expensive (especially in development time).

I think these costs are exaggerated most of the time. When building software with security in mind from the beginning, the required extra development time is almost negligible. The problem lies in many existing libraries and frameworks which are insecure by design, or where security was not considered during development. When these are used, securing the whole system becomes prohibitively expensive.

When thinking somewhat about that issue, it seems to be an instance of the same problem we're discussing here. Let me explain.

If Zhoutong and his friends had been "old style" coders, they'd picked a general purpose language and just some very basic libraries and built the whole distributed Bitcoinica application from ground up. And when considering the use of some additional framework, they'd spend days to weeks to understand that framework in and out. For example, they'd probably dissected the source code of the standard bitcoin daemon and replaced the Berkeley DB by another database fitting better into the general picture. As a by-product the resulting system would have a reasonable amount of security built right into the core. Just brilliant -- now we're talking rather about several man months of work. :-\

But that's probably not what they did. (note, the following is just a guess. I might be wrong here!) They happened to know how to apply some web application toolkit set plus they happened to know how to use some cloud hosting service. So this was just a perfectly suitable skill set, allowing them to concentrate on coding up the finance mathematical part of the business. Thus, while the "proper coding craftsman" would still be dissecting other people's framework code and bothering about possible subtle concurrency and security issues, they were already making money.

This is exactly the equivalent to trading on leverage. You achieve an impressively amplified effect by relying on borrowed knowledge and skills (living in the toolkits and services you use to code up your App). And according to the predominant opinion in the open source culture, that is actually the right thing to do. You know, the cathedral and the bazaar.

And now something nasty happened and some script kiddy used a blatant security weakness to hack Bitcoinica. And all of a sudden, everyone yells and points with fingers upon both Zhoutong and the Bitcoin Consultancy, calling them unprofessional, sketchy and harmful for the Bitcoin idea.

So what are the criteria, and who judges?

--Ichthyo


At first, we should probably define what you mean by "old style coders". Does it mean that they refuse to use libraries in order to avoid duplicating effort? If so, I'd rather call these people "students", because that's what the typical student will do: Re-implementing something just for the sake of learning how it works. Not a bad decision for personal progress, but (as you stated correctly) not useful on a competitive market as it will take many extra months.

But this is not what I was talking about. A good coder who is serious about security does not refuse to use libraries. But he will choose secure libraries (also, secure programming languages, secure frameworks etc.) in order to get his stuff done. This may mean a little bit of extra time once in your life (at the point where you have to research what tool to use the first time), but when it comes to actually implementing a project, the extra time needed becomes negligible.

I think it is dangerous to spread the rumour that security is expensive or time-intensive because it leads to a "don't care" mentality in executives which would not be necessary if they were working with the right people.

However, I will not engage in speculations about how this relates to bitcoinica. It might well be that the developers used perfectly secure programming frameworks, and wrote their code diligently, having security breached by a mistake from their hosting platform, for example.

doldgigger
May 14, 2012, 05:47:27 PM
 #18

I think they're shady, but for different reasons.

I suspect anyone that talks about regulating bitcoin. The whole point of bitcoin is to NOT be regulated. If people want to be "registered" and "regulated", they can go be part of the current financial system.

Yeah but so many people live in a fairy tale where governments serve people's interest.

When I see core members pushing for the law to recognize bitcoin... such a waste of energy...

Governments had to (and still have to) learn the hard way that they are not stronger than the internet, and that they have to bend to its mechanisms in order to stay in today's game. The same is happening with bitcoin right now. Like the internet, it is sufficiently self-regulating to succeed, and works more efficiently than the traditional mechanisms it replaces.

I think there is nothing wrong with working with the governments so they can understand bitcoin better. In fact, they need people willing to do that if they don't want to fail miserably. But when it comes to pushing for the law to recognize bitcoin, I must ask: Recognize it as what? Do we want it to be recognized as finance (and thus be subject to the same laws) even though it lacks many deficiencies traditional finance (as recognized by law) has? Can't we rather inherit the positive things from traditional finance, leave out the negative things, and just wait for what laws they think will be applicable for this new technology?

doldgigger
May 14, 2012, 05:52:00 PM
 #19

So what are the criteria, and who judges?

This one is simple, I think. The idea can be judged by its success. If it was a bad idea, it will fail sooner or later. I think we can go with such simple criteria because, due to bitcoin's open nature, scamming is much harder than with the traditional money system, thus people who don't do some useful service to the community will fail.

JusticeForYou
May 14, 2012, 05:56:08 PM
 #20

But anyone in the IT business (like myself) also knows that implementing IT security is expensive (especially in development time).

I think these costs are exaggerated most of the time. When building software with security in mind from the beginning, the required extra development time is almost negligible. The problem lies in many existing libraries and frameworks which are insecure by design, or where security was not considered during development. When these are used, securing the whole system becomes prohibitively expensive.

When thinking somewhat about that issue, it seems to be an instance of the same problem we're discussing here. Let me explain.

If Zhoutong and his friends had been "old style" coders, they'd picked a general purpose language and just some very basic libraries and built the whole distributed Bitcoinica application from ground up. And when considering the use of some additional framework, they'd spend days to weeks to understand that framework in and out. For example, they'd probably dissected the source code of the standard bitcoin daemon and replaced the Berkeley DB by another database fitting better into the general picture. As a by-product the resulting system would have a reasonable amount of security built right into the core. Just brilliant -- now we're talking rather about several man months of work. :-\

But that's probably not what they did. (note, the following is just a guess. I might be wrong here!) They happened to know how to apply some web application toolkit set plus they happened to know how to use some cloud hosting service. So this was just a perfectly suitable skill set, allowing them to concentrate on coding up the finance mathematical part of the business. Thus, while the "proper coding craftsman" would still be dissecting other people's framework code and bothering about possible subtle concurrency and security issues, they were already making money.

This is exactly the equivalent to trading on leverage. You achieve an impressively amplified effect by relying on borrowed knowledge and skills (living in the toolkits and services you use to code up your App). And according to the predominant opinion in the open source culture, that is actually the right thing to do. You know, the cathedral and the bazaar.

And now something nasty happened and some script kiddy used a blatant security weakness to hack Bitcoinica. And all of a sudden, everyone yells and points with fingers upon both Zhoutong and the Bitcoin Consultancy, calling them unprofessional, sketchy and harmful for the Bitcoin idea.

So what are the criteria, and who judges?

--Ichthyo


At first, we should probably define what you mean by "old style coders". Does it mean that they refuse to use libraries in order to avoid duplicating effort? If so, I'd rather call these people "students", because that's what the typical student will do: Re-implementing something just for the sake of learning how it works. Not a bad decision for personal progress, but (as you stated correctly) not useful on a competitive market as it will take many extra months.

But this is not what I was talking about. A good coder who is serious about security does not refuse to use libraries. But he will choose secure libraries (also, secure programming languages, secure frameworks etc.) in order to get his stuff done. This may mean a little bit of extra time once in your life (at the point where you have to research what tool to use the first time), but when it comes to actually implementing a project, the extra time needed becomes negligible.

I think it is dangerous to spread the rumour that security is expensive or time-intensive because it leads to a "don't care" mentality in executives which would not be necessary if they were working with the right people.

However, I will not engage in speculations about how this relates to bitcoinica. It might well be that the developers used perfectly secure programming frameworks, and wrote their code diligently, having security breached by a mistake from their hosting platform, for example.

There are programs where it must be written from scratch, no libraries allowed.

A long time ago, a class was to come up with a challenge for the programming class. I suggested why not write the Sqrt algo. The teacher/professor said you could just use the sqrt command and that would be too easy. I guess the professor thought that the letters themselves in the Sqrt command was the algo.

Knowledge is being lost or diminished because of the reliance and trust in other people's work.

There are different ways of solving sqrt. Which method is your algo using?
