Should a bitcoinica clone be put online ?

[davout]

With the leak of the code I'm asking myself whether it would be a good idea to setup a bitcoinica clone.

Pros :

• Would make some good money
• There is demand for gambling margin trading
• Half the profits could go to the people who lost money because of Bitcoin Consultancy/Bitcoinica/[insert scapegoat here]
• The app itself has never been broken into (even though it's quite surprising when reading the code)

Cons :

• Needs moar reverse-engineering/fixing
• Needs moar testing
• ...

Thoughts ?

[1713558676]

1713558676

[1713558676]

1713558676

[2112]

I would suggest that everyone runs their own clone localy.

Could you post what Mac IDE you were using in your original post as well as any other steps required to make it run on a freshly out-of-the-box Mac?

I think that way many more people would join you in reverse engineering.

[davout]

Could you post what Mac IDE you were using in your original post as well as any other steps required to make it run on a freshly out-of-the-box Mac?

The IDE is Rubymine, it's the bomb.

If you're a Rails coder you won't have much trouble getting it running, you basically need to install the dependencies with bundler, launch a couple moving parts (bitcoin client, redis, resque, clockwork) and you're all set. Oh, and you need to create a MtGox API key and feed it to the code.

[markm]

I am concerned about security holes in the code. Web can be a scary attack-surface. I was thinking it might not therefore be a good idea even if I disconnect it from the money, using it just as a glorified calculator to tell me how much of what to move where and do the actual handling of the funds in Open Transactions.

However I am many years out of date on secure coding of CGI scripts and never did move on from securing CGIs to securing PHP. (And have never touched Ruby.) If someone who is really really up to date on how (or is that still "whether") PHP or Ruby can be secure can fix it up for security I expect to see lots of little MyBitcoinica sites spring up.

The suggestion of using it as a local app behind one's firewall ("everyone runs their own clone locally")  sounds cool but presumably loses the ability to bucketshop the players off against each other thus losing what is likely a huge part of how it makes money. Actually come to think, if you are the only player on your instance who are you to bet against?

I was afraid the thing would be too easily attacked thus maybe not worth in effect paying $350,000 for the code in the form of making whole the victims of Bitcoinica.

If the code is really good or can have its holes plugged pretty certainly then maybe Gox themselves might find it a good springboard to adding the functionality to their own suite of services.

-MarkM-

[Bigpiggy01]

Hmmm maybe altcoinica so peeps can get the margin devil out of their system without risking too much?

[BCB]

Code is not inherently insecure.  Coders practices create insecurities.

There is absolutely a need desire for a bitcoinica clone.  However based on recent events I believe the community would demand (but maybe not!):

1.  Clear declaration of ownership
2.  Proof/validation of security practices
3.  Regular third party financial audits.

That wouldn't be inexpensive however the evident profit margins of such a business would certainly warrant the expense.

[2112]

If you're a Rails coder you won't have much trouble getting it running

I'm not "Rails coder" and most of the people here aren't either. But we are all curious and capable of coding or at least reading code. I would suggest that your target audience shouldn't be a "Rails coder", but any curious hacker not afraid to code.

Since you've mentioned Mt.Gox API key I have another question: how difficult is to stub out the portion that queries Mt.Gox and instead plays back a stored ticker tape in the csv or any other spreadsheet-compatible format.

Many people are interested what the secret pricing algorithm did to the bid/ask spreads on Bitcoinica. This could probably be of paramount importance if any litigation comes to fuition.

And thank you for the Rubymine reference.

[davout]

Code is not inherently insecure.

I can assure you this one is.

[markm]

Hmmm maybe altcoinica so peeps can get the margin devil out of their system without risking too much?

Yes indeed. Being able to short any coin type against any other coin type would be very interesting and is where I will be heading with Open Transactions if I can actually figure out how shorting is woth implementing at all. I am still not clear on why anyone would loan an asset to someone else knowing the someone else is going to use it to lower its value so as to ideally be paying back less value than they borrowed...

Also I worry about how to ensure there are enough on the market to buy come payback time. It seemed to me there is a double cost in shorting if secured by a marketmaker who puts aside enough of what someone borrowed from someone to ensure there will be enough left on the market at payback time for the borrower to buy to pay back the loaned assets.

The more "alt" the asset the more need, it seemed to me at first glance at least, there is for a marketmaker like that because if there are none of the borrowed thing on the market there is no price available to determine how much value needs to be paid back in some different type of thing.

(If you short 1968 Coupe de Villes, and there are not Coupe de Villes on the market come payback time, how can anyone figure out how much dollars or gold or something you'd need to pay to make up for having defaulted on paying back the loan of Coupe de Villes?)

-MarkM-

[BCB]

Code is not inherently insecure.

I can assure you this one is.

I know NOTHING about ruby... but I don't doubt your assessment.  Yahoo Voice stores passwords in plaintext so don't event begin to think that any larger entity's online security practices are any better.  The bigger the entity the more money that have to throw any security breach when it happens and for now it seems that is cheaper for them then rolling out fully secured code into production.

[davout]

I'm not "Rails coder" and most of the people here aren't either. But we are all curious and capable of coding or at least reading code. I would suggest that your target audience shouldn't be a "Rails coder", but any curious hacker not afraid to code.

Understood, if you want to read the business logic it is in the app/models folder (each model is linked to a database table), and in the app/workers folder (this one contains all the periodic running tasks) the pricing logic probably resides in one of the workers.

Since you've mentioned Mt.Gox API key I have another question: how difficult is to stub out the portion that queries Mt.Gox and instead plays back a stored ticker tape in the csv or any other spreadsheet-compatible format.

I don't think it would be extremely difficult, Ruby is awesome for this kind of things, you can transparently replace code at runtime.
See pastebin below

Many people are interested what the secret pricing algorithm did to the bid/ask spreads on Bitcoinica. This could probably be of paramount importance if any litigation comes to fuition.

I've added a couple comments, but this is pretty much the raw TickingJob http://pastebin.com/4Ej858a8

And thank you for the Rubymine reference.

I love it, and JetBrains gave me a free open-source license for developing Bitcoin-Central.net

[jgarzik]

No, for reasons like this.

[davout]

No, for reasons like this.

From my understanding there are actual trades happening when users place orders, if they have a long position actual BTCs are bought for example.
I'm not really far in understanding how it actually works, until then, calling it a bucket shop (or a legitimate trading platform for the matter) is IMO a little premature.

[markm]

No, for reasons like this.

Hmm so they were a bucket-shop but just not a totally self-contained one? The use of MtGox was just a way of helping keep the bucket shop from getting caught out a little longer by at least sometimes actually buying or selling actual assets?

I have been testing Open Transactions for a year or so now and am very pleased with its progress so I am very interested in figuring out a "right" way of implementing leverage and shorting. But if "doing it wrong" is what the customers want, as evidenced by their flocking to those who "do it wrong" to avoid the costs involved in "doing it right" maybe having floods of MyBitcoinica sites springing up all over the place is going to be inevitable?

-MarkM-

[davout]

But if "doing it wrong" is what the customers want, as evidenced by their flocking to those who "do it wrong" to avoid the costs involved in "doing it right" maybe having floods of MyBitcoinica sites springing up all over the place is going to be inevitable?

Doesn't mean it's desirable

[2112]

I've added a couple comments, but this is pretty much the raw TickingJob http://pastebin.com/4Ej858a8

Ah, OK then. I was worried that you are going to waste your skill and time on doing the security audit on the cadaver.

Zhoutong's key invention was the secret semi-random pricing algorithm. I recall that somebody reverse-engineered his original pricing algorithm and posted a Python script to reliably scrape small profits (maybe that person was "macbookair"?). Then he added some randomness and it worked like catnip on all the gamblers here.

I would let other people do the necromancy and create Frankencoinica, Litecoinica, Solidcoinica and whatever else.

Actually it will probably be Биткoиницa.

[davout]

Zhoutong's key invention was the secret semi-random pricing algorithm.

How was the pricing algo an invention ?
From what I thought I understood it was simply the mtgox price at a certain depth.

[elux]

With the leak of the code I'm asking myself whether it would be a good idea to setup a bitcoinica clone.

The original code surely belongs to someone, regardless of whether it's been leaked.

Though given the leak it looks trivial to reverse engineer and write a clone from scratch.

[davout]

With the leak of the code I'm asking myself whether it would be a good idea to setup a bitcoinica clone.

The original code surely belongs to someone, regardless of whether it's been leaked.

Though given the leak it looks trivial to reverse engineer and write a clone from scratch.

Yep, so that's basically a non-issue

[kiba]

NOO! You must use emacs!