
Show HN: Bitcoinica - Advanced Bitcoin Trading Platform - zhoutong
https://www.bitcoinica.com
======
zhoutong
Hi HN,

I'm the creator of Bitcoinica. I'm not so established here. To be honest, I'm
only 17.

Please try it out. (I can pay $1 for you if you're not willing/able to
deposit, email me at info@bitcoinica.com. :-D ) You can leave any suggestions,
comments, bug reports and feature requests here. I'll look through every
single comment. Thanks!

~~~
mootothemax
_I'm the creator of Bitcoinica. I'm not so established here. To be honest, I'm
only 17._

You're 17 and you've already created something like this? I see a _very_
bright future ahead of you :) Well done, great work!

~~~
dkersten
This is true, I expect him (or her?) to go far!

Unfortunately, seeing his age put me off depositing money into the account I
just created. When dealing with my money, I want a team of people with a lot
of experience in security and dealing with problems under pressure. He may
have this, but at 17 its unlikely. My quick evaluation may be unfair, but I'm
unwilling to take that chance with money, especially after MtGox showed us all
what kind of problems could occur if not enough work is put into preventing
potential problems.

So, at least for now, I'll pass. Having said that, the site looks great and I
wish the creator the best of luck and lots of success!

~~~
zhoutong
When I first decided to disclose my age, I have considered this problem.
Actually this is a psychological paradox: proving myself honest doesn't always
make me more trustworthy.

It's just like the warranty of your gadgets. Getting a wonderful repair
service may make you feel better than having no problem at all.

I have no problems with this kind of thinking. It really doesn't matter to me.
I'll prove my competency with time.

Your judgement is actually fair. Thanks for that!

~~~
jerf
To be honest, your age isn't a problem, because the average above-average
developer is _still_ not competent to write this sort of software. If you had
been doing security and financial software _since birth_ , I _might_ consider
putting a bit of trust in the kitty to start.

I'm going to pitch a different take than a few others: Yes, great initiative,
please keep trying things and building things, but _end this project now_.
There are no probable outcomes where you do not end up having to explain where
thousands of dollars of other people's money went to some angry people.
There's also _very_ nontrivial odds of being on the wrong end of armed Federal
agents, based on some of the other comments you've made here. This is a
horrible, horrible first-project sort of project.

Let me put it this way: Would you be willing to convert the BitCoins in your
system into cash, put it in your front window, and post daily pictures of the
pile of cash to your Facebook account, set to public visibility? Because
that's roughly what you're doing.

~~~
ScottBurson
Sadly, I have to agree with this.

You're very smart, zhoutong, and your eager and polite acceptance of feedback
does you great credit. But I would not attempt what you're doing, and I know a
fair amount about both trading infrastructure and security.

And though your site is very impressive, I immediately spot a major omission:
you say nothing about your margin call policy. Do you have one? What will you
do when one of your users' accounts goes to zero, and then negative?

~~~
zhoutong
Yes, we have. I admit that I didn't make it visible on the site itself. But
the system checks every single user every 5 seconds.

We have two metrics: net value and minimum net value. When NV < MNV, all
positions are immediately liquidated. When NV < 2MNV, a warning is visible on
trading panel. (Future feature: margin call email)

These metrics are completely transparent, showing in different colors to
represent health status. Once you give it a try you will know.

------
JoachimSchipper
This seems far more advanced than usual for Bitcoin. Nice!

I have little insight into the security of your software, but I hope you have
also considered the peculiarities of Bitcoin. To name just one thing that
would be far harder in a normal market: open a Bitcoinica account, deposit $10
000, buy $50 000 in Bitcoin, sell BTC really expensively at Mt Gox as the
system frantically tries to rebalance. Given the volatility of BTC, this may
be profitable even if[1] you subsequently abandon the Bitcoinica account
(which is likely to hold $-40 000 in dollars and less than $40 000 in BTC at
un-spiked prices...)

[1] EDIT: Actually, it's _only_ profitable if you can get the Bitcoinica
account into the red. But given enough ability to move the market, that's
definitely possible.

~~~
zhoutong
Thanks for your wonderful suggestion!

Honestly speaking, I haven't considered this because at first, it's hard to
find anyone willing and able to deposit $10,000 (Mt. Gox limits withdrawals,
including redeemable codes. Can be lifted though.) Even if that happens in
reality, I have already designed some counter-measures:

\- The system will automatically break large orders down to 50 BTC increments
in a chain. Execution of new orders in the chain will require validation of
status of previous rebalance process.

\- Limit orders won't be executed further, because the price must increase.

\- Market orders will be executed at higher and higher prices, and due to low
liquidity, the spread will be larger too.

\- The user will run out of margin very soon.

Since I mention that Bitcoinica guarantees liquidity, measures like this must
be implemented. Hopefully they are useful to counter malicious trading
attempts too.

I'll think about this in detail though. Will further refine my algorithms
before the launch of Trading API (which is very dangerous if the algorithms
are problematic).

Edit: line breaks

~~~
JoachimSchipper
Well, wonderful suggestion - I'm trying to break your scheme for my own
amusement. ;-)

Note that the attack works fine if the system allows me to keep buying BTC at,
say, Mt Gox' price plus 10%. (For values of "works fine" which handwave a lot
of practical issues, like paying you untraceably and making sure that I don't
get undercut at Mt Gox too often.)

Maybe you should switch to 1:1 leverage for all accounts once the total
balance goes over $1000 until you've had some time to think this kind of thing
through?

EDIT: you also want a security@ account and a PGP key. I'm also happy to
remove this discussion if you'd prefer that; I arguably shouldn't have posted
the first post publicly.

~~~
zhoutong
Thanks for that! Really.

I will consider this and focus on my algorithm design further.

I don't mind if you leave the discussion here. Hiding a problem is never the
solution. :-)

------
ByteMuse
I like the site. A few notes:

\- Running on Heroku is not really an asset security wise. I would put
something more significant to ensure users that your site is secure.

\- Make sure your site is secure; it will be attacked often and by
professionals. Consider hiring an expert.

\- The highlighting is kind of distracting and busy.

\- You should be able to access some charts and see the going rate without
signing up and loggin in.

\- What is a Mt. Gox Redeemable code?

\- There are laws in most countries that regulate banks in regards to
leverage. Have you considered any of this?

\- Margin trading is risky and some people will lose more than they bargained
for, expect some repercussion.

Best of luck!

~~~
tptacek
There is zero chance that someone who believes they are getting security out
of hosting on Heroku and using Rails (because it has force_ssl and
protect_from_forgery) is going to build a secure trading application.

I admire the ambition and for this stage of his career he's obviously cleared
the bar, but it's also good for him to learn that in the real world security
isn't graded on a curve, and people with more time and experience than him
have failed to secure Rails apps.

------
mkramlich
A brand new financial trading platform written by a lone teenager in China?
Here let me give you lots of my money! Not. :-)

Somewhat tongue in cheek. I wish you luck and admire your effort, but advise
you to be humble about your skills and pay massive attention to the security
aspects of your creation, and certainly engage outside experts who have much
more experience in this area. Otherwise you are likely heading to a big public
security/financial mishap.

------
jonpaul
The site looks great! However, what I'd really love to see in a platform is
not advance trading features, but an easy way to convert USD to BTC and vice
versa. I realize that this is a real challenge given the anonymity provided by
the Bitcoin network and the only real instant transfer of money is through
credit cards (which like to chargeback). If someone would solve this problem,
you have a winner.

~~~
apsec112
That's _exactly_ what we thought, and so we started a site to allow easy
conversion of USD/BTC:

<https://www.get-bitcoin.com>

We've been in business for a few months now, and don't want this to sound too
sales-pitchy, but our customers all love us because converting used to be such
a headache. For payment methods, we don't accept credit cards (for chargeback
reasons as you mentioned), but we do accept prepaid debit cards, and we have
Dwolla, MoneyPak and Western Union as "instant" payment options.

~~~
cjy
This is a bit off topic, but the FAQs on your website recommend that people
insure shipments of cash. As I understand it, UPS/USPS/Fedex will not insure
cash or cash-like items. You should look into this so that you don't misguide
your customers.

~~~
apsec112
USPS will insure cash up to $5,000 for standard domestic mail, and up to
$25,000 for registered mail:

<http://www.snopes.com/legal/postal/sendcash.asp>

~~~
cjy
Thanks for the correction. I was at the UPS store the other day and this guy
wanted to insure $10,000 in cash he was mailing to his nephew. He wanted to
mail the cash to keep it off the record and out of the view of the IRS. The
people working there said UPS and FedEx wouldn't insure cash. But, apparently
the government will.

------
steve8918
Very very cool! The idea is great and the interface looks slick!

However, what do you do in terms of protecting people's accounts? You say that
the money is stored in your account? Gasp! How do we know you can't turn
around and take all the money?

Also, what do you do to protect the accounts from a single rogue trader? If
someone deposits money, margins up and loses a bunch of money, how do you
protect the rest of the accounts?

~~~
zhoutong
I have replied several comments about the security issues. Maybe you can take
a look at them.

For the margin trading problem, we liquidate positions by force when the
user's net value falls below maintenance. All data is transparent and you can
see how far you are from being taken over.

------
steve8918
I already mentioned below that I thought your site was nicely done. But you
didn't answer my questions directly which makes me a bit wary.

My questions aren't site security questions per se, they deal more with the
business of your site. Also, my questions are blunt, but not disrespectful, so
don't be offended.

1) How do I trust _you_? How do I know you're not going to run away with all
my money? Who are you?

Registered brokerage accounts have segregated funds, so that brokerages can't
get access to my money in case the brokerage goes under. You are saying
everything is in one giant account. In the case you suffer a catastrophic
loss, how do I know my money is safe? Also, how do I know you're not Madoff
and won't run away with all the money?

2) How are you affording the ability to margin people's accounts? Where are
you getting the money?

3) You say you check for margin requirements every 5 seconds? If I were a
market manipulator, I would wait for the order book on BTC to thin out, then I
would massively short the markets. This would hopefully trigger massive margin
calls on your end, and forced liquidation. Since the order book is thin, I
would probably be able to cover at rock bottom prices. Also, presumably you
(the site) would suffer tremendous losses.

How do you protect your customers from this?

~~~
zhoutong
1\. We can almost never be a registered broker for Bitcoin trading. There's
almost no law regulating this market either. If you can't trust me now, it's
all okay. I have never asked for trust. What I do is to write apps in the way
that people feel trustworthy and reliable. If after, say, 3 months, my site
grows larger with no known security issues, then the time will make it more
trustworthy.

2\. Not all people are doing long or short at the same time. Not all people
are utilizing their margin fully at the same time. Not all people have active
positions at the same time. We have a pool of money to make this possible.

3\. Bitcoinica is not an Exchange. We don't match orders ourselves. The rates
you see are inclusive of liquidity concerns. If there's excess positions, we
trade them in Mt. Gox to balance our portfolio. When the order book is so thin
that you can already move the market with your short positions, chances are
the forced liquidation has already taken place. (Thin order book -> larger
spread -> lower buying rate)

------
arkitaip
Considering all the security issues with the Bitcoin ecosystem and the
resulting mistrust, I think you need to be very explicit about your security.

~~~
zhoutong
Yeah, I understand your concern. Bitcoinica has several
features/characteristics that make itself like no other:

\- There's no Bitcoin wallet. Most incidents happen with stolen or lost
wallets. Bitcoinica holds all the money and coins in traditional banks and
other exchanges (currently only Mt. Gox).

\- Bitcoinica runs on Heroku. Generally apps hosted in the cloud are more
secure. Ruby on Rails itself is very secure too. (protect_from_forgery, html
escape, force_ssl, etc)

\- No account minimums. If you're unsure, you can deposit $1 first and try to
do some trades.

\- Margin trading. This reduces risks. You don't have to deposit 100 BTC worth
of USD when you want to long/short a 100 BTC position. 20 BTC is enough. Only
when you lose a lot, you can consider adding more margin.

I think trust is a common problem for all websites like Bitcoinica. That's why
we designed the platform in the way that attempts to solve the fundamental
problems.

There's instant deposit and withdrawal too. You can transfer money from Mt.
Gox when you want to trade and transfer it back after you close your position.
(Assume that you trust Mt. Gox.)

~~~
michael_dorfman
_Bitcoinica runs on Heroku. Generally apps hosted in the cloud are more
secure. Ruby on Rails itself is very secure too. (protect_from_forgery, html
escape, force_ssl, etc)_

Uh-oh. Ruby on Rails has a lot of default settings that are decidedly _not_
secure; our own Patio11 wrote an article on this topic for the CACM not too
long ago.

You might want to sit down with a security professional before too long, and
get an outside opinion on your code.

~~~
zhoutong
Currently our only non-trivial security challenges are as follows:

\- SQL Injection

\- Source being viewed

\- Financial attacks

I believe that Rails has no problems with SQL injection? All my database
queries are going through ActiveRecord.

Heroku protects everything nicely. Even the filesystem is read-only. There's
virtually no way to control the server provided Heroku's 3-layer architecture
(Varnish, Nginx and Thin).

We don't operate a Bitcoin wallet. Basically hackers have nothing to steal.
Even if we are totally owned, the most that hackers can do is to get some free
money and make some trades. After all, we can obviously identify and not to
approve withdrawals (for unusual and large-amount ones).

~~~
tptacek
You should know that when you write comments like this, you communicate two
(bad) things:

(i) You don't know enough about appsec to be communicating things about the
trustworthiness of your application.

(ii) Any feedback you're given about the threats your application faces is
just going to get added to your list of "security challenges" you are aware of
or have tried to address, which implies that anything anyone does to help you
with your security is just going to be used to mislead others. No thanks!

I'm thrilled at the idea of a 17 year old building applications that need
serious security countermeasures and would generally love to help. But not
when the stakes are "other people's money".

You should pick a different project. For a variety of reasons. How about take
your Bitcoin exchange and do (another) play-money exchange, like for a
prediction market?

~~~
patio11
Seconding Thomas' advice. You could even write against the API of one of the
existing prediction markets (thus inheriting their user base) and try to add,
e.g., options to it. That will give you plenty of holes to shoot in your foot
without ever causing more damage than wiping out the geek cred of someone who
tried to prop trade using the knowledge that there are unlikely to be two next
US presidents.

P.S. I used to participate on a prediction market. Was winning the Internet
after going all in on three presidential elections. Got wiped out by JPY
breaking a hundred two years too late for my contracts to pay. Did not jump
out window.

------
dclaysmith
Question for @zhoutong ...

When did you start working on this project and have the negative events (guy
losing 500K, MtGox hacking, etc) of the last few months affected your
development and outlook?

Site looks great. Twitter bootstrap?

~~~
zhoutong
I only started working a week ago. I'm currently in school holiday, so I can
afford long hours. And since this is a solo project, I have no communication
problems. I can just do what I have planned and thought.

These negative events are actually quite normal. Actually they present us with
all kinds of problems. Every entrepreneur's task is to solve problems. And now
we have more problems to solve.

Being optimistic,

Positive events == opportunities

Negative events == opportunities (for those who are smart)

You can look through some of my comments here. I have explained how I solve
the security problem.

Yes, I'm using Twitter Bootstrap. It's very easy to get started for a non-
designer like me.

~~~
dclaysmith
Wow. Hell of a weeks work. I agree about Twitter Bootstrap... Using it on a
project I'm working on now. Loving LESS...

------
Joakal
Looks pretty cool. I dislike the random pink highlighting, it's noisy. Avoid
smiles, as cool as it is, you must look professional in business ;)

That said, maybe a security section would be great. eg encryption, security,
independent audits, etc. Here's an example: <http://help.github.com/security/>

~~~
zhoutong
Thanks. Yes, I have a long to-do list for these now:

\- Tour

\- Terms of Service

\- Privacy Policy

\- Security

\- Help (probably)

A lot of writing work! I'm a non-native English user though.

~~~
davedx
I'd be happy to proof read your copy, just drop me an email davedx@gmail.com
:)

------
rb2k_
That's a great site and will help people that haven't got any trading
experience to 'play' a little bit without having to do all sorts of things in
the 'real' money market

A little feedback: Tooltip texts for some of the interface elements would be
nice. I had to think a bit before figuring out that "P/L ($)" is supposed to
be profit/loss.

~~~
zhoutong
Thank you for your feedback!

It's easy to make tooltips with Twitter Bootstrap. I have written Javascript
to enable all the "title" attributes.

I will definitely put more tooltips here and there and launch a new version in
probably a few days.

------
ianpurton
It looks great. It's good to see more things appear in the Bitcoin space.

I would add a tour page, perhaps with screenshots so people can see how it
works without signing up.

~~~
zhoutong
Thank you for your suggestion.

Yes, I will definitely do that if the test run is successful. Probably I will
launch the Tour together with Trading API.

------
vessenes
Can you explain your margin fees somewhere on the site?

Thanks!

------
ArchD
How do I logout without a logout button?

~~~
Kudos
Delete your session cookie. Or he could add a logout button.

~~~
WA
Deleting a session cookie is not the same as a logout button, because the
session needs to be terminated server-sided as well, otherwise it is still
active and anyone with access to the session ID could restore the session
(until the natural session timeout occurs - which entirely depends on the
server's configuration).

------
Estragon
Spread seems high.

~~~
zhoutong
If you compare to Forex brokerages, yes. But consider the volatility of
BTCUSD, you can make profits despite the high spreads.

Usually BTCUSD can fluctuate 5% - 20% everyday, and the spread is only about
0.5% - 2% (one side).

