You should know that when you write comments like this, you communicate two (bad) things:

(i) You don't know enough about appsec to be communicating things about the trustworthiness of your application.

(ii) Any feedback you're given about the threats your application faces is just going to get added to your list of "security challenges" you are aware of or have tried to address, which implies that anything anyone does to help you with your security is just going to be used to mislead others. No thanks!

I'm thrilled at the idea of a 17-year-old building applications that need serious security countermeasures and would generally love to help. But not when the stakes are "other people's money".

You should pick a different project. For a variety of reasons. How about take your Bitcoin exchange and do (another) play-money exchange, like for a prediction market?

Seconding Thomas' advice. You could even write against the API of one of the existing prediction markets (thus inheriting their user base) and try to add, e.g., options to it. That will give you plenty of holes to shoot in your foot without ever causing more damage than wiping out the geek cred of someone who tried to prop trade using the knowledge that there are unlikely to be two next US presidents.

P.S. I used to participate on a prediction market. Was winning the Internet after going all in on three presidential elections. Got wiped out by JPY breaking a hundred two years too late for my contracts to pay. Did not jump out window.

