
The Alternative to Trusting Your Exchange API Keys to Trading Bot Companies

valuezone 09 January 2023

TL;DR

Securely storing passwords or keys that give access to clients’ funds is a gigantic challenge that no startup or even mid-sized company can ever cope with.

In this article, I briefly explain the threats involved and why these companies can NEVER win the adversarial game against hackers when such a big bounty is at play.

The article ends by offering viable alternatives to trusting keys to third parties while trading with bots: open-source platforms that run on your premises.

The Problem Is the Size of the Spoil

A database containing tens of thousands of exchange API keys represents a prime target for hackers. If successful, attackers can walk away with a formidable spoil.

Hackers have been attacking banks and traditional financial institutions from the moment those industries stepped into the Internet and started offering online services.

The challenge for hackers attacking traditional financial entities — on top of breaking into the company’s systems — is laundering the spoil money. The only way to transfer fiat money digitally out of a financial institution is through wire transfers to banks, and those transactions are 100% traceable.

However, stealing crypto is much easier.

Take, a web-based trading bots service, for example. The database containing users’ private information — including exchange API keys — was compromised. The company doesn’t custody users’ funds; they “only” custody customers’ keys that allow users’ trading bots to connect to exchanges via the exchanges’ APIs (Application Programming Interfaces).

When creating an API Key at the exchange, it is highly recommended not to give the key permissions to withdraw funds — particularly if users plan to trust the keys to a custodian. So people usually give the keys permission to trade with the associated account only.

How do hackers steal users’ funds from exchanges when all they have is an API key with trading permissions only?

Easy.

First, they buy or invest in low-liquidity crypto coins or tokens with their own cash. Then, they use the victims’ funds at the exchange to pump those coins, so that they can cash out at the top. The operation has some challenges and is rather inefficient. Still, they walk away with huge spoils of virtually untraceable crypto funds.
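The two points above, a trade-only key and the damage a compromised trade-only key can still do, translate into two controls a self-hosted bot operator can enforce locally before any order leaves the machine. The following Python sketch is an added example, not code from the article or from any platform it mentions: it checks that a key's permission set is least-privilege (no withdraw or transfer rights) and filters a strategy's outgoing orders against an explicit market allowlist and a per-order size cap, so that a hijacked strategy or key cannot be steered into arbitrary illiquid markets. Every permission name, market symbol and order record is constructed for the example; no exchange API is called.

```python
"""Local guard rails for a self-hosted trading bot (added example, constructed data).

Permission names, market symbols and orders below are assumptions made for
illustration; real exchanges describe key permissions in their own formats.
"""
from dataclasses import dataclass, field

# Assumption: the only permissions a trading bot legitimately needs.
REQUIRED_PERMISSIONS = {"read", "trade"}
# Assumption: permissions that must never be present on a key given to any bot.
FORBIDDEN_PERMISSIONS = {"withdraw", "transfer", "sub_account"}


@dataclass
class KeyPolicyResult:
    ok: bool
    problems: list = field(default_factory=list)


def check_key_permissions(permissions):
    """Accept the key only if it is trade-only: it carries what the bot needs
    and nothing that would let a thief move funds off the exchange."""
    perms = set(permissions)
    result = KeyPolicyResult(ok=True)
    missing = REQUIRED_PERMISSIONS - perms
    if missing:
        result.ok = False
        result.problems.append(f"missing required permissions: {sorted(missing)}")
    forbidden = perms & FORBIDDEN_PERMISSIONS
    if forbidden:
        result.ok = False
        result.problems.append(f"key carries forbidden permissions: {sorted(forbidden)}")
    return result


@dataclass
class Order:
    market: str
    side: str
    quantity: float


def guard_orders(orders, allowed_markets, max_quantity):
    """Split a batch of orders a strategy wants to send into (accepted, rejected).

    rejected is a list of (order, reason). Orders in markets the operator never
    configured, or larger than the per-order cap, are dropped instead of sent."""
    accepted, rejected = [], []
    for order in orders:
        if order.market not in allowed_markets:
            rejected.append((order, f"market {order.market} not in allowlist"))
        elif order.quantity > max_quantity:
            rejected.append((order, f"quantity {order.quantity} exceeds cap {max_quantity}"))
        else:
            accepted.append(order)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample: a key as an exchange dashboard might describe it.
    for perms in (["read", "trade", "withdraw"], ["read", "trade"]):
        verdict = check_key_permissions(perms)
        print(perms, "->", "OK" if verdict.ok else verdict.problems)

    # Constructed sample orders; LOWCAP/USDT stands in for an illiquid market
    # the operator never configured.
    orders = [
        Order("BTC/USDT", "buy", 0.01),
        Order("LOWCAP/USDT", "buy", 50000),
        Order("ETH/USDT", "sell", 25.0),
    ]
    accepted, rejected = guard_orders(orders, {"BTC/USDT", "ETH/USDT"}, max_quantity=10.0)
    print("accepted:", [o.market for o in accepted])
    for order, reason in rejected:
        print("rejected:", order.market, "-", reason)
```

The point of running these checks on the operator's own machine is that they sit between the strategy and the exchange regardless of where the strategy logic came from; a key that fails `check_key_permissions` should be regenerated at the exchange with the offending rights removed rather than used with a warning.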

Trusting API Keys to Third Parties Always Ends Badly

Cybersecurity is an extremely complex problem. Experts know that no system is unbreakable. In fact, security is often measured in time: the time required for attackers with access to certain resources to break into a system.

What kind of resources can attackers have?

Think of it this way…

Your attacker can be anyone from a teenage girl in a basement to a state-backed cyber-crime unit. In other words, the attacker may have unlimited resources.


Guess who? Photo by Deon Black on Unsplash

What makes you think that a bunch of kids in a startup can deal with such powerful attackers?

Cyber security is not just about information systems — one aspect at which a bunch of MIT kids may excel. The weak link can be in many other places:

  • The data center, the provider of cloud services, and other third parties involved in the operation of the business.
  • The network hardware that may have back-doors — think of the concerns about Huawei.
  • Compromised employees, consultants, or contractors — allegedly
  • Insecure internal processes — think of the maintenance of software, databases, internal communications, etc.
  • Insufficient monitoring and defenses — cyber security is an adversarial game: hackers are always looking for new exploits and companies need to play a never-ending cat-and-mouse game.

Let me propose another way to look at it…

Custodial companies have unlimited threats. Every hacker in the world is a potential attacker. These companies play an extremely dangerous game. They either always win, or their customers lose everything! There is no room for error. One single mistake, and customers’ funds are wiped out. And they all fail sooner or later.

You may be able to get insurance against cyber attacks for your bank account, and a large exchange like Binance has a fund to cover attack-related losses.

But you have no protection if your trading bots company gets hacked. You are risking all the funds you have at the exchange, quite literally.

That is why trusting your exchange keys to web-based trading bot companies is a terrible idea. You’re making a bet you just can’t win. Sooner or later, the company will get hacked. It’s just a matter of time.

If you’re a trader, you need to be smarter than that and evaluate risks appropriately.

The Alternative

The alternative is not to trust your API keys to third parties.

So how do I use the web-based services of the likes?

You don’t. You stay away from commercial trading bot companies that require you to hand over your exchange API keys. Period.

What’s the alternative?

Run your bots locally, on your premises, or with your cloud service provider.

Isn’t that setup subject to attacks too?

Yes, but nobody knows you. As an individual, you’re not attractive to hackers with access to unlimited resources. If you’re a low-key trader, no one knows you exist, and the funds in your account are likely uninteresting in isolation.


Size matters! Photo by Deon Black on Unsplash

But I can’t code! I don’t know how to build bots from scratch!

You don’t need to code your bots. The solution is to use an open-source platform that you may download and run on your premises. The platform should allow you to design, build, test, and deploy strategies in a visual environment so that you don’t need to code.

Can I trust open-source software? Should I worry about malware?

Open-source offers a basic level of transparency, as the code is available for everyone to review and scrutinize. But not all open-source software is safe. Look for the leading platform that has a vibrant community. That will be the one attracting the most developers, who will certainly look into the code before even installing the software. Make sure the software has a track record and reputation. Talk to people using the software, wherever the community meets online.

Can these open-source projects disappear and leave me hanging out to dry?

Good point! You don’t want to spend time and effort setting up your strategies on a platform that may disappear the next day. Open source can be a winner-takes-all scenario in which one or two projects take the lead and attract most developers. Those are the projects that thrive and conquer their niche market. Again, find the projects that are leading the pack, those with the largest contributor base, and those with the clearest vision of what profitable trading requires. Then see if they cater to your specific needs.

Will I get support when I need it?

That’s a good question and one more thing you need to look at when you evaluate projects. Good projects have a vibrant community willing to help onboard newcomers and walk them through the learning curve. The best projects may even offer incentives to community members who engage with support questions.

How about commercial bots that I can run on my premises?

Are you nuts? Any black box that you install on your premises can be compromised. If the source code is not shipped with the software, then it’s a no-go. The software could steal your keys and even infect the whole computer looking for other spoils like crypto seeds and passwords.

Fine Mr. Expert, why don’t you just tell me which is the best open-source trading bots platform?

It depends on what you’re looking for.

I’m involved, and I believe we have the most robust, flexible, and sophisticated platform out there. We’re a five-year-old community-owned and token-incentivized open-source project that has been trading live for two years already. We’re first on GitHub for the “trading” search term, as well as the crypto trading and crypto trading strategies topics.


charting space

If you’re a developer, we are a safe bet. Our closest competitor catering to developers is Freqtrade, so you may want to check them too.

However, if you’re not a developer, I don’t know of any other open-source platform that can truly help you become profitable at trading.

The platform is technical, but anyone with decent computer operation skills can learn it. You don’t need to code, as the platform offers a visual trading system framework where you define conditions and formulas using built-in indicators and simple mathematical expressions. If you can code, though, the sky is the limit.

How hard is it to learn the platform?

It usually takes 15 to 20 hours for users to learn the basics and start playing with their own strategies.


Interactive tutorial

Make no mistake, trading is a complex game, and trading automation is even more complex. Don’t be fooled by the gimmicks of commercial trading bot platforms. They are in the business of extracting money from users!

Companies want to make you believe that trading is easy and offer simplistic tools that anyone can operate just to broaden their target market and have more fools to extract money from.

It’s baked into their business model!

They charge you more if you wish to run more backtests, trade more markets, deploy more bots, trade more volume, or use “special features” behind additional paywalls.

On the contrary, is a community-centric project. The user comes first because it’s the users building the platform. Users know what it takes to be profitable, so they make sure they build the right tools, not the tools that will sell subscriptions to unsuspecting wannabe traders.

I’m starting with trading but feel I don’t know enough! What’s in it for me?

If you haven’t yet been successful at building profitable strategies, you can always use the Platform to copy trade following the bots of other users.

See, the project incentivizes profitable traders in the community (with the native token) to broadcast trading signals over a peer-to-peer network. The more followers they have, the more tokens they earn. The design of incentives ensures that signal providers strive to produce profitable signals and protect their following — otherwise people would unfollow them and follow someone else!

All in all, the project is designed on a bitcoin-principles framework. The token is distributed exclusively among open-source contributors so that the community owns the project and everyone’s incentives are aligned in the same direction. There are no VCs involved, and everything is bootstrapped by the community.