Topic: [ANN]First online MPEx brokerage now in public beta (Read 4872 times)

sr. member
Activity: 340
Merit: 250
GO http://bitcointa.lk !!! My new nick: jurov
Any word on when CoinBR will stop being read-only?

Also, can I deposit funds while the site is in this status? There are no warnings on the deposit page, I just can't trade.


Thanks.

Full functionality just restored. Any deposits made yesterday or today got merely delayed, there was no reason to prevent new ones.

Thanks for your patience!
donator
Activity: 294
Merit: 250
Any word on when CoinBR will stop being read-only?

Also, can I deposit funds while the site is in this status? There are no warnings on the deposit page, I just can't trade.


Thanks.
sr. member
Activity: 340
Merit: 250
GO http://bitcointa.lk !!! My new nick: jurov
Okay I get it now. But it isn't clear at all how would that apply to MPOE options. Only total traded volume is known and published, without analyzing each transaction it is hard to discern how many options MPOE bot bought back that were issued by itself (and thus effectively decreased open interest). Not even taking into account other users that recently started to do the same as MPOE. Number of option exercises in the course of month isn't known, too.
If the volume is known there would be no trouble in calculating the OI at all.
Do you have the db with each and every tx or you don't? How do you hedge your risk then?

For derivative markets OI is essential, it's the key value to analyze, not the volume..
What risk it needs to be hedged against? The options are fully covered regardless how many of them there are. And if you mean hedging against BTCUSD, how would open interest help in that?
full member
Activity: 124
Merit: 100
Okay I get it now. But it isn't clear at all how would that apply to MPOE options. Only total traded volume is known and published, without analyzing each transaction it is hard to discern how many options MPOE bot bought back that were issued by itself (and thus effectively decreased open interest). Not even taking into account other users that recently started to do the same as MPOE. Number of option exercises in the course of month isn't known, too.
If the volume is known there would be no trouble in calculating the OI at all.
Do you have the db with each and every tx or you don't? How do you hedge your risk then?

For derivative markets OI is essential, it's the key value to analyze, not the volume..
sr. member
Activity: 340
Merit: 250
GO http://bitcointa.lk !!! My new nick: jurov
Naturally we need to be aware of the open interest for every option contract listed.. Please reveal..
I don't understand what do you mean, can you please explain?
http://en.wikipedia.org/wiki/Open_interest

These numbers should be available to anyone..
Okay I get it now. But it isn't clear at all how would that apply to MPOE options. Only total traded volume is known and published, without analyzing each transaction it is hard to discern how many options MPOE bot bought back that were issued by itself (and thus effectively decreased open interest). Not even taking into account other users that recently started to do the same as MPOE. Number of option exercises in the course of month isn't known, too.

Moreover, already happened several times that 80% of all trade was near beginning or end of the month and total amount of options changed wildly in matter of hours.

Any proposals how to come up with meaningful numbers in this situation are welcome.
full member
Activity: 124
Merit: 100
Naturally we need to be aware of the open interest for every option contract listed.. Please reveal..
I don't understand what do you mean, can you please explain?
http://en.wikipedia.org/wiki/Open_interest

These numbers should be available to anyone..
sr. member
Activity: 340
Merit: 250
GO http://bitcointa.lk !!! My new nick: jurov
Naturally we need to be aware of the open interest for every option contract listed.. Please reveal..
I don't understand what do you mean, can you please explain?
full member
Activity: 124
Merit: 100

Naturally we need to be aware of the open interest for every option contract listed.. Please reveal..
sr. member
Activity: 340
Merit: 250
GO http://bitcointa.lk !!! My new nick: jurov
We have now our own support & discussion board on bitcoinforum: http://www.bitcoinforum.com/coinbr-com/ . Of course, we will keep responding here as well. But we can have our own place there and I really like it, OpenID support for quick registration, live chat, micropayments and other goodies Wink
legendary
Activity: 1106
Merit: 1006
Lead Blockchain Developer
I think the manual withdrawals are a good thing for a brokerage to have.  It's one of those things that are great for security.  I wish I could do manual withdrawals on my sites, not enough time in the day unfortunately.

One consideration though.  There should be a backup plan in case anything happens to the broker.

Cheers.
hero member
Activity: 756
Merit: 522
Like the service but manual deposits and withdrawals are really annoying and makes you less trustworthy.

How many hot wallets need to be stolen before we agree that manual withdrawals are an essential security practice?

A small majority.
sr. member
Activity: 394
Merit: 250
Like the service but manual deposits and withdrawals are really annoying and makes you less trustworthy.

How many hot wallets need to be stolen before we agree that manual withdrawals are an essential security practice?
hero member
Activity: 968
Merit: 515
Like the service but manual deposits and withdrawals are really annoying and makes you less trustworthy.
sr. member
Activity: 340
Merit: 250
GO http://bitcointa.lk !!! My new nick: jurov
I suspect you're going to need to setup your backend to not trust your frontend, maybe the backend can verify orders on a per-user basis using a hash of the users auth data or something similar?  I see lots of coding in your future.  Wink

Yes, I think one of the main issues is the assets being 'titled' in CoinBR's name and not the user's.

Think there is a way to tie the MPEx trade receipt to the public key wallet address provided at signup so the assets are 'titled' to the user? Perhaps have a Blockchain.info type functionality.
Can you (or anyone else) please elaborate on how this could be done? I don't use blockchain.info wallet, what function do you have in mind?

AFAIK most we can do is to issue signed account statements to make assets 'titled' in user's name - that's toward the user. Other than that, unlike bitcoins, all assets on mpex account are completely fungible and no sub-account support is planned. Thus, protecting the backend from frontend... hard to do much more than set limits for suspicious behavior. Even if we figure out something better, the details shall remain known to pentesters at most. Did any other exchange publish such details?
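
One way a backend could refuse to trust the frontend, along the lines suggested in the posts above; this is an added example, not CoinBR's or MPExAgent's code. It assumes a per-user key known only to the user's client and the backend, goes beyond the thread by adding a replay counter, and uses hypothetical names (`BackendGate`, `order_tag`) and a constructed symbol `X.TEST`.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    user: str
    side: str        # "BUY" or "SELL"
    symbol: str
    qty: int
    price_sat: int   # limit price in satoshi
    counter: int     # strictly increasing per user; blocks replayed orders


def canonical(order: Order) -> bytes:
    """Length-prefixed encoding so field boundaries cannot be shifted."""
    fields = [order.user, order.side, order.symbol,
              str(order.qty), str(order.price_sat), str(order.counter)]
    out = b""
    for field in fields:
        raw = field.encode()
        out += len(raw).to_bytes(2, "big") + raw
    return out


def order_tag(user_key: bytes, order: Order) -> str:
    """Tag computed on the user's side; the frontend only relays it."""
    return hmac.new(user_key, canonical(order), hashlib.sha256).hexdigest()


class BackendGate:
    """Runs on the backend, in front of whatever submits orders to the exchange."""

    def __init__(self, user_keys, holdings):
        self.user_keys = user_keys      # user -> key (assumed never stored on the frontend)
        self.holdings = dict(holdings)  # (user, symbol) -> units not yet committed to sells
        self.last_counter = {}          # user -> highest counter accepted so far

    def check(self, order: Order, tag: str) -> str:
        key = self.user_keys.get(order.user)
        if key is None:
            return "unknown user"
        expected = order_tag(key, order)
        # Constant-time comparison; any changed field invalidates the tag.
        if not hmac.compare_digest(expected.encode(), tag.encode()):
            return "bad tag"
        if order.counter <= self.last_counter.get(order.user, 0):
            return "replay"
        if order.side not in ("BUY", "SELL") or order.qty <= 0:
            return "malformed"
        position = (order.user, order.symbol)
        if order.side == "SELL":
            # A sell may only touch this user's own position, never the pooled account.
            if order.qty > self.holdings.get(position, 0):
                return "exceeds holdings"
            self.holdings[position] -= order.qty  # reserve until filled or cancelled
        self.last_counter[order.user] = order.counter
        return "accept"
```

With this gate in place, a frontend compromise alone cannot mint sell orders for positions whose owners did not tag them; the per-user holdings check bounds the damage even if one user's key leaks.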
legendary
Activity: 1031
Merit: 1000
I suspect you're going to need to setup your backend to not trust your frontend, maybe the backend can verify orders on a per-user basis using a hash of the users auth data or something similar?  I see lots of coding in your future.  Wink

Yes, I think one of the main issues is the assets being 'titled' in CoinBR's name and not the user's.

Think there is a way to tie the MPEx trade receipt to the public key wallet address provided at signup so the assets are 'titled' to the user? Perhaps have a Blockchain.info type functionality.
sr. member
Activity: 340
Merit: 250
GO http://bitcointa.lk !!! My new nick: jurov
As we had two outages, and the last one very serious in December, we decided to waive 50% of account management fee for December (0.045 BTC instead of 0.09).

Happy New Year to everyone!
legendary
Activity: 1106
Merit: 1006
Lead Blockchain Developer
Replying via PM.  We're pretty OT now.

Cheers.

sr. member
Activity: 340
Merit: 250
GO http://bitcointa.lk !!! My new nick: jurov
Silent = away.  I'm not tethered to IRC.

What difference does it make where you typed it?  It was relevant to this conversation.

Cheers.
Not much difference. Only that I consider common decency for rants from irc to not be used as kinda evidence elsewhere. But that's my own fault I started them at all.
legendary
Activity: 1106
Merit: 1006
Lead Blockchain Developer
I have one piece of advice for anyone who wants to take it. If your previously "not legit" bitcoin site starts talking about "going legit" you are about to be fucked in the ass.

There is no "going legit" so either start out that way or embrace the dark side.

Quote
[05:20] and I'm going to my tax directorate branch tomorrow, to get official acknowledgement that i'm doing imaginary trades
[05:20] only

You should have done that before opening the brokerage.

Because if you do it now and the lawyers tell you it's illegal your clients will be glbse'd

That whole quoted irc session was me joking and ranting. I knew burnside is in the channel and was curious what he's going to make from it, he decided to stay silent there and instead paste it here.

I'm not going to explain the jokes, just maybe can improve that quote, to make the point clearer:

Quote
and I'm going to my doctor tomorrow, to get official acknowledgement that i'm doing imaginary trades only


Silent = away.  I'm not tethered to IRC.

What difference does it make where you typed it?  It was relevant to this conversation.

Cheers.

sr. member
Activity: 340
Merit: 250
GO http://bitcointa.lk !!! My new nick: jurov
I have one piece of advice for anyone who wants to take it. If your previously "not legit" bitcoin site starts talking about "going legit" you are about to be fucked in the ass.

There is no "going legit" so either start out that way or embrace the dark side.

Quote
[05:20] and I'm going to my tax directorate branch tomorrow, to get official acknowledgement that i'm doing imaginary trades
[05:20] only

You should have done that before opening the brokerage.

Because if you do it now and the lawyers tell you it's illegal your clients will be glbse'd

That whole quoted irc session was me joking and ranting. I knew burnside is in the channel and was curious what he's going to make from it, he decided to stay silent there and instead paste it here.

I'm not going to explain the jokes, just maybe can improve that quote, to make the point clearer:

Quote
and I'm going to my doctor tomorrow, to get official acknowledgement that i'm doing imaginary trades only
hero member
Activity: 686
Merit: 500
Wat
I have one piece of advice for anyone who wants to take it. If your previously "not legit" bitcoin site starts talking about "going legit" you are about to be fucked in the ass.

There is no "going legit" so either start out that way or embrace the dark side.

Quote
[05:20] and I'm going to my tax directorate branch tomorrow, to get official acknowledgement that i'm doing imaginary trades
[05:20] only

You should have done that before opening the brokerage.

Because if you do it now and the lawyers tell you it's illegal your clients will be glbse'd
legendary
Activity: 1106
Merit: 1006
Lead Blockchain Developer
This isn't about jurisdiction. Did anyone ever get saved by that lame "for educational purposes only" excuse?

That would definitely be very lame, if that were all it was.

Since the bitcoins can't be withdrawn without hacking also backend server, the portfolio can be rebuilt with small loss, MPEx is liquid enough for that. I am not going to bother MPEx asking to reverse transactions in this case. Maaaybe if the hacker does something utterly stupid like spend everything by buying some options and exercising them worthless, then maybe it will be possible to work together with MPEx to revert the txs, as this would be a much simpler case both for them to undo and for us to prove. We really don't see a need to draw some "what if" agreements with MPEx, rather prefer to focus on doing our stuff right and that takes time.

The part in bold applies pretty much across the board.  I think all the exchanges have the wallets on backend boxes.

You're definitely going where no one has gone before.  Hopefully you're a breakthrough success.  Smiley

Cheers.

sr. member
Activity: 340
Merit: 250
GO http://bitcointa.lk !!! My new nick: jurov
Quote
[05:05] morning
[05:05] so, apparently i need to slap "The use of this site is for educational and entertainment purposes only." on coinbr
[05:05] to evade accusations that i'm "borderline scammer", eh?
[05:07] while the same person says that that to say about myself that i'm a broker, i need some certificate, lol
[05:08] oh, and i also need insurance. usagi, you there?
[05:10] https://bitcointalksearch.org/topic/m.1367797
[05:12] so, mircea_popescu, of it all comes that we should get some legal affidavit that that nothing we trade is real.
[05:12]  then we can call ourselves "security exchange" and "broker"
[05:15] yeah borderline trolling
[05:17] and we need  borderline insurance, don't forget Tongue

I don't mind so much that you're not taking this seriously.  Maybe you're in a jurisdiction where you don't have to care?  Fair enough.

This isn't about jurisdiction. Did anyone ever get saved by that lame "for educational purposes only" excuse?

Quote
[05:29] oh and what if hacker sells all coinbr holdings? https://bitcointalksearch.org/topic/m.1367844
[05:30] o any mistakes you make are far harder to fix than if you were running your own exchange where you probably would eat a BTC loss out of the wallet but could easily revert to a previous backup.
[05:30] i cant even...
[05:31] so if i empty btct wallet, they'll just revert to previous backup, and all will be dandy
[05:32] why didn't i think of such?
[05:32] this is a bizzare argument
[05:32] seems to me the broker-exchange structure is inherently safer

I thought what I was saying was clear, I'll attempt to re-word it:

(a) If BTC-TC / Cryptostocks / MPEx is compromised people lose the BTC in their wallet on the exchange.  Any securities compromised can be restored by the site admins.
(b) If CoinBr is compromised people lose all their securities.  You claim zero liability, the trades happen on an exchange out of your control, so your clients are just shit out of luck.
(c) Keep in mind, we're talking asset exchanges, NOT currency exchanges.

Doing the math.  Where do you think the larger exposure is?

(a) A few BTC in a wallet?  Or;
(b) A person's entire portfolio of securities?

I'll leave ya be from here on out.  I don't think stirring the pot is going to help matters.  Best of luck with your brokerage.   Wink

Since the bitcoins can't be withdrawn without hacking also backend server, the portfolio can be rebuilt with small loss, MPEx is liquid enough for that. I am not going to bother MPEx asking to reverse transactions in this case. Maaaybe if the hacker does something utterly stupid like spend everything by buying some options and exercising them worthless, then maybe it will be possible to work together with MPEx to revert the txs, as this would be a much simpler case both for them to undo and for us to prove. We really don't see a need to draw some "what if" agreements with MPEx, rather prefer to focus on doing our stuff right and this will be plugged too, just it takes some time.
legendary
Activity: 1106
Merit: 1006
Lead Blockchain Developer
[05:19] mmm
[05:19] just use CPA oh wiat
[05:20] lol mpex has self-issued court immunity
[05:20] if that's not good enough i dunno what is.
[05:20] and I'm going to my tax directorate branch tomorrow, to get official acknowledgement that i'm doing imaginary trades
[05:20] only
[05:21] oh, can we have this immunity extended to coinbr?
[05:21] no.
[05:21] it's only for white background websites

lol.   Cheesy

Quote
[05:24] the argument is pretty retarded, "your honor, I thought jurov was a broker" "well... did you wire him money ?"
[05:24] "no, he wouldn't take money"
[05:24] "this makes sense"

It's common knowledge that bitcoin is a virtual commodity.  Brokers are not limited to trading cash.  Undecided

Quote
[05:29] oh and what if hacker sells all coinbr holdings? https://bitcointalksearch.org/topic/m.1367844
[05:30] o any mistakes you make are far harder to fix than if you were running your own exchange where you probably would eat a BTC loss out of the wallet but could easily revert to a previous backup.
[05:30] i cant even...
[05:31] so if i empty btct wallet, they'll just revert to previous backup, and all will be dandy
[05:32] why didn't i think of such?
[05:32] this is a bizzare argument
[05:32] seems to me the broker-exchange structure is inherently safer

I thought what I was saying was clear, I'll attempt to re-word it:

(a) If BTC-TC / Cryptostocks / MPEx is compromised people lose the BTC in their wallet on the exchange.  Any securities compromised can be restored by the site admins.
(b) If CoinBr is compromised people lose all their securities.  You claim zero liability, the trades happen on an exchange out of your control, so your clients are just shit out of luck.
(c) Keep in mind, we're talking asset exchanges, NOT currency exchanges.

Doing the math.  Where do you think the larger exposure is?

(a) A few BTC in a wallet?  Or;
(b) A person's entire portfolio of securities?



I'll leave ya be from here on out.  I don't think stirring the pot is going to help matters.  Best of luck with your brokerage.   Wink


legendary
Activity: 1106
Merit: 1006
Lead Blockchain Developer
I was worried about that.  Quoting that page:

Quote
Warning: This MPExAgent version does not support any authentication! Anyone who has access to the listening port, can freely issue MPEx commands in your name. Try it only behind firewall. Patches to support HTTP authentication (should not be hard to add, twisted supports it) or other means are welcome.

If anyone gets CLI on your box all of your brokerage's shares are pwned.  Only hedge I see against this would be some kind of agreement from MPEx to roll back trades if that situation were to occur.  Do you have such an agreement?
I know what is lacking and am honest about it, but this is not a big issue. The frontend (webserver) attacker would be able to only trade, not push or withdraw anything (MPExAgent does not support these functions at all). So possible damage for this attack vector is limited. The connection to backend is protected by VPN and backend server itself is highly secured with minimal services running. And it will not stay like this forever, it is being continuously improved. BTW, I am also owner of simpleshell.com , which is running for several years already with minimal maintenance and no major problems, something unheard of for linux shell server.

TBH, when I was initially asking, I was kind of hoping you were going to say that you were manually processing the orders.

I'm going to have to disagree with how big an issue it is.  The hacker doesn't have to benefit for it to be a huge blow to CoinBr.  All the hacker has to do is sell off all of your holdings and you're in trouble.  (you have to buy them back at potentially painful prices to cover your users)  A huge part of the problem is that you're not the authority on who owns what, MPEx is.  So any mistakes you make are far harder to fix than if you were running your own exchange where you probably would eat a BTC loss out of the wallet but could easily revert to a previous backup.

For being honest about it, thank you.  I suspect you're going to need to setup your backend to not trust your frontend, maybe the backend can verify orders on a per-user basis using a hash of the users auth data or something similar?  I see lots of coding in your future.  Wink

Cheers.

sr. member
Activity: 340
Merit: 250
GO http://bitcointa.lk !!! My new nick: jurov
I was worried about that.  Quoting that page:

Quote
Warning: This MPExAgent version does not support any authentication! Anyone who has access to the listening port, can freely issue MPEx commands in your name. Try it only behind firewall. Patches to support HTTP authentication (should not be hard to add, twisted supports it) or other means are welcome.

If anyone gets CLI on your box all of your brokerage's shares are pwned.  Only hedge I see against this would be some kind of agreement from MPEx to roll back trades if that situation were to occur.  Do you have such an agreement?
I know what is lacking and am honest about it, but this is not a big issue. The frontend (webserver) attacker would be able to only trade, not push or withdraw anything (MPExAgent does not support these functions at all). So possible damage for this attack vector is limited. The connection to backend is protected by VPN and backend server itself is highly secured with minimal services running. And it will not stay like this forever, it is being continuously improved. BTW, I am also owner of simpleshell.com , which is running for several years already with minimal maintenance and no major problems, something unheard of for linux shell server.
legendary
Activity: 1106
Merit: 1006
Lead Blockchain Developer
GPG key is stored on backend servers (one at the moment, there will be more soon for higher availability) that are physically safely located - not even colocated, they don't need very fast connection. Passphrase is held in memory and must be entered by hand when server starts. The software used is open source.

I was worried about that.  Quoting that page:

Thank you both for inquisitive questions. I'm looking forward to you requesting such transparency from other exchanges or MPEx brokers/passthrough operators.

Absolutely.

Cheers.
sr. member
Activity: 340
Merit: 250
GO http://bitcointa.lk !!! My new nick: jurov
I'm considering using CoinBr to trade MPEx assets.

Can you walk me through the trade process between CoinBr and MPEx?

IE, I place an order.  What steps does CoinBr take to execute that order?  Details please.

Thanks!

I think this has enough details:
At the moment, order is placed immediately when you click "Save". (It may be shown in "Queued" state but it means it waits for next STAT call to process further.) You can GPG-verify the receipt on the order detail page that it was placed exactly with the same parameters as you requested. Maybe later it will be necessary to really queue orders before submitting to MPEx to improve latency, but we'll always strive to place them asap.
It is not.  I read the thread before posting, thanks.

Details.  Please.  Where is the GPG key stored?  Where does the passphrase come from?  If you want users to trust the platform, you're going to have to be a little more transparent.

Cheers.

GPG key is stored on backend servers (one at the moment, there will be more soon for higher availability) that are physically safely located - not even colocated, they don't need very fast connection. Passphrase is held in memory and must be entered by hand when server starts. The software used is open source.

If I use such a broker, will assets formally be issued to me, or to the broker?
The assets are yours, by all definitions broker is someone who only facilitates the trade.

I guess that MPex will GPG sign that the asset was issued to the broker, so if the broker goes broke, do I have a problem?
I described the precautions in this thread already. MPEx issues GPG signed message - receipt that an asset was bought/sold and CoinBr makes the receipt immediately available to you on order page - like in the screenshot. (It will be also sent by email, this is under development, together with GPG-signed daily account statements). It can be used as a proof that this trade was done on your behalf.

We use CoinBr MPEx account exclusively for client's transactions, and if client goes broke it only affects his account in CoinBr database, nobody else. For speculation (like the loans I took) and testing different personal account is used.

Thank you both for inquisitive questions. I'm looking forward to you requesting such transparency from other exchanges or MPEx brokers/passthrough operators.
legendary
Activity: 1106
Merit: 1006
Lead Blockchain Developer
I'm considering using CoinBr to trade MPEx assets.

Can you walk me through the trade process between CoinBr and MPEx?

IE, I place an order.  What steps does CoinBr take to execute that order?  Details please.

Thanks!

I think this has enough details:
At the moment, order is placed immediately when you click "Save". (It may be shown in "Queued" state but it means it waits for next STAT call to process further.) You can GPG-verify the receipt on the order detail page that it was placed exactly with the same parameters as you requested. Maybe later it will be necessary to really queue orders before submitting to MPEx to improve latency, but we'll always strive to place them asap.

It is not.  I read the thread before posting, thanks.

Details.  Please.  Where is the GPG key stored?  Where does the passphrase come from?  If you want users to trust the platform, you're going to have to be a little more transparent.

Cheers.

sr. member
Activity: 340
Merit: 250
GO http://bitcointa.lk !!! My new nick: jurov
I'm considering using CoinBr to trade MPEx assets.

Can you walk me through the trade process between CoinBr and MPEx?

IE, I place an order.  What steps does CoinBr take to execute that order?  Details please.

Thanks!

I think this has enough details:
At the moment, order is placed immediately when you click "Save". (It may be shown in "Queued" state but it means it waits for next STAT call to process further.) You can GPG-verify the receipt on the order detail page that it was placed exactly with the same parameters as you requested. Maybe later it will be necessary to really queue orders before submitting to MPEx to improve latency, but we'll always strive to place them asap.
hero member
Activity: 547
Merit: 500
Decor in numeris
If I use such a broker, will assets formally be issued to me, or to the broker?

I guess that MPex will GPG sign that the asset was issued to the broker, so if the broker goes broke, do I have a problem?
legendary
Activity: 1106
Merit: 1006
Lead Blockchain Developer
You know, irc won't bite.

A lot of the irc servers have policy against publicly quoting the conversation logs.  I don't like that very much.  What is freenode's policy?

Cheers.
hero member
Activity: 756
Merit: 522
You know, irc won't bite.
legendary
Activity: 1106
Merit: 1006
Lead Blockchain Developer
I'm considering using CoinBr to trade MPEx assets.

Can you walk me through the trade process between CoinBr and MPEx?

IE, I place an order.  What steps does CoinBr take to execute that order?  Details please.

Thanks!
sr. member
Activity: 340
Merit: 250
GO http://bitcointa.lk !!! My new nick: jurov
Password reset function is now available, 2FA for withdrawals is next. We plan to provide two methods:
  • BTC address sign message (same as password reset)
  • HMAC, most likely Google Authenticator - preferable if you have offline wallet backup and want to keep its usage to minimum.
hero member
Activity: 756
Merit: 522
Currently supported operations:

There doesn't currently appear to be any way to change my password when logged in.   Sometimes minimally viable product site builders will say that functionality exists through the "forgot my password" / reset capability but I don't see that capability either.

Also, there is no multi-factor authentication option for login.

Or more importantly, there is no way to require multi-factor authentication for withdrawal:

A plea to exchanges ... lets do 2 factor right!
 - https://bitcointalksearch.org/topic/a-plea-to-exchanges-lets-do-2-factor-right-109424
Thanks for feedback.

The project focused to start with most often used functions, which, hopefully, password reset isn't. The form for that, using "sign message" function of the bitcoin address you have provided on registration is fully specified and will be done. Until that time, in case the need arises, we can resort to using GPG encrypted e-mail or similar method.

As for two factor authentication, we agree it is important and can't even think to go out of beta without it. The withdrawal form already has some weak protection by one-time token and by the time the withdrawal is processed (while the balance is subtracted immediately, so user has some time to react). We still aren't decided which method to implement with our limited budget - even the thread you recommend did not agree on best way how to do it. It discusses mostly browser session hijacking, against which the browsers are increasingly patched, but not phishing or hacking GMail account.

One poor man's solution to the 2fa problem might be something stolen from gribble: if a withdrawal over a set amount is requested, user receives via email a challenge, which is a gpg string they have to decode. If the user fails to respond with the correct string the withdrawal isn't processed. Maybe have these expire in a set interval (24 - 48 hours?), and also allow the user himself to set the trigger amount (and don't display it anywhere on the user pages, so an attacker can't learn it).
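
The e-mail challenge proposed in the post above, sketched as an added example (not CoinBR's code and not part of the original thread). It assumes the nonce would be GPG-encrypted to the user's key before mailing, which is left out here; `WithdrawalGate`, its method names, the 24-hour lifetime and the attempt limit are hypothetical.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from decimal import Decimal

CHALLENGE_TTL = 24 * 3600  # seconds; assumption, the post suggests 24-48 hours
MAX_ATTEMPTS = 3           # assumption: wrong answers allowed before the request is dropped

# Shown to the web session for every request, above or below the trigger amount,
# so someone holding the session cannot probe where the secret threshold lies.
PUBLIC_REPLY = "Withdrawal request received; it will be processed manually."


def digest(text: str) -> bytes:
    return hashlib.sha256(text.encode()).digest()


@dataclass
class Pending:
    user: str
    amount: Decimal
    address: str
    nonce_hash: bytes      # only the hash is kept; the nonce itself leaves by e-mail
    expires_at: float
    attempts_left: int = MAX_ATTEMPTS


class WithdrawalGate:
    def __init__(self, thresholds, now=time.time):
        self.thresholds = thresholds   # user -> Decimal trigger amount, never rendered on a page
        self.pending = {}              # request_id -> Pending
        self.now = now                 # injectable clock

    def request(self, user, amount, address):
        """Return (internal_status, request_id, nonce) for the operator side."""
        amount = Decimal(amount)
        if amount <= self.thresholds[user]:
            return "approved", None, None
        request_id = secrets.token_hex(8)
        nonce = secrets.token_urlsafe(24)
        self.pending[request_id] = Pending(
            user, amount, address, digest(nonce), self.now() + CHALLENGE_TTL)
        # The caller would GPG-encrypt `nonce` to the user's key and mail it.
        return "challenge_sent", request_id, nonce

    def confirm(self, user, request_id, response):
        """Check the decoded string the user sends back."""
        entry = self.pending.get(request_id)
        if entry is None or entry.user != user:
            return "rejected"
        if self.now() > entry.expires_at:
            del self.pending[request_id]
            return "expired"
        if hmac.compare_digest(digest(response), entry.nonce_hash):
            del self.pending[request_id]   # single use
            return "approved"
        entry.attempts_left -= 1
        if entry.attempts_left <= 0:
            del self.pending[request_id]   # stop guessing against one challenge
        return "rejected"
```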
sr. member
Activity: 340
Merit: 250
GO http://bitcointa.lk !!! My new nick: jurov
Currently supported operations:

There doesn't currently appear to be any way to change my password when logged in.   Sometimes minimally viable product site builders will say that functionality exists through the "forgot my password" / reset capability but I don't see that capability either.

Also, there is no multi-factor authentication option for login.

Or more importantly, there is no way to require multi-factor authentication for withdrawal:

A plea to exchanges ... lets do 2 factor right!
 - https://bitcointalksearch.org/topic/a-plea-to-exchanges-lets-do-2-factor-right-109424
Thanks for feedback.

The project focused to start with most often used functions, which, hopefully, password reset isn't. The form for that, using "sign message" function of the bitcoin address you have provided on registration is fully specified and will be done. Until that time, in case the need arises, we can resort to using GPG encrypted e-mail or similar method.

As for two factor authentication, we agree it is important and can't even think to go out of beta without it. The withdrawal form already has some weak protection by one-time token and by the time the withdrawal is processed (while the balance is subtracted immediately, so user has some time to react). We still aren't decided which method to implement with our limited budget - even the thread you recommend did not agree on best way how to do it. It discusses mostly browser session hijacking, against which the browsers are increasingly patched, but not phishing or hacking GMail account.
legendary
Activity: 2506
Merit: 1010
Currently supported operations:

There doesn't currently appear to be any way to change my password when logged in.   Sometimes minimally viable product site builders will say that functionality exists through the "forgot my password" / reset capability but I don't see that capability either.

Also, there is no multi-factor authentication option for login.

Or more importantly, there is no way to require multi-factor authentication for withdrawal:

A plea to exchanges ... lets do 2 factor right!
 - https://bitcointalksearch.org/topic/a-plea-to-exchanges-lets-do-2-factor-right-109424
member
Activity: 104
Merit: 10
Bitcoin Credit Ratings

This thread has received a B- rating.

OP provides good explanations, and probably won't run away with your coins. Good business plan.

Damn I was looking for A++ I guess I'll keep looking... Tongue
sr. member
Activity: 350
Merit: 250
hero member
Activity: 756
Merit: 522
What are bitcoin credit ratings (and who are you again)?
vip
Activity: 1316
Merit: 1043
👻
Bitcoin Credit Ratings

This thread has received a B- rating.

OP provides good explanations, and probably won't run away with your coins. Good business plan.
sr. member
Activity: 340
Merit: 250
GO http://bitcointa.lk !!! My new nick: jurov
A few questions:

Funding page says it may be delayed up to 48 hours, why is this and are any risks associated with this process?
The funding is processed manually for technical reasons. MPEx does not provide any explicit feedback when the bitcoins arrive in the account, only implicitly that the balance changed (it may have changed for any other reason). Moreover, if users fund their account indirectly via CoinBr, it may be necessary to move the funds to MPEx first.

Do funds remain on your system, how are they protected? Will you be acquiring deposit insurance or limiting liquid funds/transfers?
For direct deposits, this is a non-issue. For funding via CoinBr, funds are moved to the MPEx account as soon as any significant amount gathers in the wallet, so that sufficient liquidity is ensured at all times even if all users decide to place buy orders all at once.

What is the flow for an MPEx order through your site? Please include information on how the BTC flows as well as the order requests and confirmation.
At the moment, the order is placed immediately when you click "Save". (It may be shown in the "Queued" state, but that means it is waiting for the next STAT call to be processed further.) You can GPG-verify the receipt on the order detail page to confirm that it was placed with exactly the same parameters as you requested. Maybe later it will be necessary to really queue orders before submitting to MPEx to improve latency, but we'll always strive to place them asap.

Will I have my MPEx assets in a usable format if your brokerage closes? How about any BTC in my account?
We will either pay out to the BTC address you provided on registration or move all assets to another broker. If the closing is catastrophic and CoinBr is completely defunct (unlikely, there are continuously updated database backups in multiple physical locations), you will still have MPEx receipts that allow for reconstruction of your account. Sending them also by email is under development.

Do you have any securities trading experience or licenses? Am I exposing myself to yet another legal headache, or are you?
I cooperate with people who do have the experience and, as stated on the about page, we're open to working together with more people from the community. We can hardly ask for any licenses when MPEx itself is strictly against regulation. You don't expose yourself to a bigger legal headache than, for example, when downloading "pirated" intellectual property or playing in an unlicensed online casino like SatoshiDICE. Unless you plan to hand yourself in, like Nefario did.

You are not asking for any AML/KYC information, have you determined that this is not needed? Have you talked to a lawyer?
We're aligned with MPEx's opinion that Bitcoin (and any securities based on it) is akin to virtual game money and is thus exempt from regulation at the moment. Should any government use irrational suppressive measures, we plan to react similarly to MPEx, too.

Do you accept unlimited liability for clients account holdings?
We assume no liability beyond one implied by law.
hero member
Activity: 532
Merit: 500
A few questions:

Funding page says it may be delayed up to 48 hours, why is this and are any risks associated with this process?

Do funds remain on your system, how are they protected? Will you be acquiring deposit insurance or limiting liquid funds/transfers?

What is the flow for an MPEx order through your site? Please include information on how the BTC flows as well as the order requests and confirmation.

Will I have my MPEx assets in a usable format if your brokerage closes? How about any BTC in my account?

Do you have any securities trading experience or licenses? Am I exposing myself to yet another legal headache, or are you?

You are not asking for any AML/KYC information, have you determined that this is not needed? Have you talked to a lawyer?

Also should ask,

Do you accept unlimited liability for clients account holdings?
sr. member
Activity: 350
Merit: 250
A few questions:

Funding page says it may be delayed up to 48 hours, why is this and are any risks associated with this process?

Do funds remain on your system, how are they protected? Will you be acquiring deposit insurance or limiting liquid funds/transfers?

What is the flow for an MPEx order through your site? Please include information on how the BTC flows as well as the order requests and confirmation.

Will I have my MPEx assets in a usable format if your brokerage closes? How about any BTC in my account?

Do you have any securities trading experience or licenses? Am I exposing myself to yet another legal headache, or are you?

You are not asking for any AML/KYC information, have you determined that this is not needed? Have you talked to a lawyer?
sr. member
Activity: 340
Merit: 250
GO http://bitcointa.lk !!! My new nick: jurov
https://coinbr.com allows everyone to trade on MPEx without creating an MPEx account. Currently supported operations:

  • Placing Buy/Sell orders
  • Receiving dividends
  • Option exercises
  • BTC Funding*/Withdrawal** of any amount

All orders have signed MPEx receipts attached and there is detailed transaction/balance history available. Moreover, CoinBr offers referrals - you can earn commissions from trades of people you invite. More information on our page.

NEW (February 1, 2013): Double factor authorization for withdrawals, choice possible between Google Authenticator (Google account not necessary) and bitcoin signatures.

If you already have an MPEx account, you may be interested in our MPEx parser/JSONRPC proxy source code.

* Initial funding must be at least 1 BTC to unlock trading/referral functions.
** You can withdraw any amount, but withdrawal fee is to be considered.