I don't know if this is a typo. But you need to replace one letter
It was not a typo before the recent display name change from eXch.cc to eXch, because the 'eXch.cc' was always our username so it was correct, since the first link actually leads to our Bitcointalk profile.
It became a typo a week ago after the display name change.
I have a question about lightning
I see you need "Zero-amount invoices only"
I am using Aqua wallet, which has LN integrated. The minimum invoice is 1000 sats.
Will my 1000 sats invoice work?
Sorry if it is a dumb question, I have little experience with LN.
There are no dumb questions.
I am personally not aware of how Aqua wallet works since I never used it, but if you provide me with the invoice I can look it up and help you.
I recommend creating a support ticket directly with us where we provide dedicated related to LN even when the issue is not related to our exchange (free of charge), since LN is still very fresh and there are many issues, but we like the tech behind it and would like to contribute to its popularization.
I have two follow up questions.
1. If my order becomes a backorder, will eXch use the exchange rate applicable at the time the reserves fill up and my order gets processed or the rate from when my deposit transaction confirmed? I am pretty sure it's the former, but let's see.
2. What are the possible reasons why a backorder gets refunded from your side? Is it fee related? If I began the exchange at a time when the mining fees for the coin I wanted were low, but then they doubled, would eXch process the order, request more for mining fees, or return the initial deposit?
I checked your FAQ section, but it doesn't mention any of this regarding backorders you just discussed. Perhaps you should add it, so your clients know such an option exists.
1. It's the former.
2. One example I could think of is when a backorder is too big and remains too long on sight we may just revert it to REFUND REQUEST. Let's say the backorder is asking for 50000 XMR. This would take for us at least 2-3 days to fulfill (if not more) and it will also make our 'Reserves' tab to show "0" if our overall balance is below 50000 XMR, since the backordered amount also affects our available reserve. This is the only reason why we ever force-refunded such orders. In regards to mining fees - we never change order details after a deposit confirmation independently of the conditions. If they doubled - we will still proceed with the payout. We also don't let the backorders remain for too long as we usually try to acquire external liquidity for them in order to execute them as fast as possible.
Thank you for the suggestion on adding it to FAQ, it's very likely we will do so.
This is mainly why we have the message "You can start exchange without calculating and send any amount (calculation will be performed on receipt)" right to the "Exchange" button.
Since the Reserves are shown on the same page, I didn't expect this functionality when there are no reserves left.
I checked your FAQ section, but it doesn't mention any of this regarding backorders you just discussed. Perhaps you should add it, so your clients know such an option exists.
I was going to suggest the same thing
Yeah, it's indeed very unobvious for now. We have many things to improve.
Have there been any cases of USDT wallet blocking by the issuer (Tether) after an exchange on your exchange?
No.
What guarantees do you give when exchanging my BTC for your USDT?
Nobody can guarantee that and I recommend using DAI if you need such a guarantee. However, as long as we are a project that operates in a legal scope and, say, not darknet, we are fine with Tether as well as the funds coming from our address. Tether is also well-aware of our exchange.
Also a good answer here by bitmover in that regard:
https://bitcointalksearch.org/topic/m.63792374
What will happen if someone sends stolen money to this USDT ETH address, and then it goes to the client from this address?
The client will receive clean funds from an entity called 'eXch' which is tagged as a centralized exchange by most address categorization engines.
Ethereum is a non-UTXO system and there is no way to tell which exactly part of the previously received funds is being sent forward. Chain analysis systems determine the clean/dirty ratio of an Ethereum address by the percentage of incoming funds and their origin. Our clean ratio is above 50%.
in my opinion, there is a greater chance of getting depeg dai than a random usdt block (for the previous owners of these usdts)
DAI has passed many depeg stress tests successfully already. It has proven itself as a very reliable stablecoin for last years. As for USDT blocks - they happen on a weekly basis. Please check this Twitter: @usdtblacklist
Our domain exch.cx was suspended by Lyubomir Gyundzhiev from Key-Systems who misread our abuse report resulting into suspension of the victim's domain instead of attacker's.
The new domain is not working.
Not even an hour has passed since the new domain was announced, and yet a DDoS attack? really?
502 Bad Gateway
The server returned an invalid or incomplete response.
It's most probably our service is currently under a DDoS attack.
exch.cx is now redirecting to exch.pw. I guess the issue is close to being solved. However, the Bad Gateway error remains here. Seems to be fixed as of 20h UTC. The redirect to exch.pw however remains.
There were some misconfigurations on our front-end servers that were fixed later. That day was pretty busy for us and everything was done with some significant delay.
Will you also create a vanity .onion name? Something that's easy to remember (partially) and very hard to reproduce. I think the way to do this is generate many vanity .onion domains, and hand-pick one that has "something extra" that rolls off the tongue nicely.
We thought about that, but the efficiency and usefulness of such an address is very questionable.
Having a vanity address won't protect from phishing independently of the invested power to generate it.
Standard security practices for remembering and visiting HSv3 appeal against relying on vanity-generated addresses or their recognizability. During Tor's transition to HSv3 addresses, this topic was widely discussed across Tor Project's discussion boards in regards to the new address format's increased exposure to phishing. Since we have an easily rememberable clearnet domain which lists our valid .onion, we see no reason to use sources other than our clearnet website and maybe this Bitcointalk thread to get the correct .onion.
Moreover, our clearnet website doesn't block Tor like most other projects out there so there is absolutely nothing that would prevent a Tor user from visiting our clearnet domain to get the .onion address. Additionally, there is KycNotMe - a project that is now considered to be the main anti-phishing directory for crypto-related services. Even the DarkNetBible - something that many DNM and Tor users consider a "holy" manual for using Tor - stopped listing crypto-related services and now directly recommends OrangeFren and KycNotMe only.
Given all this, it's a mystery to me how people still manage to get phished given that our genuine .onion is findable in 1 click from many legitimate sources, including our website.
We are also glad to inform you that our latest app's release (1.2.0) makes it possible to set reserve notifications and alerts, so there is no more need to check our website for certain coins reserve updates manually.
Wouldn't it be better to automate the reserve refill so that the balance is refilled every hour or two instead of doing it manually? This will be easier, as if I find that the DAI reserve is zero, this means that I need to wait for the next hour to find that the balance has been refilled.
Stablecoin refills are already automated via Thorchain, but there are people who constantly check our XMR reserves manually and it's not something we currently automate so app users makes it easy for people who look for XMR reserves to appear.
Any updates or estimates for adding Liquid network assets (L-BTC and L-USDT)?
Not yet.
Will you also create a vanity .onion name? Something that's easy to remember (partially) and very hard to reproduce. I think the way to do this is generate many vanity .onion domains, and hand-pick one that has "something extra" that rolls off the tongue nicely.
That's a good idea.
This could make it much harder for scammers to trick users with fake onion links.
Not at all - if you check some mixers who had/have vanity generated addresses, they were/are targeted even more with vanity-generated phishing. Phishing by typosquatting is something much more effective than email spam nowadays.
Let's say we manage to generate this address:
exchcxxxxxxxxxxxxxxxxxvjvmnwj33g4wviuxqzq47emieaxjaxxxxx.onion
It will still be overplayed with typosquatted addresses in the following example:
exchccxxxxxxxxxxxxxxxxvjvmnwj33g4wviuxqzq47emieaxjaxxxxx.onion
exchccxxxxxxxxxxxxxxxvxjvmnwj33g4wviuxqzq47emieaxjaxxxxx.onion
exchxxxxxxxxxxxxxxxxxxvjvmnwj33g4wviuxqzq47emieaxjaxxxxx.onion
exchxxxxxxxxxxxxxxxxnwj3vjvmnwj33g4wviuxqzq47emieacxxxxx.onion
exchxcxxxxxxxxxxxxxxnwj3vjvmnwj33g4wviuxqzq47emieacxxxxx.onion
exxchvvxxxnxxxxxxxxxnwj3vjvmnwj33g4wviuxqzq47emieacxxxxx.onion
exchcccxxxxxxxxxxxxxnwj3vjvmnwj33g4wviuxqzq47emieacxxxxx.onion
and so on...
Phishing is a very tricky business and will always be there for any resource doing money transfers. It targets people who have bad personal security practices. Just in the same way Ethereum-alike address/transaction poisoning works to expect an uncareful user to copy the destination address from his last transaction history which turned to work pretty efficiently and there were millions stolen already this way. Nobody can be blamed here but users themselves.
While people simply "doing it wrong" by copying .onion addresses from random sites and not official ones, it will always be their problem and we are refusing to take any responsibility for their actions.
Also note that it's absolutely nowhere we stated that we are an .onion-first exchange, since we operate in a legal space as an absolutely legal project with a registered company (unlike some scammers who lie about having company registered in Seychelles) and have a clearnet domain that doesn't block Tor users and doesn't use Cloudflare. Please just use it, including for a purpose of finding our .onion, since it's what clearnet sites exist for.
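An added example (not part of the thread and not eXch's code) of the point made in the post above: a matching vanity prefix and a valid HSv3 checksum both say nothing about authenticity, and only an exact match with the address pinned from the official source counts. The address encoding follows Tor's v3 format; the key bytes are constructed sample data and the function names are hypothetical.

```python
import base64
import hashlib

PREFIX = b".onion checksum"  # constant from the v3 address encoding
VERSION = b"\x03"

def _checksum(pubkey: bytes) -> bytes:
    return hashlib.sha3_256(PREFIX + pubkey + VERSION).digest()[:2]

def encode_v3(pubkey: bytes) -> str:
    """Encode 32 public-key bytes as base32(pubkey | checksum | version)."""
    raw = pubkey + _checksum(pubkey) + VERSION
    return base64.b32encode(raw).decode().lower() + ".onion"

def is_valid_v3(address: str) -> bool:
    """Structural check only: length, version byte and checksum."""
    host = address.lower()
    host = host[:-6] if host.endswith(".onion") else host
    if len(host) != 56:
        return False
    try:
        raw = base64.b32decode(host.upper())
    except ValueError:
        return False
    return raw[34:] == VERSION and raw[32:34] == _checksum(raw[:32])

def shared_lead(a: str, b: str) -> int:
    """Count identical leading characters, i.e. what a skimming reader checks."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n

def verdict(candidate: str, pinned: str) -> str:
    """Accept only an exact match with the pinned address."""
    if candidate.strip().lower() == pinned.lower():
        return "match"
    return "lookalike" if shared_lead(candidate.lower(), pinned) >= 4 else "mismatch"

# Constructed sample bytes, not real keys or real services.
PINNED = encode_v3(bytes(range(32)))
LOOKALIKE = encode_v3(bytes(range(31)) + b"\xff")  # differs only in the last key byte
TYPO = PINNED[:52] + ("a" if PINNED[52] != "a" else "b") + PINNED[53:]  # one character off

if __name__ == "__main__":
    for name, addr in [("pinned", PINNED), ("lookalike", LOOKALIKE), ("typo", TYPO)]:
        print(name, is_valid_v3(addr), shared_lead(addr, PINNED), verdict(addr, PINNED))
```

The checksum rejects the accidental typo, but the constructed lookalike is structurally valid and shares 49 leading characters with the pinned address, so only the full comparison rejects it.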
What do you think about having a small informative banner on your website about your official pages and domains?
There are significant upcoming changes in that regard, but it won't be done this way.
OK, you have such information in the footer, many people don't even get to the footer but go directly to the exchange process. I am convinced that it would be very useful to have some kind of warning at the top of the page.
Your fight against phishing sites has only just begun, the more you grow, the more people like Animesh Roy will appear.
The word "fight" itself doesn't scare us a little bit since this whole project is already some kind of fight itself, so we were prepared for it.
What in regards to your concerns to phishing becoming more frequent - I'll slightly disagree here.
This specific phishing campaign is not like others that existed in the past (even targeting other projects) or will exist in the future any time soon. You should understand that the amount of time and effort spent only to _prepare it_ are exorbitant.
If you check our recent article and dig a bit yourself, you will see that the phisher himself spent a whole 2023 year to only prepare this campaign and he had results only in the recent months. There is a LOT of work he has done worth far more than a salary of a full time programmer for a whole year. Phishers like this one are very rare from our experience and this guy literally just threw a year of his hard work to the bin by making us trace him, which took only 3-5 hours of investigation to catch this guy having all the recent data that he exposed about himself and his phishing operation and additional 2 hours to write an article.
From one side he looks quite skilled and creative, but from another side he is pretty dumb to spend so much time and money on something so easily traceable, because the most of his fruits were given by his clearnet domains, where everything is pretty much traceable.
I think who will fight there are phishers like Animesh themselves, in case after our disclosure someone else dares to do it of course, since we pretty much gave the sign to anyone who wishes to mess with eXch Security Team to think twice before doing so. For us it will always be a very quick task to track and expose them but for them it's for sure a lot of work to set up such an efficient scheme.
What in regards to some one-time low-effort phishing sites that will only exist within the Tor indexers and not beyond - not that we would care much about it since they are barely effective and people who generally want to use some link from them actually wish to get scammed, so we can't stop them from losing their money voluntarily. They existed before this specific phishing campaign already and will exist after and they are not something that will be on our radar. We are interested in efficient campaigns like this recent one and predict everyone who is behind one ending like that guy from India.
We also won't agree on the opinion that the phishing is a result of some mistakes of ours - they are not and there are none. Everything you need to not get phished is just to visit our clearnet site or this thread in order to add the correct .onion to your favorites. We also had a link to our Bitcointalk thread on our website from the very relaunch of our project. It's just some Tor users who often surf darknet under the influence of chemical substances in a hurry having 100+ tabs opened simultaneously end by getting scammed due to their own negligence and neither we nor anybody else can help them unfortunately. The guy who got scammed for 1 ETH was this kind of user exactly, but I'd rather not go into personalities.
Don't forget also that if we wouldn't expose this phishing campaign and start writing about it, nobody ever would even hear about it, since victims who got scammed managed to do it out of their very uncareful behaviour.
It's really very hard to get phished being an eXch user, given that we are a clearnet-first project and not some darknet site. The investigative report we published is not a sign of sympathy to phished users by the way, since as I explained before, it's *very* and again - *VERY* hard to even find and use a phishing copy of our .onion website.