using open source software is never about "you" personally having the skills to review it.
Actually.. in this case, where one wants to build an exchange.. it is.
Either you or some paid security expert has to review it.
well, every project starts from somewhere. bitcoin wasn't this trusted or even secure when it first came out. bitcoin-QT (now known as bitcoin-core) had many bugs in it and after years of reviewing they got fixed. and at first there weren't really that many even looking at the code!
the point of open source is that the source is open for everyone to see, and if the project is popular enough you can be sure that others have reviewed it, especially if it is sensitive and deals with lots of money, and then you can trust it doesn't have any backdoors.
Just because some open-source exchange doesn't have a sendPrivatekeysToServer() function, it doesn't mean that there is no backdoor.
Do you think you (or one of the 100 others who liked/forked such an open-source exchange) have an excellent clue about IT security?
Do you really think they would find a vulnerability which has been placed on purpose?
we can't put aside open source (decentralized) exchanges just because of a possibility of them not being reviewed by experts at first. the alternative is closed-source centralized exchanges that are getting hacked every day!
I mean.. hell.. OpenSSL has been reviewed by countless people.. still it took more than 3 years to find heartbleed.
One of the most obvious vulnerabilities (after the discovery).
Some well-hidden vulnerability definitely won't be found by some simple code reviews.
now that is a different discussion. there is a difference between having a bug (which is normal, and literally any code that has ever been written has them) and [intentional] backdoors put in the code with malicious intent.
The other question is.. why open-source an exchange if you can earn multiple 100k dollars with it when done right (not talking about running an exchange, but selling the software)?
What's their business model? Giving away valuable software for free because why not?
such projects usually work on donations, fundraising, ... and remain open. and generally speaking the open source community doesn't work for money and is the contribution of many developers to one project.
i'd personally donate a good amount to a decentralized open source exchange if i can find a good one not to mention i would contribute to the code itself as i have done to many other open source projects.