CCXT Open Source Library Hides Rebate Mechanism Causing Controversy

Recently, the well-known open source quantitative trading library CCXT in the cryptocurrency field was exposed for hiding a controversial mechanism in its core code. By pre-setting rebate IDs, the software takes a portion of the exchange fee rebate income that should belong to the user without their knowledge.

This news has caused a huge stir in the crypto community, revealing not only the secret business models that may exist behind open source projects but also shocking many developers and trading teams who rely on its "free" convenience. This incident has prompted deep reflection on the trust foundation of open source software.

CCXT is a widely popular cryptocurrency trading software library that provides a unified interface for developers, traders, and financial analysts to connect and operate numerous cryptocurrency exchanges worldwide. The project was initiated by Igor Kroitor in 2016 and supports multiple programming languages, including JavaScript, Python, PHP, C#, and Go, greatly enhancing its applicability in different development environments.

By using CCXT, users can conduct market analysis, indicator development, algorithmic trading, strategy backtesting, and various other functionalities related to cryptocurrency trading. Currently, CCXT supports over 100 cryptocurrency exchanges, covering almost all mainstream trading platforms.

CCXT has over 36,000 stars on GitHub, demonstrating its wide application in the fields of quantitative trading and strategy trading. According to a report from a security company, the cumulative download count of CCXT on Python's official package manager PyPI has exceeded 93 million, reflecting that there is a large number of quantitative traders and development teams using this tool globally.

However, behind the widespread acclaim, CCXT has been exposed for having a hidden profit-making method. A blogger discovered that CCXT had added its own broker id in the source code of multiple exchanges, resulting in users unknowingly or without modification having most of their rebate fees siphoned off. The blogger claimed that approximately $15,000 was siphoned off in just two months across three exchanges.

After reviewing the Open Source code of CCXT, it was indeed found that the default brokerId parameters are pre-set in the adapters of several mainstream exchanges. Most of these parameters exist in a hard-coded form, and when users place orders directly using CCXT without explicitly setting or modifying the relevant options, these default broker Ids will be sent along with the request, attributing potential rebate fees to the accounts provided by CCXT.

This practice may have originated as early as 2018. Early on, CCXT offered a paid Pro subscription service, which later became free. In 2018, a user suggested adding an optional referral ID to support CCXT on Github, which the main maintainer welcomed. However, this seems to have marked the starting point for CCXT's profitability, as similar logic was later added to the code of most mainstream exchanges.

After the incident was exposed, the community had mixed reactions. Some users expressed support, believing that this practice goes against the Open Source spirit; others questioned this, arguing that as professional traders, one should not care about these transaction fee rebates, or that failing to notice and modify these settings while using open source code is the user's own problem.

As of now, the CCXT official has not responded to this matter, and its code continues to be updated daily but has not been modified in the relevant parts.

This event has sounded the alarm for all users: in the game-filled realm of cryptocurrency, it is essential to maintain necessary scrutiny and vigilance against any "free lunch," carefully examining every line of "trust" code, as it may be the most fundamental and critical line of defense for protecting one's rights. Because sometimes, the most expensive costs are precisely hidden beneath the guise of "free."