Binance Bots — A Roadmap for the Future8th September 2018
Those of you who follow me know that I’m the founder of HodlBot. We built an easy way to diversify your cryptocurrency portfolio across the top 20 coins by market cap. Right now, our platform works on top of Binance’s API.
So I was very disappointed to read that Binance had warned users “to not give any third-party service providers access to your personal API key” in an official announcement regarding the SYS incident
This kind of unilateral statement punishes both negligent trading bots as well as security conscious ones like ours.
I can understand why Binance has been unsupportive of commercial trading bots. The more people who use 3rd party bots, the more likely one will be compromised (some may even be a scam). When API keys are compromised and an attack happens, it’s not the bot that gets plastered all over the news. It’s Binance’s brand and reputation that gets put on the line.
At the same time, Binance bots are not going away anytime soon. Trading bots serve an obvious need and traders want to use them. On top of that, it’s almost impossible for Binance to distinguish whether API keys are being used by users individually or by a 3rd party bot.
Instead of condemning trading bots and turning a blind eye to them, which does absolutely nothing, Binance should look to support them by launching their own OAuth client. In doing so, Binance can actually improve trading security and mitigate the risk of future API mishaps.
What is OAuth?
OAuth is an open standard for access delegation. It’s commonly used for signing into applications via another application. I.e. logging into Spotify with your Facebook account.
You can also use OAuth to request permission to create or modify data across applications. I.e. A 3rd party application that requests for your permission to post a status on Facebook.
Why Binance should implement its own OAuth Client
Binance can screen companies that apply for access to its OAuth Client
In order to unlock this feature, trading bots would first need to obtain OAuth credentials from Binance.
Binance can use this as an opportunity to establish themselves as gatekeepers and only allow bots with legitimate business practices, responsible teams, and strong security practices to be eligible.
OAuth provides a better user experience for trading bot end-users
Trading bots with a Binance OAuth integration will have a significant competitive advantage over those who don’t.
As the founder of HodlBot, I can assure you that the highest point of friction is when a user has to create, and then copy & paste their private API keys over to the bot. Not only is this tedious for the user, it’s also a bit intimidating.
With OAuth, Binance could easily just ask “will you give this bot permission to execute trades on your behalf?”.
Trading bots can stop holding onto API Keys
Once trading bots can simply request for permissions through Binance, there’s no need to hold onto user API keys. This eliminates the risk of having users’ private keys compromised from 3rd party databases.
At HodlBot we encrypt API keys with a cryptographically secure function, but not all bots do this.
OAuth provides flexible permission mechanics
While there are no API keys to hack, the entire application could theoretically be compromised.
As an option, Binance could allow users to preview a list of requested trades that they can either approve or dismiss.
Obviously, there’s a big trade-off between security and convenience here. But the users, themselves, should be able to make that call.
There are a few users using HodlBot right now that manually disable and re-enable trade-access. Flexible permissions would make this process a lot smoother.
Better than the status quo
What I proposed would certainly take a decent chunk of work. But a large company like Binance that made over $200M in profits this quarter, can certainly spare the resources.
If Binance decides to do nothing
As long as trading bots continue to solve a real problem, people will use them. And as long as a few trading bots continue to be irresponsible or malicious, API keys will get compromised. When future attacks happen, the media will point their finger at Binance, regardless if they are actually at fault. It’s not good for Binance and it’s not good for their end-users
If Binance cracks down on 3rd party bots
It’s virtually impossible to separate API personal use vs. API used by a 3rd party. It would take significant resources & some serious machine learning chops to come up with something half-decent.
Let’s say, theoretically they could do it. Shutting down 3rd party trading bots shuts down a ton of trading volume & liquidity on Binance. It also lowers their own revenue. It’s not good for Binance, it’s not good for end-users, and it’s not good for trading bots.
Win for Users, Win for Binance, Win for Trading Bots
Rolling out OAuth would improve trading bot security and reduce friction in the user experience, making both trading bots and their end-users happy.
A healthy ecosystem of trading bots built around Binance’s API is a win for Binance as well since they stand to make more revenue via trading volume.
Having a healthy number of developers building tools on top of your API is almost always a good sign, and could turn into an aspect of long-term defensibility for Binance.
Tweet this article cz_binance if you agree!
About the Author
I quit my job recently to start HodlBot.
We automatically diversify and rebalance your cryptocurrency portfolio into the top 20 coins by market cap. Think of it as a long-term crypto-index that you can DIY on your own exchange account.
If you don’t want to index, you can also create a custom portfolio and let HodlBot rebalance it for you.
To get started all you need is a
- Binance Account
- $200 in any cryptocurrency
If you want to know how HodlBot indexes the market and completes rebalancing, check out the blog I wrote here.
Binance Bots — A Roadmap for the Future was originally published in Hacker Noon on Medium, where people are continuing the conversation by highlighting and responding to this story.