Binance Exchange

This blog was created by HodlBot — the world’s smartest cryptocurrency trading bot. HodlBot helps cryptocurrency investors automate portfolio creation, indexing, and rebalancing. HodlBot is currently available to users on Binance, Kraken, Bittrex, and KuCoin. It’s free to try for the first 7 days. Paid monthly subscriptions start at $3/month.

Credit to John Wu for this illustration

Those of you who follow me know that I’m the founder of HodlBot. We built an easy way to diversify your cryptocurrency portfolio across the top 20 coins by market cap. Right now, our platform works on top of Binance’s API.

So I was very disappointed to read that Binance had warned users “to not give any third-party service providers access to your personal API key” in an official announcement regarding the SYS incident.

This kind of unilateral statement punishes negligent trading bots and security-conscious ones like ours alike.

I can understand why Binance has been unsupportive of commercial trading bots. The more people who use 3rd party bots, the more likely one will be compromised (some may even be a scam). When API keys are compromised and an attack happens, it’s not the bot that gets plastered all over the news. It’s Binance’s brand and reputation that gets put on the line.

At the same time, Binance bots are not going away anytime soon. Trading bots serve an obvious need and traders want to use them. On top of that, it’s almost impossible for Binance to distinguish whether API keys are being used by users individually or by a 3rd party bot.

Instead of condemning trading bots and turning a blind eye to them, which does absolutely nothing, Binance should look to support them by launching their own OAuth client. In doing so, Binance can actually improve trading security and mitigate the risk of future API mishaps.

What is OAuth?

OAuth is an open standard for access delegation. It’s commonly used for signing into one application via another, e.g. logging into Spotify with your Facebook account.

Example of logging in via OAuth

You can also use OAuth to request permission to create or modify data across applications, e.g. a third-party application that requests your permission to post a status on Facebook.

Example of OAuth requesting for permissions

Why Binance should implement its own OAuth Client

Binance can screen companies that apply for access to its OAuth Client

In order to unlock this feature, trading bots would first need to obtain OAuth credentials from Binance.

Binance can use this as an opportunity to establish themselves as gatekeepers and only allow bots with legitimate business practices, responsible teams, and strong security practices to be eligible.

OAuth provides a better user experience for trading bot end-users

Trading bots with a Binance OAuth integration will have a significant competitive advantage over those who don’t.

As the founder of HodlBot, I can assure you that the highest point of friction is when a user has to create and then copy and paste their private API keys over to the bot. Not only is this tedious for the user, it’s also a bit intimidating.

With OAuth, Binance could simply ask “Will you give this bot permission to execute trades on your behalf?”

Trading bots can stop holding onto API Keys

Once trading bots can simply request permissions through Binance, there’s no need to hold onto user API keys. This eliminates the risk of users’ private keys being compromised from third-party databases.

At HodlBot we encrypt API keys with a cryptographically secure function, but not all bots do this.

OAuth provides flexible permission mechanics

While there are no API keys to hack, the entire application could theoretically be compromised.

As an option, Binance could allow users to preview a list of requested trades that they can either approve or dismiss.

Obviously, there’s a big trade-off between security and convenience here. But the users themselves should be able to make that call.

There are a few users of HodlBot right now who manually disable and re-enable trade access. Flexible permissions would make this process a lot smoother.
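The following Python sketch is an added example, not HodlBot’s or Binance’s code, illustrating the delegation model described in the “What is OAuth?”, “Trading bots can stop holding onto API Keys” and “flexible permission mechanics” sections: a toy exchange acting as both OAuth authorization server and resource server, a screened and registered bot client, user-approved scopes, single-use authorization codes, and short-lived tokens that can be revoked without rotating any API key. (In OAuth terminology the exchange is the authorization server or provider and the bot is the client.) The scope names `read` and `trade`, the `ExampleBot` client, the `alice` account, its balance and the TTL values are all constructed assumptions for the example.

```python
import secrets
import time


class ScopeError(Exception):
    """Raised when a token does not carry the scope an endpoint requires."""


class Exchange:
    """Toy exchange acting as OAuth authorization server and resource server.

    Constructed example, not Binance's API. The bot (client) never receives the
    user's exchange API key; it gets a short-lived, scoped, revocable token.
    """

    CODE_TTL = 60      # authorization codes are single-use and short-lived (seconds)
    TOKEN_TTL = 3600   # access tokens expire; a real server would add refresh tokens

    def __init__(self, clock=time.time):
        self.clock = clock            # injectable so expiry can be exercised offline
        self.clients = {}             # client_id -> {"name", "secret"}
        self.auth_codes = {}          # code -> grant, removed when exchanged
        self.tokens = {}              # access_token -> grant
        self.balances = {"alice": {"BTC": 1.0}}   # constructed sample account
        self.orders = []

    def register_client(self, name):
        """Step 1: the exchange screens the bot and issues it client credentials."""
        client_id, client_secret = secrets.token_hex(8), secrets.token_hex(16)
        self.clients[client_id] = {"name": name, "secret": client_secret}
        return client_id, client_secret

    def authorize(self, client_id, user, requested_scopes, granted_scopes):
        """Step 2: the user reviews the requested scopes and approves a subset.

        The code is bound to this client and to exactly the granted scopes.
        """
        if client_id not in self.clients:
            raise ValueError("unknown client")
        granted = frozenset(granted_scopes) & frozenset(requested_scopes)
        code = secrets.token_urlsafe(16)
        self.auth_codes[code] = {"client_id": client_id, "user": user,
                                 "scopes": granted, "exp": self.clock() + self.CODE_TTL}
        return code

    def exchange_code(self, client_id, client_secret, code):
        """Step 3: the bot authenticates with its own secret and swaps the code for a token."""
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            raise PermissionError("client authentication failed")
        grant = self.auth_codes.pop(code, None)   # single use: consumed even if rejected below
        if grant is None or grant["client_id"] != client_id or grant["exp"] < self.clock():
            raise PermissionError("invalid or expired authorization code")
        token = secrets.token_urlsafe(24)
        self.tokens[token] = {"user": grant["user"], "scopes": grant["scopes"],
                              "client_id": client_id, "exp": self.clock() + self.TOKEN_TTL}
        return token

    def revoke(self, token):
        """The user or the exchange cuts the bot off without rotating any API key."""
        self.tokens.pop(token, None)

    def _grant_for(self, token, scope):
        """Resource-server check: token must be live and carry the required scope."""
        grant = self.tokens.get(token)
        if grant is None or grant["exp"] < self.clock():
            raise PermissionError("invalid or expired token")
        if scope not in grant["scopes"]:
            raise ScopeError(f"token lacks scope {scope!r}")
        return grant

    def get_balance(self, token):
        return dict(self.balances[self._grant_for(token, "read")["user"]])

    def place_order(self, token, symbol, side, qty):
        grant = self._grant_for(token, "trade")
        order = {"user": grant["user"], "client_id": grant["client_id"],
                 "symbol": symbol, "side": side, "qty": qty}
        self.orders.append(order)
        return order


def attempt(fn, *args):
    """Call fn(*args); return its result, or the exception class name if refused."""
    try:
        return fn(*args)
    except (PermissionError, ScopeError, ValueError) as exc:
        return type(exc).__name__


def delegate(granted_scopes=("read", "trade"), clock=time.time):
    """Run steps 1-3 for user 'alice'; return exchange, client creds, code and token."""
    ex = Exchange(clock=clock)
    client_id, client_secret = ex.register_client("ExampleBot")   # hypothetical bot
    code = ex.authorize(client_id, "alice", ["read", "trade"], granted_scopes)
    return ex, client_id, client_secret, code, ex.exchange_code(client_id, client_secret, code)


if __name__ == "__main__":
    ex, cid, csec, code, token = delegate(granted_scopes=("read",))   # user grants read only
    print(ex.get_balance(token))
    print(attempt(ex.place_order, token, "BTCUSDT", "buy", 0.1))   # refused: no "trade" scope
    ex.revoke(token)
    print(attempt(ex.get_balance, token))                           # refused: revoked
```

The point of the design is what the bot ends up holding: a token bound to one client, one user and only the scopes that user approved, which expires on its own and which either party can revoke. A breach of the bot’s database leaks those tokens, not the user’s exchange API key, and the exchange can invalidate every token issued to a misbehaving client in one step.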

Better than the status quo

What I proposed would certainly take a decent chunk of work. But a large company like Binance, which made over $200M in profits this quarter, can certainly spare the resources.

If Binance decides to do nothing

As long as trading bots continue to solve a real problem, people will use them. And as long as a few trading bots continue to be irresponsible or malicious, API keys will get compromised. When future attacks happen, the media will point their finger at Binance, regardless of whether they are actually at fault. It’s not good for Binance and it’s not good for their end-users.

If Binance cracks down on 3rd party bots

It’s virtually impossible to separate personal API use from API use by a third party. It would take significant resources and some serious machine learning chops to come up with something half-decent.

Let’s say, theoretically, they could do it. Shutting down third-party trading bots shuts down a ton of trading volume and liquidity on Binance. It also lowers their own revenue. It’s not good for Binance, it’s not good for end-users, and it’s not good for trading bots.

Win for Users, Win for Binance, Win for Trading Bots

Rolling out OAuth would improve trading bot security and reduce friction in the user experience, making both trading bots and their end-users happy.

A healthy ecosystem of trading bots built around Binance’s API is a win for Binance as well since they stand to make more revenue via trading volume.

Having a healthy number of developers building tools on top of your API is almost always a good sign, and could turn into an aspect of long-term defensibility for Binance.

Tweet this article cz_binance if you agree!

About the Author

Written by Anthony Xie

I’m the founder of HodlBot.

I’m a big data nerd. I like to talk about all things data, finance, and crypto. You can find me on Twitter here.

At HodlBot, we make it easy to automatically create diversified cryptocurrency portfolios.

We created HODL10, HODL20, HODL30 indices and the first ever application that allows you to create your own personalized cryptocurrency index fund.

To get started all you need is a