Boxman90










Bitstamp TX Fee Exploit - Fee 1.16% instead of 0.2% [Bitstamp Fixes on May 15th]

May 06, 2014, 11:07:34 AM

Last edit: May 09, 2014, 10:39:38 AM by Boxman90

Edit 09-05-2014: Bitstamp is increasing their trading limit to $5 on May 15th, after which the exploit as described in this post will no longer be possible.



After a response from Bitstamp, this post has been slightly edited. Bitstamp replied to my inquiry and I will discuss Bitstamp's response at the end of this post.



-----------------------------------------------------------------------------------------

I want to bring this all to your attention, because everyone trading at Bitstamp is affected negatively by a faulty implementation of the Transaction Fee Calculation on Bitstamp's side, which by definition always favors Bitstamp. At the moment this bug appears to be 'by design', but can be easily fixed.

-----------------------------------------------------------------------------------------



Bitstamp rounds their transaction fee off to the nearest cent decimal upwards. If you have a transaction of $11, the fee (0.002*13) is $0.022, which gets rounded off as $0.03. This is mentioned clearly in their Terms of Service and I think that's okay.



The bug/faulty implementation:

The essence of this bug lies with the minimum order limit in combination with their fee rounding policy. Bitstamp's minimum order limit is $1. Because it is possible to place an order at 20% above market price, the effective minimum order limit is $0.86. A $0.86 order at 0.2% fee should be charged 0.002*0.86= $0.00172, which, due to their rounding, gets rounded off to $0.01. This is almost 6 times the actual fee. The problem is that this stacks up, leading to an actual exploit that always favors Bitstamp:



The actual exploit:

You place a sell wall at a certain price, agreeing upon 0.2% fee over that entire sell wall. A system/bot repeatedly makes many of the tiny buys into your BTC sell wall. Each of those buys is charged with 6 times the accepted fee. When this continues until your sell order is completed, you will have effectively paid 6 times the fee over the entire sell order, instead of the 0.2% you thought.







Hypothetical Example:



When I put in a sell order of 20 bitcoins at $432.01, and some bot for some reason makes a LOT of mini tiny buys into it, you get an enormous fee percentage as a result. It is important to note that I as a seller have no control over the way somebody buys into my order! I am powerless then, and moreover I did not consent to having my order bought in increments that are so small that it disadvantages me while it sends 6 times the fee to Bitstamp. This system makes that fee 1.16% instead of 0.2%. This problem affects everyone.



I just had a 20 BTC sell order there. This bot for some reason buys into it with many tiny buys, each buy worth 0.86 USD. Every one of them gets a transaction fee of 0.01 USD because of their rounding. The proof is below. This example is hypothetical because I did not let the bot eat my entire wall that way, I pulled the order before he got that far.



In essence this 'trick' makes me pay a fee of 0.86/0.01*100% = 1.16 PERCENT. While I'm entitled to a transaction fee of 0.2%.



Everyone affected by these tiny buys/sells is charged almost 6 times the money. Let that sink in guys. A transaction fee of 1.16 percent because their system allows too small orders. They force this upon you and essentially, (by intentional design or not, it doesn't matter, you are at heavy disadvantage) take your money illegitimately due to this transaction fee bug/misimplementation.



--------------------------------------

Hypothetical calculation example:

--------------------------------------

Say I wanted to sell 20 BTC at $432.01, and it is bought completely by these mini buys:



The fee of this transaction should be 0.002*20*432.01 = $17.28

Due to the trick, actual fee is: 0.0116*20*432.01 = $100.23



Fee I agreed on when putting in sell order: $17.28

Actual fee that would be paid due to the exploit: $100.23



Bitstamp illegitimately takes 83 dollars in this scenario

---------------------------------------



As I said, I didn't let it come that far, I pulled my order before it could eat through my order that way.



Picture below is proof of the behavior.



Proposed fix: Make $5 orders the minimum for both API and Web interface. Preferably $6 to also avoid exploits through setting orders above 20% of current market price. Then all problems are solved.









---------------------------------------------------



Bitstamp did reply to my inquiry about their transaction fee calculation.



Quote

The rounding up which occurred in your case was in accordance with our notice provided in the Fee schedule section of our website. Fiat currencies, unlike Bitcoin, have two decimal places, therefore the smallest fee Bitstamp can charge for its services can never be below $0.01.

Bitstamp does not sell or buy bitcoins nor does it manipulate how orders are executed. If a sell was executed for one client (you in this case) this means that another Bitstamp client had his buy order executed on the opposite side of the trade.

As you are probably aware that "If you try to commit an order with price greater or lower than 20% of the current market price, our system will ask you for additional confirmation." (available in our FAQ: https://www.bitstamp.net/faq/ ). Due to such actions, it is sometimes possible that a user can perform a trade which is lower than $1 in value when placing an order which is higher than the market price at the time when it was executed.

They further explain their rounding policy, which is fine, but did not explain (yet) why the order limit is then not $5 so that the exploit as mentioned in this post cannot happen. The fact remains that an order limit of $1 in combination with the rounding off to $0.01 causes any order of $1 or smaller to be charged five times the fee.



Whether or not the low $1 order limit is intentional in order to harvest these fees or not, I will leave up to you (the community) to decide. The willingness of Bitstamp to change the order limit will show us as a community if it is intentional or not.



---------------------------------------------------



Edit 09-05-2014: Bitstamp is increasing their trading limit to $5 on May 15th, after which the exploit as described in this post will no longer be possible.
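The per-fill rounding described in the post, worked through as an added example (not part of the original post and not Bitstamp's code). It assumes the fee is 0.2% of each fill's USD value rounded up to the next cent; the function names are hypothetical, and the bound in `rate_upper_bound` is a general property of round-up-per-fill, not a figure from the post.

```python
from decimal import Decimal, ROUND_CEILING

FEE_RATE = Decimal("0.002")   # 0.2% fee, as stated in the post
CENT = Decimal("0.01")        # smallest chargeable fee unit


def fill_fee(value_usd):
    """Fee for one fill, rounded up to the next whole cent."""
    return (value_usd * FEE_RATE).quantize(CENT, rounding=ROUND_CEILING)


def order_fee(order_usd, fill_usd):
    """Total fee when an order is consumed in fills of fill_usd each.

    The last fill may be smaller than fill_usd and is rounded up as well.
    """
    full_fills, remainder = divmod(order_usd, fill_usd)
    total = full_fills * fill_fee(fill_usd)
    if remainder > 0:
        total += fill_fee(remainder)
    return total


def effective_rate(order_usd, fill_usd):
    """Fee actually paid, as a fraction of the order value."""
    return order_fee(order_usd, fill_usd) / order_usd


def rate_upper_bound(min_fill_usd):
    """Rounding up adds less than one cent per fill, so with fills of at
    least min_fill_usd the effective rate stays below this value."""
    return FEE_RATE + CENT / min_fill_usd


# Figures from the post: 20 BTC at $432.01, eaten in $0.86 fills.
ORDER = Decimal("20") * Decimal("432.01")

if __name__ == "__main__":
    for fill in (ORDER, Decimal("0.86"), Decimal("5"), Decimal("6")):
        print(f"fill ${fill}: fee ${order_fee(ORDER, fill)} "
              f"({effective_rate(ORDER, fill):.4%})")
    for minimum in (Decimal("0.86"), Decimal("1"), Decimal("5")):
        print(f"min fill ${minimum}: rate < {rate_upper_bound(minimum):.4%}")
```

A single-fill fee comes out one cent above the post's $17.28 because the whole-order fee is also rounded up here.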