The cryptocurrency quantitative trading tool CCXT is embroiled in a "code commission" scandal, with a hidden commission business behind its free offering.


Sometimes, the most expensive costs are hidden beneath the guise of "free."

Written by: Frank, PANews

Recently, the most renowned open-source quantitative trading library in the cryptocurrency field, CCXT, was revealed to have hidden secrets in its core code: by hardcoding preset rebate IDs, the software quietly siphoned off trading fee rebates that should have belonged to users without their knowledge.

The revelation landed like a stone thrown into a lake. It exposed another business model hidden under the open-source halo, and it made the countless developers and trading teams who relied on the library's "free" convenience realize that the trust they had placed in it may have carried an expensive price all along.

Over 36,000 Stars on GitHub, the Most Popular Open-Source Crypto Code

CCXT (CryptoCurrency eXchange Trading Library) is a widely popular open-source software library in the cryptocurrency trading field, whose core function is to provide developers, traders, and financial analysts with a unified interface to connect and operate numerous cryptocurrency exchanges worldwide. The CCXT project was initiated by Russian developer Igor Kroitor and can be traced back to 2016. The library supports multiple programming languages, including JavaScript, Python, PHP, C#, and Go, greatly expanding its applicability and adoption in different development environments.

By deploying the CCXT open-source tool, users can perform various cryptocurrency trading-related functions such as market analysis, indicator development, algorithmic trading, strategy backtesting, and order placement. It can be said that CCXT is akin to a simplified and free version of TradingView. As of now, CCXT supports over 100 cryptocurrency exchanges, including almost all major exchanges like Binance, OKX, Coinbase, Bybit, and Bitget, so users can meet their trading needs by accessing these exchanges directly through CCXT.

This convenient open-source approach has also quickly made CCXT the most popular tool among professional trading teams engaged in quantitative trading and strategy trading. On GitHub, CCXT has over 36,000 stars, surpassing the well-known open-source project QuantLib in the financial field. According to a report by security company JFrog in 2025, CCXT's cumulative download count on the official Python package manager PyPI has exceeded 93 million. Such a massive download count reflects that thousands of quantitative traders and development teams worldwide are using CCXT. In 2024, CCXT ranked 28th on GitHub and was included in the list of the most popular Python projects of 2024.

The Hidden Commission Mechanism, Hardcoded Broker ID, Potentially Millions in Invisible Revenue

However, behind the acclaim, CCXT has a little-known business practice.

On May 27, blogger @sunlc_crypto reported on social media that while using the CCXT framework, he discovered significant anomalies in his fee rebates. He then found that CCXT had added its own broker ID to the source code for several exchanges. In other words, it had preset its own rebate accounts for these exchanges, so users who were unaware of this and did not modify the settings had most of their fee rebates siphoned away. He said that he had lost about $15,000 in just two months on exchanges like Hyperliquid, Kucoin, and Bybit. Based on this estimate, CCXT may have profited over ten million or even a hundred million dollars through this method.

PANews found by examining CCXT's open-source code that the Python adapters for several exchanges, including OKX, KuCoin, Hyperliquid, Bitget, and Binance, indeed contained default brokerId settings.

Overall, CCXT has indeed preset default brokerId parameters in the adapters for several major exchanges, most of which exist in hardcoded form. When users place orders directly using CCXT without explicitly setting or modifying the relevant options, these default broker IDs will be sent along with the requests, attributing potential rebate fees to the accounts provided by CCXT. However, this point is not prominently highlighted in CCXT's official documentation.

How much profit the CCXT team has actually gained through this method remains unknown, because most of the exchanges involved are centralized. PANews attempted to find the rebate address from the Hyperliquid source code, but the specific address is not written in plain text in the code and is instead obtained through an internal interface, so it was impossible to find the most direct proof.

From "Paid" to "Free," from "Optional Referral" to "Hidden Hardcoding"

Looking back at CCXT's development history, PANews found that this practice may have originated as early as 2018. The early CCXT had a Pro version subscription service starting at $29 per month. Later, CCXT became completely free. In 2018, a user suggested on GitHub adding an optional referral ID to support CCXT. The main maintainer, Kroitor, welcomed the idea and added this code in an update. However, the original suggestion was mainly aimed at referral registration rewards, and it left users the choice of whether or not to fill in CCXT's ID.

But this seems to have marked the beginning of CCXT's profit-making. Subsequently, the main maintainer evidently added this logic to the code for most of the mainstream exchanges, and because of the inconspicuous way it was coded, most users find it difficult to detect. As of now, apart from @sunlc_crypto, who raised concerns as a whistleblower, there has been almost no discussion about this code design online.

Of course, CCXT seems to have anticipated that this phenomenon would eventually be exposed, so in CCXT's disclaimer, there is a statement: "API proxy means that CCXT's funds come from rebates from the exchange's API proxy program, and it is the official API proxy for many exchanges," which essentially subtly informs users of this profit-making method.

When @sunlc_crypto raised this issue to the community, he received support from many users. However, there were also many doubts in the comments section, with some questioning that as a strong quantitative trader, one should not care about these rebate fees. Others stated that since it is open-source code, failing to discover and modify these settings while using it is their own problem, and CCXT is not at fault. However, considering the widespread adoption of CCXT and its well-regarded reputation, this hidden coding "thoughtfulness" indeed violates the trust the community has in it.

After the incident was exposed, PANews noticed that CCXT's code continued to be updated daily, but as of May 29, there had been no modifications to the hidden hardcoded brokerId code raised by the community. CCXT's official channels have not responded to this matter on social media or Github.

Of course, compared to some open-source projects that hide backdoors and directly threaten the safety of users' funds, CCXT's default rebate collection is not even a bug; it can only be said that the developers showed some "thoughtfulness" in their design. However, this seemingly trivial thoughtfulness may earn more than a clearly priced subscription fee would. For users, on one hand, current AI programming tools are becoming increasingly powerful, capable of quickly detecting such "malicious" designs and of helping to write fully independent trading code from scratch. On the other hand, overly trusting a well-known "free" open-source library may end up costing more than an ordinary subscription fee. Anyone who wants to safeguard their trading rebates still needs to set the initialization parameters explicitly before using such code libraries.
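The default-options mechanism described above, and the advice to check initialization parameters before use, can be turned into a repeatable audit. The following is an added example, not code from CCXT or from the original article: the key-name pattern, the sample options and the function names are assumptions, and `audit_installed_ccxt` relies only on the library's public `options` dictionary.

```python
import re

# Assumption: attribution settings sit under option keys whose names contain
# one of these words ("brokerId" is the key named in the article).
ATTRIBUTION_KEY = re.compile(r"broker|referr|partner", re.IGNORECASE)

# Constructed sample of an adapter's default options; every value is a placeholder.
SAMPLE_OPTIONS = {
    "defaultType": "spot",
    "brokerId": "EXAMPLE-BROKER-ID",
    "broker": {"spot": "EXAMPLE-SPOT", "future": "EXAMPLE-FUT"},
    "timeDifference": 0,
}


def find_attribution_defaults(options, path=(), inherited=False):
    """Return [(dotted.path, value)] for every non-empty attribution setting."""
    hits = []
    for key, value in options.items():
        here = path + (str(key),)
        # A matching key flags itself and everything nested beneath it.
        flagged = inherited or bool(ATTRIBUTION_KEY.search(str(key)))
        if isinstance(value, dict):
            hits += find_attribution_defaults(value, here, flagged)
        elif flagged and value not in (None, "", False):
            hits.append((".".join(here), value))
    return sorted(hits, key=lambda hit: hit[0])


def unreviewed_defaults(options, reviewed_paths):
    """Paths of attribution defaults that nobody has explicitly signed off on."""
    return [p for p, _ in find_attribution_defaults(options) if p not in reviewed_paths]


def audit_installed_ccxt(exchange_ids):
    """Run the same scan over the defaults of a locally installed ccxt."""
    import ccxt  # third-party; imported lazily so the scan above works without it
    return {ex_id: find_attribution_defaults(getattr(ccxt, ex_id)().options)
            for ex_id in exchange_ids}


if __name__ == "__main__":
    for dotted_path, value in find_attribution_defaults(SAMPLE_OPTIONS):
        print(f"{dotted_path} = {value!r}")
```

Running `unreviewed_defaults` in CI against the pinned library version makes a newly introduced or changed default show up as a failed check instead of a silent change in fee attribution.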

This incident ultimately serves as a wake-up call for all users. In the fiercely competitive cryptocurrency field, maintaining the necessary scrutiny and vigilance towards any "free lunch," and carefully checking every line of "trusted" code, may be the most fundamental and critical line of defense for protecting one's rights, because sometimes the most expensive costs are hidden precisely beneath the guise of "free." Trust should ultimately not be so easily coded into profit.

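Disclaimer: This article represents only the personal views of the author and does not represent the position or views of this platform. This article is for information sharing only and does not constitute investment advice to anyone. Any dispute between users and the author is unrelated to this platform. If an article or image published on this page involves infringement, please send the relevant proof of rights and proof of identity by e-mail to support@aicoin.com, and the platform's staff will investigate.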
