The CCXT open-source API-trading library replaces the user's inviter ID with its own embedded one and thereby takes the user's referral commission fees. This issue has in fact always existed; it just went unnoticed. It was last exposed in April 2022, and I give the solution at the end of this post.

Open source does not mean secure: 99% of developers never review the source code of the open-source libraries they use, and developers like @sunlc_crypto who do are a small minority. The history of the cryptocurrency world is full of security incidents caused by poisoned open-source libraries and supply-chain attacks.

1. April 2024: @evilcos revealed that an open-source quantitative trading system for Solana contained a backdoor that stole users' API private keys.

2. October 2021: the author account of UAparser.js, a dependency library of the quantitative system, was hijacked and source code containing malicious code was uploaded.

3. July 2019: the author account of the dependency library strong_password was hijacked and source code containing malicious code was uploaded.

4. 2018: the Copay wallet author account was taken over by attackers and source code containing malicious code was uploaded.

It can only be said that incidents like these are everywhere: stolen API keys, replaced referral commission IDs, even substituted transactions, implanted mining trojans, and so on, in countless cases. The cryptocurrency world is a dark forest, and every step should be taken with caution. Even for open-source project libraries, it is best to conduct a complete review with AI. Personally, I recommend Cursor + Claude-4-sonnet.

The fix for CCXT's default embedded broker ID is to override the default broker in the options parameter when creating the exchange object. For details, see issue #12678 on GitHub.
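An added example, not code from the post or from CCXT, showing how to build that options override and then verify it actually took effect. It assumes that CCXT exposes the effective settings as the exchange object's `options` dict and merges user-supplied options into its defaults rather than replacing them (the `deep_extend` below mimics that merge), so a partial override silently leaves some embedded IDs in place; the option key names and default values here are constructed, since they differ from exchange to exchange.

```python
import re

# Constructed stand-in for the `exchange.options` dict CCXT populates at construction;
# key names and values are illustrative, not the library's real defaults.
SAMPLE_DEFAULT_OPTIONS = {
    "defaultType": "spot",
    "broker": {"spot": "x-LIBRARYDEFAULT", "swap": "x-LIBRARYDEFAULT"},
    "brokerId": "LIBRARYDEFAULT",
    "recvWindow": 5000,
}
TAG_KEY = re.compile(r"broker|referral|affiliate", re.IGNORECASE)


def find_broker_fields(options, prefix=""):
    """Map 'dotted.path' -> value for every leaf whose path contains a broker/referral-like key."""
    found = {}
    for key, value in options.items():
        path = prefix + key
        if isinstance(value, dict):
            found.update(find_broker_fields(value, path + "."))
        elif TAG_KEY.search(path):
            found[path] = value
    return found


def build_override(default_options, replacement):
    """Build an `options` argument that sets every discovered tag field to `replacement`."""
    override = {}
    for path in find_broker_fields(default_options):
        *parents, leaf = path.split(".")
        node = override
        for part in parents:
            node = node.setdefault(part, {})
        node[leaf] = replacement
    return override


def deep_extend(base, extra):
    """Recursive merge of user options into defaults (assumed to mirror CCXT's own merge)."""
    merged = dict(base)
    for key, value in extra.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = deep_extend(merged[key], value)
        else:
            merged[key] = value
    return merged


def still_default(effective_options, default_options):
    """Paths of tag fields that still carry the library default after the merge; must be empty."""
    defaults = find_broker_fields(default_options)
    return sorted(p for p, v in find_broker_fields(effective_options).items() if defaults.get(p) == v)
```

Against the real library, take `default_options` from an exchange constructed without overrides (for example `ccxt.binance().options`), pass `build_override(...)` as the `options` entry of the constructor config, and run `still_default` on the new object's `options` before sending any order.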