Recently, a trending topic has flooded the internet: the widely known open-source quantitative trading library ccxt has been exposed for secretly embedding a rebate mechanism in its code. In simple terms, when users place orders using ccxt, the trading exchange rebates they would normally receive are quietly taken by the ccxt team. Once this was revealed, the entire community exploded.

How popular is the ccxt project? Over 36k stars on GitHub, and over 93 million downloads on the official Python package manager. Basically, most quantitative trading teams worldwide are using this tool. It supports over 100 exchanges, equivalent to a free TradingView, with incredibly powerful features. The project was initiated by Russian developer Igor Kroitor in 2016, supporting multiple programming languages including JavaScript, Python, PHP, C#, and Go, no wonder it’s so popular.

But the problem lies in this 'free' aspect. Some users discovered their rebate amounts were abnormally high, and after inspecting ccxt’s source code, they found that in the adapters for some mainstream exchanges, ccxt had hardcoded its own brokerId. That is, if users didn’t actively modify this parameter, the exchange rebates would directly go into the ccxt team’s account. Someone calculated that in just two months, $15k had been 'skimmed off'; at this rate, ccxt might have profited millions or even billions of dollars through this method.

What’s even more heartbreaking is that this operation can be traced back to 2018. At that time, ccxt had a paid Pro version, which later transitioned to being completely free. In 2018, a user suggested adding an optional referral ID to support projects. The original idea was to let users choose voluntarily, but later the ccxt team turned this 'optional' into a 'covert hardcoded' feature, embedding this logic into the code of multiple mainstream exchanges.

ccxt’s disclaimer does mention that API proxy funds come from exchange rebate programs. But this statement is buried so deep that most users never notice it. After someone exposed this issue, the ccxt team did not make any public response, nor did they modify the code; they just continued updating as usual every day.

The discussion sparked by this incident is quite interesting. Some say that since it’s open-source code, users should check for themselves. Others question whether such a well-known project doing this violates the spirit of open source and user trust. But regardless, this incident serves as a wake-up call: so-called 'free' tools may hide costs far greater than subscription fees. In the crypto field full of strategic battles, we must remain vigilant about any 'free lunch' and scrutinize every line of code. Because sometimes, the most expensive price is hidden behind the guise of 'free.'