Using open source software is never about "you" personally having the skills to review it.
Actually... in this case, where one wants to build an exchange... it is.
Either you or some paid security expert has to review it.
The point of open source is that the source is open for everyone to see, and if the project is popular enough you can be sure that others have reviewed it, especially if it is sensitive and deals with lots of money, and then you can trust it doesn't have any backdoors.
Just because some open-source exchange doesn't have a sendPrivatekeysToServer() function, it doesn't mean that there is no backdoor.
Do you think you (or one of the 100 others who liked/forked such an open-source exchange) have an excellent clue about IT security?
Do you really think they would find a vulnerability which has been placed on purpose?
I mean... hell... OpenSSL has been reviewed by countless people... still it took more than 3 years to find Heartbleed.
One of the most obvious vulnerabilities (after the discovery).
Some well-hidden vulnerability definitely won't be found by some simple code reviews.
The other question is... why open-source an exchange if you can earn multiple 100k dollars with it when done right (not talking about running an exchange, but selling the software)?
What's their business model? Giving away valuable software for free because why not?
IMO, if someone wants to run an exchange... invest multiple 10k's or 100k's of $ into good software, get some professional security consultants, and perform regular penetration tests.