Send arbitration funds to a burning address instead of BTC donation address. #135
Comments
The idea that clever coding can remove humans from fiat transactions is NONSENSE. Attempting to solve trading issues with burned funds, arbitrator confiscation, donation addresses or other coding manipulations is a hopeless cause. If my trade goes to arbitration as the result of an unresponsive trading peer and I do not receive back my funds and my trading peer's security deposit, Bisq becomes a ridiculous paper tiger project. PRICE IN QUALITY DISPUTE RESOLUTION
If I understand it correctly, you suggest giving up on reducing the supply of BSQ by buying BSQ with those BTC and burning them. Is that correct? I guess that if disputes are rare, it wouldn't be a big problem for the BSQ supply.
Yes, I'm proposing to give up a big part of the BSQ supply reduction. Disputes going to arbitration are rare in a normal situation, because traders are not willing to momentarily lose their deposits, delay trades and pay arbitration fees.
I think there is no realistic risk for that case because if there are repeated cases, and especially if it is the same trader, the arbitrator will become suspicious and can delay the payout as well. The human element and time delay work in our favor. I think the loss of funds (BSQ reimbursed but the BTC are gone) is a bigger problem than this "theoretical" risk. We could also increase the required bond.
I think there is a very realistic risk of funds being stolen. Over on the Bisq forum I have outlined how this would work:
- Donation address holder places a bunch of orders to sell XMR at below market price (can work on the buy side too, but the donation address holder would need a lot of BTC for that).
How does anyone stop this attack from happening at all? If the other parties have already taken the trade and paid, there's absolutely nothing anyone can do to stop the donation address holder from getting a bunch of BTC after the timelock expires?
@chimp1984 There won't be "repeated cases", there will be a lot of orders from one or different onion addresses with unresponsive peers. I didn't know that the BSQ holder wasn't really anonymous, and that's what is stopping me from freaking out, because the locked bond is useless compared to Bisq volume.
@xbyvee Thanks for the summary, I was just following the discussion superficially before...
I think this is something that needs urgent attention right now. As it stands we have no idea who the Bisq donation address holder is right now. They are completely anonymous. Their GitHub account was set up just days before asking to be the donation address holder.
There was a DAO vote, and you can be assured that a totally anonymous address owner would not have been rejected by the major BSQ stakeholders. So that can give you confidence that there is no realistic risk for that, but I agree it is a conceptual risk and should be addressed at some point.
Arbitration cases are meant to be rare, so I don't think that this proposal is going to cost that much. The only reason to have a lot of disputes going to arbitration is this attack, and that really would be too expensive. It would mean the end of Bisq. When I voted for this role, I assumed that the person in charge of the role was completely anonymous and the locked bond would protect Bisq from misbehaviour. Now I have to trust the address owner while I haven't read anywhere that this person is not completely anonymous and should be trusted.
I don't know if failed trades are already being tracked. If not, could it be possible to include failed trades in the trading statistics? By failed trade I don't mean disputes or publishing the timelocked tx, I mean trades that have not completed before the time limit (i.e. 6 days for fiat, 1 day for altcoins, etc.). If the trade resolves, then it would show as "resolved" within the failing trades, so we can easily calculate a running balance of failed trades. This failing trade statistics flux would not be visible by default on the UIs. It would be something like this:
Only the last row would be shown by default. The previous two rows can be used to calculate a running balance of failed trades ("Failed" as positive, "Resolved" as negative). Maybe an automatic halt of trading in a specific trading pair, or in all pairs, could be implemented if the balance reaches a percentage of the BSQ bond of the donation address owner. Or alternatively, warn the user about the situation before engaging in a trade. Having an abnormal number of failing trades is not good in any case, whatever the reason. So I think it is not crazy at all to halt or refrain from trading if too many trades are failing. It would indeed be wise to stop and see what is going on before the problem is too big to handle.
@mpolavieja This information should not be available, and I don't think it is, considering it's a decentralized p2p system. There is a conflict between publishing data to be able to analyze the system and privacy. In general we don't publish anything that's not necessary for the functioning of Bisq, and I think that's correct. Funds sent to the donation address could be monitored on the blockchain, but any trade that ends with the traders agreeing on a payout from the 2of2 would not be possible to track.
So these trades are not currently being published in the trading statistics as normal trades once the traders agree?
Ok. I realize your point now. The trade is published as soon as an offer is taken, not when the trade is completed.
Right, because the network needs to know the offer is no longer there, but the trade process is not public knowledge and I think it should remain private.
Well, all the information about the trade is already being disclosed. If Bisq works, anyone would assume that the trade has ended successfully, otherwise no one would be using Bisq. My proposal would only add the info about the trade not being completed within the established time limit (temporarily); I don't see how that info significantly reduces privacy. Especially if Bisq works well and failed trades are rare. A different discussion is whether this is possible to implement and/or worth the effort.
Publishing the trade statistics is not required to spread that knowledge. You may just as well publish a
Probably the problematic thing with my proposal is technical, as the action of taking an offer leaves a trace of a real BTC tx and the event of consuming the time limit does not. I guess it could be inferred by not seeing the multisig executed in time, but that would require a daemon on all clients looking for the final BTC tx of all trades. Way too heavy a computing burden...
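The running balance described in the comment above, as an added worked example that is not Bisq code and not the commenter's own: a hypothetical stream of trade-state events ("failed" when a trade passes its time limit unresolved, "resolved" when it completes afterwards) is netted per trading pair (Failed +1, Resolved -1), and a pair is flagged for halting when the BTC still locked in its unresolved failed trades is worth more than a chosen fraction of the donation address bond. The event format, the field names, the 50% halt fraction and all sample events and prices are constructed assumptions for the illustration; duplicate failure reports and resolutions for trades never reported failed are ignored so the balance cannot drift.

```python
from dataclasses import dataclass, field
from decimal import Decimal


@dataclass
class TradeEvent:
    # Hypothetical event shape; Bisq publishes no such statistic today.
    trade_id: str
    pair: str        # trading pair, e.g. "XMR/BTC"
    state: str       # "failed": time limit passed unresolved; "resolved": completed later
    locked_btc: str  # trade amount plus both security deposits sitting in the 2of2


@dataclass
class PairStats:
    balance: int = 0                                 # running balance: Failed +1, Resolved -1
    open_trades: dict = field(default_factory=dict)  # trade_id -> BTC still unresolved

    @property
    def locked_btc(self) -> Decimal:
        return sum(self.open_trades.values(), Decimal(0))


class FailedTradeMonitor:
    """Keeps the running balance per pair and decides which pairs should be halted."""

    def __init__(self, bond_bsq, bsq_usd, btc_usd, halt_fraction="0.5"):
        self.bond_usd = Decimal(bond_bsq) * Decimal(bsq_usd)  # value of the locked bond
        self.btc_usd = Decimal(btc_usd)
        self.halt_fraction = Decimal(halt_fraction)
        self.pairs = {}

    def ingest(self, ev: TradeEvent) -> bool:
        """Apply one event; returns False when the event is ignored."""
        stats = self.pairs.setdefault(ev.pair, PairStats())
        if ev.state == "failed":
            if ev.trade_id in stats.open_trades:
                return False  # duplicate report: a trade is counted once
            stats.open_trades[ev.trade_id] = Decimal(ev.locked_btc)
            stats.balance += 1
        elif ev.state == "resolved":
            if stats.open_trades.pop(ev.trade_id, None) is None:
                return False  # never reported as failed: nothing to net out
            stats.balance -= 1
        else:
            raise ValueError(f"unknown trade state {ev.state!r}")
        return True

    def at_risk_usd(self, pair: str) -> Decimal:
        """Fiat value of BTC locked in unresolved failed trades of one pair."""
        return self.pairs[pair].locked_btc * self.btc_usd

    def halted_pairs(self) -> list:
        """Pairs whose at-risk value has reached halt_fraction of the bond value."""
        limit = self.bond_usd * self.halt_fraction
        return sorted(p for p in self.pairs if self.at_risk_usd(p) >= limit)


# Constructed sample stream: two XMR failures, one resolved, a duplicate report,
# a third failure, one EUR failure and a resolution for an unknown trade.
DEMO_EVENTS = [
    TradeEvent("t1", "XMR/BTC", "failed", "0.5"),
    TradeEvent("t2", "XMR/BTC", "failed", "0.8"),
    TradeEvent("t1", "XMR/BTC", "resolved", "0.5"),
    TradeEvent("t3", "XMR/BTC", "failed", "1.0"),
    TradeEvent("t3", "XMR/BTC", "failed", "1.0"),
    TradeEvent("t4", "EUR/BTC", "failed", "0.2"),
    TradeEvent("t9", "EUR/BTC", "resolved", "0.3"),
]


def run_demo() -> FailedTradeMonitor:
    # Bond of 50,000 BSQ valued at $0.49 and BTC at $7,500 (figures quoted in the thread).
    monitor = FailedTradeMonitor(bond_bsq="50000", bsq_usd="0.49", btc_usd="7500")
    for ev in DEMO_EVENTS:
        monitor.ingest(ev)
    return monitor


if __name__ == "__main__":
    m = run_demo()
    for pair, stats in sorted(m.pairs.items()):
        print(f"{pair}: balance={stats.balance} locked={stats.locked_btc} BTC "
              f"at_risk=${m.at_risk_usd(pair)}")
    print("halt:", m.halted_pairs())
```

With the constructed stream, XMR/BTC ends with two open failures worth 1.8 BTC ($13,500), above half of the $24,500 bond, so only that pair is flagged; EUR/BTC stays well below the limit. The check uses fiat value rather than the bare count because, as the thread notes, the bond only protects while it is worth more than the funds at stake.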
First let me say that I consider this new 1.2 system, while imperfect, a significant improvement compared to the previous trusted arbitrator system. A possible improvement:
@bodymindarts True, maybe the assumption that most offers lead to trades is wrong and we should stop publishing this data since it's giving away more data than necessary. It's a balance, but I would keep it as is for now. @flix1 there is already the rule that the donation address holder shall buy BSQ for the funds, not sure at what percentage or if set to a percentage. As discussed during today's call, I think the multisig donation address is better than adding more donation addresses. An attacker could still filter through all the offers and take those that are using their address. It's a lower take but still a severe attack. I like the 3of4 multisig with 2 known contributors and two unknown as key-holders. That will make it harder to put pressure on either known contributors or for the unknown ones to abscond with the funds.
Isn't it a great improvement that this kind of attack has been pushed away from traders and, if it happens, it is something that will be resolved amongst the arbitrator, the donation address owner, and the DAO? (assuming we are sure that the arbitrator and the donation address owner are different persons and do not collude)
What if we require that the donation address owner has to buy BSQ first in order to be able to get the BTC from a disputed trade? That is, requiring an equivalent amount of BSQ proof of burn. If this is technically possible, then there is no need to trust the donation address owner. Is this correct? If we are able to do it at a discount, anyone would be willing to buy BSQ in the market, burn it, and get the BTC from the dispute.
@mpolavieja That's not possible. The payout transaction is already signed before sending money to the 2of2. That payout tx is ready to be broadcast as is and it's not possible to put limitations on how it can be broadcast.
Yeah, I was expecting that the current payout tx would not be useful for this. I was thinking of substituting the current payout tx with some kind of pay-to-script tx instead, where the condition to spend the funds would be to show proof of burning a specific quantity of BSQ.
If the condition to unlock the funds could be set to "burn more than X BSQ", then it could even enable competition to bid for those BTC with higher amounts of burnt BSQ than specified in the script.
@sqrrm wrote
Curious how this rule is enforced or encouraged? This seems like a good process, could it be automated somehow in the long run (atomic swap)?
@gofastandpray It would be enforced through the DAO as it's a rule for the role owner. If the role owner doesn't follow the rule their locked funds could be confiscated by DAO voting.
Current donation address is: Less than 0.32 BTC there right now. But as some people pointed out in the call... an attack or several failed trades could very rapidly increase that amount with little warning. While we think about ways to improve this mechanism, it might be a good idea for the current donation address holder @burning2019 to try to keep the balance low, say below 50% of the value of the 50k BSQ bond. And of course the more eyes that are watching the donation address the better. We still have a trusted critical component in the system, but at least it is highly transparent.
What are you talking about? I thought the point of changing to 2 of 2 multisig was so that the arbitrator does NOT have a private key and is no longer a trusted third party. The current arbitration system is one in which the arbitrator can only suggest a payout, not enforce it. Am I missing something? I admit that I have not been involved in a dispute with the new version yet...
Yeah, that doc @clearwater-trust linked was archived precisely because it isn't relevant any more, and the reason for that is the new trade protocol. How is it related to this proposal?
Sorry for the confusion. I need somebody, and apparently so does @flix1, to explain how mediation/arbitration works in the event of an unresponsive trader with a 2 of 2 multisig. Thanks.
@clearwater-trust Same way it always has. The responsive trader requests arbitration and the arbitrator pays BTC back to the aggrieved trader. The process may take a bit longer, as there is a mediation step in the middle, but it's not practically any different from before. EDIT: we should probably take this conversation elsewhere to avoid polluting this thread with discussion that's not relevant to this proposal.
Just to be clear. The funds locked in the 2 of 2 go to this "donation address" and I have to trust the arbitrator is playing with enough fungible [not involved in some dirty heist that can implicate me in god knows what] bitcoin to pay back the trade PLUS the trading peer's security deposit? I am not polluting the thread. This is about funds that get sent to the donation address or burned.
Funds locked in the 2of2 multisig only move if one or both of the parties want to, if the mediator's suggestion is not good enough, or when the timelock activates (10 days since trade start). Feel free to message me on Keybase, I'll answer any questions you might have.
I would rather use multisig for the DAO address than go back to the v1.1.7 security model.
That also applied in version 1.1.7 to any Bisq user that was selling you BTC, or, if you were the seller, to the security deposit of the buyer in case the arbitrator decided you get at least part of it.
@mpolavieja No, it's not the same. In a 2 of 3, the offered trade funds were returned, not laundered through an arbitrator as is the case in the new protocol. I have to assume the 2of3 model had some glaring security threat that is not being made clear to justify this new 2of2 system.
The arbitrator had to be trusted. Trusted third parties are security holes. Moreover, it was not scalable.
I have to trust the arbitrator has enough funds to clear all of their disputes. I would rather trust the arbitrator is honest.
It is not really an arbitrator anymore, it is just a broker that buys the dispute at a discount in order to get a slight profit (coming from the losing party of the dispute) when reimbursed by the DAO. The only thing you have to trust is that his BTC are honest. But you also have to trust that the BTC from your trading peers are honest in case there is no dispute. The normal thing is that you will get way more BTC from unknown trading peers than from arbitrators. Apart from mining, the only way you can get clean BTC is through KYC. For that you already have centralized exchanges.
Does the winning party still receive the security deposit for time lost on the offer book? I mean, it seems like you just said, "Arbitrators profit from disputes", which is a weird market dynamic that may take me a while to understand.
The winning party will receive part of the security deposit depending on the mediator's proposed payout. In my opinion the mediator should leave part of the security deposits as a fee for the arbitrator, who is going to bear the risk of paying the winning party and waiting to later be reimbursed in the equivalent amount of BSQ by the DAO. In older versions, the arbitrator also earned a fee; they did not work for free. In this version, the arbitrator is actually more a trader than an arbitrator. He buys the dispute at a slight discount. Users don't have to worry about this. The only thing they see is that they are getting the BTC payout suggested by the mediator. Regarding your concern about the BTC from the arbitrator coming from strange activities, again I don't see the difference from getting the BTC from the seller if you are the buyer and won the dispute.
Yeah. I agree. From the buyer's perspective the source of funds is ambiguous. But as a maker/seller, it is noteworthy that funds received after a failed trade are not the funds offered in the trade, but instead are coming from the arbitrator. I think the idea of a trade broker is interesting. I'll think more on this. Thanks for taking the time to answer my questions. Traders are going to want to know how the system works. I feel like I'm pretty plugged into Bisq but somehow the details of this change slipped through my channels.
In the old version, you as a seller could also receive part or the whole of the security deposit from the buyer. Even if you didn't receive any, there is a trace in the blockchain where your BTC and the security deposit from the buyer were together in a multisig. In any case, needing a payout from an arbitrator is supposed to be a rare event compared to the much more frequent event of signing a multisig transaction with your trading partner.
Because the arbitrator (or whoever is in control of the payouts) could be one of the trading parties and just award the payment to themselves.
@ExPrgrmmr Your deeply uninformed comments are really annoying. I beg you to please inform yourself before commenting.
There's now more than 1 BTC at the donation address:
There's now almost 4 BTC in the donation address: To be precise 3.65 BTC, which at today's prices (7500) is $27,375. That is well over 50% of the value of the 50,000 BSQ bond. In fact at the current BSQ price of $0.49, the bond would be worth $24,500. ping @burning2019
@flix1 What are you proposing by highlighting the funds sent to the 'donation address'? Are you saying the bond should be more? The funds should be burned? Or, you don't wish to donate failed trades to a stranger? We can expect the 'donation address' balance to increase dramatically each time the price moves DOWN as buyers refuse to pay for their trades.
I understand that @flix1 suggests that the owner of the donation address should not let the balance go that high. The owner of the donation address should use the Bitcoin to buy BSQ and burn them.
The proposal has been rejected in the last DAO voting. I would suggest that we close it.
Rejected in DAO voting Cycle 7
Edit: Explicit proposal sent to vote on DAO at the end of this post.
Abstract
The security model for the BTC donation address holder is not valid because the locked bond can't cover the funds taken by a dishonest address holder. To prevent this attack, trade funds should be sent to an unspendable address.
Issue description
Since v1.2, Bisq entrusts the BTC donation address owner to regularly buy BSQ with funds from BTC trading fees and trade amounts that end in arbitration. This role is bonded with 50,000 BSQ locked, which would be high enough to cover the current trading fee volume and rare disputes, preventing dishonest behaviour.
This security model, based on a bonded role, relies on the supposition that trades going to arbitration are going to be very rare, as both traders don't want to see their funds lost and pay a small arbitration fee. But one of the traders could be colluding with, or be the same person as, the BTC donation address holder, inducing disputes to end up in arbitration and sending all the 2of2 multisig funds to the address controlled by the donation address owner. Just a couple of days of Bisq's current XMR trading volume would cover the BSQ bond and create profit. As timelocked transactions would be automatically triggered after a week or more, the attack would be noticed too late and there's nothing Bisq could do to stop the transactions being sent to the attacker's address.
This leaves Bisq in a situation of high risk. Bisq can't trust an anonymous person, without any track record of previous honest behaviour, to hold and spend the funds like it's supposed to. The locked bond is tiny compared to weekly Bisq volume.
Proposal
Taking into consideration the following points:
I propose, as a cautionary measure, to destroy all deposit and trading funds by sending them to a burning address when going to arbitration. Trading fees could continue to be sent to the BTC donation address holder.
Further proposals could improve this situation, but they should be discussed in a separate proposal. The main concern of this proposal is security, so the focus must be on carrying out short-term actions.
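The issue description argues that a bonded role is only a deterrent while the bond is worth more than what the role holder could walk away with, and the thread tracks exactly that comparison by hand (0.32 BTC, then over 1 BTC, then 3.65 BTC against a 50,000 BSQ bond, with a "keep it below 50%" guideline). The following is an added worked example, not Bisq code and not the proposer's own, that makes the comparison explicit: it values the donation address balance and the bond in the same unit, classifies the coverage, reports how much headroom remains before the 50% guideline, and estimates how many further arbitration payouts of a given mean size the bond still covers. The BTC and BSQ prices are the ones quoted in the thread; the mean payout size and the status thresholds are constructed assumptions.

```python
from decimal import Decimal, ROUND_CEILING

# Bond locked for the donation address role, as stated in the issue.
BOND_BSQ = Decimal("50000")


def bond_coverage(balance_btc, btc_usd, bsq_usd, bond_bsq=BOND_BSQ, warn_at="0.5"):
    """Compare the donation address balance with the bond value in USD.

    Returns the fiat values, the balance/bond ratio, a status and the BTC headroom
    left before the balance reaches warn_at of the bond (negative when exceeded).
    Status thresholds are an assumption for this illustration:
      ok        : balance below warn_at of the bond
      warning   : between warn_at and 100% of the bond
      uncovered : balance worth more than the whole bond
    """
    balance_usd = Decimal(balance_btc) * Decimal(btc_usd)
    bond_usd = Decimal(bond_bsq) * Decimal(bsq_usd)
    warn = Decimal(warn_at)
    ratio = balance_usd / bond_usd
    if ratio >= 1:
        status = "uncovered"
    elif ratio >= warn:
        status = "warning"
    else:
        status = "ok"
    headroom_btc = (bond_usd * warn - balance_usd) / Decimal(btc_usd)
    return {
        "balance_usd": balance_usd,
        "bond_usd": bond_usd,
        "ratio": ratio,
        "status": status,
        "headroom_btc": headroom_btc,
    }


def payouts_until_uncovered(balance_btc, mean_payout_btc, btc_usd, bsq_usd, bond_bsq=BOND_BSQ):
    """How many more arbitration payouts of mean_payout_btc the bond still covers.

    Zero means the balance already exceeds the bond value. The mean payout size is
    a constructed input; in practice it would come from observed payout sizes.
    """
    bond_btc = Decimal(bond_bsq) * Decimal(bsq_usd) / Decimal(btc_usd)
    remaining_btc = bond_btc - Decimal(balance_btc)
    if remaining_btc <= 0:
        return 0
    return int((remaining_btc / Decimal(mean_payout_btc)).to_integral_value(rounding=ROUND_CEILING))


if __name__ == "__main__":
    # Balances observed in the thread, valued at BTC $7,500 and BSQ $0.49.
    for balance in ("0.32", "1", "3.65"):
        r = bond_coverage(balance, "7500", "0.49")
        left = payouts_until_uncovered(balance, "0.25", "7500", "0.49")
        print(f"{balance} BTC: ${r['balance_usd']} vs bond ${r['bond_usd']} "
              f"ratio={r['ratio']:.3f} status={r['status']} "
              f"headroom={r['headroom_btc']:.4f} BTC, payouts left={left}")
```

At the prices quoted in the thread the bond is worth $24,500, so a balance of 3.65 BTC ($27,375) is already uncovered, while 0.32 BTC leaves room for roughly twelve more payouts of 0.25 BTC. Because the coverage depends on both prices, a fall in BSQ or a rise in BTC shrinks the margin with no change in the address balance, which is why monitoring the ratio rather than the raw balance is the relevant check.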