Replace the role of Refund Agent with a new team of Arbitrators that can together publish one of several pre-signed 2 of 2 multisig timelocked payout transactions as proposed by a Mediator #220
Comments
I believe the naming scheme of Arbitrator and Mediator is confusing and not needed in this proposal. There is no reason to separate this group of individuals with separate roles. They should all post the same bonds and be directed under the same role. Edit for clarity: They should all be mediators and/or arbitrators. |
I agree with the spirit of the proposal. The new trade protocol leads to funds being locked up longer than necessary thus affecting the liquidity. But I feel like this may be over-complicating things.
This can be achieved by having a payout tx sent to a 2of3 multisig made up by the traders and one of these 5 arbitrators. |
This proposal has potential to improve a lot of things from the current trading protocol and the only thing I dislike is that it has been seriously considered after acknowledging that refund agent does not scale. I have 2 doubts and 2 possible improvement proposals.
@huey735 Your proposal also relies on arbitrators not colluding (although it would be more difficult to take profit of collusion unless they're all colluding), and if one of them falls sick there will be delays, while wiz proposal makes possible to substitute unresponsive arbitrators. Also, sharing signature of payouts looks better in legal terms? |
This proposal reintroduces a trusted third party (TTP) into the trade protocol. While it looks possible to implement all this it also makes the whole complexity of the refund agent and burning man pointless. I think it would also be possible to do this as a multisig structure and return to the previous way. However, I see a trusted third party as a critical flaw in a distributed system and I don't think it's a good idea to reintroduce it, at least not as a core concept. It's an existential threat to Bisq. The idea of having several presigned payout transactions sounds like it could be a useful mechanism though. Perhaps adding this as an optional feature could work. That would possibly avoid a lot of the friction in current trades while anyone not wanting to use it could opt out, on both the trader and TTP side. There is a legal risk for anyone partaking in the TTP group but there might not be an existential risk to Bisq. The problem is the implicit requirement users could put on using this feature meaning it could become a basically forced feature. I agree there is a need to make the trade process smoother and I welcome the discussion but I'm not convinced this proposal is the way to go. |
You cannot trade FIAT without a TTP. Nature of the beast. No amount of clever coding will eliminate fiat trading risk and the requirement of a trusted third party. |
The current trading protocol does not remove the trusted third party, it just delays its activity, which, together with long timelock period, is bad for user experience (more than 10 days to solve altcoin disputes, 20 for fiat) and security (10 days to acknowledge lost funds). The only way we know to remove TTP is by 2of2 multisig and high security deposits (overcollateral) to allow Mutual Assured Destruction schemes, where both traders are responsible for completing a trade because both have something to lose at any step of the settlement. |
@MwithM That is fair, we're still using the DAO as a TTP. I'm thinking that the DAO is sufficiently distributed that there is no particular central point that carries a particular legal risk and that the DAO is not easily pressured into acting a certain way. |
@sqrrm as both @MwithM and @clearwater-trust mentioned above, the Third Trust Party never left and in the new protocol it was what led to the recent exploit. As of today @burningman2 can take all offers and just sit and wait for the funds to be sent to their address. @MwithM you make a great point regarding the redundancy flaw in my suggestion. I don't know much about SSSS but given that 3of5 of the arbitrators can decrypt the transactions then that's the better way.
|
About 2 (security model): I guess it's just that I never felt right that seller deposit is fixed to 15%, but this is working now and can be changed later. |
In this proposal, a team of 3 of 5 arbitrators is required to make the payout. Why are we using 5 and not the number x = total amount of individuals dealing with trade failures? Separating this workgroup is not necessary. (Mediators/Arbitrators) They should all have the same privileges and be equally invested in ALL trade disputes. x being the total number of mediators/arbitrators required to run all of Bisq’s markets. Or 2 of x. Or 5 of x. I don’t know. Within the workgroup they can designate who will be available to review and sign each other’s payouts in the event of a trade failure. Why are you trying to separate this workgroup? Why did you make it 3 of 5 in the proposal? |
@clearwater-trust I don't know what @wiz had in mind but it makes sense to me to separate the two as Mediators wouldn't have keys pertaining to the multisig. They're there just to help the trades through the process. So they have less responsibilities and the role can be scaled easier to multiple languages. |
They should all read, review and arbitrate failed trades. No impotent mediator slavery required. Creating a powerless mediator role is workgroup suicide. Separating the "failed trade" team into some weird hierarchy is worthless serfdom. |
How should the verification of the alternative payout txs work if they are encrypted and not visible / verifiable by the trade peer? This is especially a risk for the seller as he has more to lose and would open up the door for blackmail attacks when the buyer creates an invalid signature and the seller has locked up more funds in the 2of2 MS. If the peers would exchange the alternative payout txs/signatures (unencrypted) then any of them could easily publish the best outcome for them (e.g. seller gets all or buyer gets all). So I don't understand how this should work from a technical and security point of view. But beside that it would introduce again the old problem of the legacy arbitrator and just mitigate it by distributing it to a group of people instead of one person, but that would likely not lower the legal risks that this group could be interpreted as TTP. Using all team leads for that group would be an "invitation" how to shut down Bisq on the human resource side by applying legal pressure.... To use multisig and multiple arbitrators was always on the table with the old protocol as well but was considered a not substantial improvement so it never got implemented. Beside that, multisig (or SSSS) suffer from the inflexibility when members leave. I don't see the need for SSSS instead of the more convenient and Bitcoin-native Multisig instead. E.g. group of arbitrators sign payout. Considering that new protocol idea as optional would carry difficulties in UX and compatibility when one trader wants to use protocol 2 and other protocol 3. At least you would get lots of offers disabled if there is no match, and then you need to explain the users the complexity of the reasons for that -> a UX nightmare.... Giving the users the choice would also introduce a UX hurdle as they need to understand the 2 protocols. I understand the problems with the current situation but what has been done over the past months to improve the known problems?
I think on the bugs side we got some improvements and I am not sure if there is much open. For UX I think we could relatively easily add some popup or graphics to make it more clear to newbies that they have to be online and check Bisq's trade status. I assume some users are not aware of that, but it's likely a very small percentage, but a problem which could be mitigated relatively easily. Regarding laziness/carelessness: More, better notification systems would help as well as higher deposits. Ideas to combat "future trades":
I think as long as those more simple steps are not implemented we should not try to do the much harder work like trying to introduce a new trade protocol. |
Totally dislike this proposal. A better one would be to have traders to choose if they want 2/2 or 2/3 multisig with arbitrator. |
@chimp1984 I didn't have the solution, but now I do. We can use musig-dn to verify the encrypted data: https://medium.com/blockstream/musig-dn-schnorr-multisignatures-with-verifiably-deterministic-nonces-27424b5df9d6 |
TLDR: Since after 4 years and the DAO, it's still down to proposals of 3 of 5 arbitrators - some of them known founders and devs - perhaps it's time to approach outsiders in escrow business for new ideas and arbitration diversity. There is a thread of reputable, long-standing escrow agents on BitcoinTalk; maybe some might have innovative suggestions or would even get engaged to arbitrate and free the devs for development? Perhaps, a BSQ bounty to advance over some obstacles, such as this one? (Problem seems bigger than RA issue. To ordinary outsiders, seems clear that this part of Bisq is still centralized around the same original people and so by necessity and youth is the DAO. Is the part of it with the decisive voting power and consistent engagement still not much more than the devs who made it, and rightfully continue to earn most of the BSQ? From the users' perspective, increasing protocol complexity is one of the things repelling old and new users in our experience, especially those who don't know English. All the steps, rules and limitations started making it seem like dealing with the legacy banking system and PayPal. Some payment methods have been driven out of use. So many mediocre, nothing-new exchanges appeared years after Bisq, and outscaled it within a few months or a year. If we are still trying to find a way to scale key parts, such as final arbitration, seems that either the whole idea of a decentralized exchange can't scale, or more likely some new ideas are needed from the broader cryptosphere. |
@initCCG @pazza83 I'm sorry, the trader doesn't remember what happened exactly. She said some kind of a list came out of what to do, and she decided not to figure it out, because the trade wasn't worth the trouble, and English is not her strong skill. I asked to try to duplicate. If she does, I will update. |
One of my associates brought up some data he thinks useful to support the case I tried to make that Bisq arbitrators are not under any imminent threat of attack. So, the arbitration protocol could be returned to the previous 2 of 3, until a radically better idea appears. To the cryptosphere, Bisq's main bread is XMR, which is 60% of the trade volume: Let's say that's wrong, and it's far more - several %! That's still insignificant for most traders to even participate, as we well know, much less for legal and illegal criminals to attack Bisq contributors. Furthermore, behold the current report from the most organized of criminals regarding "INTERNET ORGANISED CRIME THREAT ASSESSMENT": OpenBazaar is going out of business, is centralized around the OB1 corporation, appeared around the time Bisq did, and was mentioned in the report. Bisq is not even mentioned!!! AFTER 4 YEARS! It is so insignificant, that these gangsters didn't even care to mention it as a false bogeyman! The point is that until Bisq starts to get single digit volume at least on XMR, and appears on the radar of at least such organized, well-funded thugs, its founders and operators need not hide or decentralize. |
To go back to the old arbitration system is totally out of the question. |
With regards @wiz's and @huey735's suggestions for New Pre-signed Payout TX Scenarios. As the security deposit percentage has been updated to be between 15-50%, would it be appropriate to discount 'security deposit' and instead replace it with a figure based on 'percentage of trade amount' 15% of 'trade amount' would represent 100% deposit I think this would be accurate based on when the proposals were made, May 2020, as at the time the security deposit was fixed to 15%? Sometimes a trader might be unable to adhere to the trade protocol in terms of timing and communication due to illness, injury, computer issues, life events etc. In these cases their losses would be limited to 7.5% of the trade amount. Setting a percentage of trade amount that both Buyers and Sellers entering the trade would be content to lose, or be in profit, if they, or their counterparty, were unable to complete the trade should be achievable. A loss of 7.5% of 'trade amount' for traders unable to adhere to trade protocol seems reasonable (eg delayed payment, unresponsive counterparty, funds sent from incorrect account, new users making mistakes due unfamiliarity with protocol) A loss of 15% of 'trade amount' for traders intentionally breaching trade protocol seems reasonable (eg requesting buyer to send fund to another account, attempting arbitrage, not going ahead with trade due to their own mistake) A profit of 7.5% of 'trade amount' for traders whose counter party is unable to adhere to trade protocol seems reasonable A loss of everything for traders trying to fraud / scam / damage Bisq or their counter party is reasonable (eg adding 'payment for Bitcoin' in the bank reference!). With regards @MwithM's scenario of what if both traders are dickheads, adding to Wiz's suggestions, I would suggest:
|
I assume you refer to MuSig not the concrete blogpost about the security fixes. I don't see how MuSig makes any difference here to normal MultiSig from a conceptual point of view. There is still the problem that the receiver of encrypted signatures cannot verify anything. There might be some advanced zero knowledge proof schemes to make such stuff possible, but that is beyond any realistic possibilities for us (not having the cryptographers capable of such and not the financial resources to get that developed). |
@pazza83 I don't understand your post. I think @wiz intention was to find a model where a 3rd party could release the funds without using the refund agent model. IMO this is very similar to the old 2of3 multisig arbitration which could have been extended also to a group of arbitrators (3of5 or the like) doing the payout together. This idea was out since long but never got considered to be implemented as the coordination problem between the arbitrator would have added considerable complexity and friction and the main problem that there is a 3rd party partially controlling the funds (in some context) was just delegated to more entities but not solved. |
@chimp1984 I was attempting to make a suggestion for how trade disputes can be settled at mediation and arbitration with regards the comments about 'New Pre-signed Payout TX Scenarios.' I am not commenting about the bigger issue of 'replacing the role of Refund Agent with a new team of Arbitrators'. Consider the two following trades that are taken where the seller of BTC becomes unable to complete the trade within the required trade period due to hospitalization, injury, computer failure etc: Trade A Trade B In the above scenarios the trade is categorized by @wiz as:
In this instance the loss of 50% deposit represents a significant difference between even trades of the same amount in BTC (Trade A and B). The point I was trying to make is that as the security deposit amount is now a variable (15-50%) would it be appropriate to instead define the payout as follows:
Using this method, payouts would be as follows: Trade A Trade B The above is a little more complicated and I expressed it poorly mathematically. But it does take into account the variable deposits that can be chosen. I think these have only been introduced fairly recently. My question with regards to New Pre-signed Payout TX Scenarios is: Should Trader A (trading with larger deposit) be penalized more than Trader B (trading with a smaller deposit) in the instance of them being unable to complete a trade within 24 hours? My view is that limiting any loss/gain to 7.5% of the trade amount, due to being unable to trade in a 24 hour window, is fair for both buyer and seller. |
@pazza83 Ah ok. I think that proposal got interpreted as something which is planned/feasible. But I don't see a way how that could be done in a secure way (encrypted signatures cannot be verified and thus cannot be trusted). See #220 (comment) The current mediation/arbitration system has 100% flexibility anyway (beside that mediators have to give at least 0.003 BTC to the losing side, to leave incentive that this peer cooperates). |
I see that we are back to the old TTP v MAD hard choice. I don't have the answer but I agree with @chimp1984 that going back to 2-of-3 sigs with arbitrator would be a mistake. It will never scale to millions of users. I also agree with @sqrrm that having several presigned payout transactions can be a very useful mechanism. We have not fully explored its possibilities. ...and I agree with @MwithM that a 2-of-2 MAD system would be the simplest, most scalable, most pure p2p and most uncensorable long term solution. Maybe it would make sense to try it with small amount trades (0.01 BTC ) to see if % of failures is reduced over time. |
Bisq will come under attack by regulators as soon as volumes become significant. That could happen as early as 2021. When that happens any person that touches funds or has any kind of control of user funds (ie: the 3rd signature) will have legal responsibility and can be accused under AML regulations at least in the EU, US. Any TTP will be a central point of attack. Even devs will come under attack, but at least as open source software Bisq should be fairly resilient to devs having to quit over those concerns. We need to come up with solutions that remove those vulnerabilities for good. For some alts atomic swaps should work (especially BSQ). For fiat-BTC maybe a combination of 0.01 BTC MAD 2-of-2 trades + instant payment method + API could create a kind of payment channel... |
Another possible combination would be to make the Trusted Third Party itself a protocol. ie: make the arbitrator a robot that acts according to pre-established rules. That would make use of presigned payout transactions while retaining 2-of-2 multisig and pure P2P protocol. Maybe this will be possible with the API. Or the combination of a human mediator that suggests a solution (but has no control of funds) and a bot that makes the actual payout taking into account input from 1. buyer 2. seller 3. mediator. |
Establishing a named arbitrator team is basically painting a target on your back. Any regulator would immediately know who to go after when investigating Bisq. At least in the old protocol arbitrators were anonymous! Then you get arbitrators being arrested or pressured and we are back to 2-of-2 without arbitration... or worse. |
Summary
This is a proposal to modify the Bisq trade protocol so that both trade parties create a set of pre-signed 2 of 2 multisig timelocked payout transactions at the time an offer is taken, and encrypt these transactions to the public keys of members of a newly established Arbitration team so that a majority of members of the Arbitration team can cause a Mediator's suggested payout to become effective by publishing the appropriate payout transaction to the Bitcoin network.
Rationale
When Bisq v1.2 was released, the Bisq trade protocol was modified from utilizing a 2 of 3 multisig to a 2 of 2 multisig deposit address for trade funds and security deposits. This was done to improve the security and decentralization of Bisq, making it truly peer-to-peer, and to eliminate a potential attack by Legacy Arbitrators where they could collude with a trader to steal trade funds and security deposits. After changing to a 2 of 2 multisig removed the ability for trade disputes to be quickly resolved using Legacy Arbitration, the role of Refund Agent was created to resolve trade disputes.
However, the Bisq user experience was severely degraded in the event of an unresponsive trade counterparty, bugs in the Bisq application, or intentional scam attempts by a trader. Currently traders must wait 10 or 20 days to be refunded in these cases, and the Refund Agent needs to use a significant amount of his own capital to refund these traders until he can be refunded by the DAO. Trading volume has dropped, and user satisfaction has decreased.
Additionally, this has now become an urgent problem for Bisq as the current Refund Agent wishes to resign, and there is no volunteer willing or able to perform the role. This proposal aims to solve both issues at once by eliminating the need for a Refund Agent by utilizing a set of pre-signed timelocked payout TX that can be published by a majority of Arbitration team members after a shorter time period, but also retaining the current 2 of 2 multisig security model so that Bisq remains truly peer to peer.
Causes
There are many causes of a trade failing to be resolved by Mediation and requiring Arbitration, but these are the most common:
Unresponsive Trade Counterparties
Bugs in the Bisq software
Intentional scam attempts
Proposal
Currently if a Mediator makes a suggested payout, it has no effect in the above cases and is simply ignored by the defaulting party. This proposal is for developers to implement the following new pre-signed timelocked payout transactions, and to encrypt them to the public keys of 5 members of a new Arbitration Team.
Establish a new Arbitration team
Duties: Arbitrator team will consist of 5 highly trusted people who will verify any suggested payout by a Mediator and decrypt the proposed payout transaction if they agree with the Mediator and jointly publish it to the Bitcoin network
Requirements: Must currently perform at least 2 bonded roles for Bisq, and have posted bonds for those roles. Additionally, no Arbitration team member can be a mediator since it would create a conflict of interest, so they will have to resign as Mediator if becoming an Arbitration team member.
Primary Members: @sqrrm @m52go @wiz
Backup Members: @cbeams @ripcurlx
Pre-signed Payout TX for DAO Donation Address
Currently when an offer is taken, both trade parties create a pre-signed payout transaction that can be published by either party when the timelock expires. This allows funds to be donated to Bisq and the traders to request a refund from the Refund Agent. This will remain as-is, and function as a fallback mechanism in case the new Arbitration is not successful for some reason.
New Pre-signed Payout TX Scenarios
Bisq developers will need to implement several new timelock payout transactions signed by both parties, for the following potential payout scenarios. These payout TX will have a locktime of double the soft time limit for the applicable time limit, for example in the event of a BSQ trade which is 24 hours, this time limit would be 48 hours, allowing mediation to begin after 24 hours and arbitration to be completed after 48 hours.
Developers / Mediators: if you can think of other potential payout situations, please comment with suggested additional payout scenarios
Encryption to Arbitration team using SSSS
After the above new payout TX are signed, they will be encrypted to the public keys of the Arbitration team members using SSSS, so that the trade parties cannot broadcast them by themselves, and only 3 of 5 of the members of the Arbitration can decrypt them by working together. This might be best implemented in the app using the existing Arbitrator GUI with a button for Arbitration team members to approve a suggested payout by a Mediator.
Implement native OS notifications for all platforms
The final part of this proposal is to create a BSQ bounty for the successful implementation of native OS notifications for all supported platforms without adding a new jar dependency.
Feedback
Feedback requested from @sqrrm @cbeams @ripcurlx @chimp1984 @m52go @RefundAgent
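An added sketch of the 3-of-5 SSSS threshold described under "Encryption to Arbitration team using SSSS", including the member-replacement question raised in the comments. It is not Bisq code and not part of the original proposal; the function names, the field prime, the 256-bit key and the SHA-256 key digest are assumptions made for illustration.

```python
import hashlib
import secrets
from itertools import combinations

P = 2**521 - 1               # Mersenne prime; field larger than any 256-bit key
THRESHOLD, MEMBERS = 3, 5    # the 3-of-5 Arbitration team from the proposal


def split(secret, k=THRESHOLD, n=MEMBERS):
    """Deal n shares (x, f(x)) of a random degree k-1 polynomial with f(0) = secret."""
    if not 0 <= secret < P:
        raise ValueError("secret must be a field element")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]

    def f(x):
        acc = 0
        for c in reversed(coeffs):       # Horner evaluation mod P
            acc = (acc * x + c) % P
        return acc

    return [(x, f(x)) for x in range(1, n + 1)]


def interpolate(shares, at=0):
    """Lagrange-interpolate the polynomial through `shares` and evaluate it at `at`."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for xi, yi in shares:
        num = den = 1
        for xj in xs:
            if xj != xi:
                num = num * (at - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def recover_key(shares, key_digest):
    """Return the key only if the reconstruction matches the digest (assumed published)."""
    key = interpolate(shares)
    ok = key < 2**256 and hashlib.sha256(key.to_bytes(32, "big")).digest() == key_digest
    return key if ok else None


def demo():
    key = secrets.randbits(256)   # constructed stand-in for the payout-tx decryption key
    digest = hashlib.sha256(key.to_bytes(32, "big")).digest()
    shares = split(key)
    # Every 3-member quorum recovers the key; no 2-member subset does.
    any_three = all(recover_key(list(q), digest) == key for q in combinations(shares, 3))
    two_fail = all(recover_key(list(q), digest) is None for q in combinations(shares, 2))
    # A quorum of three can compute a share for a backup member (x=6) by
    # evaluating the same polynomial at 6.
    backup = (6, interpolate(shares[:3], at=6))
    backup_works = recover_key([shares[3], shares[4], backup], digest) == key
    # The replaced member's old share (x=1) stays valid until everything is re-dealt.
    old_share_still_valid = recover_key([shares[0], shares[3], backup], digest) == key
    return any_three, two_fail, backup_works, old_share_still_valid


if __name__ == "__main__":
    print(demo())
```

The digest check only tells a quorum that it rebuilt the key that was dealt; it says nothing about whether what that key decrypts is a validly signed payout transaction, which is the verification gap raised in the comments.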