-
Notifications
You must be signed in to change notification settings - Fork 10
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
New trade protocol #52
Comments
I want to add here some discussion regaring an alternative approach using a more complex script with 2 execution paths similar like that example in https://github.com/bitcoin/bips/blob/master/bip-0065.mediawiki:
If we could implement the time lock in the deposit tx we would not need the extra handshakes required for the timelocked payout tx as descibed in the proposal but it would be one atomic tx. But there are some drawbacks with such an approach. And here we have the problem. The donation receiver would need to actively monitor and make a tx to harvest those potential funds. If he does not do that the traders can still do the payout at any time in the future. That will destroy our feature for securing the reimbursement against scammers doing later a payout from the locked funds to themself. Another drawback is that if the donation receiver would make as soon as possible the payout there is no flexibility for the traders if they need more time to resolve the problem (E.g. bank delay and both want to continue just need more time). |
I very much like the 2-of-2 multisig approach without the arbitrator. It is simpler and requires cooperation. Complexity and support can be added outside the transaction itself: mediators, etc. However I don't see clearly if the advantages of the the second part outweigh the added complexity. By creating the timelocked tx to a donation address and the insurance/reimbursement by the DAO in BSQ you are adding many different players, uncertain outcomes and complex incentives. Maybe it is the best way to do it... but I think it needs more explanation/testing. Scalability is also an issue... we cannot have the DAO voting on 100s of reimbursements a month when Bisq grows to 1000+ trades per day. I see how replacing arbitrators with DAO voting solves legal issues... but the ideal solution lies in eliminating the need for arbitration, be it through atomic swaps or P2P 2-of-2 multisig enforced cooperation, not by decentralizing the arbitrator. |
I see that the donation aspect carries some concerns for some and it might be true that it make incentive stucture a bit more complex. But as that donation address can be set to anything by voting we can set it to a burner address as well and therefore change to a burn BTC model if needed. The scaling issue is for sure an open risk. The suggestion has the limitation that it much not exceed a handful of requests per month. If it does we need to solve the reason why so many cases end up in non-cooperation. I am not too worries about that as we have learned that real disputes are super rare. Sure atomic swaps would be nice and once fiat is replaced by pegged coins that might become more feasible. But there is stil a long way to go and who knows maybe we are earlier at the point that there is no need for fiat anymore and then the problem has been solved as well ;-). The added complexity with the locked timeout tx is valid concern as well, specially it adds extra rounds for handshakes and increases the risk that the take-offer process fails. But maybe we find a way without that locked timeout tx but use a conditional script as described in the other comment. |
Hi, I am new to bisq so these are just thoughts from a newbie What if both seller and buyer request to be reimbursed? How do BSQ stakeholders know who is the victim? |
@oscarguindzberg Thanks for your input and a pretty good question! In earlier versions of the idea we had the requirement that the victim need to deliver some proof to the mediator (we us PageSigner/TLSNotary [1] which gives you a cryptographic proof if a bank transfer happened or not). But with the timelocked payout we don't need that anymore as there is no way the user can gain from a scam. The case that both users request would only make sense if they have a real dispute and could not resolve it. I would suggest that they need to consult a mediator first who can request proofs from both sides for their statement in a similar fashion as it is done now in arbitration cases: First try PageSigner, if that is not available/possible make screensharing and ID verification (I know that causes a lot of criticism, but in reality it was used 1 or 2 times) and if even that does not lead to a clear result make a payout according to what the arbitrator sees the most fair outcome or do not make any payout at all. So we coould use a mediator for that role and his suggestion will be taken as base for the decision of the stakeholders. There is also a fee in BSQ to be paid for making a request. If the request gets declined that fee is still lost, so that helps as well to keep out scammers as they risk money to lose. Another idea we had earlier was to use BSQ bonding. Scammers do not want to invest and risk money (thats probably why we have nearly no scammers as with the security deposit in a Bisq trade they need to invest/risk something). So if we require a long term BSQ bond from anyone who wants to get reimbursed we keep most scammers out. But that requirement became also obsolete with the new model with the timelocked payout. But maybe we could still use it for such edge cases that the stakeholders require something extra to filter out the scammers. E.g. if both request they have to put up a BSQ bond which is locked up for a long time to provide some sort of "reputation". Just some ideas, nothing perfect, maybe something better can be found. But I think/hope such cases will be super rare as they are now. |
How does the 2of2 wallet provide the mediator any authority over the trade? How are the mediators selected? As the user base grows the trade disputes will increase and be more complex. I think the bonded arbitrator is the best idea. Requiring a BSQ trade bond is almost like requiring all trade fees to be paid in BSQ. Maybe this would provide a closed loop for the BSQ economy? Maybe I'm in error to think the BSQ market needs to be a closed loop system? |
The mediator has no authority over the trade! That is the important change to the current arbitration system. The details are still up for discussion but I would suggest that by default the users try to resolve their problem and only in case they cannot find a solution they request a mediator. How the seltion will be done is still open but I would prefer that its up to the traders who they choose. The bonds still will exist for all other trusted roles and will be used for the off-chain trade protocol. Just the arbitration will get removed as it is the most centralized and risk carrying element in the current system. |
I really like the idea of burning (or perhaps donating) the output before asking for reimbursement. That makes this scheme viable and I would support that if we go this way. It's a nice way to get around the arbitrators and the incentives seem to align quite nicely. Using an atomic setup tx would be nice but I don't see how that could work with the current bitcoin scripting as you mention. It doesn't seem possible to avoid relying on the target address, or in fact impossible in the case of burning the BTC. The main question is for me if this is worth implementing and pushing out if there is going to be another big change to the trade protocol using bonds. Perhaps they could work in parallel as not everyone will want to use the bonded way. This proposal seems like the fastest way to get rid of the arbitrator however and that is a good thing. |
Here are some of my random thoughts, feel free to ignore. If I may be so bold as to summarize: This proposal replaces the single arbitrator with a bureaucratic democracy of the DAO. If so, then it seems worse to me as voting has its own problems; Each member of the DAO would have to spend their time, attention and energy on learning about all the reimbursement cases so they can vote properly, and they would have less incentive to do this. It seems more incentive-aligned to have a single person be the arbitrator, who does the work in return for their arbitration fee. Obviously I'd need to analyze what I just said more to flesh out the incentives, right now it's just a feeling. This proposal would benefit by explaining more about exactly how this new 2of2 multisig method avoids the blackmail problems of the old 2of2 method. If there are a lack of arbitrators then they should get paid more. This would incentivize more people to become arbitrators. Just throwing some numbers out: if an arbitrator gets involved in a deal they should earn a high fixed fee plus 20% of the trade amount, costs paid by the loser. If they don't get involved then they earn nothing. The best analogy to look at is the judicial system in normal business. Going to a courtroom and paying for lawyers is very expensive so is only used as a last resort, more than 99% of all business contracts are actually settled cooperatively without one side suing the other. Judges and lawyers are highly skilled and highly paid professionals, and they are avoided if the contract is settled cooperatively. Similarly in bisq arbitrators must be high-knowledge, but if a buyer and seller agree then they don't even need to pay an arbitrator, their two private keys are enough. Thinking this way should drastically reduce the workload on arbitrators, and allow a small number of highly-knowledgable arbitrators to serve the entire bisq system. Mediators could be introduced into the 2of3 model as well. The high cost of arbitration incentivizes the buyer and seller to come to an agreement, they could look for third-party mediators to help them and figure out issues with bugs, banking problems and user mistakes. The buyer and seller could together even pay a mediator they find, which would incentivize mediators and still be cheaper than using arbitrators, and wouldn't burden the arbirators with more workload. Some other thoughts about the problems of arbitrators:
Thoughts on altcoins and fiat:
|
Hi @chris-belcher thanks for your feedback! I will add a description about the blackmail issue with 2of2 Multisig and why this proposal is not vulnerable to it as a separate post. Here are my replies to several issues you brought up: Real disputes are very rareMaybe I need to emphasise that more and get some numbers from the current arbitrators but real disputes are super rare or nearly non existant. Of course that does not mean that they can happen and we need to prepare for that, but it can be expected that those cases which goes really to voting for reimbursements are very rare. As I noted on the introduction it must not be more then one or two a month or even less otherwise we need to fix that problem by adjusting the system. If there is only a request from one peer of the trade there is no investigation required as he has nothing to win (see later a more details expalination). Only in those case where both request we need a judge. The stakehodlers act as execution entities not as judges. It adds separation of power to the current system where the arbitrator is judge and executor. Not the lack of arbitrators is the problem but to secure that and scale that upCurrently to become an arbitrator you will receive a private key rom myself to be able to register. That is required as an arbitrator could collude with a trader and could do fraudulent payouts. So in the worst case a scammer registers as arbitrator makes many deals with a colluding peer and take out the funds to him and the colluding party. To avoid that risk we have only high trusted persons who are in fact co-founders of the project, so beside that I trust them personally the economic incentive that they act honest are aligned as they are major stakeholders in Bisq and by scamming they would hurt Bisq and their investment. With BSQ bonding we will make that even more secure but it has scaling problems. To cover the max. damage an arbitrator could cause he need to lockup that amount of BSQ bonds. First problem is that the max. damage depends both from trade volume on Bisq as well as the BTC price. Adjusting BSQ bonds frequently is problematic as they have long lock times. Beside that there are simply not be many people atm who have such high amount of BSQ and for those who have it they might be just not willing to lock up so much and do the arbitration job - which is not a fun job by the way... So to get the few arbitrators motivated we have to pay a lot. Atm they do it mostly for altruistic motivation (as far I can interpret). Related to that is the scaling problem. We had already request from Bisq supporters in Vietnam who wanted to become arbitrator. But I would take a huge risk to give out the arbitration right to people who I don't know personally. They could even act honest for a while and then make a long con, or they could act as major market maker and being arbitrator as well, therefore having conflict of interest and Bisq would betraying those Bisq users who assume that the system is designed in the way that the arbitrator is not an active trader. So we have a scaling problem here as not many people have the required BSQ for bonding. Translation for complicate cases might be an issue, though maybe that is not the main problem. Legal risksAs descibed above I give out the private keys so atm I would be the choke point - even with anonymous arbitrators they cannot be 100% anonymous as I would not trust a 100% anonymous person (ok I would trust Satoshi ;-)). Even if we find a more decentralizd version for that (e.g. using BSQ bond for enabling registration - there is work going on in that direction) there are some arbitrators who don't want to hide behind anonymity and therefore would be exposed to legal risks. FlexibilityAn arbitrator can revoke any time but there are some problems involved: Atomic swapsAtomic swaps are for sure super intersting on the technical level (I even started once working on it for Bisq) but they have 2 main issues if you want to do it in a real decentralzied way:
Maybe there are solutions for all that or there are "just good enough" ways to do it, but at least it is a big problem where there are not clear solutions yet. Doing it in a server based environment (like Mercury did) would work better but then you only gain on security not on censorship resistence and I fear the added disadvantages (speed, tx fees) are not worth the gains then. Another issue is that each trade is on-chain and costs tx fees which is not long term viable. But of course that a problem with current system as well, thats why we want to go in direction off-chain trade protocol. But thanks for the links I will check out those scriptless script ideas. As said I am also a big fan of it and probably it will become more feasible to do it some day but as you also said the Fiat side is the more relevant and for that it does not help anyway. Btw: Arbitration cases with altcoins are very rare and if so they basically never are complicate as the arbitrator can look up the block explorer. Monero is an exception here but as XMR traders are very skilled usually there are also very few problems. I will try to get a overview about the current arbitration cases (how many, what are the reasons, how long they take, num of scam attempts,...) to give a better idea how the acutal situation is. Adding more costs for dispute resolutionI think that is a good point and we should work out that area more. My current idea was to delegate it as far as possible to the users and as from my experience most traders act with good intenetions that should resolve 90-95% of the cases. Then there might be more complicate cases because of bugs or banking issues. Here a specialist is needed to help. Currently the support area in the forum acts a bit like that beside the arbitrators themselfves. I think that should be a free service to the user and we pay those support agents as contributors (like now). Specailly with bugs its not their fault and it would decrease user experience if beside running into problems they even have to pay for help. Then there might be those very few cases where the peer is not cooperating or a scammer which will become candidates for reimbursements. If only one peer (the victim) is requesting reimbursement we don't need to do any verification or judgement as there is no incentive for him to gain something - or if so the other peer would make a request as well. If it is the BTC seller he has lost his trade amount in the timelocked payout to the donation receiver. So he get only 90% refunded by BSQ. Beside that he has to pay a rather high BSQ fee fro making the request (adds costs/risks for abuse attampts). The mediator is a bonded role so it has some level of trust. A colluding mediator could not repeat many times as the stakeholders would probably start to question his decisions and in case they find that he colluded he risks to get burnt his BSQ bond. The dispute resolution would be then the same what we use now in arbitration (Pagesigner, if that does not work screen sharing and ID verification - or alternatively maybe other options like setting up a BSQ bond - but that is an open discussion area). As in the Bisq arbitration such case have been super rare (I think I did only time screensharing but just because of the user using a diff. bank account, no scam attmept) it can be assumed that those will be also very rare in future. Also we don't need to be perfect here, just good enough. If from time to time BSQ get reimbursed to a scammer it is still much cheaper as the current system and carries less systemic risks (security, legal). One big learning from working on Bisq over the years was that we need to priotitize the problems the right way. Often we focus too much on theoretical problems (they are often much more interesting) which will not be real problems in practice but by trying to prematurely solving those we created real usability problems and those had real costs for the system. One such a case (of many) was to not support editing offers as there was no good solution for protection agains some ddos attacks. In reality we never got ddos'd but we lost many traders because they wanted to change the price without loseing the trade fee. Bisq can fail in any ways, not attracing sufficient users is the most likely (hope we are alreadt escaping that phase ;-)). I think with the arbitration system we also need to focus on the customer care area which is 99% and not on the dispute/scam attempt areas which is nearly not existant. |
Description about the blackmail risk with pure 2of2 MultiSig and why that proposal is not vulnerable to itBlackmail risk with pure 2of2 MultiSigIn a trade protocol with pure 2of2 MultiSig (as intended in the first Bisq concept) one peer has always more to lose then the other at a certain point of time in the trade process. The security deposit cannot be set so that it will have a symmetry before and after the transfer of the fiat/altcoin payment. This asymmetry can be exploited by a scammer to request an alternaitive payout as defined in the trade contract where he gets a part of the max. loss of the peer in case the scammer deny to cooperate to complete the trade. Let's give an example to make it more concrete with USD rate of 6000 BTC/USD: If the seller is the scammer he would wait until he has received the fiat and then the buyer has more to lose as he has now sent 6000 USD + locked up 0.1 BTC. The seller has already received the 6000 USD for his 1 BTC trade amount so that cancels out to zero and only his security deposit is at risk to get lost in case there is no cooperation. So he can tell now the buyer, let's make an alternative payout where you receive only 0.6 instead of 1.1 BTC otherwise you will not get anything and lose additional to your 6000 USD the 0.1 BTC security deposit. An economic rational buyer would agree to the blackmail. Some people argue that the security deposit can be set in a way that there is no risk for blackmail but that is not true as the fiat transfer is non atomic with the deposit tx. So the situation swaps before and after the fiat transfer. E.g. If you set securit deposit to 1.1 BTC for buyer and 0.1 for seller then initially it would be symmetric: Both have to lose 1.1 BTC. So the first case that the buyer can extort the seller will not work anymore. But after the buyer has sent the Fiat it is even worse for him as now he can lose 6000 USD + 1.1 BTC. The seller has only 0.1 BTC at risk. There are 2 other ways which limits the effectivity of that blackmail but both are not sufficient to build a exchange on top of it with scale in mind.
The most intersting approach for a protection was found by Dan Smith (TLSNotary dev). It is that both traders sign initially the payout tx as defined in the trade but delete afterwards their keys. That way the blackmailer cannot make a new alternative payout tx as there are no keys anymore for signing it. One problem here is that nobody can proof that they have deleted it and game-theoretically (as Adam Gibson argued) there is incentive to keep the key secretly. I am not 100% sure if the technical requirements to change the software to keep the keys is a good enough hurdle for the huge majority that the scammer cannot count on that. So in practive that might work good enough, bu tnot sure how well it would work in bigger scale? There is alos another problem here: The blackmailer could also request an alternative payment which is not related to the trade tx. Asking the peer to send 0.6 BTC to his address otherwise he will not cooperate. But this has one big disadvantage for the blackmailer: The victim has no guarantee that the scammer will stick to his word after he sent the BTC. In fact there is no reason to trust him at all. So all in all it was a complicate system which could not be built with solid security. It can still work in small scale (Bitmarkets used that but it never took off), but building a system with such a security risk is not a good idea. Why that proposal is not vulnerable to blackmailIn that proposal the blackmailer cannot success as the victim will have the alternative option to request reimburesment. By doing that he need to broadcast the time locked payout to the donation receiver, thus guaranteeing that the scammer will never get out any BTC. If the scammer does not request for reimburesment as well, the victim has very high chances to get the refund even without the need to proof anything. If the scammer is so naughty to also ask for reimbursement he risks that he will lose even more money (the request costs some fee in BSQ) and both need to deliver some proof to a mediator. In case the cryptographic proof with PageSigner cannot be made, they need to provide something alternative to gain more trust fo their version (ID verification or BSQ bond,...). If the victim can prrof with PageSigner and the scammer not he has lost already. He does not know in advance if the victim will/can deliver a PageSigner based proof. So it is not very attractive for a scammer to try to get reimbursed as if he cannot convince the mediator and stakeholders he risks to lose even more (security deposit, BSQ fee, time and effort). Btw: Alternatively to ID verification we might be able to use the bank account data to avoid repeated scams (similar to account age witness or proposal #27 ). But I assume both will be not be required as scammers don't even try it with so little chance of success. |
@cbeams just reminded me on one important function of the arbitrator which might get lost in the new system: That the arbitrators enforce the trade protocol rules and by adjusting the payout they can fine-tune the "punishement" for violations. There are certain cases of light violations and we have to take care that user learn from their mistakes and don't repeat those.
One way we could support that function in the new model would be to have a list of suggested "fines" for such violations. Most are pretty clear and if that list says "Paying from a different account" costs 50% of the security deposit (or a fix btc value) there should not be much discussion left to the traders to apply that rule to their payout. The traders have themself the option to change the payout. Both need to agree on that and only then both sign the payout tx. By that we would delegate that punishment to the traders themself. If the wrongdoer would not agree it can lead in the worst case to the timelocked payout to the donation receiver and the trader who acted correctly can request for reimbursement. The wrongdoer will have little chance to get reimbursed if the case was clear. Of course there will be a grey area and if traders are very non-cooperative such cases might become messy. But both risk that the mediator and stakeholders make a jedgement against them. For instance in case one trader has paid one day too late and can proof that his bank had issues or it was a long bank weekend holiday and the other trader show zero tolerance to that and require the full "punishment" and it lead to a real dispute, the one who show zero tolerance is also risking that the mediator and stakeholder are in favor of the one who paid too late. It will be hard to predict and find rules for all such possible cases and we need to trust a bit on common sense and good intentions. Worst case we will have such cases from time to time and might lose traders because of a bad experience. That can also happen now if the arbitrator enforces a rule and one of the peer is not accepting it mentally and leaves Bisq because he felt unfairly treated (I am not aware of such a case but is possible it has happened). From my experience as arbitrator there have been much more cases of very nice behaviour where the wrongdoer suggested by himself to give a part of the deposit to the peer than intolerant or aggressive behaviour. And if we would lose such kind of user it would be not a problem for Bisq IMO. Beside the financial punishment there might be other possibilities to ensure the trade protocol rules are followed. We could emphasize some sort of reputation system. Again the #27 reputation proposal might be one option here to add reputation based on negative score. Traders who are repeating violations will have it harder to find trading peers. Moving from the current model where the arbitrator is the authority which issues the punishment to a model where the peers need to come to a consensus of what is a fair punishment can be considered a positive change. But of course things can become more blurry and the "human factor" creeps in more here. But Bisq is not built to eleminate the human factor but rather to tame it for increasing social cooperation. It is important to note here that the core protocol is not related to those "detail problems". This flexibility to find solutions around the core protocol which to the whole process more smooth is a big advantage. Even if we don't get it right from the start we can adjust it over time without the need to change the protocol. |
Some more thougths regarding the off-chain trade protocol and the question if we should skip that current propsal and go directly to the off-chain trade protocol. The off-chain trade protocol is heavily based on the Bisq DAO and the trust, maturity and stability of BSQ. For that reason it will be not feasible to move to that model too early. Also we will need to support both protocols as we don't want to force users into using the BSQ system as well we would have a chicken and egg problem (how to get your BSQ if you need it for BSQ bonding). One main motivation for the off-chain trade protocol was to get rid of the arbitrators as well. This can be solved now with that proposal, so the big pressure factor is removed. The other advantages like:
|
@ManfredKarrer For the enforcement we could let the mediator set the payout structure and the local clients would do the payout according to the mediator settings. Most normal users would not be able or willing to invest the time to modify the software for a different payout structure. |
@sqrrm Ah good idea. We could leave normal not modified payout to the users and if they want a diff. payout they have to get the mediator involved and he acts as authority here. As both need to agree to the result modified software would only work if both users would do that, so I think that is a non-issue. |
I got from the arbitrators feedback about number of disputes and the rough distribution of the reasons. Number of cases that month: 127 out of 1539 trades which is about 8% (-> still too high) Reasons:
So we see that so far it has worked out well that the protection mechanisms in place kept scammers out. I think it is a reasonable assuption for the new protocol as well that we do not need to focus too much on the abuse cases if the system is designed in a way that it is not attractive for those. |
@ManfredKarrer , I presume the (not broadcasted tx) reason is included in the Bugs: 40% ? |
So this means the victim will have to wait one month before being able to do that ? |
@HarryMacfinned
Yes
Yes, even longer as first the timelocked payout need to be done and then he has to request. |
@ManfredKarrer wrote:
... but a scammer will very probably use a different BTC address and a different onion each time. In which case it's impossible to detect that it's the same guy scamming. But I imagine 100% safety is unachievable and a rational compromise has to be built between protecting against rare case and protection costs for everybody/everyday usability. On the general way I find this proposal very interesting on several angles. Thanks for all the thinking ! |
If both traders request then PageSigner or in case of altcoins ID verification is needed. So a scammer will not be able to repeat. If only one of the peers request it can be assumed that the not requesting one acted incorrectly (scammer), so no need to verify anything. |
@ManfredKarrer wrote:
This is imo really a good way to go. |
Yes, the good thing is that we will be very flexible what to use, its not part of the protocol. |
I like the simplicity of having only two parties and the idea of building up online reputation. I'm a little concerned if money can be lost due to software bugs, where the arbitrator otherwise would have the ability to take action. Donations sounds cool, though imo first priority should be to ensure the value of the Bsq token won't crash too hard, say for example around the 1st of each month or aften the token release. And right now overall 'debt' is around 3 mill if I'm correct. Of course a lot of 'debt' will be hodled by stake holders, I just stress the importance of sustainable economic housekeeping, before doing beautiful gestures like donations. This thread was quite a long read, maybe we could divide it into more issues each based on a conclusion or resume of a topic discussed here? |
From reading the proposal, the time-locked refund transaction pays out to a donation address of a trusted entity (e.g. Tor), but the reimbursement comes from the Bisq DAO. So that means that every time a dispute happens then Tor would gain money and the DAO would lose money? (Presumably this would be expressed by the BSQ token falling in price) Would it be possible that if the rate of disputes is too high then the DAO would somehow go bankrupt? Could it make sense to have the 2of2 refund transaction pay to an address owned by the DAO itself instead? I feel like I'm missing something, thanks in advance to anyone that explains. |
@chris-belcher The assumption is that those reimbursements are very rare. This assumption is based on experience with current arbitration system -> 99% of the cases could be solved by either the peers themself or with a mediator helping. Nr. of real disputes was zero. There are also quite high costs for Bisq for operating the arbitration system, so even if we have a few cases per months it will be still much cheaper. The stakeholders don't need to agree to the reimbursement, if there are too may cases we need to fix the reason for that. The donation could go to the Bisq BTC donation address, but that comes with centralization issues. You cannot distribute the BTC in the same decentralized way as BSQ. Burning the BTC might be another option. The receiver address can be cahnge by voting so the Tor example is just one possible option. |
I was listening to the dev call about the new trade protocol and it caught my attention the problem of one of the trading peers becoming totally unavailable. Would it make any sense that apart from the timelock tx to the Bisq donation address, the peers make also a timelock "Undo" tx with an execution date after the donation address one, which would pay the security deposits and the trade amount to the other peer? So if one of the traders is not available during 1 month, the online trader could choose not to publish the tx to the donation address and publish the tx where he would get the traded BTC amount plus the security deposits without having to go through all the DAO voting and reimbursment process (and the pseudo-arbitration / underwriting process). It could happen that if the online trader is the seller he gets everything if he intentionally does not confirm the payment reception and plays the game of the other peer not being available so he gets back his BTC after one month, but he would be very recklessly risking his security deposit. If the buyer does not initiate a dispute and does not care about publishing the donation address tx, well, then it is reasonable to assume that he is not going to claim any reimbursment anyway. In any other case where the fiat / alt-coin payment did not happen, I don´t see the problem if the other peer did not care at all during one month, so he deserves to lose his security deposit. EDIT: Another possibility is that the tx only pays the security deposits to the other peer and the BTC always goes back to the seller. This would make the protocol lean to protect more the BTC seller than to buyer, this is specially interesting for fiat pairs, and also to eliminate the risk of a race to publish the "Undo" tx once the date of the donation address tx is reached. |
@mpolavieja Actually I think we could just add 2 more txs which gets signed by both and have a timelock further in the future than the donation address tx. Those 2 txs are spending all funds to one part. |
Yes, it would be 2 tx signed by both. But I think it would be best that both tx give back always the BTC to the seller, and the security deposits to the other peer. In case of disagreement and both online, yes, any of the traders needs to publish the normal donation tx. If the unresponsive trader is the BTC seller, I think the buyer would always also want to publish the normal donation tx, because if the BTC seller is dishonest and is faster publishing his "undo tx", the seller will scam the buyer. But if it is the buyer who is unresponsive (which I understand is the more likely scenario), the BTC seller is better off by waiting and publishing the "undo tx" instead of going through all the dispute nightmare. |
@mpolavieja Good point, just reverting to the original state will at least cover the case of the non responsive buyer. Both are then ok with the BTC going back to the seller (assuming the buyer didn't send any fiat). I think it can work as an extra protection for sellers. |
@mpolavieja Good point with the case that both could wait and then have a mining fee race for publishing at same block. So my suggestion would not work. If seller gets it the buyer has no incentive for doing that and I agree it is more likely the buyer who has less at stake and forget about the trade. I think it could be also added later probably without much backward compatibility problems, so we could keep it as an optional addition for later if we see it becomes a problem. |
Actually it might add a new kind of risk: The seller could try to attack the buyers app via the p2p network. If the buyers app becomes not available due ddos he might not be able to act and the seller gets all the funds additional to the fiat/altcoin payment. |
Maybe this could be solved if the buyer "undo tx" is scheduled 2 or 3 blocks ahead of the seller´s? So the buyer will also prefer to publish the "undo tx" better than going to the dispute / reimbursment process? |
Yes, I didn´t mention it but I was always thinking of it as a possible later improvement (if it is worth it)
Agree on that. I don´t know how likely it is that kind of ddos attack to be successful. In any case my major concern is to avoid the DAO being involved in the reimbursment process. Not because of scalability but because of legal problems. |
This could be mostly solved if the "undo tx" of the buyer is automatically published when the buyer clicks the send payment button (before seeing the payment details) |
Don't understand that. Can you describe more in details? Payment details are exchanged in take offer process. A timelocke tx which is not valid yet will not be relayed by Bitcoin nodes. |
Yes. I did not realize that. It would not work. |
Don´t we have somehow this kind risk already? For example if a BTC seller receives a payment and does not confirm it, he can ddos the buyer so he is unable to open a dispute / publish the donation tx. So after one month the BTC seller is in a position to blackmail the buyer and get for example half of his BTC back (Of course, he would be risking his security deposit). So isn´t there a need for a manual procedure outside of Bisq to publish the donation tx (or whatever emergency tx)? |
Creating a hierarchical support structure: Mediators and Arbitrators.The problem with hierarchical support structures is that arbitrators will be compensated more, even-though mediators have more contact with the customer and have the same knowledge and skill. Creating this kind of “bureaucracy is probably necessary?” But is it? The Arbitrator’s knowledge and skill can be substituted with a Mediator’s knowledge and skill without disruption. So this is a paid position of power. That doesn’t sound cool to me. Bisq creates opportunity for real DAO employment. This is clearly the future. What is the driving force to create Mediator/Arbitrator derision?Why not have all Mediators or all Arbitrators? We cannot allow discussions of law practice influence the innovation of the platform.If we decide to split the work they should be compensated the same? If you say compensation should be different, why do you think it should be different? |
The big difference is, that Arbitrators have not only the legal risk, but mainly also the risk of doing everything right with the payout otherwise they have to pay it from their own pocket. The reason for introducing different levels of support is not to introduce bureaucracy, but more to make Bisq more scalable on a human level as well. E.g. to provide native speaking support won't be possible with pure arbitrators. |
New Mediator/Arbitrator System and Coinlockers. What is a coinlocker? A coinlocker is somebody that locks a trader's funds in escrow either as an option trade (if the price moves in their favor they may pay) OR somebody that locks funds in escrow so their trade appears on the order book in place of a competing offer OR for simple spite, envy, (insert other terrible humanoid characteristic here). The new dispute protocol invites this terrible market trashing behavior as the arbitrator/mediator time has been drastically increased. Funds locked in this process of arbitrator/mediator baton passing increases the potential for abandoned, incomplete, bullshit, failed trades. If we decide to continue with this system, arbitrators must be QUICK TO RESOLVE and REWARD security deposits when applicable to discourage COINLOCKING. |
See #129 (comment) |
You misunderstand the arbitration role. Core goal was to remove the 3rd key from the multisig as that could cause legal risks as well as security risks and prevented to scale up arbitration.
See other comment. I don't see any reason for worry and there is no big change to current protocol in that regards. |
@mpolavieja I think we can close this proposal as complete. |
UPDATE:
We have altered the initial idea to keep the arbitration as option. Details will get added soon.
TL;DR for the initiated
Here is a short summary of the key points of that proposal:
Overview
We suggest a change of the current Bisq trade protocol which is based on a 2-of-3 MultiSig deposit transaction where an arbitrator is the 3rd key holder who helps in case of disputes and can make the payout transaction with one of the traders. The new protocol would be based on a 2-of-2 MultiSig deposit tx where only the 2 traders are the key holders. We would delegate the dispute resolution (which in fact is 99.9% customer care work and no real disputes) to the users as first step and if they cannot resolve the issue themselfes to mediators. In case the peers do not cooperate to sign the payout transaction as defined in the trade contract there is an option for the victim of getting reimbursed for the lost BTC amount by the BSQ stakeholders. If the request gets accepted in DAO voting by the stakeholders he get issued the amount of BSQ which is equivalent to the lost BTC. To avoid abuse we introduce a time locked transaction which will send the fund from the 2-of-2 MultiSig deposit tx to the receiver of the Bisq donations (see #48). Before being able to request for reimbursement that timelocked payout tx to the donation receiver need to be confirmed.
This model actually is an insurance model where in case of damage for one trader he can get compensated by the BSQ stakeholders. For the BSQ stakeholders it still is much cheaper than spending lots of funds on arbitrators. It is assumed and need to be achieved that reimbursement requests are rather rare (not more then a few a month - or even less). The system is flexible and there is no automatation which leads to reimbursements, so it can be adjusted over time to optimize the results.
Problem with current arbitration system
The current arbitration system comes with several problems:
Solution: Get rid of the arbitrators
Bisq actually started with the idea of a 2-of-2 Multisig deposit tx and only after concerns regarding potential blackmail risks in such a scenario we dropped that idea and introduced the arbitration system with the 2-of-3 Multisig.
2-of-2 Multisig transaction
The trade protocol is similar like now just that there is no 3rd key in the Multisig deposit tx. the 2 traders are the only keyholders. In case the trade gets successfully completed both traders sign the payout transaction as defined in the trade contract.
Timelocked payout transaction to donation receiver
After the traders have created the 2of2 Multisig deposit tx they will additionally create a payout transaction which is timelocked for about 1 month and where the receiver is the donation address defined by the Bisq DAO (see #48). In case both traders do not cooperate to make a normal payout any of the 2 traders can (but don't need to) publish that transaction and therefor spending the funds from the deposit transaction to the donation receiver address. If both agree they can still wait longer and can still create a normal payout at any time. But any of the 2 traders have the power to terminate the trade by publishing the alternative tx. This will be the requirement for requesting a reimbursement.
The technical details which form of timelock (nLocktime, CLTV) we will use is up for discussion and need more investigation.
There is a non-atomic process of the co-signing of the timelocked payout tx (TLP). The seller has more to lose (as he has the trade amount added in the deposit tx) so we will let him be in the role of the deposit tx publisher. He will hold back the fully signed deposit tx before he has received the fully signed TLP tx.
Here is a rough sketch of the protocol:
The seller has the security that his trade amount is only locked in the deposit tx if he has the fully signed TLP tx which would enable him to request for reimbursement in case the buyer do not cooperate.
The buyer will only send the fiat/altcoin payment if the seller has followed the protocol and sent him the TLP tx. If the seller would have broadcast the deposit tx without a TLP tx the buyer would not start the payment. The seller cannot request the reimbursement as there is no TLP signed by both. In such a case the buyer would also lose his deposit but the seller has much more to lose, so it would be an economically irrational strategy.
Conflict resolution
From our experience as arbitrators we have seen that the huge majority of cases are no disputes but cases with bugs, banking problems or usability issues/user mistakes. Real disputes have been maybe 1 or 2 - I even can't remember any. Sometimes a user does not respond and with the currently short tolerance of 2 days response time such cases get closed then in favor to the other trader. Other cases are "future trades" - in times of high price volatility the trader who would have a disadvantage by completing the trade with the "old" price "cancels" the trade by not completing it. Only the BTC buyer can do that. This is the reason why we have a higher security deposit for the buyer (which he loses in such cases).
We need to increase that security deposit to make such cases very rare.
We want to delegate most of the conflict resolution process to the traders and if needed to mediators. There will be a direct in-app messaging system (like the current one in the arbitration system) which provides encrypted and signed communication. This is important to be able to proof abuse (trolls, scam attampts in chat,...). This communication will be on a per-trade base, so with each trade you can see the history of the messages.
The mediator is basically a customer care agent who can help if needed. The details of that need more discussion but it should be implemented with scalability and flexibility in mind. It should be easy to become a mediator. The current support section in the Bisq Forum is close to such a goal. It is open if that need to be a bonded role but likely it will be. Mediator migh play a role for applying negative reputation score (#27) in case of misbehaviour.
The whole traders communication and mediator area needs more discussion and refinement.
Traders defined alternative payouts
The traders can agree to change the normal payout as defined in the contract in case something went wrong or if a peer violated the trade protocol. We got several cases of such "light" violations: Paying too late, using a different bank account as defined in Bisq or using BTC in the reference field, etc. Such "light" cases could be resolved by the traders agreeing to an alternative payout (e.g. a part of the security deposit goes to the other peer). Another scenario is that the fiat transfer failed (e.g. banking problems) and the seller need to get the refund.
The process would be that the peers agree on a payout and then send their signed payout tx to the other peer who will then broadcast the tx.
Reimbursement
In case a trade does not get completed because the peer is either not willing to complete, not responding or a scammer, the victim can make a request for reimbursement of his lost BTC.
He need to broadcast first the timelocked payout transaction where the funds goes to the donation address (can only be done after the lock time has passed). In the voting phase the stakeholders will vote on that request and if it gets sufficient support he will get the BSQ issued which are the equivalent amount to his lost BTC. To avoid abuse we might set the reimburesement rate a bit lower (e.g. only 90% get reimbursed).
Risks for abuse
With the requirement that the funds in the deposit tx are spent to the donation address we avoid that a scammer could run 2 Bisq nodes, trade with himself, simulate that he got scammed and request a reimbursement. After he received the BSQ he could make the payout to himself and thus have gained the BSQ without haveing lost any BTC. As we require that the funds are spent to the donation address this attack is not possible. Furthermore we add a small loss by only reimbursing 90%. Beside that it requires time and effort to get the reimbursement which should limit it to those rare cases where the traders cannot come to a cooperation.
It is assumed that the donation receiver address is a NGO-like organisation (e.g. Tor,...) or personality with a very high reputation (like Andreas Antonopoulos,...) and that those donation receivers will change from time to time via voting. Thus the theoretical risk that the donation receiver is the scammer (or colluding) and doing reimbursement requests as described above is very low. Beside that, the BSQ staekholders do not need to accept requests and if they are too frequent or there is some suspicious for abuse they can decline it. They can also change the donation receiver if there is any reason for doubt.
Non goal
It is not intende to be used for those cases where makers or taker lose the trade fee because of technical problems. We will continue to reimburse those in a non-beaurocratic way and those amounts are too low to justify the friction and costs it would create to use the reimburesemnet request model.
Deployment
This change will be a kind of hard fork on the trade protocol level. We could support both protocols in parallel but probably it is better to make a hard change. Old client will still be able to trade between other old clients but all those who will update are moving to the new protocol. We should also have a defined timeout for not supporting the old protocol anymore and to make it possible to revoke all arbitrators. We should try to implement a conversion of existing offers to the new protocol so the makers are not losing already paid maker fees.
Details about the deployment need further discussion.
Relation to other proposals
There are several other open proposals and we need to consider if we should combine those if do a bigger change and a "hard fork":
The text was updated successfully, but these errors were encountered: