Send arbitration funds to a burning address instead of BTC donation address. #135

Open
MwithM opened this issue Nov 5, 2019 · 37 comments


@MwithM MwithM commented Nov 5, 2019

This is a Bisq Network proposal. Please familiarize yourself with the submission and review process.

Edit: Explicit proposal sent to vote on DAO at the end of this post.

Abstract

Security model for BTC donation address holder is not valid because locked bond can't cover the funds taken by a dishonest address holder. To prevent this attack, trade funds should be sent to an unspendable address.

Issue description

Since v1.2, Bisq entrusts BTC donation address owner to regularly buy BSQ with funds from BTC trading fees and trade amounts that end in arbitration. This role is bonded with 50.000 BSQ locked, which would be high enough to cover current trading fees volume and rare disputes, preventing dishonest behaviour.
This security model, based on a bonded role, relies on the supposition that trades to arbitrate are going to be very rare, as both traders don't want to see their funds lost and paying a small arbitration fee. But one of the traders could be colluding with or be the same person as BTC donation address holder, inducing disputes to end up into arbitration and sending all the 2of2 multisig funds to the address controlled by the donation address owner. Just a couple days of Bisq's XMR current trading volume would cover the BSQ bond and create profit. As timelocked transactions would be automatically triggered after a week or more, the attack would be noticed too late and there’s nothing Bisq could do to stop the transactions being sent to the attacker’s address.
This leaves Bisq in a situation of high risk. Bisq can't trust an anonymous person, without any track record of previous honest behaviour to hold and spend the funds like it's supposed to. The locked bond is tiny compared to weekly Bisq volume.

Proposal

Taking into consideration the following points:

  • Going back to previous security model doesn't remove the single point of failure of trusted arbitrators, and throwing away all the effort to bring this v1.2 is not a desirable option.
  • We need to act quickly, as security is a primary concern for Bisq.
  • Making the address multisig to distribute the risk between 2 or 3 keyholders would require them not to be anonymous, or otherwise we could risk them to be all the same person. That wouldn't even prevent collusion.

I propose as a cautionary measure to destroy all deposit and trading funds sending them to a burning address when going to arbitration. Trading fees could continue to be sent to the BTC donation address holder.

Further proposals could improve this situation, but they should be discussed on a separate proposal. The main concern of this proposal is security, so the focus must be to carry short-term actions.

Member

@clearwater-trust clearwater-trust commented Nov 5, 2019

The idea that clever coding can remove humans from fiat transactions is NONSENSE.

Attempting to solve trading issues with burned funds, arbitrator confiscation, donation addresses or other coding manipulations is a hopeless cause.

If my trade goes to arbitration as the result of an unresponsive trading peer and I do not receive back my funds and my trading peer's security deposit, Bisq becomes a ridiculous paper tiger project.

PRICE IN QUALITY DISPUTE RESOLUTION

@mpolavieja mpolavieja commented Nov 5, 2019

> I propose as a cautionary measure to destroy all deposit

If I understand it correctly, you suggest to renounce to reduce the supply of BSQ by buying BSQ with those BTC and burning them. Is that correct? I guess that if the disputes are rare, it wouldn't be a big problem for BSQ supply.

Author

@MwithM MwithM commented Nov 6, 2019

> If I understand it correctly, you suggest to renounce to reduce the supply of BSQ by buying BSQ with those BTC and burning them. Is that correct? I guess that if the disputes are rare, it wouldn't be a big problem for BSQ supply.

Yes, I'm proposing to renounce to a big part of BSQ supply reduction. Disputes going to arbitration are rare in a normal situation, because traders are not willing to momentarily lose their deposits, delay trades and paying arbitration fees.
But in this proposal, I'm talking about a possible attack from the DAO BTC address holder, or a colluding party. Attacker creates its own trades and is willing to go to arbitration letting the timelock to activate. When timelock is activated, it will send funds to DAO BTC address holder, which is the same as the attacker. In one week, or even in a couple days of this attack, the reward would be a lot higher than the 5BTC deposit that the DAO BTC address holder has locked in a BSQ bond.
What I'm proposing is a way to stop this attack from happening, which would hurt a lot the credibility of the whole project. Sending BTC to an address managed by a bonded role only works if that address is less than the amount of the bond. If the address owner is dishonest, and incentives for bad behaviour are very high, there will be an attack.

@chimp1984 chimp1984 commented Nov 6, 2019

I think there is no realistic risk for that case because if there are repeated cases and especially if it is the same trader the arbitrator will become suspicious and he can delay the payout as well. The human element and time delay works in our favor. I think the loss of funds (BSQ reimbursed but the BTC are gone) is a bigger problem than this "theoretical" risk. We could also increase the required bond.
Also keep in mind that those roles, especially those where there is only one are not 100% based on bond only but also on reputation. If the current address owner works correctly and earns BSQ by his work there is little risk IMO. Also the BSQ purchases should be done frequently and at least if the balance is > 50% of the bond. So any abuse can be observed relatively fast.

@xbyvee xbyvee commented Nov 6, 2019

I think there is a very realistic risk of funds being stolen. Over on the Bisq forum I have outlined how this would work:

- Donation address holder places a bunch of orders to sell XMR at below market price (can work on the buy side too but the donation address holder would need a lot of btc for that).
- If the price above or below market is big enough 100s of BTC worth of orders will come in within hours
- Donation address holder either doesn't pay or doesn't release the funds, at this point no one suspects anything, it could just be a trader that has lost their keys or is having technical issues etc..
- 10 days elapses with no payment / release
- donation address holder publishes the timelock transaction and receives the btc (either for nothing or receives their own btc back plus the XMR that people paid them, depending on whether it is a buy order or sell order).

How does anyone stop this attack from happening at all? If the other parties have already taken the trade and paid there's absolutely nothing anyone can do to stop the donation address holder from getting a bunch of BTC after the timelock expires?

Author

@MwithM MwithM commented Nov 6, 2019

@chimp1984 There won't be "repeated cases", there will be a lot of orders from one or different onion addresses with unresponsive peers.
Once we start to smell something wrong (which won't be before 2-3 days since the start of the attack), there's nothing we can do as timelock multisig account will be pointing to the attacker's address (the DAO holder address). Arbitrator can't do anything, it's not necessary to receive arbitration payouts to make this attack profitable, just wait to the arrival of 2of2 funds as buyer and receive altcoins/fiat payment as seller and not releasing the funds.

I didn't know that BSQ holder wasn't really anonymous, and that's what is stopping me to freak out, because locked bond is useless compared to Bisq volume.

@chimp1984 chimp1984 commented Nov 6, 2019

@xbyvee Thanks for the summary, I was just following the discussion superficially before....
Yes I understand now your concerns and they are valid.
Burning the BTC would be a solution but as long as we have too many arbitration cases that is too expensive.
Using a multisig address would reduce the risk. Increasing the BSQ bond would be another option.
I think we should wait to see when we get to the point that those cases are super rare and consider a burn BTC address then. That is the most safe and easiest way to deal with it.

@xbyvee xbyvee commented Nov 6, 2019

I think this is something that needs urgent attention right now. As it stands we have no idea who the Bisq donation address holder is right now. They are completely anonymous. Their github account was set up just days before asking to be the donation address holder.

@chimp1984 chimp1984 commented Nov 6, 2019

There was a DAO voting and you can be assured that a total anonymous address owner would not have been rejected by the major BSQ stake holders. So that can give you confidence that there is no realistic risk for that, but I agree it is a conceptual risk and should be addressed at some point.

Author

@MwithM MwithM commented Nov 7, 2019

Arbitration cases are meant to be rare, so I don't think that this proposal is going to cost that much. The only reason to have a lot of disputes going to arbitration is this attack, and that really would be too expensive. It would suppose the end of Bisq.
Timelocks could be removed or set up for longer periods. A month to trigger arbitration would assure that only real disputes end into arbitration, and not technical problems.
Arbitration now could have a higher cost for traders, considering that it's a cost for the DAO.

When I voted for this role, I assumed that the person in charge of the role was completely anonymous and the locked bond would protect Bisq from misbehaviour. Now I have to trust the address owner while I haven't read anywhere that this person is not completely anonymous and should be trusted.

@mpolavieja mpolavieja commented Nov 7, 2019

I don't know if failed trades are already being tracked. If not, could it be possible to include in the trading statistics failed trades?

By failed trade I don't mean disputes or publishing the timelocked tx, I mean trades that have not completed before the time limit (i.e. 6 days for fiat, 1 day for altcoins, etc).

If the trade resolves, then it would show as "resolved" within the failing trades, so we can easily calculate a running balance of failed trades.

This failing trading statistics flux would be not visible by default on the UIs. It would be something like this:

| Date/Time | Price | Amount BTC | Amount XXX | Pmt method | Offer type | Extended info |
|---|---|---|---|---|---|---|
| Nov 6 | 0.007 | 0.017 | 2,41 | Altcoins | Sell XMR | Failed trade |
| Nov 6 | 0.007 | 0.017 | 2.41 | Altcoins | Sell XMR | Resolved trade |
| Nov 6 | 0.007 | 0.017 | 2.41 | Altcoins | Sell XMR | Normal trade |

Only the last row would be shown by default. The previous two rows can be used to calculate a running balance of failed trades (“Failed” as positive, “Resolved” as negative).

Maybe it could be implemented an automatic halt of the trading in a specific trading pair or in all pairs if the balance reaches a percentage of the BSQ bond of the donation address owner. Or alternatively to warn the user about the situation before engaging in a trade.

Having an abnormal number of failing trades is not good in any case, whatever the reason. So I think it is not crazy at all to halt or refrain from trading if too many trades are failing. It would indeed be wise to stop and see what is going on before the problem is too big to handle.
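
The running failed-trade balance and halt check proposed in the comment above, sketched as an added example that is not part of the thread or of Bisq's code. The `trade_id` field, the 5 BTC bond value (the thread's rough equivalent of the 50k BSQ bond), the 50% halt fraction and the pair names are assumptions, and the events are constructed.

```python
from dataclasses import dataclass
from decimal import Decimal

# Assumptions (not from Bisq): the thread values the 50k BSQ bond at about
# 5 BTC and only says "a percentage" of it should trigger the halt.
BOND_VALUE_BTC = Decimal("5")
HALT_FRACTION = Decimal("0.5")


@dataclass(frozen=True)
class TradeEvent:
    trade_id: str        # hypothetical key linking a Failed row to its Resolved row
    pair: str
    amount_btc: Decimal  # trade amount only; deposits at risk are not in the table
    info: str            # "Normal trade" | "Failed trade" | "Resolved trade"


def monitor(events, bond_btc=BOND_VALUE_BTC, halt_fraction=HALT_FRACTION):
    """Replay events in order.

    Returns (per_pair, total, halt_index): the open failed-trade balance per
    pair, the overall balance, and the index of the first event at which the
    overall balance reached halt_fraction * bond_btc (None if it never did).
    """
    limit = bond_btc * halt_fraction
    open_failed = {}  # trade_id -> (pair, amount) still unresolved
    total = Decimal("0")
    halt_index = None
    for i, ev in enumerate(events):
        if ev.info == "Failed trade":
            # A republished Failed row must not be counted twice.
            if ev.trade_id not in open_failed:
                open_failed[ev.trade_id] = (ev.pair, ev.amount_btc)
                total += ev.amount_btc
        elif ev.info == "Resolved trade":
            # Subtract only what was actually counted as failed; a Resolved
            # row for an unknown trade would otherwise push the balance down
            # and hide a build-up of failures.
            counted = open_failed.pop(ev.trade_id, None)
            if counted is not None:
                total -= counted[1]
        # "Normal trade" rows do not change the balance.
        if halt_index is None and total >= limit:
            halt_index = i
    per_pair = {}
    for pair, amount in open_failed.values():
        per_pair[pair] = per_pair.get(pair, Decimal("0")) + amount
    return per_pair, total, halt_index


# Constructed sample events, not real Bisq trade statistics.
SAMPLE = [
    TradeEvent("t1", "XMR/BTC", Decimal("0.017"), "Normal trade"),
    TradeEvent("t2", "XMR/BTC", Decimal("0.017"), "Failed trade"),
    TradeEvent("t2", "XMR/BTC", Decimal("0.017"), "Resolved trade"),
    TradeEvent("t3", "XMR/BTC", Decimal("1.0"), "Failed trade"),
    TradeEvent("t3", "XMR/BTC", Decimal("1.0"), "Failed trade"),    # duplicate row
    TradeEvent("t9", "XMR/BTC", Decimal("2.0"), "Resolved trade"),  # never failed
    TradeEvent("t4", "XMR/BTC", Decimal("0.9"), "Failed trade"),
    TradeEvent("t5", "ETH/BTC", Decimal("0.8"), "Failed trade"),
]

if __name__ == "__main__":
    per_pair, total, halt_index = monitor(SAMPLE)
    print("open failed balance per pair:", per_pair)
    print("total:", total, "BTC; halt at event index:", halt_index)
```

Because the table carries only the trade amount, the balance is a lower bound on what could reach the donation address once security deposits are included.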

Member

@sqrrm sqrrm commented Nov 7, 2019

@mpolavieja This information should not be available, and I don't think it is, considering it's a decentralized p2p system. There is a conflict between publishing data to be able to analyze the system and privacy. In general we don't publish anything that's not necessary for the functioning of Bisq and I think that's correct.

Funds sent to the donation address could be monitored on the blockchain, but any trade that ends with the traders agreeing on a payout from the 2of2 would not be possible to track.

@mpolavieja mpolavieja commented Nov 7, 2019

> but any trade that ends with the traders agreeing on a payout from the 2of2 would not be possible to track

So these trades are not currently being published in the trading statistics as normal trades once the traders agree?

@mpolavieja mpolavieja commented Nov 7, 2019

Ok. I realize your point now. The trade is published as soon as an offer is taken, not when the trade is completed.

Member

@sqrrm sqrrm commented Nov 7, 2019

Right, cause the network needs to know the offer is no longer there, but the trade process is not public knowledge and I think it should remain private.

@mpolavieja mpolavieja commented Nov 7, 2019

Well, all the information about the trade is already being disclosed. If Bisq works anyone would assume that the trade has ended successfully, otherwise no one would be using Bisq. My proposal would only add the info about the trade not being completed within the established time limit (temporarily), I don't see how that info significantly reduces privacy. Especially if Bisq works well and failed trades are rare.

A different discussion is if this is possible to implement and/or worth the effort

@bodymindarts bodymindarts commented Nov 7, 2019

> Right, cause the network needs to know the offer is no longer there, but the trade process is not public knowledge and I think it should remain private.

Publishing the trade statistics is not required for spreading that knowledge. You may just as well publish a RemoveDataMessage. Afaict there is no place where the trade protocol depends on knowing the past trades. It is just used for displaying data on the website and in the client.

@mpolavieja mpolavieja commented Nov 7, 2019

Probably the problematic thing with my proposal is technical as the action of taking an offer leaves a trace of a BTC real tx and the event of consuming the time limit does not. I guess it could be inferred by not seeing the multisig executed in time, but that would require a daemon on all clients looking for the final BTC tx of all trades. Way too heavy computing burden...

Member

@flix1 flix1 commented Nov 7, 2019

First let me say that I consider this new 1.2 system, while imperfect, a significant improvement compared to previous trusted arbitrator system.

A possible improvement:

  1. Multisig donation address (3-of-5)
  2. Rule to buy BSQ with donated funds whenever they exceed certain amount. (% of bonds?)

Member

@sqrrm sqrrm commented Nov 7, 2019

@bodymindarts True, maybe the assumption that most offers lead to trades is wrong and we should stop publishing this data since it's giving away more data than necessary. It's a balance but I would keep it as is for now.

@flix1 there is already the rule that the donation address holder shall buy BSQ for the funds, not sure at what percentage or if set to a percentage.

As discussed during today's call, I think the multisig donation address is better than adding more donation addresses. An attacker could still filter through all the offers and take those that are using their address. It's a lower take but still a severe attack. I like the 3of4 multisig with 2 known contributors and two unknown as key-holders. That will make it harder to put pressure on either known contributors or for the unknown ones to abscond with the funds.

@mpolavieja mpolavieja commented Nov 7, 2019

Isn't it a great improvement that this kind of attack has been pushed away from traders and if it happens is something that will be resolved amongst the arbitrator, the donation address owner, and the DAO?

(assuming we are sure that the arbitrator and the donation address owner are different persons and do not collude)

@mpolavieja mpolavieja commented Nov 8, 2019

>   • Multisig donation address (3-of-5)
>   • Rule to buy BSQ with donated funds whenever they exceed certain amount. (% of bonds?)

@flix1, @chimp1984,

What if we require that the donation address owner has to buy BSQ first in order to be able to get the BTC from a disputed trade? That is, requiring an equivalent amount of BSQ proof of burn.

If this is technically possible, then there is no need to trust the donation address owner. Is this correct? If we are able to do it at a discount, anyone would be willing to buy BSQ in the market, burn it, and get the BTC from the dispute.

Member

@sqrrm sqrrm commented Nov 8, 2019

@mpolavieja That's not possible. The payout transaction is already signed before sending money to the 2of2. That payout tx is ready to be broadcast as is and it's not possible to put limitation on how it can be broadcast.

@mpolavieja mpolavieja commented Nov 8, 2019

Yeah, I was expecting that the current payout tx would not be useful for this. I was thinking to substitute the current payout tx by some kind of pay to script tx instead, where the condition to spend the funds would be to show proof of burning a specific quantity of BSQ.

@mpolavieja mpolavieja commented Nov 8, 2019

If the condition to unlock the funds could be set to "burn more than X BSQ", then it could even enable competition to bid for those BTC with higher amounts of burnt BSQ than specified in the script.

@gofastandpray gofastandpray commented Nov 8, 2019

@sqrrm wrote

> there is already the rule that the donation address holder shall buy BSQ for the funds, not sure at what percentage or if set to a percentage.

Curious how is this rule enforced or encouraged? This seems like a good process, could it be automated somehow in the long run (atomic swap)?

Member

@sqrrm sqrrm commented Nov 8, 2019

@gofastandpray Would be enforced through the DAO as it's a rule for the role owner. If the role owner doesn't follow the rule their locked funds could be confiscated by DAO voting.

Member

@flix1 flix1 commented Nov 9, 2019

Current donation address is:
https://www.blockchain.com/btc/address/3EtUWqsGThPtjwUczw27YCo6EWvQdaPUyp

Less than 0.32 BTC there right now.

But as some people pointed out in the call... an attack or several failed trades could very rapidly increase that amount with little warning.

While we think about ways to improve this mechanism, it might be a good idea for current donation address holder @burning2019 to try to keep the balance low, say below 50% of the value of the BSQ 50k bond.

And of course the more eyes that are watching the donation address the better. We still have a trusted critical component in the system, but at least it is highly transparent.

@MwithM MwithM referenced this issue Nov 11, 2019
Author

@MwithM MwithM commented Nov 11, 2019

After thinking a little more about the attack, I've realized that electronic fiat payment methods are less vulnerable to it because of trade limits and account signing process. The attacker would need to steal an account or go through a very rigid identification system to be able to open accounts to use these payment methods. Only low volume markets could be used (making a buy offer with an invented bank account) to steal reasonable amounts (sending to DAO donation address the trade and deposit funds) because there's no trade limit.

@flix1

> While we think about ways to improve this mechanism, it might be a good idea for current donation address holder @burning2019 to try to keep the balance low, say below 50% of the value of the BSQ 50k bond.
> And of course the more eyes that are watching the donation address the better. We still have a trusted critical component in the system, but at least it is highly transparent.

Selling BTC below 50% of the BSQ locked bond is what the role owner should do. Transparency doesn't help much: no matter the level of vigilance to the donation address, it would only produce an alarm when it's too late. I don't think that begging an almost anonymous person to act in an honest way is the way Bisq should work. Not when we have a possibility to stop trusting a third person and eliminate a single point of failure.
Burning funds that end into arbitration is possible, easy, secure and the best option to follow Bitcoin's principles.
As long as there's security deposits for both peers, it should end disputes without a good reason. Considering that disputes ending into arbitration would be rare and for a good reason, reimbursing arbitrators with DAO's own funds is something that Bisq could afford to do. Bisq would not be the first organization ever that compensates its users when things go wrong.

So after properly discussing this proposal, I'm pushing a DAO vote on Cycle 7 for:

Sending deposit and trade's funds from altcoin, low volume fiat markets and F2F trades to an unspendable address when arbitration timelock is triggered.

Better solutions could be developed in the future, but this is the most secure way to prevent the discussed attack.

Member

@flix1 flix1 commented Nov 11, 2019

> I don't think that begging an almost anonymous person to act in an honest way is the way Bisq should work. Not when we have a possibility to stop trusting a third person and eliminate a single point of failure.
> Burning funds that end into arbitration is possible, easy, secure and the best option to follow Bitcoin's principles.

Your logic is sound. I have to agree.

2-of-2 multisig with mutually assured destruction is simple and has no trusted third parties.

I still get the feeling that something could go wrong here, especially if too many cases end in arbitration. But maybe the credible threat of burning is the only thing that can make this work.

Member

@clearwater-trust clearwater-trust commented Nov 11, 2019

Sending private keys outside of the app DOES NOT align with "bitcoin principles" and WILL NOT scale.

A 2 of 2 multisig that requires the market maker to find, trust, and send their private key to an arbitrator in the event of an unresponsive trader is insane.

This is insane: https://docs.bisq.network/manual-dispute-payout.html

Member

@flix1 flix1 commented Nov 11, 2019

@clearwater-trust

> A 2 of 2 multisig that requires the market maker to find, trust, and send their private key to an arbitrator in the event of an unresponsive trader is insane.

What are you talking about? I thought the point of changing to 2 of 2 multisig was so that the arbitrator does NOT have a private key and is no longer a trusted third party.

The current arbitration system is one in which the arbitrator can only suggest a payout, not enforce it. Am I missing something? I admit that I have not been involved in a dispute with the new version yet...

Member

@m52go m52go commented Nov 11, 2019

Yeah that doc @clearwater-trust linked was archived precisely because it isn't relevant any more, and the reason for that is the new trade protocol.

How is it related to this proposal?

Member

@clearwater-trust clearwater-trust commented Nov 11, 2019

Sorry for the confusion. I need somebody, and apparently so does @flix1, to explain how mediation/arbitration works in the event of an unresponsive trader with a 2 of 2 multisig.

Thanks.

Member

@m52go m52go commented Nov 11, 2019

@clearwater-trust same way it always has. The responsive trader requests arbitration and the arbitrator pays BTC back to the aggrieved trader.

Process may take a bit longer, as there is a mediation step in the middle, but it's not practically any different from before.

EDIT: we should probably take this conversation elsewhere to avoid polluting this thread with discussion that's not relevant to this proposal.

Member

@clearwater-trust clearwater-trust commented Nov 11, 2019

Just to be clear. The funds locked in the 2 of 2 go to this "donation address" and I have to trust the arbitrator is playing with enough fungible [not involved in some dirty heist that can implicate me in god knows what] bitcoin to pay back the trade PLUS the trading peer's security deposit?

I am not polluting the thread. This is about funds that get sent to the donation address or burned.

Author

@MwithM MwithM commented Nov 11, 2019

> The funds locked in the 2 of 2 go to this "donation address"...

Funds locked in the 2of2 multisig only move if one or both of the parts want to, if mediator suggestion is not good enough, or when timelock activates (10 days since trade start).

Feel free to message me at keybase, I'll answer questions you might have.
