bisq-network / proposals

@bisq-network improvement proposals
https://bisq.wiki/Proposals
44 stars 16 forks source link

Send arbitration funds to a burning address instead of BTC donation address. #135

Closed MwithM closed 4 years ago

MwithM commented 4 years ago

This is a Bisq Network proposal. Please familiarize yourself with the submission and review process.

Edit: Explicit proposal sent to vote on DAO at the end of this post.

Abstract

Security model for BTC donation address holder is not valid because locked bond can't cover the funds taken by a dishonest address holder. To prevent this attack, trade funds should be sent to an unspendable address.

Issue description

Since v1.2, Bisq entrusts BTC donation address owner to regularly buy BSQ with funds from BTC trading fees and trade amounts that end in arbitration. This role is bonded with 50.000 BSQ locked, which would be high enough to cover current trading fees volume and rare disputes, preventing dishonest behaviour. This security model, based on a bonded role, relies on the supposition that trades to arbitrate are going to be very rare, as both traders don't want to see their funds lost and paying a small arbitration fee. But one of the traders could be colluding with or be the same person as BTC donation address holder, inducing disputes to end up into arbitration and sending all the 2of2 multisig funds to the address controlled by the donation address owner. Just a couple days of Bisq's XMR current trading volume would cover the BSQ bond and create profit. As timelocked transactions would be automatically triggered after a week or more, the attack would be noticed too late and there’s nothing Bisq could do to stop the transactions being sent to the attacker’s address. This leaves Bisq on a situation of high risk. Bisq can't trust an anonymous person, without any track record of previous honest behaviour to hold and spend the funds like it's supposed to. The locked bond is tiny compared to weekly Bisq volume.

Proposal

Taking into consideration the following points:

I propose as a cautionary measure to destroy all deposit and trading funds sending them to a burning address when going to arbitration. Trading fees could continue to be sent to the BTC donation address holder.

Further proposals could improve this situation, but they should be discussed on a separate proposal. The main concern of this proposal is security, so the focus must be to carry short-term actions.

clearwater-trust commented 4 years ago

The idea that clever coding can remove humans from fiat transactions is NONSENSE.

Attempting to solve trading issues with burned funds, arbitrator confiscation, donation addresses or other coding manipulations is a hopeless cause.

If my trade goes to arbitration as the result of an unresponsive trading peer and I do not receive back my funds and my trading peer's security deposit, Bisq becomes a ridiculous paper tiger project.

PRICE IN QUALITY DISPUTE RESOLUTION

mpolavieja commented 4 years ago

I propose as a cautionary measure to destroy all deposit

If I understand it correctly, you suggest to renounce to reduce the supply of BSQ by buying BSQ with those BTC and burning them. Is that correct? I guess that if the disputes are rare, it wouldn´t be a big problem for BSQ supply.

MwithM commented 4 years ago

If I understand it correctly, you suggest to renounce to reduce the supply of BSQ by buying BSQ with those BTC and burning them. Is that correct? I guess that if the disputes are rare, it wouldn´t be a big problem for BSQ supply.

Yes, I'm proposing to renounce to a big part of BSQ supply reduction. Disputes going to arbitration are rare in a normal situation, because traders are not willing to momentarily lose their deposits, delay trades and paying arbitation fees. But in this proposal, I'm talking about a possible attack from the DAO BTC address holder, or a colluding party. Attacker creates its own trades and is willing to go to arbitration letting the timelock to activate. When timelock is activated, it will send funds to DAO BTC address holder, which is the same as the attacker. In one week, or even in a couple days of this attack, the reward would be a lot higher than the 5BTC deposit that the DAO BTC address holder has locked in a BSQ bond. What I'm proposing is a way to stop this attack from happening, which would hurt a lot the credibility of the whole project. Sending BTC to an address managed by a bonded role only works if that address is less than the amount of the bond. If the address owner is dishonest, and incentives for bad behaviour are very high, there will be an attack.

chimp1984 commented 4 years ago

I think there is no realistic risk for that case because if there are repeated cases and specially if it is the same trader the arbitrator will become suspicious and he can delay the payout as well. The human element and time delay works in our favor. I think the loss of funds (BSQ reimbursed but the BTC are gone) is a bigger problem that this "theoretical" risk. We could also increase the required bond. Also keep in mind that those roles, specially those where there is only one are not 100% based on bond only but also on reputation. If the current address owner works correctly and earns BSQ by his work there is little risk IMO. Also the BSQ purchases should be done frequently and at least if the balance is > 50% of the bond. So any abuse can be observed realtively fast.

xbyvee commented 4 years ago

I think there is a very realistic risk of funds being stolen. Over on the Bisq forum I have outlined how this would work:

-Donation address holder places a bunch of orders to sell XMR at below market price (can work on the buy side too but the donation address holder would need a lot of btc for that). -If the price above or below market is big enough 100s of BTC worth of orders will come in within hours -Donation address holder either doesn't pay or doesn't release the funds, at this point no one suspects anything, it could just be a trader that has lost their keys or is having technical issues etc.. -10 days elapses with no payment / release -donation address holder publishes the timelock transaction and receives the btc (either for nothing or receives their own btc back plus the XMR that people paid them, depending on whether it is a buy order or sell order).

How does anyone stop this attack from happening at all? If the other parties have already taken the trade and paid there's absolutely nothing anyone can do to stop the donation address holder from getting a bunch of BTC after the timelock expires?

MwithM commented 4 years ago

@chimp1984 There won't be "repeated cases", there will be a lot of orders from one or different onion addresses with unresponsive peers. Once we start to smell something wrong (which won't be before 2-3 days since the star of the attack), there's nothing we can do as timelock multisig account will be pointing to the attacker's address (the DAO holder address). Arbitrator can't do nothing, it's not necessary to receive arbitration payouts to make this attack profitable, just wait to the arrival of 2of2 funds as buyer and receive altcoins/fiat payment as seller and not releasing the funds.

I didn't know that BSQ holder wasn't really anonymous, and that's what is stopping me to freak out, because locked bond is useless compared to Bisq volume.

chimp1984 commented 4 years ago

@xbyvee Thanks for the summary, I was just following the discussion superficially before.... Yes I understand now your concerns and they are valid. Burning the BTC would be a solution but as long we have too many arbitration cases that is too expensive. Using a multisig address would reduce the risk. Increasing the BSQ bond would be another option. I think we should wait to see when we get to the point that those cases are super rare and consider a burn BTC address then. That is the most safe and easiest way to deal with it.

xbyvee commented 4 years ago

I think this is something that needs urgent attention right now. As it stands we have no idea who the Bisq donation address holder is right now. They are completely anonymous. Their github account was setup just days before asking to be the donation address holder.

chimp1984 commented 4 years ago

There was a DAO voting and you can be assured that a total anonymous address owner would not have been rejected by the major BSQ stake holders. So that can give you confidence that there is no realistic risk for that, but I agree it is a conceptual risk and should be addressed at some point.

MwithM commented 4 years ago

Arbitration cases are meant to be rare, so I don't think that this proposal is going to cost that much. The only reason to have a lot of disputes going to arbitration is this attack, and that really would bee too expensive. It would suppose the end of Bisq. Timelocks could be removed or set up for longer periods. A month to trigger arbitration would assure that only real disputes end into arbitration, and not technical problems. Arbitration now could have a higher cost for traders, considering that it's a cost for the DAO.

When I voted for this role, I assumed that the person in charge of the role was completely anonymous and the locked bond would protect Bisq from misbehaviour. Now I have to trust the address owner while I havent read anywhere that this person is not completely anonymous and should be trusted.

mpolavieja commented 4 years ago

I don ́t know if failed trades are already being tracked. If not Could it be possible to include in the trading statistics failed trades?

By failed trade I don ́t mean disputes or publishing the timelocked tx, I mean trades that have not completed before the time limit (i.e. 6 days for fiat, 1 day for altcoins, etc).

If the trade resolves, then it would show as "resolved" within the failing trades, so we can easily calculate a running balance of failed trades.

This failing trading statistics flux would be not visible by default on the UIs. It would be something like this:

Date/Time Price Amount BTC Amount XXX Pmt method Offer type Extended info
Nov 6 0.007 0.017 2,41 Altcoins Sell XMR Failed trade
Nov 6 0.007 0.017 2.41 Altcoins Sell XMR Resolved trade
Nov 6 0.007 0.017 2.41 Altcoins Sell XMR Normal trade

Only the last row would be shown by default. The previous two rows can be used to calculate a running balance of failed trades (“Failed” as positive, “Resolved” as negative).

Maybe it could be implemented an automatic halt of the trading in a specific trading pair or in all pairs if the balance reaches a percentage of the BSQ bond of the donation address owner. Or alternatively to warn the user about the situation before engaging in a trade.

Having an abnormal number of failing trades is not good in any case, whatever the reason. So I think it is not crazy at all to halt or refrain from trading if too many trades are failing. It would indeed be wise to stop an see what is going on before the problem is too big to handle.

sqrrm commented 4 years ago

@mpolavieja This information should not be available, and I don't think it is, considering it's a decentralized p2p system. There is a conflict between publishing data to be able to analyze the system and privacy. In general we don't publish anything that's not necessary for the functioning of Bisq and I think that's correct.

Funds sent to the donation address could be monitored on the blockchain, but any trade that ends with the traders agreeing on a payout from the 2of2 would not be possible to track.

mpolavieja commented 4 years ago

but any trade that ends with the traders agreeing on a payout from the 2of2 would not be possible to track

So these trades are not currently being published in the trading statistics as normal trades once the traders agree?

mpolavieja commented 4 years ago

Ok. I realize your point now. The trade is published as soon as an offer is taken, not when the trade is completed.

sqrrm commented 4 years ago

Right, cause the network needs to know the offer is no longer there, but the trade process is not public knowledge and I think it should remain private.

mpolavieja commented 4 years ago

Well, all the information about the trade is already being disclosed. If Bisq works anyone would assume that the trade has ended succesfully, otherwise no one would be using Bisq. My proposal would only add the info about the trade not being completed wthin the established time limit (temporarily), I don't see how that info significantly reduces privacy. Specially if Bisq works well and failed trades are rare.

A different discussion is if this is possible to implement and/or worth the effort

bodymindarts commented 4 years ago

Right, cause the network needs to know the offer is no longer there, but the trade process is not public knowledge and I think it should remain private.

Publishing the trade statistics is not required to spreading that knowledge. You may just as well publish a RemoveDataMessage. Afaict there is no place where the trade protocol depends on knowing the past trades. It is just used for displaying data on the website and in the client.

mpolavieja commented 4 years ago

Probably the problematic thing with my proposal is technical as the action of taking an offer leaves a trace of a BTC real tx and the event of consuming the time limit does not. I guess it could be inferred by not seeing the multisig executed in time, but that would require a daemon on all clients looking for the final BTC tx of all trades. Way too heavy computing burden...

flix1 commented 4 years ago

First let me say that I consider this new 1.2 system, while imperfect, a significant improvement compared to previous trusted arbitrator system.

A possible improvement:

  1. Multisig donation address (3-of-5)
  2. Rule to buy BSQ with donated funds whenever they exceed certain amount. (% of bonds?)
sqrrm commented 4 years ago

@bodymindarts True, maybe the assumption that most offers lead to trades is wrong and we should stop publishing this data since it's giving away more data than necessary. It's a balance but I would keep it as is for now.

@flix1 there is already the rule that the donation address holder shall buy BSQ for the funds, not sure at what percentage or if set to a percentage.

As discussed during today's call, I think the multisig donation address is better than adding more donation addresses. An attacker could still filter through all the offers and take those that are using their address. It's a lower take but still a severe attack. I like the 3of4 multisig with 2 known contributors and two unknown as key-holders. That will make it harder to put pressure on either known contributors or for the unknown ones to abscond with the funds.

mpolavieja commented 4 years ago

Isn't it a great improvement that this kind of attack has been pushed away from traders and if it happens is something that will be resolved amongst the arbitrator, the donation address owner, and the DAO?

(assuming we are sure that the arbitrator and the donation address owner are different persons and do not collude)

mpolavieja commented 4 years ago
  • Multisig donation address (3-of-5)
  • Rule to buy BSQ with donated funds whenever they exceed certain amount. (% of bonds?)

@flix1, @chimp1984,

What if we require that the donation address owner has to buy BSQ first in order to be able to get the BTC from a disputed trade? That is, requiring an equivalent amount of BSQ proof of burn.

If this is technically possible, then there is no need to trust the donation address owner. Is this correct? If we are able to do it at a discount, anyone would be willing to buy BSQ in the market, burn it, and get the BTC from the dispute.

sqrrm commented 4 years ago

@mpolavieja That's not possible. The payout transaction is already signed before sending money to the 2of2. That payout tx is ready to be broadcast as is and it's not possible to put limitation on how it can be broadcast.

mpolavieja commented 4 years ago

Yeah, I was expecting that the current payout tx would not be useful for this. I was thinking to substitute the current payout tx by some kind of pay to script tx instead, where the condition to spend the funds would be to show proof of burning a specific quantity of BSQ.

mpolavieja commented 4 years ago

If the condition to unlock the funds could be set to "burn more than X BSQ", then it could even enable competition to bid for those BTC with higher amounts of burnt BSQ than specified in the script.

gofastandpray commented 4 years ago

@sqrrm wrote

there is already the rule that the donation address holder shall buy BSQ for the funds, not sure at what percentage or if set to a percentage.

Curious how is this rule enforced or encouraged? This seems like a good process, could it be automated somehow in the long run (atomic swap)?

sqrrm commented 4 years ago

@gofastandpray Would be enforced through the DAO as it's a rule for the role owner. If the role owner doesn't follow the rule their locked funds could be confiscated by DAO voting.

flix1 commented 4 years ago

Current donation address is: https://www.blockchain.com/btc/address/3EtUWqsGThPtjwUczw27YCo6EWvQdaPUyp

Less than 0.32 BTC there right now.

But as some people pointed out in the call... an attack or several failed trades could very rapidly increase that amount with little warning.

While we think about ways to improve this mechanism, it might be a good idea for current donation address holder @burning2019 to try to keep the balance low, say below 50% of the value of the BSQ 50k bond.

And of course the more eyes that are watching the donation address the better. We still have a trusted critical component in the system, but at least it is highly transparent.

MwithM commented 4 years ago

After thinking a little more about the attack, I've realized that electronic fiat payment methods are less vulnerable to it because of trade limits and account signing process. The attacker would need to steal an account or go through a very rigid identification system to be able to open accounts to use these payment methods. Only low volume markets could be used (making a buy offer with an invented bank account) to steal reasonable amounts (sending to DAO donation address the trade and deposit funds) because there's no trade limit.

@flix1

While we think about ways to improve this mechanism, it might be a good idea for current donation address holder @burning2019 to try to keep the balance low, say below 50% of the value of the BSQ 50k bond. And of course the more eyes that are watching the donation address the better. We still have a trusted critical component in the system, but at least it is highly transparent.

Selling BTC below 50% of the BSQ locked bond is what the role owner should do. Transparency doesn't help much: no matter the level of vigilance to the donation address, it would only produce an alarm when it's too late. I don't think that begging an almost anonymous person to act in a honest way is the way Bisq should work. Not when we have a possibility to stop trusting a third person and eliminate a single point of failure. Burning funds that end into arbitration is possible, easy, secure and the best option to follow Bitcoin's principles. As long as there's security deposits for both peers, it should end disputes without a good reason. Considering that disputes ending into arbitration would be rare and for a good reason, reimbursing arbitrators with DAO's own funds is something that Bisq could afford to do. Bisq would not be the first organization ever that compensates its users when things go wrong.

So after properly discussing this proposal, I'm pushing a DAO vote on Cycle 7 for:

Sending deposit and trade's funds from altcoin, low volume fiat markets and F2F trades to an unspendable address when arbitration timelock is triggered.

Better solutions could be developed in the future, but this is the most secure way to prevent the discussed attack.

flix1 commented 4 years ago

I don't think that begging an almost anonymous person to act in a honest way is the way Bisq should work. Not when we have a possibility to stop trusting a third person and eliminate a single point of failure. Burning funds that end into arbitration is possible, easy, secure and the best option to follow Bitcoin's principles.

Your logic is sound. I have to agree.

2-of-2 multisig with mutually assured destruction is simple and has no trusted third parties.

I still get the feeling that something could go wrong here, especially if too many cases end in arbitration. But maybe the credible threat of burning is the only thing that can make this work.

clearwater-trust commented 4 years ago

Sending private keys outside of the app DOES NOT align with "bitcoin principles" and WILL NOT scale.

a 2 of 2 multisig that requires the market maker to find, trust, and send their private key to an arbitrator in the event of an unresponsive trader is insane.

This is insane: https://docs.bisq.network/manual-dispute-payout.html

flix1 commented 4 years ago

@clearwater-trust

a 2 of 2 multisig that requires the market maker to find, trust, and send their private key to an arbitrator in the event of an unresponsive trader is insane.

What are you talking about? I thought the point of changing to 2 of 2 multisig was so that the arbitrator does NOT have a private key and is no longer a trusted third party.

The current arbitration system is one in which the arbitrator can only suggest a payout, not enforce it. Am I missing something? I admit that I have not been involved in a dispute with the new version yet...

m52go commented 4 years ago

Yeah that doc @clearwater-trust linked was archived precisely because it isn't relevant any more, and the reason for that is the new trade protocol.

How is it related to this proposal?

clearwater-trust commented 4 years ago

Sorry for the confusion. I need somebody, and apparently so does @flix1, to explain how mediation/arbitration works in the event of an unresponsive trader with a 2 of 2 multisig.

Thanks.

m52go commented 4 years ago

@clearwater-trust same way it always has. The responsive trader requests arbitration and the arbitrator pays BTC back to the aggrieved trader.

Process may take a bit longer, as there is a mediation step in the middle, but it's not practically any different from before.

EDIT: we should probably take this conversation elsewhere to avoid polluting this thread with discussion that's not relevant to this proposal.

clearwater-trust commented 4 years ago

Just to be clear. The funds locked in the 2 of 2 go to this "donation address" and I have to trust the arbitrator is playing with enough fungible [not involved in some dirty heist that can implicate me in god knows what] bitcoin to pay back the trade PLUS the trading peer's security deposit?

I am not polluting the thread. This is about funds that get sent to the donation address or burned.

MwithM commented 4 years ago

The funds locked in the 2 of 2 go to this "donation address"...

Funds locked in the 2of2 multisig only moves if one or both of the parts wants to, if mediator suggestion is not good ennough, or when timelock activates (10 days since trade start).

Feel free to message me at keybase, I'll answer questions you might have.

MwithM commented 4 years ago

Should go back to v1.1.7 because of severe security and safety concerns from users on daubtable proposals in v1.2.

I would rather use multisig for DAO address than going back to v1.1.7 security model.

mpolavieja commented 4 years ago

@clearwater-trust

[not involved in some dirty heist that can implicate me in god knows what]

That did also apply on version 1.1.7 to any Bisq user that is selling you BTC, or if you were the seller, to the security deposit of the buyer in case the arbitrator decided you get at least part of it

clearwater-trust commented 4 years ago

@mpolavieja No, it's not the same. In a 2 of 3, the offered trade funds were returned, not laundered through an arbitrator as is the case in the new protocol.

I have to assume the 2of3 model had some glaring security threat that is not being made clear to justify this new 2of2 system.

mpolavieja commented 4 years ago

had some glaring security threat

The arbitrator had to be trusted. Trusted third parties are security holes. Moreover it was not scalable.

clearwater-trust commented 4 years ago

I have to trust the arbitrator has enough funds to clear all of their disputes. Because in ten days, the funds are gone.

I would rather trust the arbitrator is honest. Now I have to trust the arbitrator is honest AND rich.

mpolavieja commented 4 years ago

It is not really an arbitrator anymore, it is just a broker that buys the dispute at a discount in order to get a slight profit (coming from the losing party of the dispute) when reimbursed by the DAO.

The only thing you have to trust is that his BTC are honest. But you also have to trust the BTCs from your tading peers are honest in case there is no dispute. The normal thing is that you will get way more BTC from unknown trading peers than from arbitrators.

Apart from mining, the only way you can get clean BTC is through KYC. For that you already have centralized exchanges

clearwater-trust commented 4 years ago

Does the winning party still receive the security deposit for time lost on the offer book? What is the slight profit?

I mean, it seems like you just said, "Arbitrators profit from disputes", which is a weird market dynamic that may take me awhile to understand.

mpolavieja commented 4 years ago

The winning party will receive part of the security deposit depending on the mediator proposed payout. In my opinion the mediator should leave part of the security deposits as a fee for the arbitrator, which is going to bear the risk of paying the winning party and wait to later be reimbursed in the equivalent amount of BSQ by the DAO.

In older versions, arbitrator earned also a fee, they did not work for free. In this version, the arbitrator is actually more a trader than an arbitrator. He buys the dispute at a slight discount. Users don´t have to worry about this. The only thing they see is that they are getting the BTC payout suggested by the mediator.

Regarding your concern about the BTC from the arbitrator coming from strange actitivities, again I don´t see the difference of getting the BTC from the seller if you are the buyer and won the dispute. Why would you assume that the BTCs from the seller (or from the buyer´s security deposit) are more legit than the BTC sent by the arbitrator? Why would you assume that the arbitrator thinks that the BTC from the traders are more legit than his?

clearwater-trust commented 4 years ago

Yeah. I agree. From the buyer's prospective source of funds is ambiguous. But as a maker/seller, it is noteworthy that funds received after a failed trade are not the funds offered in the trade, but instead are coming from the arbitrator.

I think the idea of a trade broker is interesting. I'll think more on this.

Thanks for taking the time to answer my questions.

Traders are going to want to know how the system works. I feel like I'm pretty plugged into Bisq but somehow the details of this change slipped through my channels.

mpolavieja commented 4 years ago

but instead are coming from the arbitrator.

In the old version, you as a seller could also receive part or the whole security deposit from the buyer. Even if you didn´t receive any, there is a trace in the blockchain where your BTCs and the security deposit from the buyer were together in a multisig.

In any case, needing a payout from an arbitrator is suposed to be a rare event compared to the much more frequent event of signing a multisig transaction with your trading partner.

xbyvee commented 4 years ago

Why can't the funds be sent to a holder address which only is payable to the trader parties by the arbitrator? This solves all problems.

Because the arbitrator (or whoever is in control of the payouts) could be one of the trading parties and just award the payment to themselves.

mpolavieja commented 4 years ago

@ExPrgrmmr

Your deeply uninformed comments are really annoying. I beg you to please inform yourself before commenting.

flix1 commented 4 years ago

There's now more than 1 BTC at the donation address: https://www.blockchain.com/btc/address/3EtUWqsGThPtjwUczw27YCo6EWvQdaPUyp