Closed MwithM closed 4 years ago
There's now almost 4 BTC in the donation address: https://www.blockchain.com/btc/address/3EtUWqsGThPtjwUczw27YCo6EWvQdaPUyp
To be precise 3.65 BTC which at today's prices (7500) is $27,375. That is well over 50% of the value of the 50,000 BSQ bond.
In fact at current BSQ price of $0.49, the bond would be worth $24,500.
ping @burning2019
@flix1 What are you proposing by highlighting the funds sent to the 'donation address'? Are you saying the bond should be more? The funds should be burned? Or, you don't wish to donate failed trades to a stranger? We can expect the 'donation address' balance to increase dramatically each time the price moves DOWN as buyers refuse to pay for their trades.
I understand that @flix1 suggests that the owner of the donation address should not let the balance go that high. The owner of the donation address should use Bitcoin to buy BSQ and burn them.
Looking at the BSQ volume traded, it looks like the donation account owner is working as required and has spent the funds buying BSQ over the past few days.
The proposal has been rejected in the last DAO voting. I would suggest that we close it.
Rejected in DAO voting Cycle 7
Edit: Explicit proposal sent to vote on DAO at the end of this post.
Abstract
The security model for the BTC donation address holder is not valid because the locked bond can't cover the funds taken by a dishonest address holder. To prevent this attack, trade funds should be sent to an unspendable address.
Issue description
Since v1.2, Bisq entrusts the BTC donation address owner to regularly buy BSQ with funds from BTC trading fees and trade amounts that end up in arbitration. This role is bonded with 50.000 BSQ locked, which would be high enough to cover current trading fee volume and rare disputes, preventing dishonest behaviour. This security model, based on a bonded role, relies on the supposition that trades going to arbitration will be very rare, as neither trader wants to see their funds lost and pay a small arbitration fee. But one of the traders could be colluding with, or be the same person as, the BTC donation address holder, inducing disputes to end up in arbitration and sending all the 2of2 multisig funds to the address controlled by the donation address owner. Just a couple of days of Bisq's current XMR trading volume would cover the BSQ bond and create profit. As timelocked transactions would be automatically triggered after a week or more, the attack would be noticed too late and there's nothing Bisq could do to stop the transactions being sent to the attacker's address. This leaves Bisq in a situation of high risk. Bisq can't trust an anonymous person, without any track record of previous honest behaviour, to hold and spend the funds like it's supposed to. The locked bond is tiny compared to weekly Bisq volume.
Proposal
Taking into consideration the following points:
I propose, as a cautionary measure, to destroy all deposit and trading funds by sending them to a burning address when going to arbitration. Trading fees could continue to be sent to the BTC donation address holder.
Further proposals could improve this situation, but they should be discussed in a separate proposal. The main concern of this proposal is security, so the focus must be to carry out short-term actions.