bisq-network / proposals

@bisq-network improvement proposals
https://bisq.wiki/Proposals

Reimburse victims of the security incident using the DAO via a Special Refund Agent #206

Closed wiz closed 4 years ago

wiz commented 4 years ago

This is a Bisq Network proposal. Please familiarize yourself with the submission and review process.

Summary

This proposal is an alternate proposal to https://github.com/bisq-network/proposals/issues/205 - instead of modifying the Bisq code to change the Bisq donation address to the victims' Bitcoin addresses to compensate them for their losses, it proposes to use the DAO to approve issuance of BSQ in 12 monthly payments to a Special Refund Agent, which would sell the BSQ to the Burning Man and send the BTC to the victims.

Proposal

Our current estimate is that there are 6 victims with a total loss of about $240K USD. After we finalize the investigation of the incident and come to an agreement with the victims, I propose the DAO reimburse the victims the equivalent USD amount they were owed at the time of the incident as follows:

1) The DAO will reimburse the victims what they are owed in 12 equal monthly payments. For example, if the total is $240K and we split this across 12 payments, it would come out to $20K per month. This would be exempt from the monthly budget (currently $60K).

2) A temporary role will be created called the Special Refund Agent. The SRA will make a BSQ reimbursement proposal each cycle for the monthly payment due to the victims using the BSQ issuance rate (denominated in USD) displayed in the screenshot for the current cycle's issuance rate, as defined each cycle by the Compensation Maintainer.

3) The SRA will sell this BSQ to the Burning Man, at a fixed rate which is equal to the same rate as the BSQ issuance rate (denominated in BTC) displayed in the screenshot for the current cycle's issuance rate, as defined each cycle by the Compensation Maintainer. The Burning Man will prioritize these trades buying BSQ from the SRA.

4) The SRA will pay out BTC to the victims and post proof of his transactions in his monthly report, similar to how the Burning Man posts a Proof of Burn transaction in his monthly reports.

5) After the 12 cycles are completed, the victims will be repaid in full and the SRA role will be terminated.

6) The security incident victims would all need to agree to this proposal, as well as a full vote by the DAO stakeholders for it to be considered approved.

ifarnung commented 4 years ago

This seems like a reasonable process to follow, I like the overall idea of it.

I would like to get @Cbeams and others idea about what the right amount of monthly budget to allocate. The $20K number just being an opening estimate...

Also at some point it should be discussed how to calculate the sum lost as it was mostly XMR, right? The BTC/$ price could look very different in a year.

Let's see some discussion. :)

invertedbobb commented 4 years ago

I think the basic idea is fine. But I strongly disagree with using USD in this calculation. Us victims were positioned in BTC or XMR, this is what I want back. In a highly volatile market using USD to calculate crypto reimbursement can become extremely unfair for both parties, in this case I think it's considerably much more likely the victims would become, well, victims again.

I lost BTC, not USD, not EUR, not JPY. The same amount of BTC is what I would like to get reimbursed in.

I don't want to sound too harsh, my apologies if I come across that way. My tension levels have been through the roof over the past week.

danielv1234 commented 4 years ago

I agree with you, we should not use USD or BSQ.

invertedbobb commented 4 years ago

BSQ can be used as a tool as proposed, but the final amount that is reimbursed should not be calculated in a different asset.

AndyBisq commented 4 years ago

Hello, should I make a counter proposal in Bisq/DAO to limit the reimbursement to $10,000 per transaction because I think a trading amount of $240,000 / 7 means abusing Bisq? That volume does not fit with the philosophy of Bisq.

danielv1234 commented 4 years ago

In this case, max transaction using Bisq should be limited to $10k not 2 btc.

chimp1984 commented 4 years ago

@invertedbobb I agree that the exchange rate risk adds more risks to either party (one loses, one wins). That is one reason why I tried to avoid including BSQ in the calculation as we get another exchange rate and volatility risk with it.

@wiz Why not use the victims themselves to make the reimbursement request? Adding another centralized, trusted (and bonded) role seems not necessary and should be avoided if there are other options IMO.

The volatility risk is considerable. BTC/USD moved from 3000 to 14 000 USD over the last year and in currently troubled times it could be even higher. BSQ/BTC had also a high volatility over the past 6 months. I think we should sketch out all the extreme scenarios and see how the model works in such situations. BSQ got into a deadly negative spiral recently (and luckily recovered now) and the refund agent made a quite big loss (maybe the main reason why he is leaving now) because of volatility risks (and his lack of accounting). So we should not underestimate that risk.

Using BTC itself could cause severe problems as well. If the total BTC amount of the loss is 30 BTC now but BTC goes up to 100K USD in 6 months (not unreasonable if USD will crash) Bisq will have a hard time to pay that as revenues in BTC will go down (users trade smaller amounts). If on the other hand BTC price crashes to 1000 USD because governments restrict exchanges to not get BTC as competitor for a dying USD (more reasonable scenario IMO) the victims get only a portion of their today's loss. As USD itself might become very volatile soon that would not be a good alternative as well. The only solution to volatility risk is to shorten time exposure. So if we reimburse it in one go but achieve a mechanism that the victims cannot sell it at once and therefore crash the BSQ market we could avoid the risk. It still would add some risk to the victims as they are forced to wait to convert BSQ to BTC (and then maybe to XMR or USD). But I think there is likely no perfect solution here. One alternative might be a "basket" of currencies and use that as kind of "stable" orientation value. But that's probably too complex and hard to find the right balances.

For doing the reimbursement in one go but avoiding an instant sell-off there are 2 potential solutions:

A middle ground could be that the reimbursement happens in 3 parts and after the BSQ is received the victim needs to promise to lock up the BSQ as agreed. If he does not do it he will not be accepted for the remaining reimbursements. The last reimbursement will lack that "soft enforcement" power but then the max. damage from sell off is likely limited to 1 or 2 defaulting victims with 30% of their funds.

danielv1234 commented 4 years ago

For me, as a victim, I don't care if BTC goes to $1000 or $100. I just want to recover my BTC units, regardless of the price.

chimp1984 commented 4 years ago

@danielv1234 You might not care but Bisq might not be able to refund you in BTC in 6 months if BTC is worth 100K USD and revenue will not go up as well by that magnitude.

chimp1984 commented 4 years ago

Additional idea how to make BSQ lock-up connected to reimbursement. We could require that the victim locks up first the amount of BSQ he gets reimbursed. Only after lockup was proven the reimbursement will be accepted. I am aware that this has the disadvantage that they need to buy BSQ first (potentially driving up price) and later when they get reimbursed might sell off (crashing the price). Also they might not be willing to make that upfront investment. So might not be a good idea, but wanted to share as it would not require any code change.

I looked into the possibilities to lock up the reimbursement directly and it's not possible consensus-wise. It would have been an extra feature which is not implemented.

danielv1234 commented 4 years ago

It is hard to make calculations in the future. Process can be adjusted each month based on income and votes. Also we don't need to put pressure on bisq coin, but if I will use platform in the future, I would need to buy bisq for fees too. I was caught in the Nicehash hack too, and they refund as much as they can, 60% in one year. https://news.bitcoin.com/nicehash-returns-60-of-coins-stolen-in-the-hack/

cbeams commented 4 years ago

Please see https://github.com/bisq-network/proposals/issues/205#issuecomment-612824408 where I've written up my thoughts about both of the current proposals.

cbeams commented 4 years ago

@wiz, since alternative proposal #209 was approved in Cycle 12, I suggest we close this one as superseded. Do you agree? Please go ahead if so, thanks.