bisq-network / proposals

@bisq-network improvement proposals
https://bisq.wiki/Proposals

Enable face to face (F2F) trade in Bisq #24

Closed ManfredKarrer closed 6 years ago

ManfredKarrer commented 6 years ago

Enabling face to face (F2F) trades like those offered at LocalBitcoins is an often requested feature but has not been considered for addition because Bisq has a different security model compared to LocalBitcoins, and with our model we cannot provide sufficient security to make F2F trades safe. E.g. LocalBitcoins uses ID verification and reputation. Bisq uses the security deposit and the arbitrator as security protection, both of which would not help much in the context of an F2F trade.

Though there might be an interesting idea that would allow us to support F2F trades.

Basic idea

It is based on the game theoretical idea of "mutual assured destruction", which is basically just the idea that if both traders do not come to a cooperative result, both will lose everything they have put into the trade (e.g. trade amount and security deposits).

That model was actually used in the very first concept of Bisq and is used in some other projects like BitMarkets and BitHalo/Nightrader. The reason why we moved away from that model was that Adam Gibson found a severe risk of a blackmail scenario. In short, there is always an asymmetry in the max. loss of each trader due to the non-atomic exchange on the fiat side. That enables one trader to blackmail the other, who has more to lose, into agreeing to a different payout result than was originally agreed on. An economically rational trader being blackmailed in that way would agree to the changed payout to suffer a smaller financial loss than if he stuck to the original contract and risked his funds being locked up forever. This risk is especially serious in the context of an anonymous global online market.

But we do not suggest a pure "mutual assured destruction" model (based on 2of2 Multisig), but rather to use our existing arbitration system to add more flexibility and reduce the blackmail risk.

Assumptions

Physical access changes risk situation

People meeting physically have a different risk exposure compared to the anonymous online market situation. E.g. the possibility of physical access makes unscrupulous behavior less likely. We can assume that the risk of blackmail is much lower in such a context. Of course physical access also comes with new forms of risk (robbery), but that has to be mitigated by the selection of a safe public meeting location. The general risk of violence in a certain country has to be taken into consideration as well.

Unclear strategy of arbitrators

There is no guarantee that the funds will be locked up forever, as the arbitrator can do the payout as he thinks is fair and/or at any time in the future. The threat that the funds are locked up forever is not a strong motivation anymore for the blackmailed person to agree to an altered payout. He would rather try to convince the arbitrator of his side.

If those assumptions hold, we could use that model as basic protection for F2F trades.

Details

Payment method

The payment method will contain an email and/or mobile number field which will be used by the traders to exchange the details for arranging the meeting place. Besides that there will be the location data (country, city, maybe map coordinates). In a first version it should be a basic feature but could later be improved by implementing a map to set the position of the trader. Though exact positions of the traders' addresses have to be avoided for security reasons. Maybe we should add "terms and conditions" the users can define. At LocalBitcoins they often require ID verification of the peer. That should be done only in person to avoid the risk of identity theft.

Offerbook

Offers for F2F trades will display additionally the location. In a first version that can be added to the payment method info. A filter option to search for traders by country and city would be good as well. In a later version we could implement a map to look up nearby traders.

Trade process

Once an offer gets taken both traders get in touch by email or mobile and arrange a meeting place and time.

We could consider that both traders bring their laptop and do the trade process similar to an online payment. Though the additional risk of theft if they have more BTC in their wallet, as well as the inconvenience and risk of carrying the laptop, represent some downsides of that simple approach.

They could alternatively meet without any laptop and just do the fiat transfer and, when back home, do the confirmation in Bisq for the fiat sent and received events. That would reduce the risk of theft to the fiat amount, but it does not feel very safe to hand over fiat without immediately getting anything back in exchange. We could require a hand-signed contract so both would have at least some form of evidence. Better would be a digital system which is integrated with the Bisq trade process. LocalBitcoins uses secret codes to be exchanged by the traders, but I am not sure if that really adds much protection. Ultimately there is no solution, as the fiat transfer is not atomic with respect to the digital transfer of a signature. The best we can achieve is to bring the moments of both events close together.

Another approach might be to combine repeated partial payments with repeated confirmations via a mobile app. E.g. if the trade amount is 1000 USD, the BTC buyer could start by handing over 100 USD to the seller. The next step is that the seller confirms on a mobile app the receipt of 100 USD. Then the next 100 USD will be handed over and confirmed again. That will be repeated until the final amount has been transferred. It would lower the risk that the peer can run away quickly with the money without confirming the receipt. The receipt could be done as a simple email to the BTC buyer or via any messenger app. The proof is not strong, but at least it adds difficulty for a potential scammer to fake those messages. Best would be a mobile app which is connected to the Bisq trade and provides signed and encrypted messages. But that is too much effort for a first version. It is also questionable if people are really that paranoid and would use that repeated payment method, or prefer to hand it over all at once and then do the confirmation.

That area needs more thought on how to deal best with it. For the most simple version let's assume there is a paper contract signed by both traders.

Dispute

The arbitrator cannot help much in case of a dispute, as in most cases there will be testimony against testimony and he cannot get reliable proof about the transaction. So the standard resolution of any F2F trade dispute will be that both traders get their funds frozen forever. Though they have the option at any time in the future to still come to an agreement and then tell the arbitrator to do the payout according to the result both have agreed on. The arbitrator can also choose to make whatever payout he thinks is fair according to the testimonies of both traders. This option makes blackmail even less likely, as there is no guarantee that the funds will be kept frozen. Also the blackmailing person will likely have a higher risk of losing the case, with the arbitrator deciding in favor of the other peer. ID verification can be required by the arbitrator as well - a request scammers usually don't want to follow.

One problem is for sure that the dispute resolution puts much higher pressure on the arbitrator, as he will not have tamper-proof evidence. But as said, not doing the payout at all is a valid default option for the arbitrator. Different arbitrators might have different policies on how to deal with disputes, which again makes blackmail less likely as the arbitrator's strategy is hard to predict.

It can be expected that real disputes are super rare (as with online trades) and that most cases are caused by usability issues or bugs. For those cases the resolution process will work as with any other payment method.

Police report

In case of theft or a blackmail attempt the victim can file a police report and present that to the arbitrator. This will have a lot of weight in the dispute process, as it can be assumed that a scammer is unlikely to go that far to trick an innocent peer.

Security deposit

It will require more analysis how the security deposit should be set for F2F trades and it will depend on the model how the Fiat transfer will be executed.

Risks and warnings

The risks and different rules for dispute resolution have to be very clearly presented and accepted by both traders.

Test run

We could add that payment method as experimental for a test run to see how it works in reality and see how much demand exists for it. Before that it would be good to make a poll to see how much demand is really there for F2F trade. The still limited volume on Bisq will be an even bigger issue when it adds a location limitation as well.

Implementation effort

Depending on the open questions regarding the fiat exchange process, the implementation effort should not be very high. It is mostly UI work and does not require any deeper changes for a first version. For map integration though the effort will be higher, but that should be left for later after a test run has shown how much demand for that payment method exists.

Request for more research

I think we should add more research about the usual issues with F2F trades on LocalBitcoins or other platforms.

If anyone can volunteer to do that research or if anyone has first-hand experience please add it below!

sqrrm commented 6 years ago

I support this proposal. Starting with a minimal effort and learning as we go seems best. I have seen there have been quite a few requests for f2f trades, but I still suspect it will be hard to match these people on location.

For traders this would probably not be much more risky than any other system doing f2f trades such as localbitcoins considering the parties can choose their trade location according to local conditions. I could see a need for a feature to cancel the trade process if no trade location can be agreed upon, or include coordinates to suggested trade locations in the offer. I guess that would be what would be found out after running it for a bit though.

The risk for Bisq network seems minimal. If there are scams we can learn how to handle that and if there are robberies that still comes down on the individuals. The feature can always be severely restricted or retired if it turns out it doesn't work.

riclas commented 6 years ago

Several comments here:

cbeams commented 6 years ago

A quick response to say +1 in general and that I think F2F trading (and/or cash by mail) is the single most important feature we can implement from a privacy and censorship resistance perspective. Having the option to trade without banks and payment processors in the mix is critical to Bisq being able to fulfill its mission in truly adversarial environments.

With regard to arbitration, perhaps we could encourage or even require both parties to voice record their F2F interaction via their mobile device. Ideally these recordings would be stored locally and streamed back to the party’s (offsite) Bisq node for safe-keeping in case their device is stolen or confiscated, and the recordings would then be made available automatically to the arbitrator should a dispute be opened by either party. This kind of voice logging and streaming is something that a dedicated Bisq remote client like the one proposed in #25 could do, but obviously this isn’t a first-iteration feature.

Note that the audio could/should also be signed, with hashes exchanged between parties’ clients immediately after the recording is finished to make the recordings tamper-evident in arbitration.

meapistol commented 6 years ago

I think this will work and it is on the way to making Bisq become an arbitration court for general trades, a la Lex Mercatoria. There are still some problems, one of which is blackmail. Despite the deposits being equal and large, there is an asymmetry between a rich trader and a poor trader where the rich trader can still blackmail the poor trader. Granted that the rich one risks losing his deposit, but it does not hurt as much as it hurts the poor one. I doubt this type of blackmail will occur much in practice though.

ManfredKarrer commented 6 years ago

I have an additional idea for how to avoid the requirement that both traders bring their laptop to the meeting. We could add a small feature to the Bisq mobile app (which is close to completion) where the BTC buyer can verify a code the seller hands him over. That code acts like a signature by which the BTC seller states that he has received the fiat. Back at home he needs to unlock the BTC at the trade, and if he does not, the buyer could present the code to the arbitrator and the arbitrator can verify that the code was correct. The buyer has no way to get the code other than the seller giving it to him.

The code gets generated in the seller's app and the hash of the code will get included in the trade contract and sent to the buyer. At the meeting, after the fiat has been handed over, the seller needs to give the code to the buyer as a kind of statement that he has received the fiat. The buyer can verify the code by scanning the QR code (the seller can print it out or have it on the mobile app). The mobile app will receive the hash of the code when the trade starts and will calculate the hash when the seller presents the QR code, then compare that calculated hash with the one from the trade contract. If it matches, the buyer has secure proof that the seller has confirmed receipt of the fiat.

The usage of the code is optional, if both traders or at least the seller brings his laptop he can release the BTC directly as well. The buyer could press the payment started button before he goes to the meeting, so no need to bring his laptop. He can verify the payout tx at any block explorer on his mobile as well.
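The receipt-code idea in the comment above is a hash commitment: the seller commits to a secret in the trade contract and reveals it only once the fiat has been handed over. The following Python is an added example of that scheme and is not Bisq's own code. The contract field names, the JSON layout, the QR payload format and the binding of the commitment to a trade id (so a code revealed for one trade cannot be replayed as proof for another) are all assumptions made for the example; the page only says "the hash of the code" goes into the contract.

```python
import hashlib
import hmac
import json
import secrets

# Added example (not Bisq code). Field names and the trade-id binding are assumptions.


def commit(trade_id: str, code: str) -> str:
    """Commitment stored in the trade contract.

    The trade id is mixed in so that the same code cannot serve as
    receipt proof for a different trade (assumption, not in the proposal).
    """
    return hashlib.sha256(f"{trade_id}\x00{code}".encode()).hexdigest()


def seller_prepare(trade_id: str, amount: str, currency: str) -> tuple[str, dict]:
    """Seller side at trade start: draw a random code, publish only its hash."""
    code = secrets.token_hex(16)  # 128 bits; infeasible to guess or brute-force
    contract = {
        "trade_id": trade_id,
        "amount": amount,
        "currency": currency,
        "payment_method": "F2F",
        "receipt_commitment": commit(trade_id, code),
    }
    return code, contract


def seller_qr_payload(trade_id: str, code: str) -> str:
    """What the seller shows (printed or on the phone) after receiving the fiat."""
    return json.dumps({"trade_id": trade_id, "receipt_code": code})


def verify_receipt(contract: dict, qr_payload: str) -> bool:
    """Buyer (or arbitrator) side: hash the revealed code and compare to the contract.

    Returns True only if the revealed code matches the commitment for this trade.
    """
    try:
        payload = json.loads(qr_payload)
        trade_id = payload["trade_id"]
        code = payload["receipt_code"]
    except (ValueError, KeyError, TypeError):
        return False
    if trade_id != contract["trade_id"]:
        return False  # a code shown for another trade proves nothing here
    expected = commit(contract["trade_id"], code)
    # constant-time compare: not security-critical for a public hash, but cheap
    return hmac.compare_digest(expected, contract["receipt_commitment"])


def demo() -> dict:
    """Run the honest flow and two failure cases; returns the outcomes."""
    code, contract = seller_prepare("trade-0001", "1000", "USD")
    honest = verify_receipt(contract, seller_qr_payload("trade-0001", code))
    wrong_code = verify_receipt(contract, seller_qr_payload("trade-0001", "0" * 32))
    other_code, other_contract = seller_prepare("trade-0002", "1000", "USD")
    replayed = verify_receipt(contract, seller_qr_payload("trade-0002", other_code))
    return {"honest": honest, "wrong_code": wrong_code, "replayed": replayed}


if __name__ == "__main__":
    print(demo())  # expected: {'honest': True, 'wrong_code': False, 'replayed': False}
```

The commitment is public, so the security of the proof rests entirely on the code's entropy: a short or predictable code would let the buyer brute-force it against the published hash and fabricate a "receipt". Note also that the scheme proves the seller chose to reveal the code, not that fiat actually changed hands; a seller handing over the code under duress is exactly the robbery risk the thread discusses, and the code cannot distinguish that case.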

ManfredKarrer commented 6 years ago

I just implemented a basic F2F payment method.

Here are screenshots:

[Six screenshots of the F2F payment method UI, dated 2018-07-21]

ManfredKarrer commented 6 years ago

PR: https://github.com/bisq-network/bisq-desktop/pull/1607

What is missing is a docs webpage with a user guide, explanation of the rules and recommendations for F2F trade.

ManfredKarrer commented 6 years ago

Contact info can be anything (email, tel, ...). Additional info can be TACs and/or public contact info of the maker. In the offer the city and additional info are shown, so if contact info is provided the taker can get in touch before taking the offer if there are questions. The maker's TACs, if defined, are applied to the trade. The taker agrees by taking the offer.

BSQman commented 6 years ago

The mobile app code idea is a great starting point. Bringing a laptop to a F2F trade brings more risk. I want to minimize the attack surface in these environments, if I'm going to get robbed I want to have as little to steal as possible.

ghost commented 6 years ago

I thought a bit about this F2F trade protocol. If I'm not wrong, I think this necessitates that prior to the physical encounter, the bitcoins are blocked in one manner or another (a 2-3 multisig account should do it). (If this is not the case and I'm the presumed BTC seller, I'll just use the Bisq app as a victim search engine, come with 2 strong friends and, knowing the person with the fiat, do what is necessary to rob the fiat.)

ManfredKarrer commented 6 years ago

@BSQman Yes, I agree basically, but I think if the meeting place is some safe place like a hotel lobby the robbery risk should be quite low. Before putting too much dev effort into it I would like to see if it will be used at all. We added some payment methods which basically have zero usage, like Western Union. Also not sure if the code idea is too complicated for users to understand.

ManfredKarrer commented 6 years ago

@HarryMacfinned The trade protocol is the same as in normal trades. Physical violence is a risk here and I think it can only be mitigated by choosing a safe meeting place and maybe negotiating upfront some security checks (e.g. share social media accounts or some sort of ID check - but that is up to the makers to define in their TACs). The release of the BTC can be done after the meeting if that is defined in the maker's TACs. Also the buyer can click the payment started button before they meet and leave the laptop at home. He has nothing to lose as he wants the BTC and can pre-sign the payout tx without any risk. How we define the best trade protocol is still up for discussion here.... I just tried to implement it with the existing infrastructure (without the dependency on the mobile app) and see if that is sufficiently safe that people will use it.

ghost commented 6 years ago

I completely agree that we should not expect to define a top-down optimal procedure on the first try. And if an optimal procedure can be found, it will only be through multiple trials. But there is also the possible case where something could badly fail and may be used against Bisq as a pretext. Just once may suffice. In France, we have people monitoring forums and searching for careless people advertising their holiday dates, their vehicle plates, etc.

Certainly dozens of pretexts can be used to censor Bisq ... but with F2F the risk of physical violence is of course existent. It's a completely different game from sending fiat money from a bank etc. I agree that it may really be a great development path for Bisq ... but imagine a person being hurt ... this could be used very negatively against Bisq. I'm not completely confident about the "safe meeting place" guarantee. If things turn bad, you may also just end up with more people hurt.

Safety on one side, no usability killer on the other side ... what a tightrope job !

BSQman commented 6 years ago

@ManfredKarrer I agree under the assumption the scammer takes into account risk/reward. That would be a sophisticated attacker. Fortunately Bisq trades require a BTC deposit, and that hopefully removes irrational - low time preference thieves.

Couldn't the code in the form of a QR be shown to participants on the native app, and require some type of one sided scanning upon completion of in person exchange ? I would assume that would take any complexity out of the users hands... and onto your hands. :-D

Regardless of how it's implemented, the F2F exchange should be assumed to be extremely adversarial and high risk. There are so many tail risks associated with this type of interaction. People following people to their homes and robbing them, blackmail etc..

BSQman commented 6 years ago

@HarryMacfinned The downside would be purely reputational, because that kind of "social" pressure would have no effect on the P2P nature of Bisq. All Bisq can and should do is iterate on the optimal procedure and warn users of risk. Otherwise it's our responsibility to assess and execute the level of risky behavior. If I get stabbed and robbed during an F2F interaction, that's on me, not Bisq, regardless of them facilitating it.

ManfredKarrer commented 6 years ago

Just stumbled over an older discussion here: https://bisq.community/t/payment-face-to-face/3545/18 The idea from https://bisq.community/u/erizo to use a bank transfer as security tool was quite interesting. We could recommend the users that they do a tiny 1 EUR transfer to each other, so they know the others bank details. That gives them some sort of KYC and reduces the risk of robbery a lot IMO. As it is just a recommendation it is up to the users to do it or not. They could also perform a normal ID check but that comes with ID theft risk, so a bank transfer might be less critical.

clearwater-trust commented 6 years ago

F2F is an opportunity to bring people together. God forbid people meet ITRW! Assume the user is smart enough to take the necessary precautions. Building relationships is ultimately what the platform is for. Bring the people together!

Schnakenberg commented 6 years ago

F2F with bisq is a good idea and even safer than localbitcoin, mycelium meetups, bitcointreff etc. because of the safety deposit that is held. But it has the same pitfalls like any other F2F deal - it would be wise to get a pen from ebay (1 Euro) to check for fake bills. Because like any business accepting cash you have to be sure you are not ripped off.

chirhonul commented 6 years ago

This sounds like a really good feature which would make it much more likely that I would use Bisq personally (as a user).

I think there's a typo in the issue, where it says "The possibility of physical access makes scrupulous behavior less likely"; based on the context I think it probably should be "unscrupulous"?

ManfredKarrer commented 6 years ago

@chirhonul Ah thanks. My German language background fooled me. In German its "skrupellos"

h173k commented 6 years ago

There is no other way to do it right than to secure 100% on both sides, meaning if somebody sells 1 BTC he must also lock 1 BTC, and the same for the buyer. This is obviously generating much more loss on one side, but in fact you can defeat it ONLY by education. You must trade only as much as you can afford to LOSE! And this is compatible with reality. There is completely NO WAY for an arbitrator to assess who is telling the truth if one party got robbed!

aejontargaryen commented 6 years ago

I was thinking the other day how if BISQ could somehow integrate ATMs it would be game over... ; )

ManfredKarrer commented 6 years ago

ATMs are a nice way but unfortunately the easiest target for regulators if they want to crack down on Bitcoin. HalCash is an interesting option in that direction but unfortunately limited to a few countries. If anyone knows more payment methods like HalCash please let us know.

cbeams commented 6 years ago

I've labeled this as approved, but am leaving the issue open for a while longer as useful conversation is ongoing.

h173k commented 6 years ago

I'm awaiting for that f2f release! This is gonna be great!

m52go commented 6 years ago

Just reading through this thread now in detail. I think the security issue is exaggerated.

Here in the US, it's common for people to meet F2F to buy relatively expensive items like computers, car wheels, etc on the spot with cash. You never know who you're going to meet, but you arrange the meeting in a way that both parties are comfortable.

As for those who worry about being robbed, they could arrange to do a credit card purchase using Square or similar. It wouldn't be anonymous, and there'd be a fee, but maybe the person prefers to pay a few bucks more to avoid the risk of carrying lots of fiat. Chargebacks would then become a potential problem, but it's really just a game of whack-a-mole because fiat can be counterfeit too. And chargebacks are already something we deal with for non-F2F trades anyway (so nothing really new).

Being followed back to my house would be my biggest concern, but I'm not sure it's any different than being followed out of a bank. Just be vigilant. Banks aren't responsible for peoples' safety after they withdraw cash or visit a safe-deposit box, so neither should Bisq (I don't like the idea of comparing Bisq to banks but I think it's appropriate here). We should take measures to make bad situations unlikely, but beyond that it's up to people.

ManfredKarrer commented 6 years ago

Yes I agree with your comments.

Regarding counterfeit: Could you add some hints which tools are recommended to detect counterfeit money (pen,...).

I would prefer to keep that proposal open a while even after we have deployed F2F as I see it a bit of work in progress where we might adjust in follow up versions, and maybe some ideas posted here would become relevant in future...

h173k commented 6 years ago

As I mentioned above, the only correct way to do F2F is to require a 100% deposit over the sell amount for the seller and 100% of the buy amount on the buyer's side. In case something goes wrong, funds must go to the arbitrator. Why? Because a scammer can try to convince the other party to split funds between the arbitrator and him/her. When it is known the funds go to the arbitrator anyway, there is no way a scammer can beat that offer. Then the scammer loses 100% of his deposit, which makes this market not affordable for such an individual for long (even if we consider an eccentric millionaire). This model also allows the seller to not confirm payment on the spot but to go safely home and then do it without the risk of being robbed right after confirmation and cash handling. Both traders are assured economically that trying tricks in this situation will result in loss on both sides, so there is no incentive to do so. The seller can easily split the amount 50/50 to satisfy the 100% deposit requirement and in a few hops sell nearly the entire amount. The buyer can acquire a small deposit amount with another method and also quickly, with a few hops, increase funds to the desired level to trade comfortably later. In crypto protocols the most important thing is to eliminate trust, and this proposal does it.

unixb0y commented 6 years ago

@Schnakenberg If I understand it correctly, it's not only safer than localbitcoins etc. because of the security deposit, but also because the seller actually has to publish the TX already and have it mined into the blockchain AND the buyer also already signs it. Like with every other Bisq TX, this means as soon as you get a second signature (either from seller or arbitrator), the buyer has the BTC.

chris-belcher commented 6 years ago

Regarding counterfeits, issuing central banks usually have a lot of resources to help users be their own full nodes and spot fake banknotes.

https://www.ecb.europa.eu/euro/banknotes/security/html/index.en.html https://www.uscurrency.gov/ https://www.bankofengland.co.uk/banknotes/counterfeit-banknotes/how-to-check-your-banknotes

There's some seriously detailed content there, including videos and podcasts.

ManfredKarrer commented 6 years ago

Great, thanks @chris-belcher for the links!

ManfredKarrer commented 6 years ago

I will close the proposal now as the F2F trade is implemented.