bisq-network / proposals

@bisq-network improvement proposals
https://bisq.wiki/Proposals
44 stars 16 forks source link

Bisq 2.0 - A simplified DEX (working title Sisq) #331

Closed flix1 closed 3 years ago

flix1 commented 3 years ago

This is a Bisq Network proposal. Please familiarize yourself with the submission and review process.

This suggested new architecture uses existing Bisq features for security, while significantly reducing the need for on-chain Bitcoin transactions to reduce cost. The idea is to keep changes to a minimum for speed of development.

P2P network layer: Use existing Bisq 1.6.2 system.

Offer Book: Use existing Bisq 1.6.2 system. Add a new market (eg: LN-BTC/EUR) that allows users to publish no-fee, no-tx, 0-security deposit offers.

Direct communication channels: Use existing trader chat.

Dispute resolution service: use Bisq mediators, arbitrators, DAO refunds, etc as they are right now.

Security modules: use Bisq for multisig security deposits, security bonds in BSQ, etc...

The idea is to create a simple market for traders to create and take offers for free. Once an offer is taken, traders can agree to also make a BTC/BSQ trade to create a security deposit. This security deposit would allow traders to conduct multiple LN-BTC/EUR trades off-chain while protected from fraud by the security deposit in BSQ and by the Dispute Resolution Mechanism that the Bisq DAO already has in place.

This would allow a single BTC/BSQ trade with 2 (and eventually 1) on-chain txs to secure multiple off-chain trades.

mpolavieja commented 3 years ago

Very interesting. Should that LN-BTC/EUR market have a maximum limit per offer?

flix1 commented 3 years ago

Very interesting. Should that LN-BTC/EUR market have a maximum limit per offer?

Does it really matter? That market is just a signalling mechanism without any Bitcoin tx, fees or security deposit. The only real limitation it will probably need will be some anti-spam feature to prevent DDOS. It won't even be a binding contract, just a way for traders to get in touch and message each other...

It would basically be a P2P message board with the ability to open a direct chat to another trader.

mpolavieja commented 3 years ago

Does it really matter?

I knew you were going to answer that ;). I suggested it just to prevent very lame Bisq user (newbie) for being scammed a significant quantity. I guess that it would be really strange to happen. As of today, a user that uses Lightning Network and has installed Bisq most probably knows rather well what is he doing.... But I don't know, just in case....

flix1 commented 3 years ago

This system would require that mediators know and understand this type of trade and that it is not against the Bisq rules. Mediation would be relatively similar to what exists now:

-Proof of fiat payment would be exactly the same. -Proof of Bitcoin payment via Lightning Network is relatively easy, even compared to existing altcoins. -Mediation fees would still work the same, since the BTC/BSQ tx would still have the same system.

Of course the trade protocol would be very different and users would need to be informed that offers on the LN-BTC/EUR market are NOT binding contracts and that there are no mandatory security features and therefore Bisq takes zero responsability.

The security system (based on a BTC/BSQ trade), mediation and DAO arbitration would be voluntary.

flix1 commented 3 years ago

image

This is how easy it would be to create the Sisq order book. Literally a shared spreadsheet.

I still remember when the Bisq DAO was a shared spreadsheet... just a few years ago. Of course eventually you want a P2P network over Tor to make it uncensorable... but the point is that you can start right away and then continue to build, replacing each component with the superior version as it is done, but never having to close down the market just because one of the components is being improved.

flix1 commented 3 years ago

Thinking about it, I don't see why we should limit it to just simple exchange... we could have many types of contracts: options, futures, loans...

image

chimp1984 commented 3 years ago

That might be a good way to test out the acceptance of the base idea (having multiple flexible contracts/protocols/security tools). We could use current Bisq as one form or protocol. So there is a generic offerbook/spreadsheet where a user can post I have a BTC-EUR offer on Bisq and if one want to take that with the Bisq secruity model they both just use Bisq. If they trust each other because they exchange their twitter account they can do it off chain, eg. send fiat via paypal and use LN.

As next step after the spreadsheet, a p2p network + message board can take that role, still does not require anything else. Then new trade protocols can be added and users can use the same app for that....

Conza88 commented 3 years ago

I am A LOT happier with this than all the other proposals (besides single transaction).

Don't like the sense of splitting. Where this instead adds on.

mpolavieja commented 3 years ago

I've been always very impressed that in Argentina Bisq does not take off. There is a very big bitcoin group in facebook (and probably in other social media) where people exchange bitcoin, and it is based on trust and reputation.

As @flix1 and @chimp1984, it could be a good idea that Bisq could funnel those trades, but without the need of all the security measures if the parties trust each other. This could help to expand the user base of Bisq also for its main / core functionality of trust minimized exchanges.

mpolavieja commented 3 years ago

I also like the modular / layering approach suggested by @flix1, starting with very simple developments that could be dumped without too much shame if there is no demand for them.

chimp1984 commented 3 years ago

@flix1

If I understand your proposal right it would only work between 2 traders who use a BTC/BSQ trade to lock up the deposit, then use that lockup funds as security for other out of band trades like LN-fiat. Once a trade is done they can re-use the already locked up deposit for another trade. But that limits it to 2 users who want to repeat traded which I assume is a minor use case. To re-use the bond for other trade would have the problems of the old off-chain trade protocol idea.

Btw. How can a transfer in LN be verified? As its not on-chain I assume there is no equivalent to a block-explorer, but only the 2 wallets show the transactions which would not be a strong evidence for a mediator.

chimp1984 commented 3 years ago

Adding a refund to seller option would also allow a loan or future/option trading. Alice wants 50k USD loan for a 1 BTC collateral for an agreed time period. Alice has to pay back the 50K at that expiration date or Bob will take the 1 BTC. Alice lockes up 1.1 BTC and Bob 0.1 BTC to a MS. Bob sends 50K USD to Alice. After expiration date Alice pays back 50k USD to Bob and both unlock the MS and both get refunded their collateral. OR: If she does not send back the USD she unlocks the MS so that Bob gets the 1 BTC and both get back their 0.1 BTC security deposit (Bisq trade path).

This model could be used for multiple out of band trades back and forth. But I doubt there is much use case as its limited to a fixed trade pair. If the keys for the MS would be tradeable/transferable it would work, then traders can trade the option contract, but that cannot be done in secure way without making an on-chain tx with signatures.....

flix1 commented 3 years ago

How can a transfer in LN be verified? As its not on-chain I assume there is no equivalent to a block-explorer, but only the 2 wallets show the transactions which would not be a strong evidence for a mediator.

An LN invoice contains a preimage. If you have paid that invoice, you have the preimage. In LND thereis a listpayments command that lists lightningpayments. It contains destination node, amount, hash and preimage among other things. The preimage is shared by the destination only upon successful payment.

With LN, you always have a proof of payment in your channel history. The buyer should also have a list of generated invoices.

In Electrum for example it looks like this: image

Obviously this is not as powerful a proof as an on-chain tx, but the whole point of using LN is that on-chain is too expensive for small exchanges... so by definition this would be used for lower value trades where the risk is lower.

If it is one of many trades that together are secured by 1 BSQ/BTC Bisq trade... then since each of them will be for a small amount, the risk is mitigated by that fractioning. You don't send LN payment nº 6 until you have been paid for LN payment nº 5.

flix1 commented 3 years ago

If I understand your proposal right it would only work between 2 traders who use a BTC/BSQ trade to lock up the deposit, then use that lockup funds as security for other out of band trades like LN-fiat. Once a trade is done they can re-use the already locked up deposit for another trade. But that limits it to 2 users who want to repeat traded which I assume is a minor use case. To re-use the bond for other trade would have the problems of the old off-chain trade protocol idea.

Not exactly, you could have several use cases:

  1. Traders who use the order book to contact other traders and exchange small amounts without any security feature. This could be a very frequent use-case for small amounts.

  2. Traders who use this system for multiple trades with 1 trading partner secured by a BSQ/BTC tx

  3. Traders who use a BSQ bond (for example bonded market makers) to secure multiple trades with multiple trading partners.

For case nº 3 security would not be perfect, but the size of the bond would be a good indicator of how much you can trust a trader and a proxy for reputation. If we create the role "bonded market maker" and a trader locks up 1000 BSQ... takers of his offers would be relatively safe exchanging $50-100 worth of LN-BTC, knowing that he risks much more in having his bond burned by the DAO if he is scamming people.

ripcurlx commented 3 years ago

For case nº 3 security would not be perfect, but the size of the bond would be a good indicator of how much you can trust a trader and a proxy for reputation. If we create the role "bonded market maker" and a trader locks up 1000 BSQ... takers of his offers would be relatively safe exchanging $50-100 worth of LN-BTC, knowing that he risks much more in having his bond burned by the DAO if he is scamming people.

Of course depending on how many offers he publishes at the same time.

flix1 commented 3 years ago

Of course depending on how many offers he publishes at the same time.

Of course. Common sense should be enough to see that at a small scale. IF only if things get bigger we can add the necessary mechanisms to automatically indicate if a security measure is undercapitalized. Or if this mechanism simply does not scale... but we already have something that works for larger trades: Bisq. It's for smaller trades that we need all this effort to reduce tx fees.

The Bisq DAO bonding tool could perhaps be improved in the future... image

But right now it is already easy to check if a particular bond has a decent amount or is too small to secure a trade.

image

Since in this proposed system offers are NOT binding and traders would be in communication from the start... you could even ask your counterparty to increase or create their own bond. Or prove that a particular bond is theirs by signing a message.

chimp1984 commented 3 years ago

@flix1 Ok I understand. Yes the bond for multiple traders/trades is not secure but can be good enough or small trades. The Bonded reputation feature is made for that. So you can proof your bond in Bisq. To secure multiple trades/different traders with 1 bond was the challenge for the off-chain protocols and is considered to be not solveable without a blockchain. So we should not put hope into that anymore. But as you said there are other options if higher security is needed.

flix1 commented 3 years ago

I'm thinking we could even create a DAO inquisitor role, whose job would be to check offers secured by bonds against those bonds to hunt possible scammers. Since any successful inquisition would result in BSQ from the bond being burned, it would make sense to reward the inquisitor with a percentage of those BSQ.

Initially (say with fewer than 500 published offers) there would not be much need for this... but at a certain point (1000+ offers) hunting bond scammers could be a rewarding task. Of course the inquisitor could get tip-offs on suspicious activity from moderators, users, etc...

pazza83 commented 3 years ago

Hi @flix1 thanks for posting this. Looks interesting.

Trying to imagine how this would work but I lack imagination!

To help me understand better here are a couple of questions :)

  1. Would revenue for the DAO be created from just the voluntary on-chain BTC/BSQ trade?
  2. Could anything be traded? eg any altcoin, gold coins, physical products?
flix1 commented 3 years ago

Would revenue for the DAO be created from just the voluntary on-chain BTC/BSQ trade?

Yes. From BTC/BSQ trades and also from locked-up BSQ bonds (which increase demand for BSQ). It's a freemium model. The DAO offers value-added security services, but if you don't want them you pay nothing. Of course the DAO takes zero responsability for unsecured offers and there will be very loud disclaimers to that effect.

The advantages for the DAO of attracting new users with a very low barrier to entry should more than compensate any revenue lost on small-amount unsecured trades.

Could anything be traded? eg any altcoin, gold coins, physical products?

Eventually I don't see why not. But to keep things simple it makes sense to start with the things that the Bisq comunity already trades: Bitcoin, fiat currencies, altcoins. Even shitcoins!

flix1 commented 3 years ago

After a bit of discussion here https://github.com/bisq-network/projects/issues/51

I've modified the suggested format somewhat.

image

flix1 commented 3 years ago

Since real life is the best test, I thought that while we build something better we could play around with a Google Sheets. I know it's not the best for privacy, but I will delete it in a couple of months.

Sisq order book 0.1 just testing

Minimum viable product and iterate...

Feel free to play around!

flix1 commented 3 years ago

image

A dozen offers so far. Nice variety of payment methods, etc..

flix1 commented 3 years ago

Already a few trades reported, 20 offers and a few improvements made...

image

Considering how hard it has proven in the past to kickstart a new market on Bisq, I think it makes sense to keep all the offers in the same place.

It's also nice to see somebody already using one of the suggested security features: BSQ bonded reputation. (Read more about it here: https://github.com/bisq-network/growth/issues/243 )

Letting users fill fields however they want (without even giving options) is also giving useful information about preferred payment methods, contact channels, etc...

flix1 commented 3 years ago

My idea of a perfect #DEX is based on an open market, bazaar or souk: part improvised and spontaneous, but also part organized. Based on a complex tangle of property rights, customs and spontaneous order.

Not completely anonymous... but 99% of interactions are between strangers.

image

Most transactions are simple exchange and fully completed in an instant. No need for paperwork or identity. No need for a complex record-keeping system. Some merchants have known identity and care about reputation and return business. Others will be here today and gone tomorrow, picking up their tent and going to another market town. Interactions are visual and simple. Little knowledge is needed to enter the bazaar. A child can buy or sell as long as they understand money and prices.

Payments are instant. Buyer hands over the money, merchant hands over the goods.

Maybe there is a bit of haggling over price, discussion of the product, questions about payment method or even exchange rate (tourists)... but once the money changes hands it's done and done.

What recourse does the buyer have if unhappy with the product? Most of the time little... but they can always raise hell, make noise and scare away other clients (reputation), loudly demand restitution or even threaten to call the police... It is a bit of a miracle that it all works as well as it does tbh. There is surprisingly little need for dispute resolution in most bazaars.

Most purchases are for small value items. For larger value (a carpet? furniture?) merchant reputation becomes important.

...

Can the above be replicated online? Can Bisq 2.0 become something like this? Can your Bisq client be like your bazaar tent?

I think it could, but there are many things that need to change for that to happen:

-Flexibility: In a bazaar you don't have to ask permission to sell something new. You don't need to "create a new market". You just display it and see if anyone is interested. You can adapt to fashions, trends, technology, supply, prices very quickly. You own your shop and are not subject to a centralized authority telling you what you can and cannot sell.

-Speed: We need to adapt to instant payment systems like Lightning Network. Most trades should have the capacity to be completed in seconds.

-Reputation: Bisq already has the tools for this. Account age, account signing, bonded reputation... we just have to find the right way to use them. Learn when they are needed and when they are not.

-Simplicity: I'm no UX expert and don't know how to do this, but it is very clear to me that an 8 year old can buy an orange at a bazaar, but would struggle a LOT to buy something on Bisq. We need to work very hard on this problem. Maybe think more about the visual aspect of the market.

-Security: The DAO is a very powerful tool, as long as it does not need to be used too frequently. It needs to be the ultimate adjudicator that only needs to act in one out of 10.000 trades. Security deposits are also a very powerful tool as we have seen... but they are expensive and a barrier to entry. They should not be required until the trade value justifies the cost. You don't need a security deposit to buy a $1 orange! You might need a guarantee if you buy a $1.000 carpet. We also need a way for victims of scammers to "raise hell" and make noise about the scammer. I don't know if a "report" button would be appropiate, or a github issue, or a DAO mechanism or even just a keybase channel... but there has to be something that allows very fast communication to every market participant that a dishonest player is in town so that they can take measures to protect themselves.

chimp1984 commented 3 years ago

And such an experience is very distinct to the cold attitude of plain online-business. I think the social and colorful aspect is heavily under-utilized.

mpolavieja commented 3 years ago

What a great insight @Flix1!! I love the analogy with the bazaar and how you have analyzed it.

Regarding UX, I am no expert at all either. But I'll throw a couple ideas:

chimp1984 commented 3 years ago

@mpolavieja Regarding tx graph: That is an interesting approach to use the existing blockchain data. This data is used by chainanalysis spies anyway, so better make it explicit visible to the users so they can see the reality and act on that by either doing a coinjoin to break the chain of txs or using it for their benefit as reputation. I think that can be seen as different tools and use cases:

mpolavieja commented 3 years ago

@flix1 This website looks a lot like what you envision, just centralized in a website.

https://paxful.com/buy-bitcoin?fiat-min=100&group=bank-transfers&hasScroll=true

Almost 400 payment methods: image

A sample of offers: image

flix1 commented 3 years ago

@mpolavieja sure Paxful, Localbitcoins and other P2P websites have done an amazing job making it easy for people to buy and sell Bitcoin in almost any country... just the same as Shapeshift did a great job making it very easy to exchange cryptos back in the day... I even interviewed Jeremias Kangas (Localbitcoins) and Erik Voorhees (Shapeshift) for Bitcoin Magazine back in 2013.

But they all have the same problem: being centralized companies/websites they have all had to submit to KYC, AML and impose surveillance on their users. They have also had to censor many transactions (for example F2F cash) and block many countries. Just like most centralized exchanges.

I will not forget that the reason I support Bisq is that it is censorship resistant, private, decentralized and it keeps users in control of their funds and data.

That being said... Bisq can and should learn a lot from other P2P exchanges where it can... UX being one important area. We should copy what works and is not incompatible with Bisq's decentralized nature.

mpolavieja commented 3 years ago

Just like most centralized exchanges.

Yeah, that is the key issue. I knew about localbitcoins and shapeshift, but never used them. Did not know about paxful and I found a way lot more of payment methods than I expected.

flix1 commented 3 years ago

image

Paxful has been doing a pretty amazing job, especially in Africa and South America. See their volumes: https://coin.dance/volume

...and they have managed to work in China, something that we have had a lot of difficulty with in Bisq.

mpolavieja commented 3 years ago

I think the two layer approach might do the trick. A top p2p light layer fully decentralized where users and not so much developers lead how the software is used, and then a second layer for larger and more secure transactions.

Probably, to avoid censorship, it would be good that the top light layer is somehow unrelated or not very directly related to the secure layer (Bisq) where we have the DAO, infrastructure and people that could be targeted.

We could also learn things on how wallapop got bootstrapped. For wallapop it was local proximity (maybe too early for Bitcoin), maybe for Sisq it should be "payment method proximity"?

Professional OTC markets could also give us some hints. They heavily rely on reputation and balance sheet strength, which is not very applicable here... But maybe some other tip on how they find their trading counterparties?

Let's see what we can learn from the spreadsheet prototype...

For me the sign that the UX has been down correctly, would be to get traction in Argentina or China.

chimp1984 commented 3 years ago

I think for China you need local people to help to get the right understanding. We in the west have a very distorted and incorrect view of China. Was my experience when I visited it many years ago and get it confirmed when learning more about China from insiders (which is still very hard to find good resources - here is one: https://www.youtube.com/channel/UCTdWsl15oEt0nZZy9Z1fnhQ).

flix1 commented 3 years ago

There's been some discussion of the modular Bisq 2.0 multi-protocol idea...

But how would that work specifically for Sisq?

The idea is to keep it really simple but very flexible... so you would download the default Bisq 2.0 multiprotocol client with all the core communications, wallet, DAO functionality, offer book, etc...

image

By default Sisq would just give a simple choice of security protocol to avoid confusion when creating an offer:

  1. Default security protocol (current Bisq 2-of-2 multisig with mediation).
  2. None
  3. Other

If you choose option 1, everything is as we already know in Bisq 1.6. Nothing changes.

If you choose option 2, you get a big disclaimer that you are taking a risk and take full responsability, etc, etc... then you can publish "unsecured" offers that are resolved outside of Bisq, require no fees and no on-chain txs.

If you choose 3. other you then go to a menu of available options... initially this will be empty as no other protocols have been built. But imagine for example that a new atomic swap protocol is developed for XMR/BTC... then that option would be available for download as an add-on for Bisq and included in this menu. Or if it runs externally to Bisq you don't even need to install anything, just include an url (for example if a reputation system is public on a website) or if the security info is available on a blockchain explorer. Like it is currently being done on the test spreadsheet.

This way you can build dozens of different protocols, experiment, discard, etc. Most users will only use one or two protocols (for example atomic for altcoins and reputation for Lightning Network-fiat) But if something new comes along... anyone even external to Bisq can build it and try it.

chimp1984 commented 3 years ago

The UX challenge how to present the multiple options is an open task. I think we should try to figure out new ways like doing aa user onboarding which combines education about the context (trade offs between wallet options, blockchains, protocols,...). Ledger has done a great job with their desktop app, maybe we can find some inspiration there.

flix1 commented 3 years ago

image

The test spreadsheet will be moving very soon to something better than Google Sheets... probably https://cryptpad.fr/

We are also seeing some fun experiments with reputation systems... Localbitcoins reputation, Twitter reputation, BSQ reputation bonds... the flexibility of an open spreadsheet allows a lot of experimentation.

flix1 commented 3 years ago

New shared spreadsheet: https://cryptpad.fr/sheet/#/2/sheet/edit/tE42iuR--PZ3PsQOyayt9JFo/

mpolavieja commented 3 years ago

New shared spreadsheet: https://cryptpad.fr/sheet/#/3/sheet/edit/5646af8a67d9faa1c1a51fd37c776a59/

I am getting this error:

image

flix1 commented 3 years ago

Try this: https://cryptpad.fr/sheet/#/2/sheet/edit/tE42iuR--PZ3PsQOyayt9JFo/

image

viperperidot commented 3 years ago

I agree that adding a more social element to Bisq would be awesome if we can implement it while still allowing users who wish to remain completely anonymous the ability to trade. Maybe it would be possible to use your successful trade history as part of your reputation without discloses any trade details? We should try and port over a users account ageing into the new system in some form so they get credit for that moving forward. Another idea I thought would be cool would be to have like a 'bisq contributor' badge or something like that. I have had some short but nice conversations with trading partners on Bisq and those have been great interactions, it is cool having that sense of community while still remaining private. I think the current protocol is great and it was meant to be very strict but I think it intentionally discourages the social or chat aspect of the trade. As long as users are aware of the opsec techniques required and tradeoffs for using different new features of the application I think it could make experience more vibrant as chimp mentioned. Personally every time I trade on Bisq I find it to be a fun and exciting experience because I know I am part of something unique and importan. The things i've seen in the pipeline for Bisq 2.0 I think will take it to the next level and have a big increase in the user base, this low barrier trade protocol is one of them for sure.

flix1 commented 3 years ago

image

Some useful info from the feedback section of the spreadsheet.

Feedback poll link: https://cryptpad.fr/poll/#/2/poll/edit/4GKLiedU7uugHvSMdYL6Nw8q/embed/

csralvall commented 3 years ago

The UX challenge how to present the multiple options is an open task. I think we should try to figure out new ways like doing aa user onboarding which combines education about the context (trade offs between wallet options, blockchains, protocols,...). Ledger has done a great job with their desktop app, maybe we can find some inspiration there.

Maybe I'm misunderstanding what you mean. But I think that umbrel app framework could be a good source of inspiration to look at when trying to implement a flexible application with core functionality and multiple add-ons.

chimp1984 commented 3 years ago

Ah thanks for the link. Definitely a good inspiration. The Ledger app is also dealing well with a similar challenge.

pazza83 commented 3 years ago

Hi @flix1

Many thanks for this proposal.

I am closing this proposal as approved.

Please consider opening a project if needed to outline process, set objectives, and a budget for the development of a simplified DEX.