In the current trade protocol there is one Burning Man.
Burning Man is the sole controller of the Trade Fee Address and Donation Address.
Burning Man uses funds received in both these addresses to buy BSQ and burn it. This helps increase the liquidity of the BTC/BSQ market and therefore provides extra liquidity for contributors and BSQ holders that want to sell their BSQ.
Problems
The role of Burning Man is a potential single point of failure for Bisq.
As there is only one Burning Man, they could potentially attack Bisq by taking trades themselves, only to let the trades time out, go to mediation and then arbitration, upon which the BTC in the multisigs would be sent to the donation address they control.
The Burning Man role is bonded at 50,000 BSQ (current value 1.897 BTC). This amount is not sufficient: Burning Man almost always has more BTC in their controlled addresses than the value of their bond.
Previous Burning Men are unbonded, yet occasionally (3 times in the last ~6 months) they receive BTC to their controlled addresses. For example:
0.27994000 BTC is currently in Default donation address: 1BVxNn3T12veSK6DgqwU4Hdn7QHcDDRag7
0.02094775 BTC recently went to burningman2: 3A8Zc1XioE2HRzYfbb5P8iemCS72M6vRJV
Should Burning Man stop functioning in their role, BTC from trade fees and donations will build up. In a worst case scenario the BTC would be stolen or no longer accessible.
Multiple reasons could cause a Burning Man to stop functioning / be incapacitated in their role:
Death / illness
Loss of keys
Incarceration
Regulatory pressure
Moving on to other interests once role has ended
As there is only one Burning Man, at the point at which it was discovered that they had stopped functioning in their role, Bisq could look to introduce a new Burning Man. This would potentially limit the losses to the funds within their addresses until a new Burning Man could be installed.
The worst case scenario of the Burning Man problem for Bisq, therefore, is a nefarious Burning Man that could steal an unlimited amount of user funds through self trading.
In summary I see the risks in the following order (most risk to least risk):
Nefarious Burning Man (low likelihood, very serious consequences)
Incapacitated Burning Man (medium likelihood, medium consequences)
Previous Burning Man still receiving funds (high likelihood, medium consequences)
As a result of this, Burning Man is a trusted role. This in itself is a problem.
Worst case scenario
In the current trade protocol a Burning Man has the potential to act in a nefarious way as they are the only Burning Man.
Burning Man could take all trades on Bisq to buy BTC. Currently there are 40 BTC worth of trades on Bisq. All a nefarious Burning Man would need to do to get 40 BTC worth of trades (some are buy and some are sell, so the amount entering multisigs would be less than 40 BTC) plus all the security deposits is take all the trades to buy BTC and sell BTC.
A rough estimate of the amount of BTC a nefarious Burning Man could steal would be:
Sell BTC (20 BTC) + Sell BTC security deposits (4 BTC) + Buy BTC security deposits (4 BTC) + current address funds (4 BTC) = 32 BTC
This would be a pretty rudimentary attack; a more sophisticated attack over time focusing on larger trades would likely result in a higher amount.
An attack like this from someone in a trusted Bisq role would cause serious harm to traders, the DAO, and Bisq's reputation, and it would be difficult or impossible to recover from.
Outcomes
To mitigate the risks above it would be good for the DAO to work towards the following outcomes:
Reduce the ability of Burning Man to act in a nefarious way.
Reduce the consequences to Bisq when a Burning Man becomes incapacitated.
Stop previous Burning Men receiving BTC to their donation addresses.
Make the Burning Man role as trustless as possible.
Remove the Burning Man role being a single point of failure for Bisq
Reduce the chance of Burning Man ever having more BTC in their trade fee and donation addresses combined than their BSQ bond is worth
Solution
1. Reduce the ability of Burning Man to act in a nefarious way.
A situation like the worst case scenario above is only possible because there is only one Burning Man.
When there is only one Burning Man they are guaranteed to get their security deposit back, so an attack like the above is basically zero cost. You only need the BTC capital to carry out the attack, as you are guaranteed to get it all back.
Every additional Burning Man introduced (assuming at this point they are separate entities) adds a potential loss:
| Number of Burning Men | Revenue Generated from Attack | Cost of Attack | Profit/(Loss) from Attack |
| --- | --- | --- | --- |
| 1 | 32 BTC (100% of 30 BTC plus 100% of 4 BTC) | 0 BTC | 32 BTC |
| 2 | 17 BTC (50% of 30 BTC plus 50% of 4 BTC) | 3 BTC (pays 6 BTC, gets 50% back) | 11 BTC |
| 3 | 11.33 BTC (33% of 30 BTC plus 33% of 4 BTC) | 4 BTC (pays 6 BTC, gets 33% back) | 7.33 BTC |
| 4 | 8.5 BTC (25% of 30 BTC plus 25% of 4 BTC) | 4.5 BTC (pays 6 BTC, gets 25% back) | 4 BTC |
| 5 | 6.8 BTC (20% of 30 BTC plus 20% of 4 BTC) | 4.8 BTC (pays 6 BTC, gets 20% back) | 2 BTC |
| 6 | 5.67 BTC (16.67% of 30 BTC plus 16.67% of 4 BTC) | | |
Having 12 Burning Men would reduce the possibility of a nefarious Burning Man as they would incur losses from any attack.
2. Reduce the consequences to Bisq when a Burning Man becomes incapacitated.
Each Burning Man would be bonded at 25,000 BSQ (this is today's price to Bond).
25,000 BSQ current value is 0.9485 BTC.
12 x 0.9485 BTC = 11.382 BTC
Currently at any one time approximately 4 BTC is contained within the Burning Men's donation addresses.
If this were to continue, then the amount contained in the Bonds would be 225% over-collateralized, giving additional security to the DAO.
Each Burning Man would be expected to burn their BTC by their corresponding months at the latest.
Eg:
Burning Man 1 burn all BTC by end of January and June (or upon BTC value reaching two thirds of bonded amount)
Burning Man 2 burn all BTC by end of February and July (or upon BTC value reaching two thirds of bonded amount)
Burning Man 3 burn all BTC by end of March and August (or upon BTC value reaching two thirds of bonded amount)
This would mean each Burning Man is burning at least twice a year at a minimum.
Should any Burning Man not be buying BSQ and burning it with the BTC in their addresses, contributors can reach out to them on GitHub requesting them to do so. If they failed to do so and the BTC in their donation address was approaching or exceeding their BSQ Bond, then a contributor could submit a request to confiscate their bond.
3. Stop previous Burning Men receiving BTC to their donation addresses.
I assume the above would require a new trading protocol. Hopefully, legacy burning men addresses would be easily removed.
One of the issues, however, is Bonds being able to be revoked by the contributor after a given number of blocks; this could be when they are still actively completing the role OR when they have completed the role but are still receiving donation address payouts due to historic trades.
An alternative to bonding could be for Burning Men contributors to burn the equivalent amount of BSQ, showing proof of burn, and then request their BSQ back at a given point in time following completion of their role. Eg 12 months after they have resigned from the role.
4. Make the Burning Man role as trustless as possible.
The idea would be for the Burning Man role to not require any trust.
Burning Man would be a bonded role or the BSQ would have been burnt. Multiple bonds would be posted. Therefore, bond/burnt amounts would be 12 x 25,000 BSQ = 300,000 BSQ. This is around 7.5% of total BSQ supply.
Should any Burning Man not fulfil their role, their BSQ could be burnt by confiscation. This would require a very high threshold, as already defined in the DAO specifications.
The process of confiscating the user's bond would in effect cause the required burn process.
Eg Burning Man 6 has gone AWOL. He has 0.8 BTC in his addresses and is approaching his bond limit. The DAO could vote to confiscate his bond leading to the burning of the 25,000 BSQ which would equate roughly to the amount of BSQ he would have burnt should he have traded his BTC for BSQ and burnt them. Burning Man 6 would then keep his BTC in his donation addresses if he makes a reappearance.
5. Remove the Burning Man role being a single point of failure for Bisq
Having multiple Burning Men would reduce the risk of any one of them being a single point of failure. It would be possible for any of the Burning Men to be incapacitated and for Bisq to continue. It would also not be possible for any one Burning Man to act nefariously in such a way that it puts the entire project at risk.
6. Reduce the chance of Burning Man ever having more BTC in their trade fee and donation addresses combined than their BSQ bond is worth
This is difficult to achieve with the current trade protocol.
25,000 BSQ current value is 0.9485 BTC.
The usual largest BTC amounts that can be sent to arbitration are 2.6 BTC (usually 2 BTC trades with a 15% security deposit from each trader).
Therefore possible options are:
Increase BSQ bond (would make it harder for someone to take on the role)
Have the BTC donation address payout distribute the BTC for large trades eg over 0.25 BTC to the 12 donation addresses
Decrease trade amounts (likely not popular and might decrease trade fee revenue)
Combination of the above
This proposal does not remove the possibility of a Burning Man having more in their donation addresses than their bond is worth but it does reduce the risk and distribute it over a larger number of Burning Men.
Potential negatives
These are some of the issues that would need addressing:
Burning Man currently trades directly with Reimbursed users - Maybe Reimbursed users could trade with the Burning Men directly that have the largest BTC donation address wallet sizes (to reduce their amounts building up)
Burning Man currently trades directly with Refund Agent - Maybe the current Burning Man could keep the trade fee address (less risk) and trade with Refund Agent with these funds.
More compensation requests - Ideally, the role being distributed amongst more users would mean a less frequent need to trade: twice yearly per Burning Man rather than every 2 weeks as the current Burning Man is doing. Therefore, while costs would increase, it would not be a 12 times increase.
What if the new burning men were all the same entity? - I am sure this can be avoided, but even if it is, it could not be known for certain. At the very least it would increase the bond requirement for the role by a multiple of 12, providing increased security, and it would therefore be a much better situation than it is presently.
Proposed changes to trade protocol
Considering the above I think it might be an idea to split the way trade fees and donation address payouts are handled.
I would propose:
All trade fees go to the current @burningman3
@burningman3 would use the funds sent to the trade fee address to trade directly with the Refund Agent
The trade fee address receives about 10 BTC per year. Refund Agent requests about 15 BTC per annum in reimbursements. If @burningman3 needed to top up their trade fee wallet, they could request funds to be sent to it by one of the other burning men.
@burningman3 would still do all the trading on Bisq with the funds from the donation addresses. The difference is they would not control the donation addresses and would have to request one of the other burning men to send funds to the trade fee address. This would be done publicly by posting a request on their role 30 days in advance of the date they wanted the funds by.
@burningman3 would keep their current compensation mechanism in place
All donation payouts are distributed to the 12 new burning men
Each donation address payout would be split equally between all 12 new Burning Men (maybe, to save miner fees, trades under say 0.1 BTC could be randomly sent to one address of the 12). Anyway, the main point is to try and distribute funds to the Burning Men equally so their BSQ bond is not exceeded.
The 12 new Burning Men would not have to trade their BTC on Bisq for BSQ. Instead they would send the BTC in their wallets to @burningman3 on a public request posted by them on the Burning Man GitHub role. This would make this new Burning Man role very simple. They are simply receiving payments to an address and sending payment to an address upon request.
Each Burning Man would make a request to the DAO each cycle for 200 USD. Their request would include a report stating their wallet balance at the start of the cycle, the amount they have sent to @burningman3, and their wallet balance at the end of the cycle. Keeping the new Burning Men interacting with the DAO every cycle should reduce the chance of a Burning Man going AWOL. At the very least it would alert the DAO to the missing Burning Man and kick-start the discussion about Bond confiscation should their wallet address be approaching the amount of their BSQ bond (eg two thirds of the amount).
The additional costs to the DAO would be 2,400 USD. Hopefully this would be worth it to move toward the outcomes above.
NB I am aware this would mean there are now 13 Burning Men, but I did the tables above with the assumption that the trade fees and donation payouts would be merged; on reflection I think it would be better if they were split as in the proposed changes to trade protocol. If people think there is merit to this proposal I will rewrite it with the correct figures and from the assumption at the start that trade fees would be kept by @burningman3 and donation payouts would be split :)
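As an added example, not part of the proposal or of Bisq's own code: a small Python model of the attack-cost table and of the "approaching the bond" trigger from the proposal above. It takes its figures from the post (the 30 BTC and 4 BTC revenue components, the 6 BTC of attacker security deposits of which 1/n is returned, a 25,000 BSQ bond worth 0.9485 BTC, and two thirds of the bond as the alert level) and follows the parenthetical formulas in the table row by row; the break-even count and the status labels are the example's own additions.

```python
"""Risk model for the Burning Man proposal (added example, not project code).

With n separate Burning Men a self-trading attacker only receives 1/n of each
delayed payout, while the security deposits they post come back only in the
proportion 1/n.  The bond check mirrors the proposal's rule that a Burning Man
whose address balance approaches two thirds of their bond value should be asked
to burn, and that a confiscation request is justified once it is exceeded.
"""
from dataclasses import dataclass

# Figures copied from the proposal text (constructed model inputs, not live data).
TRADE_SIDE_BTC = 30.0          # the "30 BTC" component in the revenue column
ADDRESS_FUNDS_BTC = 4.0        # the "4 BTC" already sitting in donation addresses
ATTACKER_DEPOSITS_BTC = 6.0    # "pays 6 BTC" of security deposits per attack
BOND_BSQ = 25_000              # proposed bond per Burning Man
BSQ_PRICE_BTC = 0.9485 / 25_000   # implied by "25,000 BSQ current value is 0.9485 BTC"
ALERT_FRACTION = 2 / 3         # "approaching" = two thirds of the bond value


@dataclass(frozen=True)
class AttackOutcome:
    burning_men: int
    revenue_btc: float
    cost_btc: float

    @property
    def profit_btc(self) -> float:
        return self.revenue_btc - self.cost_btc


def attack_outcome(n: int) -> AttackOutcome:
    """Revenue and cost of the self-trading attack when payouts are split n ways."""
    if n < 1:
        raise ValueError("need at least one Burning Man")
    revenue = (TRADE_SIDE_BTC + ADDRESS_FUNDS_BTC) / n   # attacker gets 1/n of each payout
    cost = ATTACKER_DEPOSITS_BTC * (1 - 1 / n)           # deposits that go to the other n-1
    return AttackOutcome(n, revenue, cost)


def break_even_burning_men() -> int:
    """Smallest number of Burning Men at which the attack no longer profits."""
    n = 1
    while attack_outcome(n).profit_btc > 0:
        n += 1
    return n


def bond_status(balance_btc: float, bond_bsq: int = BOND_BSQ,
                bsq_price_btc: float = BSQ_PRICE_BTC) -> str:
    """Classify a Burning Man's held BTC against the BTC value of their bond."""
    bond_value = bond_bsq * bsq_price_btc
    if balance_btc >= bond_value:
        return "exceeded"   # bond no longer covers the held funds: confiscation request
    if balance_btc >= ALERT_FRACTION * bond_value:
        return "alert"      # approaching the bond: ask on GitHub, start the discussion
    return "ok"


if __name__ == "__main__":
    for n in (1, 2, 3, 6, 12):
        o = attack_outcome(n)
        print(f"{n:2d} Burning Men: revenue {o.revenue_btc:5.2f} BTC, "
              f"cost {o.cost_btc:4.2f} BTC, profit {o.profit_btc:5.2f} BTC")
    print("attack unprofitable from", break_even_burning_men(), "Burning Men")
    print("Burning Man 6 holding 0.8 BTC:", bond_status(0.8))
```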
I've read it a few times and it seems very feasible.
There already exists a mechanism for distributing fee payments to a set of addresses defined by the filter; the same principle could be applied for distributing delayed payouts.
You might not find that many people willing to make the bond and take on the personal risk of the role.
Ideally you would want to automate auditing the fee payments using scripting / reporting.
It may be easier to start out with a smaller number of burning men before scaling up.