pazza83 / Bisq


DRAFT: The 12 Burning Men of Bisq - Idea to mitigate Burning Man as a single point of failure for Bisq #2

Open pazza83 opened 2 years ago

pazza83 commented 2 years ago

Definition of Burning Man (Donation Address Holder) Role

Previous proposals related to the Burning Man problem:

Summary of Burning Man role:

In the current trade protocol there is one Burning Man.

Burning Man is the sole controller of the Trade Fee Address and Donation Address.

Burning Man uses funds received in both these addresses to buy BSQ and burn it. This helps increase the liquidity of the BTC/BSQ market and therefore provides extra liquidity for contributors and BSQ holders that want to sell their BSQ.

Problems

The role of Burning Man is a potential single point of failure for Bisq.

As there is only one Burning Man they could potentially attack Bisq by taking trades themselves only to let the trades time out, go to mediation and then arbitration upon which the BTC in the multisigs would be sent to the donation address they control.

The Burning Man role is bonded at 50,000 BSQ (current value 1.897 BTC). This amount is not sufficient: Burning Man almost always has more BTC in their controlled addresses than the value of their bond.

Previous Burning Men are unbonded yet occasionally (3 times in the last ~6 months) they receive BTC to their controlled addresses. For example:

Should Burning Man stop functioning in their role, BTC from trade fees and donations will build up. In a worst case scenario the BTC would be stolen or no longer accessible.

Multiple reasons could cause a Burning Man to stop functioning or become incapacitated in their role:

As there is only one Burning Man, at the point at which it was discovered that they had stopped functioning in their role, Bisq could look to introduce a new Burning Man. This would potentially limit the losses only to the funds within their addresses until a new Burning Man could be installed.

The worst case scenario of the Burning Man problem for Bisq, therefore, is a nefarious Burning Man that could steal an unlimited amount of user funds through self trading.

In summary I see the risks in the following order (most risk to least risk):

  1. Nefarious Burning Man (low likelihood, very serious consequences)
  2. Incapacitated Burning Man (medium likelihood, medium consequences)
  3. Previous Burning Man still receiving funds (high likelihood, medium consequences)

As a result of this, Burning Man is a trusted role. This in itself is a problem.

Worst case scenario

In the current trade protocol a Burning Man has the potential to act in a nefarious way as they are the only Burning Man.

Burning Man could take all trades on Bisq to buy BTC. Currently there are 40 BTC worth of trades on Bisq. All a nefarious Burning Man would need to do to get 40 BTC worth of trades (some are buy and some are sell so the amount entering multisigs would be less than 40 BTC) plus all the security deposits is take all the trades to buy BTC and sell BTC.

A rough estimate of the amount of BTC a nefarious Burning Man could steal would be:

Sell BTC (20 BTC) + Sell BTC security deposits (4 BTC) + Buy BTC security deposits (4 BTC) + current address funds (4 BTC) = 32 BTC

This would be a pretty rudimentary attack; a more sophisticated attack over time focusing on larger trades would likely result in a higher amount.

An attack like this from someone in a trusted Bisq role would cause serious harm to traders, the DAO, and Bisq's reputation, and it would be difficult or impossible to recover from.

Outcomes

To mitigate the risks above it would be good for the DAO to work towards the following outcomes:

  1. Reduce the ability of Burning Man to act in a nefarious way.
  2. Reduce the consequences to Bisq when a Burning Man becomes incapacitated.
  3. Stop previous Burning Men receiving BTC to their donation addresses.
  4. Make the Burning Man role as trustless as possible.
  5. Remove the Burning Man role being a single point of failure for Bisq.
  6. Reduce the chance of Burning Man ever having more BTC in their trade fee and donation addresses combined than their BSQ bond is worth.

Solution

1. Reduce the ability of Burning Man to act in a nefarious way.

A situation like the worst case scenario above is only possible because there is only one Burning Man.

When there is only one Burning Man they are guaranteed to get their security deposit back so an attack like the above is basically zero cost. You only need the BTC capital to carry out the attack as you are guaranteed to get it all back.

Every additional Burning Man introduced (assuming at this point they are separate entities) adds a potential loss:

| Number of Burning Men | Revenue Generated from Attack | Cost of Attack | Profit/(Loss) from Attack |
|---|---|---|---|
| 1 | 32 BTC (100% of 30 BTC plus 100% of 4 BTC) | 0 BTC | 32 BTC |
| 2 | 17 BTC revenue (50% of 30 BTC plus 50% of 4 BTC) | 3 BTC cost of attack (pays 6 BTC gets 50% back) | 11 BTC |
| 3 | 11.33 BTC revenue (33% of 30 BTC plus 33% of 4 BTC) | 4 BTC cost of attack (pays 6 BTC gets 33% back) | 7.33 BTC |
| 4 | 8.5 BTC revenue (25% of 30 BTC plus 25% of 4 BTC) | 4.5 BTC cost of attack (pays 6 BTC gets 25% back) | 4 BTC |
| 5 | 6.8 BTC revenue (20% of 30 BTC plus 20% of 4 BTC) | 4.8 BTC cost of attack (pays 6 BTC gets 20% back) | 2 BTC |
| 6 | 5.67 BTC revenue (16.67% of 30 BTC plus 16.67% of 4 BTC) | 5 BTC cost of attack (pays 6 BTC gets 16.67% back) | 0.67 BTC |
| 7 | 4.86 BTC revenue (14.29% of 30 BTC plus 14.29% of 4 BTC) | 5.14 BTC cost of attack (pays 6 BTC gets 14.29% back) | (0.28 BTC) |
| 8 | 4.25 BTC revenue (12.5% of 30 BTC plus 12.5% of 4 BTC) | 5.25 BTC cost of attack (pays 6 BTC gets 12.5% back) | (1 BTC) |
| 9 | 3.77 BTC revenue (11.11% of 30 BTC plus 11.11% of 4 BTC) | 5.33 BTC cost of attack (pays 6 BTC gets 11.11% back) | (1.56 BTC) |
| 10 | 3.4 BTC revenue (10% of 30 BTC plus 10% of 4 BTC) | 5.4 BTC cost of attack (pays 6 BTC gets 10% back) | (2 BTC) |
| 11 | 3.09 BTC revenue (9.09% of 30 BTC plus 9.09% of 4 BTC) | 5.45 BTC cost of attack (pays 6 BTC gets 9.09% back) | (2.36 BTC) |
| 12 | 2.83 BTC revenue (8.33% of 30 BTC plus 8.33% of 4 BTC) | 5.5 BTC cost of attack (pays 6 BTC gets 8.33% back) | (2.67 BTC) |

Having 12 Burning Men would reduce the possibility of a nefarious Burning Man as they would incur losses from any attack.

2. Reduce the consequences to Bisq when a Burning Man becomes incapacitated.

Each Burning Man would be bonded at 25,000 BSQ (this is today's price to Bond).

25,000 BSQ current value is 0.9485 BTC.

12 x 0.9485 BTC = 11.382 BTC

Currently at any one time approximately 4 BTC is contained within the Burning Men's donation addresses.

If this were to continue then the amount contained in the Bonds would be 225% over collateralized giving additional security to the DAO.

Each Burning Man would be expected to burn their BTC by their corresponding months at the latest.

Eg:

Should any Burning Man not be buying BSQ and burning it with the BTC in their addresses, contributors can reach out to them on GitHub requesting them to do so. If they failed to do so and the BTC in their donation address was approaching or exceeding their BSQ Bond, then a contributor could submit a request to confiscate their bond.

3. Stop previous Burning Men receiving BTC to their donation addresses.

I assume the above would require a new trading protocol. Hopefully, legacy burning men addresses would be easily removed.

One of the issues, however, is Bonds being able to be revoked by the contributor after a given number of blocks; this could be when they are still actively completing the role OR they have completed the role but are still receiving donation address payouts due to historic trades.

An alternative to bonding could be Burning Men contributors Burn the equivalent amount of BSQ showing proof of burn and then request their BSQ back at a given point in time following completion of their role. Eg 12 months after they have resigned from role.

4. Make the Burning Man role as trustless as possible.

The idea would be for the Burning Man role to not require any trust.

Burning Man would be a bonded role or the BSQ would have been burnt. Multiple bonds would be posted. Therefore, bond/burnt amounts would be 12 x 25,000 BSQ = 300,000 BSQ. This is around 7.5% of total BSQ supply.

Should any Burning Man not fulfil their roles their BSQ could be burnt by confiscation. This would require a very high threshold as already defined in the DAO specifications.

The process of confiscating the user's bond would in effect cause the required burn process.

Eg Burning Man 6 has gone AWOL. He has 0.8 BTC in his addresses and is approaching his bond limit. The DAO could vote to confiscate his bond leading to the burning of the 25,000 BSQ which would equate roughly to the amount of BSQ he would have burnt should he have traded his BTC for BSQ and burnt them. Burning Man 6 would then keep his BTC in his donation addresses if he makes a reappearance.

5. Remove the Burning Man role being a single point of failure for Bisq

Having multiple Burning Men would reduce any one being a single point of failure. It would be possible for any of the Burning Men to be incapacitated and for Bisq to continue. It would also not be possible for any one Burning Man to act nefariously in such a way that it puts the entire project at risk.

6. Reduce the chance of Burning Man ever having more BTC in their trade fee and donation addresses combined than their BSQ bond is worth

This is difficult to achieve with the current trade protocol.

25,000 BSQ current value is 0.9485 BTC.

The usual largest BTC amounts that can be sent to arbitration are 2.6 BTC (usually 2 BTC trades with 15% security deposit from each trader).

Therefore possible options are:

This proposal does not remove the possibility of a Burning Man having more in their donation addresses than their bond is worth but it does reduce the risk and distribute it over a larger number of Burning Men.

Potential negatives

These are some of the issues that would need addressing:

Burning Man currently trades directly with Reimbursed users - Maybe Reimbursed users could trade with the Burning Men directly that have the largest BTC donation address wallet sizes (to reduce their amounts building up)

Burning Man currently trades directly with Refund Agent - Maybe the current Burning Man could keep the trade fee address (less risk) and trade with Refund Agent with these funds.

More compensation requests - Ideally the role being distributed amongst more users would mean less frequent need to trade. Twice yearly per Burning Man rather than every 2 weeks as current Burning Man is doing. Therefore while costs would increase it would not be 12 times the increase.

What if the new burning men were all the same entity - I am sure this can be avoided but even if it could not be known for certain, at the very least it would increase the bond requirement for the role by a multiple of 12, providing increased security, and it would therefore be a lot better situation than it is presently.

Proposed changes to trade protocol

Considering the above I think it might be an idea to split the way trade fees and donation address payouts are handled.

I would propose:

The additional costs to the DAO would be 2,400 USD. Hopefully this would be worth it to move toward the outcomes above.

NB I am aware this would mean there are now 13 Burning Men but I did the tables above with the assumption that the trade fees and donation payouts would be merged, but on reflection I think it would be better if they were split as in the proposed changes to trade protocol. If people think there is merit to this proposal I will rewrite it with the correct figures and from the assumption at the start that trade fees would be kept by @burningman3 and donation payouts would be split :)
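The attack-economics table in the proposal above, generalized to any number of Burning Men and any deposit/capture figures. This is an added example written for this page; it is not part of pazza83's proposal or of the Bisq code base. The 30 BTC of capturable trade amounts, 4 BTC of existing address funds, 6 BTC of attacker security deposits and the even split of arbitration payouts across Burning Men are assumptions taken from the table, not from the trade protocol, and the function and constant names are my own.

```python
"""Attack-economics model for the multi-Burning-Man proposal.

Added example for this page, not Bisq project code. Assumptions taken from
the proposal's table (constructed figures, not measured values):
  - 30 BTC of trade amounts could be pushed to arbitration by self-trading;
  - 4 BTC already sits in the donation / trade fee addresses;
  - the attacker must post 6 BTC of security deposits to take those trades;
  - arbitration payouts are split evenly across n Burning Men, so an
    attacker who is one of them recovers only 1/n of every payout.
"""
from dataclasses import dataclass
from typing import List

CAPTURABLE_BTC = 30.0    # trade amounts that would end up in arbitration payouts
ADDRESS_FUNDS_BTC = 4.0  # BTC already held in Burning Man addresses
DEPOSITS_BTC = 6.0       # security deposits the attacker has to lock up


@dataclass(frozen=True)
class AttackOutcome:
    burning_men: int
    revenue: float  # BTC the attacker receives through their own payout share
    cost: float     # BTC of deposits that end up with the other Burning Men

    @property
    def profit(self) -> float:
        return self.revenue - self.cost


def attack_outcome(n: int, capturable: float = CAPTURABLE_BTC,
                   address_funds: float = ADDRESS_FUNDS_BTC,
                   deposits: float = DEPOSITS_BTC) -> AttackOutcome:
    """Outcome of the self-trade attack when payouts are split n ways."""
    if n < 1:
        raise ValueError("there must be at least one Burning Man")
    share = 1.0 / n
    # The attacker captures only their share of the trade amounts and of
    # the funds already sitting in the addresses.
    revenue = share * (capturable + address_funds)
    # Deposits are paid in full, but only the attacker's share flows back.
    cost = deposits * (1.0 - share)
    return AttackOutcome(n, revenue, cost)


def break_even_burning_men(capturable: float = CAPTURABLE_BTC,
                           address_funds: float = ADDRESS_FUNDS_BTC,
                           deposits: float = DEPOSITS_BTC) -> int:
    """Smallest number of Burning Men at which the attack stops being profitable.

    profit(n) = (capturable + address_funds + deposits) / n - deposits, so the
    attack pays while n < (capturable + address_funds + deposits) / deposits.
    """
    if deposits <= 0:
        # With no deposit at stake the attack is free for every n; refuse
        # rather than loop forever.
        raise ValueError("attack cannot be made unprofitable without a deposit")
    n = 1
    while attack_outcome(n, capturable, address_funds, deposits).profit > 0:
        n += 1
    return n


def outcome_table(max_n: int = 12) -> List[AttackOutcome]:
    """Rows 1..max_n, mirroring the layout of the proposal's table."""
    return [attack_outcome(n) for n in range(1, max_n + 1)]


if __name__ == "__main__":
    print(f"{'n':>3} {'revenue':>8} {'cost':>6} {'profit':>7}")
    for row in outcome_table():
        print(f"{row.burning_men:>3} {row.revenue:>8.2f} "
              f"{row.cost:>6.2f} {row.profit:>7.2f}")
    print("break-even number of Burning Men:", break_even_burning_men())
```

Running the script reproduces rows 3 to 12 of the table to rounding and reports a break-even of 7 Burning Men, the first row at which the attacker's share of the payouts no longer covers the deposits they forfeit. The first two rows of the table differ from the model's output, which is worth checking when the proposal is rewritten with the split-fee figures mentioned at the end of the post. Because the break-even depends only on the ratio of total capturable value to the deposit, the same function can be rerun with larger trade sizes or a different deposit percentage to see how many Burning Men keep the attack unprofitable.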

ghost commented 2 years ago

I've read it a few times and it seems very feasible.