Can someone please correct me if I’m wrong but couldn’t an attack simply work like this:
The donation address holder puts up a bunch of XMR buy offers at above market rate, gets 100s of BTC worth of trades come in, waits for everyone to pay never releases his BTC, waits for people to publish time locked transaction and runs off with 100s of BTC worth of BTC from the Bisq donation address and the XMR.
I know the person has to put up a 50k Bisq bond but they have the potential to steal far more money than that in one day before anyone notices.
Right now I have a 0.5BTC trade that hasn’t been released and the trade expired yesterday. I have no response from the Mediator and it’s likely the trade will go into arbitration.
I have had this happen many times before with arbitrators having to release my funds.
With v1.2 and the new trade protocol there is a real risk of losing all of your BTC as a BTC buyer:
BSQ donation address holder can scam people by buying xmr and then never releasing the BTC and getting it via the timelocked transaction
BTC seller could go AWOL after you’ve sent the XMR and then BSQ donation address holder could have a computer crash and lose their private key
BTC seller could come on dump a bunch of BTC to get XMR but never come back to release the BTC and sending the BSQ donation address holder broke and then cause the BSQ price to collapse so reimbursement can’t happen that way
Those 3 scenarios above are very real and serious and probably why there has been absolutely no high value trades on the new protocol yet. At the moment I’m purposely not updating and considering leaving Bisq all together, the risks are just too high.
I really worry that this is going to seriously drive XMRBTC volume elsewhere as there are many alternatives. I think many XMRBTC traders like myself will see this new protocol as unacceptably risky. And given that XMRBTC volume is what keeps Bisq going that’s a huge risk for the whole Bisq project.
It’s understandable that you have hesitations with the new trade protocol. I don’t think all your concerns are on point though.
BSQ donation address holder can scam people by buying xmr and then never releasing the BTC and getting it via the timelocked transaction
This doesn’t seem worse than in the previous protocol where the arbitrator could collude with one party. You’re worrying about the trusted third party, arbitrator or donation address holder, which is there to alleviate worries about a pure 2of2 protocol. I agree that it is a problem so we should try to improve on it. Any ideas on this would be greatly appreciated. Please join the discussions on the off chain protocol or suggest improvements to current one. The suggestion to use a multisig donation address sounds quite reasonable for example. My personal favorite while discussing this protocol was to send the funds to a burner address, but other options were discussed, such as sending to a worthy project, such as Tor. In the end this is what we came up with to keep the money within the Bisq ecosystem.
BTC seller could go AWOL after you’ve sent the XMR and then BSQ donation address holder could have a computer crash and lose their private key
This is the same risk as in the previous protocol. BTC seller disappears and arbitrator loses their keys. It is a risk, but it seems pretty small.
BTC seller could come on dump a bunch of BTC to get XMR but never come back to release the BTC and sending the BSQ donation address holder broke and then cause the BSQ price to collapse so reimbursement can’t happen that way
I don’t see how you the donation address holder goes broke here. The XMR seller would release the BTC to the donation address which would then recycle the money back to the XMR buyer, and the BTC seller would lose their deposit.
Over all getting rid of the arbitrator as a part of the multisig greatly alleviates the regulatory risk to bisq. The main risk was for those acting as arbitrators and it was a central point that could’ve been censored. The donation address doesn’t have that issue. Some money might get lost if pressure is put on the donation address holder but it’s not a systemic risk. Bisq as a whole would stop the usage of that address and still have arbitration intact.
The thing that makes me hesitant to trade on the new protocol is that the btc donation address holder is elected by the DAO. Literally all we know about this person is that they had 50,000 BSQ to lock up. The arbitrators were at least chosen by BSQ developers which I think provided more safety.
If I were a scammer I’d see the possibility to run off with 100s of btc and definitely risk 50,000 BSQ to try on that particular scam. I’m not talking about collusion here, I’m talking about the donation address holder actively trading with the intent to scam.
Do we have any visibility of the donation address funds. ie any way to verify that a published time-locked transaction is used to pay back an XMR seller who wasn’t released? I think that would really help if we could somehow prove that any unreleased trades were being resolved by the donation address holder.
I guess if my suggested attack actually happened and lets say I took 10-20 BTC of trades in one go then I could elect to only publish one time locked transaction at a time? this would limit the benefit to the scammer but I’m guessing my funds would still be lost because the donation address holder / scammer would always have the key to that transaction so if the XMR buyer never came back that BTC would be lost forever still.
The multi sig for the time lock is a good suggestion but I’m not sure it would solve the issue because it would just mean multiple donation address holders are voted on in the DAO and it could be the same person.
I realise that not a lot has changed and we had all these risks with the old trade protocol but the big difference for me now and the thing that’s putting me off is that the donation address holder is now completely anonymous, which i’m sure is by design but it makes the whole thing a bit more risky.
Fair point with number 3, didn’t think that through, oops.
I agree that it is a problem so we should try to improve on it. Any ideas on this would be greatly appreciated.
Some money might get lost if pressure is put on the donation address holder but it’s not a systemic risk.
Make the BSQ donation address 2 out of 4 multisig and rotate it every now and then. In this scenario, there needs to be two address owners, each with one of the keys, and the other two keys need to be shared between arbitrators and trusted developers. You can make more parties in multisig if needed. I’m honestly surprised why wouldn’t anyone think of that
Another point I didn’t make before is that arbitrators were randomly chosen from 3 different people? With the new protocol just one person ends up with the funds. If arbitrators were going to scam they couldn’t guarantee that anyone taking their offers would end up with them as an arbitrator.
The donation address holder on the other hand has a guarantee that after 10 days they’ll end up with the funds.
Actually, it’s kinda easy to figure out where the funds come from if you know how to work a block explorer. So if anything funny happens, just go to your peer’s deposit/fee tx ID for BTC and follow the coins, so to speak
Another option is to ask users (offer creator) if he wants the deposit to go to the Bisq donation address, TOR foundation or to be destroyed.
The 2of2 and donation address relies that there’s little incentive going to arbitration and these cases should be rare. It think that this post makes a good point, XMR volume is high ennough and if the Bisq donation address manager wants to scam Bisq, it’s possible because there’s no bond high ennough to stop this. Multisig for the donation address is a good idea, collusion is harder when involving multiple parties.
You would just distribut the risk. If all 2 or 3 keyholders are corrupt it would be same.
The donation address owner need to continuously buy BSQ with the funds, doing that as multisig party makes this task more complicate and expensive for Bisq. As long BSQ bond is higher as BTC balance for one cycle security is intact. Beside that there is DAO voting involved. If any new contributor who has zero reputation requests that role he might not get enough votes. There is also only 1 role for that so as long a contributor exercises that role and build up reputation over time there is no reason to change that role.
Just to make clear: I don’t think that this could not be done more securely but Bisq has many open issues which need to get improoved and that is IMO on the very low end of priorities or risk.
50,000BSQ is about 5 bitcoin so less than 3 x 2BTC XMR trades. As long as the scammer has enough BTC to start they could easily steal more than that (It’s not uncommon for Bisq to do 150BTC XMR volume in one day).
The issue is that right now isn’t that exactly what has happened? The github user burning2019 was only created on the 8th of September and they seem to have had no activity at all apart from asking for the donation address holder role.
I think that there’s a real risk, with the current Bisq volumes there’s no reasonable BSQ bond that could prevent this kind of attack, that would be really profitable.
There could be 2 different roles for this task, 3 BTC Donation address holders receiving the BTC from arbitrated trades to a 2of3 multisig account, and one BSQ DAO Buyer that buys BSQ from periodical transfers from the 2of3 multisig account.
A BSQ Bond would be ennough for the BSQ DAO Buyer role, but as you noted, we would only be distributing risk for the Donation address holders. Anyhow, this would be a better situation than the current one.
In the meantime, considering that going back to the older protocol with 2of3 multisig is not an option and has its own risks anyway, I think that we should destroy the 2of2 funds, or donate them to a BTC friendly organization.
If the person in charge of the donation address is really anonymous, I would take this issue as the main priority.
I also believe that the current system is much more dangerous than the previous one, besides the possibilities explained by @eeeper, there is an excessive imbalance between what a buyer and a seller could lose so it could be beneficial to attack Bisq’s reputation, lose the security deposit but earn more shorting BSQ.
In fact, I wouldn’t discard that is currently happening.
For example I have a sale whose buyer has not made payment. The buyer could lose 0.001BTC and I, who have acted honestly, could lose fifteen times more. Of course my first reaction is to stop all new transactions at Bisq.
But for now they are only proposals and, at least from what I’ve read of the current implementation, I can’t find how to recover my BTCs if the buyer doesn’t want to.
It greatly complicates any transaction and practically eliminates all liquidity.
You’ll recover your BTC. The arbitrator will pay you from his own funds and then ask for reimbursement from the DAO.
If you’re dissatisfied with the mediator’s suggestion and sure you are entitled to a better outcome, publish the time-locked transaction as soon as it’s possible and request arbitration.
Collaborate with the arbitrator to clarify the details of your case.
If the arbitrator sides with you, they will personally reimburse you.
The arbitrator will then request reimbursement from the Bisq DAO for the reimbursements they’ve paid. This isn’t something you need to worry about as as trader, but it’s good to know how the process works on both sides.
Arbitrators are required to respond to messages within 5 days, so it may take a bit longer for them to respond than mediators (you should still respond to messages within 2 days).
It is definetively not correspondig to any standard or recognized business ethics to confiscate customers deposit and then as a detached event possibly compensate the customer by means of an employees private belongings. And from a common morality perspective it breaks norms of equality.