Help me understand something. I just downloaded Bisq and checked out a wide variety of offers, and a lot of them seem to have a deposit of ~15% of the trade amount. How exactly does that provide a safety measure? If either party follows through on their part of the deal, then that means the other party benefits from simply not going through with theirs, and rather allowing the deposit to be lost. The only way I’ve been able to solve this problem when thinking about it is to have deposits of at least as much (100%) of what’s being traded, and preferably as much as possible (i.e. ~200-300%, or even as much as ~1000% or more, although that is perhaps not as realistic). Is there something fundamental I’m missing here?
BTC seller deposits trade amount alongside security deposit, so 115 - 150% of capital is tied to the trade.
https://bisq.wiki/Security_deposit
I still don’t quite see how that solves it; I’m talking about how it should be necessary for 200% or more of the capital to be tied down (i.e. both the value of the trade, and at least an additional 100%), but perhaps there’s still something I don’t understand. What about the buyer? They don’t have to make any deposit? Maybe I’m misunderstanding something really fundamental here. What exactly are the conditions for the deposits to be burned?
EDIT: Never mind; I just realized that Bisq has “dispute resolution” with “arbitration” as an ultimate security measure. In other words, it’s not really any better than a trusted third party, and in my view completely useless. I guess that solves that.
BTC buyer sends a 15-50% trade amount security deposit. BTC seller 100% trade amount + 15-50% security deposit. If there is a dispute, the part at fault will lose the security deposit which will be used to compensate the part that acted rightfully. The trade amount will be awarded to the part who deserves it (BTC buyer if buyer sent fiat, BTC seller if fiat was not sent).
Funds are sent to a 2of2 multisig, and both buyer and seller need to agree on a payout from this address. Arbitration is opened only if one of the peers wants to. Bisq does not have control of these funds, only buyers and sellers do.
https://bisq.wiki/Dispute_resolution
See, the problem here is the “if there is a dispute, the part at fault will lose the security deposit”; this involves a trusted third party working as an arbiter. That’s a total no-go.
The only way I know to completely remove a third party of a trade is Mutual Assured Destruction, which is that both parts lose the security deposit if the trade does not go on.
There’s no market for it, and traders could try to blackmail the part who loses more.
Yes, that was indeed my point, I assumed Bisq was operating with that, since that’s the only way to actually achieve decentralized and trustless exchange.
What Bisq is doing is just setting itself up as a glorified arbiter. Into the trash it goes!
If you find a better alternative for your data and funds, please let me know.
I’ve won two disputes and so far, lost none, I can say Bisq mediators are doing a great job.
I had two disputes on Bisq in the past. One was my fault (bank problems), the other one was the fault of the taker (no bank transfer). The mediator was very good and very fast, he did a great job in both cases!
I can confirm that to my knowledge no payment was made to the above two users in order to get the positive reviews they left, and in fact I also think our mediators are nice and reasonable chaps.
This is a serious issue; I couldn’t agree more. High-value, undercollateralized trades—which nearly every fiat-inclusive trade on Bisq is—are opportunities for malicious parties to guarantee substantial sums of money in their pockets through dishonest behavior.
Once the buyer has the seller’s BTC, they’re home-free; the most they stand to lose past that point is 50% of the trade value, and that’s if the arbitrator ultimately rules in favor of the seller.
A dishonest buyer wins big upon the seller releasing their BTC, every time—and this, rightly, will ultimately push participation away from Bisq fiat markets.
First:
By the nature of the two assets being exchanged—BTC and fiat—the seller is the one assuming nearly all of the risk in a transaction (but critically, not all; see PS), because they’re the one receiving fiat from another party; fiat is reversible money, it is freezable money, it is opaque money, it is centrally-controlled money, it is trusted money. Native BTC, and many other blockchain assets traded in Bisq, are far less any one of these things by nature.
It’s always dangerous to accept fiat from an unknown party, which is generally not the case with BTC (rarely ever will a terrorist or whatever send you BTC—and if you’re concerned about getting implicated in something you would never want any part in, then at minimum, there’s XMR). Understanding this, we can move forward.
Moving forward:
If a seller (the risk-facing party) enters a trade with a buyer who uses illicit funds to pay the seller (money from a bank account that is not the buyer’s—a bank account that the buyer hijacked from someone else, for instance), the buyer’s path to guaranteeing that they gain value through any current Bisq trade, which are all undercollateralized, looks like this:
- BTC buyer pays seller with illicit funds; seller has no sure-fire way to know that these funds are illicit, because fiat is opaque money
- BTC seller receives illicit funds, releases BTC to buyer (point of no return)
- Bank freezes seller’s bank account, initiates process to reverse buyer’s fraudulent payment; seller, let’s say, is left completely in the dark by bank, bank refuses to verify anything up until now
- End of trade except for final release of collateral; BTC seller is left without the buyer’s fiat, and without their initial BTC. BTC buyer is guaranteed to leave the trade with at least 50% of the BTC that the seller sent them, because the maximum that the seller could demand the buyer put up as collateral, still in the trade contract and still up to the arbitrator to handle, was half of the trade value.
If the buyer does this, again and again and with multiple different stolen bank accounts, then they’re able to indefinitely use Bisq to scam sellers out of their BTC for a minimum of 50% of the trade value for as long as it takes everyone to take notice that this keeps happening. There’s a lot of illicitly-obtainable, and illicitly-lost BTC in this. This is bad.
At the very least, a malicious party going into a trade where they stand to lose 100% of the trade value, if their dishonest behavior is observed and acted upon, means that observable malicious behavior wouldn’t net them any value.
Having even higher collateralization ratios may be beneficial in some cases, but I would be cautious dealing with someone who wants over ~110%; in the case of a dispute, everything currently comes down to the arbitrator, and the arbitrator may have bad—or even worse, corrupted—judgement (500% the value of any given typical Bisq trade is pretty good money, but it’s also the kind of money that a true victim would raise an alarm of foul play over; this may lead to criminal prosecution, criminal arbitrators pretty please beware).
The solution for the undercollateralization issue is to simply remove the collateral cap; 50% isn’t enough. Even 100% doesn’t compensate for the sheer hassle that a malicious party brings, but I’d personally be wary going into a trade with someone who wants (a lot) more—at least, if there is a trusted arbitrator making the final call. It’s your judgement, though, and I support the idea of removing the cap entirely.
Additional (mostly ways to improve the value that Bisq offers users)
One solution for the arbitration problem that becomes evident when examining all of this would (might) be Kleros court, kind sirs. I couldn’t insist on it, because I have no experience using it—only a general idea of what it’s supposed to do. Data privacy might be an issue; ask Kleros. Regardless, in the event of Bisq’s expansion, having a larger network of randomized arbitrators on-hand can never hurt. (i don’t even hold kleros; i think the memes are funny.)
Alternatively—and preferably, I would strongly argue—Chainlink oracles could be used to trustlessly verify whether, for instance, an e-transfer payment was made or not, but this would require Interac or at least one party (preferably more) with access to Interac’s portal[source] to:
- Take the e-transfer reference number from the buyer/seller trying to prove their case
- Run it through the portal
- Return the results, which would hopefully include a timestamp, payment amount, and the name that the buyer presented to Interac, in addition to any other helpful details that may or may not indicate foul play
This would help to bring Bisq one step closer to full trustlessness, which is highly desirable for all honest users.
An honest seller might, thus, be able to have the fiat payment provider themselves prove that a dishonest buyer made a payment from a bank account that this buyer cannot provide sufficient evidence that they’re supposed to have access to.
A potential issue with implementing this is that trust would fall on the responding oracle networks to behave honestly, and then Interac and its network to not be tampered with by an inside party; in the case of the oracles, you can just get more oracles providing what should be the same data—easy fix—but in the case of Interac’s internal data, it might be trustworthy for a few years, but eventually, actors who wish to exploit exploitable systems will. Interac probably needs blockchain—and, of course, this isn’t up to us.
It’s worth noting that additional tech from Chainlink (i.e. DECO) would, with service from the right oracles, enable a seller/buyer to link any current, unmodified bank account to Bisq, and then verify the case they make for themselves (that their bisq-linked bank account is under their name, that it did or didn’t make or receive a payment, and that they are able to log back into this account that still has the same name and send transfers without any flags being raised three weeks later), without revealing any other facts about themselves; these are hypotheticals at the moment, as DECO isn’t yet in production, but it would be impressive to see this in action—especially with something as cool, cool, fucking cool as Bisq.
Ultimately, if we’re talking immediate fixes, finding and implementing less opaque fiat payment systems (i.e., transfers are viewable, but only by someone who holds a reference number) is probably the best current solution to sealing up gaps in Bisq where trust becomes a factor; such systems may already exist, but I don’t know of them.
(PS: A dishonest seller can claim that the buyer didn’t initiate fiat payment when they did, but an honest buyer has plenty of recourse in this case; they could, in theory, so much as have their bank forward proof of their payment to the email that the seller provided in bisq to a mediator.
On the other hand, if a dishonest seller tries to frame an honest buyer for initiating a fraudulent payment that they didn’t make, the buyer cannot prove something they didn’t do—they can only insist to the mediator that the trade effectively be cancelled. If the buyer wants to do this, but they’ve already sent fiat to the seller, they can get their bank to verify that they made payment, and the amount can be taken from the seller’s collateral.
It must be said—if a bank is unwilling to verify, for their client, that they initiated an E-transfer, then it’s probably time for the buyer to get a new bank.)
That was my post, thanks for reading :v)
Security deposits can’t protect a user from a chargeback if they proceed with the chargeback after the BTC are released, no matter how big they are. The only reason why security deposits were raised from 5 to 15 and then 50% is to prevent future trading (not settling the trade to buy BTC if the price plunges).
This is a different issue. Verifying if a payment was made or not is necessary for mediation. The way to do this depends a lot on the payment method used.
You mean, a fiat chargeback? If security deposits for a trade were set to 100%, then in the event that a buyer successfully pulls their fiat payment from the seller after a seller has released their BTC (but security deposits have not been released), the seller is able to make this dishonest buyer face recourse that meets the full value of the trade. Any less, and the buyer is guaranteed to gain at the expense of the seller.
The bottom line of my post is, if security deposits are lower than 100%, then a dishonest buyer is always guaranteed to gain value from dishonest behavior; the scheme that I detail (one where a dishonest buyer has hijacked someone else’s bank account and uses that bank account to pay the honest seller) is one that I am certain, for a fact, has already played out on Bisq—and it has probably already played out again, because it is essentially free money to a dishonest buyer. It’s a way for them to take illicit funds that they would otherwise not be able to use anywhere else, and get value out of it—completely at the seller’s expense.
The damage it does to Bisq and its honest users is real, and a certainty.
Verifying that a fraudulent payment was made—i.e., a payment from a bank account that the buyer, at minimum, cannot prove is theirs (names don’t match up, buyer cannot pass 2FA (if present), bank account put on freeze when buyer tries to send test ~$0.01 e-transfer)—may be useful for mediation. In cases where bank accounts are not relevant—e.g. gift cards, etc.—then bank-enforced chargebacks to an honest seller are indeed not relevant.
It’s already over 100%.
BTC seller deposits security deposit from 15 to 50% of trade amount, plus trade amount. So basically, BTC seller deposits 115 - 150% of trade amount.
Bisq allows only payment methods that are hard to chargeback, but you never know when a transaction in fiat banking is completely settled.
(scroll down for tl;dr)
No—I mean, if each user had to deposit 100% of the trade value as a security deposit (so, combined security deposits, because there’s two parties in the trade, equals 200% the value of the traded amount).
This would be the only way for either party to guarantee full recourse to the other in the event that one attempts to defraud the other, post-release of trade BTC.
(I should note—If Bisq doesn’t currently keep the security deposits in a state where they may be subject to mediation after the release of the trade BTC but prior to final closing of the trade, that’s another problem that should be fixed. I stress—this is a real, dangerous, and serious issue. Bad actors have already exploited this, and it has already hurt Bisq users.)
Because one user is able to scam the other out of the full traded amount value in a variety of ways, the fact that any combined security deposit figure:
- is equal deposits from either trade party, and critically,
- currently may only add up to a max of 100%
strictly means that any current Bisq trade is prone to exploit. One user would always explicitly benefit more from practicing dishonest behavior than they would behaving honestly.
Any combined security deposit figure less than [trade value x n users] is insufficient to render a dishonest party’s fraud attempts completely pointless. (There’s still the potential for mediator failure, but one advancement at a time)
50% of the security deposit total represents the deposit that either one of the parties is required to put up, out of their own pocket. This means that an honest user getting 100% of the combined security deposit figure would be getting their own money as “reimbursement” for losing twice that much to a dishonest party; they’re really only getting 50% of the money they lose back, and that’s if they set collateralization to the current maximum of 50%.
To put things into DeFi terms, Bisq currently works in a way vaguely similar to how AAVE would work if users were able to borrow double the amount on their deposits; some parties will behave honestly, but some will inevitably just take the protocol for all it’s worth. In Bisq, this translates to “honest users WILL get ripped off and have no recourse”, which translates to “honest Bisq users WILL eventually lose faith in Bisq”. 100% collateralization, per-user, is a necessity to prevent this.
It really doesn’t matter what the security deposits between users in a trade add up to, perhaps other than to reflect on the fact that [cost of mitigating trust between n parties regarding trade] ≥ [trade value x n]; trust is a bloody expensive thing to mitigate, by its nature.
What does matter is “how much can one user scam the other for”—in this case, it’s 100% of the value of the trade, ideally minus one trader’s security deposit. A dishonest user knows this, and knows that the maximum they currently stand to lose from dishonest behavior is only the 50% of the trade value that they were required to put up; dishonest users can effectively spend $250 to make $500, and if they’re using stolen bank accounts, Bisq is one of the best ways for them to do this because their identities are never once at risk of being exposed, and money from stolen bank accounts is very difficult to get any value out of otherwise.
These dishonest parties are using Bisq, strictly to our detriment. We have to stop them if Bisq is to grow, period.
tl;dr
Bisq needs to
- Remove collateral caps, or at minimum raise the cap to 100% (per user)
- Hold security deposits for mediation, especially after the seller has released the BTC, if this isn’t already done; maybe have a suggested waiting period, and advise bank fiat recipients to ensure they can still access their bank when a few hours pass.
This is the only way to remove the incentive that dishonest parties have to engage in endless sybil attacks where they use stolen bank accounts (from which payments are not immediately reversed, but will be) to pay sellers. Given that your users’ wealth is essentially Bisq’s liquidity, it’s exactly like a liquidity drain—and it’s happening, right now.
I strongly encourage you to run my comments past and discuss this subject with everyone on the developer side at Bisq, though I will try to reach them; this issue needs to be fixed in order for Bisq to be a truly robust product.
You have a basic misunderstanding of how security deposits work, @bats, as once the seller releases BTC, deposits are also contextually released to their respective owners.
Once a trade is finalized, it is finalized.
So in your example, if a buyer managed to chargeback, say, a SEPA payment even after the 6-day trade period (extremely unlikely, cannot say impossible as I don’t work in a bank… or I do, but they don’t tell me enough… or I know enough, but I just need to cover my bases) then there is no deposit to access, nor can any dispute be raised, because trade is complete.
Another very simple thing to consider: we just don’t get these situations where the things you mentioned above happen. Yes, there have been reports, they are very few and far apart, and if compared to the volume of trades happening on Bisq they are just not enough to warrant such a large change to the trading system.
Yet another point to the discussion: if security deposits were 100%, or even if 50% was more widely spread, I know for a fact I would not trade as much, if at all, and I suppose the same would happen with most of Bisq’s userbase.