There’s an exploit which affects, at minimum, fiat recipients in Bisq trades that utilize Interac e-Transfer. The scenario where it works looks like this:
- Seller (who is honest) begins trade with buyer (who is dishonest)
- Buyer sends trade amount to seller, from stolen bank account; stolen bank account may easily have Interac e-transfer name modified to match name on Bisq trading account (you may verify this with your own bank)
- Seller sees name matches, assumes everything is okay, accepts buyer’s deposit, and releases their BTC. With this BTC release, the buyer has succeeded in their scam.
- Payment reversal on seller’s bank account begins either when bank suspects fraud, or when the owner of the bank account that the buyer hijacked reports funds missing.
This is an exploit. It is effectively at the expense of Bisq’s crypto-side liquidity. Given that all the attacker needs in stolen credentials, it’s probably not limited to Interac E-transfer. I will provide suggestions on how I think it could be mitigated, and eventually fixed.
The only way to completely prevent this, that I can see, is by removing the incentive that a dishonest party might have to attempt this kind of fraud.
Edit: these must be combined to be effective.
- Raise security deposit cap to at least 100%. A mediator rewarding the full 100% collateral amount is for when a buyer is left with the seller’s BTC, but the seller no longer has the buyer’s fiat.
(Modularity, as always, is preferable. Users should be able to choose the terms of the locking period. Some may only want to do ~24h, some might want to do less. Options are valuable.)
- After seller releases BTC, keep holding security deposits for some time.
(up to a week, considering weekends/holidays where some banks’ legacy fraud detection systems might not catch fraud; one cannot verify what each bank’s fraud detection system is like. the more vagueness a user prepares for, the better.)
Until this issue can be fixed with an upgraded trading scheme, it may be advisable to give users a simple, but obvious warning to wait an appreciable period of time after accepting a fiat payment before they release their crypto to the buyer.
To compliment this warning, Bisq should consider lengthening the trade period window, or resetting it after the buyer or seller has confirmed that fiat payment has been sent/received, so that sellers are guaranteed the time needed to wait for flags to be raised. If some don’t listen and they get taken advantage of, there should be no room for doubt that it’s not the fault of Bisq.
It would also be beneficial, especially given this exploit, to allow makers to reject a taker. It’s less risky to sell BTC to a signed account that’s been around for awhile; one may not want to take on the risk of selling to someone who isn’t signed.
Buyers signed for any length of time, using a bank account that’s registered in their name, would be leaving a paper trail if they were to change other bank accounts’ Interac names to the one on their signed Bisq account; the payoff (~>$3k) definitely isn’t worth the risk of jail time.
Unfortunately, trust must still fall on the arbitrator to act honestly on quality evidence. That may, at the moment, simply be the state-of-the-art, if fiat is to be involved.
In the future, technology such as Chainlink DECO may be used to produce proof of an honest seller’s payment being returned to the bank account from which the buyer sent payment, which may circumvent the need for arbitration entirely and make fiat-facing aspects of Bisq fully automated, sans development. This would be quite an achievement.
If my ideas are not acted on, I encourage your creativity in addressing this issue with the seriousness it deserves. It’s an exploit, through-and-through.
As an addendum, I’m in the middle of a failed trade (post-mediation) with someone whose bank account I could not accept money from during the trade.
I accepted deposits in other trades shortly before and after, but obviously, my trading partner cannot verify that; I’m guessing he doesn’t know who to trust.
I suspect they were a victim of this problem.
They are neither accepting the mediation, or responding to me; it feels fairly obvious that they don’t dismiss the notion that their account got frozen because I somehow tried to scam them. They have a right to suspect this—but given that I know it isn’t the case (and i don’t think was even possible, given the circumstances), and know what the real issue might’ve been, it’s frustrating.
This issue needs to come to light, to prevent friction like this in the future.