[bisq-network/proposals] Proposal for new trade protocol without the need for arbitrators (#52)

Manfred Karrer notifications at github.com
Fri Oct 26 17:45:59 UTC 2018


Hi @chris-belcher thanks for your feedback! 

I will add a description about the blackmail issue with 2of2 Multisig and why this proposal is not vulnerable to it as a separate post.

Here are my replies to several issues you brought up:

### Real disputes are very rare 
Maybe I need to emphasise that more and get some numbers from the current arbitrators, but real disputes are super rare or nearly non-existent. Of course that does not mean that they can happen and we need to prepare for that, but it can be expected that those cases which really go to voting for reimbursements are very rare.

As I noted in the introduction it must not be more than one or two a month or even less, otherwise we need to fix that problem by adjusting the system. If there is only a request from one peer of the trade there is no investigation required as he has nothing to win (see later for a more detailed explanation). Only in those cases where both request do we need a judge.
The BSQ stakeholders are not required to do the dispute resolution work by themselves as that would also carry privacy problems (you don't want to share Pagesigned docs with many stakeholders). There will be a specialized entity (mediator) who will act as a semi-trusted entity and the stakeholders will take their word as recommendation. The details about those areas still need more thought but I think the flexibility here is a feature not a bug. It allows us to tune the system on demand, something which I miss with the current system.

The stakeholders act as execution entities not as judges. It adds separation of power to the current system where the arbitrator is judge and executor.

### Not the lack of arbitrators is the problem but to secure that and scale that up
Currently to become an arbitrator you will receive a private key from myself to be able to register. That is required as an arbitrator could collude with a trader and could do fraudulent payouts. So in the worst case a scammer registers as arbitrator, makes many deals with a colluding peer and takes out the funds to him and the colluding party. To avoid that risk we have only highly trusted persons who are in fact co-founders of the project, so besides that I trust them personally the economic incentives that they act honestly are aligned as they are major stakeholders in Bisq and by scamming they would hurt Bisq and their investment. With BSQ bonding we will make that even more secure but it has scaling problems. To cover the max. damage an arbitrator could cause he needs to lock up that amount of BSQ bonds. First problem is that the max. damage depends both on trade volume on Bisq as well as the BTC price. Adjusting BSQ bonds frequently is problematic as they have long lock times. Besides that there are simply not many people atm who have such a high amount of BSQ and for those who have it they might be just not willing to lock up so much and do the arbitration job - which is not a fun job by the way... So to get the few arbitrators motivated we have to pay a lot. Atm they do it mostly for altruistic motivation (as far as I can interpret).

Related to that is the scaling problem. We already had a request from Bisq supporters in Vietnam who wanted to become arbitrators. But I would take a huge risk to give out the arbitration right to people who I don't know personally. They could even act honestly for a while and then make a long con, or they could act as major market maker and be arbitrator as well, therefore having a conflict of interest, and Bisq would be betraying those Bisq users who assume that the system is designed in the way that the arbitrator is not an active trader. So we have a scaling problem here as not many people have the required BSQ for bonding. Translation for complicated cases might be an issue, though maybe that is not the main problem.

### Legal risks
As described above I give out the private keys so atm I would be the choke point - even with anonymous arbitrators they cannot be 100% anonymous as I would not trust a 100% anonymous person (ok I would trust Satoshi ;-)). Even if we find a more decentralized version for that (e.g. using BSQ bond for enabling registration - there is work going on in that direction) there are some arbitrators who don't want to hide behind anonymity and therefore would be exposed to legal risks.

### Flexibility
An arbitrator can revoke any time but there are some problems involved:
He could have been selected in open trades and as max. trade period is 6 days he needs to assume that he still gets cases for the next 1-2 weeks. Sometimes dangling cases come even much later.
Being on sick leave is even harder to handle... Of course we can - and sometimes do - announce then on the forum that there will be a longer response time than normal due to special circumstances, so it's not a huge problem but it still sucks...

### Atomic swaps
Atomic swaps are for sure super interesting on the technical level (I even started once working on it for Bisq) but they have 2 main issues if you want to do it in a real decentralized way:

1. Scaling issues on the engineering side:
You can support BTC clones quite easily but it adds much more engineering effort to get it supported with the more interesting coins like Monero, Ethereum, etc... To support 100s of coins is quite a bit of work

2. Scaling issues on the resource side:
If you run that in a similar architecture as we have in Bisq (SPV wallet) you have high resource requirements to support many altcoins. BitcoinJ can be already quite heavy with BTC alone. DOGE (when we had it as an alternative base currency) for instance was much worse because of the short block time. BitcoinJ got really busy... Using different models leads either to bad usability or to centralisation. So if you require that the user runs a full node and connects via RPC you limit to a handful of coins - which can be ok as most people are only interested in one or two trade pairs. But then the user needs to have a full node for the altcoin. The other option to use something like Electrum as remote server will lead to a federated system in the best case or being fully centralized in the worst. You want at least to have the wallet managed locally so that will still add some engineering effort to support that for many coins.

Maybe there are solutions for all that or there are "just good enough" ways to do it, but at least it is a big problem where there are no clear solutions yet.

Doing it in a server based environment (like Mercury did) would work better but then you only gain on security not on censorship resistance and I fear the added disadvantages (speed, tx fees) are not worth the gains then.

Another issue is that each trade is on-chain and costs tx fees which is not long term viable. But of course that's a problem with the current system as well, that's why we want to go in the direction of an off-chain trade protocol.

But thanks for the links I will check out those scriptless script ideas. As said I am also a big fan of it and probably it will become more feasible to do it some day but as you also said the Fiat side is the more relevant and for that it does not help anyway. 

Btw: Arbitration cases with altcoins are very rare and if so they basically never are complicated as the arbitrator can look up the block explorer. Monero is an exception here but as XMR traders are very skilled usually there are also very few problems.

I will try to get an overview about the current arbitration cases (how many, what are the reasons, how long they take, num of scam attempts,...) to give a better idea how the actual situation is.

### Adding more costs for dispute resolution
I think that is a good point and we should work out that area more. 

My current idea was to delegate it as far as possible to the users and as from my experience most traders act with good intentions that should resolve 90-95% of the cases.

Then there might be more complicated cases because of bugs or banking issues. Here a specialist is needed to help. Currently the support area in the forum acts a bit like that besides the arbitrators themselves. I think that should be a free service to the user and we pay those support agents as contributors (like now). Especially with bugs it's not their fault and it would decrease user experience if besides running into problems they even have to pay for help.

Then there might be those very few cases where the peer is not cooperating or a scammer which will become candidates for reimbursements. If only one peer (the victim) is requesting reimbursement we don't need to do any verification or judgement as there is no incentive for him to gain something - or if so the other peer would make a request as well. 

If it is the BTC seller he has lost his trade amount in the timelocked payout to the donation receiver. So he gets only 90% refunded by BSQ. Besides that he has to pay a rather high BSQ fee for making the request (adds costs/risks for abuse attempts).
The BTC buyer could gain something as he lost only his security deposit and could get 90% of the trade amount if he states that he has sent the Fiat. But here the seller will likely also make a reimbursement request as he has much more to lose. And then we would end up in the only real dispute case where we need a specialized entity (can be the mediator) who is doing the investigation and makes a recommendation to the stakeholders. As both have to pay a high BSQ fee (about 50 USD) a scammer would run into high risk that he does not get reimbursed and loses, in addition to the buyer security deposit (which will also become higher than now - about 50-100 usd), the BSQ fee (and a lot of time and effort). So that should be enough to keep scammers out - they don't like to risk and invest money.

The mediator is a bonded role so it has some level of trust. A colluding mediator could not repeat many times as the stakeholders would probably start to question his decisions and in case they find that he colluded he risks getting his BSQ bond burnt.

The dispute resolution would then be the same as what we use now in arbitration (Pagesigner, if that does not work screen sharing and ID verification - or alternatively maybe other options like setting up a BSQ bond - but that is an open discussion area). As in the Bisq arbitration such cases have been super rare (I think I did only time screensharing but just because of the user using a diff. bank account, no scam attempt) it can be assumed that those will be also very rare in future.

Also we don't need to be perfect here, just good enough. If from time to time BSQ gets reimbursed to a scammer it is still much cheaper than the current system and carries less systemic risks (security, legal).

One big learning from working on Bisq over the years was that we need to prioritize the problems the right way. Often we focus too much on theoretical problems (they are often much more interesting) which will not be real problems in practice but by trying to prematurely solve those we created real usability problems and those had real costs for the system. One such case (of many) was to not support editing offers as there was no good solution for protection against some ddos attacks. In reality we never got ddos'd but we lost many traders because they wanted to change the price without losing the trade fee. Bisq can fail in any ways, not attracting sufficient users is the most likely (hope we are already escaping that phase ;-)).

I think with the arbitration system we also need to focus on the customer care area which is 99% and not on the dispute/scam attempt areas which are nearly non-existent.

https://github.com/bisq-network/proposals/issues/52#issuecomment-433489213