[bisq-network/proposals] Proposal for new trade protocol without the need for arbitrators (#52)

[Manfred Karrer]

## Description about the blackmail risk with pure 2of2 MultiSig and why that proposal is not vulnerable to it

### Blackmail risk with pure 2of2 MultiSig
In a trade protocol with pure 2of2 MultiSig (as intended in the first Bisq concept) one peer has always more to lose then the other at a certain point of time in the trade process. The security deposit cannot be set so that it will have a symmetry before and after the transfer of the fiat/altcoin payment. This asymmetry can be exploited by a scammer to request an alternaitive payout as defined in the trade contract where he gets a part of the max. loss of the peer in case the scammer deny to cooperate to complete the trade. 

Let's give an example to make it more concrete with USD rate of 6000 BTC/USD:
The BTC buyer put in 0.1 BTC security deposit and seller put in 1 BTC trade amount + 0.1 BTC security deposit in the 2of2 MultiSig deposit tx. Before the buyer sends the fiat the seller has more to lose so the buyer could exploit that to blackmail the seller and tell him: Let's make a payout of 0.6 BTC to each of us otherwise you will never get out anything of your locked 1.1 BTC. An economic rational seller would agree to the blackmail. 

If the seller is the scammer he would wait until he has received the fiat and then the buyer has more to lose as he has now sent 6000 USD + locked up 0.1 BTC. The seller has already received the 6000 USD for his 1 BTC trade amount so that cancels out to zero and only his security deposit is at risk to get lost in case there is no cooperation. So he can tell now the buyer, let's make an alternative payout where you receive only 0.6 instead of 1.1 BTC otherwise you will not get anything and lose additional to your 6000 USD the 0.1 BTC security deposit. An economic rational buyer would agree to the blackmail. 

Some people argue that the security deposit can be set in a way that there is no risk for blackmail but that is not true as the fiat transfer is non atomic with the deposit tx. So the situation swaps before and after the fiat transfer.

E.g. If you set securit deposit to 1.1 BTC for buyer and 0.1 for seller then initially it would be symmetric: Both have to lose 1.1 BTC. So the first case that the buyer can extort the seller will not work anymore. But after the buyer has sent the Fiat it is even worse for him as now he can lose 6000 USD + 1.1 BTC. The seller has only 0.1 BTC at risk.
Similar problem is the case if you try to secure the second part of the trade. It makes things just worse. Only way would be to reduce the difference if the security deposit for both is much larger then the trade amount but who want to lock up 100 BTC for a 1 BTC trade? And even that would be not secure just the relation of gain and risk would be better.

There are 2 other ways which limits the effectivity of that blackmail but both are not sufficient to build a exchange on top of it with scale in mind.
1. If you avoid that the traders can communicate directly (as it is basically the case in Bisq) the blackmailer has not way to get in touch with the peer. But that is weak as the scammer could use a public forum etc. to post information for the victim to get contacted. With financial loss at risk the victim will likely find the way to the scammer.
2. Some people will not agree to a blackmail just by principle even if they suffer financial loss (not econimical rations, but emotional/ethical motivated). That might be true for certain amounts but I assume everybody has a limit here. Even if the BTC stays locked for years, some day if BTC is worth 1M they will change their mind....

The most intersting approach for a protection was found by Dan Smith (TLSNotary dev). It is that both traders sign initially the payout tx as defined in the trade but delete afterwards their keys. That way the blackmailer cannot make a new alternative payout tx as there are no keys anymore for signing it. One problem here is that nobody can proof that they have deleted it and game-theoretically (as Adam Gibson argued) there is incentive to keep the key secretly. I am not 100% sure if the technical requirements to change the software to keep the keys is a good enough hurdle for the huge majority that the scammer cannot count on that. So in practive that might work good enough, bu tnot sure how well it would work in bigger scale?

There is alos another problem here: The blackmailer could also request an alternative payment which is not related to the trade tx. Asking the peer to send 0.6 BTC to his address otherwise he will not cooperate. But this has one big disadvantage for the blackmailer: The victim has no guarantee that the scammer will stick to his word after he sent the BTC. In fact there is no reason to trust him at all. 

So all in all it was a complicate system which could not be built with solid security. It can still work in small scale (Bitmarkets used that but it never took off), but building a system with such a security risk is not a good idea.

### Why that proposal is not vulnerable to blackmail
In that proposal the blackmailer cannot success as the victim will have the alternative option to request reimburesment. By doing that he need to broadcast the time locked payout to the donation receiver, thus guaranteeing that the scammer will never get out any BTC. If the scammer does not request for reimburesment as well, the victim has very high chances to get the refund even without the need to proof anything. If the scammer is so naughty to also ask for reimbursement he risks that he will lose even more money (the request costs some fee in BSQ) and both need to deliver some proof to a mediator. In case the cryptographic proof with PageSigner cannot be made, they need to provide something alternative to gain more trust fo their version (ID verification or BSQ bond,...). If the victim can prrof with PageSigner and the scammer not he has lost already. He does not know in advance if the victim will/can deliver a PageSigner based proof.

So it is not very attractive for a scammer to try to get reimbursed as if he cannot convince the mediator and stakeholders he risks to lose even more (security deposit, BSQ fee, time and effort).
Even if he would succeed, it will be hard to repeat such scams as stakeholders will become more critical if there are more cases specially if that would be the same person. repeated reimbursements to the same person will be taken very seriously and have high chance to get rejected.     

Btw: Alternatively to ID verification we might be able to use the bank account data to avoid repeated scams (similar to account age witness or proposal #27 ). But I assume both will be not be required as scammers don't even try it with so little chance of success.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/bisq-network/proposals/issues/52#issuecomment-433531234
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.bisq.network/pipermail/bisq-github/attachments/20181026/1e18df53/attachment-0001.html>