[bisq-network/proposals] Distributed reputation system (#78)

[reipichu]

I have been formulating a proposal for an alternative solution to this problem, but it still needs some issues ironing out, so I will post my preliminary thoughts here:

The proposals we currently have for distributed trust and reputation systems (such as the one described above) are quite complex, which could make analysis of possible attacks quite difficult in practice. I'm also not convinced that we should move towards a system where we rely on the arbitrators as the root of trust - even though they could do this job, if we want to move to new trade protocols that remove the need for arbitration then this proposal would be a step in the opposite direction.

Our primary issue with account aging currently is that it is only a reliable indicator of stolen account risk if we can guarantee that the aging started along with the first payment made from the account. The main problem here is that a scammer can make a fake trade to start aging, and so this is what my proposal here addresses, using the much simpler idea of BSQ bonds, which have been mentioned elsewhere but I have not seen a concrete proposal as to how they could be used.

1. Introduce the concept of "Bonded Traders." These traders have locked up a BSQ bond, and their **bonded status is relied upon solely for the truthful confirmation that a fiat transfer was indeed made** to their account following the trade rules. These users are then trusted to attest truthfully that a transfer was made.
2. New Traders start with restricted trade limits for buying, for example 0.01 BTC (total) per 30 days, and can buy only from Bonded Traders.
3. In order to start account aging, a New Trader must make a trade as a buyer with a Bonded Trader as seller. The Bonded Trader signs the Account Age Witness record with the date of the trade to indicate the start of account aging. This is performed by the client when the Bonded Trader clicks "Received Payment."
4. In the event that the New Trader initiates a chargeback within 30 days of the date of the first trade, there is no consequence to the Bonded Trader and no risk to their BSQ bond.
5. When the account age reaches >30 days, the New Trader's trading limits are increased and they are permitted to trade with any other (non-Bonded) trader.
6. In the event that the New Trader initiates a chargeback after 30 days from the date of the first trade, then the attestation of the Bonded Trader is called into question (ie. it is considered likely that they may have lied).
7. In the case of (6), the Bonded Trader must now demonstrate proof to an arbitrator that they did indeed receive the fiat transfer from the New Trader (eg. using PageSigner) corresponding to the date they signed the Account Age Witness. If they can prove this then their BSQ bond is safe. If they cannot prove it then their BSQ bond is forfeit.
8. In the case that a Bonded Trader forfeits their BSQ bond, all signatures by this trader attached to Account Age Witness data will be considered invalid.

The properties of the described system are as follows:
* Due to (2), if the scammer does not bond BSQ themselves, they are limited to only being able to steal 0.01 BTC per stolen account, per 30 days. It is very likely that the chargeback will occur within 30 days, so this becomes 0.01 BTC per stolen account in total.
* Due to (6) and (7), the economics for a scammer are such that it is only profitable for them to bond their BSQ with the intention of losing it if they are able to make trades which sum to greater value than the BSQ bond before the first chargeback occurs, at which point the bond is forfeit and associated accounts (those signed by the scammer's Bonded Trader) are blacklisted. 
* Due to (8), it is advisable for honest New Traders to perform their first trades with more than one Bonded Trader, to minimize the risk that their Account Age is reset to 0 if one of their Account Age Witness signers is blacklisted.

Using BSQ bonds as the root of trust for attesting account age leads to a similar system to that described above, but much simpler and with a clear economic disincentive to attempting to cheat the system, and an easier way for us to control that economic equation, by modifying the BSQ bond required or modifying trade limits, as necessary.


-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/bisq-network/proposals/issues/78#issuecomment-496539979
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.bisq.network/pipermail/bisq-github/attachments/20190528/5c4fa618/attachment.html>