[bisq-network/proposals] Send arbitration funds to a burning address instead of BTC donation address. (#135)

MwithM notifications at github.com
Tue Nov 5 15:02:07 UTC 2019


> _This is a Bisq Network proposal. Please familiarize yourself with the [submission and review process](https://docs.bisq.network/proposals.html)._

### Abstract
The security model for the BTC donation address holder is not valid, because the locked bond cannot cover the funds a dishonest address holder could take. To prevent this attack, trade funds that go to arbitration should be sent to an unspendable address instead.

### Issue description

Since v1.2, Bisq entrusts the [BTC donation address owner](https://github.com/bisq-network/roles/issues/80) with regularly buying BSQ using the funds from BTC trading fees and from trade amounts that end in arbitration. This role is bonded with 50.000 BSQ locked, which would be high enough to cover the current trading fee volume and rare disputes, deterring dishonest behaviour.

This security model, based on a bonded role, relies on the assumption that trades going to arbitration will be [very rare](https://github.com/bisq-network/proposals/issues/52#issuecomment-433489213), since neither trader wants to lose their funds and pay an arbitration fee on top. But one of the traders could be colluding with, or [be the same person](https://bisq.community/t/bisq-donation-address-huge-risk/8618?) as, the BTC donation address holder, steering disputes into arbitration so that all the 2-of-2 multisig funds are sent to the address the donation address owner controls. Just a couple of days of Bisq's current XMR trading volume would cover the BSQ bond and leave a profit. Because the timelocked transactions are triggered automatically after a week or more, the attack would be noticed too late, and there is nothing Bisq could do to stop the transactions from being sent to the attacker's address.

This leaves Bisq in a situation of high risk. Bisq cannot trust an anonymous person without any track record of honest behaviour to hold and spend the funds as intended. The locked bond is tiny compared to weekly Bisq volume.

### Proposal

Taking into consideration the following points:

- Going back to the previous security model does not remove the single point of failure of trusted arbitrators, and throwing away all the effort that went into v1.2 is not a desirable option.
- We need to act quickly, as security is a primary concern for Bisq.
- Making the address a multisig to spread the risk across 2 or 3 keyholders would require them not to be anonymous; otherwise we risk them all being the same person. Even then it would not prevent collusion.

I propose, as a cautionary measure, to destroy all deposit and trading funds by sending them to a burning address when a trade goes to arbitration. Trading fees could continue to be sent to the BTC donation address holder.

Further proposals could improve this situation, but they should be discussed in a separate proposal. The main concern of this proposal is security, so the focus must be on short-term actions.
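The proposal says "burning address" without fixing what kind of output that is, and the distinction matters for the security goal: an `OP_RETURN` output is unspendable by consensus (nodes never add it to the UTXO set), whereas an "eater" address such as a P2PKH address with a vanity hash is only *believed* to have no known key. The following is an added example, not Bisq code and not part of the proposal; it builds both kinds of scriptPubKey, decodes a base58check address back to its hash, and classifies the result. The address and the 20-byte hash it uses are constructed for the example, and `script_for_address` is a hypothetical helper that only handles mainnet P2PKH.

```python
import hashlib

# Added example (not Bisq code): a provably unspendable output versus a
# "burn address" whose key is merely believed to be unknown.

OP_0, OP_RETURN = 0x00, 0x6A
OP_DUP, OP_HASH160, OP_EQUALVERIFY, OP_CHECKSIG = 0x76, 0xA9, 0x88, 0xAC
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def op_return_script(data: bytes) -> bytes:
    """scriptPubKey 'OP_RETURN <data>': fails script evaluation by consensus,
    so the output can never be spent. Direct push only (<= 75 bytes)."""
    if len(data) > 75:
        raise ValueError("use OP_PUSHDATA1 for payloads over 75 bytes")
    return bytes([OP_RETURN, len(data)]) + data


def p2pkh_script(pubkey_hash: bytes) -> bytes:
    """Standard P2PKH scriptPubKey: spendable by whoever knows the key."""
    if len(pubkey_hash) != 20:
        raise ValueError("hash160 must be 20 bytes")
    return bytes([OP_DUP, OP_HASH160, 20]) + pubkey_hash + bytes([OP_EQUALVERIFY, OP_CHECKSIG])


def _checksum(raw: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(raw).digest()).digest()[:4]


def base58check_encode(version: int, payload: bytes) -> str:
    raw = bytes([version]) + payload
    raw += _checksum(raw)
    n = int.from_bytes(raw, "big")
    digits = ""
    while n:
        n, r = divmod(n, 58)
        digits = ALPHABET[r] + digits
    leading_zero_bytes = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * leading_zero_bytes + digits  # each leading 0x00 byte becomes a '1'


def base58check_decode(addr: str) -> tuple[int, bytes]:
    """Return (version byte, payload); raises on a bad checksum."""
    n = 0
    for ch in addr:
        n = n * 58 + ALPHABET.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    leading_ones = len(addr) - len(addr.lstrip("1"))
    raw = b"\x00" * leading_ones + body
    if len(raw) < 5 or _checksum(raw[:-4]) != raw[-4:]:
        raise ValueError("bad base58check checksum")
    return raw[0], raw[1:-4]


def script_for_address(addr: str) -> bytes:
    """Hypothetical helper: scriptPubKey for a mainnet P2PKH address."""
    version, payload = base58check_decode(addr)
    if version == 0x00:
        return p2pkh_script(payload)
    raise ValueError("only mainnet P2PKH addresses are handled in this example")


def classify(script: bytes) -> str:
    """Say whether an output script is unspendable by consensus or merely
    locked to a key nobody is believed to hold."""
    if script and script[0] == OP_RETURN:
        return "provably unspendable"
    if (len(script) == 25 and script[0] == OP_DUP and script[1] == OP_HASH160
            and script[2] == 20 and script[-2:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG])):
        return "P2PKH: spendable by anyone holding the matching private key"
    if len(script) == 22 and script[0] == OP_0 and script[1] == 20:
        return "P2WPKH: spendable by anyone holding the matching private key"
    return "unrecognised script"


# Constructed 20-byte hash standing in for an eater address's hash160.
CONSTRUCTED_HASH160 = hashlib.sha256(b"constructed burn address").digest()[:20]
CONSTRUCTED_BURN_ADDRESS = base58check_encode(0x00, CONSTRUCTED_HASH160)

if __name__ == "__main__":
    print(CONSTRUCTED_BURN_ADDRESS, "->", classify(script_for_address(CONSTRUCTED_BURN_ADDRESS)))
    print("OP_RETURN output ->", classify(op_return_script(b"arbitration burn")))
```

The practical point for the proposal: if the goal is that no party can ever recover arbitrated funds, the destination should classify as "provably unspendable", not as a P2PKH or P2WPKH script, since the latter only shifts the trust question from "who holds the donation key" to "does anyone hold the eater key".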

https://github.com/bisq-network/proposals/issues/135