[bisq-network/bisq] Bisq nodes leak TXID of every offer in P2P trade protocol messages (#3894)

wiz notifications at github.com
Sun Jan 12 12:31:49 UTC 2020


### Background
When a Bisq trade offer is created, the maker's Bisq node broadcasts a P2P message to the network to announce his offer.

![Screen Shot 2020-01-12 at 21 27 07](https://user-images.githubusercontent.com/232186/72218793-579aba00-3582-11ea-877c-69ddbfba6bdc.png)

### Issue
The offer data object contains excessive metadata about the trade, specifically the on-chain TXID of the maker's deposit TX. Unfortunately, because the offerId of every Bisq trade is mapped to the on-chain Bitcoin depositTxID, this allows malicious blockchain analysis of all Bisq trades.

Example data object:
```
  {
    "currency": "JPY", 
    "direction": "SELL",
    "tradePrice": 8791986900,
    "tradeAmount": 10000, 
    "tradeDate": 1578784489149,
    "paymentMethod": "F2F", 
    "offerDate": 1578784398352,
    "useMarketBasedPrice": true,
    "marketPriceMargin": 0.0,
    "offerAmount": 10000, 
    "offerMinAmount": 10000, 
    "offerId": "12635-224f7143-3366-46e7-9e14-7fa6f39fcb2b-125",
    "depositTxId": "9c67453e57cfc80e2c121caf54f8f739cef6c5d7e9afdceec7843436a920f9d8",
    "currencyPair": "BTC/JPY",
    "primaryMarketDirection": "SELL",
    "primaryMarketTradePrice": 87919869000000,
    "primaryMarketTradeAmount": 10000, 
    "primaryMarketTradeVolume": 8791980000
  },
```

Example blockchain analysis of this trade:
https://blockstream.info/tx/9c67453e57cfc80e2c121caf54f8f739cef6c5d7e9afdceec7843436a920f9d8?expand

### How to Reproduce
1. Start Bisq with `--dumpStatistics=true` option enabled
2. After a few minutes, an `offers_statistics.db` file will be generated in your `$HOME/.bisq/btc_mainnet/db/` datadir.
3. Extract the mapping of offer ID and deposit TXID by `grep -i id offers_statistics.json`
4. Paste any Bitcoin TXID into any Bitcoin Block Explorer

### Expected Result
Bisq should not reveal the on-chain Bitcoin TXID for each offer.

### Actual Result
A full mapping of offer IDs to Bitcoin TXIDs for the current offers on Bisq is generated. Snippet:
```
    "id": "PVQSMV-90593c20-9984-440f-8f83-dc98c9decdfd-124",
    "offerFeeTxID": "875b94ce60bc4540cbf8a2c238d08eff54d1ee96b216fa2b3369ad4dd8665013",
    "id": "aAPLmh98-2d03accc-ba6b-4efa-ba6d-c53ed02a2173-111",
    "offerFeeTxID": "44b00de808d0145f9a948fe1b020c5d4173402ba0b5a5ba69124c67e371bca18",
    "id": "CX9zlV6g-a4231013-692a-4c58-a4df-e352aeaa5a52-124",
    "offerFeeTxID": "779fca348fcb28de906ad75a4c0f752b52abba9a9274935a2c14b3ec375658fa",
    "id": "qoodj-9026c051-c175-4c09-8eae-d5b7ebae13d1-125",
    "offerFeeTxID": "c068b933c7d3192e3799e77c0c0ec6abee28497a80dcef0b30caafbaa63b9e0f",
    "id": "7266425-98a588a2-bcdd-4437-acf2-2fb444f6a617-124",
    "offerFeeTxID": "9e4c35cc558e84151f151877aff07f509c847833a9665d2d58bd0a1ae3d2b3f8",
    "id": "5630195-4d8caa6e-2376-4db2-9c7a-bb30a36c0dde-124",
    "offerFeeTxID": "78ac815121acc90107317621928308e54d39d806c46557603a3d36cf68ce3544",
    "id": "tubtgpda-143cc765-ef4b-4e0e-99bd-a3d409a14e51-116",
    "offerFeeTxID": "cee365b8d9b09a69f55c5b59e96494742e0ee8815a57c8b34958d842a4145f56",
```

### Severity
🚨🚨🚨
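As an added, defender-side regression check (not part of the report or of Bisq's own code): a small Python script that walks dumped offer objects, such as those in `offers_statistics.json`, and reports every string shaped like an on-chain Bitcoin TXID, so a maintainer can confirm that `depositTxId` / `offerFeeTxID` no longer appear after a fix. The sample objects are constructed from the values quoted above; any field name not on the page is an assumption.

```python
import json
import re

# A Bitcoin TXID is exactly 64 hex chars; Bisq offer IDs embed a hyphenated
# UUID (groups of 8/4/4/4/12 hex), so fullmatch never flags an offer ID itself.
TXID_RE = re.compile(r"[0-9a-fA-F]{64}")

# Constructed sample: the first two offers carry the fields quoted in the report
# (depositTxId / offerFeeTxID, values as quoted), the third is what a fixed node
# should emit. Field names other than those on the page are assumptions.
SAMPLE_OFFERS_JSON = """[
  {
    "offerId": "12635-224f7143-3366-46e7-9e14-7fa6f39fcb2b-125",
    "currency": "JPY",
    "depositTxId": "9c67453e57cfc80e2c121caf54f8f739cef6c5d7e9afdceec7843436a920f9d8"
  },
  {
    "id": "PVQSMV-90593c20-9984-440f-8f83-dc98c9decdfd-124",
    "offerFeeTxID": "875b94ce60bc4540cbf8a2c238d08eff54d1ee96b216fa2b3369ad4dd8665013"
  },
  {
    "offerId": "clean-00000000-0000-4000-8000-000000000000-125",
    "currency": "EUR"
  }
]"""

def _walk(node, path=()):
    """Yield (dotted_path, leaf) for every leaf value, nested containers included."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk(value, path + (key,))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _walk(value, path + (str(index),))
    else:
        yield ".".join(path), node

def find_txid_leaks(offers):
    """Return [(offer_id, field_path)] for every TXID-shaped string in each offer."""
    leaks = []
    for offer in offers:
        offer_id = offer.get("offerId") or offer.get("id") or "<no id>"
        for field_path, value in _walk(offer):
            if isinstance(value, str) and TXID_RE.fullmatch(value):
                leaks.append((offer_id, field_path))
    return leaks

def check_dump(offers_json):
    """Parse a dumped offer list (e.g. offers_statistics.json) and report leaks."""
    return find_txid_leaks(json.loads(offers_json))
```

An empty result from `check_dump` means no offer in the dump exposes a TXID-shaped value in any field, nested or not.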

https://github.com/bisq-network/bisq/issues/3894