[bisq-network/proposals] Replace the role of Refund Agent with a new team of Arbitrators that can together publish one of several pre-signed 2 of 2 multisig timelocked payout transactions as proposed by a Mediator (#220)

wiz notifications at github.com
Wed May 6 15:39:34 UTC 2020


> _This is a Bisq Network proposal. Please familiarize yourself with the [submission and review process](https://docs.bisq.network/proposals.html)._

# Summary

This is a proposal to modify the Bisq trade protocol so that both trade parties create a set of pre-signed 2 of 2 multisig timelocked payout transactions at the time an offer is taken, and encrypt these transactions to the public keys of members of a newly established Arbitration team so that a majority of members of the Arbitration team can cause a Mediator's suggested payout to become effective by publishing the appropriate payout transaction to the Bitcoin network.

# Rationale

When Bisq v1.2 was released, the Bisq trade protocol was modified from utilizing a 2 of 3 multisig to a 2 of 2 multisig deposit address for trade funds and security deposits. This was done to improve the security and decentralization of Bisq, making it truly peer-to-peer, and to eliminate a potential attack by Legacy Arbitrators where they could collude with a trader to steal trade funds and security deposits. After changing to a 2 of 2 multisig removed the ability for trade disputes to be quickly resolved using Legacy Arbitration, the role of Refund Agent was created to resolve trade disputes.

However, the Bisq user experience was severely degraded in the event of an unresponsive trade counterparty, bugs in the Bisq application, or intentional scam attempts by a trader. Currently traders must wait 10 or 20 days to be refunded in these cases, and the Refund Agent needs to use a significant amount of his own capital to refund these traders until he can be refunded by the DAO. Trading volume has dropped, and user satisfaction has decreased.

Additionally, this has now become an urgent problem for Bisq as the current Refund Agent wishes to resign, and there is no volunteer willing or able to perform the role. This proposal aims to solve both issues at once by eliminating the need for a Refund Agent by utilizing a set of pre-signed timelocked payout TX that can be published by a majority of Arbitration team members after a shorter time period, but also retaining the current 2 of 2 multisig security model so that Bisq remains truly peer to peer.

# Causes

There are many causes of a trade failing to be resolved by Mediation and requiring Arbitration, but these are the most common:

### Unresponsive Trade Counterparties

* Trader shuts off computer for several days and Bisq node is offline, i.e. "message is stored in user's mailbox"
* Trader has Bisq running, but lack of native OS notifications causes them to not notice any Bisq trade events

### Bugs in the Bisq software

* Trader has issues with their Bisq node, mostly due to bugs in the software, which prevent them from completing a trade

### Intentional scam attempts

* Trader attempts to scam through deception or fraud, etc.

# Proposal

Currently if a Mediator makes a suggested payout, it has no effect in the above cases and is simply ignored by the defaulting party. This proposal is for developers to implement the following new pre-signed timelocked payout transactions, and to encrypt them to the public keys of 5 members of a new Arbitration Team.

## Establish a new Arbitration team

Duties: The Arbitrator team will consist of 5 highly trusted people who will verify any suggested payout by a Mediator and, if they agree with the Mediator, decrypt the proposed payout transaction and jointly publish it to the Bitcoin network.

Requirements: Must currently perform at least 2 bonded roles for Bisq, and have posted bonds for those roles. Additionally, no Arbitration team member can be a mediator since it would create a conflict of interest, so they will have to resign as Mediator if becoming an Arbitration team member.

Primary Members: @sqrrm @m52go @wiz
Backup Members: @cbeams @ripcurlx

## Pre-signed Payout TX for DAO Donation Address

Currently when an offer is taken, both trade parties create a pre-signed payout transaction that can be published by either party when the timelock expires. This allows funds to be donated to Bisq and the traders to request a refund from the Refund Agent. This will remain as-is, and function as a fallback mechanism in case the new Arbitration is not successful for some reason.

## New Pre-signed Payout TX Scenarios

Bisq developers will need to implement several new timelock payout transactions signed by both parties, for the following potential payout scenarios. These payout TX will have a locktime of double the soft time limit for the applicable time limit. For example, in the event of a BSQ trade, which is 24 hours, this time limit would be 48 hours, allowing mediation to begin after 24 hours and arbitration to be completed after 48 hours.

1) Buyer does not pay or is refunded by Seller, and Parties mutually agree to cancel trade
* Seller gets trade amount
* Seller gets 100% of Seller's security deposit
* Buyer gets 100% of Buyer's security deposit

2) Mediator verifies Buyer paid as agreed, but Seller unable to confirm payment due to bug in Bisq
* Buyer gets trade amount
* Buyer gets 100% of Buyer's security deposit
* Seller gets 100% of Seller's security deposit

3) Mediator verifies Buyer paid as agreed, but Seller causes delay by neglecting to acknowledge payment, or Seller fails to respond within time limit
* Buyer gets trade amount
* Buyer gets 100% of Buyer's security deposit
* Buyer gets 50% of Seller's security deposit
* Seller gets 50% of Seller's security deposit

4) Mediator verifies Buyer did not pay, or Seller claims Buyer did not pay, and Buyer fails to provide proof of payment, or Buyer fails to respond within time limit
* Seller gets trade amount
* Seller gets 100% of Seller's security deposit
* Seller gets 50% of Buyer's security deposit
* Buyer gets 50% of Buyer's security deposit

5) Buyer intentionally breaches trade agreement due to deception or fraud
* Seller gets trade amount
* Seller gets 100% of Seller's security deposit
* Seller gets 100% of Buyer's security deposit

6) Seller intentionally breaches trade agreement due to deception or fraud
* Buyer gets trade amount
* Buyer gets 100% of Buyer's security deposit
* Buyer gets 100% of Seller's security deposit

Developers / Mediators: if you can think of other potential payout situations, please comment with suggested additional payout scenarios.

### Encryption to Arbitration team using SSSS

After the above new payout TX are signed, they will be encrypted to the public keys of the Arbitration team members using [SSSS](https://en.wikipedia.org/wiki/Shamir%27s_Secret_Sharing), so that the trade parties cannot broadcast them by themselves, and only 3 of 5 of the members of the Arbitration team can decrypt them by working together. This might be best implemented in the app using the existing Arbitrator GUI with a button for Arbitration team members to approve a suggested payout by a Mediator.

### Implement native OS notifications for all platforms

The final part of this proposal is to create a BSQ bounty for the successful implementation of native OS notifications for all supported platforms without adding a new jar dependency.

# Feedback

Feedback requested from @sqrrm @cbeams @ripcurlx @chimp1984 @m52go @refundagent 


-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/bisq-network/proposals/issues/220