[bisq-network/proposals] Reduce trade protocol to 1 single transaction (#279)

chimp1984 notifications at github.com
Sat Apr 24 05:04:09 CEST 2021


@sqrrm @stejbac
I tried to recap the whole concept. Please let me know if my conclusion is correct and if it represents the latest state of the discussion. 
There has been some discussion to use private keys instead of the nonces but I am not sure if a solution has been found with that approach.

## Preparation:
Alice: 
Creates nonce: N_a 
Sends hash h(N_a) = h_a to Bob

Bob: 
Creates nonce: N_b
Sends hash h(N_b) = h_b to Alice

## Deposit tx:
We want to keep the utxos for both traders separate so that they can spend them independently anytime later, thus not requiring a payout tx. The utxo can be used for funding the next deposit tx.
If one has spent their utxo they reveal their nonce so the peer can spend their utxo as well even if they failed to exchange the nonce.
The second path (the 'else' in bitcoin script) is being used to get spent by the staged delayed payout transactions.

We let Alice sell 1 BTC and use a 0.1 BTC security deposit for both sides.

Deposit tx:
Input 1: Alice 1.1 BTC
Input 2: Bob 0.1 BTC
Output 1: 0.1 BTC 	Path 1: both nonces are known and funds go to address of Alice
				Path 2: 2of2 Multisig
Output 2: 1.1 BTC 	Path 1: both nonces are known and funds go to address of Bob
				Path 2: 2of2 Multisig


## Trade protocol:
1. After deposit tx is confirmed Bob sends fiat/altcoin to Alice. She also sends her nonce to Alice. If Alice would use the nonce he would learn her nonce as well.
2. After Alice has received fiat/altcoin she sends her nonce to Bob.

If anyone does not send the nonce to the peer they can either wait until the peer spends the utxo and reveal the nonce or publish the staged delayed payout txs, thus putting pressure on the peer to react or bringing it to arbitration.

If both have revealed their nonce they can leave their output unspent until needed, but they have to observe the blockchain that the peer is not starting to publish the staged delayed payout txs.


## Staged delayed payout tx:
To avoid that one triggers a delayed payout tx to the burningman while both have exchanged the nonce and are just keeping the output unspent we can use a staged chain of txs.
The first is to signal the peer that they need to act. They have to observe the blockchain to get notified and if they spot an announcement tx they can either spend the utxo with the nonces, thus rendering all follow up txs invalid by consuming the utxo, or use the burn tx to send the funds to the burningman if they don't have the nonces.
This protects against getting the funds burned after a completed trade at the cost of needing to publish the tx earlier than intended.
If any party does not respond the active peer can avoid the need to go through arbitration and DAO refund by publishing the refund tx to themself. 


#### Staged txs for avoiding burningman/arbitration
Alice's announce tx: Txa1
Input 1: depositTx:0 path 2
Input 2: depositTx:1 path 2
Output 1: 0.1 BTC 	Path 1: both nonces are known and funds go to address of Alice
				Path 2: 2of2 Multisig
Output 2: 1.1 BTC 	Path 1: both nonces are known and funds go to address of Bob
				Path 2: 2of2 Multisig
Timelock: 10 days

Bob's announce tx: Txb1
Input 1: depositTx:0 path 2
Input 2: depositTx:1 path 2
Output 1: 0.1 BTC 	Path 1: both nonces are known and funds go to address of Alice
				Path 2: 2of2 Multisig
Output 2: 1.1 BTC 	Path 1: both nonces are known and funds go to address of Bob
				Path 2: 2of2 Multisig
Timelock: 10 days


#### Trader takes all if other does not react in time
Alice takes all tx: Txa2
Input 1: Txa1:0 path 2
Input 2: Txa1:1 path 2
Output: Alice address
Timelock: relative 5 days after Txa1

Bob takes all tx: Txb2
Input 1: Txb1:0 path 2
Input 2: Txb1:1 path 2
Output: Bob's address
Timelock: relative 5 days after Txb1


#### Avoid that the peer takes all and go to arbitration
Bob's intercept tx: Txb3
Input 1: Txa1:0 path 2
Input 2: Txa1:1 path 2
Output: donation address
No timelock

Alice intercept tx: Txa3
Input 1: Txb1:0 path 2
Input 2: Txb1:1 path 2
Output: donation address
No timelock


## Conclusion
If we do not find a way to construct the deposit tx so that it is significantly smaller I fear the size will be maybe even bigger or at least not much smaller than using a payout tx. The added complexity would be only justified if the reduction in miner fees is big enough.

The staged delayed payout transactions also add quite a bit of complexity and the sequence of the signature exchange in the protocol is a critical element to consider as well (to mitigate risk if one peer stops cooperating in the process of constructing the full tx chain). If the txs need to be created in sequence it would add several roundtrip messages to the protocol, increasing risks and slowing the process down.

The requirement to observe the blockchain also adds a serious risk and complexity. In fact there is an incentive to try to steal the funds by going the announcement path and, if the peer fails to react in time, to consume all funds. Removing the option to send to oneself would make it safer. But even then it could be problematic if the user is offline for an extended time as they would miss communication with the arbitrator, which might lead to the malicious peer getting reimbursed and the honest user finding out too late that his unpublished utxo got burned.

Avoiding arbitration cases from non-responders would be still a good feature but the cost/benefit should be checked by getting data from arbitrators about the number of such cases.






-- 
https://github.com/bisq-network/proposals/issues/279#issuecomment-826024355
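The following sketch is an added example, not part of the original post and not Bisq code. It serializes one possible encoding of the two-path deposit output described above (path 1: both nonces plus the owner's signature, path 2: 2of2 multisig), measures its size, and shows how a watcher recovers the nonces from a peer's on-chain path 1 spend. Assumptions: h() is SHA-256, the script layout and all function names are hypothetical, and keys and signatures are dummy placeholders.

```python
import hashlib
import os

# Bitcoin Script opcodes used by the two-path output.
OP_IF, OP_ELSE, OP_ENDIF = 0x63, 0x67, 0x68
OP_SHA256, OP_EQUALVERIFY = 0xA8, 0x88
OP_2, OP_CHECKSIG, OP_CHECKMULTISIG = 0x52, 0xAC, 0xAE

def h(nonce: bytes) -> bytes:
    """h() from the post; SHA-256 is an assumption of this example."""
    return hashlib.sha256(nonce).digest()

def push(data: bytes) -> bytes:
    """Direct data push, valid for items of 1..75 bytes."""
    assert 1 <= len(data) <= 75
    return bytes([len(data)]) + data

def output_script(h_a, h_b, owner_pk, pk_a, pk_b) -> bytes:
    # Path 1 ('if'): both nonces are known, funds go to the owner's key.
    path1 = (bytes([OP_SHA256]) + push(h_a) + bytes([OP_EQUALVERIFY])
             + bytes([OP_SHA256]) + push(h_b) + bytes([OP_EQUALVERIFY])
             + push(owner_pk) + bytes([OP_CHECKSIG]))
    # Path 2 ('else'): 2of2 multisig, consumed by the staged txs.
    path2 = (bytes([OP_2]) + push(pk_a) + push(pk_b)
             + bytes([OP_2, OP_CHECKMULTISIG]))
    return bytes([OP_IF]) + path1 + bytes([OP_ELSE]) + path2 + bytes([OP_ENDIF])

def path1_witness(sig, n_a, n_b):
    # Stack items bottom to top; the trailing 0x01 selects the 'if' branch.
    return [sig, n_b, n_a, b"\x01"]

def nonces_from_witness(witness, h_a, h_b):
    """Watcher side: recover (N_a, N_b) from a peer's path 1 spend."""
    found = {h(item): item for item in witness}
    if h_a in found and h_b in found:
        return found[h_a], found[h_b]
    return None  # a path 2 spend reveals no nonces

# Constructed sample values: random nonces, dummy compressed public keys.
N_A, N_B = os.urandom(32), os.urandom(32)
PK_A, PK_B = b"\x02" + bytes(32), b"\x03" + bytes(32)
SCRIPT_ALICE = output_script(h(N_A), h(N_B), PK_A, PK_A, PK_B)  # Output 1
SCRIPT_BOB = output_script(h(N_A), h(N_B), PK_B, PK_A, PK_B)    # Output 2

if __name__ == "__main__":
    print("script bytes per output:", len(SCRIPT_ALICE))
```

Under this encoding each deposit output carries a 179-byte script that must be revealed when it is spent, which bears on the size concern raised in the conclusion.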