Improve security of Bisq Easy

[HenrikJannsen]

To increase security of the Bisq Easy reputation system we could consider various improvements:

• Map max allowed trade amount to reputation score
• Add time factor until reputation score gets it's full weight
• Change weight of proof of burn reputation score
• Add more fine grained ban mechanism
• Add signed-witness-like system

The assumption is that potential scammers don't want to lose time and more repeated smaller trades increase their risk to get detected and banned, thus losing their investment.

The security of bonding BSQ is considerable higher as with burning BSQ.
300 BSQ burned lead to the same 30k score as 3000 BSQ bonded.
With burning 300 BSQ (about 600 USD investment) the scammer need to make trades of 600 USD to be break even before his profile gets banned. This could be done with 1 single 600 USD trade.
With bonding 3000 BSQ (about 6000 USD investment) the scammer need to make trades of 6000 USD to be break even before his profile gets banned and later his bond confiscated. This is much harder to achieve (about 10 trades with 600 USD).

We should consider to either decrease weight of burned BSQ or add some time factor.
Adding a factor derived from past trades is not feasible as we do not have a secure way to proof trades (problem with self trades).
The only known solution would be a signed-witness-like system to build a web-of-trust like reputation system. This could be considered as a new reputation source but is a larger and more complex project.

Map max allowed trade amount to reputation score

Change the max allowed trade amount in create offer for BTC sellers to the reputation they have. If they don't have any reputation we might still allow a lower as currently amount but add a big warning when one taking that offer and also in the offer book show a clear warning.

With burning 300 BSQ the user gets 30 000 reputation score. Thats with current BSQ rate of about 2 USD a 600 USD investment.
We could limit trade amount to 600 USD but only after a test period is over. Directly after the reputation score increase event (e.g. burnt 300 BSQ) the max trade amount could be 10% of that, so 60 USD.

Add time factor until reputation score gets it's full weight

When building up reputation by burning BSQ we could only count 10% of the burned BSQ for the score. Then there is a linear increase to the full score over a certain time period, let say 100 days.

A scammer could of course wait 100 days but there is a reasonable assumption that scammers don't want to have a long term commitment and there are opportunity costs for blocking that investment.

Change weight of proof of burn reputation score

I think we made a mistake in the weigh assignment for burned BSQ. We should adjust the weight even if we add the time factor to decrease the risk that a scammer waits the full time period before starting to try to get quickly some trades. Currently it would only require 1 trade to be break even. I guess to increase that min. required success rate to 2 or 3 is a considerable risk increase to the scammer. This would mean we would reduce the weight of burning BSQ from currently 100 to say 50, 33 or 25. I would say 2 is a good number. Then burning to gain 30k reputation score would require 1200 BSQ burned (2400 USD) which would require about 4 trades with 600 USD to be break even. This is much harder to achieve.

Add more fine grained ban mechanism

Currently the moderator can ban a user profile which would then make it impossible for anyone to communicate with the banned user (also the moderators). This is not great if there is a suspicious case detected as it might be a honest user just delayed with the Fiat payment. We should apply the ban only to trades and public messages.
We might add more fine grained level of bans:

• Banned for new trades (cannot create offers, cannot take offers, other users cannot take the banned makers offers). Continuing existing trades where funds have been already transferred is ok. If an open trade is in early state, the buyer would get a warning that they cannot continue the trade and need to check with mediation how to continue.
• Banned all trade activity (including continuing the trade process)
• Banned from public chats (mostly for spammers)
• Banned from private messaging excluding mediators and moderators and trade messages
• Total banned (as currently)

Add signed-witness-like system

Similar as the Bisq 1 signed witness system we could build a cryptographic web of trust reputation system where the traders sign each other after completed trade (both ways might be useful as buyers could scam with charge-backs or cancel trades).
To have the right to sign could be derived from a source which represents trust. E.g. age and score level of reputation. A timing factors should be added as well so that scammers who managed to get signed cannot easily engage in self signing.
I think such a system requires it own discussion and is a larger project.

[rodvar]

@HenrikJannsen all great ideas, with the following being the most effective in terms of benefit/cost ratio I believe:

1. Map max allowed trade amount to reputation score (this is like a no-brainer for a protocol like bisq-easy)
2. Add time factor until reputation score gets it's full weight
3. Change weight of proof of burn reputation score (your explanation makes total sense, 600USD is way too low it needs 10x at least)

The other 2 are great but could be done in the near future whether as the above is fairly doable fast.
Let me know if you need any help happy to take anything related to help do this ASAP!

[HenrikJannsen]

Further idea:

• Based on some metrics (profile age, reputation score and type, markup price, payment methods, currencies,...) we could derive a "risk rating" and display that to a taker. Requires careful wording and background info which metrics are used and how the rating is created. Should only be shown if trader has a high-risk profile.

[solomon1923]

Maybe rather than risk we calculate a maximum recommended trade size.

Reputation score / 150 = max recommended trade size

Example

User A burns 300 BSQ

• 30000/200 = 150 USD

To p current user ~ 75,000 reputation

• 75000/200 = 375 USD

This would also encourage users to burn / bond BSQ more to increase the trade sizes.

The reputation score system lends itself to creating a dynamic security model. This way the max trade amount could go higher than 600 USD if the seller has burnt / bonded a large amount of BSQ.

[solomon1923]

Maybe a simpler alternative is to use the star system with each star representing 100 USD

1 star = $100 USD max recommended trade
2 star = $200 USD max recommended trade
3 star = $300 USD max recommended trade
4 star = $400 USD max recommended trade
5 star = $500 USD max recommended trade

As the reputation scores increase over time these numbers could also be increased.

[HenrikJannsen]

I would prefer to not mix it with the graphical representation as that might change and has atm a non-linearity as far I remember.
But we get the similar result with your suggested 1/200 factor.

[HenrikJannsen]

Just tested to change Burn BSQ weight from 100 to 25 and there are no major issues.
Not updated users would use the old weight, updated users would be use the new weight.
A updated user cannot take an offer anymore which was sufficient score with old version (e.g. maker had 300 BSQ -> 30k score but for new user that is only a score of 7500 and below min. required reputation).
A not updated user can still take offers of new users who burned 300 BSQ even in the new version that's only a score of 7500.

I consider those issues not a major problem.

[solomon1923]

Just tested to change Burn BSQ weight from 100 to 25 and there are no major issues.

How many sellers have the required 30k reputation score when the BSQ burning weight is decreased to 25?

If a new seller wants to achieve 30 k reputation they would need to burn 1,200 BSQ ($2,400 USD). The max trade size reducing to 0.005 BTC would mean that assuming they make 5% per trade they would need to do 160 trades to recoup their BSQ burn. This seems like too much to me.

[HenrikJannsen]

I dropped that idea already in favor of the time based function as described below.

[HenrikJannsen]

To change the max trade amount I am considering following:

• Reduce the max trade amount to about 300 USD
• Derive it from current BTC price in each currency
• Add a risk factor to each market which allows to change the max amount based on the markets risk profile. E.g. Japan might get higher limit as scam rate is very low, other countries with bad reputation regarding security get a lower limit.
• Optional: Allow security manager to override the hard coded risk factor by market. User could ignore that, similar as with min. reputation score. This would allow us to quickly respond to events with the cost of added power to the security manager. Not sure if its needed. Can be added later.

Not planned it to add a risk factor by payment method. This would become too complex UX wise with multiple payment methods are used. The "risk rating" idea would cover payment methods.

[solomon1923]

Reduce the max trade amount to about 300 USD

I am not sure if this needs to be decreased if the minimum 'security model' requirements increase by 4X.

As buyers can complete multiple trades with users (and a scammer would encourage this), I think it would be better to decrease the BSQ burn weight rather than couple it with a reduction in the trade amount.

[HenrikJannsen]

After further thoughts, I think only adding a timing function is enough. This will avoid frustration from long term users who would see their reputation dropped as after 100 days there is no impact on the score by that change.
For a scammer to wait 100 days for getting the full score seems like quite some added burden.
At burn time there is only 10% applies which would increase the number of traded to get break even to 10.
With burning 1000 BSQ (2000 USD) it would take them about 24 days to get 30k reputation score and that still would require 3-4 trades to get break even.

[solomon1923]

I think this is a good option.

It still could put a new seller off from participating. If they want to try out Bisq Easy and burn the min amount they have to wait 100 days before they get enough reputation to start trading.

[HenrikJannsen]

They can use Bonded BSQ and other sources as well. Burning BSQ gets with the time function some more "long game" component.

[suddenwhipvapor]

Good points, the only thing that I was thinking about downsides, was that existing and/or new sellers would be penalized because of the possibility of a scammer to pop in... and you fixed that later by concentrating on the timing effect. That, and the trade amount limit based on reputation score, both combined, should be more than enough protection,

[solomon1923]

I think we need to consider the above numbers with a new seller in mind (at least one that is active on Bisq 1 and wants to try out Bisq Easy).

Making it more costly for scammers is good but this needs to be balanced with keeping the platform accessible to sellers that want to participate in Bisq Easy.

[HenrikJannsen]

Yes I agree, and we have already a problem with a few power traders occupying a large part of market share.

[rodvar]

I don't think this is a problem as long as they are fair traders (by fair I mean they respect bisq rules and are real traders not scammers) - are you foreseeing anything else?

[suddenwhipvapor]

I agree with @solomon1923 and if trade amount is limited based on repscore, as well as repscore increasing from 10% to the nominal value with a gradient function, I think it is okay if BSQ burn score is not reduced, at least not significantly, or legitimate new sellers could be deterred.

[HenrikJannsen]

Just to make clear: Current version has dropped the 25% decrease of the weight but only added the time function from 10% at burn time to 100% in 100 days.

To link the max trade amount to reputation is a good idea.

Let's try to get a rough model for financial gain from a scam using burned BSQ.
Burning 300 BSQ is about 600 USD. This is the amount the scammer need to trade at least to be break even.
With current model its just 1 trade with max amount.

The current min required reputation score is 30 000.
With new model of time based score, he would only get a score of 3000 initially. He would need to burn 3000 BSQ/6000 USD to be able to start trading with current max amounts of 600. This would require him to get 10 trades. This is very risky as his scam will likely be detected before he manages to get 10 trades.
He could instead wait 100 days and then be at the same state as now and would only require 1 trade for break even. It is unlikely that he want to invest 600 USD and wait 3 months where he does not know how the security model in Bisq might change. But still there is a risk left.

For a new trader to burn 300 BSQ but cannot trade for 100 days before reaching min. score reduces the motivation to burn in the first place.

Lets link the trade amount to the reputation score:
A score with 30 000 (300 BSQ/600 USD) should allow a max trade amount of say 150 USD. Then the scammer need at least 4 trades to reach break even. This sounds like a reasonable burden (he want to make profit, so need more than 4 and there are uncertainties).
That would be a factor of 1/200.

The highest reputation scores are about 70 000, this would allow a trade amount of 350 USD which seems a reasonable level.
They would get motivated to get more reputation to trade higher amounts.

I think we still should have a upper hard limit, maybe the 600 USD we have already. Would only affect user with score of 120k and above.

To change the reputation score algorithm might also lead to frustration for users who just burned BSQ to get over the 30k threshold and then discover they are below again. So maybe we can drop that time based function in favor of only changeing the max limits.

[suddenwhipvapor]

The numbers look good to prevent a scammer. 4 trades to break even before their scam is discovered seems like a disincentive to scam.

Lets also take a look at a new seller.

They burn 300 BSQ (600 USD). The max trade size after 100 days is $150 USD. They sell bitcoin 5% over market rate making $7.5 per trade. They would need 80 trades to break even. I think this seems high?

Maybe allow mediators to apply a reputation boost to sellers after 100 days. For example after seller has been in mediation a few times and has sorted out any issues they could be given a boost. The boost would reduce the divide by 200 amount to just divide by 100. This would double the 'more trusted seller' max trade amount.

what about a thrustworthy seller who still hasn't gone through any mediation, exactly because he's that good?

[solomon1923]

I think most active sellers will enter mediation at some point as lots of buyers do not end up going through with the trade. Having said that I am not really keen on a manual intervention from a mediator to increase reputation score.

[HenrikJannsen]

Sorry I was unclear with my previous post. In the initial sentence I just wanted to make clear that the 25% drop idea has been discarded and pointed out the time based model which was used instead. But with further discussions it seems also the timebased model is not needed and we can use only the min. trade amount for managing risks better.

So to summarize current suggestion:

• Keep Burn BSQ algorithm as it is
• Derive max trade amount from reputation, maybe use profile age as additional factor
• As @suddenwhipvapor added, we could also derive the users min/ required reputation score from the reputation and profile age of the peer

I dont think we should give the mediator any power here as that would increase liability and would create wrong incentives to open mediation.

[HenrikJannsen]

@solomon1923

Here I adjusted your example without the time function but with the booster by profile age:
They burn 300 BSQ (600 USD).
The max trade size at burn time is $150 USD.
Over a period of 6 months the trade amount limit goes up to 600 USD.
Assume they sell with 5% premium.
Initially they get $7.5 per trade (150 USD limit).
After 6 months they can get $30 per trade (600 USD limit).

var initialLimit = 150;
var targetLimit = 600;
var delta = 450;
var t = month after burn BSQ; // we would use milliseconds, but for demonstration here lets use months
var max = 6 months days;
var boostFactor = t/max; // Max 1
var limit = initialLimit + boostFactor * delta

Numbers per months:
In 1st month: 150 USD, profit per trade: 7.5 USD
In 2nd month: 225 USD, profit per trade: 11.25 USD
In 3rd month: 300 USD, profit per trade: 15 USD
In 4th month: 375 USD, profit per trade: 18.75 USD
In 5th month: 450 USD, profit per trade: 22.5 USD
In 6th month: 525 USD, profit per trade: 26.25 USD
In 7th month: 600 USD, profit per trade: 30 USD
Sum profit per trade: 131.25 USD
With 5 trades per months profit is 656,25 USD, thus covers the investment of burning 300 BSQ.
With 10 trades per months profit after 4 months is 750 USD.

Not sure how attractive those numbers are for traders, but also now traders cannot expect to get all trades with 600 USD, I guess average trade amount is in the 200-300 USD range. Also for smaller amounts a higher premium is common, so the above numbers would get increased.

Also the trade limits are only per trade. Users who want to trade larger amounts can do that by repeated trades. With lower limits we force traders to use the more secure pattern of repeated trades and it does not really limit the amounts ppl want to trade. It only adds a time delay and more work for doing more trades but increases significantly security.

I think it might be useful for new traders who try to figure out themself if its profitable to share those models and thoughts, so that they can find easier a conclusion.

[solomon1923]

Thanks for the examples, This strikes a good balance between keeping away scammers and still making burning a good option for sellers looking to make a number of trades on Bisq Easy.

[HenrikJannsen]

As discussed in Matrix, we could also include the profile age as factor for max trade amount.

A new profile would have factor 1, after 6 months it grows linearly to factor 4.
With a reputation to amount factor of 1/200 a 300 BSQ burn would result then in a max trade amount from initially 150 USD to 600 USD after 6 months.

[HenrikJannsen]

More though about using a time function based on the burn BSQ event or based on profile age:

Using time function based on burn event:

Pro:

• More secure as each investment gets a time component and to reach investment costs by potential scams takes longer
  Con:
• Less incentive for long term sellers with high reputation as effect takes time to materialize.

Using time function based on profile age

Pro:

• The waiting time for enjoying full effect of investment by burned BSQ happens only once. Long term traders get after 6 months their newly burned BSQ 100% effective immediately.
• Utilizes profile age, which is not part of the reputation score
  Con:
• A scammer could create a profile and let it mature and then abuse the then less secure ratio of investment and number of trade to reach break-even (only one 600 USD trade)
• A scammer could try to buy old profiles. Old inactive profiles would become a valuable asset for scammers.
• Might lead to more centralization of power traders, as they benefit by new investments in reputation increase faster than new traders.

Both models have the disadvantage that we add some additional concept next to reputation. If we can use the reputation score alone for deriving the trade limit it would be easier and more clean conceptually.

We could add a boost factor from 1 to 2 over a period of 1 year to the Burn BSQ event or consider to add the same boost factor to all reputation sources from the time when they have been added. This would help to avoid to give Burn BSQ a higher overall impact as it is today (which might be already too high). We could even adjust that by using different boost factors by reputation source if want to change the impact of different reputation sources. But the added complexity might not pay off.

By using that model we would avoid that user profiles which have been never been used or active trading (as seller) will become a valuable asset to purchase by scammers or that a scammer can just create a profile and leave it until it matures.

[suddenwhipvapor]

Scammers letting a profile mature is the first downside I thought about, too.
A mixed approach is to start counting profile age since the first minimum eligible burn event (ie 300bsq), burnt either in one go or as the sum of all burn events until it reaches a total of 300bsq.

Let's also define the scope: while limiting trade amount based on burn amount, even alone without time functions, is enough to disincentivize scammers, we are discussing this further to not also disincentivize legit sellers from investing in the platform, and I guess even if we try our best to come up with a strategy that doesn't have that effect and doesn't need to be revisited later, the way the market goes will still be a metric that could require further improvements.

[suddenwhipvapor]

My first reaction to the addition of boost factors is that it indeed adds complexity. Since it will trigger after one year though, could it be left for later on, to be implemented closer to the date it should actually be effective, so that in the meantime the effect of the trade amount limitation alone can be examined and see if it actually needs improvements?

[HenrikJannsen]

it will trigger after one year

Its continuous and only grow up to 1 year.

[solomon1923]

My preference of the two is using a time function based on burn event.

• Reason being it is too easy for a scammer to spin up multiple profiles and then wait to use them.
• It also gives BSQ bonds a bit more of an advantage which is not a bad thing as scammers are less likely to bond BSQ.
• I do not think the deterrent is too bad for serious sellers, but think it is good enough to keep away scammers.

[HenrikJannsen]

Here are screenshot with implementation of above boost factor:
Left is current model, right is model applying the boost factor based on reputation source event.

[HenrikJannsen]

One thing to consider is that with increase of the weight of old reputation events we reduce incentive for newly burned BSQ, which is the only funding source for Bisq Easy. But we have to take into account that sellers are competing with higher reputation and the relative ranking is the important factor and that would not change much.

Btw. a nice side effect is that the account age and signed account age witness reputation sources will get a boost of factor 2 for any bisq 1 account older than 1 year. I think we had used a too low weight and this would correct that.
It still would be an increase from 4000 to 8000 for account age and from 10000 to 20000 for signed account age witness in case of max age (6 year old Bisq 1 accounts). With 28k score it would be still below the 30k of current min required reputation.

If we consider that too much we could adjust the boost factor for each reputation source.

[HenrikJannsen]

When using the trade limit derived from reputation we could apply for sellers without or with low reputation a low max trade amount of say 25 USD. So if the score/200 value is below 25 (score <5000) then the user would get that max. limit. We can adjust the text in the popup warning to create a sell offer with no reputation (extending it to <5000 scores and tell user that limit is at 25 USD).

The upper limit of the trade amount is 600 USD, even for users with higher than 120k score.

For creating a buy offer we can leave the max amount of 600 USD. Only sellers with >=120k score could take that. We could add information in the amount UI to make that more clear to users, that they limit their chances to find a seller.

When taking a sell offer and having set one's min required score of say 30k, but offer makers score is 0 or too low but was using the 25 limit, we could give the user the choice to still take the offer and explaining the risks, but the low amount limits the potential damage. Now we show only the popup that one cannot take the offer.

[suddenwhipvapor]

got it, so it's 25usd gross fiat amount including whatever markup.

[solomon1923]

The upper limit of the trade amount is 600 USD, even for users with higher than 120k score.

While I can see the logic in an upper limit it will also cause issues when the BSQ prices increases.

If bitcoin doubles in price then BSQ will roughly double in price, that makes a 300 BSQ burn twice as expensive.

• Is it possible to link the max recommended trade amount to the BSQ price somehow?
• Why shouldn't a trade with a reputation of 240k have double the reputation of a trader with 120k (max trade size in Bisq 1 for fiat trades is about $6,000)? I would be happy for Bisq Easy to be a quarter of this if reputation allowed. This would also allow for about 0.01 BTC trades to take place on Bisq Easy if the price of bitcoin were to double.

[HenrikJannsen]

Ah good point with BSQ price. Easiest way would be if we get the BSQ price from the price provider, otherwise we need to add a feature to the oracle node. Will look into it.
I think we should not go too high with max cap of amounts. There is also the chargeback risk and the buyer has nothing at stake in contrast to Bisq 1. Also we are still in early days and we don't know which surprised might come in future. With high amounts risks are higher if our assumptions fail. Also it would increase risk for oracle nodes, as those provide the relevant data for reputation. I think we should rather promote (in the UI) the concept of repeated trades after successful settlement. Distributing risks by that on the cost of a bit less convenience seems better to me.

[HenrikJannsen]

Re BSQ price: I think we should use the price at burn event, not the latest price. This would then require anyway a solution via Oracle.

[suddenwhipvapor]

I don't see increasing trade USD amount as a significant factor, bisq easy does use a scam-resistant protocol but it's way less solid than multisig, so amounts should be expected to oscillate around a safe minimum to cover for a bisq1 deposit

[HenrikJannsen]

I paused work to wait for more feedback and also as I think a hotfix release is not needed, so it will be part of next normal release.

There are 2 potential trade limit solutions:

• Set trade limit for seller to 1/200 of reputation score. If it would result in a limit of < 25 USD we allow 25 USD but add some warning for taker.
• We keep a fixed limit (300 or 600) but show warnings when the reputation score / 200 is < trade amount.

I think first one is better.

[cparke2]

I just heard about the scammer incident and this discussion on Bisq2 itself.

From my perspective, the idea of "reputation score" is not security at all! It is just a "feel safe" metric, and the minimum required reputation score is arbitrary in nature. Only a security deposit or bonding system makes sense to me, which requires cash or an indemnity to pay out liability on successful claims. For Bisq Easy, this means BTC sellers should be required to maintain a performance bond of BSQ on Bisq1, or a security deposit of BTC on Bisq2, in order to make any BTC offers (the same way governments often condition issuance of many business licenses and permits). The amount of the deposit or bond should be up to the prospective seller, but whatever it is, that amount determines the total amount of trade value in offers that the seller may accept on Bisq Easy at any one time. In the event that the seller loses a dispute, the bond or security deposit is used to satisfy the buyer's winning claim. The deposit/bond is for maintaining general selling privileges on Bisq Easy, not a per trade deposit as on Bisq1.

The above system design would make Bisq Easy arguably safer than Bisq1, since when a scammer seller on Bisq1 loses his 20% BTC security deposit on a $5,000 trade by falsely not acknowledging receipt of the funds, he has still made a big win of $4,000! For this reason, Bisq1 buyer/seller security deposit amounts really should be set at 50% in order to eliminate the possibility of arbitrage from either party. As for "Burning BSQ" to gain reputation, that is essentially a, "buying reputation" scheme through paying a one-time fee, and it smells like a spoils system! Finally, when it comes to banning someone, is that actually effective in the Bisq environment? What stops peers from simply deleting their data directory and then getting a new identity to continue using the service notwithstanding?

I will conclude by saying that Bisq as a service and a community has impressed me immensely. It seems a lot of smart people are here and working at the project, and I'm sure you all will figure out how to resolve these issues best to make Bisq Easy as safe and effective as it can be.

[HenrikJannsen]

I think there are some misunderstandings, please read more about the Bisq Easy reputation system and the identity concept on the Wiki.

What you describe is essentially better fulfilled as what you suggest (50% deposit). Only by burning BSQ or bonding BSQ relevant levels of reputation score can be generated and the come with relevant financial commitments.

Example:
A seller needs to burn 300 BSQ (about 600 USD) to get the required 30k reputation score (assuming the buyer has not lowered the min. required reputation score). The max. trade amount currently is 600 USD. So that represents a 100% non-refundable financial commitment. Though to get 600 USD trade is not easy, specially if its a new profile. Most security minded buyers make small trades first to lower risks...
Bonded BSQ requires 3000 BSQ (about 6000 USD) to get the required 30k reputation score (and is refundable after about 1 year).
If a seller scams, his profile gets banned and his investment in reputation is gone (as it is tied to the profile). For bonded reputation his bond can be confiscated by the DAO.

The scam was mainly enabled by the fact that we lowered the min. required reputation score to 10000 for helping to bootstrap the markets. It should have be reset to the original 30k earlier in retrospect (it is now 30k again). Thus it allowed the scammer with a 200 USD investment to scam buyers. That some traded quite high amounts shows that a lack of security awareness of some traders and we need to improve UX on that.
We are in the process of improving various aspects (like max. allowed trade amount based on reputation score) as described in that discussion and already partially implemented for the next release.

Your suggestion to require a security deposit from the seller is interesting but would turn Bisq Easy into a Multisig protocol (otherwise who controls the deposit) with all the benefits of Bisq Easy lost (e.g. traders don't need to be online at the same time, no need for wallet integration,...).

Bisq Easy has different trade-offs to Bisq 1 and that is clearly stated, It does not compete with Bisq 1 but complement it (e.g. for users without BTC). Also the more simple model leads to more simple UX, specially that both traders dont need to be online at take-offer.

[suddenwhipvapor]

Hi @cparke2 I believe I replied to you in bisq2 as well.
The security model of bisq1 is for bisq1 only, and it will be ported with several enhancements in bisq2 in due time, please review https://bisq.wiki/Security_deposit to understand how the security deposit really works, a seller stands losing the whole trade amount on top of the deposit if something goes wrong because of him.

On the other side, bisq easy is an on-ramp to get your first btc, in order to trade on bisq1 for larger amounts and better security, so the reputation model is more than safe when trading with high reputation sellers, and for smaller amounts.
Misusing the bisq easy protocol (buying larger amounts, and choosing small reputation sellers) means increasing the risk exponentially, and this discussion is aimed at reducing the possibility of that happening in the future.

[cparke2]

Hi @suddenwhipvapor

I am aware the security model for Bisq1 vs. Bisq2 is different and the intended uses of the two platforms is different. I have already bought and sold BTC on Bisq1 and bought BTC on Bisq2 too. And I have traded on other P2P exchange platforms. And I have lost money once due to bad policies and administration on one of those other platforms (I ultimately did get my BTC from the seller after going through a CFPB complaint against the platform, but that is highly unusual).

I am suggesting that the security model for both Bisq platforms has flaws. Nothing is perfect, we know this, but Bisq can do better. Let me try to re-state my proposal here for a better security model in Bisq1 and Bisq2 (Bisq Easy):

1. Bisq1 - Should support multiple payments to satisfy the trade. It's a problem because some banks limit payment methods to small amounts that the buyer may not even realize until opening the trade. Each buyer payment must be confirmed as received by seller before the next one starts. The idea of BSQ bonding also might be useful in Bisq1 so buyer could exempt from creating a new security deposit multisig for each trade, but I don't know if that's technically feasible. It might also be prudent for unsigned accounts to keep the trade open and the bitcoin withheld in the multisig for several more days after the seller confirms receiving payment (a post-trade waiting period), because chargebacks for things like buyer using stolen account can take several days to happen.

2. Bisq Easy (Bisq2) - Reputation model should be scrapped, it betrays longstanding Bisq policy. The bonded BSQ option is the only method of gaining reputation that has merit. On Bisq Easy, only Bitcoin sellers really need reputation today anyway, first time BTC buyers have no way to earn it. Under my proposal, Bisq Easy trades should be secured with the existing BSQ bond or a new BTC performance bond system. The bond amount needs to cover 100% of the seller's exposure to deliver BTC at any one time on Bisq Easy. Seller can change or cancel the bond at any time, provided he has no outstanding trades exceeding the new bond amount. Post-trade waiting period before the trade can be closed should be mandatory for all account types that normally would undergo signing on Bisq1. This system fulfills the Bisq Easy purposes while also providing safety and recourse for buyers who don't receive bitcoin for their payments; right now, Bisq Easy is little more than a message board and a workflow, with voluntary mediation being the only enforcement mechanism.

Sellers do have more risk on Bisq Easy because buyers have no reputation or bond, but chargebacks still can happen.

[HenrikJannsen]

Re 1:
It was discussed to add a delay at BTC release, but it would harm UX. Chargeback risk are primarily from the type of payment methods (thats why Bisq does not support Paypal and such crap). I agree that many Chargebacks are discovered in the span of a few days up to 2 weeks, thought technically I think they can happen up to 6 months. Even a delay of a few days might be not acceptable for most traders. But for Bisq 2 MS we might consider to add options so sellers can add a custom delay. Sellers can anyway extend the release up to the tolerated response time.

To add BSQ bonding when there is already a MS scheme in place seems like an unnecessary complexity. We want to keep things as simple as possible. Any added complexity adds risks.

Not sure if I understand the first part. You are suggesting an incremental fiat payment inside of one trade? More simple would be just to repeat trades with small amounts. As said we try to keep things as simple as possible and such a feature seems to me not justified by the added complexity. Also many small bank transfers to the same receiver might add risk that banks become nasty.

Re 2:
As mentioned above it seems your understanding of the reputation system and the identity concept is incomplete / wrong. Please read the wiki.
How should a BTC performance bond system work? The only way I see is the MS scheme used in Bisq 1 (with seller as only party to add a deposit). Using a MS would turn Bisq Easy into Bisq MS.

I agree there is a range of options between Bisq Easy and Bisq MS, but one has to decide which options are the most beneficial with regards to trade-offs.
Bisq Easy is not only about onboarding no-coiners (that could be achieved by a variation of Bisq MS with no requirement for buyer to add a security deposit and seller pays all fees - though that would have its own can or worms...). It is also to enable a more lightweight model leading to much better UX and feasible for mobile.
And it explores the potential of a new security model based on a reputation system (which might become re-usable later to other protocols). That the security here is limited is clearly stated and is the trade-off for a much more simple and better UX.
Sellers have to be aware of chargeback risks and have to account for that in their price markups and trade strategy (e.g. run their own insurance model). Nothing prevents them to check with a new buyer first in a chat conversation if trust is justified. And repeated trades with small amounts are the best and most simple strategy for risk reduction for both sides. Experienced sellers have found their strategies to deal with the risks and as we see in repeated burn/bond BSQ activity it seems they consider it profitable to trade on Bisq Easy.

[cparke2]

@HenrikJannsen Very thoughtful response, thank you!

It is indeed the payment methods subject to signing on Bisq1 (ex: Zelle), which also happen to be the most commonly used, that are of particularly of concern for chargeback. Indeed, buyers don't like waiting for release of bitcoin after they've sent they've sent their payment, even if I acknowledge to them that I received the payment and will be releasing it after a clearing period (the same way banks hold funds availability on deposited checks for several days). Seller like me runs the clock for as long as the trade platform will allow before closing the trade, to give the payment service that buyer used a chance to catch any fraud and invoke a chargeback process, so that if it happens, I can dispute the trade with buyer rather than lose bitcoin (since there is no way to dispute after closing the trade and releasing BTC). It would be much better if a post-trade hold process was included in the Bisq trade workflow, but of course holds alone are still not a guarantee, and the timing has to be a reasonable amount of time (ideally 3-5 business days hold period from when payment was marked received by seller, particularly if it coming from a new buyer).

There are some buyers like me who would appreciate being able to pay in several smaller payments. Even when sending money electronically to someone they already know personally, people often will send a small test payment first just to verify the funds transfer service works and the recipient information is correct, before sending the correct amount. Also, sometimes banks unexpectedly lower the send limits or even suspend a payment method, forcing a buyer to resort to some different payment arrangement to complete the trade (the bank does this to limit their own exposure to possibly unauthorized transactions). If trading a larger amount (Bisq1), as a buyer I want to limit my potential amount of loss if the seller suddenly disappears or denies receiving funds after I sent a large payment; baby steps to confirm each smaller payment to get to the final amount would be more reassuring than losing it all at once! Banks are less likely to consider a large number of transactions and multiple payments suspicious if seller is receiving them into a business bank account. Multiple small trades are not a good alternative, because the trade pricing is different on low amounts because of separate BTC transaction fees involved. Allowing multiple payments and payment methods within a single trade is indeed what I am asking for to be considered.

Finally, I certainly don't want to see Bisq Easy turn into Bisq MS, and I do appreciate the differences of the two platforms (you mentioned several times the advantages of "UX", for example). I am not advocating for a per-trade security deposit as in Bisq MS; I am advocating for a per-seller security deposit or bond be required to enable sellers to accept offers on the platform. Admittedly, I do not understand how the BSQ bonding process actually works, how it is different from the MS of BTC, and accordingly why the bond couldn't be done with BTC instead. BTC would be better security currency than BSQ, which needs to be swapped on Bisq1 in order to be sent out. Either way, the strategy suggested is to have all Bisq Easy sellers bonded in BSQ or BTC before trading on Bisq Easy, with that bond amount available to moderators to distribute to buyers in a dispute if the seller doesn't participate or cooperate in the mediation process. The idea floated earlier in this thread about setting the (cumulative?) trade limits on sellers based on their reputation score is a good step in this direction, but what I am saying is reputation really needs to based on bond amount alone, and the other methods of gain reputation points (especially Bisq1 account ages) should be eliminated.

P.S. Why is Bisq Easy limited to trading in BTC despite it not managing a BTC wallet nor dealing with MS?

[HenrikJannsen]

Account ages/Signed account age have much lower impact on reputation score than burning BSQ or bonding BSQ.
Why not Bitcoin? Because we can confiscate by DAO voting bonded BSQ, but not BTC. Because burned BSQ act like a fee payment to the DAO and is the only funding source for Bisq Easy. Burning BTC would serve all Bitcoin holders equally (by reducing supply one unit gets more valuable). Too big and un-connected group that it would make sense for Bisq to do that.
To fully understand all that you would need to read up the docs on the Wiki about the Bisq DAO. It's the core of Bisq and Bisq would not exist anymore without it for various reasons. All security models (Bisq 1 and Bisq 2) are fundamentally based on the DAO.

For your multi-stage payout scheme, I don't see a obvious solution how to secure those steps. It would become a bit like a Lightning channel update if done properly. If its only a UI thing it will likely have security issues (have not thought it through).

[HenrikJannsen]

Here the screenshots of the current implementation:

Create offer to buy BTC:

Create offer to sell BTC with 30k reputation:

Take offer cases. Left is user with 0 reputation, right user with 30k reputation.

[HenrikJannsen]

Here a summary of the current state:

The basic rules are:

• Sellers reputation based trade limits (RBTL) are calculated from their reputation score: score/200= limit in USD.
• Sell offers above that limit can be taken by buyers but there will be displayed a warning popup. This is only allowed in the take offer use case not in the trade wizard.
• Sellers do not need reputation for up to 25 USD. Buyers creating offers allowing <=25 USD will see a warning in the create offer screen.
• Min. required reputation score is not used anymore. Will get removed from the UI. We need to communicate that in the release notes.

There are 4 use case where the changes have effects:

• Create offer
• Take offer
• Browse offer-book
• Trade wizard (Getting started)

All USD amounts are converted to the used currency. Fixed min. and max amounts are 6-600 USD (now we use btc for limits, thus making limits exposed to volatility issues)

Create offer

As buyer

We show a green indicator line at the slider for amounts potentially covered by users reputation. E.g. If the highest reputation in the network justifies a limit of 500 USD, the green line goes up to 500. Above that there is no user currently in the network which would have the required reputation.
If my amount is <=25 USD (min. amount or fixed) a warning text is displayed that anyone without reputation can take that offer. This might need some more improvements. Ideas welcome.
If I move amounts >25 USD no warning is displayed. Only sellers with sufficient RBTL can take my offer.
If I move amount outside the green indicator I see that there are no sellers in the market able to take that offer.
The number of potential sellers (could need improvements in wording here) is updated with slider movements.

As seller

If my reputation is 0 I see a overlay at clicking Sell (not changed from current):

If creating an offer <= 25 USD I am in the tolerated range (wording needs improvement):

For higher amounts we show the max. amount tolerated. With click on it the amount is set to 25 USD.

TODO: Improve wording, should not read: "provide security up to 25 USD", as its not providing any security...

Take offer

As buyer

I can take any sell offer which is covered by the sellers RBTL without a warning popup. If users selects an amount > than sellers RBTL a warning text is displayed with "learn more":

If the amount is not covered by the sellers RBTL, a warning is shown.

As seller

I can take any offer which is either <= 25 USD or <= my RBTL. If trying to take an offer above my RBTL I get a popup telling me that I cant take it, or if the min. amount is below my RBTL but max amount above, I can take it but my amount range is limited to my RBTL.

Taker with RBTL of 157 USD:

Taker with 0 reputation:

Browse offer-book

We could grey out offers which cannot be taken (sell offer not covered by RBTL).
We could mark sell offers with partially insufficient reputation with a warn sign (probably not needed and would overload the offerbook).

Trade wizard (Getting started)

As buyer

I can select the amount and see in which range there are available offers by a green indicator line at the amount slider. Only sell offers which are either <=25 USD or are covered by sufficient reputation are allowed. If the offer is a fixed amount offer the amount must be <= the sellers rep. based limit. If its a range amount and the max amount is > sellers rep. based limit only the amount up to the sellers rep. based limit is allowed.
If there are gaps in the available offers we keep the gaps filled. This can be improved but questionable if it would cause too much confusion. The text indicates the number of available offers.

Here the sell offer has exceeded the sellers limit, so not the 300 USD but his limit of 157 USD is used. The range is from lowest possible to highest possible amount (25-157). For the selected amount of 107 there is no offer but we still keep the green line as it might be too confusion if the line gets lot of fragments (could be done though).

As seller

I get offered all offers matching my RBTL.

[suddenwhipvapor]

Amounts up to 25usd do not require any reputation

[suddenwhipvapor]

I think it is important to explicitly add that the buyer risks losing money.
This impies higher risk of a malicious party not sending any BTC after receiving the fiat

[HenrikJannsen]

TODO: Improve wording, should not read: "provide security up to 25 USD", as its not providing any security...

Either one size fits all, "Your reputation score of X limits to you an amount of Y", or you have to provide a case switch, where options are:

* You can sell up to 25usd without reputation

* Your reputation score of X provides security up to Y

New version:

[HenrikJannsen]

I think it is important to explicitly add that the buyer risks losing money. This impies higher risk of a malicious party not sending any BTC after receiving the fiat

New verison:

But yes can be more explicit...

[suddenwhipvapor]

I reckon there is balance to be found between making absolutely sure to be upfront with users, and scaring them 😄

[HenrikJannsen]

Thanks for suggestions.

[HenrikJannsen]

Closing as implemented for upcoming 2.1.1 release

[beage666]

Why

[HenrikJannsen]

What do you mean with why? Why its closed? Because its implemented (not released though but in process).

[beage666]

Ok in process