-
Notifications
You must be signed in to change notification settings - Fork 1.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Bisq does not verify taker's funding TX is broadcast to Bitcoin P2P network #3489
Comments
The peer's trade fee tx is not knows to BitcoinJ as it is not related to the wallet. Beside that it is a valid situation that the peer's trade fee is not confirmed or not even found in the mempool, specailly for the taker fee tx that is likely the case as the time between publishing taker fee tx and deposit tx is very short and the tx is likely not propagated much in the network. We have to find out what causes those bugs with not published txs. It might be related to the AddressEntry management, that there is a bug in some edge cases. |
@wiz: I have put my log at a web URL. See bisq chat, please. |
@chimp1984 since BitcoinJ / SPV cannot verify this TX, we are discussing having all the btcnode operators start running a block explorer API like electrs on their servers - this will allow Bisq to query the full node if a TX exists in the mempool or not, which means the fullnode would have verified it. Users will be able to choose which node(s) to verify this TX using, including their own full node if they have one. |
Bisq can be modified to query the full node REST API with the TXID like this, if it exists in mempool then taker can be allowed to accept the trade offer. http://jiuuuislm7ooesic.onion:3000/tx/44d675e87d667d89c471a24269489a7a37eb631bde8e75439c42d036f6f7de54 |
Actually I found this TODO item which seems to be to add the missing verification without needing electrs https://github.com/bisq-network/bisq/blob/master/core/src/main/java/bisq/core/trade/protocol/tasks/maker/MakerVerifyTakerFeePayment.java#L41 |
So far 2 btcnode operators are online running electrs nodes: |
Please be aware that this approach likely is not feasible (take offer process takes 1-2 sec. not enough time to enure a tx is visible to all nodes). Please don't rush in a wrong direction before we have a clear picture whats the cause of the problem. |
Well to be brutally honest, the approach of trusting 0-conf TXs to accept Bisq trade offers isn't feasible either. How else can we solve this fundamental design flaw in the Bisq trade protocol, if not to delay accepting the offer by a few seconds until Bisq can verify the 0-conf TX is actually in the Bitcoin mempool? It seems to fix this properly would require re-architecting the trade protocol quite a bit. |
Moving discussion to bisq-network/proposals#132 |
@ripcurlx I am going to re-open this issue because while the concept of "failed trades" was introduced, which reduced the severity of this issue so that it does not cause wallet corruption, it still inconveniences the user and Bisq should verify the taker's funding TX. I proposed using a REST API electrs backend on our federated btcnodes for this purpose |
To add to that. Given the issues Bisq has been having, I'm vehemently against relaying offers with not-broadcast or unconfirmed maker fee tx. Thinking of it it seems like a possible point of attack to flood the network, strand takers funds and strain support personnel. |
Yes, that is another missing part of the trade protocol from the original design, but since Bisq is SPV it cannot verify transactions that are outside of its wallet without using some API to a trusted Bitcoin fullnode |
There is actually a task (
|
Right, so we want to use a REST API electrs backend for this verification, to our federated btcnodes |
Query all of our federated nodes, if all of them return 404 for this API call, then consider the TX to be invalid |
@sqrrm @freimair @ripcurlx
In this deposit TX, the taker's funding TX My suggested workaround, is to have both trade parties re-broadcast the deposit TX to their Bitcoin peers. They should expect either a successful broadcast, or a "already in mempool" error, which also indicates a valid TX. If they receive any other error when re-broadcasting the TX, such as "spends invalid UTXO", etc. the maker can assume the taker's funding TX is not valid, and it can reject the peer attempting to take the offer. |
The trade protocol must not be delayed by the API call as that would just introduce more problems like network disconnections or timeouts. It would also decrease UX. I recommend to do that API lookup after a certain period and then display a waring to the user. The cases if "too long unconfirmed tx chain" can be handled differently by limiting the offer to be created or offers taken by the number of unconfirmed transactions in the users wallet. That is not perfect and does not handle all possible cases but I think that will reduce those issues by > 90% and is relatively easy to implement and does not cause UX issues for most users (only those who create many offers in a row which is not a standard behaviour). Also note that trades with "too long unconfirmed tx chain" still can be confirmed later and the trade can be completed normally. SPV resync have to been taken carefully. It can cause more harm as it helps, for instance if a tx does not get confirmed fast but would have been confirmed in a few hours a SPV resync of one trader will render the deposit tx invalid if that user makes a double spend in the meantime. Then the other user has a failed deposit tx and require a SPV resync as well. The seller is doing the publishing of the deposit tx. If the buyer would do it as well it has to be taken care that the wallet does not add 2 times the same tx (it will hear from the network once the seller broadcasts) as that cause problems in BitcoinJ. It is tricky to test as the timing is not guaranteed if the tx comes first or the P2P message which triggers the re-broadcast of the buyer. I don't recommend to add here more complexity and fragility without having clear evidence that this is causing a problem. |
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
This issue has been automatically closed because of inactivity. Feel free to reopen it if you think it is still relevant. |
Description
Bisq allows its offers to be taken without verifying the taker's funding TX was actually broadcast to the Bitcoin P2P network.
Version
1.1.7
Steps to reproduce
Expected behaviour
Alice's node should not attempt to take the offer if it cannot broadcast a valid funding TX to the Bitcoin P2P network.
Bob's node should not allow Alice to accept his offer if Bob cannot verify that Alice's funding TXID has been seen by at least 1 of his Bitcoin peers.
Actual behaviour
Bob's offer gets accepted state, but the trade can never begin because Alice's funding TX was not broadcast to the Bitcoin P2P network. Additionally, Bob's funds are now stuck in limbo.
Screenshots
The text was updated successfully, but these errors were encountered: