Off-chain trading using a lightning network of BTC & tainted BSQ #312
Comments
Thanks a lot @stejbac for those excellent ideas! To better understand your proposal I wrote down for myself the basics. I hope I interpreted it correctly; if not, please correct me. I will share it here, maybe it is helpful for other readers.

A taint tx creates (a) pair(s) of equal valued Tainted BSQ (TBSQ) and anti-tainted BSQ (ATBSQ). Example tx (ignoring BTC for miner fees):

TBSQ and ATBSQ can be transferred like normal BSQ with some restrictions. TBSQ or ATBSQ are not valuable as BSQ and would not be accepted in a BSQ/BTC trade. Transfer is used between traders and escrow and in LN channel hops.

Un-taint tx example:

How are they used for the trade protocol: Alice is BTC buyer. We ignore security deposits and fees. We assume 10k USD = 10k BSQ = 1 BTC to keep numbers simple.

Happy trade path
State 1:
Transition 1:
Input 1: 40k BSQ from Carol
State 2:
Transition 2 (Alice sends USD):
State 3:
Transition 3 (Bob confirms USD receipt, atomic refund tx):
Input 1: 10k TBSQ from Alice
State 4:

Not happy paths
Case 1:
Case 1:
Case 3:
Case 4:

I think the high capital requirement for Carol (4 times the trade amount if I understand it correctly) might become a problem for larger trades and volume. Currently we have about 0.5M USD volume per day; assuming average settlement time is 1 day, that means 2M USD in BSQ need to be available for bonds. That is about 25% of current BSQ available. Settlement times would be much faster if we manage to automate altcoin trades (essentially XMR, as that's 70-90% of total volume). Pure fiat volume is then only 20-30%, so the required total capital for bonds would become much less. I think for altcoins we also can take benefit from the fast and cheap tx options in LN and try to do micropayment style trades if altcoin miner fee costs permit that. I am not sure if Carol could be considered a financial intermediary. At least she could run away with the BTC and then make the traders depend on the DAO to get reimbursed.
I think that is worse than the current burning man problem, as the BM cannot trigger that the traders send the funds to the donation address as he is not part of the trade. I have not thought more about the case that Alice (or Bob) plays the role of Carol. I will need more time to understand the second idea, especially the required garbled circuits. I think the ideas you presented here are a huge step further to a secure off-chain protocol.
I think I was wrong with the 4x bond requirement; 2x should be the minimum, as burning one part of the bond pair will invalidate the other. Further, I think a version without Carol should be possible as well and would look like that:

Taint tx:

Un-taint tx:

I was not sure about the details of how you defined the input-output rules, but to have an atomic tx where both taint their BSQ we would need a rule that 1 input maps to a pair of 2 outputs (TBSQ / ATBSQ). So by that, in a non-cooperative outcome either trader can burn the TBSQ of the peer and their own ATBSQ and thus destroy both bonds. The DAO might reimburse the side who can prove their case (e.g. following mediator/arbitrator decision). I think that model can avoid the security deposit and does not require any blockchain for the trade currency pairs (e.g. trade apples to bananas). LN can of course be used for a BTC transfer but is not enforced by the protocol. Of course it would still require a BSQ LN fork, as we don't want to have the 2 txs. But even without that I think it would be an interesting alternative to the current on-chain protocol (but would not justify the effort and come with the issue of high costs for the bond). The problem that traders require at least the amount they want to trade additionally as bond could be addressed by a lending market, so they pay some interest rate for getting that loan. It would be great if we could find a scheme which is not based on BSQ but could work with BTC over LN. Besides the challenge to get our own LN fork, the volatility risk and dependency on the BSQ/DAO economy carry considerable risks.
Another idea: I am not familiar with the details of Monero multisig, but I assume that should not cause problems. How to integrate it so that users don't need to run a full Monero node is an open challenge, but once the XMR-BTC atomic swap is implemented (probably in the next 3-6 months) there might be more options. Actually that would convert Bisq into a Monero based platform. Bitcoin would not play a fundamental role anymore but Monero would. Might bring back some love from the Monero community ;-) [1] If that data is correct, miner fees seem to be unfairly cheap on XMR: https://bitinfocharts.com/comparison/monero-transactionfees.html#3m
@chimp1984 Yes, that interpretation is basically correct. Thinking a bit further about the new BSQ tx rules, it would be useful to be able to create more than one TBSQ-ATBSQ pair per tx, just as in your example above (unlike in the original rules I devised, which always create one pair out of the first two outputs only). That would be useful for on-chain txs which atomically exchange newly created TBSQ and BTC between the traders, as in your examples. Also, it would mean that if a lightning channel had built up multiple pairs of differently tainted TBSQ-ATBSQ pairs in its final state (through lots of different trades being routed through it without all being completely cleaned up), then a cooperative channel closure would consist of just a single tx which spends the 2-2 BSQ lockup and creates all the pairs at once. That would be much neater and more efficient than trying to do it in multiple txs. To create multiple pairs of possibly different taint, perhaps one

Also thinking further, the BTC security deposits are unnecessary, as you point out, when Alice & Bob both double up as escrow agents and they each contribute some minimum amount to the bond total. (They don't actually have to have equal sized bonds - the total size is what's really important.) This can be seen since they would just be redistributing the escrow among themselves in proportion to their respective bond sizes, in their joint role as escrow agents. (So if their bonds were equal size, for example, they would first split the BTC escrow equally, make the fiat payment and then settle the BTC - a sort of "pay half now and half on delivery" scheme.) Provided each contributes a bond above some minimum percentage of the total (15 / 1.30 ~= 11.5% for a 15% security deposit), then the initial escrow redistribution to match the bond ratio wouldn't cause the BTC amount of either party to drop below the security deposit, so the security deposit could just be elided.
When adjusting the trade parameters, as Alice or Bob's bond starts to drop below 11.5% of the total, it would be necessary for them both to contribute an ever growing BTC security deposit starting from 0%, until finally it reached 15% when one of the party's bond completely disappeared.
Maybe a Merkle-root-like structure could work here?
I guess all the TAG and DBH data would ideally be included directly in the tx somewhere, rather than just a hash or set of hashes (and then subsequently storing them off chain, like the ballot data), as that would make tx parsing simpler and more reliable. Thinking about the loan idea, it may be possible to relax the condition that the taint (TAG+DBH pair) is unique to each trade & escrow agent (including when Alice & Bob both double up as escrow agents, so they're just swapping differently tainted TBSQ), and instead allow it to be reused for different trades but always the same escrow agent. (There's definitely a security hole if it's reused for different escrow agents.) This would allow the BSQ lender to loan out TBSQ instead of BSQ, against a much smaller amount of the borrower's BTC collateral (just slightly larger than the escrow amount), which could then be passed to the trade peer(s) as normal. Thus the lender becomes a kind of backup escrow agent and the borrower (typically one of the traders) becomes a kind of delegate escrow agent who holds the actual escrow. If clean BSQ was borrowed instead, a much larger amount of collateral would presumably be needed to make a loan safe, since otherwise the borrower could just sell it instead of giving it back (and the BSQ could go up in price). In the case where Alice & Bob both have equal amounts (say 5k) of borrowed/reused TBSQ, then instead of creating TBSQ-ATBSQ pairs from a 10k BSQ bond each, they could open a trade (not necessarily involving BTC) by exchanging it in a tx which would typically have 3 inputs and 3 outputs, like:

Input 1: 5k TBSQ from Alice

If the trade closes normally, Bob could give Alice a private key or nonce that would unlock the first input for her, in order to return her TBSQ, and vice versa for the second input. Otherwise a (possibly timelocked) prepared tx could be published by either party to burn the TBSQ of both parties.
Moving one of the outputs would automatically unlock the other output, much like the single tx trade protocol idea: #279. Thus it would be possible to trade arbitrary currency pairs with a single on-chain tx per trade to lock up the bonds. As I mentioned in #279, it may be possible to use cryptographic techniques to make the outputs P2WPKH instead of needing a custom script, in which case I guess it works out at 307 vBytes per trade (according to the bitcoinops.org size calculator). (The TBSQ coins could be used whole even if they're too big for the given trade, instead of splitting/joining them, in order to save tx fees.)
Taking the above idea a bit further, we could have only one party (say the maker) providing a TBSQ bond and the taker providing a (much smaller) on-chain BTC security deposit (which, as I mentioned, is needed if either trader makes a bond of less than around 11% of the total required), with the rest of the trade being done off-chain, including provision of the security deposit of the maker. Then the on-chain tx would only need two inputs & two outputs, say:

Input 1: 10k TBSQ from the maker

This time, in the event of arbitration, the timelocked prepared tx would burn the maker's TBSQ and pay the (much smaller value) 0.15 BTC taker security deposit to the maker, so that they both have funds at stake. If the trade closes normally, they would swap private keys (or maybe nonces instead) so that the TBSQ & BTC went back to the maker and taker respectively, but shaving a little bit off of each. In this way, the maker would pay the trade fees by burning some of their TBSQ and the taker would pay the mining fee. Also, the traders would try not to split or join their TBSQ or BTC coins, but instead keep passing them on from one trade to the next, shaving a little bit off each time to pay fees, so that each trade only required a single tx of 2 inputs & outputs like the above. The coins would not need to be the exact amount required and instead all the trades would be overcollateralised, using perhaps a range of reused coins of geometrically increasing size kept by each trader. In this way, we could perhaps get the cost down to 208 vBytes per trade (or slightly more at 211 vBytes if we upgraded to taproot). It looks like recently the tx fees were reaching more than 150 sats/vByte, so that would still be 31200 sats or around $15 per trade at the current BTC price. I have no idea how high that could climb over the next few years, maybe to $100's?
Very happy to see this moving forward, awesome folks! There's also a generalized lightning implementation written in Rust which aims to be even more extensible than Rust-Lightning and already supports colored coins via RGB. I'm not currently capable of helping with this myself but I wish you good luck with this awesome project!
This is a somewhat ambitious proposal for an eventual off-chain trading protocol using a fork of the lightning network and a form of BSQ bonding, which is intended to reduce network fees + delays and eliminate the problematic role of the Burning Man as a collector of disputed BTC funds.
An off-chain trade protocol secured by BSQ bonds was considered a while ago in #32, but progress was stalled. I believe the main issue with that proposal is the difficulty of preventing reuse of the bond for an unlimited volume of simultaneous open trades in a truly secure way. In some sense, the bond needs to be 'borrowed' when a given trade opens and returned when it closes. Thus preventing unlimited reuse requires solving the double-spend problem (which is what a blockchain does!) and I don't think that the Bisq P2P network can really be expected to provide the level of security required to do this, in order to prevent theft of large amounts of trader deposits. (Also note that it isn't enough to detect unauthorised bond reuse after the fact and then confiscate the bond, since an attacker who can manipulate P2P network consensus could steal a very large amount of funds by sweeping the offer book, before being detected.)
So to prevent unlimited bond reuse, one needs a way to 'lend' a bond to the trade peer(s) in a way that is immune to double-spending in the face of potential P2P network attack. A BSQ lightning network could be implemented for this purpose, to transfer a bond instantly and without tx fees. However, this has the obvious problem that the recipient could just run off with the bond, which would be worth more than the BTC escrow. This proposal attempts to solve the problem by attaching a temporary taint to the transferred BSQ, intended to render it near worthless, such that the taint can only be removed upon return of the BSQ to the original bond holder.
Tainted BSQ
We could make a fork of the DAO consensus rules, by introducing a new `OP_RETURN` type, say `TAINT((byte) 0x18)`, as defined in the `OpReturnType` Java enum. This could have two fields in its binary data:

A BSQ tx with such an `OP_RETURN` output would have two or more BSQ outputs, the first two of which would be enforced to have equal value. These would be respectively tainted and antitainted BSQ. The DAO state parser would trace such special BSQ coins in the same way as regular BSQ, without requiring any further metadata to be embedded in downstream txs to identify them. (Anti)tainted BSQ can be transferred in the same way as regular BSQ. Additionally, such coins can be split, joined or partially burned in transfer txs, just as regular BSQ. However, they would be subject to additional rules, which failing to follow would cause the relevant BSQ tx outputs to be burned:
`TAINT` tag fields or self-destruct absolute heights.

The self-destruct field specifies the block height at which the (anti)tainted BSQ would be automatically burned, if it had not yet been cleaned by cancelling out the taint and antitaint as above. This feature is probably not essential but may help to ensure that the coins never acquire any real market value, plus it may help to prevent long term pollution of the UTXO set by coins that fail to be cleaned. An absolute block height is used because tainted+antitainted BSQ would typically be locked in lightning channels and never get reified on-chain, but could do so at any time in an uncooperative channel closure. It's necessary that the self-destruct heights match when cancelling taint & antitaint, since otherwise the self-destruct time could be continually pushed back by creating new tainted+antitainted output pairs and neutralising with an older output.
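To make the coin-tracing rules above concrete, here is an added toy model of the DAO state parser written for this page; it is not Bisq code and not the author's. It tracks three coin kinds (clean BSQ, TBSQ, ATBSQ), creates one equal-valued pair from the first two outputs of a TAINT tx, lets each kind transfer, split and partially burn freely, cancels taint against antitaint only when the tag and self-destruct height match and the amounts are equal, and burns the outputs of any other mix of kinds as well as coins that reach their self-destruct height. The two TAINT fields are assumed to be a tag and an absolute self-destruct height (the TAG and DBH referred to in the comments); the equal-amount cancellation rule and burn-on-mixing rule are this model's assumptions where the proposal leaves the details open.

```python
from dataclasses import dataclass
from typing import Optional

CLEAN, TBSQ, ATBSQ = "BSQ", "TBSQ", "ATBSQ"


@dataclass(frozen=True)
class Taint:
    tag: bytes                  # unique per trade (and per escrow agent)
    self_destruct_height: int   # absolute block height at which the coin burns


@dataclass(frozen=True)
class Coin:
    value: int
    kind: str = CLEAN
    taint: Optional[Taint] = None


@dataclass
class Tx:
    inputs: list                    # outpoints ("txid:n") spent by this tx
    outputs: list                   # BSQ value of each output, in order
    taint: Optional[Taint] = None   # set iff the tx carries a TAINT OP_RETURN


class DaoState:
    def __init__(self):
        self.utxo = {}      # outpoint -> Coin
        self.burned = 0     # total BSQ burned (fees, rule violations, self-destruct)

    def fund(self, outpoint, value):
        self.utxo[outpoint] = Coin(value)

    def expire(self, height):
        """Burn every (anti)tainted coin whose self-destruct height has been reached."""
        for op, c in list(self.utxo.items()):
            if c.taint is not None and height >= c.taint.self_destruct_height:
                self.burned += self.utxo.pop(op).value

    def apply(self, txid, tx, height):
        """Parse one BSQ tx; returns False if its BSQ outputs were burned for a rule violation."""
        self.expire(height)
        spent = [self.utxo.pop(op) for op in tx.inputs]
        in_sum, out_sum = sum(c.value for c in spent), sum(tx.outputs)
        if out_sum > in_sum:
            raise ValueError("BSQ outputs exceed inputs")
        kinds = {(c.kind, c.taint) for c in spent}
        if tx.taint is not None:
            coins = self._taint(tx, kinds)
        elif len(kinds) == 1:                       # plain transfer/split/join of one kind
            kind, taint = next(iter(kinds))
            coins = [Coin(v, kind, taint) for v in tx.outputs]
        elif self._is_untaint(spent, kinds):        # taint + antitaint cancel to clean BSQ
            coins = [Coin(v) for v in tx.outputs]
        else:
            coins = None                            # mixed kinds: outputs are burned
        if coins is None:
            self.burned += in_sum
            return False
        self.burned += in_sum - out_sum             # implicit BSQ fee burn
        for i, c in enumerate(coins):
            self.utxo[f"{txid}:{i}"] = c
        return True

    @staticmethod
    def _taint(tx, kinds):
        # Only clean BSQ may be tainted; first two outputs must be equal (TBSQ, ATBSQ).
        if kinds != {(CLEAN, None)} or len(tx.outputs) < 2 or tx.outputs[0] != tx.outputs[1]:
            return None
        pair = [Coin(tx.outputs[0], TBSQ, tx.taint), Coin(tx.outputs[1], ATBSQ, tx.taint)]
        return pair + [Coin(v) for v in tx.outputs[2:]]

    @staticmethod
    def _is_untaint(spent, kinds):
        # Same tag AND same self-destruct height, equal tainted and antitainted totals.
        if len({t for _, t in kinds}) != 1 or {k for k, _ in kinds} != {TBSQ, ATBSQ}:
            return False
        tainted = sum(c.value for c in spent if c.kind == TBSQ)
        anti = sum(c.value for c in spent if c.kind == ATBSQ)
        return tainted == anti


def happy_path():
    """Carol taints 20k, lends the TBSQ to Alice, gets it back and recovers clean BSQ."""
    s = DaoState()
    t = Taint(tag=b"trade-1", self_destruct_height=700_000)   # constructed sample
    s.fund("carol:0", 20_000)
    s.apply("taint", Tx(["carol:0"], [10_000, 10_000], t), height=650_000)
    s.apply("to_alice", Tx(["taint:0"], [10_000]), height=650_001)
    s.apply("to_carol", Tx(["to_alice:0"], [10_000]), height=650_010)
    ok = s.apply("untaint", Tx(["to_carol:0", "taint:1"], [19_990]), height=650_011)
    return ok, s.utxo.get("untaint:0"), s.burned


def mismatched_taints_burn():
    """Same tag but different self-destruct heights: cancelling is refused, outputs burn."""
    s = DaoState()
    s.fund("a:0", 100)
    s.fund("b:0", 100)
    s.apply("t1", Tx(["a:0"], [50, 50], Taint(b"x", 700_000)), height=1)
    s.apply("t2", Tx(["b:0"], [50, 50], Taint(b"x", 700_001)), height=1)
    ok = s.apply("bad", Tx(["t1:0", "t2:1"], [100]), height=2)
    return ok, s.burned


def self_destruct():
    s = DaoState()
    s.fund("c:0", 100)
    s.apply("t", Tx(["c:0"], [50, 50], Taint(b"y", 10)), height=5)
    s.expire(10)
    return s.burned, len(s.utxo)
```

The mismatched-height case is the one the proposal singles out: if cancellation ignored the height, an old pair could be kept alive indefinitely by neutralising it against a freshly created one.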
A lightning network for tainted BSQ payments
The main purpose of having txs which create equal amounts of tainted and antitainted BSQ (from clean BSQ) and letting both move freely in transfer txs is to facilitate multi-channel hops of tainted BSQ through a lightning network. If a node operator in the network receives a pending payment of tainted BSQ through one of his channels, he can forward it on by creating equal amounts of tainted+antitainted BSQ in a down route pending payment, keeping the antitainted BSQ for himself and paying the newly tainted BSQ to his down route channel partner. Then he can be made whole again if one of those channels closes, since he simply needs to close the neighbouring channel (well before the taint self-destruct date), leaving him with equal amounts of tainted & antitainted BSQ, which he can then combine together to recover his original clean BSQ.
Most of the time a tainted BSQ payment would be later reversed, when the respective trade closes normally, and probably along the same route of payment channels. That would clean all the taint and antitaint from the channels. Occasionally, it might go back along a different route, which would create a cycle of tainted BSQ payments. These cycles could be easily removed later, by cooperation between the affected nodes.
It should be noted that such tainted BSQ payments tie up channel liquidity along the route, much like a pending payment path of HTLCs. I don't believe that there is any way to set up a multiparty contract/escrow across a lightning network that doesn't tie up liquidity in proportion to the total size of the escrow times the number of channel hops between the contract parties.
It should also be noted that, unlike a regular BTC lightning network, each node would have a non-scalar account balance with its channel partner, consisting of an untainted BSQ balance and a balance of each kind of tainted & antitainted BSQ created within the channel, as well as a possible uncoloured BTC balance, the latter to ensure that there are funds for mining fees. Hopefully it wouldn't be a massive amount of work to fork an existing lightning client to support this. For example, the Eclair wallet is a JVM implementation written in Scala, with a separate eclair-core module that could possibly be adapted. Perhaps a BitcoinJ SPV wallet-based back end could be developed for it (as it currently has bitcoind & electrum back ends), so that it could be embedded into Bisq. The Rust-Lightning repo also looks quite interesting and states that it's intended to be extensible (although it appears to be a rather immature implementation).
Trading with an optional third party escrow agent
Suppose Alice and Bob are a BTC buyer and seller respectively and Carol is a third party BSQ 'bond' holder, acting as an escrow agent. To start a trade, Carol makes equal sized tainted BSQ pending payments to Alice and Bob, with a taint unique to that trade. Alice and Bob then make pending payments of their respective BTC deposits to Carol. This includes the trade amount (for Bob), plus equal sized (say 15% or so) security deposits each. The pending payments all share the same lightning secret (generated by Carol) and hash, so the entire exchange can then be made to go through atomically. (It isn't strictly necessary for the payments to all be made atomically, so long as Carol makes her BSQ payment before receiving any BTC from each respective trader, since all lightning payments have receipts. But it prevents the trader from walking off with the tainted BSQ and seriously inconveniencing Carol without penalty. Plus it is quite easy to make it atomic.)
Once the fiat payment from Alice to Bob has been made, the whole process can be reversed to close the trade: Carol makes a pending payment of the escrow back to Alice and Bob, in the correct proportions. Alice and Bob then make pending payments of the tainted BSQ back to Carol and the whole thing is made to go through atomically.
If there is a dispute which cannot be resolved through mediation and there's a breakdown of cooperation with the escrow agent, then the honest parties should close their respective lightning channels and burn the (anti)tainted BSQ that they're left with. If Carol handed back all her escrow correctly, then her burned BSQ should be reimbursed by the DAO. Alternatively, if an honest trader did not get back their escrow and subsequently burned the tainted BSQ that they were left with, then the DAO should reimburse them with an equivalent amount of BSQ or pay them in BTC via a refund agent. Either way, the honest parties are made whole and the DAO does not lose any money so long as Carol's 'bond' was big enough.
The absolute minimum bond size needed for this to work securely is twice the total BTC escrow value, but it should probably be quite a bit more than this (say double) to account for the BSQ-BTC price volatility. It should be emphasised that the escrow agent is a rather low trust role and the protocol should work just as securely if Alice or Bob doubles up as the escrow agent. In that case, the bond would only need to be half as big, as one would be sending half of it to oneself. Moreover, the protocol can be easily extended to support multiple escrow agents, with the bond divided between them, which is secure so long as each one uses a separate taint. When Alice and Bob both double up as equal sized escrow agents, the maximum individual bond size is minimised, to a quarter of Carol's original bond size. The scheme then becomes similar to that in #32.
The point of having a third party escrow agent is simply to avoid Alice and Bob having to purchase large amounts of BSQ to start trading, which may be difficult or inconvenient for them.
An alternative, simpler lightning-based trade protocol
As an interim step to implementing the full scheme above, we could implement a hopefully simpler though less secure and decentralised trade protocol, which relies on just a regular BTC lightning network. It's a similar 3-party protocol to the above, between Alice, Bob and Carol, except this time Carol is the Burning Man / donation address holder. (One could have multiple such entities for network redundancy, though that would probably lead to similar security problems as having multiple Burning Men.)
The traders, Alice and Bob, each make a simultaneous pending lightning payment (using HTLCs with hashes HAC & H1BC respectively) of their BTC escrow to Carol, who in turn makes a pending lightning payment (using HTLCs with a third hash H2BC) back to Alice and Bob with a 10-20 day timeout. This second payment is routed through Bob to Alice and back to Bob again, in such a way that it drops off the trade amount + security deposit at Alice's node and sends the rest of the escrow (the security deposit) on to the seller, Bob.
It's essential that the full escrow amount is routed through both Alice and Bob in this second payment, since none of the lightning network outside one's own node can really be trusted. So if, say, the buyer Alice was in collusion with the donation address holder Carol, then without routing the full return payment through Bob, after confirmation of the first payment they could immediately steal all of the funds except a pending security deposit payment to Bob which would cancel after 10 days. By routing the full return payment through both traders, one should have no worse security than the present trade protocol w.r.t. the donation address holder. That is, a corrupt donation address holder could steal a large amount of funds by posing as a trader and sweeping the offer book, but is limited by the collateral needed for all those trades, which would be tied up for 10 days minimum before freeing up funds to continue with the scam, in which time it would be shut down. This allows a theft of no more than around 8 times the available starting funds (unlike a situation with an immediate deposit refund to the scammer, which allows unlimited theft from any starting amount). With a lightning-based protocol, the security is probably somewhat better in practice, since any attempt at mass theft would likely quickly tie up all the available liquidity / channel capacity with pending payments (HTLCs).
Before setting up any of the pending payments, Alice, Bob & Carol prepare 16-byte secrets SA, S1B, S2B (two for Bob) & SC and share commitments to them (say hashes), HA, H1B, H2B & HC, respectively. Then we set the earlier three hashes to be the following:
where X||Y is the concatenation of X and Y. These hashes need to be computed jointly, in such a way that it doesn't reveal any of the 4 secrets (or 3 preimages) to the other parties. That requires the use of a generic secure two-party computation between Alice & Carol for the first hash and between Bob & Carol for the second two hashes, using garbled circuits. Carol needs to be sure that her secret SC isn't surreptitiously leaked, and Alice and Bob need to be sure that the first two hashes produced are actually valid (that is, they will leak SC when their preimages are revealed during the commitment of the first two payments). Thus neither side can trust the garbled circuit provided by the other side, so without using zero-knowledge proofs (which would be very complex and big/slow), each side must exchange garbled circuits, run them independently and compare results.
Carol's secret SC serves as both a receipt of the escrow payment and a key which allows Bob to unlock the third pending payment back to the traders. Once all three pending payments are set up, Alice reveals SA to Carol and Bob reveals S1B to Carol, allowing Carol to commit the two escrow payments, which begins the trade. At this point only S2B remains secret, which Bob uses to commit the third payment to close the trade. Also at this point, there is no further involvement from Carol and the escrow can be recovered without her cooperation so long as Alice and Bob are in agreement, so that the remaining pending payment doesn't time out. If it does, the trade goes into arbitration and then Carol controls the escrow. So hopefully from a legal perspective, Carol wouldn't really be considered a custodian of the escrow, as she cannot do anything to stop the return of it to Alice and Bob.
The garbled circuits are big (of the order of MBs each) and so their exchange at the start of the trade would be slow. They can also be prepared well in advance, though, but are single use like one-time pads. Luckily, all the exchanges are with Carol and since there would only be one, or a very few, donation address holders, it should be possible to build up a small supply of such circuits for each separate trader and donation address holder by drip-feeding them through the P2P network prior to a given trade, so that it can start quickly (as actually running the circuits is very fast).
(The underlying problem which makes the use of garbled circuits necessary is that payment preimages in Lightning HTLCs are constrained to be exactly 32 bytes long, and that is short enough to fit in a single 512-bit message chunk of the SHA256 digest algorithm. If the network could be forked to make the preimages bigger, say 96 bytes, then that would spill into 2 chunks, so jointly computing hashes of each preimage which contains mixed secrets SA, SC, etc. could be done by passing the partial digest back and forth between the two parties with each side processing a fresh message chunk not containing the other side's secrets. That would make the whole trade setup much easier and more efficient.)
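The remark above rests on how SHA-256 absorbs its input, so here is an added Python example (written for this page, not code from the proposal) that implements the SHA-256 compression function directly and shows the two cases: a 32-byte preimage fits in a single 64-byte chunk after padding, so no party can absorb its own secret separately, whereas a 96-byte preimage spans two chunks, so Alice can absorb the first chunk (her secret plus filler) and hand Carol only the 32-byte midstate, which Carol completes with her secret and the padding. The split used here (Alice's 16-byte secret filled out to a 64-byte first chunk, Carol's 32-byte second chunk) and the sample secrets are this example's assumptions; `reveal_sc` shows that whoever settles the HTLC with the full preimage learns SC, the receipt property the proposal relies on.

```python
import hashlib
import struct

MASK = 0xFFFFFFFF
# SHA-256 initial state and round constants (FIPS 180-4).
H0 = [0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A,
      0x510E527F, 0x9B05688C, 0x1F83D9AB, 0x5BE0CD19]
K = [0x428A2F98, 0x71374491, 0xB5C0FBCF, 0xE9B5DBA5, 0x3956C25B, 0x59F111F1, 0x923F82A4, 0xAB1C5ED5,
     0xD807AA98, 0x12835B01, 0x243185BE, 0x550C7DC3, 0x72BE5D74, 0x80DEB1FE, 0x9BDC06A7, 0xC19BF174,
     0xE49B69C1, 0xEFBE4786, 0x0FC19DC6, 0x240CA1CC, 0x2DE92C6F, 0x4A7484AA, 0x5CB0A9DC, 0x76F988DA,
     0x983E5152, 0xA831C66D, 0xB00327C8, 0xBF597FC7, 0xC6E00BF3, 0xD5A79147, 0x06CA6351, 0x14292967,
     0x27B70A85, 0x2E1B2138, 0x4D2C6DFC, 0x53380D13, 0x650A7354, 0x766A0ABB, 0x81C2C92E, 0x92722C85,
     0xA2BFE8A1, 0xA81A664B, 0xC24B8B70, 0xC76C51A3, 0xD192E819, 0xD6990624, 0xF40E3585, 0x106AA070,
     0x19A4C116, 0x1E376C08, 0x2748774C, 0x34B0BCB5, 0x391C0CB3, 0x4ED8AA4A, 0x5B9CCA4F, 0x682E6FF3,
     0x748F82EE, 0x78A5636F, 0x84C87814, 0x8CC70208, 0x90BEFFFA, 0xA4506CEB, 0xBEF9A3F7, 0xC67178F2]


def _rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK


def compress(state, chunk):
    """One SHA-256 compression step: absorb a 64-byte chunk into the 8-word state."""
    w = list(struct.unpack(">16I", chunk))
    for i in range(16, 64):
        s0 = _rotr(w[i - 15], 7) ^ _rotr(w[i - 15], 18) ^ (w[i - 15] >> 3)
        s1 = _rotr(w[i - 2], 17) ^ _rotr(w[i - 2], 19) ^ (w[i - 2] >> 10)
        w.append((w[i - 16] + s0 + w[i - 7] + s1) & MASK)
    a, b, c, d, e, f, g, h = state
    for i in range(64):
        t1 = (h + (_rotr(e, 6) ^ _rotr(e, 11) ^ _rotr(e, 25))
              + ((e & f) ^ (~e & g)) + K[i] + w[i]) & MASK
        t2 = ((_rotr(a, 2) ^ _rotr(a, 13) ^ _rotr(a, 22))
              + ((a & b) ^ (a & c) ^ (b & c))) & MASK
        a, b, c, d, e, f, g, h = (t1 + t2) & MASK, a, b, c, (d + t1) & MASK, e, f, g
    return [(s + v) & MASK for s, v in zip(state, (a, b, c, d, e, f, g, h))]


def padding(msg_len):
    """Standard SHA-256 padding for a message of msg_len bytes."""
    zeros = (55 - msg_len) % 64
    return b"\x80" + b"\x00" * zeros + struct.pack(">Q", msg_len * 8)


def chunks_needed(preimage_len):
    """How many 64-byte chunks a preimage of this length occupies after padding."""
    return (preimage_len + len(padding(preimage_len))) // 64


def alice_midstate(alice_chunk):
    """Alice absorbs the first chunk (her secret plus filler) and shares only the midstate."""
    assert len(alice_chunk) == 64
    return compress(H0, alice_chunk)


def carol_finish(midstate, sc):
    """Carol absorbs the final chunk: her 32-byte secret plus the padding for a 96-byte message."""
    assert len(sc) == 32
    words = compress(midstate, sc + padding(64 + len(sc)))
    return b"".join(struct.pack(">I", v) for v in words)


def joint_hash(alice_chunk, sc):
    return carol_finish(alice_midstate(alice_chunk), sc)


def reference_hash(alice_chunk, sc):
    return hashlib.sha256(alice_chunk + sc).digest()


def reveal_sc(preimage):
    """Settling the HTLC reveals the 96-byte preimage; Carol's secret is its tail."""
    return preimage[64:]


# Constructed sample secrets (assumption, not values from the proposal).
SA_CHUNK = b"A" * 16 + b"\x00" * 48   # Alice's 16-byte secret, filled out to one chunk
SC = b"C" * 32


def demo():
    matches = joint_hash(SA_CHUNK, SC) == reference_hash(SA_CHUNK, SC)
    return matches, chunks_needed(32), chunks_needed(96)
```

`chunks_needed(32)` is 1, which is the constraint the proposal points at: with today's 32-byte HTLC preimages there is no chunk boundary between the two parties' secrets, so the joint computation needs a garbled circuit rather than a midstate handover.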
Final remark
Just as it is possible to do off-chain trading using BTC Lightning without needing any concept of tainted BSQ, one could use tainted BSQ in atomic swap txs as part of an ordinary on-chain trading protocol, in order to help eliminate the Burning Man. So it's really two separate problems being addressed here with two separate approaches. But I think it works best when they are combined.