Difference between revisions of "Arbitration"
Plebeian9000 (talk | contribs) (revise arbitrator description) |
(Rename Donation Address {Holder=>Owner}) |
||
Line 14: | Line 14: | ||
A ''time-locked transaction'' is signed (but not published) at the beginning of the trade process. Its purpose is to allow time for traders and mediators to work out a payout using the funds in the 2-of-2 multisig escrow, and to eliminate the [[#Avoiding_Fraud|possibility of fraud]] in case they can't. | A ''time-locked transaction'' is signed (but not published) at the beginning of the trade process. Its purpose is to allow time for traders and mediators to work out a payout using the funds in the 2-of-2 multisig escrow, and to eliminate the [[#Avoiding_Fraud|possibility of fraud]] in case they can't. | ||
− | Requesting arbitration publishes this time-locked transaction, sending all funds in the multisig escrow (i.e., those of both trading peers) to the Bisq "donation address" (which is owned by the [[Donation Address | + | Requesting arbitration publishes this time-locked transaction, sending all funds in the multisig escrow (i.e., those of both trading peers) to the Bisq "donation address" (which is owned by the [[Donation Address Owner]], a bonded role approved by DAO voting). This transaction can only be published 10 days after the deposit transaction is confirmed (for altcoin trades) and 20 days after the deposit transaction is confirmed (for fiat trades), which means arbitration is only available after this time has passed. |
− | The ''donation address'' is where disputed bitcoin funds are collected. The [[Donation Address | + | The ''donation address'' is where disputed bitcoin funds are collected. The [[Donation Address Owner]] uses the BTC that collects in this wallet to buy BSQ and burn it. This reduces BSQ supply, allowing for a corresponding amount of new BSQ to be issued to account for the BTC payouts made to traders as part of arbitration. As a result, BSQ supply is largely unaffected. |
This dynamic essentially makes bitcoin deposits confiscatable, enabling a sort of mutually assured destruction to drive dispute resolution on Bisq without trusted third parties. | This dynamic essentially makes bitcoin deposits confiscatable, enabling a sort of mutually assured destruction to drive dispute resolution on Bisq without trusted third parties. |
Revision as of 08:31, 16 June 2020
Arbitration refers to the last stage of the dispute resolution process—it's what takes place in case trader chat and mediation fail to resolve a dispute.
This page first covers the arbitration process itself, in a practical sense, so that users can be made aware of what to expect when trading. Then it covers the process in more detail, including its motivations, how all the components work together, and how the process is expected to develop in the future.
Contents
Process
Bisq's arbitration process is a thoroughly decentralized approach to handling disputes between 2 strangers on the internet: one in which no user needs to trust a third party with authority over their funds, but one in which a user can still expect good conduct to be rewarded and bad conduct to be penalized.
Arbitration is only available when:
- one or both traders reject a mediator’s suggested payout
- the time-locked transaction is published
A time-locked transaction is signed (but not published) at the beginning of the trade process. Its purpose is to allow time for traders and mediators to work out a payout using the funds in the 2-of-2 multisig escrow, and to eliminate the possibility of fraud in case they can't.
Requesting arbitration publishes this time-locked transaction, sending all funds in the multisig escrow (i.e., those of both trading peers) to the Bisq "donation address" (which is owned by the Donation Address Owner, a bonded role approved by DAO voting). This transaction can only be published 10 days after the deposit transaction is confirmed (for altcoin trades) and 20 days after the deposit transaction is confirmed (for fiat trades), which means arbitration is only available after this time has passed.
The donation address is where disputed bitcoin funds are collected. The Donation Address Owner uses the BTC that collects in this wallet to buy BSQ and burn it. This reduces BSQ supply, allowing for a corresponding amount of new BSQ to be issued to account for the BTC payouts made to traders as part of arbitration. As a result, BSQ supply is largely unaffected.
This dynamic essentially makes bitcoin deposits confiscatable, enabling a sort of mutually assured destruction to drive dispute resolution on Bisq without trusted third parties.
In plain language, here's how the process works for traders:
- If you’re dissatisfied with the mediator’s suggestion and think you are entitled to a better outcome, request arbitration when it's available (doing so publishes the time-locked transaction and sends funds to the donation address).
- Collaborate with an arbitrator to clarify the details of your case.
- If the arbitrator agrees you are owed BTC, they will pay it to you.
Takeaway: if you are owed BTC after a dispute, you'll get it from an arbitrator, just like before with legacy arbitration when arbitrators had a third key in 2-of-3 multisignature escrows. Only difference is the BTC payout won't be coming from the trade's multisig escrow.
Process, In Detail
To better understand arbitration, we need to first understand the new trade protocol, and how it improves upon the old trade protocol.
Old Trade Protocol
The previous model with 2-of-3 multisig deposit transactions (where an arbitrator was the 3rd key holder, and makes the payout to one of the traders in dispute cases) carried a significant risk: if the arbitrator was malicious (or was hacked), he could have taken all offers with a sockpuppet trader and made the payouts right back to his own sockpuppet.
This risk made it impossible to scale dispute resolution and find more arbitrators—we were limited to filling the role with a tiny number of Bisq contributors who could be 100% trusted to not be malicious and who had a good enough background in computer security to make getting hacked highly unlikely.
This element was the single most problematic element in Bisq’s old trade protocol, but since there weren’t any better solutions, we used it for as long as we had to.
New Trade Protocol
The new trade protocol, launched in Bisq v1.2, eliminates the risks described above to a large extent by separating functions and involving the DAO. It significantly improves censorship-resistance, security, and scalability of dispute resolution on Bisq.
The basic change is that it uses a 2-of-2 multisig in the deposit transaction with only the traders’ keys.
On the happy path, the traders each sign the payout tx once the fiat or altcoin is transferred.
If anything goes wrong, there are 3 stages to resolve the issue:
- The traders can have a direct chat where they can try to find a solution to their problem.
- If that does not succeed either trader can open a mediation ticket and request help from a mediator. Mediators play a role similar to that of arbitrators in the old model, except they don’t have a 3rd key. They only can make a suggestion for the payout distribution, which either trader is free to accept or reject. If both traders accept, they create and sign the payout tx and the trade is completed. If either trader rejects, the dispute goes to stage 3. This escalation can only take place after a certain time period has passed. For altcoins, this period is 10 days, and for fiat it’s 20 days.
- An arbitrator will investigate the case, just like a mediator would, and decide how a payout should be distributed. The arbitrator role currently has 2 parts: supreme mediator and refund agent (this is where the term refund agent comes from, but arbitrator is a better term for the role, as we will soon see). The supreme mediator part of the role is similar in function to that of a regular mediator (i.e., investigate a dispute)—but the refund agent part of the role is new and intended to be temporary. The refund agent reimburses traders BTC for disputed trades without requiring them to undergo the complex and time-consuming process of making a reimbursement request in the DAO. The ultimate goal, however, is to make such extreme dispute cases so rare that requiring users to request reimbursement from the DAO on their own becomes feasible (e.g., by reducing bugs, UX improvements, increasing security deposits, etc). But we’re not there yet, so for now, an arbitrator simply decides on a payout and funds this payout from their own pocket, and later makes a reimbursement request to the DAO to be reimbursed for their reimbursement to the user. To avoid potential fraud, and to keep the DAO from losing money in each arbitration case, we use the donation address to receive the funds from the trade via the time-locked payout tx.
Time-Locked Payout Transaction
Under the new protocol, traders create a time-locked payout tx where all the locked up funds (trade amount + both security deposits) are sent to the Bisq donation address. This is defined in the DAO as a default parameter and can be changed (by voting) to any BTC address. Right now, this address is controlled by the burning man who makes sure that the BTC collected will be brought into the BSQ market, but the donation address could also be owned by anyone else (e.g., another project Bisq wants to support, such as the Tor project).
If a trade is not completed in 10 days (for altcoins) or 20 days (for fiat), either of the 2 traders have a chance (after mediation) to publish the time-locked payout tx where all deposit funds are sent to the donation address, requiring the aggrieved trader to request arbitration so they can receive a payout. With the preliminary solution we use now, the trader gets a payout from an arbitrator directly, but the eventual goal is that the arbitrator makes a suggestion which the DAO uses as a basis for voting on the reimbursement request made by the trader(s).
Avoiding Fraud
The time-locked payout tx is essential to avoid fraud. A trader could make a self-trade and then claim that his “peer” has not paid. Without the time-locked payout tx, he could go through the dispute process, make a reimbursement request, and receive BSQ for the equivalent “lost” funds in BTC. After that he could make the payout to himself from the trade, since he controls both “traders”—thereby scamming the DAO with the trade amount.
To avoid this scheme, we require that locked up funds in the 2-of-2 multisig deposit tx are spent before opening an arbitration ticket. The funds are sent to the donation address so that fraud scheme is not possible anymore.
Donation Address
As mentioned already, the donation address can be any address to which DAO stakeholders want to send disputed deposit funds. This address is also used for receiving BTC trade fees. But since refund cases are not rare enough, and not enough Bisq traders use BSQ yet, we cannot afford to donate the funds that collect in the donation address just yet—so we use the burning man to bring those BTC into the BSQ ecosystem.
Donation Address Owner
The burning man (i.e., donation address owner) is a trusted and bonded role. He needs to make a proposal to the DAO to take on this role, and he is only allowed to carry out the duties of the role once stakeholders accept his request and he locks up a 50,000 BSQ bond.
The burning man controls the BTC address where BTC trade fees and funds from time-locked payout transactions are sent. He does periodic trading sessions where he buys BSQ with the BTC that has collected in his wallet, and then burns the purchased BSQ. The burning decreases the supply of BSQ, and is equivalent in effect to traders burning BSQ trade fees. For arbitration cases, this burning results in a zero sum outcome for the DAO economy (ignoring price volatility): BSQ issued to refund the arbitrator for his BTC payout to aggrieved traders is equal to the BSQ burned by the burning man.
Let’s make a simple example to clarify:
- Two traders are engaged in a 1 BTC trade, with 0.1 BTC each locked in a security deposit
- 1.2 BTC is locked in the 2-of-2 multisig deposit tx (ignoring miner fees)
- Assume BSQ/BTC is trading at 0.0001 (for easy calculations)
After the required time passes, and the mediation process is closed, one of the traders opens an arbitration case. By doing so, the 1.2 BTC is sent to the donation address (controlled by the burning man). This transaction was signed by both traders at the time the offer was taken, but was time-locked so it was invalid until the required time had passed. The arbitrator investigates the case and makes a 1.2 BTC payout to the winning trader. He pays this sum from his personal wallet (pre-financing). To reduce volatility risk, the arbitrator also sells 12,000 BSQ from his own pocket to receive 1.2 BTC. So now he’s not missing any BTC, but he is missing 12,000 BSQ.
On the other side, the burning man buys 12,000 BSQ with the 1.2 BTC he received from the deposit funds of the trade. Upon buying those BSQ, he burns those BSQ, reducing BSQ supply by 12,000 BSQ.
The arbitrator then makes a reimbursement request of 12,000 BSQ to settle his pre-financing. When approved, the DAO issues 12,000 BSQ to the arbitrator. But since the burning man already burned 12,000 BSQ from the 1.2 BTC he received from the trade’s deposit funds, there is no net effect on the DAO economy. And the aggrieved trader receives the BTC he is owed just like he would have in the old model—the only difference is that he needs to wait until the time-lock period is over so he can open an arbitration case.
The arbitrator on takes a high risk by pre-financing the reimbursement. To mitigate this we made an arrangement for the burning man to prioritize offers from the arbitrator to lower his exposure. See this proposal for details.
Why We Cannot Merge These Roles
The separation of those roles is essential to keep the system flexible, censorship-resistant, and scalable.
Keep in mind that the current dual role of arbitrators (i.e., supreme mediator and refund agent) is not the ultimate goal. The refund agent part of the role should be delegated to traders once the trade process is improved to a level where such cases rarely happen. How to keep the burden for traders low, and how to compensate them for this extra work—these items are still up for discussion (e.g. the trader could get a slight bonus if he does the reimbursement himself). A preferred option is to keep trader-submitted reimbursement requests optional and still offer arbitrator-funded reimbursements for a fee. The role could even be split, such that a market of refund agents develops where each agent offers their pre-financing services at different prices. But before getting into any of these discussions, we need to reduce bugs and improve UX.
The role of the burning man could also disappear when we have very few dispute cases, and once trade fees in BTC do not add up to a large amount. We could use the donation address to support critical infrastructure we use like Tor. Or we could use it to fund Bisq projects like the mobile wallet. Yet another idea is to rotate the funds coming in to this address among core contributors so a part of their earnings can come directly as BTC. There are many possibilities for how we could use these funds—but if we merged the burning man role with the arbitrator role, we would lose this flexibility.
The risks of the 2 roles are very different. An arbitrator does not present any severe risk to the DAO, actually, he takes on a lot of risk. The burning man, on the other hand, is a trusted role and there is an open problem that a malicious burning man could make many trades, go to the arbitrator, get payouts, and then run away with the funds he received from the donation address. The high bond is a partial protection, but ultimately, this is a trusted role and only highly trusted Bisq contributors can take it on. This is an open, known problem, and there are several ideas about how to mitigate it. But keep in mind that a single person can play this role even if there are 100,000 trades a day. So scalability is not an issue with the burning man, but we cannot say the same about the arbitrator. With more traders, there will be more cases, and we might need more arbitrators. Furthermore, with more regional expansion, we will need arbitrators with particular language skills. When arbitrators and burning man are not combined into one role, we can add arbitrators to support this growth without posing high risk to the Bisq network. If we merged both roles, we would not be able to do this. There is a risk arbitrators expose to the DAO: they could fake their reporting, but this is likely solvable (traders can provide evidence).
Another important aspect is that arbitrator reimbursement is not automated. DAO stakeholders have ultimate power. Sure, they would probably lose an arbitrator if they don’t reimburse him fairly, and it might be hard to find new arbitrators after unfair behaviour from DAO stakeholders. But it is highly important that stakeholders be able to exercise absolute power.
Another consideration: if the process to reimburse arbitrators were automated, the result would probably involve legal risks that we want to avoid. The role would then adopt elements of a custodial function, and that would likely trigger regulatory issues.
FAQ
What are the conditions that lead to a payout, for example, a dispute between Bob and Alice that is not resolved by normal mediation and gets escalated to arbitration?
After the time-lock period (10 days for altcoins and 20 days for fiat), and after mediation is completed, either trader can open an arbitration ticket. Doing so publishes the time-locked payout transaction.
How are Bob and Alice's BTC funds paid out to the Bisq donation address?
The time-locked payout transaction is created and signed in the take-offer process and stored by both traders. The trade protocol requires this transaction to be in place before a trade is started.
How is the arbitrator responsible for deciding what the payout distribution should be? Are facts and circumstances of the case taken into account? And how is this similar to legacy arbitration?
In terms of determining what a payout should be, an arbitrator's role is the same as that of a mediator. They'll ask you for any additional information they need to determine the facts and circumstances of the case. The only practical difference between arbitration and legacy arbitration is that arbitrators use their own funds to pay trader(s) instead of funds from the trading escrow.
How, upon deciding a payout, does an arbitrator pay the BTC to Bob and Alice?
Arbitrators need to have enough BTC to cover potential payouts—it's a requirement for anyone seeking to hold the role. An arbitration case can only be closed once an arbitrator makes a payout. Then, at the end of the DAO cycle, they'll get reimbursed with BSQ (which they can then sell for BTC).
How does the arbitrator issue a reimbursement request for an amount of BSQ equivalent to the amount of BTC paid out-of-pocket to settle disputes?
This process is a work in progress. Currently we try to reduce volatility and exposure risk by converting pre-financed BTC to BSQ as fast as possible. Once it is BSQ there is no longer any volatility risk, and the arbitrator simply sums up all pre-financed BSQ and requests reimbursement. The public result of an arbitrator's work is a reimbursement request to the Bisq DAO.
How does the DAO issue this BSQ to reimburse arbitrators?
A reimbursement request is technically the same as a compensation request. DAO stakeholders vote on an arbitrator's request. The arbitrator needs to provide solid reporting to make their request transparent to the DAO. Currently there is some trust involved, since it cannot be proven that the arbitrator is not adding fake cases. This may be solvable by collecting data from traders, but this requires more thought.
Doesn't this dispute resolution mechanism incentivize Bisq to have more trades go to arbitration, since disputed BTC funds are used to buy BSQ, reduce BSQ supply, and thereby benefit BSQ holders?
No, because arbitration does not reduce BSQ supply. Although BSQ supply is reduced by the burning man, arbitrators are reimbursed with newly-issued BSQ after they've done BTC payouts to traders, so ultimately there is no net impact on BSQ supply. Actually, arbitrators must charge for their time and risk, so the net result of having more arbitration cases is negative for BSQ holders.
Also consider that arbitration cases are bad for user experience, and each case required mediation and other support resources, all of which also cost the DAO. Reducing arbitration cases is absolutely in the DAO's best interest.
How does an arbitrator create offers to buy BTC with their newly-issued BSQ?
The arbitrator sells BSQ for BTC from the burning man as soon he has done the payout. In this way, we reduce volatility risk. Essentially, this allows the arbitrator to borrow BSQ from the DAO, which they'll then get back through a reimbursement request.
How does the burning man take offers from the arbitrator using BTC funds from the donation address?
The arbitrator has makes his onion address known so the burning man can see which offers are from him. The trade event is announced on the burning man's role issue, and the arbitrator needs to make sure they're online at that time with competitive offers.
How does the donation address owner burn the BSQ they buy?
Burning is done inside the Bisq software on DAO
> Proof-of-Burn
. A proof is created, and all details are documented on reports posted on the role issue.
Why not simply combine the burning man and arbitrator roles?
See longer explanation above. In short: to stay flexible, to be able to implement the target vision (reimbursement done by traders themselves), to avoid legal risks, to keep the arbitrator role scalable, and to address the trust/security issue with the current burning man model.