Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Offers with invalid maker tx in the orderbook #6815

Closed
alexblom102 opened this issue Aug 16, 2023 · 6 comments
Closed

Offers with invalid maker tx in the orderbook #6815

alexblom102 opened this issue Aug 16, 2023 · 6 comments
Labels
was:dropped

Comments

@alexblom102
Copy link

alexblom102 commented Aug 16, 2023
edited
Loading

Description

There exist an issue where offers can be published with invalid maker fees.

Version

1.9.12

Steps to reproduce

  1. Fund the Bisq wallet.
  2. Double spend the funds away from the Bisq wallet.
  3. The funds will stay under "Available balance" forever(?). You are now able to create and publish offers with non-existing maker fees.

Details

Thanks to the enabling of "disableMempoolValidation"(?) filter, anyone who tries to take an invalid offer are presented with:
"This offer is not valid. Please choose a different offer.
[Tx not found]"
The offer is deactivated after a couple minutes, however, a malicious client could reenable the offer programmatically.
There doesn't seem to be any onion-address banning for misbehaving clients.

Impact

Malicious actors can spam the orderbook with offers at almost zero cost, advertising/luring victims off-platform with the "Additional information" field, all without paying any maker fees or risking losing their deposit.

Remediation suggestions

  1. Implement checks at the broadcasting/publishing stage (currently the check/filter only happens when someone tries to take an offer(?)).
  2. Ban onion-addresses that misbehave. (This would only increase the cost slightly for the malicious actor as a new double spend is required for each new onion-identity.)
@boring-cyborg
Copy link

boring-cyborg bot commented Aug 16, 2023

Thanks for opening your first issue here!

Be sure to follow the issue template. Your issue will be reviewed by a maintainer and labeled for further action.

@github-actions GitHub Actions
Copy link

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@github-actions GitHub Actions
Copy link

This issue has been automatically closed because of inactivity. Feel free to reopen it if you think it is still relevant.

@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Nov 22, 2023
@pazza83
Copy link

pazza83 commented Nov 22, 2023

Hi @alexblom102 AFAIK the trade fee filter has been turned back on so offers with an invalid maker fee should no longer appear in the offer book.

@alexblom102
Copy link
Author

Hi @alexblom102 AFAIK the trade fee filter has been turned back on so offers with an invalid maker fee should no longer appear in the offer book.

Indeed it has, however, it only prevents peers from taking invalid offers. The problem is that invalid offers can still be broadcast and put in the order book. The mechanism used for deactivating these invalid orders can be bypassed.

@pazza83
Copy link

pazza83 commented Nov 24, 2023

Looks like there was a PR to fix this here: #6615

@jmacxx is it possible for someone to broadcast offers with a failed maker fee?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
was:dropped
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@alexblom102 @pazza83