-
Notifications
You must be signed in to change notification settings - Fork 16
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Enable face to face (F2F) trade in Bisq #24
Comments
I support this proposal. Starting with a minimal effort and learn as we go seems best. I have seen there have been quite a few requests for f2f trades but I still suspect if will be hard to match these people on location. For traders this would probably not be much more risky than any other system doing f2f trades such as localbitcoins considering the parties can choose their trade location according to local conditions. I could see a need for a feature to cancel the trade process if no trade location can be agreed upon, or include coordinates to suggested trade locations in the offer. I guess that would be what would be found out after running it for a bit though. The risk for Bisq network seems minimal. If there are scams we can learn how to handle that and if there are robberies that still comes down on the individuals. The feature can always be severely restricted or retired if it turns out it doesn't work. |
Several comments here:
|
A quick response to say +1 in general and that I think F2F trading (and/or cash by mail) is the single most important feature we can implement from a privacy and censorship resistance perspective. Having the option to trade without banks and payment processors in the mix is critical to Bisq being able to fulfill its mission in truly adversarial environments. With regard to arbitration, perhaps we could encourage or even require both parties to voice record their F2F interaction via their mobile device. Ideally these recordings would be stored locally and streamed back to the party’s (offsite) Bisq node for safe-keeping in case their device is stolen or confiscated, and the recordings would then be made available automatically to the arbitrator should a dispute be opened by either party. This kind of voice logging and streaming is something that a dedicated Bisq remote client like the one proposed in #25 could do, but obviously this isn’t a first-iteration feature. Note that the audio could/should also be signed, with hashes exchanged between parties’ clients immediately after the recording is finished to make the recordings tamper-evident in arbitration. |
I think this will work and it is on the way to make Bisq become an arbitration court for general trades, a la Lex Mercatoria. There are still some problems, one of which is blackmail. Despite the deposits being equal and large there is an asymmetry between a rich trader and a poor trader where the rich trader still can blackmail the poor trader. Granted that the rich one risks losing his deposit but it does not hurt as much as it hurts the poor one. I doubt this type of blackmail will occur much in practise though. |
I have an additional idea how to avoid the requirement that both traders bring their laptop to the meeting. The code gets generated at the sellers app and the hash of the code will get included in the trade contract and sent to the buyer. At the meeting after the fiat has handed over the seller need to give the code to the buyer as kind of statement that he has received the Fiat. The buyer can verify the code by scanning the QR code (the seller can print it out or has it on the mobile app). The mobile app will receive the hash of the code when the trade starts and will calculate the hash when the seller presents the QR code and then compare that calculated hash with the one from the trade contract. If it matches the buyer has a secure proof that the seller has confirmed receipt of the fiat. The usage of the code is optional, if both traders or at least the seller brings his laptop he can release the BTC directly as well. The buyer could press the payment started button before he goes to the meeting, so no need to bring his laptop. He can verify the payout tx at any block explorer on his mobile as well. |
What is missing is a docs webpage with a user guide, explanation of the rules and recommendations for F2F trade. |
Contact info can be anything (email, tel,...). Additional info can be TACs and/or public contact info of maker. |
The mobile app code idea is a great starting point. Bringing a laptop to a F2F trade brings more risk. I want to minimize the attack surface in these environments, if I'm going to get robbed I want to have as little to steal as possible. |
I though a bit about this F2F trade protocol. |
@BSQman Yes I agree basically but I think if the meeting place is some safe place like a hotel lobby the robbery risk should be quite low. Before putting too much dev effort in it I would like to see if it will be used at all. We added some payment methods which basically have zero usage like Western Union. Also not sure if the code idea is too complicate to understand for users. |
@HarryMacfinned The trade protocol is the same like in normal trades. Physical violence is a risk here and I think it can only be mitigated by choosing a safe meeting place and maybe to negotiate upfront some security checks (e.g. share social media accounts or so some sort of ID check - but that is up to the makers to define their TACs). |
I completely agree that we should not expect to define a top-down optimal procedure at the first try. And if an optimal procedure can be found, it will only be thru multiple trials. Certainly dozens of pretexts can be used to censor Bisq ... but with F2F the risk of physical violence is of course existent. It's a completely different game as sending fiat money from a bank etc. Safety on one side, no usability killer on the other side ... what a tightrope job ! |
@ManfredKarrer I agree under the assumption the scammer takes into account risk/reward. That would be a sophisticated attacker. Fortunately Bisq trades requires a BTC deposit, and that hopefully removes irrational - low time preference thieves. Couldn't the code in the form of a QR be shown to participants on the native app, and require some type of one sided scanning upon completion of in person exchange ? I would assume that would take any complexity out of the users hands... and onto your hands. :-D Regardless of how its implemented. The F2F exchange should be assumed to be extremely adversarial and high risk. There are so many tail risks associated with this type of interaction. People following people to their homes and robbing them, blackmail etc.. |
@HarryMacfinned The downside would be purely reputational, because that kind of "social" pressure would have no effect on the P2P nature of Bisq. All bisq can and should do is iterate on the optimal procedure and warn users of risk. Otherwise its our responsibility to asses and execute the level of risky behavior. If I get stabbed and robbed during a F2F interaction, that's on me, not Bisq, regardless of them facilitating it. |
Just stumbled over an older discussion here: |
F2F is an opportunity to bring people together. God forbid people meet ITRW! Assume the user is smart enough to take the necessary precautions. Building relationships is ultimately what the platform is for. Bring the people together! |
F2F with bisq is a good idea and even safer than localbitcoin, mycelium meetups, bitcointreff etc. because of the safety deposit that is held. |
This sounds like a really good feature which would make it much likely that I would use Bisq personally (as a user). I think there's a typo in the isue, where it says |
@chirhonul Ah thanks. My German language background fooled me. In German its "skrupellos" |
There is no other way to do it right like to secure 100% on both sides meaning if somebody sells 1 BTC he must also lock 1 BTC and same the buyer. This is obviously generating much more loss on one side but in fact you can defeat it ONLY by education. You must trade only as much as you can afford to LOSE! And this is compatible with reality. There is completely NO WAY to assess by arbitrator who is telling the truth if one part got robbed! |
I was thinking the other day how if BISQ could somehow integrate ATMs it would be game over... ; ) |
ATMs are a nice way but unfortunately the easiest target for regulators if they want to crack down on Bitcoin. HalCash is an interesting option in that direction but unfortunately limited to a few countries. If anyone knows more payment methods like HalCash please let us know. |
I've labeled this as approved, but am leaving the issue open for a while longer as useful conversation is ongoing. |
I'm awaiting for that f2f release! This is gonna be great! |
Just reading through this thread now in detail. I think the security issue is exaggerated. Here in the US, it's common for people to meet F2F to buy relatively expensive items like computers, car wheels, etc on the spot with cash. You never know who you're going to meet, but you arrange the meeting in a way that both parties are comfortable. As for those who worry about being robbed, they could arrange to do a credit card purchase using Square or similar. It wouldn't be anonymous, and there'd be a fee, but maybe the person prefers to pay a few bucks more to avoid the risk of carrying lots of fiat. Chargebacks would then become a potential problem, but it's really just a game of whack-a-mole because fiat can be counterfeit too. And chargebacks are already something we deal with for non-F2F trades anyway (so nothing really new). Being followed back to my house would be my biggest concern, but I'm not sure it's any different than being followed out of a bank. Just be vigilant. Banks aren't responsible for peoples' safety after they withdraw cash or visit a safe-deposit box, so neither should Bisq (I don't like the idea of comparing Bisq to banks but I think it's appropriate here). We should take measures to make bad situations unlikely, but beyond that it's up to people. |
Yes I agree with your comments. Regarding counterfeit: Could you add some hints which tools are recommended to detect counterfeit money (pen,...). I would prefer to keep that proposal open a while even after we have deployed F2F as I see it a bit of work in progress where we might adjust in follow up versions, and maybe some ideas posted here would become relevant in future... |
As I mentioned above. The only correct way to do F2F is to require 100% deposit over sell amount for seller and a 100% of buy amount on the buyers side. In case something goes wrong - funds must go to arbitrator. Why? Because scammer can try to convince to split funds between arbitrator and him\her. When it is known funds go to arbitrator anyway - there is no way scammer can beat that offer. Then scammer loses 100% of his deposit what makes this market not affordable for such individual for long (even if we consider excentric millionaire). This model also allows to seller to not confirm payment on the spot but go safely home and then do it without risk of being robbed right after confirmation and cash handling. Both traders are assured economically that trying tricks in this situation will result in loss on both sides - so there is no incentive to do so. Seller can easily split amount into 50/50 to satisfy 100% deposit requirement and in few hops sell nearly entire amount. Buyer can aquire small deposit amount with another method and also quickly with few hops increase funds to desired level to trade later comfortably. In crypto protocols most important thing is to eliminate trust and this proposal does it. |
@Schnakenberg If I understand it correctly, it's not only safer than localbitcoins etc. because of the security deposit, but also because the seller actually has to publish the TX already and have it mined into the blockchain AND the buyer also already signs it. Like with every other Bisq TX, this means as soon as you get a second signature (either from seller or arbitrator), the buyer has the BTC. |
Regarding counterfeits, issuing central banks usually have a lot of resources to help users be their own full nodes and spot fake banknotes. https://www.ecb.europa.eu/euro/banknotes/security/html/index.en.html There's some seriously detailed content there, including videos and podcasts. |
@great thanks @chris-belcher for the links! |
I will close the proposal now as the F2F trade is implemented. |
Enabling face to face (F2F) trades like offered at LocalBitcoins is an often requested feature but has not been considered to be added because Bisq has a different security model compared to LocalBitcoins and with our model we cannot provide sufficient security to make F2F trades safe. E.g. LocalBitcoins uses ID verification and reputation. Bisq uses the security deposit and the arbitrator as security protection which both would not help much in the context of a F2F trade.
Though there might be an interesting idea to allow us to support F2F trades.
Basic idea
It is based on the game theoretical idea of "mutual assured destruction" which is basically just the idea that if both traders do not come to a cooperative result both will lose all what they have put in the trade (e.g. trade amount and security deposits).
That model was actually used in the very first concept of Bisq and is used in some other projects like BitMarkets and BitHalo/Nightrader.
The reason why we went away from that model was because Adam Gibson found a severe risk for a blackmail scenario.
In short, there is always an asymmetry of the max. loss of each trader due to the fact of the non-atomic exchange on the fiat side. That enables that one trader could blackmail the other who has more to lose to agree to a different payout result as it was originally agreed on. An economic rational trader getting blackmailed in that way would agree to the changed payout to have less financial loss than if he would stick to the original contract and risks that his funds will be locked up forever.
This risk is specially serious in the context of an anonymous global online market.
But we do not suggest a pure "mutual assured destruction" model (based on 2of2 Multisig) but rather to use our existing arbitration system to add more flexibility and to reduce the blackmail risk.
Assumptions
Physical access changes risk situation
People meeting physically have a different risk exposure compared to the anonymous online market situation. E.g. The possibility of physical access makes unscrupulous behavior less likely. We can assume that the risk of a blackmail is much lower in such a context.
Of course physical access comes also with new forms of risks (robbery) but that has to be mitigated by the selection of a safe public meeting location. The general risk for violence in a certain country has to be taken in consideration as well.
Unclear strategy of arbitrators
There is no guarantee that the funds will be locked up forever as the arbitrator can do the payout as he thinks it is fair and/or at any time in the future. The threat that the funds are lock up forever is not a strong motivation anymore for the blackmailed person to agree to an altered payout. He rather would try to convince the arbitrator for his side.
If those assumptions holds we could use that model as basic protection for F2F trades.
Details
Payment method
The payment method will contain an email and/or mobile number field which will be used by the traders to exchange the details for arranging the meeting place.
Beside that there will be the location data (country, city, maybe map coordinates).
In a first version it should be a basic feature but could later be improved by implementing a map to set the position of the trader. Though exact positions of the traders address have to be avoided for security reasons.
Maybe we should add "terms and conditions" the users can define. At LocalBitcoins they often require ID verification of the peer. That should be done only in person to avoid risk of identity theft.
Offerbook
Offers for F2F trades will display additionally the location. In a first version that can be added to the payment method info. A filter option to search for traders by country and city would be good as well. In a later version we could implement a map to look up nearby traders.
Trade process
Once an offer gets taken both traders get in touch by email or mobile and arrange a meeting place and time.
We could consider that both traders bring their laptop and do the trade process similar like with an online payment. Though the additional risk for theft if they might have more BTC on their wallet as well as the inconvenience and risk to carry the laptop represents some downsides with that simple approach.
They could alternatively meet without any laptop and just do the Fiat transfer and when back home do the confirmation in Bisq for the Fiat sent and received events.
That would reduce the risk of theft to the Fiat amount but it does not feel very safe to hand over Fiat without getting immediately anything back in exchange.
We could require a hand signed contract so both would have at least some form of evidence. Better would be a digital system which is integrated with the Bisq trade process. LocalBitcoins uses Secret codes to be exchanges by the traders but I am not sure if that adds really much protection.
Ultimately there is no solution as the Fiat transfer is not an atomic transfer in exchange to a digital transfer of a signature. The best we can achieve is to bring the moments of both events close together.
Another approach might be to combine a repeated partial payment with repeated confirmations via a mobile app.
E.g. if the trade amount is 1000 USD the BTC buyer could start to hand over 100 USD to the seller. Next step is that the seller confirms on a mobile app the receipt of 100 USD. Then the next 100 USD will be handed over and then confirmed again. That will be repeated until the final amount has been transferred. It would lower the risk that the peer can run away quickly with the money without confirming the receipt. The receipt could be done as simple email to the BTC buyer or via any messenger app. The proof is not strong but at least it adds difficulty for a potential scammer to fake those messages. Best would be a mobile App which is connected to the Bisq trade and provides signed and encrypted messages. But that is too much effort for a first version. It is also questionable if people are really that paranoid and use that repeated payment method or prefer to hand it over in one part and then do the confirmation.
That area needs more though how to deal best with it. For the most simple version lets assume there is a paper contract signed by both traders.
Dispute
The arbitrator cannot help much in case of a dispute as in most cases there will be testimony against testimony and he cannot get a reliable proof about the transaction. So the standard resolution of any F2F trade disputes will be that both traders will got frozen their funds forever. Though they have the option at any time in the future to still come to an agreement and then tell the arbitrator to do the payout according to the result both have agreed on.
The arbitrator can also choose to make whatever payout he thinks is fair according to the testimonies of both traders. This option makes blackmail even less likely as there is no guarantee that the funds will be kept frozen. Also the blackmailing person will have likely higher risk to lose the case and the arbitrator decides in favor of the other peer. ID verification can be required as well from the arbitrator - a request scammers usually don't want to follow.
One problem is for sure that the dispute resolution adds much higher pressure to the arbitrator as he will not have a tamper proof evidence. But as said to not do the payout at all is a valid default option for the arbitrator. Different arbitrators might have different policies how to deal with disputes which again makes blackmail less likely as the arbitrators strategy is hard to predict.
It can be expected that real disputes are super rare (as with online trades) but most cases are caused by usability issues or bugs. For those cases the resolution process will work like any other payment methods.
Police report
In case of theft or blackmail attempt the victim can file a police report and present that to the arbitrator. This will have a lot of weight in the dispute process as it can be assumed the the scammer will unlikely go to that step to trick an innocent peer.
Security deposit
It will require more analysis how the security deposit should be set for F2F trades and it will depend on the model how the Fiat transfer will be executed.
Risks and warnings
The risks and different rules for dispute resolution have to be very clearly presented and accepted by both traders.
Test run
We could add that payment method as experimental for a test run to see how it works in reality and see how much demand exists for it. Before that it would be good to make a poll to see how much demand is really there for F2F trade. The still limited volume on Bisq will be an even bigger issue when it adds a location limitation as well.
Implementation effort
Depending on the open questions regarding the fiat exchange process the implementation effort should not be very high. It is mostly UI work and does not require any deeper changes for a fist version. For map integration though the effort will be higher but that should be left for later after a test run has shown how much demand for that payment method exists.
Request for more research
I think we should add more research about the usual issues with F2F trades on LocalBitcoins or other platforms.
If anyone can volunteer to do that research or if anyone has first-hand experience please add it below!
The text was updated successfully, but these errors were encountered: