Topic: BitShares XT - Security against Market Manipulation FIND ATTACKS FOR TIPS

Offline tonyk

The 10x margin is all well and good in preventing the attacks discussed, but it leads (in my opinion) to exposing system problems already existing in the proposed market – in particular a small (and known/pre-determined) money supply. Adding to this small money supply a strongly unbalanced voting/price determination power is dangerous (and that is what the 10x margin does). What I mean is that in order for the shorts to cast a vote (to say generally that the BitUSD is overvalued) they need 9-10 times the resources/money the counterparty needs to say the BitUSD is undervalued. This misbalance will in itself stand in the way of the market determining the fair price of the BitAssets, but in the context of this discussion here is an example of market manipulation/attack that this misbalance facilitates.

One (the attacker) will need no more than 10% of all the BTXs to have full control over the demand for all BitAssets. That is to say he can match all asks in all assets even if everybody else is 1. participating/actually placing orders in the market, 2. of the opinion that the BitUSD is overvalued (i.e. is placing sell/short sale orders). In practice the attack will probably be possible with 1-3% of all BTXs to attack just one particular BitAsset.


Here is a very rough form of the attack (refining it is not that hard).
Having 10.01% of all the BTXs:
1. Buy some arbitrary amount of all offered BitUSD (let's say 5%-10%) at the very beginning of the market at, say, price p1.
2. Place an ask order for the BitAsset bought in step #1 at, let's say, 130.01% of the purchase price p1.
3. Place big enough ask bid/s (as of quantity BTX offered up to 10% of all BTXs, but in practice you will need most of the time a much smaller amount) @ price sliding from 101% to 130% of the p1 price. Effectively matching/swallowing all asks coming to the market.
The important thing here is that your demand for BitUSD is so big that you can 'swallow'/match any possible ask coming to the market, so you will inevitably drive the price to the desired level.
4. Keep a 'hard bottom' (placing a bid order/s @ 130% p1, for an amount of BitUSD unsurpassable by any and all potential ask orders) until you have sold a sufficient percent of the initial BitUSD (bought @100% p1 and sold for 130.01% p1).
5. At your leisure push the price slowly from 130% p1 to, let's say, 160% p1, as in step 3.
And cash in some more BitUSD @160.01% p the same way as in step 4.

If you asked me to name the attack - 'Unbalanced Forces Attack' ('Unbalanced forces are forces that produce a non-zero net force, which changes an object's motion')
Lack of arbitrage is the problem, isn't it. And this 'should' solve it.

Offline MolonLabe

I don't see how that changes the fundamental idea of buying Asks and then sucking out their money with a fake high price.

I propose putting a speed limit on the percentage change of the current price, as seen from the short liquidation logic.  So a short-term action that wipes out the entire Ask side of the book doesn't result in immediate liquidation of every single existing short position.

I agree that this would help, but one interesting property of a virtual market like this one (where I can't redeem my Gold for Gold) is that if ANY possibility of attack remains it can become completely self-fulfilling.

The speed limit assumes that there is a counterbalancing force (sort of like a car sliding down a hill...a speed limit would help ensure that the car never makes it up and over the hill), but if there's no counterbalancing force the speed of attack doesn't matter (i.e. the car will eventually go over the hill if it is not sliding down, as long as it has positive speed). So if any attack is possible, people may abandon the effort to return the market price to its 'true value' and instead view the market as an opportunity to use the mechanism to steal BTS.

For example, imagine that every market, priced in BTS, just permanently rises at the speed limit. This is the last iteration of rationalizable behavior before the following undesirable Nash Equilibrium: people decide to NEVER sell (including short sales) and the market vanishes. Traders could even coordinate with people they don't trust to pull this off, as it is a win for every long. People could even go long on the off chance that someone else does it.

So all attacks must be completely removed, not just discouraged.

Offline theoretical

I don't see how that changes the fundamental idea of buying Asks and then sucking out their money with a fake high price.

This is actually a great concern I have as well.

I propose putting a speed limit on the percentage change of the current price, as seen from the short liquidation logic.  So a short-term action that wipes out the entire Ask side of the book doesn't result in immediate liquidation of every single existing short position.

Consider the scenario I call the "fat-fingered whale":  Someone with a huge wallet accidentally enters a market order to buy $100000000 BitUSD instead of $1.00000000 BitUSD.  With a speed limit, people will have plenty of time (hours or days depending on the speed limit) to notice the unusual chart activity, manually inspect the blockchain if necessary, and determine the price has doubled or more due to the rogue activity of a single deep-pocketed market participant and react accordingly (probably by rebuilding the Ask book, offering new shorts at high prices which, if they somehow get filled in the chaos, will result in a handsome profit when the market regains its sanity).

I think a market depth limitation has been discussed as well, i.e. only a few percent of the BTS value of orders on the books can be filled per block.  While I think this is a good idea, and will protect against the fat-fingered whale (even giving the whale himself some time to cancel the rest of his order if he quickly realizes his mistake), I'm worried a deep-pocketed attacker who's not concerned about transaction fees could artificially inflate the depth of the market by placing a bunch of orders far away from the current price.

I believe the total amount of capital that's willing to participate in the exchange market is probably a lot higher than the orders on the books at any given time, but you may need to give a human time to react to get some of that money into the market.  You can think of it like a "hidden" or "dark" book of trades people are willing to make, but don't publish orders.  So short-term price fluctuations should be suppressed; the dark pool should be given time to reinforce the book before the network invokes an extreme behavior like liquidating a large number of short positions.
BTS- theoretical / PTS- PZxpdC8RqWsdU3pVJeobZY7JFKVPfNpy5z / BTC- 1NfGejohzoVGffAD1CnCRgo9vApjCU2viY / the delegate formerly known as drltc / Nothing said on these forums is intended to be legally binding / All opinions are my own unless otherwise noted / Take action due to my posts at your own risk
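
An added example, not from any poster in this thread and not BitShares code: a sketch of the "speed limit" idea, where the price seen by the short liquidation logic may move at most a fixed fraction per block. The 1% per block limit, the rule that a short is called once the reference price reaches 2x its entry price (2x collateral), and all function names are assumptions; prices are the BTS-per-BitUSD figures used elsewhere in the thread.

```python
from fractions import Fraction as F


def step_reference(ref, last_trade, max_step):
    """Move the liquidation reference price toward last_trade.

    max_step is the largest fractional change allowed per block;
    None means no limit (the reference simply follows the last trade).
    """
    if max_step is None:
        return last_trade
    lo, hi = ref * (1 - max_step), ref * (1 + max_step)
    return min(max(last_trade, lo), hi)


def first_call_blocks(entry_prices, trades, start_ref, max_step,
                      collateral_ratio=2):
    """Return {entry_price: block of first margin call, or None}.

    trades holds one last-trade price per block (block numbers start at 1).
    Assumed rule: a short is called once buying back its BitUSD at the
    reference price would consume all of its collateral.
    """
    call_at = {p: None for p in entry_prices}
    ref = start_ref
    for block, last_trade in enumerate(trades, start=1):
        ref = step_reference(ref, last_trade, max_step)
        for p in entry_prices:
            if call_at[p] is None and ref >= collateral_ratio * p:
                call_at[p] = block
    return call_at


# Constructed sample data (BTS per BitUSD).
SHORTS = [F(1, 60), F(1, 50), F(1, 40)]   # entry prices of three shorts
START = F(1, 40)                          # reference price before the print
SPIKE = F(1, 20)                          # a matched bid/ask at double that
LIMIT = F(1, 100)                         # assumed: 1% per block

ONE_BLOCK_SPIKE = [SPIKE] + [START] * 99  # one print, then normal trading
SUSTAINED = [SPIKE] * 100                 # price genuinely stays at 1/20


def run_demo():
    return {
        "no limit, one-block spike":
            first_call_blocks(SHORTS, ONE_BLOCK_SPIKE, START, None),
        "1%/block, one-block spike":
            first_call_blocks(SHORTS, ONE_BLOCK_SPIKE, START, LIMIT),
        "1%/block, sustained move":
            first_call_blocks(SHORTS, SUSTAINED, START, LIMIT),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, {str(p): b for p, b in result.items()})
```

With no limit a single print at 1/20 calls all three shorts in the same block; with the limit a one-block print calls none, while a price that stays at 1/20 still calls them after 29, 48 and 70 blocks, so the limit buys reaction time rather than removing the liquidation.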

Offline MolonLabe

Oh I think I see the mixup: the shorts don't have to buy from you, the network just buys whichever usd are cheapest. So in addition to your matched bid/ask you'd have to place an unmatched ask at the higher price. Would that make it unprofitable?

This stuff is hard to think about without drawing pictures =[


Maybe. I can't figure out exactly how you are measuring market depth, specifically the units. Can you provide an example? My guess is that it may lower the attack from 100% hitrate to possibly <50% hitrate but not remove the core idea. This order depth rule wasn't in the video...from the paper it seems that you can't cancel orders instantly? That might help prevent the attack, as with 'cancellable orders' anyone can fake an infinite order book at finite cost (with infinite bid and infinite ask, either of which you just cancel if someone starts actually trading with you). Do you know precisely how an 'order' is defined? (In addition to the market depth measurement question).

I'm hammering the ASKs, though, so my intuition is that I temporarily control that whole side. Anyone who makes an Ask might lose money if the price continues upward.

I didn't think about this on the train (where I get all of my best ideas) but reconsidering it now I'm wondering what would happen if multiple people used the "place simultaneous Bid Ask to set a price" idea at once (with different prices). Anyone shorting with an Ask is taking a big risk though, assuming the attack's logic is still sound.

A picture is worth a thousand words...I have a whole 'whiteboard room' in my house.

Offline toast

Oh I think I see the mixup: the shorts don't have to buy from you, the network just buys whichever usd are cheapest. So in addition to your matched bid/ask you'd have to place an unmatched ask at the higher price. Would that make it unprofitable?

This stuff is hard to think about without drawing pictures =[


Do not use this post as information for making any important decisions. The only agreements I ever make are informal and non-binding. Take the same precautions as when dealing with a compromised account, scammer, sockpuppet, etc.

Offline MolonLabe

One minor point is that the shorts only had 2x collateral at the price they shorted at so you'd only get 2*(.01666 + .02 + .025)

Otherwise I think this attack is basically a variant of the SIDS attack described in the OP. I think the defense against this is just to have sufficient market depth: "b) no market trading will be allowed anytime either side of the order book has a depth below D% of the share supply."

I don't see how that changes the fundamental idea of buying Asks and then sucking out their money with a fake high price.

For example, I can repeat what I did several times: build a full order book on both sides and walk it up slowly, I just place Bid, Ask, Bid, Ask, Bid, Ask, at higher and higher prices (Bitshares per Bitasset), and I'm always buying my own Bitasset (leaving me unexposed), or placing BIDs that go permanently unfilled.

Then the price just rolls up and up and up. I have to tie up more capital, but I get all of it back when I later combine my own long and short positions (both of which I already own) to cover. I still steal everyone's money that had an ASK and double up almost instantly.

To prevent this, you'd need a way of telling a scenario like this from a different scenario where the underlying asset DID actually slowly increase to 2x 4x its initial value (because BitSharesX needs to be able to handle that to qualify as an exchange).


I'm going to sleep but I'll check this sometime tomorrow, I was just watching the video and was curious about how this worked. I have a background in mechanism design but I still found this question puzzling. I assumed that I misunderstood the mechanism but now the case may be that I uncovered a defect, which is far more interesting. Perhaps on the train tomorrow I will try to block my own attack in a convenient way.

Offline toast

One minor point is that the shorts only had 2x collateral at the price they shorted at so you'd only get 2*(.01666 + .02 + .025)

Otherwise I think this attack is basically a variant of the SIDS attack described in the OP. I think the defense against this is just to have sufficient market depth: "b) no market trading will be allowed anytime either side of the order book has a depth below D% of the share supply."

Quote
Also, if ASKs realize what is happening they will panic (and disappear) as they are sitting ducks to instantly lose money.

I don't think they'd panic and disappear, I think they'd just move their asks to some price which they think you couldn't possibly buy out.

If you legitimately moved the price to a "hole" in the ask side and set the price yourself it's not much different from the price just moving up to that point and so you can enjoy your profits.

Offline MolonLabe

Sure. I don't even know if it works, but this is what I was thinking:

(I am thinking about it in bts/usd, I don't see why that should make a difference as it is only a question of units [but I guess it might]).

BID 1 usd @ .01       bts/usd    (100 usd/bts)
BID 1 usd @ .01111 bts/usd    (90 usd/bts)
BID 1 usd @ .0125   bts/usd    (80 usd/bts)
BID 1 usd @  (1/70) bts/usd
ASK 1 usd @  (1/60) bts/usd
ASK 1 usd @  (1/50) bts/usd
ASK 1 usd @  (1/40) bts/usd

Buy all Asks:
I have spent .0559523809 bts on +3 usd, let's call them: [ -.0559523809, +3] total.
Counterparties are:
   [ + .0166666 = (1/60), -1 ]   (first short)
   [ + .02, -1 ] 
   [ + .025, -1 ] 

BID 1 usd @ .01       bts/usd    (100 usd/bts)
BID 1 usd @ .01111 bts/usd    (90 usd/bts)
BID 1 usd @ .0125   bts/usd    (80 usd/bts)
BID 1 usd @  (1/70) bts/usd
+
BID 1 usd @  (1/20) bts/usd
ASK 1 usd @  (1/20) bts/usd

These cancel, but they also 'set' the price at 1/20 = .05
The video claims that the 3 shorts must repurchase "at the new price".

 [ + .0166666 = (1/60), -1 ]  +  (cover) [ - .05, +1 ]  =  [ -.03333333, 0 ]  (this individual lost .03333 bts to close out their position at net=0)
 [ + .02, -1 ]                +  (cover) [ - .05, +1 ]  =  [ -.03, 0 ]
 [ + .025, -1 ]               +  (cover) [ - .05, +1 ]  =  [ -.025, 0 ]

For myself:
[ -.0559523809, +3]  +  [ +.15 , -3] (my proceeds from the sale to close out my position) =  [ .0940476191 , 0 ]   profit, for a + 168.0851% return.

Offline toast

Ok walk me through this...

Market starts like:

ASK 100 usd/bts
ASK 90 usd/bts
ASK 80 usd/bts
ASK 70 usd/bts
BID 60 usd/bts
BID 50 usd/bts
BID 40 usd/bts

The ASKS are all short positions. Suppose you buy the first two and that is enough to cause a margin call on the 3rd or even the 4th ASK (EDIT nvm you couldn't cause a short squeeze since the price would have to go above what he took the short position at... so let's say you just buy them and trigger other short positions, market just buys the USD from the ask side), so you don't even have to buy the whole ask side (this is how the slingshot attack works, you would take advantage of the short squeeze then short at the top when market corrects). Anyway, now the market looks like this:

BID 60
BID 50
BID 40

So you match your new bid and ask at the higher prices

ASK 300
BID 300
BID 60
BID 50
BID 40

Your orders are matched so now it looks like this

BID 60
BID 50
BID 40

Where did you make money?

If you do a walkthrough similar to this it might help me understand
« Last Edit: March 11, 2014, 02:41:50 am by toast »

Offline MolonLabe

The part I still don't get is how you cleared the entire ask side (all the shorts) but then still somehow you can cause a margin call when your bid/ask is matched at the higher price. Shorts put down collateral at the price they're taking the short position on, no?

Do you see in the video where Sam shorted something, paying =1 bitshare / BitUSD  for something but then HAD to repurchase it for 1.5 bitshares / BitUSD?

(notice the units are flipped in the video).

Offline toast

The part I still don't get is how you cleared the entire ask side (all the shorts) but then still somehow you can cause a margin call when your bid/ask is matched at the higher price. Shorts put down collateral at the price they're taking the short position on, no?

Offline MolonLabe

That's essentially a smaller version of a "slingshot" attack as outlined in the first post.  There's already a mechanism to limit the effect of a short squeeze by increasing margin requirements.
I don't see why that would work. Can you explain it? This attack produces a risk free return, not a finite payoff, so if anything the ability to put more money into the attack should make it easier to find someone to lend me the money required to pull it off.

Another way you could prevent it is to make the definition of a BID order to "the MAXIMUM price you are willing to pay to obtain an asset".  That way, the strike price will be dictated by the ASK prices.  I may be a bit naive here, but I can't think of a reason why anybody would want to pay more for an asset than the ask prices unless they are trying to manipulate the market in some way.

I bought all the ASKs in 2 for this reason. Also, if ASKs realize what is happening they will panic (and disappear) as they are sitting ducks to instantly lose money.

Offline MolonLabe

I have an attack idea.

1] Select a market,
 1a] for example let's choose BitBTC,
 1b] for consistency let's refer to the market price as units of "Bitshares per Bitcoin" i.e. (BS/BTC),
 1c] let's assume the last traded market price was 500 Bitshares for each Bitcoin, or '500',
2] Place a huge Bid of the amount equal to all current Ask orders,
 2a] let's imagine this costs a total of "Z bitshares",
 2b] I am now betting that the value (BS/BTC) will go up, ie that a Bitcoin will be worth more than 500 Bitshares,
3] Place a new Ask order at a much higher price,
4] Place a new Bid order at this exact price, (this tricks BitSharesX into believing that the price has gone way, way up, say from 500 to 1000),
5] Force shorts to close out your position (as BitSharesX forces them to cover), by selling to you (at twice what you just paid).

Can even rinse-and-repeat this strategy with higher and higher prices.

Market depth makes this attack costlier, but simultaneously, more profitable, so a different type of solution may be required.

Not sure I understand this, if you're able to match your bid/ask at a much higher price doesn't that mean you would have cleared out the entire ask side of the market? So then it's not "tricking bitshares X" but actually pushing the price up. Step 5 actually happens during step 2 and if you succeeded, that just means you moved the price up and you don't profit from matching your bid/ask at 1000

Yes, you understand, I am pushing the price up but I used the word 'trick' to reflect the fact that the "real" price probably did not change, let alone double.

I don't intend to profit or otherwise do anything with the small trades in 3-4. I'm "Alice" in this clip from the video. http://www.youtube.com/watch?v=5BV55IrZi7g&t=5m50s

Offline pariah99

I have an attack idea.

1] Select a market,
 1a] for example let's choose BitBTC,
 1b] for consistency let's refer to the market price as units of "Bitshares per Bitcoin" i.e. (BS/BTC),
 1c] let's assume the last traded market price was 500 Bitshares for each Bitcoin, or '500',
2] Place a huge Bid of the amount equal to all current Ask orders,
 2a] let's imagine this costs a total of "Z bitshares",
 2b] I am now betting that the value (BS/BTC) will go up, ie that a Bitcoin will be worth more than 500 Bitshares,
3] Place a new Ask order at a much higher price,
4] Place a new Bid order at this exact price, (this tricks BitSharesX into believing that the price has gone way, way up, say from 500 to 1000),
5] Force shorts to close out your position (as BitSharesX forces them to cover), by selling to you (at twice what you just paid).

Can even rinse-and-repeat this strategy with higher and higher prices.

Market depth makes this attack costlier, but simultaneously, more profitable, so a different type of solution may be required.

That's essentially a smaller version of a "slingshot" attack as outlined in the first post.  There's already a mechanism to limit the effect of a short squeeze by increasing margin requirements.

Another way you could prevent it is to make the definition of a BID order to "the MAXIMUM price you are willing to pay to obtain an asset".  That way, the strike price will be dictated by the ASK prices.  I may be a bit naive here, but I can't think of a reason why anybody would want to pay more for an asset than the ask prices unless they are trying to manipulate the market in some way.
« Last Edit: March 11, 2014, 02:11:12 am by pariah99 »

Offline toast

I have an attack idea.

1] Select a market,
 1a] for example lets choose BitBTC,
 1b] for consistency let's refer to the market price as units of "Bitshares per Bitcoin" i.e. (BS/BTC),
 1c] let's assume the last traded market price was 500 Bitshares for each Bitcoin, or '500',
2] Place a huge Bid of the amount equal to all current Ask orders,
 2a] let's imagine this costs a total of "Z bitshares",
 2b] I am now betting that the value (BS/BTC) will go up, ie that a Bitcoin will be worth more than 500 Bitshares,
3] Place a new Ask order at a much higher price,
4] Place a new Bid order at this exact price, (this tricks BitSharesX into believing that the price has gone way, way up, say from 500 to 1000),
5] Force shorts to close out your position (as BitSharesX forces them to cover), by selling to you (at twice what you just paid).

Can even rinse-and-repeat this strategy with higher and higher prices.

Market depth makes this attack costlier, but simultaneously, more profitable, so a different type of solution may be required.

Not sure I understand this, if you're able to match your bid/ask at a much higher price doesn't that mean you would have cleared out the entire ask side of the market? So then it's not "tricking bitshares X" but actually pushing the price up. Step 5 actually happens during step 2 and if you succeeded, that just means you moved the price up and you don't profit from matching your bid/ask at 1000