Topic: BitAsset Market Manipulation Security  (Read 1357 times)


bytemaster

BitAsset Market Manipulation Security
« on: July 27, 2014, 08:34:39 PM »

BitAssets are a challenge to bootstrap because it only takes a single bogus trade for someone to print up a billion BitUSD backed by no collateral.   To execute this trade all that is necessary is for someone to gain control of both sides of the order book long enough to execute a trade against themselves at a price they pick.   This attack depends upon two factors:

1) The attacker having financial interest in destroying the network
2) The attacker having a large pot of cash that they can burn to bring it down.
3) The attacker being able to execute his attack in a timely manner.

Most of these problems go away once the network is as big as Bitcoin, but when we are young it is much harder to "secure" the market peg.  I have just finished implementing everything I think is necessary to launch BitAssets and having the system be secure:

1) There is a minimum market depth required before any shorts or covers are executed (1% XTS)
2) There is a maximum short price that is 50% higher than the current median price feed.  maximum_bid = median_price * 3 / 2
3) Only active delegates may publish a price feed and they must update it every 24 hours.
4) At least 25% of the delegates must be producing a feed

What these limits mean is that once trading begins the only time there can be a margin call is when delegates raise the median price feed.  It also means the delegates are circuit breakers in the system.  They can limit the price movements during rapid change giving players time to adjust their positions. 

Someone speculating in this market now knows that the value of BTSX in terms of BitUSD cannot fall by more than 33% without the delegates updating the price feed.

So what does this give us?   
1) A system where there are up to 101 price feeds for USD / BTSX price, with at least 25
2) By using the median, feeds that are way out of line are ignored.
3) Delegates don't set the price and thus the feed does not need to be very accurate and can get by with just one update per day.
4) The price feed is just used as a guardrail that makes attacks "impossible" while not actually being used to execute orders
5) Users only need to trust that delegates can produce a feed that is "close enough" and don't have to trust any individual delegate. 
6) Even if the delegates posted BOGUS feeds all they could do is stop new shorts from being executed.
       a) delegates have this power anyway by controlling what transactions get included.
       b) if the attacker controls over 50% of the price feeds they must control at least 12% of the delegates and that is already bad.
       c) everyone knows who the attacker is based upon their price feeds.

In the long-run, we can remove the need for the price feeds once the depth of the market is measured in billions of dollars... or perhaps loosen the price range a bit.   With this in place I believe we can launch a test network for BitUSD tomorrow.   All trading will occur just like it does with user issued assets with the addition that shorts can add bids (selling USD for BTSX) and margin positions can result in asks.






For the latest updates check out my blog: http://bytemaster.bitshares.org
Anything said on these forums does not constitute an intent to create a legal obligation or contract between myself and anyone else.   These are merely my opinions and I reserve the right to change them at any time.
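
The four launch limits in the opening post, sketched as an added example (not code from the post or from the BitShares code base). It assumes prices are quoted as BTSX per BitUSD; the function names, timestamp and sample feed values are constructed for illustration.

```python
from dataclasses import dataclass
from statistics import median

NUM_DELEGATES = 101                      # page: "up to 101 price feeds"
MIN_FEEDS = NUM_DELEGATES * 25 // 100    # page: at least 25% must publish -> 25
MAX_FEED_AGE = 24 * 3600                 # page: feeds are updated every 24 hours


@dataclass(frozen=True)
class Feed:
    delegate: str
    price: float      # assumed quoting direction: BTSX per BitUSD
    published: int    # unix time of publication


def usable_feeds(feeds, active, now):
    """Latest fresh feed per active delegate; everything else is ignored."""
    latest = {}
    for f in feeds:
        if f.delegate not in active or now - f.published > MAX_FEED_AGE:
            continue
        if f.delegate not in latest or f.published > latest[f.delegate].published:
            latest[f.delegate] = f
    return list(latest.values())


def short_ceiling(feeds, active, now):
    """Return (median_price, maximum_bid), or None while shorts stay halted."""
    usable = usable_feeds(feeds, active, now)
    if len(usable) < MIN_FEEDS:
        return None                      # too few feeds: fail closed
    median_price = median(f.price for f in usable)
    return median_price, median_price * 3 / 2   # page: maximum_bid formula


def short_allowed(bid_price, feeds, active, now):
    """A short executes only at or below the ceiling derived from the median."""
    ceiling = short_ceiling(feeds, active, now)
    return ceiling is not None and bid_price <= ceiling[1]


def sample_feeds(honest, bogus, now, age=3600):
    """Constructed data: `honest` feeds at 30.0 and `bogus` feeds at 3000.0."""
    prices = [30.0] * honest + [3000.0] * bogus
    return [Feed(f"delegate-{i}", p, now - age) for i, p in enumerate(prices)]


NOW = 1_406_500_000   # constructed timestamp
ACTIVE = {f"delegate-{i}" for i in range(NUM_DELEGATES)}

if __name__ == "__main__":
    for honest, bogus in [(13, 12), (12, 13), (20, 4)]:
        feeds = sample_feeds(honest, bogus, NOW)
        print(honest, bogus, short_ceiling(feeds, ACTIVE, NOW))
```

With 13 honest and 12 bogus feeds the median stays at the honest price; the ceiling only moves once bogus feeds are the majority of those published, and too few fresh feeds halts shorts rather than loosening the limit.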

luckybit

Re: BitAsset Market Manipulation Security
« Reply #1 on: July 27, 2014, 08:46:47 PM »
I thought if we have automated or algorithmic trading then the network could self bootstrap in a coordinated fashion. Bots would make the trades automatically in a coordinated symphony. But I see this is not something which everyone would do.

Manual trading would be harder to bootstrap but I need to take some time to think about this problem as it's not easy.

I think the solution Bytemaster presents above is worth a trial. I hope it works but I also hope we can find a more elegant solution which can be more autonomous.
« Last Edit: July 27, 2014, 08:56:21 PM by luckybit »

Shentist

Re: BitAsset Market Manipulation Security
« Reply #2 on: July 27, 2014, 08:51:05 PM »
why not include market depth as a parameter?

for example

we could bind the max contract size to the market depth at that moment starting with a minimum contract size.

like only 1000 BitUSD are sold and bought in the past, the max order size per account could only be X BitUSD. So for one account here is not a problem anymore.
I am aware that this idea could not prevent fraud from more than 1 account but this kind of problem you will have all the time.

bytemaster

Re: BitAsset Market Manipulation Security
« Reply #3 on: July 27, 2014, 08:54:24 PM »
Any attacker with significant capital could harm the network with anything other than price feeds or a large player acting as market maker.    Price feeds give us "low-cost" protection against attacks that likely prevents the attacks from happening in the first place and leaving us with a market-pegged asset. 

AsymmetricInformation

Re: BitAsset Market Manipulation Security
« Reply #4 on: July 27, 2014, 09:59:36 PM »
Sounds like being a delegate is a lot of (crucial) work, and you might be arrested (LibertyReserve had way more than 100 employees). Maybe all of the delegates can be from Switzerland, or something.

This is going to be pretty complicated to analyse now...I suspect that with 12 delegates comes instant victory. Getting 12 might even be easy, if 88 are going to be left in the dust, you wouldn't want to be one of those 88. 1 for free if you are a delegate yourself... I don't know when I'll have time to try and figure this out.

bytemaster

Re: BitAsset Market Manipulation Security
« Reply #5 on: July 27, 2014, 10:17:22 PM »
12 delegates is not "instant victory" if every delegate is publishing a feed.   
The feeds are not even critical...  if an attacker can get 51% of the feeds and have enough stake to manipulate the market then they can destroy one BitAsset... the chain would fork and people would continue. 

Blockchains are like the lock on your front door, they keep honest people honest but do nothing to protect against governments or wealthy adversaries wanting to take you out.  These attacks are not profitable to perform.   Honest people can still use the system with great effect and just fork out any attacker.   

Bottom line:  providing security against attackers that don't care about profit is not something that any crypto-system provides.   


Empirical1

Re: BitAsset Market Manipulation Security
« Reply #6 on: July 27, 2014, 11:22:12 PM »
+ 5% I don't pretend to understand these things, but sounds good, much more comfortable having those limits in the beginning.

Don't know about this, but what about volume of trade limits set by 51% of the delegates? Like only $X per hour. It's set at a level that would almost never be breached unless it was being done as an attack and is constantly raised as the trading pair becomes more popular. 

AsymmetricInformation

    • Truthcoin
Re: BitAsset Market Manipulation Security
« Reply #7 on: July 27, 2014, 11:33:12 PM »
Quote from bytemaster: "The feeds are not even critical...  if an attacker can get 51% of the feeds and have enough stake to manipulate the market then they can destroy one BitAsset... the chain would fork and people would continue."

You shouldn't really worry about what I have to say, I haven't had the opportunity to think through this at all. But forking the chain can be profitable via double spends, can't it? I just attack a small or medium sized BitAsset, while selling BTS on an external exchange. After the fork I get my BTS back.

I would really just prefer you to turn it on, I think, than keep theorizing about it.

GaltReport

Re: BitAsset Market Manipulation Security
« Reply #8 on: July 27, 2014, 11:59:45 PM »
Quote from bytemaster:
...
4) At least 25% of the delegates must be producing a feed
...

How is this done?  Are the feeds going to be built into the software and delegates just need to enable them?

bitmeat

Re: BitAsset Market Manipulation Security
« Reply #9 on: July 28, 2014, 12:00:03 AM »
AI, The guys you are talking about have done some really shady things though. I remember seeing a discussion with a strong attorney in the space from New York, who said that as long as you are not dealing with gateways, you should generally be OK. i.e. FIAT <-> BTC <-- serious regulation. BTC <-> other crypto, it's all virtual, no harm done.

In other words if someone does something shady, they will eventually need to cash out of crypto, and that's when they can be examined. Delegates are serving the same role as miners, are they not? It's like saying that if someone moved a lot of BTC used for bad things we should arrest all the miners who mined the blocks containing those transactions.

I'm not a lawyer, so go consult one, just repeating something I've seen in a Bitcoin conference video somewhere. (honestly don't remember the source)

Ggozzo

  • Guest
Re: BitAsset Market Manipulation Security
« Reply #10 on: July 28, 2014, 12:10:30 AM »
Wait a second. What do you mean we could be arrested? I've put my name on this delegate and was about to start pushing out advertisements as soon as this becomes profitable. At ~6 cents per hour right now, this may not be worth it.  I need to know what liabilities are involved before we get too deep. Can you describe what you mean and how we "could" be arrested?

bitmeat

Re: BitAsset Market Manipulation Security
« Reply #11 on: July 28, 2014, 12:12:21 AM »
That said - I have an idea. And this needs to evolve into something more solid.

What if transactions are posted in encrypted format. Something along the lines of TITAN for the orderbook.

Let's say we have the following time line

At Block T, A has a confirmed order to buy listed in the order book. B wants to sell at the confirmed price A has listed in the order book.

B submits an encrypted pending order, which gets confirmed in Block T+1

B then submits the code to decrypt the pending order at Block T+2, which confirms and executes it, unless A managed to confirm order cancellation in Block T + 1.

Downside is that it now takes 2 confirmations instead of 1 for transaction to occur.

Also make orders extremely cheap, however extremely expensive to cancel. (i.e. they should be allowed, but this will reduce the bloat in the chain, as well as drive away those buying/selling non-stop)

UPDATE: mixed up A & B. Should be good now.
« Last Edit: July 28, 2014, 12:16:21 AM by happypatty »
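
The three-block timeline proposed in this post, modelled as an added example (not code from the thread or from BitShares). It substitutes a SHA-256 hash commitment for the "encrypted format" the post mentions; the class, field names, nonce and sample orders are assumptions made for illustration.

```python
import hashlib
import json


def commitment(order, nonce):
    """Hash of the canonical order plus a secret nonce; hides the order until opened."""
    payload = json.dumps(order, sort_keys=True).encode() + nonce
    return hashlib.sha256(payload).hexdigest()


class SealedBook:
    """Toy chain state: resting orders, pending commitments, executed fills."""

    def __init__(self):
        self.height = 0
        self.open_orders = {}   # order id -> resting order
        self.commits = {}       # commitment -> height of the confirming block
        self.fills = []

    def apply_block(self, txs):
        """Confirm one block; txs are (kind, payload) pairs applied in order."""
        self.height += 1
        for kind, payload in txs:
            if kind == "place":
                self.open_orders[payload["id"]] = payload
            elif kind == "cancel":
                self.open_orders.pop(payload, None)
            elif kind == "commit":
                self.commits.setdefault(payload, self.height)
            elif kind == "reveal":
                self._reveal(*payload)

    def _reveal(self, order, nonce):
        digest = commitment(order, nonce)
        confirmed = self.commits.get(digest)
        if confirmed is None or confirmed >= self.height:
            return              # unknown commitment, or revealed in the commit block
        target = self.open_orders.get(order["against"])
        if target is None or target["price"] != order["price"]:
            return              # cancelled before the reveal, or price mismatch
        del self.open_orders[target["id"]]
        del self.commits[digest]                 # a commitment opens only once
        self.fills.append((order["trader"], target["trader"], target["price"]))


def run_timeline(a_cancels_in_t1, reveal_nonce=b"constructed-nonce"):
    """Blocks T, T+1, T+2 from the post, with constructed orders for A and B."""
    book = SealedBook()
    buy = {"id": "A-1", "trader": "A", "side": "buy", "price": 30}
    sell = {"trader": "B", "side": "sell", "price": 30, "against": "A-1"}
    book.apply_block([("place", buy)])                          # Block T
    t1 = [("commit", commitment(sell, b"constructed-nonce"))]
    if a_cancels_in_t1:
        t1.append(("cancel", "A-1"))
    book.apply_block(t1)                                        # Block T+1
    book.apply_block([("reveal", (sell, reveal_nonce))])        # Block T+2
    return book.fills
```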

bytemaster

Re: BitAsset Market Manipulation Security
« Reply #12 on: July 28, 2014, 12:32:53 AM »
Delegates do not exercise arbitrary authority and if publishing a data feed without any contractual obligations is a crime then the delegate can abstain from publishing a feed.   I do not know of any laws that a delegate could be accused of violating.


GaltReport

Re: BitAsset Market Manipulation Security
« Reply #13 on: July 28, 2014, 12:53:11 AM »
Too late.  Just consider yourself drafted private!! 

(8 hours of hot lights, no bathroom breaks or water and I'll be blaming Bytemaster, Stan and the Chinese for everything!!)

Just kidding.  I haven't a clue.  I would guess DacsUnlimited is taking the lead on this.

merockstar

  • Guest
Re: BitAsset Market Manipulation Security
« Reply #14 on: July 28, 2014, 12:54:32 AM »
you're part of a fair, viable alternative to the legacy banking system.

any government could potentially bullshit something up.

 
