Author Topic: BitAsset Market Manipulation Security  (Read 7944 times)

Offline GaltReport

...
4) At least 25% of the delegates must be producing a feed
...

How is this done? Are the feeds going to be built into the software and delegates just need to enable them?

Offline AsymmetricInformation

The feeds are not even critical...  if an attacker can get 51% of the feeds and have enough stake to manipulate the market then they can destroy one BitAsset... the chain would fork and people would continue.
You shouldn't really worry about what I have to say, I haven't had the opportunity to think through this at all. But forking the chain can be profitable via double spends, can't it? I just attack a small or medium sized BitAsset, while selling BTS on an external exchange. After the fork I get my BTS back.

I would really just prefer you to turn it on, I think, than keep theorizing about it.

Offline Empirical1

+ 5% I don't pretend to understand these things, but sounds good, much more comfortable having those limits in the beginning.

Why not include market depth as a parameter?

For example:

We could bind the max contract size to the market depth at that moment, starting with a minimum contract size.

Like only 1000 BitUSD are sold and bought in the past, the max order size per account could only be X BitUSD. So for one account here is not a problem anymore.
I am aware that this idea could not prevent fraud from more than 1 account, but this kind of problem you will have all the time.

Any attacker with significant capital could harm the network with anything other than price feeds or a large player acting as market maker.    Price feeds give us "low-cost" protection against attacks that likely prevents the attacks from happening in the first place and leaving us with a market-pegged asset.

Don't know about this, but what about volume of trade limits set by 51% of the delegates? Like only $X per hour. It's set at a level that would almost never be breached unless it was being done as an attack and is constantly raised as the trading pair becomes more popular. 

Offline bytemaster

Sounds like being a delegate is a lot of (crucial) work, and you might be arrested (LibertyReserve had way more than 100 employees). Maybe all of the delegates can be from Switzerland, or something.

This is going to be pretty complicated to analyse now...I suspect that with 12 delegates comes instant victory. Getting 12 might even be easy, if 88 are going to be left in the dust, you wouldn't want to be one of those 88. 1 for free if you are a delegate yourself... I don't know when I'll have time to try and figure this out.

12 delegates is not "instant victory" if every delegate is publishing a feed.   
The feeds are not even critical...  if an attacker can get 51% of the feeds and have enough stake to manipulate the market then they can destroy one BitAsset... the chain would fork and people would continue.

Blockchains are like the lock on your front door, they keep honest people honest but do nothing to protect against governments or wealthy adversaries wanting to take you out.  These attacks are not profitable to perform.   Honest people can still use the system with great effect and just fork out any attacker.   

Bottom line:  providing security against attackers that don't care about profit is not something that any crypto-system provides.   

For the latest updates checkout my blog: http://bytemaster.bitshares.org
Anything said on these forums does not constitute an intent to create a legal obligation or contract between myself and anyone else.   These are merely my opinions and I reserve the right to change them at any time.

Offline AsymmetricInformation

Sounds like being a delegate is a lot of (crucial) work, and you might be arrested (LibertyReserve had way more than 100 employees). Maybe all of the delegates can be from Switzerland, or something.

This is going to be pretty complicated to analyse now...I suspect that with 12 delegates comes instant victory. Getting 12 might even be easy, if 88 are going to be left in the dust, you wouldn't want to be one of those 88. 1 for free if you are a delegate yourself... I don't know when I'll have time to try and figure this out.

Offline bytemaster

Why not include market depth as a parameter?

For example:

We could bind the max contract size to the market depth at that moment, starting with a minimum contract size.

Like only 1000 BitUSD are sold and bought in the past, the max order size per account could only be X BitUSD. So for one account here is not a problem anymore.
I am aware that this idea could not prevent fraud from more than 1 account, but this kind of problem you will have all the time.

Any attacker with significant capital could harm the network with anything other than price feeds or a large player acting as market maker.    Price feeds give us "low-cost" protection against attacks that likely prevents the attacks from happening in the first place and leaving us with a market-pegged asset. 

Offline Shentist

Why not include market depth as a parameter?

For example:

We could bind the max contract size to the market depth at that moment, starting with a minimum contract size.

Like only 1000 BitUSD are sold and bought in the past, the max order size per account could only be X BitUSD. So for one account here is not a problem anymore.
I am aware that this idea could not prevent fraud from more than 1 account, but this kind of problem you will have all the time.

Offline luckybit

BitAssets are a challenge to bootstrap because it only takes a single bogus trade for someone to print up a billion BitUSD backed by no collateral.   To execute this trade all that is necessary is for someone to gain control of both sides of the order book long enough to execute a trade against themselves at a price they pick.   This attack depends upon two factors:

1) The attacker having financial interest in destroying the network
2) The attacker having a large pot of cash that they can burn to bring it down.
3) The attacker being able to execute his attack in a timely manner.

Most of these problems go away once the network is as big as Bitcoin, but when we are young it is much harder to "secure" the market peg.  I have just finished implementing everything I think is necessary to launch BitAssets and having the system be secure:

1) There is a minimum market depth required before any shorts or covers are executed (1% XTS)
2) There is a maximum short price that is 50% higher than the current median price feed: maximum_bid = median_price * 3 / 2
3) Only active delegates may publish a price feed and they must update it every 24 hours.
4) At least 25% of the delegates must be producing a feed

What these limits mean is that once trading begins the only time there can be a margin call is when delegates raise the median price feed.  It also means the delegates are circuit breakers in the system.  They can limit the price movements during rapid change giving players time to adjust their positions. 

Someone speculating in this market now knows that the value of BTSX in terms of BitUSD cannot fall by more than 33% without the delegates updating the price feed.

So what does this give us?   
1) A system where there are up to 101 price feeds for USD / BTSX price, with at least 25
2) By using the median, feeds that are way out of line are ignored.
3) Delegates don't set the price and thus the feed does not need to be very accurate and can get by with just one update per day.
4) The price feed is just used as a guardrail that makes attacks "impossible" while not actually being used to execute orders
5) Users only need to trust that delegates can produce a feed that is "close enough" and don't have to trust any individual delegate. 
6) Even if the delegates posted BOGUS feeds all they could do is stop new shorts from being executed.
       a) delegates have this power anyway by controlling what transactions get included.
       b) if the attacker controls over 50% of the price feeds they must control at least 12% of the delegates and that is already bad.
       c) everyone knows who the attacker is based upon their price feeds.

In the long-run, we can remove the need for the price feeds once the depth of the market is measured in billions of dollars... or perhaps loosen the price range a bit.   With this in place I believe we can launch a test network for BitUSD tomorrow.   All trading will occur just like it does with user issued assets with the addition that shorts can add bids (selling USD for BTSX) and margin positions can result in asks.

I thought if we have automated or algorithmic trading then the network could self bootstrap in a coordinated fashion. Bots would make the trades automatically in a coordinated symphony. But I see this is not something which everyone would do.

Manual trading would be harder to bootstrap but I need to take some time to think about this problem as it's not easy.

I think the solution Bytemaster presents above is worth a trial. I hope it works but I also hope we can find a more elegant solution which can be more autonomous.
« Last Edit: July 27, 2014, 08:56:21 pm by luckybit »

Offline bytemaster

BitAssets are a challenge to bootstrap because it only takes a single bogus trade for someone to print up a billion BitUSD backed by no collateral.   To execute this trade all that is necessary is for someone to gain control of both sides of the order book long enough to execute a trade against themselves at a price they pick.   This attack depends upon two factors:

1) The attacker having financial interest in destroying the network
2) The attacker having a large pot of cash that they can burn to bring it down.
3) The attacker being able to execute his attack in a timely manner.

Most of these problems go away once the network is as big as Bitcoin, but when we are young it is much harder to "secure" the market peg.  I have just finished implementing everything I think is necessary to launch BitAssets and having the system be secure:

1) There is a minimum market depth required before any shorts or covers are executed (1% XTS)
2) There is a maximum short price that is 50% higher than the current median price feed: maximum_bid = median_price * 3 / 2
3) Only active delegates may publish a price feed and they must update it every 24 hours.
4) At least 25% of the delegates must be producing a feed

What these limits mean is that once trading begins the only time there can be a margin call is when delegates raise the median price feed.  It also means the delegates are circuit breakers in the system.  They can limit the price movements during rapid change giving players time to adjust their positions. 

Someone speculating in this market now knows that the value of BTSX in terms of BitUSD cannot fall by more than 33% without the delegates updating the price feed.

So what does this give us?   
1) A system where there are up to 101 price feeds for USD / BTSX price, with at least 25
2) By using the median, feeds that are way out of line are ignored.
3) Delegates don't set the price and thus the feed does not need to be very accurate and can get by with just one update per day.
4) The price feed is just used as a guardrail that makes attacks "impossible" while not actually being used to execute orders
5) Users only need to trust that delegates can produce a feed that is "close enough" and don't have to trust any individual delegate. 
6) Even if the delegates posted BOGUS feeds all they could do is stop new shorts from being executed.
       a) delegates have this power anyway by controlling what transactions get included.
       b) if the attacker controls over 50% of the price feeds they must control at least 12% of the delegates and that is already bad.
       c) everyone knows who the attacker is based upon their price feeds.

In the long-run, we can remove the need for the price feeds once the depth of the market is measured in billions of dollars... or perhaps loosen the price range a bit.   With this in place I believe we can launch a test network for BitUSD tomorrow.   All trading will occur just like it does with user issued assets with the addition that shorts can add bids (selling USD for BTSX) and margin positions can result in asks.






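
The feed rules listed in the post above (median of delegate feeds, 24-hour freshness, at least 25 feeds, maximum_bid = median_price * 3 / 2), worked through as an added Python example; it is not code from the post or from BitShares. The function names, price units, timestamp, sample feeds and the rounding of 25% of 101 down to 25 are assumptions made for illustration.

```python
from fractions import Fraction
from statistics import median

ACTIVE_DELEGATES = 101               # "up to 101 price feeds"
MIN_FEEDS = ACTIVE_DELEGATES // 4    # rule 4; rounded down to the post's "at least 25"
MAX_FEED_AGE = 24 * 3600             # rule 3: feeds must be refreshed every 24 hours

def median_feed(feeds, now):
    """feeds maps delegate -> (price, publish_time). Returns the median of the
    fresh feeds, or None when fewer than MIN_FEEDS delegates are current."""
    fresh = [price for price, ts in feeds.values() if now - ts <= MAX_FEED_AGE]
    if len(fresh) < MIN_FEEDS:
        return None
    return median(fresh)

def short_allowed(bid, feeds, now):
    """Rule 2: a short executes only at or below median_price * 3 / 2."""
    m = median_feed(feeds, now)
    return m is not None and bid <= m * 3 / 2

def make_feeds(honest, bogus, now, honest_price=Fraction(100), bogus_price=Fraction(10**9)):
    """Constructed sample data: honest delegates near one price, bogus ones far off."""
    feeds = {f"honest{i}": (honest_price + i % 3, now - 3600) for i in range(honest)}
    feeds.update({f"bogus{i}": (bogus_price, now - 60) for i in range(bogus)})
    return feeds

NOW = 1_406_500_000  # constructed timestamp

# 12 bogus feeds out of 25: the median is still an honest price.
minority = make_feeds(honest=13, bogus=12, now=NOW)
# 13 bogus feeds out of 25 (13/101, about 12.9% of delegates): the median is captured.
majority = make_feeds(honest=12, bogus=13, now=NOW)
# Only 24 fresh feeds: below the minimum, so no median and no new shorts.
thin = make_feeds(honest=24, bogus=0, now=NOW)

if __name__ == "__main__":
    for name, feeds in [("minority", minority), ("majority", majority), ("thin", thin)]:
        print(name, median_feed(feeds, NOW), short_allowed(150, feeds, NOW))
```

A node monitoring the feeds can run the same median over the published values and flag any delegate whose feed sits far from it, which is the "everyone knows who the attacker is" property in point 6c.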