Bisq Trade Funds Security
January 9, 2024
This is part of a series of posts on Bisq, the peer-to-peer Bitcoin trading platform. This series will serve as a primer to a Meetup presentation planned for February 2024.
Seriously, Cash in the Mail?
Yes, seriously. The most common question I get is:
"Do you ever worry about losing funds?"
My answer is no. After 100+ trades, I've never lost a single sat or cent. This is after going through mediation and arbitration multiple times, losing my data directory, being ghosted by a peer, and fighting with a peer about my email address.
I have confidence in putting a high-value money order or untraceable cash in the mail to a stranger because of Bisq's trade process and rules. First, both peers have to put up security deposits of equal amounts of bitcoin. Once the taker (who could be a buyer or a seller) accepts the maker's offer (the maker could likewise be a seller or a buyer), your Bisq software creates transactions to:
- Send trade fees to the Decentralized Autonomous Organization (DAO).
- Send security deposits and the bitcoin to be transferred to the deposit address.
- Return deposits and transfer sold bitcoin.
- Send all funds to the DAO in the case of irreconcilable disagreements.
If you are savvy enough at reading Bitcoin transaction info, you can verify all of this yourself.
Self-Sovereign Escrow
This is the most important aspect of the Bisq trading protocol, in my opinion. The game theory around who controls funds and when incentivizes both parties to act in good faith, and greatly reduces third-party risk.
When a trade is accepted, a multisig address is created using each peer's wallet data (remember, your Bisq instance has its own self-custodial wallet). The funds are sent to this address. It's a 2-of-2 address, meaning there are only two keys that have control over the funds, and both are required to move the funds once deposited. It also means that if one of the peers is non-responsive, no one can move the funds anywhere!
...unless additional steps are taken. Part of the deposit process is to immediately (and automatically) have both peers sign a time-locked transaction that sends the funds to the Bisq DAO. This has a minimum hold of 10 or 20 days (depending on the fiat payment method of the trade).
The multisig and time-locked features are what prevent theft and loss, respectively, and are key to the security model of trades. If one peer acts maliciously or fails to complete the trade, the time-locked transaction can be published with a single click, sending funds to the DAO and allowing the remaining peer to collect what's owed to them. They are also likely entitled to a portion of the malicious/AWOL peer's security deposit.
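For readers who want to check these two properties in raw transaction data, here is an added example that is not Bisq's code and not from the original post. It assumes the escrow is a standard `OP_CHECKMULTISIG` script and that the payout uses a block-height `nLockTime`; the function names, keys, heights and the 144-blocks-per-day figure are constructed for illustration.

```python
# Added example (not Bisq code): sanity checks for a 2-of-2 escrow script and
# a height-based time-locked payout. All keys and heights are constructed.
OP_CHECKMULTISIG = 0xAE
SEQUENCE_FINAL = 0xFFFFFFFF
LOCKTIME_THRESHOLD = 500_000_000  # below this, nLockTime is a block height
BLOCKS_PER_DAY = 144              # assumption: one block per ~10 minutes


def parse_multisig(script: bytes):
    """Parse 'OP_m <pubkey>... OP_n OP_CHECKMULTISIG' into (m, pubkeys)."""
    if len(script) < 3 or script[-1] != OP_CHECKMULTISIG:
        raise ValueError("not a CHECKMULTISIG script")
    m, n = script[0] - 0x50, script[-2] - 0x50  # OP_1..OP_16 are 0x51..0x60
    body, keys, i = script[1:-2], [], 0
    while i < len(body):
        size = body[i]
        if size not in (33, 65) or i + 1 + size > len(body):
            raise ValueError("malformed public key push")
        keys.append(body[i + 1:i + 1 + size])
        i += 1 + size
    if not 1 <= m <= n <= 16 or len(keys) != n:
        raise ValueError("invalid m/n or key count")
    return m, keys


def is_two_of_two(script: bytes, my_key: bytes, peer_key: bytes) -> bool:
    """True only if both peers' keys, and no others, are required."""
    try:
        m, keys = parse_multisig(script)
    except ValueError:
        return False
    return m == 2 and sorted(keys) == sorted([my_key, peer_key])


def first_minable_height(n_locktime: int, input_sequences: list) -> int:
    """Lowest block height that may include the tx (0 means no time lock)."""
    if n_locktime == 0 or all(s == SEQUENCE_FINAL for s in input_sequences):
        return 0  # consensus ignores nLockTime when every input is final
    if n_locktime >= LOCKTIME_THRESHOLD:
        raise ValueError("nLockTime is a timestamp, not a block height")
    return n_locktime + 1  # valid once block height exceeds nLockTime


# Constructed sample data: two dummy compressed keys and a 10-day lock.
KEY_A, KEY_B = b"\x02" + b"\x11" * 32, b"\x03" + b"\x22" * 32
ESCROW = bytes([0x52, 33]) + KEY_A + bytes([33]) + KEY_B + bytes([0x52, OP_CHECKMULTISIG])
DEPOSIT_HEIGHT = 825_000
PAYOUT_LOCKTIME = DEPOSIT_HEIGHT + 10 * BLOCKS_PER_DAY
```

A result of 0 from `first_minable_height` on a supposedly time-locked payout is the case to watch for: it means every input carries a final sequence number, so the lock would not be enforced.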
This allows for seemingly risky actions on the fiat side, like sending cash by mail to a stranger (note: you still need to follow specific steps like taking pictures and purchasing mail tracking). The best part is that all of this is done for you. All you have to worry about is clicking a button saying you sent your fiat (or received it, if you're the seller).
Before the current system, there was a 2-of-3 multisig in which a single Bisq dev held a key. This was deemed too risky, as it would be possible for a dev to act as a buyer or seller and unilaterally move the funds, screwing over the peer. Now, Bisq contributors only take possession if the peers are unable to come to an agreement, and even then the funds are sent to one of multiple contributors (there was a plan to send to the DAO so as to further reduce central points of failure but I don't think that's implemented yet).
Further reading
Trading Rules
Security Deposit
Deposit Transaction
Dispute Resolution