-
Notifications
You must be signed in to change notification settings - Fork 10
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Distributed reputation system #78
Comments
I understand that the signature from the trusted user is done in the background when the trusted user confirms the payment from the untrusted user. That is, the signing is fully linked with the payment confirmation and the delay. Correct? The new user should only get the signature from the trusted user when both the payment is confirmed and the delay time has been completed without disputes (i.e. chargeback request). |
Yes the signing happens after trade is completed. Not sure how to combine it with the delayed payout. Basically it could be kept independent. The signature alone has not much value yet only after the accunt age reaches a certain level. We need a mechanism for banning scammers so in case a signature was created and 1 week later a chargeback happens that account age witnetness become invalid. But I think that is not really required as a scammer gets added to the filter and cannot use that payment account anymore. |
If in the delay process it is required that the seller explicitly takes action in order to release the Bitcoin, then the signing can happen at that moment instead of on the payment confirmation. What we really want to be signed is the fact that no chargeback has occured, not so much that the payment has been received. |
Yes, I am just not so sure if we should combine too closely together both proposals (delayed payout) as that would let inherit that proposal the properties we have set in the other. If we keep it separate we are more flexible. E.g. If it is signed at confirm payment received we know the trader has used that account but we don't know it it might be chargebacked. So we treat such signatures less trustworthy. Only after a certain time (e.g. 2 months) we consider it safe. If a chargeback happens in the meantime it will get escalated anyway and the scammers account get banned. That banning is a centralized element but as its only exceptionally used I think its not a problem. We want to make the system so that scammers don't use it in the first place as they have no chance to succeed so if the meachnism for detecting and banning is fully decentralized or not is not that relevant IMO. Also keeping all those protection tools separate will make it easier to combine it. Some future ideas like the certificacte or BSQ bonding might get added and they all in sum create a trust score. E.g. A new user who is willing to lock up 10000 BSQ can be considered trustworthy even if his signature is just 1 day old. If we would not publish the signature before 30 days is over that information that he has traded with a trusted peer and used his account would not visible. But as it is valuable information we should make it visible and leave the interpretation to another layer. |
Ok, I see now. Making it modular is best. One concern I´ve just realised is that if a signed new account happens to be a stolen account, arbitrator eyes might turn not only to the scammer new account but also to the owner of the old account. This is bad if the old account owner was honest and simply the scammer´s victim realised the scam on a later transaction after the delay, but it is good if the old account owner was somehow colluding with the scammer by confirming an unexisting payment. My point is that with this system some kind of responsability could fall onto the signer. In this respect your approach by keeping it separate is better because the old account owner is just confirming a payment, which later the system uses for the account age mechanism to build an "account age reputation". It is good that the old account owner does not finalize the process by signing. Anyhow, If the old account owner is honest there wouldn´t be any responsability/liability problems outside Bisq as long as he can demonstrate that he received the payment, which he can prove with his bank information. Correct? The only risky situation for him is that if he mistakenly (honestly) confirms an unexisting payment from a scammer... That would be an extremely unlucky situation, but just thinking out loud.... |
Regarding arbitration keys: Another aspect to consider is how we treat new users getting verified by trusted traders. Once their account is mature they can act as signers for others as well. Should be consider them level 1 trusted users or add a new level 2 for them and the later level 3,....? As the initial trust distribution from the arbitrators does not give much more security than later when a traders account matured and he is enabled to sign others, I think we should not add complexity by multiple layers and treat all the same. The main security parameter is the time we want to wait before we consider an account safe, not if the signer received his signature from the arbitrator or other trusted traders. |
I´d say that once the account is mature it can be used to verify other traders. For more security I´d rather require more than 1 trade with old users and keep the non mature / mature binary, than adding more levels |
Regarding the above, I am not sure if we could have a limited issue with the accounts created the last few weeks and until this system is put in place, those accounts would be in the middle of nowhere.... Not old but not new, and created during a specifically risky time period. How will this accounts be treated when they become old? |
Regarding the above risk, requiring that 2 old accounts confirm a payment for the new account to become mature, would extremely reduce the impact of one of them mistankly (honestly) confirming an unexisting payment from a scammer. Given that this risk is worth mitigating. Furthermore, if liability / responsability is an issue (I am not sure about that), then maybe it would be worth requiring 2 of 3 payment confirmations from old owners and randomly selecting the 2 of 3 to relieve individual users from that possible liability. |
These are some interesting ideas. My first thought is how this will be done technically, do we keep some kind of accountagewitness map with respective acks from other trusted nodes? How do we avoid backdating and other such issues? This is probably solvable, sounds like @ManfredKarrer has an idea. Sounds like it will be quite a bit more complex than the current accountagewitness. I also wonder how we protect against an attacker that creates a genuine account, makes a tx and ages it such that they now have a trusted account. This attacker can now make fake trades with stolen accounts to age them and thus make them trusted. There is a bigger risk for the scammer as there need to be at least one genuine bank tx at some point but it seems like an attack vector. This kind of distributed reputation system probably adds some extra protection, at the price of complexity and possibly a feeling of being safer than it is. I'm not sure if it's worth adding or not. |
@sqrrm See bisq-network/bisq#2768 Basic idea: A new P2P network payload similar to AccountAgeWitness which takes a hash of a AccountAgeWitness the pubKey of the signer, the pubKey of the AccountAgeWitness owner, the date and the signature. It is date protected in the same way as the AccountAgeWitness (prevent backdating). It starts that arbitrators sign the AccountAgeWitness of traders of completed fiat trades (fiat was transferred). Then those who got signed can sign others with whom the trade. Regarding your attack concern: If the scammer uses the account for any tx it is likely that the fraud gets detected and leads to a chargeback and he loses control over the account. The signing of the AccountAgeWitness does not mean that the account owner is immediately trusted. It starts aging from that moment on and only after a certain time it is considered trusted. If it was a scammer it get banned anyway via the filter objects. |
Would it make sense to make signatures by a scammer account invalid? Just to prevent having lots of sub-accounts of the scammer in the system that might be trusted ones in the future?
But that is just for the case that she is using the same onion address. |
@ripcurlx The account age witness is based on the account data (IBAN,...). We can ban users by that account data and then the user is blocked independent if the account age witness is valid. Those account age witness data and the signed ones are immutable append only data so we cannot change or invalidate those directly, but use an external ban list to check if one is valid or not. |
Transfered to #27 (comment) |
@sqrrm I understand now your attack scenario (after our discussion). I summarize it here again and documment the protection idea: Attack: Protection: |
regarding @sqrrm attack scenario, An scammer creating real accounts and doing real trades is definetively possible, but he would be exposing his identity very dangerously. So it is not an easy path at all for him. Another way of adding protection from that attack is requiring more than 1 different old account to sign. The scammer would have to expose himself even more with several real accounts and trades. Although this would make identifying the sybil account more difficult. Also, as Manfred points out and I highlighted above, if scam happens eyes will quickly turn to the signer. In that respect please see my comment above about possible signer liability #78 (comment) |
Yes I see the liability issue now different. I think there is no risk for the signer as long he can proof that the fiat transfer really happened. All what he would be required in case if the above scam scenario is to provide the sybils account data and then the sybil need to proof that he did a real transfer with the scamme and he will fail on that. Of course in reality it will be harder as peers will not be online anymore, etc...But I think just to have that option in place makes it very risky for the sybil to collude. Maybe we need to add another note in the "Confirm fiat" popup so that it is clear that this confirmation has an additional security context. But not sure if that gets too complicate then? |
I am not sure because making it clear to the user could make it even more liable like it is his responsability and not that the system is just using his payment confirmation to build a reputation by its own. I acknowledge that I am little bit throwing the stone and hiding my hand with this liability issue. Just want to raise it to make sure is considered, but probably not that relevant. Liability only would arise in a situation where the signer mistakenly (honestly) confirms an unexistent payment from a scammer. But I guess that´d be a rather unlikey situation. |
I think the parameters (how many signers, age,...) should be delegated to the trust score layer so we are more flexible. The signing theshold though is a binary issue and cannot be changes later to not invalidate the trust chain (it is sort of blockchain of trust). So we need to make a good future proof decision here. Requireing too many signers to enable one to sign will slow down the propagation of trust. But 2 might be a reasonable number. How we interpret the age is up to the trust score domain. With signing the age starts but is does not provide security as the account still can be chargebacked. So we can be flexible what age we use to increase the score and how the score influence dealyed payout and deposit amount. The trade amount of the fiat transfer might be important to add as well to avoid that the scammer makes a real transfer to his stolen account which might be harder to detect for the victim. Probably not a big risk but we should consider to add that into the data. |
I feel inclined to require more signers, but that also has the problem that if the scammer manages to become a signer, it is more difficult to identify him amongst other signers. Keeping it down to 1 signer is the positive side of the liability problem (plus it is less complex). As a general comment, I forgot to say this at the dev call, for me the strongest deterrent for scammers by a huge difference will be the payment delay. The fact that new accounts are unable to cash out bitcoin for several days after the payment is extremely risky for the scammer compared to now having many chances that the scammer cashes out the btc before the chargeback request happens. This is a difference like night and day in my opinion. The reputation, if we get it right, would round this up by deterring also patient scammers. But probably keeping it as simple as possible is best. So I agree flexibility and simplicity is important. So I would vote for just 1 signer. Not completely sure, though. |
Sorry, what is a " EC key " ? |
Agree with @mpolavieja that time is the biggest factor. Scammers work under time pressure. The biggest drawback is that delays also impact all honest users. Considering that fraudsters represent a tiny % of trades and users... it is sad when ux is made worse for everyone to deter the 0.1%. |
I tend to agree with flix1. |
Elliptic curve key (e.g. Bitcoin key) |
Now I realize that this might be stupid, if there are 2 signers that sign a fraudulent account, it is very likely that both are scammers. |
Fully agree with @flix1 on the drawbacks and that fraudsters will be always a minority. But not having any delay is a red carpet welcoming the use of stolen accounts. For example having a minimum delay of 2 or 3 working days (which is happening already in many trades where the payment is received on the 2nd day and it is confirmed in the 4th or 5th day) would make a huge difference from not having a delay at all for new accounts. Regarding Harry concerns, I agree it might harm application usage, but chargebacks will also harm application usage, there are not so many banks, and as chargebacks occur bisq users could be eventually banned from all banks, specially the most active ones which are the ones that provide liquidity and make the system usable. |
I also agree with Harry that higher deposits are a fly to quality. Organized markets have been working like that for centuries for a reason. But to deterr scammers without a delay the security deposit must be at least as high as the trading amount, which would also impact UX. What are you referring by "ring of trust" @HarryMacfinned ? |
These measures (delayed payout and distributed reputation) would only need to be enabled for fiat payment methods with chargeback risk, correct? So anything cash-based like face-to-face and money orders (Western Union via cash, Moneygram, etc) would be exempt from payout delays and reputation limits? If so, they could be mitigating factors for usability/new-user on-ramping, since bank-related ones will make the process slow and frustrating. |
@mpolavieja |
No silly concerns! Yes -- you can see first and last name of sender. There may be edge cases such as name changes (PayPal claims 2-3 days lead time to process name changes, but how is that done, and what happens in the mean time?) that could be openings for scammers. I'm researching them now to better understand. |
We can consider any secondary bank where KYC is strong enough as such a 2FA. Paypal might be the weakest. Lots of scams and I would not be surprised that its not hard to fake name with a Paypal account. |
It's a long time since I opened my paypal account, but for what I remember, you do it with ... a bank account (normally yours). |
Even if PayPal is not the best way to do it @m52go core idea still stands. As @ManfredKarrer says the core idea is 2FA with another account so any other bank account from a different bank could do the work. Not always instant though, but this could be a very strong verification measure. |
@huey735 I was thinking about the use case of the one time user that just wants to privately buy around $500 - $4000 worth of BTC as a long term investment, and how we could facilitate UX for that kind of user (not having to wait to execute his trade). If the user does a minimum self verification (i.e. 2FA with 2 bank accounts, atm withdrawal, digital signature, etc) the system could allow him up to $2000 during the first month. Btw, I know that the delay option is being discarded at this moment, but this is the kind of user that probably wouldn´t mind a delay on the payment (we still would have the bad UX for the seller having to remember to take action once the delay is completed as I understand implementing an nlocktime for the release of BTC would not be easy at all as it would require a change on the protocol). So I am constantly running into the limitation of not having trading information about the peer. Despite my privacy concerns, I fully agree that having this information would be a really powerful tool, specially during the first month. If we could have that information as "zero-knowledge" as possible just during the first month it could be extremely useful. |
Instead of a distributed reputation... how about a "3 degrees of separation" system similar to that used by linkedin? It would allow each user to label 10 payment accounts as "trusted"... and on the order book for each offer you would see a little (1) (2) (3) badge showing if the account used to create the offer is: It would be merely informative, with no extra consequences or restrictions, but very visible. Most importantly if you remove an account from your trusted list... it would disappear from all your contacts as a 2nd or 3rd degree trusted account. Obviously this would only allow you to have up to 1110 1st/2nd/3rd degree trusted accounts... but on the other hand it seems easy to do, requires no personal identifying information and would be quite scalable. What do you think? |
A few more details about the above idea...
Since each payment account is already individually identified for account age purposes... all the information that you really need to store locally is a list of <1110 identifiers next to a (1)/(2)/(3). This might add a bit to the sync time for the network if this is updated often... but I believe the load would be very manageable. Finally, this trust mechanism can also be used for negative trust as a warning and blacklisting mechanism similar to the one described in #27 . |
Fully agree on that, we should take that as a core principle for any trust/reputation mechanism. To make it more difficult for scammers to build a trust branch by setting up colluding accounts, would it make sense that you could grant trust to others only after you have been granted trust from someone else? That would require a bootstrap procedure... such as the one proposed by Manfred using the arbitrators for the initial trust setup. Or maybe your proposal goes in the direction of avoiding that initial setup by relying more on revoking? |
Hi @mpolavieja the idea is that each user holds and manages their own whitelist of trusted accounts and also shares that information with the network. There is no signing of any kind. You don't grant somebody else's "trust" or some "official" network trust... you only grant your own trust and let the network know about it. So it does not matter if a fraudster creates a thousand fake accounts and uses them to "trust" each other... as long as you personally don't add one of them to your trusted list, they will never have a (1) next to them. Sure, if one of your trusted accounts adds a fake account to their trusted list, you will see offers using that account with a (2)... degree of trust decreases exponentially with each step away from direct trust. That is why only 3 degrees are really viable. However this way is fully organic and decentralized. It does not rely on any initial bootstrapping or authority (such as arbitrators). The information needed to bootstrap it is already there in your Bisq trade history: accounts that you have traded with multiple times months and years ago are the best candidates for you to trust. Even if scammers create a fully corrupted branch of the trust tree... users have an easy way to disconnect from it and isolate it. (The scammers can trade with themselves!) From a UX point of view this should also be very intuitive to the social media generation. With one key factor: trust must be made a scarce resource and so the number of accounts you can trust must have a (low) limit. Hence my suggestion of 10. |
From the point of view of a scammer, to abuse this system you would need to enter the trust circles of honest users. There is only one way to do that: perform multiple honest trades with that account over a period of time. The moment the account is: It will risk being dropped from the trusted list of the counterparty and replaced by a better partner in one of those 10 precious trust spots. The system can be used not just to prevent fraud, but also to reward preferential trading partners who trade efficiently. Just like the Uber 5-star feedback mechanism signals good drivers. Also see that it does not matter how many people trust you. That information is irrelevant and not shown to other traders. The only thing that matters is how close you are to direct trust with the other trader. So Sybil attacks or wash trading with yourself will not increase this score. Only convincing an honest user that you are also honest and reliable will have you added to their trustlist. A scammer would basically have to exit scam individually every single trading partner by gaining their trust over time before scamming them. And here is where the warning system of negative trust could come in: -Let's say that as well as a whitelist of 10 accounts you also locally manage a blacklist of 10 accounts. Where (-1) means that this account is in your blacklist and (!) means that it is in the blacklist of an account that you trust. |
Considering that at the moment there are at most 40 live offers by maybe 10-20 traders on the EUR offer book... it would be extremely easy to set up this system. By the time the web of trust has spread to include those 20 traders... it would take a very short time for the (!) warning sign to be seen by everyone on any offers made with an account that has been used to scam someone. Of course this helps reduce risk for takers... but what can we do to protect makers? Maybe a maker can choose the option to restrict their offers so they can only be taken by accounts which are in their (1)-(2)-(3) trust circles? or to exclude accounts with (-1) and (!) from taking their offers? I don't know if this can be done easily... But I like the idea of any restrictions and bans being set by users, not by the system or any Bisq "authority". |
Fully agree |
@flix1 Thanks for the interesting idea. Technically it can be done by requesting the trust assignments from the peers you choose by a request message and the peer responds with their trust list. There is some privacy issue though, maybe you don't want to reveal with whom you have traded to others? Maybe it could be limited so that only trusted peers can request that data? For makers rejecting peers which are not above the custom trust level might be a bit of usability issue as the taker does not know if he is inside the maker's trust tolerance. Default behaviour would be that he gets rejected with an error. But of course that can be improved so that the taker gets a more informative feedback. So that should not be a major issue... We have to be careful to not make it too hard for newbies to find traders. It would decrease the existing liquidity. My personal experience on LBTC was that it is very hard to find traders if you are a newby and then price is usually very bad or those are low trusted as well (newbies). So entering becomes more frustrating and a certain feeling of being a "second class" user can creep in. But beside all that, how much security does it add to the 2 main risks of scams (stolen account, money laundering)?
So I think that idea is helpful for distinguishing fast traders from slow ones or ones who do "future trades" by canceling in case of high volatility but I fear for our current focus to protect against the above 2 types of scammers it will not add protection. We also need to take care to not create signals for a wrong feeling of security which is not covered by the type of protection. That is true for the other ideas as well. Just because we can be very sure that the user is not a chargeback scammer of money launderer does not mean he is a fast and honest Bisq trader (still could cancel out in case of high volatility, be very uncooperative in disptues,....). But I think those problems are less severe and the security deposit is already a good protection (for the "future trades" issue). |
It does not help at all to prevent money laundering as these accounts can last for many months or even years before being detected. (Arguably all activity on Bisq could be considered an AML-risk). It would help with stolen accounts. 2-3 weeks is probably not long enough to gain much trust and because they would need to do honest trades to gain that trust it would increase risk of detection. ...but this is maybe already covered by the amount limitations that come with account age witness... and a simpler solution is preferable to a complicated one if the benefits are the same. |
Much simpler: Display prominently in the offer book:
Information for both is already available. No major changes or innovations are needed to implement this. There are no additional privacy concerns. This would allow takers to actively discriminate by only trading small amounts with unknown accounts and doing larger trades with those accounts that they personally have a longer history with or have been around for a long time. We already show the number of times that you have traded with a certain trader (based on the onion address?) but not with a particular payment account. |
I have been formulating a proposal for an alternative solution to this problem, but it still needs some issues ironing out, so I will post my preliminary thoughts here: The proposals we currently have for distributed trust and reputation systems (such as the one described above) are quite complex, which could make analysis of possible attacks quite difficult in practice. I'm also not convinced that we should move towards a system where we rely on the arbitrators as the root of trust - even though they could do this job, if we want to move to new trade protocols that remove the need for arbitration then this proposal would be a step in the opposite direction. Our primary issue with account aging currently is that it is only a reliable indicator of stolen account risk if we can guarantee that the aging started along with the first payment made from the account. The main problem here is that a scammer can make a fake trade to start aging, and so this is what my proposal here addresses, using the much simpler idea of BSQ bonds, which have been mentioned elsewhere but I have not seen a concrete proposal as to how they could be used.
The properties of the described system are as follows:
Using BSQ bonds as the root of trust for attesting account age leads to a similar system to that described above, but much simpler and with a clear economic disincentive to attempting to cheat the system, and an easier way for us to control that economic equation, by modifying the BSQ bond required or modifying trade limits, as necessary. |
Hi @reipichu, I think that most of us in the community think that BSQ bonding will be the best solution. The problem is that if requiring to own some BTC in order to onboard Bisq is a barrier of entry, requiring BSQ would raise the barrier of entry even more. Furthermore, BSQ token still needs to mature, and we need a solution in the meantime. Proposal #93 is a more concrete approach to strengthen account age as a trust parameter. In that proposal it wouldn't be that easy for a scammer to fake a fiat payment. The real root of trust in this proposal and also in #93 is not really arbitrators but old users. In #93 it is also suggested to put the first stones to pave the way for an arbitration-less protocol by enabling direct communication between users. And once arbitrators are gone, a decentralized blacklisting system can be implemented (we already have a rather solid conceptual design), which will be needed anyway regardless of the protocol (BSQ bonding included). I think we should focus on the priorities set at #91. What you propose is indeed excellent input for priority number 3, but we all need to make a decision first about priorities 1 and 2. |
In respect to the above, the system I outlined above would only require BSQ bonds for old users or regular traders, not for new users. The Bonded Traders would be used to ascertain whether an initial fiat payment has occurred from a new user who has traded with them - the new user just needs to pick a Bonded Trader to trade with for their initial trade. One incentive for old users to bond BSQ to be trusted to validate new users would be that they would be able to set slightly higher margins on their trade pricing as they would have a captive market of new users wishing to verify their payment accounts by trading with them. If that incentive is not sufficient, we could also consider a stipend/interest paid to Bonded Traders each cycle - not dissimilar to the role arbitrators currently serve. |
Yeah. Bonding BSQ opens a new ocean of possibilities. Indeed it could be implemented that for small quantities only the sellers would bond BSQ, as you said, and buyers would not need BSQ nor BTC, just fiat, and the seller would release the BTC upon receiving the fiat. So the on-boarding UX of newbies would be much better and it could lead to dramatically increase the number of Bisq users. But we would need to address carefully the risk of a scammer becoming a bonded seller to fake witness-sign an army of stolen accounts and deploy an attack after 30 days. If the bond is low, it could be profitable for the scammer. If the bond is high it could be impractical for honest sellers. I still think that relying on old users (> 6 months) as a root of trust is very interesting. Maybe a combination of age and bonding would do the trick.... Discussion is needed So as I said, we need first a practical solution within the current trade protocol, and then we can start the discussions and implementation of the new trade protocol (priority number 3 at #91) |
Closed as approved. Although not exactly as initially proposed, account signing has been finally implemented in version 1.2. |
In a discussion with @mpolavieja we developed a feasible solution for a distributed reputation system based on the account age witness but including a proof of a bank transfer. It is bases on an existing trusted element (arbitration) and from there we can build up a hierarchy of trusted traders.
The arbitrators could sign with their key all account age witness data from fiat traders who had completed the trades (fiat was trnasferred) and which have been older then 2 months. The P2P network payload data will contain the signature, the account age witness data (hash) and the public key of the arbitrator and it is distributed to all nodes. Anyone can verify the signature with the public key of the arbitrator. This will create the root of trust where the arbitrators are a semi-centralized trust root and they give those traders trust level 1.
We apply that to both buyers and sellers. It is guaranteed that the buyer did not has made a chargeback in that time frame. The seller does not give that guarantee but it is very unlikely that the scammer used his own account to receive the Fiat so it seems reasonable to include sellers and gain 50% more of initial level 1 peers.
For signing we might need to use the hard coded EC key as only that is persistant. The normal signature key would not be available anymore once an arbitrator has revoked as it is only part of the arbitrators P2P payload data. We need to think here about the future changes with integration of check for validity of an arbitrator depending on acceptance and locked up bond in the DAO. The current hard coded pubKeys will become obsolete then.
If a new user with a fresh account is trading with one of those traders who have received a signature from the arbitrators the trusted user will sign the untrusted one's account age witness data. By that he will gain trust level 2 but it will require some aging until it is considered trustworthy (e.g. the peer could still make a chargeback in the upcoming weeks). We could use a linear function to derive some trust score from that age.
It is an open question if a single signature is enough here or if we should require up to 3 signatures from 3 different trusted traders. Collusion risk between a potential scammer with a trusted peer is probably a very low risk. If we require too many it leads to some privacy loss for the trusted peer as with his public key anyone can see how often he has traded. If the number of such signing interactions are rather low the visible nr. of trades is much lower than the real number of trades and the problem is less severe.
Another open question is if the signing only would apply to buyers or both to buyers and sellers? Again if the seller is the scammer he would receive the funds on a stolen account which is unlikely that he want to do. If the victim sees incoming money he might get alerted as well and the account can get closed. So we prefer that the process of building up trust happens faster by doing it both ways rather that to be too restrictive.
All that signing and data publishing would happen without user interaction in the background.
A bigger challenge than the implementation of that part is the user experience aspect. We need to find a way to communicate those complex concepts in a simple way to users: The untrusted user need to understand why he has a low trust score and what he can do to increase that. The trade peer need to understand what risk he is willing to take (by trading with low trusted peers) and what are the usability consequences (delayed payout).
It has to be combined with the other proposal about the delayed payout. We need to support both the current account age witness system and that enhanced one with the signature of a trusted peer who has trades with you. With the current weaker account age reputation we are not protected against a scammer who is willing to wait for 1 months without using the stolen account. With the enhanced system one's account age would only start aging once you have done a trade with a trusted peer. New users would prefer to trade with a trusted peer so that they can get faster a good trust score. All that need to be packed into the UI in a way to not confuse users and to not add too much requirement for reading and understanding all that background. Probably the biggest challenge in that proposal....
The text was updated successfully, but these errors were encountered: