
Hundreds of bondless spam makers in orderbook

Open cookcut opened this issue 7 months ago • 5 comments

Let's talk about the hundreds of makers in orderbook with about the same fee (some variation) which are likely an attack by the same person/group to be involved in as many coinjoins as possible and sniff out information. Can we require more makers with bonds to be involved in coinjoins? There is a default which is 12.5% currently, should we change it to 5%?

cookcut, May 28 '25 04:05

I don't think that's an issue. You cannot sniff much information if your participation is anyway limited to 12.5% in each coinjoin with the default configuration.

kristapsk, Jul 05 '25 14:07
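
The 12.5% allowance discussed above can be put into numbers with a small simulation. This is an added example, not part of the original thread and not JoinMarket code; it assumes a simplified selection model (each maker slot ignores bonds with probability equal to the allowance, otherwise picks a bonded maker weighted by bond value), and the offer counts, bond values and function names are constructed.

```python
import random

def pick_makers(spam, bonded, n, allowance, rng):
    """Pick n distinct makers. Model assumption: each slot ignores bonds
    with probability `allowance` (uniform pick over all remaining offers),
    otherwise picks a bonded maker with weight proportional to bond value."""
    spam, bonded = list(spam), dict(bonded)
    picks = []
    for _ in range(n):
        if bonded and rng.random() >= allowance:
            names = list(bonded)
            name = rng.choices(names, weights=[bonded[m] for m in names])[0]
        else:
            name = rng.choice(spam + list(bonded))
        if name in bonded:
            del bonded[name]
        else:
            spam.remove(name)
        picks.append(name)
    return picks

def spam_exposure(n_spam, n_bonded, n_makers, allowance, trials=4000, seed=1):
    """Monte Carlo estimate of how often bondless offers land in a coinjoin."""
    rng = random.Random(seed)
    spam = [f"spam{i}" for i in range(n_spam)]               # constructed bondless offers
    bonded = {f"bonded{i}": i + 1 for i in range(n_bonded)}  # constructed bond values
    spam_set = set(spam)
    slots = any_spam = all_spam = 0
    for _ in range(trials):
        picks = pick_makers(spam, bonded, n_makers, allowance, rng)
        k = sum(m in spam_set for m in picks)
        slots += k                  # bondless makers across all slots
        any_spam += k > 0           # coinjoins with at least one bondless maker
        all_spam += k == n_makers   # coinjoins made up only of bondless makers
    return {"slot_share": slots / (trials * n_makers),
            "any_spam": any_spam / trials,
            "all_spam": all_spam / trials}

if __name__ == "__main__":
    # Constructed scenario: 300 bondless offers, 50 bonded makers, 9 makers per coinjoin.
    for allowance in (0.125, 0.05, 0.0):
        print(allowance, spam_exposure(300, 50, 9, allowance))
```

In this model the per-slot share of bondless offers can never exceed the allowance, while the chance that at least one bondless maker appears in a given coinjoin is much higher than the per-slot share. A coinjoin made up entirely of bondless makers requires every slot to take the bond-ignoring branch.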

> Let's talk about the hundreds of makers in orderbook with about the same fee (some variation) which are likely an attack by the same person/group to be involved in as many coinjoins as possible and sniff out information. Can we require more makers with bonds to be involved in coinjoins? There is a default which is 12.5% currently, should we change it to 5%?

Related: https://github.com/JoinMarket-Org/joinmarket-clientserver/issues/1790 let's drop to 0%

seamo1, Jul 19 '25 12:07

What about honest bonded makers that can't get their bond taken into account resulting in a bond value of 0 in the orderbook? How many are they?

DarKOrange75, Aug 08 '25 13:08

> What about honest bonded makers that can't get their bond taken into account resulting in a bond value of 0 in the orderbook? How many are they?

Well that's only the case temporarily until the orderbook is restarted. I don't know why it happens, but in practice it has little impact since the JM daemon is usually started in place for each cj, getting all the available offers with the correct bond value. It's just a problem for long running orderbook watchers which are probably not used much for actual cj peer selection.

m0wer, Aug 11 '25 19:08

> > What about honest bonded makers that can't get their bond taken into account resulting in a bond value of 0 in the orderbook? How many are they?
>
> Well that's only the case temporarily until the orderbook is restarted. I don't know why it happens

It's only a problem in ob-watcher.py because it doesn't request bond signatures from new makers as they announce their offers, only once at startup. Makers can't announce their bonds publicly because the bond announcement contains a signature that is specific to the maker and the taker. (This prevents replay attacks.) So the only way to see a maker's bond is to actively request it from them. You can't just passively observe bonds.

whitslack, Aug 28 '25 15:08