Potential issue of a bad actor hiding the order book
Describe the bug
An offer can be hidden from the order book by accepting it, but not paying the bond for a few minutes at a time. You could in theory then automate creating robots and accepting offers repeatedly so that only your orders get picked.
To Reproduce
Steps to reproduce the behavior:
- Create robots
- Accept offer - don't pay bond
- Log out - create new robot - observe offer is now gone
Expected behavior
Offers shouldn't disappear until their taker bond is paid; bonds should be refunded to people who weren't able to pay in time.
I sent funds, then the order was cancelled. I only received my bond back. I wasn't refunded my fiat, and didn't receive my lightning. Any advice on what to do? I still have the token.
So you had an ongoing trade where you already sent fiat and the order was cancelled? How is that? Do you have a screenshot or more details?
Won’t this introduce new complexities if multiple robots are attempting to pay the bond simultaneously? Maybe a new “pending” state on the order book so only one user can still be paying the invoice but everyone can see that it may become available again?
A solution would be to keep the order visible in the book but disable it to clicks, with visual feedback to indicate there is currently someone in the process of locking the bond. That way, if another robot is interested in the order, it can watch the order state up until it becomes available again, which will probably elicit a watch list for users as a complementary feature.
I need to bump this issue, as someone has begun to exploit this issue to suppress my orders, continuously accepting orders with new robots, forcing me into a situation where I have to scale up the number of duplicate orders in order to try to get the attacker to back down. This action shouldn't be possible for people to do.
I also noticed this attack on my active order. The bot was taking the order with different identities continuously. One solution I could imagine would be allowing multiple takers at the same time and cancelling the HTLCs of all other takers once the first one has paid fully. The other takers could be shown an error message in the frontend so they are not confused.
We have been receiving some other messages about it. We need to work on this but so far it requires some extra modifications in the code that will affect the already well established workflow.
The main workload will be on detecting 2 LN payments arriving at the same time, nothing crazy, but notorious.
My plan is to talk to the coordinator to agree on the best way to manage
Ready for next release!
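A minimal model of the "multiple takers, first paid bond wins" idea proposed in this thread, including the case of two bond payments arriving at the same time. This is an added illustration, not the project's code: `Order`, `request_take` and `on_bond_htlc` are hypothetical names, and the arrival of a bond HTLC is modelled as a plain method call rather than a real Lightning node event.

```python
import threading
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class Order:
    status: str = "PUBLIC"            # PUBLIC -> TAKEN, only once a bond is locked
    taker: Optional[str] = None
    invoices: Dict[str, str] = field(default_factory=dict)  # robot -> OPEN/LOCKED/CANCELLED
    _mu: threading.Lock = field(default_factory=threading.Lock, repr=False)

    def request_take(self, robot: str) -> bool:
        """Hand out a bond hold invoice; the order is NOT removed from the book."""
        with self._mu:
            if self.status != "PUBLIC":
                return False
            self.invoices[robot] = "OPEN"
            return True

    def on_bond_htlc(self, robot: str) -> str:
        """A bond HTLC arrived: the first one wins, every other one is cancelled."""
        with self._mu:  # serialises bond payments that arrive at the same time
            if self.status == "PUBLIC" and self.invoices.get(robot) == "OPEN":
                self.status, self.taker = "TAKEN", robot
                for r in self.invoices:
                    self.invoices[r] = "LOCKED" if r == robot else "CANCELLED"
                return "LOCKED"
            self.invoices[robot] = "CANCELLED"  # late or unknown payer: release funds
            return "CANCELLED"

    def in_book(self) -> bool:
        return self.status == "PUBLIC"

def simulate_suppression(n_fake: int = 20) -> Order:
    """Constructed scenario: n_fake robots take without paying, then one robot pays."""
    order = Order()
    for i in range(n_fake):
        order.request_take(f"fake-{i}")
        assert order.in_book()        # unpaid takes no longer hide the offer
    order.request_take("honest")
    order.on_bond_htlc("honest")
    return order

def simulate_race(n: int = 8) -> List[str]:
    """Constructed scenario: n robots' bond payments arrive concurrently."""
    order, results = Order(), []
    names = [f"robot-{i}" for i in range(n)]
    for name in names:
        order.request_take(name)
    threads = [threading.Thread(target=lambda r=name: results.append(order.on_bond_htlc(r)))
               for name in names]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results
```

In this model an unpaid take costs the attacker nothing but also hides nothing; the order leaves the book only when a bond is actually locked.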