The attack scenario articulated by Nagalim has a premise that the BTC price can be predicted, which I don’t accept.
He makes some valid points about asymmetries in liquidity between tier 4 sell side and tier 6 (buy side), but I believe that asymmetry is of minimal importance when selecting the threshold at which to intervene in the currency market.
Let’s pretend we move the % up to 49%. Now, the signers are basically constantly selling and buying, much like T1-3. Except now the volatility risk is not decentralized, it is essentially taken directly out of Nu’s marketcap. The % gap (‘virtual spread’ as I call it) allows us to dampen the effects of volatility using park rates and decentralized liquidity. A wider spread allows us to sustain a wider volume of volatility before we engage multisig funds directly.
If I want to sell a lot of nbt it would be better for me to put it up as sell side, kick the percentage over the 40% barrier, and force signers to buy from me at the spread premium (or just under so I step in front of the other custodians). The threshold determines how much liquidity I need to activate the signers, in all scenarios.
Put up 100,000 buy side. Force signers to sell at $0.99.
Take down buys and put up 100,000 sell side. Force signers to buy at $1.01.
Profit at Nu’s expense.
If we go from 40% to 30% we make it so the threshold for that kind of manipulation is $40k instead of $20k (Assuming 200k total liquidity). If we factor in T5 and things like fixed cost and ‘shift’ in additional to normal supply and demand rules, doubling the threshold can give us a good bit more of a comfort zone than even that $20k. With a 30% threshold the amount of liquidity required to attack the network in such a way more than doubles over a 40% threshold.
A signer does not need to run a full node, simply sign a Tx that is passed to them. (I think)
A signer must be available for signing consistently, which means reachable by bit message or whatever. @JordanLee made the suggestion 5 days a week and 45 weeks a year. FLOP should coordinate so there’s always signers available.
Retrieve unspent outputs for the multisig address. It better not involve scanning the blockchain oneself, but I don’t know anything about the API of the blockexplorer. If we can’t properly automate fetching this data from the blockexplorer we can create a small database to keep track of the outputs, and put it on a server or github. I prefer github either way in case blockexplorer is unavailable.
A first signer “proposing” a transaction would choose suitable outputs and sign a transaction. Without nud you’ll need to keep the private key and do some scripting.
The signed transaction is broadcasted (e.g. on the forum, via github). The next signer picks it up, signs it, and broadcast via the same medium, so on so forth.
When there are enough signatures somebody would use sendrawtransaction to put it through the network.
(5. Somebody with access to the blockchain or blockexplorer would update the unspent outputs)
I prefer not to use Bitmessage in any part of the main workflow as it’s not suitable for mobile networks.
It isn’t clear whether full Bitcoin nodes will be needed, because it depends on which multisig client signers decide to use. Armory is popular and requires a full Bitcoin node. There are web wallets as well as local thin clients that also support multisig transactions. Which software is best for Bitcoin multisig transactions needs to be researched and resolved. For NBT and NSR, signers will need to manage funds using a Nu client via RPC, or command line. The process of creating an NSR or NBT multisig address and spending from it is described in detail here. The process isn’t exactly user friendly but it doesn’t require programming skills or anything like that.
As Nagalim mentioned, availability will need to be coordinated so that enough signers are always available to form a transaction at any time. It isn’t clear how formalised this will need to be, but with multiple backup signers, scheduling time you will be unavailable probably doesn’t need to be done meticulously.
Signers need to watch liquidity figures on a daily basis and be available for contact by other signers. It would be ideal if they are regular forum readers.
When it is time to transfer funds, in the case of an NSR or NBT address, one signer will start by creating and signing a raw transaction, then send the raw transaction to the second signer, who signs it and passes to the next signer until it has enough signatures, at which point it will be published to the Nu network. The process with Bitcoin is likely to be even easier.
While I can’t predict how often action will need to be taken, it is likely to be between once a week and once a month. After doing it a couple times, I think signers will find the process easy and comfortable.
Does anyone have any additional questions about what it means to be a signer?
No, the first signer signs, then the next signer signs, but it doesn’t matter who the next signer is (any other member of FLOT). Then that signer passes it on. If a signer signs a different chain of signatures they are forking the transaction.
Someone, anyone, even someone not on FLOT, forms a raw Txn and broadcasts to the FLOT. A member verifies the Txn, signs it with a private key, and rebroadcasts. Another signer verifies, signs, and rebroadcasts. And so on. Once the threshold is reached, anyone, even someone not on FLOT, can broadcast the signed Txn to the network via a node.
You don’t need to make sure the next one signs, broadcasting it should be enough. Once a Txn accumulates enough signers and is broadcast to Nu it will consume the outputs and render any signing forks useless.
Ideally one would sign a transaction and pass it to another person, and the transaction is passed down until it gets enough signatures. The next person might not be available or reliable for signing, so by chance you’ll need to try somebody else.
So you may as well just broadcast the signed transaction e.g. on the forum and just let the first FLOT member who sees it do the job. After this next person signs the transaction, he will need to broadcast the transaction again, and the signer that goes after him will need to sign this newly signed transaction.
Two people might try to sign the same transaction at the same time, producing a fork. Practically there’s only one valid fork but it means one of the two people would need to sign again, this time the transaction signed by the other one of the two people. There are coordination issues but it isn’t serious, we just need a protocol that has locks and timeouts on top of the broadcasting.
By the way, once the group is formed we’d be creating a first multisig to receive the current balance of Tier 4 and that likely requires coordination within a forum post. We’ll see how smoothly that goes.
The centralization of a message board or other means is more of an issue of reliability and responsiveness rather than security. Whether or not a transaction can be signed ultimately depends on the discretion of each signer and the information they can get. For now we can just use several public channels, perhaps even simultaneously, and this also helps with transparency.
@FLOT, please start posting your proposals to join the FLOT. An example was given by JL like this:
Begin motion @satoshi shall be one of the members of the First Liquidity Operations Team. @satoshi will coordinate with other signers to defend the peg. @satoshi promises to be a part of FLOT for at least one year and to abide by all shareholder motions governing the use of funds. @satoshi will be available for signing at least 5 days a week and 45 weeks a year. No monetary is compensation is required. End motion