[OFFICIAL]Bitfinex.com first Bitcoin P2P lending platform for leverage trading

[TwinWinNerD]

I love the ideo of futures trading on Bitfinex.

BUT FOR THE LOVE OF GOD, don't offer a high leverage, OKCoin and co have all had to socialise losses, because of high leverage.

[1713519661]

1713519661

[mjr]

It looks like Bitfinex could use some serious improvement in their routines regarding user security. And I think we should help them by brainstorming ideas for exactly how this should be done or just have a little public debate.

THE ISSUE:

https://www.reddit.com/r/Bitcoin/comments/2mchko/is_the_security_on_bitfinex_and_kraken_really/

A user posted this in /r/bitcoinmarkets about losing his 2FA keys

https://www.reddit.com/r/BitcoinMarkets/comments/2m944k/daily_discussion_friday_november_14_2014/cm29ldw

    For kraken there is an option to send a atemporary key to your email address to use in place of the 2FA key, which allows access to enable it again.

    For bitfinex I emailed them and they temporarily disabled the 2FA key so I could reset it.

    For bitstamp I emailed them and had to resend a new picture of my KYC docs, they then disabled 2FA and also virtual currency withdrawals, once you have re enabled it you then send another picture of your KYC docs with a message to them asking them to re enable BTc withdrawals.

    In terms of security its probably stamp > kraken > finex but in terms of customer services its kraken > finex > stamp. Kraken got back to me within the hour, finex took a day, stamp took 4.

So if someone gets access to your email, your 2FA becomes worthless on kraken. On bitfinex it seems they don't even need to get access to your email.

Has anyone else here been through a similar situation with these exchanges? Is it really this poor?

I use 2FA on Bitfinex - but what is it worth if someone can just make a myname@whatever.tld e-mail account and send them an e-mail asking them to disable it?

Not sure if I should try making some random e-mail account and bug them to give me my password and disable my 2FA using that just to see what happens.. perhaps I should do it, but not right now due to this posting, perhaps in a week or month or two months... As the above message shows: Attacking them just to see what happens is probably a good idea.

You would obviously need to have the Bitfinex username and password already to gain anything from disabling someone's 2FA - but even so, disabling 2FA should just not be simple. On the other hand, it could happen that someone does need them to disable their own 2FA for legitimate reasons - like .. your 2FA device is stolen/broken/flushed down the toilet (happened to a friend once) and you do not have a few encrypted USB sticks or a paper backup of the 2FA seed. There is also the question of "what would my family do if I die in a horrible car accident" (hint: make sure a family member you really trust, blood not "love", knows how to clear out your BFX account prior to this happening).

I for one would like Bitfinex to have the option of adding a GnuPG key. If a message comes from my e-mail signed by my GnuPG key then it is likely me. Weaknesses: a) Some customers will inevitably put all eggs in a very weak basket: Their mobile phone. b) your GnuPG key is probably on your computer and you type your password in on your computer so if that is owned..

A quick note on mobile phones here: They are CHEAP. As in get a $50 Android phone JUST for 2FA. Never bring it anywhere and never use it for anything else. If you have 1 Android phone and you a) use it for 2FA b) use it for e-mail and have your username and password permanently stored on it and c) have your secret GnuPG key on it and type your password into it all the time..   You're doing it wrong. If there is also a d) you use this device to login to Bitfinex.. then you are not using 2FA, you're using 1FA as in 1 device needs to be owned and you're screwed.

What I would like to see here is ideas on what the requirements should be for Bitfinex to accept "I forgot my password" and "Please disable my 2FA". My personal view is that the answer could be as strong as "Fly to our office and show us your ID" but I realize that many will not agree..

"Reddit"-style ID could also be a thing: Write the date and "please disable 2fa I screwed up" on a piece of paper and take a photo of yourself holding that and your ID (which they can verify against the verification documents they have in cold storage)? perhaps with shoe on head to top it off? I know this idea may sound a bit silly but ANYTHING is better than "just send an e-mail saying disable my 2fa plz"

Some threat models to consider:

* The adversary has owned your mobile phone. Everything on it is accessible to the adversary (which could include e-mail account, 2FA, Bitfinex login details as you type them in)
* The adversary has owned your computer and everything on it and knows everything you type but not your mobile phone (or your main mobile phone but not your dedicated 2FA phone)
* The adversary has owned your e-mail but nothing else.
* The adversary has owned your Bitfinex username and password but nothing else (only 2FA stands in the way).

I know I've been ranting. I'd just like some input and attention to this issue and I would not like to find my Bitfinex account empty one morning because someone used social engineering and/or script-kiddie level "hacking" to fool them into handing out my password and disabling my 2FA.

This is an interesting post, and I am looking into it. However, one thing off the bat, I can't just create any email account and then email from it. You have to email FROM THE EMAIL USED TO OPEN THE ACCOUNT. So, as long as you were the original user to open the account, you should
A) Know what email was used.
B) Be the only one to have access to it.

Of course, I am glad to look over the suggestions, and I think some of them might be useful as user requested additional settings. Security, from the user perspective, is a tradeoff between convenience and security. So, while making them fly to Hong Kong is super secure, it means that you could be locked out of your account for quite a long time. This is obviously just an extreme example. I, personally, hate when companies REQUIRE me to jump through hoops, and don't allow me to judge my personal preference for level of security. I think we struck a good balance, in that we allow you to lock your withdrawal address, offer automated withdrawals only if 2FA is enabled, and require 2FA for login. Obviously, this is heavily dependant on 2FA, and on a users own security measures. One thing I would highly recommend, again this isn't perfect security, but is have a passphrase on your phone, AND a separate one on your 2FA (in my case, you have to have my thumb to open Authy). Again, I stress that there is no perfect method that will make you unhackable, and if someone really wants it bad enough, there is always the $5 wrench. So, I think that doing a reasonable amount of preventative work, and getting into good security habits is effective for most accounts, while more extreme measures could be worthwhile for very large accounts, or for corporate accounts.

Really want to continue this conversation, so let me know your thoughts.

[Heavens Gold]

Dear Bitfinex

My BTC deposit isn't added to my account even after more than 6 confirms.
I've sent an email to support@bitfinex.com containing transaction details

I've been using Bitfinex for several months without any issue but this time I'm disappointed.
Would u please fix it up as soon as possible?

Thanks in advance.


 ---------------PS--
It's fixed now. Thanks for the swift response.

[Sukrim]

This is an interesting post, and I am looking into it. However, one thing off the bat, I can't just create any email account and then email from it. You have to email FROM THE EMAIL USED TO OPEN THE ACCOUNT. So, as long as you were the original user to open the account, you should
A) Know what email was used.
B) Be the only one to have access to it.

How do you verify that an email that seems to be sent from john.doe@example.com actually IS sent from this address? It is not very hard to fake the originating address in an email... http://en.wikipedia.org/wiki/Email_spoofing - and just a quick google search for "email fake sender" already gives me several web servic es in which I can enter any mail I want that seems to be sent from any other mail address.

If you send a request for confirmation back (again, taking care that you don't just hit "reply" - this might send the reply to a different address!) - which you don't(!) - then at least the mail account needs to be pwned  too (probably not too hard, but at least a bit harder than just faking a mail).

[noobtrader]

if i offer swap of btc for 2 days and some ppl take it only for 3 hours, do i receive interest of 1 day or  just 3 hours


thanks

Pretty sure interested is compounded hourly so if someone returns a swap after 3 hours you only receive 3 hours of interest, not 1 whole day.  

ok...

thats great  
i just got few btc swap offer returned before 1 hour which mean i got more interest in effect    
  

Note to self:  keep checking bitfinex every hours minute to maximize profit

[oyvinds]

This is an interesting post, and I am looking into it. However, one thing off the bat, I can't just create any email account and then email from it. You have to email FROM THE EMAIL USED TO OPEN THE ACCOUNT. So, as long as you were the original user to open the account, you should
A) Know what email was used.
B) Be the only one to have access to it.

Here is my problem with the current Bitfinex "security" system:

* Your e-mail account is ONE factor. ONE. Period.

If I get access to the e-mail account you used to sign up at BFX then I can:

* Reset your password.
* E-mail Bitfinex and have them disable your Google OTP.

The whole point of Google OTP is to provide TWO factor security for your account. What we have here is NOT two factor security, we have ONE factor factor security and that one factor is your e-mail account.

This means that your Bitfinex account is ONLY protected as well as your e-mail account is protected. If you, for example, signed up using a GMail account and use that with Bitfinex then everyone at Google can take control over your Bitfinex account.

Think about this: Why even bother ask for a password and OTP when you login at Bitfinex? Bitfinex could instead just ask you to enter your username and send you a login-link to your e-mail - then you click that link and you've got access to everything at Bitfinex. Does this sound secure? Well, regardless of what you think of that "security system" it is no less secure than the current system.

One little detail: You can not withdraw for 1 week after Bitfinex disables your OTP. This means that the adversary will need to look at your Facebook page and time the attack based on when you tell the world that you will be going on a two week jungle safari.

Of course, I am glad to look over the suggestions, and I think some of them might be useful as user requested additional settings. Security, from the user perspective, is a tradeoff between convenience and security. So, while making them fly to Hong Kong is super secure, it means that you could be locked out of your account for quite a long time. This is obviously just an extreme example. I, personally, hate when companies REQUIRE me to jump through hoops, and don't allow me to judge my personal preference for level of security. I think we struck a good balance, in that we allow you to lock your withdrawal address, offer automated withdrawals only if 2FA is enabled, and require 2FA for login. Obviously, this is heavily dependant on 2FA, and on a users own security measures. One thing I would highly recommend, again this isn't perfect security, but is have a passphrase on your phone, AND a separate one on your 2FA (in my case, you have to have my thumb to open Authy). Again, I stress that there is no perfect method that will make you unhackable, and if someone really wants it bad enough, there is always the $5 wrench. So, I think that doing a reasonable amount of preventative work, and getting into good security habits is effective for most accounts, while more extreme measures could be worthwhile for very large accounts, or for corporate accounts.

Really want to continue this conversation, so let me know your thoughts.

I agree that it is hard to make good trade-off's here. What I would like Bitfinex to solve better is that Google OTP should provide 2FA as in TWO FACTOR when it is used right. This means not using the device you use to login at Bitfinex for Google OTP (dedicated $50 android phone or a heavily passport protected normal phone, preferably one which you do not use to login at Bitfinex) and it also means not being able to remove Google OTP by the same means you can use to change the account password.

Bitfinex does not provide 2FA as long as you can use an e-mail account to easily both reset the password and remove OTP. That is NOT 2FA, that is 1FA. Period. And that is NOT secure. As I suggested: Write "Disable my 2FA, today is $DATE" on a piece of paper & take a photo holding that piece of paper and you now have something that is very hard to do for someone who is not you even if they have all the haxor skills in the world.

As for the $5 wrench.. yes, that is indeed a hard one to solve.

[Sukrim]

As I suggested: Write "Disable my 2FA, today is $DATE" on a piece of paper & take a photo holding that piece of paper and you now have something that is very hard to do for someone who is not you even if they have all the haxor skills in the world.

Won't work for people only using cryptocurrencies (no ID required) AND people don't always look like their ID picture all the time. It would be not too hard for me to look like a lot of generic white males if I just know the hair colour and some basic facial features for a blurry, badly lit picture.

[oyvinds]

Won't work for people only using cryptocurrencies (no ID required) AND people don't always look like their ID picture all the time. It would be not too hard for me to look like a lot of generic white males if I just know the hair colour and some basic facial features for a blurry, badly lit picture.

Good points.

I guess some trade-offs for people who do not want to verify are unavoidable. If Bitfinex has no clue who is the rightful owner of an account then they can't possibly verify who the rightful owner is. I guess those who do not want to verify would have to decide if they they want privacy or the ability to recover their account if something happens?

As for blurry, badly lit pictures, that is true but it could be solved by "The picture is too unclear, please take a better one". This would not help if the picture on the ID is unclear, though. I also see your point about generic $color males, but it does make it slightly harder for some. You will, for example, have a hard time looking Chinese if you are black?

Please share any better suggestions if you have any. Anxbtc verifies accounts by sending something to the physical post address you provide. That is just as secure as your mailbox is but it does prevent some hacker on the other side of the planet of typeing some things into his keyboard and gain access to your account (you can hack e-mail accounts remotely but you need to actually to go the physical mailbox to pick a letter out of it).

There are trade-offs as to what the second factor here should be. My concern is that there should be one, taking control over the e-mail account (one factor) should not be enough to a) change the password and b) remove/change Google OTP because (I know I am repeating myself but this is an important point) that is NOT 2FA, it's 1FA. Any actual second factor would add to the security model.

[Sukrim]

If Bitfinex has no clue who is the rightful owner of an account then they can't possibly verify who the rightful owner is.

GPG key uploaded to them before the user got compromised, GPG key attached to the user's email publicly before the user was compromised, access to Bitcoin addresses where deposited funds originated, electronically signed statements "I own account X" that can hold up in court as evidence if a fraudster withdraws money, locking down IP ranges on user request, offering VPN access (which can be often better secured than https websites, e.g. with certificates) to bitfinex, knowledge of previous interactions...

[noggin-scratcher]

lending offers that are taken slightly below FRR will still result in FRR increasing.

Would help a bit, but we really need for offers taken at FRR to result in the FRR increasing.

[gog1]

lending offers that are taken slightly below FRR will still result in FRR increasing.

Would help a bit, but we really need for offers taken at FRR to result in the FRR increasing.

Upon further thoughts, I think it is what it is; not much one can do to eradicate the problem.

[mjr]

This is an interesting post, and I am looking into it. However, one thing off the bat, I can't just create any email account and then email from it. You have to email FROM THE EMAIL USED TO OPEN THE ACCOUNT. So, as long as you were the original user to open the account, you should
A) Know what email was used.
B) Be the only one to have access to it.

Here is my problem with the current Bitfinex "security" system:

* Your e-mail account is ONE factor. ONE. Period.

If I get access to the e-mail account you used to sign up at BFX then I can:

* Reset your password.
* E-mail Bitfinex and have them disable your Google OTP.

The whole point of Google OTP is to provide TWO factor security for your account. What we have here is NOT two factor security, we have ONE factor factor security and that one factor is your e-mail account.

This means that your Bitfinex account is ONLY protected as well as your e-mail account is protected. If you, for example, signed up using a GMail account and use that with Bitfinex then everyone at Google can take control over your Bitfinex account.

Think about this: Why even bother ask for a password and OTP when you login at Bitfinex? Bitfinex could instead just ask you to enter your username and send you a login-link to your e-mail - then you click that link and you've got access to everything at Bitfinex. Does this sound secure? Well, regardless of what you think of that "security system" it is no less secure than the current system.

One little detail: You can not withdraw for 1 week after Bitfinex disables your OTP. This means that the adversary will need to look at your Facebook page and time the attack based on when you tell the world that you will be going on a two week jungle safari.

Of course, I am glad to look over the suggestions, and I think some of them might be useful as user requested additional settings. Security, from the user perspective, is a tradeoff between convenience and security. So, while making them fly to Hong Kong is super secure, it means that you could be locked out of your account for quite a long time. This is obviously just an extreme example. I, personally, hate when companies REQUIRE me to jump through hoops, and don't allow me to judge my personal preference for level of security. I think we struck a good balance, in that we allow you to lock your withdrawal address, offer automated withdrawals only if 2FA is enabled, and require 2FA for login. Obviously, this is heavily dependant on 2FA, and on a users own security measures. One thing I would highly recommend, again this isn't perfect security, but is have a passphrase on your phone, AND a separate one on your 2FA (in my case, you have to have my thumb to open Authy). Again, I stress that there is no perfect method that will make you unhackable, and if someone really wants it bad enough, there is always the $5 wrench. So, I think that doing a reasonable amount of preventative work, and getting into good security habits is effective for most accounts, while more extreme measures could be worthwhile for very large accounts, or for corporate accounts.

Really want to continue this conversation, so let me know your thoughts.

I agree that it is hard to make good trade-off's here. What I would like Bitfinex to solve better is that Google OTP should provide 2FA as in TWO FACTOR when it is used right. This means not using the device you use to login at Bitfinex for Google OTP (dedicated $50 android phone or a heavily passport protected normal phone, preferably one which you do not use to login at Bitfinex) and it also means not being able to remove Google OTP by the same means you can use to change the account password.

Bitfinex does not provide 2FA as long as you can use an e-mail account to easily both reset the password and remove OTP. That is NOT 2FA, that is 1FA. Period. And that is NOT secure. As I suggested: Write "Disable my 2FA, today is $DATE" on a piece of paper & take a photo holding that piece of paper and you now have something that is very hard to do for someone who is not you even if they have all the haxor skills in the world.

As for the $5 wrench.. yes, that is indeed a hard one to solve.

I don't think we disagree that things SHOULD be more secure, but in order to do that, as you suggest, people should buy another phone that they use ONLY for 2fa. That is probably not going to happen in 99% of cases. Therefore, due to the unwillingness to implement a hardware solution, it becomes 1fa. Here is the issue:

1. We need to know you are the person with the rights to access the account.
2. You do this by providing something you have.
3. If you lose that something, you still have the rights to access your account.
4. In order to remedy that, we have to be able to bypass the original security that you set up, due to the loss of your password, phone, email, etc

So, to be clear, if you maintain your security on your phone, and your email, you will never be able to be hacked. These issues affect people who have ALREADY been compromised. If we add gpg key as another method, what happens when you lose your gpg key? The simple fact remains, that google 2FA IS two factor authentication if you haven't lost one of the methods of authentication. We require the phone, which has the Google 2FA, and also the password, which you should be the only one to know. Obviously, since this system REQUIRES you to talk to someone in support, if you say that you lost your phone and forgot your password...the human who is talking to you will probe much more deeply and watch much more carefully. I agree that if I COULD just say "Hey, lost my phone and forgot my password, I sent you an email from the account used to open the account", and if this is all that is necessary, you could have a problem, but, you have to talk to someone in support, via email. They will respond to your request and await a response from you. I haven't seen the email spoofing successfully done, or reported here.

If you actually lose access to your phone, and you used an email which is on your phone, AND your phone isn't locked, the password can be guessed, or it doesn't use biometrics, THEN you have been pretty well compromised. For me, if I lost my phone, I would notice sometime within 24 hours. I usually touch my phone physically at least every hour, aside from sleep. Given that iPhones (and I believe Android?) can be remotely wiped, any access to the compromised phone should be able to be mitigated as soon as the loss is noticed. Since you cannot withdraw for a week, you should have more than enough time to work this out with support.

Long story, short, bitfinex uses a password authentication method, with optional 2FA, but we cannot guarantee your security in regards to YOUR phone, YOUR email address, and YOUR laptop. Basically, the complaint is, well, my phone and my laptop got hacked, how could they access my bitfinex account? I would say that if you were compromised in 2 other areas...your security procedures probably need some work.

I think that if someone wanted to REQUEST that we require more than simply emailing us and having a conversation, and place additional restrictions on their account, and agreeing to endure the higher inconvenience, that would be reasonable.

[noggin-scratcher]

Long story, short, bitfinex uses a password authentication method, with optional 2FA, but we cannot guarantee your security in regards to YOUR phone, YOUR email address, and YOUR laptop. Basically, the complaint is, well, my phone and my laptop got hacked, how could they access my bitfinex account? I would say that if you were compromised in 2 other areas...your security procedures probably need some work.

I believe the actual complaint was that if your email account is compromised from one device, that's pretty much game over - a sufficiently motivated attacker can have a password reset sent to that email address, and have a conversation with your support people to have the 2FA turned off. So the security of your Bitfinex account reduces to the security of your email account, with the OTP device serving mostly as a small additional roadblock to make the process slightly inconvenient, rather than a true additional 'factor'.

Not that I can really complain... my phone isn't secure enough to really count as an extra factor regardless of your implementation of 2FA... it's just a harder single factor to compromise given I'd have to physically lose it rather than getting myself electronically/remotely pwned.

[bubfranks]

Dear Bitfinex

It's been an hour, but my BTC withdrawal still says, "Processing." Perhaps your hot wallet is empty?
I've sent an email to support@bitfinex.com containing transaction details. Would you please take a look?

Thanks.

--EDIT: This withdrawal processed within about an hour of my email to support. Many thanks--

[Timetwister]

It seems like USD loans aren't taken at FRR.

[freakbits]

BTC swap rate is also terribly low even when the market was/is bearish.
Can we get a swap fee reduction from 15% to 10% maybe? Currently it's like 2.5% interest per year or less, hardly worth it.

[mjr]

BTC swap rate is also terribly low even when the market was/is bearish.
Can we get a swap fee reduction from 15% to 10% maybe? Currently it's like 2.5% interest per year or less, hardly worth it.

This is what I don't understand, this is exactly how a market works. If it isn't worth it for enough people, then there will be no supply, and people will have to offer higher rates. Again, we don't want to set rates, and we are not trying to guarantee any sort of return, it is simply an option that people can, if the rates are agreeable to them, choose.

So that is why I am always baffled by all the discussion about FRR. Your unwillingness to offer a swap is a signal to the market that the rates are too low for you. If enough people feel the same, rates will have to rise, or there will be no swaps available. It appears, given that there is plenty of supply, that a lot of people require much lower rates than you, and what is hardly worth it to you, is worth it to them. This is what I was talking about in an earlier post, markets are always a race to the bottom, that is actually the discovery of the price.

[Mythoughts]

BTC swap rate is also terribly low even when the market was/is bearish.
Can we get a swap fee reduction from 15% to 10% maybe? Currently it's like 2.5% interest per year or less, hardly worth it.

This is what I don't understand, this is exactly how a market works. If it isn't worth it for enough people, then there will be no supply, and people will have to offer higher rates. Again, we don't want to set rates, and we are not trying to guarantee any sort of return, it is simply an option that people can, if the rates are agreeable to them, choose.

So that is why I am always baffled by all the discussion about FRR. Your unwillingness to offer a swap is a signal to the market that the rates are too low for you. If enough people feel the same, rates will have to rise, or there will be no swaps available. It appears, given that there is plenty of supply, that a lot of people require much lower rates than you, and what is hardly worth it to you, is worth it to them. This is what I was talking about in an earlier post, markets are always a race to the bottom, that is actually the discovery of the price.

True... I totally cant understand why anyone would lend bitcoins at such low rates. The risks of BFX having some sort of technical troubles might be low, but certainly not low enough for the potential rewards.

But:
The market cant really rise with that huge FRR wall. And I cannot lend BTC at FRR and then re-lend them out higher, so this severly limits price discovery.
Did you see this post, some criticism of it and a way to avoid these problems?

[mjr]

BTC swap rate is also terribly low even when the market was/is bearish.
Can we get a swap fee reduction from 15% to 10% maybe? Currently it's like 2.5% interest per year or less, hardly worth it.

This is what I don't understand, this is exactly how a market works. If it isn't worth it for enough people, then there will be no supply, and people will have to offer higher rates. Again, we don't want to set rates, and we are not trying to guarantee any sort of return, it is simply an option that people can, if the rates are agreeable to them, choose.

So that is why I am always baffled by all the discussion about FRR. Your unwillingness to offer a swap is a signal to the market that the rates are too low for you. If enough people feel the same, rates will have to rise, or there will be no swaps available. It appears, given that there is plenty of supply, that a lot of people require much lower rates than you, and what is hardly worth it to you, is worth it to them. This is what I was talking about in an earlier post, markets are always a race to the bottom, that is actually the discovery of the price.

True... I totally cant understand why anyone would lend bitcoins at such low rates. The risks of BFX having some sort of technical troubles might be low, but certainly not low enough for the potential rewards.

But:
The market cant really rise with that huge FRR wall. And I cannot lend BTC at FRR and then re-lend them out higher, so this severly limits price discovery.
Did you see this post, some criticism of it and a way to avoid these problems?

Yes, we have been discussing it a while, and are working on a change to the FRR calculation. I think it could work a lot better, but in general...if you want rates to rise, don't lend. Constricting supply would raise rates, but you would have to forego any return for the meantime. Most people want something rather than nothing, and some posters even said, if the FRR wasn't there, I would just pick the lowest rate and do that. FRR is very similar to a market order, they don't request a specific return, and are basically willing to take whatever they get. I, personally, think that the FRR prob keeps rates higher, because they don't just go for the lowest possible.

[noggin-scratcher]

Most people want something rather than nothing, and some posters even said, if the FRR wasn't there, I would just pick the lowest rate and do that. FRR is very similar to a market order, they don't request a specific return, and are basically willing to take whatever they get. I, personally, think that the FRR prob keeps rates higher, because they don't just go for the lowest possible.

I can see that being possible... my instinct would be that it would be far more volatile - higher when we're on a bull run, lower when we're not, and more prone to jump about all crazy-like.

You'd have a steady stream of auto-lenders taking random pot-shots at whatever's available from the swap requests (hopefully not all of them - some would just take anything above zero but surely at least some would wise up and start at least picking a rate to auto-renew at once a day... and some would probably just leave), and that regular slow-trickle dump would indeed weaken the incentive for traders to take offers when they can just wait for a lowball 'market' offer... which might actually make the 'requests' side of the book relevant (and thicker at sensible rates) rather than just a queue of hopefuls waiting for someone to dump almost-free funding on them.

But even while full-auto lenders chew through the swap requests, without that giant anchoring wall on the offer-side, it'd also be that much easier for a rush of traders in a hurry to chew through the offers up to ~0.7%, as we've seen when the wall goes down before. That's why I'm thinking it would erode both sides and leave the going rate more freely wandering. Might be overall higher or lower, who knows, but that might well be more representative of the true supply/demand.

I can see the value in the FRR as a place to put all the lazy money so it can be stored up safely rather than unleashed all at once onto an unprepared set of 'requests', but I do still wish the wall would move when people start taking it; respond to the apparent demand by moving rates up a li'l bit to test whether there's still demand at that higher rate, then move back down if there isn't. I'm just going to keep saying that until either you're sick of hearing it or you become convinced.