Topic: As an intermediary/third-party, can I validate if a transaction occurred? (Read 238 times)

brand new
Activity: 0
Merit: 0
newbie
Activity: 8
Merit: 6
Therefore.. OP.. what is the reason you think using the xpub is a bad idea ?
For the reasons cited by HeRetiK. I searched for "bitcoin xpub key" and some of the first results warn about sharing it.

I agree that asking the seller to share his xpub key shouldn't be an issue if a wallet specifically made for my website has been created by him.

Asking for a batch of pre-created addresses also looks to me as a viable idea.

I may even give the choice of the method to the seller...

Thanks for those ideas!
legendary
Activity: 1624
Merit: 2481
1) Whoever has access to the xpub key can track your transactions

If OP is an intermediary, he already can track all transactions.
If the seller only creates this particular wallet for selling stuff on his website, that's not an issue at all.



2) Whoever has access to the xpub key and to the private key of one of its derived addresses can derive the private keys of its other addresses as well

This only applies to unhardened derivation paths, but not to hardened ones.

If OP simply uses a hardened derivation path (which is standard in most - if not all - wallets), this is not an issue either.



Therefore.. OP.. what is the reason you think using the xpub is a bad idea ?
legendary
Activity: 3122
Merit: 2178
You can also ask the seller for their xpub key and use it to derive a fresh payment address for each individual sale.
I didn't know about xpub key, thanks. But after some research, it seems that it's not a good idea to share your xpub key, so I can't really ask this from my sellers.

There are 2 risks involved when sharing your xpub key:
1) Whoever has access to the xpub key can track your transactions
2) Whoever has access to the xpub key and to the private key of one of its derived addresses can derive the private keys of its other addresses as well

(1) is precisely what you want to achieve, (2) should not happen as long as the seller keeps their private keys safe -- apart from very special scenarios where they explicitly export a single private key, usually either all their private keys are safe or none of them are, regardless of whether they shared the xpub key.

So while you shouldn't share your xpub key with random strangers on the internet, the scenario that you describe would be a typical use case for it.


Alternatively, if you don't feel comfortable with asking sellers for the xpub key, you could also have them send you new addresses in batches. Having them send you e.g. 100 addresses a month would still be less cumbersome than them sending you a new address 3 times a day. Not optimal, yes, but unfortunately as far as non-custodial address generation goes you can't do much better than using the xpub key.
legendary
Activity: 1624
Merit: 2481
I cannot ask the sellers to change their receiving address by themselves, after each sale, this makes no sense.. Imagine there are 3 sales within one minute for example.

Actually, you can.
And it is the best way to accomplish what you are trying to do.

If you are some kind of intermediary (without direct connection to the sellers server via an API etc.), you would request your seller to give you 10k addresses of them (generating them doesn't take more than a few seconds).
Then each time a customer wants to buy something from seller X, you give them an unused address of seller X. Once you hand out this address, regard it as 'used'. Even if the buyer doesn't actually buy something.

By giving each deal (customer Y buys from seller X) a unique address, it is way easier for everyone to check whether the transaction occurred and whether the amount is correct.

Once the address pool is 'low' (e.g. < 1k addresses), you request another 10k addresses.



However, if you as an intermediary are needed and don't want to regularly stay in contact with your sellers regarding addresses, using an xpub is probably the best option.
At least if a lot of sales are happening and refilling address pool would have to be done quite often.

Why exactly do you think it is not a 'good idea' for them to share their xpub with you ?
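
A sketch of the address-pool bookkeeping described in this post, as an added example that is not part of the original thread. The class name, the placeholder address strings and the `(address, value, confirmations)` tuples standing in for what a node or block explorer would report are all assumptions.

```python
from dataclasses import dataclass, field

LOW_WATERMARK = 1_000  # refill threshold from the post ("< 1k addresses")

@dataclass
class SellerPool:
    unused: list = field(default_factory=list)  # addresses supplied by the seller
    seen: set = field(default_factory=set)      # every address ever accepted
    orders: dict = field(default_factory=dict)  # address -> (order_id, amount_sat)

    def refill(self, batch):
        """Accept a seller batch; skip duplicates and already-issued addresses."""
        fresh = [a for a in dict.fromkeys(batch) if a not in self.seen]
        self.seen.update(fresh)
        self.unused.extend(fresh)
        return len(fresh)

    def allocate(self, order_id, amount_sat):
        """Hand out one address; it counts as used even if the buyer never pays."""
        if not self.unused:
            raise RuntimeError("address pool exhausted; request a new batch")
        addr = self.unused.pop(0)
        self.orders[addr] = (order_id, amount_sat)
        return addr

    def needs_refill(self):
        return len(self.unused) < LOW_WATERMARK

    def check_payments(self, outputs, min_conf=1):
        """Map each order to paid / underpaid / unpaid from observed outputs."""
        received = {}
        for addr, value_sat, conf in outputs:
            if addr in self.orders and conf >= min_conf:
                received[addr] = received.get(addr, 0) + value_sat
        status = {}
        for addr, (order_id, due) in self.orders.items():
            got = received.get(addr, 0)
            status[order_id] = "paid" if got >= due else ("underpaid" if got else "unpaid")
        return status

def demo():
    pool = SellerPool()
    pool.refill([f"seller-x-addr-{i:04d}" for i in range(3)])  # constructed placeholders
    a1 = pool.allocate("order-1", 200_000)  # 0.002 BTC expressed in satoshis
    a2 = pool.allocate("order-2", 200_000)
    a3 = pool.allocate("order-3", 200_000)
    pool.refill(["seller-x-addr-0000", "seller-x-addr-0003"])  # first one is a repeat
    # Constructed observations: (address, value in satoshis, confirmations)
    chain = [(a1, 200_000, 3), (a2, 150_000, 1), (a3, 200_000, 0), ("unrelated", 200_000, 6)]
    return pool.check_payments(chain), len(pool.unused), pool.needs_refill()
```

Because each address maps to exactly one order, a payment to an address nobody was given, or one with too few confirmations, never marks an order as paid.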
newbie
Activity: 8
Merit: 6
You can also ask the seller for their xpub key and use it to derive a fresh payment address for each individual sale.
I didn't know about xpub key, thanks. But after some research, it seems that it's not a good idea to share your xpub key, so I can't really ask this from my sellers.

One should always create a new receiving address. For each transaction.
I cannot ask the sellers to change their receiving address by themselves, after each sale, this makes no sense.. Imagine there are 3 sales within one minute for example.
legendary
Activity: 1624
Merit: 2481
I cannot ask the seller to update his receiving address after each sale, that would be way too cumbersome.

Actually that's the way it is supposed to be.

One should always create a new receiving address. For each transaction.
This is done to increase the privacy and reduce the possible information leak (who sent how much to person X).

Generating addresses is not a problem at all. That's basically just increasing a counter and doing some small calculation.
Wallets do that automatically already. And so do most merchants.
legendary
Activity: 3122
Merit: 2178
So if I understand properly, the "correct" way of doing such transactions (in a way that it's not too hard for both parties), is really to ask the seller to send the money to one of my addresses, and then forward the amount to the seller.

Thanks for your help.

Not necessarily.

You can also ask the seller for their xpub key and use it to derive a fresh payment address for each individual sale. This way the seller retains full control over their private keys and you can both generate and monitor payment addresses.

Essentially you'd have a watch-only wallet while the seller stays in full control of their funds.
newbie
Activity: 8
Merit: 6
So if I understand properly, the "correct" way of doing such transactions (in a way that it's not too hard for both parties), is really to ask the seller to send the money to one of my addresses, and then forward the amount to the seller.

Thanks for your help.
legendary
Activity: 2268
Merit: 18771
Should I, for example, ask the buyer to make the payment using his favorite wallet, then copy/paste the transaction id on my website so I can validate it using the blockchain?
No, this is not a great option.

Anyone who knows the seller's address (which includes all your potential customers) can look up that address on the blockchain and see all incoming transactions. A fraudster/scammer could therefore see someone else's payment and claim it as their own. As mentioned above, the only way to resolve a situation like this would be to have the users sign a message from the address to prove ownership.

Signing a message is a special function of bitcoin which uses your private key and a message of your choice to generate a unique signature. Other users can verify this signature, which proves to them you have ownership of the associated address. The issue with using this method is that it is time consuming for both buyer and seller, many buyers may not know how to sign a message, and not all wallets (particularly web wallets and exchanges) have this functionality at all, leaving you caught in limbo.
legendary
Activity: 3038
Merit: 4418
(I just read your last paragraph) What kind of "message" are you talking about? A message on my website? A message somewhere on the blockchain?
Signing a message means that both the sender and the receiver will sign a message respectively using their ECDSA private key. For example, if they sign a message stating:
"XX is in control of ADDRESS", you will know that XX has the private key since it won't validate unless it has been signed with the private key that corresponds to the address. Thus, you will be able to tell if the transaction has really occurred if there is a transaction between the two addresses.



Address reuse is not bad, per se, but it would decrease their privacy. It is advisable for the seller to be able to generate a separate address for each transaction anyway. If all else fails, you can ask the seller to get the buyer to send Bitcoins at specific amounts, (0.00201928 vs 0.00201900) for example. The downside is that the seller has to update you about the amount of Bitcoins that will be sent by each buyer.
newbie
Activity: 8
Merit: 6
and assuming that they are using new addresses for each payment
That would work if I could generate new addresses for the seller by myself! But I guess this is not possible...

I cannot ask the seller to update his receiving address after each sale, that would be way too cumbersome.
staff
Activity: 3458
Merit: 6793
Just writing some code
Knowing the receiving address is trivial since I would display the associated QR Code on my website.

I guess the issue is to know the transaction id when a sale is made, so I can validate it!
If you know the receiving address the seller is using, and assuming that they are using new addresses for each payment, you can watch the Bitcoin network for any transactions that send to that address. If the seller is using unique addresses, then once you see a transaction sending Bitcoin to that address, you will know that the seller has paid. This is what the seller's Bitcoin wallet is doing in order to show the seller his transactions and Bitcoin.
newbie
Activity: 8
Merit: 6
Thanks for the reply achow101!

Knowing the receiving address is trivial since I would display the associated QR Code on my website.

I guess the issue is to know the transaction id when a sale is made, so I can validate it!

Should I, for example, ask the buyer to make the payment using his favorite wallet, then copy/paste the transaction id on my website so I can validate it using the blockchain?

Is this something websites/apps do? Ask the buyer to provide the transaction id?

-----

(I just read your last paragraph) What kind of "message" are you talking about? A message on my website? A message somewhere on the blockchain?
staff
Activity: 3458
Merit: 6793
Just writing some code
All Bitcoin transactions are public information and are stored permanently in the blockchain. This means that if you are running a Bitcoin node, you can look up any confirmed transaction. This means that you can lookup the transaction on any blockchain explorer. There is no difference between you depositing Bitcoin in an exchange or you paying someone else - they are both Bitcoin transactions and will be available on the blockchain.

The main issue is really proving that a particular transaction was actually made or received by a particular person. You would have to know which transaction inputs are that user's in order to know whether a transaction was made by them. You would also have to know what the receiver's addresses are in order to know whether a transaction actually paid the receiver. That is much more difficult to do if they can lie.

One way would be to have both the sender and the receiver sign a unique message with the private keys that are associated with their Bitcoin (for the sender) or their receiving addresses (sender). This would prove that both the sender and receiver have access to the private keys involved in the transaction. All together, this would make it highly likely that the sender actually made the transaction, and the receiver was actually a recipient.
newbie
Activity: 8
Merit: 6
Hi,

I'm new to the Bitcoin protocol.
So please forgive this newbie question.

I'd like to know if, without providing some kind of "escrow wallet", an intermediary can know if a buyer has actually sent an amount of money to another user? If the buyer and/or seller do provide some required information?

For example a buyer goes to my website where the QR Code of a Bitcoin address from a seller is directly displayed. The buyer buys something costing 0.002 Bitcoins from that seller... Is there a way for the buyer and/or the seller to provide me a way to make sure the transaction actually occurred or not?

I know most intermediaries, such as exchanges, require you to first deposit money on a special wallet on their side so they can validate your transactions. But is such validation possible when a direct transfer is made from a buyer to a seller? Again, if both parties do agree for the transaction to be validated?

I could of course ask the seller to confirm that he has received the money... But I would prefer something more robust, something that would protect the buyer too.

Thanks in advance for any tips, links or articles!