Topic: Buyer-Seller Escrow Transactions (with or without 3rd-party) - page 2. (Read 12264 times)

Gavin, I totally agree with you if it were possible.  But so far I'm not seeing how.  The locktime/replacement stuff is promising, but it doesn't answer the question of how to deal with it now.  It would probably be a long time before we could test it enough and roll it out.  Which is why I don't feel bad that I don't understand it too well... I have time.

As far as I can tell, even locked transactions are final, it's just that the outputs can't be spent until the lock time.  This means that once any such transaction hits the network, one party will get the money in the future if they just disappear and do nothing else.  And because it's final and in the blockchain, there's nothing else you can do to divert it. Obviously, we want to avoid that situation.  But I'm not seeing many other ways with the tools we have (besides keeping third-parties in the loop)

Hi etothepi,

Thanks for the post, it's very clear to me now. I deleted my post because was not sane.

My fear with both buyer and seller pay charge fee is that this could estimulate a market where bad people linked in any way with
 malicious third party services could realize escrows with the only purpose to generate a dispute and profit with it.

Third party service:
 1- Decide in correct way who win. (So will have good reputation).
2- Refund the bad person.
3- Profit from the good person

I think it is really important that the bitcoins involved in failed escrows not be destroyed, but EVENTUALLY make their way back into the economy.

So I'd really like to see network and client support for having both people pre-sign and hold on to a transaction with a far-in-the-future lockTime (maybe as a fee-only transaction).

ACK: I was responding to a message from teste... but those disappeared...  here was my response to his now-missing message

You guys are missing the point of 2-of-3 transactions, which was the whole point of P2SH/BIP16:  there are X coins held up in a 2-of-3 transaction.  It means that in order for those coins to be used as input for a new transaction, that transaction must have the signatures of 2 of the 3 parties.  Any party can propose how to distribute the funds however the heck they want, but they can't make it happen unless they get one other party to sign it.  

Let me say that in another way:  No one party has any control over the money whatsoever.  

-- The third-party can't "run with the money," because it would require transferring 100% of that 2-of-3 output to their own address, and neither Alice nor Bob would ever sign that transaction.  
-- Alice could decide he deserves a refund, but he can't execute it without getting Bob's signature (when he agrees that there was a problem with the shipment and he needs to be refunded), or getting the third-party signature (after it arbitrates and decides that Alice deserves a refund).  
-- Alice and Bob are both understanding people and recognize they both f***ed up and they should split the money:  that works too!  They create a tx spending 28 BTC, and sending 14 BTC to each of them (and the third party wasn't even necessary).

In all cases: the Bitcoin network is acting as an escrow service -- and it's conditions are release are: "Wait for further instructions that are agreed upon by any two of these three people."  

BTW: I'm not proposing that this is the only way to escrow in the BTC network.  I would like to see some kind of time-locked tx that prevents laziness, and doesn't give one party too much power.  But I don't know how it can be done when tx-replacement isn't enabled on the network.

You're missing the point.  People buy stuff all the time, from other people they don't trust over the internet.  But for many transactions, they do it anyway, and just hope they don't get screwed.  This system makes it an order-of-magnitude safer to conduct these transactions.  No one gets any money (or gets their risk deposits back) until both parties agree.  Both parties have an incentive to complete the transaction smoothly and without issue.  It means that the seller can't send some super-shitty/incomplete product to the buyer knowing that he's already got the buyer's money.  The buyer doesn't have to send money to some random person on the internet hoping that he's going to ship some potentially-imaginary product.



You've missed a critical distinction here:  there's a difference between "escrow" and "third-party arbitration."  The escrow simply means that the money is held by a third-party that has no partiality towards either of the first two parties, and that there is an explicit agreement about the conditions under which the money will be released.  "Arbitration" means that the third party gets involved to solve a dispute, which may involve contacting both parties, and sorting out semi-truths to find out who the money should go to.  Typically, third-parties serve both roles.

In this case, the bitcoin network can be that third party escrow -- it is holding onto money for the two parties, and has instructions to release it only when there is a distribution agreement (spend tx) that is signed by both parties.  You're right, the network can't arbitrate it: but it can be trusted to be impartial and not steal the escrow fund.

In many cases, especially early in the multi-sig world, there may not be good third-party services that both parties agree on.  In that case, I'd prefer to use the network for escrow alone, than trust that some third-party the seller is recommending is truly impartial (super-common escrow fraud).  

As I said before:
(1) I only recommened this for small transactions, in which case the third-party arbitration may be more expensive than the transaction itself.  In lots of standard transactions, it doesn't even make sense to have a third-party, does that mean that we shouldn't bother at all?
(2) When neither party gets the money, they will (usually) find a way to agreeably resolve their own dispute so that the money does get unlocked.

The seller, who passes those fees onto the consumer either by higher S&H or by higher prices overall.


I don't see how that solves anything. If Alice wants to buy something from Bob for 10BTC, and Alice doesn't trust Bob to deliver and Bob doesn't trust Alice to pay, how does "the network" decide if Bob has delivered or not to know whether to sent the money to Alice or Bob? If Alice is "lazy", then Bob might have to wait until the contract n-locktime expires to get his money, which might be a long time. Worst case if the tx can't be finished without both parties signing it, then if Alice is lazy Bob might never get his money, and if Bob is crooked then Alice can't get her money back.


If you've figured out some magical way to do escrow without a trusted third party to settle disputes, I'd love to hear it, but it seems technically impossible to me. As I mentioned the best you're likely to do is to lock the money up on the blockchain so your third party doesn't need to be trusted to hold it, just to release it to the deserving party. That's really not much better than what's possible now, although it might streamline things a bit.

The problem is, I don't think Gavin's proposal works.  His proposal relies on transaction replacement, which is not enabled on the network, and he admitted that he made an erroneous assumption about the way locked transactions work.   Specifically, Alice can get Bob to put the 20 BTC into one of these transactions, and then Alice just disappears without doing anything -- then after 30 days she gets the money.  Gavin had assumed that Bob can replace the transaction, but I don't think it's feasible (at least not without setting up an explicit agreement with a miner, which is way beyond usable in this case).  EDIT: and even then, I think the locked tx technically goes into the blockchain, so it couldn't be pre-spent even with a miner's help -- it would be final.

However, if an alternative can be made to work with existing, enabled features of the network, I'm open to it.

Gavin proposal has something like:  if Alice is lazy for 30 days, it's the same of ok/agree

Etotheipi: what about your proposal?

It's not so clear cut who pays for overhead fees.  If you consider credit cards, it's always been the seller.  If it's PayPal transfers, again it's the seller.  Why not here, too?

In the case of Bitcoin, the network can be the third party.  That's what the 2-of-2 version is:  both parties agree on the terms (that only further agreement from both parties will be accepted) and the network holds it until they're ready for disbursement.  Of course, even with good intentions, the death of one party or HDD failure could lead to un-recoverable funds -- which is why I wouldn't recommend it for any substantial value.  But if you're purchasing something for under $100, I think it's acceptable (and third-parties may not want to deal with small tx, anyway).

I highly recommend third-parties, but I think it should be possible not to use them.  And people who use silk-road would probably agree with me (though I am making no formal endorsement of silk road or drugs in general:  just an example of where executing transactions between untrusted parties may be desirable without a third party).

Plus, the benefit of using 2-of-3 is that there's a lower threshold of trust needed for the third-party -- there is no risk that they take the bitcoins and run.  They'd have to collude with the one of the parties to do that.  All that matters is that they are impartial to the two parties involved.

Whatever overhead fees are incurred are on the buyer, who is asking for the service. I don't think it's possible to do escrow without a third party, at least not one which would be acceptable to both involved parties. The best you could do would be to store the deposited money to a "virtual address" on the blockchain so that your third party can't just steal the money (unless he's already in collaboration with the seller).

On the other hand, for a proxy-seller like bitmit it might make more sense to escrow the money to a proxy account so that the proxy service can collect their fees as well as guarantee their own buyers against seller abuse. Escrow can't work without at least one trusted third party anyway, which is why amazon is so successful, since customers know they can get their money back most of the time even with an unrated seller.

I prefer punish only the "loser"

Question: What about add an option to let users choose if only the "loser" is punished with the third party service fee or the two parts (seller and buyer)

I have posted a complete first-draft of how I would implement buyer-seller escrow if I had to do it right now in Armory.

https://gist.github.com/2305966

Luckily, I'm not doing it right now, and I think this could use some improvement & optimization.   I'll leave the bulk of the content on the gist page, but I have copied the "Things to ponder further..." section below:

• Someone had brought up the possibility that only the "loser" of the arbitration should pay, and the "winner" would get their risk deposit back. I'm not entirely sure I agree with this...
• If we can't use SIGHASH_ANYONECANPAY, then one party would have to supply the other party with an appropriate sized set of inputs and a change address, so that the other party can construct the entire transaction before signing. It may require an extra half-step, but also may not be too bad if this step is executed by software, anyway -- it's already producing a PubKeyB to send to Alice... it might as well also figure out an appropriate set of inputs and change address and forward that on. On the other hand, if the tx never executes, Bob just revealed some of his funds to Alice.
• Second-half tx fee could be included on the original amount: commit 28.01 BTC to the 2-of-3 to make sure you don't need extra inputs later just to pay it.
• Client software could integrate third-party services -- so the retrieval and verification steps for third-party, Charles, could be done in the software for you. This may be especially important, because if you do a lot of purchasing online, you may need to advance-register with the third party so that they know who to contact during arbitration...
  Message signing may become important here, especially for third-parties...
• In direct response to Gavin suggesting that "risk deposits" are awkward and confusing: I don't see a way without it. If Bob doesn't have a risk deposit, he has no incentive to complete the transaction after he receives the merchandise (besides being a good person). If Alice isn't required to put in a risk deposit -- she could have Bob create the 2-of-3 transaction (or 2-of-2!) with her address, and then she backs out and leaves the money stranded. Then Bob will have to pay Charles to help unlock the money. Or if it's a 2-of-2 -- it's just locked forever.
• This process is complicated, but half of it is under the hood. A lot of it can be automated with a "simple" set of options and a well-thought-out interface.
• I think the number one priority to optimize is simplicity/usability at the UI.  I don't mind complicating stuff under the hood a bit to make it easier on the user.  But I do require a solution that would work without relying on third-party services being available (I think the solution should work for 2-of-2 tx, as well, and let users eat the risk of small tx getting locked).