Bitcoin Forum
September 17, 2019, 05:24:35 AM *
News: If you like a topic and you see an orange "bump" link, click it. More info.
 
   Home   Help Search Login Register More  
Pages: [1]
  Print  
Author Topic: As a intermediary/third-party, can I validate if a transaction occured?  (Read 199 times)
troumla
Newbie
*
Offline Offline

Activity: 8
Merit: 6


View Profile
July 09, 2019, 12:20:15 AM
Merited by LoyceV (1), o_e_l_e_o (1)
 #1

Hi,

I'm new to the Bitcoin protocole.
So please forgive this newbie question.

I'd like to know if, without providing some kind of "escrow wallet", a intermediary can know if a buyer has actually send an amount of money to another user? If the buyer and/or seller do provide some required information?

For example a buyer goes to my website where is directly displayed the QR Code of a Bitcoin address from a seller. The buyer buys something costing 0.002 Bitcoins from that seller... Is there a way for the buyer and/or the seller to provide me a way to make sure the transaction actually occured or not?

I know most intermediaries, such as exchanges, require you to first deposite money on a special wallet on their side so they can validate your transactions. But is such validation possible when a direct tranfert is made from a buyer to a seller? Again, if both parties do agree for the transaction to be validated?

I could of course ask the seller to confirm that he has received the money... But I would prefere something more robust, something that would protect the buyer too.

Thanks in advance for any tips, links or articles!
1568697875
Hero Member
*
Offline Offline

Posts: 1568697875

View Profile Personal Message (Offline)

Ignore
1568697875
Reply with quote  #2

1568697875
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
achow101
Moderator
Legendary
*
expert
Offline Offline

Activity: 1890
Merit: 2736


bc1qshxkrpe4arppq89fpzm6c0tpdvx5cfkve2c8kl


View Profile WWW
July 09, 2019, 12:27:20 AM
Merited by Foxpup (4), ETFbitcoin (1), LoyceV (1)
 #2

All Bitcoin transactions are public information and are stored permanently in the blockchain. This means that if you are running a Bitcoin node, you can look up any confirmed transaction. This means that you can lookup the transaction on any blockchain explorer. There is no difference between you depositing Bitcoin in an exchange or you paying someone else - they are both Bitcoin transactions and will be available on the blockchain.

The main issue is really proving that a particular transaction was actually made or received by a particular person. You would have to know which transaction inputs are that user's in order to know whether a transaction was made by them. You would also have to know what the receiver's addresses are in order to know whether a transaction actually paid the receiver. That is much more difficult to do if they can lie.

One way would be to have both the sender and the receiver sign a unique message with the private keys that are associated with their Bitcoin (for the sender) or their receiving addresses (sender). This would prove that both the sender and receiver have access to the private keys involved in the transaction. All together, this would make it highly likely that the sender actually made the transaction, and the receiver was actually a recipient.

troumla
Newbie
*
Offline Offline

Activity: 8
Merit: 6


View Profile
July 09, 2019, 12:33:54 AM
 #3

Thanks for the reply achow101!

Knowing the receiving address is trivial since I would display the associated QR Code on my website.

I guess the issue is to know the transaction id when a sell is made, so I can validate it!

Should I, for example, ask the buyer to make the payment using his favorite wallet, then copy/paste the transaction id on my website so I can validate it using the blockchain?

Is this something websites/apps do? Ask the buyer to provide the transaction id?

-----

(I juste read your last paragraph) What kind of "message" are you talking about? A message on my website? A message somewhere on the blockchain?
achow101
Moderator
Legendary
*
expert
Offline Offline

Activity: 1890
Merit: 2736


bc1qshxkrpe4arppq89fpzm6c0tpdvx5cfkve2c8kl


View Profile WWW
July 09, 2019, 12:39:16 AM
 #4

Knowing the receiving address is trivial since I would display the associated QR Code on my website.

I guess the issue is to know the transaction id when a sell is made, so I can validate it!
If you know the receiving address the seller is using, and assuming that they are using new addresses for each payment, you can watch the Bitcoin network for any transactions that send to that address. If the seller is using unique addresses, then once you see a transaction sending Bitcoin to that address, you will know that the seller has paid. This is what the seller's Bitcoin wallet is doing in order to show the seller his transactions and Bitcoin.

troumla
Newbie
*
Offline Offline

Activity: 8
Merit: 6


View Profile
July 09, 2019, 12:49:43 AM
 #5

and assuming that they are using new addresses for each payment
That would work if I could generate new addresses for the seller by myself! But I guess this is not possible...

I cannot ask the seller to update his receiving address after each sell, that would be way too cumbersome.
ranochigo
Legendary
*
Offline Offline

Activity: 1778
Merit: 1180

Somewhat inactive.


View Profile WWW
July 09, 2019, 12:44:34 PM
 #6

(I juste read your last paragraph) What kind of "message" are you talking about? A message on my website? A message somewhere on the
blockchain?
Signing a message means that both the sender and the receiver will sign a message respectively using their ECDSA private key. For example, if they sign a message stating:
"XX is in control of ADDRESS", you will know that XX has the private key since it won't validate unless it has been signed with the private key that corresponds to the address. Thus, you will be able to tell if the transaction has really occurred if there is a transaction between the two addresses.



Address reuse is not bad, per se but it would decrease on their privacy. It is advisable for the seller to be able to generate a separate address for each transaction anyways. If all else fails, you can ask the seller to get the buyer to send Bitcoins at specific amounts, (0.00201928 vs 0.00201900) for example. The downside is that the seller has to update you about the amount of Bitcoins that will be sent by each buyer.

o_e_l_e_o
Hero Member
*****
Offline Offline

Activity: 686
Merit: 2720



View Profile
July 09, 2019, 12:52:36 PM
 #7

Should I, for example, ask the buyer to make the payment using his favorite wallet, then copy/paste the transaction id on my website so I can validate it using the blockchain?
No, this is not a great option.

Anyone who knows the seller's address (which includes all your potential customers) can look up that address on the blockchain and see all incoming transactions. A fraudster/scammer could therefore see someone else's payment and claim it as their own. As mentioned above, the only way to resolve a situation like this would be to have the users sign a message from the address to prove ownership.

Signing a message is a special function of bitcoin which uses your private key and a message of your choice to generate an unique signature. Other users can verify this signature, which proves to them you have ownership of the associated address. The issue with using this method is that it is time consuming for both buyer and seller, many buyers may not know how to sign a message, and not all wallets (particularly web wallets and exchanges) have this functionality at all, leaving you caught in limbo.

troumla
Newbie
*
Offline Offline

Activity: 8
Merit: 6


View Profile
July 09, 2019, 03:57:18 PM
 #8

So if I understand properly, the "correct" way of doing such transactions (in a way that it's not too hard for both parties), is really to ask the seller to send the money to one of my address, and then forward the amount to the seller.

Thanks for your help.
HeRetiK
Legendary
*
Offline Offline

Activity: 1232
Merit: 1118


the forkings will continue until morale improves


View Profile
July 10, 2019, 12:38:41 PM
Merited by ranochigo (2)
 #9

So if I understand properly, the "correct" way of doing such transactions (in a way that it's not too hard for both parties), is really to ask the seller to send the money to one of my address, and then forward the amount to the seller.

Thanks for your help.

Not necessarily.

You can also ask the seller for their xpub key and use it to derive a fresh payment address for each individual sale. This way the seller retains full control over their private keys and you can both generate and monitor payment addresses.

Essentially you'd have a watch-only wallet while the seller stays in full control of their funds.

bob123
Legendary
*
Offline Offline

Activity: 1022
Merit: 1506



View Profile WWW
July 10, 2019, 12:46:05 PM
 #10

I cannot ask the seller to update his receiving address after each sell, that would be way too cumbersome.

Actually that's the way it is supposed to be.

One should always create a new receiving address. For each transaction.
This is done to increase the privacy and reduce the possible information leak (who sent how much to person X).

Generating addresses is not a problem at all. That's basically just increasing a counter and doing some small calculation.
Wallets do that automatically already. And so do most merchants.

troumla
Newbie
*
Offline Offline

Activity: 8
Merit: 6


View Profile
July 10, 2019, 08:46:01 PM
 #11

You can also ask the seller for their xpub key and use it to derive a fresh payment address for each individual sale.
I didn't know about xpub key, thanks. But after some researches, it seems that it's not a good idea to share your xpub key, so I can't really ask this from my sellers.

One should always create a new receiving address. For each transaction.
I cannot ask the sellers to change their receiveing address by themselves, after each sell, this makes no sense.. Imagine there are 3 sales within one minute for example.
bob123
Legendary
*
Offline Offline

Activity: 1022
Merit: 1506



View Profile WWW
July 11, 2019, 07:30:17 AM
Merited by ETFbitcoin (1)
 #12

I cannot ask the sellers to change their receiveing address by themselves, after each sell, this makes no sense.. Imagine there are 3 sales within one minute for example.

Actually, you can.
And it is the best way to accomplish what you are trying to do.

If you are some kind of intermediary (without direct connection to the sellers server via an API etc.), you would request your seller to give you 10k addresses of them (generating them doesn't take more than a few seconds).
Then each time a customer wants to buy something from seller X, you give them an unused address of seller X. Once you hand out this address, regard it as 'used'. Even if the buyer doesn't actually buy something.

By giving each deal (customer Y buys from seller X) an unique address, it is way easier for everyone to check whether the transaction occurred and whether the amount is correct.

Once the address pool is 'low' (e.g. < 1k addresses), you request another 10k addresses.



However, if you as an intermediary are needed and don't want to regularly stay in contact with your sellers regarding addresses, using an xpub is probably the best option.
At least if a lot of sales are happening and refilling address pool would have to be done quite often.

Why exactly do you think it is not a 'good idea' for them to share their xpub with you ?

HeRetiK
Legendary
*
Offline Offline

Activity: 1232
Merit: 1118


the forkings will continue until morale improves


View Profile
July 11, 2019, 07:40:44 AM
Merited by ETFbitcoin (1)
 #13

You can also ask the seller for their xpub key and use it to derive a fresh payment address for each individual sale.
I didn't know about xpub key, thanks. But after some researches, it seems that it's not a good idea to share your xpub key, so I can't really ask this from my sellers.

There's 2 risks involved when sharing your xpub key:
1) Whoever has access to the xpub key can track your transactions
2) Whoever has access to the xpub key and to the private key of one of its derived addresses can derive the private keys of its other addresses as well

(1) is precisely what you want to achieve, (2) should not happen as long as the seller keeps their private keys safe -- apart from very special scenarios where they explicitely export a single private key usually either all their private keys are safe or none of them are; regardless of whether they shared the xpub key.

So while you shouldn't share your xpub key with random strangers on the internet, the scenario that you describe would be a typical use case for it.


Alternatively, if you don't feel comfortable with asking sellers for the xpub key, you could also have them send you new addresses in batches. Having them send you e.g. 100 addresses a month would still be less cumbersome than them sending you a new address 3 times a day. Not optimal, yes, but unfortunately as far as non-custodial address generation goes you can't do much better than using the xpub key.

bob123
Legendary
*
Offline Offline

Activity: 1022
Merit: 1506



View Profile WWW
July 11, 2019, 07:49:55 AM
 #14

1) Whoever has access to the xpub key can track your transactions

If OP is an intermediary, he already can track all transactions.
If the seller only creates this particular wallet for selling stuff on his website, that's not an issue at all.



2) Whoever has access to the xpub key and to the private key of one of its derived addresses can derive the private keys of its other addresses as well

This only applies to unhardened derivation paths, but not to hardened ones.

If OP simply uses a hardened derivation path (which is standard in most - if not all - wallets), this is not an issue either.



Therefore.. OP.. what is the reason you think using the xpub is a bad idea ?

troumla
Newbie
*
Offline Offline

Activity: 8
Merit: 6


View Profile
July 11, 2019, 11:52:28 AM
Merited by DarkStar_ (4)
 #15

Therefore.. OP.. what is the reason you think using the xpub is a bad idea ?
For the reasons cited by HeRetiK. I searched for "bitcoin xpub key" and some of the first results warn about sharing it.

I agree that asking the seller to share his xpub key shoudn't be an issue if a wallet specifically made for my website has been created by him.

Asking for a batch of pre-created addresses also looks to me as a viable idea.

I may even give the choice of the method to the seller...

Thanks for those ideas!
Pages: [1]
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!