Bitcoin Forum
July 12, 2026, 03:27:53 PM *
News: Latest Bitcoin Core release: 31.1 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1]
  Print  
Author Topic: XMREscrow - White Paper  (Read 33 times)
xmrescrow (OP)
Newbie
*
Offline

Activity: 3
Merit: 0


View Profile
July 06, 2026, 10:13:11 PM
 #1

*Monero-only, operator-mediated escrow for private peer-to-peer trades.*
Version 1.0 · Covers service v1.0.9-beta

---

## 1. The problem

Peer-to-peer Monero trades have no safety net. When two strangers agree an OTC or P2P deal, one side has to move first - and whoever moves first can be scammed. The buyer who pays up front risks getting nothing; the seller who ships first risks never being paid.

The usual fixes don't fit privacy-focused traders:

- **Centralized exchanges and marketplaces** require accounts, identity verification (KYC), and often ban Monero outright. They also see every trade.
- **Multisig wallets** are trustless but hard to use correctly. Coordinating a 2-of-3 wallet, exchanging keys, and constructing partially-signed transactions is beyond most traders and error-prone even for experts. Monero multisig has historically been fragile.
- **"Just trust each other"** works until it doesn't.

XMREscrow fills the gap between "too hard" (multisig) and "too exposed" (KYC platforms): a simple, no-account escrow that holds funds during a trade and releases them when both sides are satisfied - with a dispute path if they aren't.

## 2. How it works (in plain terms)

1. Two traders agree a deal and open an escrow. No account, no email, no KYC.
2. The buyer sends Monero to the escrow's deposit address.
3. Once the deposit confirms, the seller delivers.
4. The buyer releases the funds to the seller.
5. If something goes wrong, either party opens a dispute and the operator adjudicates.

Each escrow is reachable by a private link. There are no usernames, no login, and no profile tying trades to a person.

## 3. The trust model - stated honestly

**XMREscrow is a *trusted-operator* escrow, not a trustless one.** This is the single most important thing to understand, and we state it plainly rather than dress it up.

During an active escrow, the operator has technical custody of the deposited funds and is the party who resolves disputes. That means:

- You are trusting the operator to release funds correctly and to adjudicate disputes fairly.
- You are trusting the operator's infrastructure to stay secure and available.

This is a real trust assumption. It is the same assumption you make with any human escrow agent, lawyer's trust account, or marketplace escrow - but it is a trust assumption, and multisig does not require it.

We believe the honest response to this is **verifiability, not marketing claims**. Rather than ask you to "trust us," XMREscrow publishes the tools to hold the operator accountable:

- **Public PGP identity** (fingerprint `CD37A31282542C2ACE91FED3A345CD6C2674D00A`) so every official statement can be signed and verified.
- **Warrant canary**, updated on a schedule, so its absence is itself a signal.
- **`/solvency` and `/status` endpoints** so anyone can check the service is live and funds are accounted for.
- **Published Terms of Service and dispute policy** so the rules are the same for everyone.
- **A public track record** via signed version updates and transparent changelogs.

Trust is earned through consistent, verifiable behavior over time. The design goal is to make dishonesty detectable.

## 4. Privacy architecture

XMREscrow is built to collect as little as possible and expose nothing unnecessary:

- **Monero-only.** Every leg of every trade uses XMR, whose ring signatures, stealth addresses, and confidential amounts hide sender, receiver, and value by default.
- **Tor-native.** The service runs as a Tor onion service (`xmrescrobcw33cnm5ajyzn5xaqr5vkdsqxmptc55plgvxsnqybmhszqd.onion`), so users never need to reveal an IP address. A clearnet mirror exists for convenience with an `Onion-Location` header pointing to the onion.
- **No accounts, no KYC, no email.** Nothing to breach, subpoena, or leak, because it is never collected.
- **Zero JavaScript on public pages.** No client-side scripts means no fingerprinting surface, no tracking, and full functionality in the hardened "Safest" Tor Browser setting. Clipboard copy, fee calculation, and toggles are done with pure HTML/CSS and server-side logic.
- **"Invisible" escrows.** An optional mode where the escrow leaves no operator-visible description of what is being traded.
- **Minimal, expiring sessions.** Strict same-site, short-lived sessions; escrows auto-expire.
- **10-language interface** so privacy isn't limited to English speakers.

Privacy here is a *default*, not a setting you have to find.

## 5. Operator verification

Because this is a trusted-operator model, verifying who you're dealing with matters. Every official XMREscrow channel is cross-linked and PGP-anchored:

- **PGP fingerprint:** `CD37A31282542C2ACE91FED3A345CD6C2674D00A` (published at `/pgp.txt` and mirrored in every social bio).
- **X:** @xmrescrow · **Telegram:** @escro / @nonnegotiable · **XMPP:** xmrescrow@conversations.im
- **Warrant canary** and **signed announcements** for anything material.

If a message claims to be from XMREscrow but isn't signed by that key, treat it as an impostor.

## 6. Fee structure

- **Fee:** configurable, currently **2.5%** of the escrow amount.
- **Minimum:** currently **$3 equivalent** (in XMR) per escrow, so tiny trades stay viable while the service stays sustainable.
- **Referral codes** allow partners to offer reduced fees or share revenue via admin-set overrides.
- **Caps:** hard minimum and maximum escrow amounts are enforced to prevent mistakes and abuse.

Fees fund the infrastructure, dispute handling, and continued development. No hidden charges; the fee is shown before you commit via a server-side fee calculator.

## 7. How XMREscrow compares

| | XMREscrow | Monero multisig (2-of-3) | Centralized / KYC escrow |
|---|---|---|---|
| **Trust model** | Trusted operator, verifiable behavior | Trustless (cryptographic) | Trusted operator + custodian |
| **Ease of use** | High - a link, no setup | Low - key exchange, PSTs, fragile tooling | Medium |
| **Account / KYC** | None | None | Required |
| **Dispute resolution** | Operator adjudicates | Whoever holds the tie-breaking key | Platform staff |
| **Privacy** | Monero + Tor + no logs | Monero, but coordination leaks metadata | Usually poor; full visibility |
| **Availability of funds if operator vanishes** | At risk (custodial) | Not at risk | At risk |
| **Best for** | Fast, simple private trades | Users who can run multisig correctly and want zero custody | Users who accept KYC for recourse |

**The honest summary:** if you can run Monero multisig correctly and want no custodial risk, do that — it's cryptographically stronger. XMREscrow exists for the large majority of trades where multisig is impractical and KYC platforms are unacceptable, offering a usable middle path with the trust made as transparent and accountable as possible.

## 8. Design principles

- **Radical transparency** about the trust model as a credibility asset, not a liability.
- **Collect nothing you don't need.**
- **Make dishonesty detectable** through cryptographic identity and public status.
- **Privacy by default**, usability without compromise.

---

*This document describes the service as of v1.0.9-beta and may be updated. Verify the current version and any official statement against the PGP key above. XMREscrow is a tool for private peer-to-peer trading; users are responsible for complying with the laws that apply to them.*
xmrescrow (OP)
Newbie
*
Offline

Activity: 3
Merit: 0


View Profile
July 06, 2026, 10:36:43 PM
 #2

Yes used AI to fix my writing/formatting for a more professional layout. Tend to be all over the place with stuff im passionate about.
The website was developed by me and me only over the passed couple months. everything hosted on my own HW with a priority focus on privacy.
All feedback is noted, Id like to create a good product
xmrescrow (OP)
Newbie
*
Offline

Activity: 3
Merit: 0


View Profile
July 09, 2026, 02:22:16 AM
 #3

Two days of heavy work across the stack. Highlights:

Security & correctness — Completed a full audit of the escrow money-movement flow. Every fund-moving path (release, refund) is now fully atomic and protected against duplicate-submission edge cases. CSRF coverage extended to every state-changing action. Address validation now verifies directly against the Monero wallet instead of surface-level checks. Refund logic corrected so cancelled escrows return the full deposited amount — no fee on refunds, you only pay on a completed release.

New: buyer refund addresses — Buyers can now optionally set a refund address directly from their escrow link. If the operator refunds a disputed or cancelled escrow, funds return there automatically and the refund TX is shown on-chain to verify. Buyers still cannot move funds themselves — refunds remain operator-reviewed, which protects both parties.

Reliability — Migrated clearnet routing to an architecture that no longer depends on home-network port forwarding, eliminating a whole class of outages. Router reboots and ISP hiccups no longer take the site down. Monitoring now covers every service including listener-level health.

Backups — Daily integrity-checked DB backups plus encrypted disaster-recovery bundles, verified restorable.

Roadmap — Researching an optional 2/3 multisig mode for higher-value deals, for users comfortable running Monero wallet software. Given Monero multisig's complexity, this will be prototyped and tested extensively on stagenet before any mainnet release.

Official stable release coming soon.

Private. Monero only. Operator-mediated, honestly.

PGP: CD37 A312 8254 2C2A CE91 FED3 A345 CD6C 2674 D00A
Pages: [1]
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!