This is an attempt at Mike Hearn's "exercise for the reader.
" It relies on P2SH (or multisig) and nLockTime, with no transaction replacement.
1. A vendor agrees to produce a good if X BTC are raised by date D and to pay Y BTC to each of n
contributors if X BTC are not raised by date D, or to pay n
Y BTC if X BTC are raised and the vendor fails to produce the good to the satisfaction of 2 of 3 independent arbitrators picked through a fair process
2. The arbitrators create a 2-of-3 P2SH address with a public key from each arbitrator, which will allow them to judge the performance on actually producing the good
3. For each contributor:
3a. The vendor and the contributor exchange public keys
3b. They create a 2-of-2 P2SH address from those public keys
3c. With no change, they create a transaction with an input of X/n BTC from the contributor and an input of Y BTC from the vendor, with X/n
+Y going to the address created in 3b
3d. The vendor signs a transaction of the entire balance of the transaction in 3c over to the contributor with nLockTime of D and gives it to the contributor
3e. The contributor signs a transaction where the output is X+nY to the address created in step 2 and the input is the output of the transaction in 3c, signed using SIGHASH_ALL | SIGHASH_ANYONECANPAY and gives it to the vendor
4. As date D nears, nLockTime comes close to expiration.
4a. If enough (n
) people contribute, all of the inputs from 3e can combine to make the output valid, creating a valid transaction sending that money to the arbitrators, which only agree to release the funds when the vendor produces a satisfactory output
4b. If not enough people (<n
) contribute, nLockTime expires on the transaction in 3d, meaning each contributor can sign and redeem her transaction containing X/n
+ Y BTC from 3c
4c. Note that there is a limit at which it can be more profitable for the vendor to make the remaining contributions when D approaches