Buyer-Seller Escrow Transactions (with or without 3rd-party)

[etotheipi]

Well, if DISPUTE is a fee-only transaction then miners have a VERY strong incentive to drop LAZY_ALICE and mine DISPUTE instead. I don't think we'd have trouble asking miners to support a code change that is something like:

I'm less concerned about miners not agreeing to it, than the complexity of making sure the arbitrary user has access to a miner that will do it for them.  Maybe it could just be a rule that most miners will adopt, but something doesn't sit right with me about most miners accepting conflicting zero-conf tx just by including a bigger fee.  Maybe zero-conf tx have very little value right now, but they'll have even less once anyone can start canceling their outgoing [zero-conf] tx on a whim...

etotheipi, I've been thinking about your comment "I don't like the asymmetry" ...
LAZY_ALICE and DISPUTE are, I think, symmetric-- Alice holds DISPUTE in case Bob doesn't hold up his end of the bargain, Bob holds LAZY_ALICE in case she doesn't.  I proposed that DISPUTE have an earlier lockTime than LAZY_ALICE, but maybe that's not necessary.

If Alice really doesn't trust Bob, then I think the whole scheme also works if Bob puts a "good faith security deposit" of bitcoins into the mix.

The asymmetry is that Alice is the only one with anything at risk.  Maybe Bob is just bored and wants to laugh about people losing money, so he starts advertising stuff he doesn't actually have.  When the person commits money, he delays a bit, then broadcasts LAZY_ALICE.  Worst case (for Bob), he doesn't get anything and gets his laugh.  Best-case, Alice can't figure out how to DISPUTE, and Bob actually gets some money!  Sweet game! 

I mean, people could do this now, though it would catch up to them eventually.  With Bitcoin, it's a lot easier to hide your identity, so there's almost no risk for Bob to do this. 

And so I'm coming around to your point about complexity and awkwardness of something like a Bob-deposit.  I agree, the further we deviate from what people are already used to, the stranger and more-confusing it will be.  At the very least, if we were to do something like risk-deposits, bitcoin.org could have an education section so users have some trusted place to go when they say "wait? I have to put in money as the seller?  sounds like a scam!"

The complexity of all this (5 possible transactions, different states the escrow can be in, initial communication to initiate the escrow) makes me nervous. Even just figuring out how Alice and Bob's clients talk to each to setup the escrow isn't obvious.

Yeah... I don't think anything is going to be easy about it, besides minimize the number of exchanges between parties.  Right now, I want to get anything that works, and let the knowledgeable users get their hands on it, play with it, break it, and figure out how it can be improved.   As you said, it'll be easier to know what people like when we see if they use it.

[1715414332]

1715414332

[1715414332]

1715414332

[1715414332]

1715414332

[Haplo]

The asymmetry is that Alice is the only one with anything at risk.  Maybe Bob is just bored and wants to laugh about people losing money, so he starts advertising stuff he doesn't actually have.  When the person commits money, he delays a bit, then broadcasts LAZY_ALICE.  Worst case (for Bob), he doesn't get anything and gets his laugh.  Best-case, Alice can't figure out how to DISPUTE, and Bob actually gets some money!  Sweet game! 

Alice and Bob sign a contract, Bob is to ship good X, Alice is to provide money. Bob holds 'Lazy_Alice', and Alice holds 'Dispute'. Bob ships the item and forwards the tracking number to Alice. Alice uses 'Dispute' to get most of her money back. What does Bob do?

I think you're wrong about Alice being the one taking all the risk. The symmetry lies in the fact that neither party is really getting any lower risk by such a deal, unless there's an asymmetry between 'Dispute' and 'Lazy_Alice' which would dump all the risk on one party or the other.

Trying to manage dispute resolution between two mutually untrusting parties without a third party is impossible. In the 2-of-3 case, as long as Alice and Bob are really both honest, they can sign for each other and finish the transaction. In the case that either Alice or Bob are dishonest, they cannot agree without arbitration (the money ends up in limbo). Given that the contract is only used where at least one party assumes the other may be dishonest, a 2-of-3 is absolutely required to resolve things if that does turn out to be the case.

[etotheipi]

The asymmetry is that Alice is the only one with anything at risk.  Maybe Bob is just bored and wants to laugh about people losing money, so he starts advertising stuff he doesn't actually have.  When the person commits money, he delays a bit, then broadcasts LAZY_ALICE.  Worst case (for Bob), he doesn't get anything and gets his laugh.  Best-case, Alice can't figure out how to DISPUTE, and Bob actually gets some money!  Sweet game!  

Alice and Bob sign a contract, Bob is to ship good X, Alice is to provide money. Bob holds 'Lazy_Alice', and Alice holds 'Dispute'. Bob ships the item and forwards the tracking number to Alice. Alice uses 'Dispute' to get most of her money back. What does Bob do?

That's why Gavin suggests that DISPUTE is actually a send-100%-to-tx-fee.  Then no one gets the money, but it does get recycled.   And that's why I recommended deposits, so that both parties have a mutual incentive not to do shady stuff.  If it costs them money to be a dick, there will be a lot less dickery.


The part that you're missing is that the Bitcoin network is offering a dramatic improvement over something that happens all the time -- people trust completely random strangers over the internet, endlessly.   And for those people, one party has to assume all the risk: Alice sends money first, or Bob sends merchandise first.  

But now the Bitcoin network can act as very dumb-but-strict escrow and split some of the risk between the two parties that choose to trust each other anyway.  Perhaps because they wish to preserve their own privacy, or simply don't feel like registering with a third-party.   I agree that for "full 100% guarantee" you need a third-party. But that doesn't mean that there is 0% value in using the scripting capabilities of the network to improve the non-third-party case.


Gavin,

I still think a risk deposit is necessary here.  Even if DISPUTE goes to the miners, Alice may just be bitter that her new merchandise is crappy quality and issue DISPUTE to spite Bob.  She doesn't get any money back either way, so what does it matter to her whether Bob gets it or the miners get it?

By the way, another problem with it:  if Alice has a lot of mining power, it's very +EV for her to pull the DISPUTE trigger, since she's would get something back instead of nothing.

[Haplo]

That's why Gavin suggests that DISPUTE is actually a send-100%-to-tx-fee.  Then no one gets the money, but it does get recycled.   And that's why I recommended deposits, so that both parties have a mutual incentive not to do shady stuff.  If it costs them money to be a dick, there will be a lot less dickery.

I see, so it's like a mutually-assured-destruction. If Bob's deposit is 100% of Alice's payment, that could work.

The part that you're missing is that the Bitcoin network is offering a dramatic improvement over something that happens all the time -- people trust completely random strangers over the internet, endlessly.   And for those people, one party has to assume all the risk: Alice sends money first, or Bob sends merchandise first.

Usually with the backstop of bank chargebacks or some company such as ebay or amazon resolving disputes. Also, seller ratings? Even if it's anonymous, you can usually still know something which will indicate whether the seller is honest or not, or else decide whether a purchase is too much money to chance or not, or what your chances are getting a chargeback via paypal or whatnot should they defect.

Gavin,

I still think a risk deposit is necessary here.  Even if DISPUTE goes to the miners, Alice may just be bitter that her new merchandise is crappy quality and issue DISPUTE to spite Bob.  She doesn't get any money back either way, so what does it matter to her whether Bob gets it or the miners get it?

By the way, another problem with it:  if Alice has a lot of mining power, it's very +EV for her to pull the DISPUTE trigger, since she's would get something back instead of nothing.

Except maybe that. That's the problem with trying to do business by mutually assured destruction .

I don't think Alice being a miner is a serious consideration, though. In order to get all of her money back, she would need to own a serious chunk of the total hashpower and be able to find a block herself (with her dispute included without being transmitted) before nLocktime ran out. In order to get most of it back, she'd have to at least own a serious chunk of a pool, and hope that her pool mines the block with her 'Dispute' call in it. She's much more likely to burn the contract just to be a dick.

[etotheipi]

You're right -- these days, sellers have incentive not to do shady stuff because they have a reputation, and likely have some degree of legal accountability because someone (usually the third-party) knows their identity.  Most of that is because sending money over the internet has always required a third-party.  It just so happens that in this case the third-party can arbitrate.

But Bitcoin is different -- the third party to hold the money is no longer necessary (or rather, it's the Bitcoin network).  So if you can find a way to eliminate the chance of needing arbitration, then why bother paying a third-party at all?  That is the Bitcoin way.  Of course, you won't eliminate it entirely, but I bet there's a way to reduce it enough for the MAD option to be like real MAD:  no one really ever uses it, but the threat that a party could use it is enough to keep people playing fairly.  

I think some combination of things Gavin and I are discussing add a lot of value for knowledgeable users, even if it's awkward and different.  For users that can't grok it, they can always just do it through the third-party, as usual.  


Gavin,

I just realized one complication -- the 2-of-2 tx (or 2-of-3) has to be created and fully signed before any of the spending tx can be created -- because they need the tx-hash for the 2-of-2 txout, which won't be available until all signatures are collected. That means I see a minimum of 4 "hops" for tx data:

(1) Alice contacts Bob saying "I'll buy this, here's some public keys"
(2) Bob creates the 2-of-2 tx (with SIGHASH_ANYONECANPAY), signs it and sends to Alice  (Bob can't create any spending tx until he gets Alice's sig)
(3) Alice signs the 2-of-2 and doesn't broadcast -- Creates and signs REFUND && LAZY_ALICE, sends to Bob
(4) Bob stashes REFUND and LAZY_ALICE, creates and signs DISPUTE/MAD and SUCCESS, sends to Alice

That's a lot of hops.  The nice thing is, Alice (who has the most money at stake) can hold onto the 2-of-2 and not broadcast it until she gets DISPUTE and SUCCESS signed from Bob.  That gives her a way to avoid locking her money until she at least has the power to MAD the money.

Sounds like there has to either be a third-party server to post data for each other to exchange, or direct-connect.  I don't like either idea.  It's a shame we finally have a way to send money conveniently, but no easy way to exchange all the data for this.  All solutions so far seem to be 80% solutions...

[sebastian]

Etotipi (just cant spell your name):
>>to have to share my personal information and transaction details with the entire Bitcoin network, or any subset thereof, just to have my transactions arbitrated.

Its required to share personal information and/or transaction details if you want to have your transaction arbitrated. Its same everywhere, if you pay in cash IRL and you want to have the deal arbitrated you will have to provide personal/transaction details and sign a contract and much more. Same with a third party arbitration service, you will have to provide them with your personal details and transaction details.

>>which may involve contacting both parties and collecting documentation.

Not required. The goal of the voting arbitration scheme is that buyer and seller SHOULD provide documentation before executing the deal, and if the seller's information is incorrect, (for example if the buyer and seller agreed on 25BTC for 50$ on paypal and instead sends 10BTC and writes "want 50$ on paypal for this") seller should REFUSE transaction and let it go back to sender.




Its same IRL too. You can either pay in cash, but then if you are scammed, the cash is lost. Cash is also anonymous.
Or you can pay in bank card, and then if you are scammed, then transaction can be chargebacked by the bank, but card is nonanonymous.


Since "the bank" in bitcoin is all nodes collectively, I think a voting scheme is best here. In this way all nodes collectively decide if the transaction should be chargebacked or not. Then you really get a decentralized "bank" which can do escrow, arbitration and control the money flow.

[Gavin Andresen]

I just realized one complication -- the 2-of-2 tx (or 2-of-3) has to be created and fully signed before any of the spending tx can be created -- because they need the tx-hash for the 2-of-2 txout, which won't be available until all signatures are collected.

Yes, if Bob puts in a deposit it adds a step internally.

I think for this to have a reasonable user-interface Alice and Bob's bitcoin clients will need to communicate in real time.

My inclination is to add JSON-RPC methods to bitcoin-qt/bitcoind to support this, and not build it into bitcoin-qt's GUI (or at least not right away). I'm imagining Armory or little "let's make a deal" 2-party-escrow-apps that... Do The Right Thing.

Random UI thoughts:

Alice could be asked "How much do you trust Bob?"  and "How much do you think Bob trusts you?"  If an answer is "not at all" then propose an escrow that requires a substantial deposit.  If the answer is "a lot" then maybe no deposit is required. It'd be way spiffy cool if it was automagically tied into the #bitcoin-otc web of trust sytem...

(... more random thoughts: would IRC as the communication mechanism under the covers be a good or bad idea?  might be a convenient way to prototype...)

I'm imagining Bob gets the details of the proposed escrow and can either agree or disagree (maybe with a message to let Alice know what he WOULD agree to).

[etotheipi]

I just realized one complication -- the 2-of-2 tx (or 2-of-3) has to be created and fully signed before any of the spending tx can be created -- because they need the tx-hash for the 2-of-2 txout, which won't be available until all signatures are collected.

Yes, if Bob puts in a deposit it adds a step internally.

I think for this to have a reasonable user-interface Alice and Bob's bitcoin clients will need to communicate in real time.

My inclination is to add JSON-RPC methods to bitcoin-qt/bitcoind to support this, and not build it into bitcoin-qt's GUI (or at least not right away). I'm imagining Armory or little "let's make a deal" 2-party-escrow-apps that... Do The Right Thing.

Random UI thoughts:

Alice could be asked "How much do you trust Bob?"  and "How much do you think Bob trusts you?"  If an answer is "not at all" then propose an escrow that requires a substantial deposit.  If the answer is "a lot" then maybe no deposit is required. It'd be way spiffy cool if it was automagically tied into the #bitcoin-otc web of trust sytem...

(... more random thoughts: would IRC as the communication mechanism under the covers be a good or bad idea?  might be a convenient way to prototype...)

I'm imagining Bob gets the details of the proposed escrow and can either agree or disagree (maybe with a message to let Alice know what he WOULD agree to).

As for Bob's deposit adding a step:  I guess Bob-zero-deposit could remove a step if Bob posts his public key as part of his advertisement.  But Alice has to send Bob a message and receive confirmation from Bob that he's still selling the item, anyway.  Even if she expects 0 deposit from Bob, she doesn't want to dump her money into a 2-of-2 or 2-of-3 until she's sure that Bob hasn't already sold the item.

But arguably, if this all has to get dumped into a bunch of opaque binary transfers between clients.  At that point, I guess it doesn't really matter.  3 vs 4 is immaterial (right?). Unfortunately, networking is not my forte.  There's a reason I rewrote everything in Armory except for the networking (and of course, because it's big and scary).  I will have to defer the creation of the protocol to others, and then follow the implementation in Armory.  (like verifying a mathematical proof instead of proving it myself)

So, I think we're in agreement that the clients will have to communicate in some fashion.  How difficult will it be to setup the communication?  Will it require extra steps, such as one person sending the other their IP address?  Or an IRC name?    Then it sounds like the method we define in this thread will not be so sensitive to the number of "hops" unless each hop requires confirmation from the user.  But I think the client can be made to have the user click once what their preferences are, and then the client apply all operations in sequence as long as each step completes/verifies successfully.  If Bob doesn't sign the DISPUTE/MAD tx, the client will not broadcast the multi-sig, etc.    However, that comes with the risk that the client handshakes and processing sequence have a vuln in them...

So there's still questions about whether deposits are necessary (sound like yes, but may be 0% in some cases) and whether there is a LAZY_ALICE tx (sounds like yes, but need to have a dumb-user-capable way for Alice to MAD the money after Bob prematurely broadcasts it).

[Btc4Domains]

Is it possible the parties to an escrow could elect which party pays the fee? Or split it.

[k99]

etotheipi,

what is the state of that project?

[k99]

I know that this topic is a bit out of date, but just in case you are still interested in a P2P Fiat-BTC exchange, I wanted to post an update of our project and announcement for our crowd funding campaign which will end in a few days (on February 9th).

Bitsquare released an alpha version in December and it can be tested at our regular testing sessions with other traders (testnet).
Today 17:00 CET we have such a session. Feel free to join us on our IRC channel #bitsquare-trading on Freenode.
Further information can be found here:
https://github.com/bitsquare/bitsquare/wiki/Bitsquare-WAN-Parties

Regarding the crowd funding campaign:
We are using Lighthouse as decentralized crowd funding solution to iteratively fund the development of every milestone, leading to a fully functional version 1.0.
The funding goal is 120 BTC for the next milestone and the campaign ends in a few days on February 9th. 
Please visit our web page for more details:
https://bitsquare.io/crowdfunding

If you like to support that project please help us to spread the word.

Best regards,
Manfred

[swapcoiner]

I wish to have both with/without 3rd party escrow in all of the services.