This could just be me being a complete dumbass. But is there any way to verify that the payment addresses Hansa gives you lead to multisig wallets? If not, wouldn't it be in the admins' power to start displaying addresses which lead to private wallets, and siphon off as much as they get away with before pulling the plug?
Again, this could just be me misunderstanding things (in which case apologies to Hansa for the FUD-y title), and Hansa is still my favourite of the current crop of sites, but if not we shouldn't be overly trusting just because they've positioned themselves as the good guy market. Oasis and EIC were too, once.
Yes. Hansa still does use central escrow (in isolated wallets) prior to the order being accepted. In between, all funds could be stolen or compromised through market failure. After acceptance you could check/verify the Redeemscript and verify it against the vendor's public key. At any time the vendor could also check/verify if the Locktimescript was generated properly and is pointed at his address. The attack vector is there, but it is a fairly small one compared to full central escrow markets.
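
The redeem script check mentioned in the reply above, as an added example that is not part of the original thread or any market's code: it parses a standard `OP_m <keys> OP_n OP_CHECKMULTISIG` script and reports whether a given public key is one of the signers. The function names and the sample keys are assumptions constructed for illustration; confirming that the script hashes to the displayed payment address is a separate step not shown here.

```python
"""Added example: parse a bare m-of-n multisig redeem script, check a key is in it."""
OP_CHECKMULTISIG = 0xAE

def _small_int(opcode: int) -> int:
    # OP_1 .. OP_16 are encoded as 0x51 .. 0x60
    if not 0x51 <= opcode <= 0x60:
        raise ValueError(f"expected OP_1..OP_16, got 0x{opcode:02x}")
    return opcode - 0x50

def parse_multisig(script: bytes):
    """Return (m, [pubkeys]) for 'OP_m <key>... OP_n OP_CHECKMULTISIG'."""
    if len(script) < 4 or script[-1] != OP_CHECKMULTISIG:
        raise ValueError("script does not end in OP_CHECKMULTISIG")
    m, n = _small_int(script[0]), _small_int(script[-2])
    keys, pos, end = [], 1, len(script) - 2
    while pos < end:
        size = script[pos]                      # direct push opcode = byte count
        key = script[pos + 1:pos + 1 + size]
        if size not in (33, 65) or pos + 1 + size > end:
            raise ValueError("push is not a whole 33- or 65-byte public key")
        # Prefix check only; this does not prove the point is on the curve.
        if key[0] not in ((2, 3) if size == 33 else (4,)):
            raise ValueError("bad public key prefix")
        keys.append(key)
        pos += 1 + size
    if len(keys) != n or not 1 <= m <= n:
        raise ValueError(f"inconsistent threshold: m={m}, n={n}, keys={len(keys)}")
    return m, keys

def key_in_script(script_hex: str, pubkey_hex: str) -> bool:
    """True only if the script parses cleanly and contains exactly this key."""
    try:
        _, keys = parse_multisig(bytes.fromhex(script_hex))
    except ValueError:
        return False
    return bytes.fromhex(pubkey_hex) in keys

# Constructed sample: three placeholder 33-byte keys, not real keys.
SAMPLE_KEYS = [bytes([2 + i % 2]) + bytes([0x11 * (i + 1)]) * 32 for i in range(3)]
SAMPLE_SCRIPT = (bytes([0x52]) + b"".join(bytes([33]) + k for k in SAMPLE_KEYS)
                 + bytes([0x53, OP_CHECKMULTISIG]))

if __name__ == "__main__":
    m, keys = parse_multisig(SAMPLE_SCRIPT)
    print(f"{m}-of-{len(keys)}", key_in_script(SAMPLE_SCRIPT.hex(), SAMPLE_KEYS[1].hex()))
```

A script that fails to parse, or whose key count disagrees with its declared `n`, is treated as not containing the key rather than as a partial match.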