The Complete Vendor's Guide to Multi-sig Escrow on Outlaw Market

Multi-signature bitcoin transactions are a way to simultaneously eliminate vendor and market scams.

With the advent of some good multi-sig implementations on several markets, vendors/scammers no longer have any excuse to demand FE.

This guide is intended to help vendors get started with multi-sig on Outlaw Market, and learn a little about how it works in Bitcoin Core. Unlike other guides, this one is focused on the vendor side of things and highlights everything a vendor needs to know.

Remember, vendors: if your escrowed bitcoins are held with true multi-sig, the market will never be able to steal them.

WHAT YOU WILL NEED:

  1. Vendor account on Outlaw

  2. Bitcoin Core (the "standard" bitcoin wallet program. Open-source software maintained by the Core developers of Bitcoin. Get it at bitcoin.org)


EXPLANATION OF MULTI-SIG

Outlaw's multi-sig is 2-of-2. The way this works is that both vendor and market have to sign off on, or agree to, the vendor getting the escrowed coins. Thus, the market can never steal coins because the market does not know the vendor's private key.

This is unlike 2-of-3 multi-sig where buyer, market, and vendor each have a key and 2 of 3 keys are needed to "unlock" the funds. With Outlaw however, the market shares their key with the buyer so the customer also knows 1 of the 2 keys needed.

This actually makes the multi-sig process dead simple for the customer. All customers have to do is click a button and let the market generate the shared public/private key, and copy it in a text file somewhere, to be sent to the vendor in case of market outage.


EXPLANATION OF NORMAL ESCROW RELEASE

For non-emergency situations, when the market is up and running, you simply copy-paste your private key into Outlaw's console in order to release your coins. Very simple!


EXPLANATION OF EMERGENCY ESCROW RELEASE

These are the steps necessary to release funds from Outlaw's multi-sig escrow off-market. Meaning, this is how you as a vendor will retrieve your coins if Outlaw's servers blow up and Outlaw disappears forever.

SOURCE WHERE I GOT THIS INFO: https://gist.github.com/gavinandresen/3966071

  1. Download Bitcoin Core at bitcoin.org, and let it synchronize (this takes a couple of days, and around 40GB of storage)

  2. When the buyer makes an order on Outlaw, the site will give you a "createmultisig" command. This is the command used to create the multi-sig address on the blockchain. You'll want to a) check that your public key which you entered into Outlaw (under Settings) is one of the two keys used and b) run the createmultisig command on the debug window in Bitcoin Core, and see that it gives the same multi-sig address that Outlaw gives you. Make sure that the redeemScript is correct as well.

    createmultisig 2 '["03d9692812675ae69cc2dd85bd05e2a18ef44d56ee29591d3fcc003be466172d94", "025e4bf818b8cafd4f775eb1f0a8568b79979c2686453b2fdc33c3f29303dc9c53"]'

  3. Now that we know the multi-sig address is correct, there are two very important multi-sig parameters to note: the scriptPubKey, and the redeemScript. These two parameters are needed to spend from the multi-sig address. Outlaw now gives you both, so copy and save them. The rest of this step is unnecessary. Outlaw already gives you the redeemScript (which we have confirmed ourselves above), and below we will find the scriptPubKey.

    a) First, copy the txid that funded the multi-sig address. Outlaw gives it to you; to double-check, you can enter the multi-sig address into blockchain.info and copy the txid there.

    b) Enter into Bitcoin Core console:

    getrawtransaction f7146cb37bbabbc602f2baef73032f84b4aad36bf58abe29ac7fb6ffda00629d <- replace with your txid

    c) Enter into console:

    decoderawtransaction 010000000161fa924dc53f6dc72b0dced4f24b44a3bd5d33b58184c96b0018b7ea63cdcba7000000006b483045022100e7844b7dc405479a3e77a1a423fbbd7661d3f9d85e1c68b070fe40cadeebd56d0220221b8a488cc41c594c9ca8e3063133769b591ee4ee374966f1d08fe6d59815ec0121038eaa31bbb1eb02b677496d37b62db0a7d19e593b03f5cba59290958e49951412ffffffff0200ad43000000000017a9148a365eea21d2e8fb4dd063b5c977395e26d8d40587b0c61a00000000001976a914e19857e84435ba7f7481a2f4d192dc165b352e6688ac00000000 <- replace with your value in b)

    d) Congratulations, now it will show you the scriptPubKey hex value, copy and save it.

  4. Now, there are four steps needed to actually get your coins.

    A) Create the spend-from-multisig transaction

    B) Sign the transaction (with buyer/market private key)

    C) Sign the transaction again (with vendor private key)

    D) Send the transaction over the Bitcoin network

A) First we will create the spend-from-multisig transaction. Replace the values in the command below with the fund-the-multisig txid, scriptPubKey, and redeemScript from above. Replace the bitcoin address at the end with your own personal address; this is where the coins will go. Be sure to enter a lower amount of BTC than what is currently in the multi-sig address, as the remainder will become the miner's fee (which nowadays needs to be higher than .0001).

createrawtransaction
'[{"txid":"f7146cb37bbabbc602f2baef73032f84b4aad36bf58abe29ac7fb6ffda00629d",
"vout":0,"scriptPubKey":"a9148a365eea21d2e8fb4dd063b5c977395e26d8d40587",
"redeemScript":"522103d9692812675ae69cc2dd85bd05e2a18ef44d56ee29591d3fcc003
be466172d9421025e4bf818b8cafd4f775eb1f0a8568b79979c2686453b2fdc33c3f29303dc
9c5352ae"}]' '{"[ADDRESS REMOVED]":0.04405200}'

B) Sign the transaction with the buyer/market private key. Outlaw shares this key with the buyer, so in event of market shutdown, you will need to contact the buyer through some other means like email/Bitmessage, to get the private key that they saved.

Replace the first parameter with your result in A), txid/scriptPubKey/redeemScript same as always, and the buyer's private key.

signrawtransaction
'01000000019d6200daffb67fac29be8af56bd3aab4842f0373efbaf202c6bbba7bb36c14f7
0000000000ffffffff01d0374300000000001976a914b5d906afc958260e952115c19fbd0c1
9fbd50e1888ac00000000' '[{"txid":"f7146cb37bbabbc602f2baef73032f84b4aad36bf58abe29ac7fb6ffda00629d",
"vout":0,"scriptPubKey":"a9148a365eea21d2e8fb4dd063b5c977395e26d8d40587",
"redeemScript":"522103d9692812675ae69cc2dd85bd05e2a18ef44d56ee29591d3fcc003
be466172d9421025e4bf818b8cafd4f775eb1f0a8568b79979c2686453b2fdc33c3f29303dc
9c5352ae"}]' '["L2Q4BscNHPiNQL642qTdEsvh2vAYhxtXrRz2mi7euuRRw2UJU5zG"]'

C) Sign the transaction again, this time with your own (vendor) private key. Note that you can do B) and C) in reverse order as well (with the vendor's private key first then the buyer's).

Replace the raw value with your result in B), txid/scriptPubKey/redeemScript same as always, and the vendor's private key. Note that the transaction is now longer as it contains the buyer's signature.

signrawtransaction
'01000000019d6200daffb67fac29be8af56bd3aab4842f0373efbaf202c6bbba7bb36c14f7
000000009200483045022100adbe3f85bba1e17076384baa30b990b3a0579bd0bdcd2bd26a1
bcbf1cfe96f6902206cbe8790037370454cb200999bef7f963e3551d708687feed378bd37f6
f4c1e80147522103d9692812675ae69cc2dd85bd05e2a18ef44d56ee29591d3fcc003be4661
72d9421025e4bf818b8cafd4f775eb1f0a8568b79979c2686453b2fdc33c3f29303dc9c5352
aeffffffff01d0374300000000001976a914b5d906afc958260e952115c19fbd0c19fbd50e1
888ac00000000' '[{"txid":"f7146cb37bbabbc602f2baef73032f84b4aad36bf58abe29ac7fb6ffda00629d",
"vout":0,"scriptPubKey":"a9148a365eea21d2e8fb4dd063b5c977395e26d8d40587",
"redeemScript":"522103d9692812675ae69cc2dd85bd05e2a18ef44d56ee29591d3fcc003
be466172d9421025e4bf818b8cafd4f775eb1f0a8568b79979c2686453b2fdc33c3f29303dc
9c5352ae"}]' '["L4a8UG6MLGtQ81uzVnc3AkupkT9Braj3xH2wdpfifPcbxHQfMWL8"]'

D) Lastly, send the transaction over the network (with the hex value given in C). Congratulations, you are done! The console will give you a txid which you can look up on blockchain.info

sendrawtransaction


QUESTIONS:

Q. Do I have to use Bitcoin Core? Can I use Electrum or another wallet program? What if I don't have a spare 40GB on my computer to store the blockchain?

A. Yes. It's probably possible to use Electrum/another wallet but I haven't tried so I don't know. If you don't have a spare 40GB on your computer, you should get it. A 40GB thumb drive is probably what $20? Small price to pay for markets never being able to scam you again.

Q. But doesn't this mean that I have to get the email/Bitmessage of all my customers, so that I have an off-market way to contact them for their private key in case the market goes down?

A. Yes.

Q. But under normal escrow release, I have to give up my private key! Does this mean I need to use a new public/private key for every multi-sig order?

A. Yes, you should.

Q. Since the customer also knows the multi-sig address, should I tumble/mix my coins after I get them, to avoid blockchain analysis?

A. Yes.


Since I have been asked about this, here is my personal opinion on the state of multi-sig on other markets:

East India (2-of-3): Seems alright, but no US vendors allowed?! Have fun not making any money ;)

Mr. Lee (2-of-3): Looks promising and the market has great support, but their implementation is a bit obscure. It's hard to do what we just did above with their implementation. I like them, but I do not have the time to look through the thousands of lines of code that make up their offline multi-sig tool, to determine whether it has the potential of breaking or not.

TheRealDeal (2-of-3): Their implementation is flat-out incorrect, their createmultisig command was not using the public keys they were supposed to be using. I contacted them about this but never got a response.

Oxygen (2-of-3): Haven't tested this one yet

Alphabay (2-of-3): Fuck carders!
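
The redeemScript check from step 2 of the guide above, as an added example that is not part of the original post: it decodes the script and reports a wrong threshold, a missing key, or a duplicated key, the kind of mismatch the post describes finding on another market. The function names are hypothetical; the hex values are the ones shown in the post. It does not recompute the script hash, so comparing the address against Bitcoin Core's createmultisig output, as step 2 does, is still needed.

```python
# Added example (not from the original post). Keys are the two from the post's
# createmultisig command; the redeemScript is assembled the way the post shows it.
KEY_A = "03d9692812675ae69cc2dd85bd05e2a18ef44d56ee29591d3fcc003be466172d94"
KEY_B = "025e4bf818b8cafd4f775eb1f0a8568b79979c2686453b2fdc33c3f29303dc9c53"
REDEEM_SCRIPT = "52" + "21" + KEY_A + "21" + KEY_B + "52" + "ae"
SCRIPT_PUBKEY = "a9148a365eea21d2e8fb4dd063b5c977395e26d8d40587"

OP_1, OP_16, OP_CHECKMULTISIG = 0x51, 0x60, 0xAE


def parse_multisig(redeem_hex):
    """Decode OP_m <pubkey>... OP_n OP_CHECKMULTISIG into (m, [pubkey hex])."""
    s = bytes.fromhex(redeem_hex)
    if len(s) < 4 or s[-1] != OP_CHECKMULTISIG:
        raise ValueError("script does not end in OP_CHECKMULTISIG")
    if not (OP_1 <= s[0] <= OP_16 and OP_1 <= s[-2] <= OP_16):
        raise ValueError("m or n is not a small-integer opcode")
    m, n, end = s[0] - 0x50, s[-2] - 0x50, len(s) - 2
    keys, i = [], 1
    while i < end:
        size = s[i]  # direct push: one length byte, then the key bytes
        key = s[i + 1:i + 1 + size]
        ok_prefix = (size == 33 and key[:1] in (b"\x02", b"\x03")) or \
                    (size == 65 and key[:1] == b"\x04")
        if i + 1 + size > end or not ok_prefix:
            raise ValueError("malformed public key push at offset %d" % i)
        keys.append(key.hex())
        i += 1 + size
    if len(keys) != n or m > n:
        raise ValueError("key count does not match n, or m > n")
    return m, keys


def check_escrow(redeem_hex, my_pubkey, want_m, want_n):
    """Return a list of problems; an empty list means the script is as expected."""
    m, keys = parse_multisig(redeem_hex)
    problems = []
    if (m, len(keys)) != (want_m, want_n):
        problems.append("script is %d-of-%d, expected %d-of-%d" % (m, len(keys), want_m, want_n))
    if my_pubkey.lower() not in keys:
        problems.append("own public key is not in the script")
    if len(set(keys)) != len(keys):
        problems.append("duplicate public key")
    return problems


def is_p2sh(script_pubkey_hex):
    """True for the P2SH template OP_HASH160 <20 bytes> OP_EQUAL."""
    s = bytes.fromhex(script_pubkey_hex)
    return len(s) == 23 and s[:2] == b"\xa9\x14" and s[-1] == 0x87
```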


Comments


[2 Points] None:

OmG rocket im ur #1 fan!!!


[1 Points] beanbagracist:

That is considerably more complicated than that EIC guide. Can you give Electrum instructions too please.

THANK YOU FOR OFFERING MULTISIG!


[1 Points] hksupport:

Wow, that is a hell of a post, TheRealRocketShip. Thank you for spending your time helping raise awareness for multisig. We are all for anything that gets out the word. Can you please be more specific about what you think makes our implementation "obscure?" We are all about transparency and adoption, but there is some complexity that goes along with multisig, no matter how easy we try to make it. If there is something we can do to make our multisig implementation more palatable to users, we want to hear about it.

We believe the experience for our buyer is as simple as any normal market, unless they require one of the locked refunds. In those cases, we will gladly walk the buyer through step-by-step. For the vendor, we have batch export and import, which allows the vendor to copy/paste a block of text back and forth, and be done with it.

It is true that the codebase for the multisig tool is large, but it is as transparent as we can make it. Anyone is welcome to go over it. The tool is also intended to increase multisig adoption as a whole, not just for our market, and it includes features that allow users to construct their own multisig transactions, even if they don't use our market! We really want to see true multisig become the standard.


[1 Points] kkkkkkggggggyugygygy:

lol just follow these 23 simple steps to getting your money out just dont make any mistakes or lose your keys!

edit: in light of constructive criticism outlaw should use timelocking instead of making vendors do all that which i guess is better than losing your money but a funny outcome of this with 2/2 is that vendors can exit-scam with escrow lolololol it keeps getting better

> Q. Since the customer also knows the multi-sig address, should I tumble/mix my coins after I get them, to avoid blockchain analysis?

They'll also see every tx you've made through that wallet as well as any cops that are ordering from you

> A 40GB thumb drive is probably what $20?

llolololllolol


[1 Points] ciphersexual:

I'm glad I read this, thanks for posting it.

May I ask what your relationship is to Outlaw, if any?