On Alpaca Marketplace, all transactions are, by default, processed using our secure, yet straightforward multi-signature escrow process.
Multi-signature escrow ensures that transaction funds cannot be moved without the signatures of both the buyer and the vendor. Even in the (highly unlikely) event that the escrow server is compromised, the intruder will not be able to spend the funds, because the server on its own never holds both signatures. In such an event, funds would still be accessible provided that both the buyer and the vendor are able to produce their wallet signatures. Note that this guarantee depends on the signing keys not living on the escrow server: with the default server-side signing described in footnotes 1 and 2 below, the server handles the users' keys, so only users who sign manually with their own keys get the full benefit.
The escrow process is outlined below:
- With each new transaction, the buyer submits a verification message. The buyer may use a randomly generated message or he may choose his own.
- This message is encrypted and sent to the remote escrow server along with an encrypted wallet signature. 1
- Another encrypted wallet signature is sent to the vendor.
- On the escrow server, a single-signature bitcoin deposit address is generated using the wallet signature and sent back to the buyer together with a signed version of the original verification message. The buyer can then verify that this address was generated on the escrow server using his signature before he sends funds to the address.
- The buyer may cancel the order at any time until the vendor responds. Doing so immediately returns all funds to the buyer's bitcoin address.
- With every order, the vendor has two options:
- Reject the order, using the wallet signature that was sent to the vendor (2a above). Funds are returned to the buyer.
- Accept the order. A 2-of-2 multi-signature wallet is generated 2 from the buyer's and the vendor's signed public keys, and the funds are moved from the deposit address into it. If the vendor has chosen to allow moderator dispute mediation, a 2-of-3 multisig is generated instead and the mediation private key is encrypted and set aside. An administrator may then use it to release funds in the event that either party becomes unresponsive or dispute resolution reaches a stalemate; the administrator key alone cannot move funds, since it must be combined with the buyer's or the vendor's signature. Without a moderator key, the vendor bears the risk that the funds are lost for good if the buyer becomes unresponsive or loses his private key, because a 2-of-2 wallet cannot be spent with a single key.
- With every accepted order, the buyer has two options:
- Release funds. The buyer's signature is sent to the escrow server and, once the vendor claims the funds by sending his own signature, they are sent to the vendor's BTC address.
- Start a dispute. The buyer and the vendor are given access to the transaction dispute page, where they can communicate in a chat-like interface and propose, accept and reject solutions to the dispute. Once both parties have agreed on a solution, an appropriate transaction is signed with both keys and sent, together with the wallet signatures, to the escrow server, which processes the solution using both keys. 2
1 By default, encryption and signing are carried out seamlessly on the server using the user's RSA keys, so the server has access to those keys at signing time. Advanced users can choose to manually sign and encrypt using PGP for maximum security.
2 By default, multi-signature public keys are generated and signed, and transactions are signed, using the users' RSA keys. Advanced users can choose to manually generate their multi-signature public keys and manually sign transactions.
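The escrow policy above, the 2-of-2 wallet for an accepted order and the 2-of-3 wallet when the vendor allows moderator mediation, comes down to a threshold check over signatures. The following is an added example, not Alpaca's own code: it models that check as an M-of-N policy over ECDSA keys and runs the signer combinations the process allows (buyer+vendor, buyer+moderator) and the ones it must refuse (the vendor alone, the vendor signing twice, the moderator alone, a signature over a different transaction). It assumes P-256 keys from Go's standard library, since the library has no secp256k1 (the curve bitcoin uses), and the `Multisig.Authorizes` function stands in for bitcoin's OP_CHECKMULTISIG rather than building a real script. The transaction descriptions are constructed sample data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Party is one key holder in the escrow: the buyer, the vendor or the
// moderator. Assumption: each gets a fresh P-256 key instead of a
// bitcoin secp256k1 key, which Go's standard library does not provide.
type Party struct {
	Name string
	Key  *ecdsa.PrivateKey
}

func NewParty(name string) *Party {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Party{Name: name, Key: key}
}

// Sign returns this party's signature over the hash of a payout transaction.
func (p *Party) Sign(txHash []byte) []byte {
	sig, err := ecdsa.SignASN1(rand.Reader, p.Key, txHash)
	if err != nil {
		panic(err)
	}
	return sig
}

// Multisig is an M-of-N spending policy over Keys, standing in for the
// OP_CHECKMULTISIG redeem script of a bitcoin multisig wallet.
type Multisig struct {
	M    int
	Keys []*ecdsa.PublicKey
}

// Authorizes reports whether sigs satisfy the policy: at least M signatures
// over txHash, each verifying under a different policy key. A key counts
// once only, so the same party signing twice never reaches M.
func (ms Multisig) Authorizes(txHash []byte, sigs [][]byte) bool {
	used := make([]bool, len(ms.Keys))
	valid := 0
	for _, sig := range sigs {
		for i, pub := range ms.Keys {
			if used[i] {
				continue
			}
			if ecdsa.VerifyASN1(pub, txHash, sig) {
				used[i] = true
				valid++
				break
			}
		}
	}
	return valid >= ms.M
}

// TxHash stands in for the hash of the transaction the parties sign.
func TxHash(description string) []byte {
	h := sha256.Sum256([]byte(description))
	return h[:]
}

// Outcome records which signer combinations can move the escrowed funds.
type Outcome struct {
	VendorAlone, VendorTwice, BuyerAndVendor     bool
	BuyerAndModerator, ModeratorAlone, WrongTransaction bool
}

// Scenario builds the wallet for an accepted order (2-of-2, or 2-of-3 when
// the vendor allows mediation) and tries each combination of signatures
// against the release transaction.
func Scenario(moderated bool) Outcome {
	buyer, vendor, moderator := NewParty("buyer"), NewParty("vendor"), NewParty("moderator")
	keys := []*ecdsa.PublicKey{&buyer.Key.PublicKey, &vendor.Key.PublicKey}
	if moderated {
		keys = append(keys, &moderator.Key.PublicKey)
	}
	policy := Multisig{M: 2, Keys: keys}

	// Constructed sample: the payout the buyer releases to the vendor.
	release := TxHash("release: pay vendor 0.1 BTC for order 1")
	sb, sv, sm := buyer.Sign(release), vendor.Sign(release), moderator.Sign(release)
	// A vendor signature over some other transaction must not count.
	svOther := vendor.Sign(TxHash("refund: pay vendor 1 BTC"))

	return Outcome{
		VendorAlone:       policy.Authorizes(release, [][]byte{sv}),
		VendorTwice:       policy.Authorizes(release, [][]byte{sv, sv}),
		BuyerAndVendor:    policy.Authorizes(release, [][]byte{sb, sv}),
		BuyerAndModerator: policy.Authorizes(release, [][]byte{sb, sm}),
		ModeratorAlone:    policy.Authorizes(release, [][]byte{sm}),
		WrongTransaction:  policy.Authorizes(release, [][]byte{sb, svOther}),
	}
}

func main() {
	fmt.Printf("2-of-2: %+v\n", Scenario(false))
	fmt.Printf("2-of-3: %+v\n", Scenario(true))
}
```

Running it shows the two properties the page relies on: in the 2-of-2 wallet only buyer+vendor can spend, so the funds are stuck if either party disappears, and in the 2-of-3 wallet the moderator key unlocks funds only together with one of the parties, never on its own. Which keys a compromised escrow server can reach is exactly what decides whether these checks protect the user, which is why server-side signing (footnotes 1 and 2) weakens the guarantee.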