Suppose you want to buy something online. For many consumer goods, you give Amazon the cash, and trust them to deliver the goods on time.

But what if you want to buy something from someone you don't know? In the Amazon example, we can assume that although Amazon can theoretically scam you, it is very unlikely. For a third-party vendor that lacks the same credibility, things aren't so simple. You can give the cash first, but then they could swindle you. They could also give you the item first, but then you could forgo payment.

How can we do business with potential con artists?

Traditional escrow without decentralization.

An age-old solution: escrow

The standard solution here is to use escrow. An escrow service is a well-respected entity that temporarily takes your cash. Only when you receive the item do you "release" the funds to the vendor. The third-party service settles all problems, and usually charges a cut.

Escrow is a very, very old concept. A lot has changed since its advent. With new technologies and ideas, can we improve upon the standard?

We sure can. With some thinking we can prevent the escrow service from even holding cash. With even more creative thinking, we can get rid of escrow altogether.

A short introduction

The crucial element here is a decentralized currency. The most famous is Bitcoin, which made national headlines in 2014 after its upsurge in popularity resulted in countless fortunes, breakthrough technologies, crime dramas, and bankruptcies all at the same time.

What is it though? Here's a simplified version:

You can imagine bitcoins as rare passwords that computers try to guess. Guessers are called miners, who periodically get lucky and obtain bitcoins. Everyone can store these coins in wallets, which are sets of 34-character addresses used to receive bitcoins from others. Each address has an associated 64-character private key, known only to the user, which is used to spend bitcoins that are sent to the address.

Private keys need to be kept safe and only accessed when you want to sign a transaction, and Bitcoin addresses can be freely handed out to the world.

Multisignature transactions

That's all well and good, but it does nothing to help us solve the escrow problem. Using Bitcoin as a simple send-receive system would be to lose out on its maximum capability.

What can help us, though, is an idea first formalized into the standard Bitcoin protocol in 2011 and 2012, three years after its creation: multisignature transactions. In a traditional Bitcoin account, each address has one associated private key that grants the keyholder full control over the funds. With multisignature addresses, it's possible to create a Bitcoin address with three private keys, with two of them needed to create any given transaction.

In fact, the combinatorial possibilities are endless: you can have one-of-three, five-of-five, or seven-of-eleven addresses too.

Changing the game: a proposal for decentralized escrow

Multisignature transactions change the escrow game entirely. With them, it's no longer necessary to hand money to a third party. Let's use the overstated cryptography duo Alice and Bob as an example.

Suppose Alice wants to sell a widget for $100, and Bob wishes to buy a widget for $100. Here's what happens:

  1. Alice and Bob collectively find a relatively trustworthy mediator, Carol.
  2. Alice, Bob, and Carol create a 2-of-3 multisig address. Once again, this means two out of three people are needed to complete any given transaction.
  3. A transaction is created that specifies $100 to be sent from Bob to the multisig address. Alice and Bob both sign, making it go through.
  4. Another transaction is created that specifies $100 to be sent to Alice.
  5. Alice ships the widget to Bob, and signs.
  6. When Bob gets the widget, he too signs, and the transaction goes through.

Why do we need Carol? In cases where Alice tries to scam Bob, or vice versa, Carol is needed to ensure justice.

If Alice refuses to ship the widget, Carol can verify the fact. Bob and Carol can collectively sign a transaction that fully refunds Bob.

If the widget arrives and Bob refuses to sign, Carol can verify the fact. Alice and Carol can collectively sign a transaction that pays Alice in full.

This system is an improvement upon traditional escrow because Carol (the third-party escrow agent) never actually touches any of the cash being transferred. There is zero probability that she can run off with the money.
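The 2-of-3 rule from the steps above as an added, runnable sketch (not part of the original article, and not Bitcoin's actual script or signature code). Lamport one-time signatures built from the standard library stand in for Bitcoin's ECDSA keys, and the transaction strings and function names are constructed for illustration.

```python
import hashlib
import secrets

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def msg_bits(msg: bytes):
    digest = int.from_bytes(sha256(msg), "big")
    return [(digest >> i) & 1 for i in range(256)]

def keygen():
    """Lamport one-time key pair (assumed stand-in for Bitcoin's ECDSA keys)."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(sha256(a), sha256(b)) for a, b in sk]
    return sk, pk

def sign(sk, msg: bytes):
    # Reveal one secret per message bit; a key must never sign two messages.
    return [sk[i][bit] for i, bit in enumerate(msg_bits(msg))]

def verify(pk, msg: bytes, sig) -> bool:
    bits = msg_bits(msg)
    return len(sig) == 256 and all(
        sha256(s) == pk[i][bits[i]] for i, s in enumerate(sig))

def can_spend(pubkeys, tx: bytes, sigs, threshold=2) -> bool:
    """M-of-N rule: tx is valid once `threshold` distinct key holders signed it."""
    valid = {who for who, sig in sigs.items()
             if who in pubkeys and verify(pubkeys[who], tx, sig)}
    return len(valid) >= threshold

def run_case(tx: bytes, signed: dict) -> bool:
    """Fresh keys per case; `signed` maps each signer to the bytes they signed."""
    keys = {who: keygen() for who in ("alice", "bob", "carol")}
    pubkeys = {who: pk for who, (sk, pk) in keys.items()}
    sigs = {who: sign(keys[who][0], msg) for who, msg in signed.items()}
    return can_spend(pubkeys, tx, sigs)

PAY_ALICE = b"escrow -> alice: 100"   # constructed stand-ins for transactions
REFUND_BOB = b"escrow -> bob: 100"
PAY_CAROL = b"escrow -> carol: 100"

if __name__ == "__main__":
    print("alice+bob release:", run_case(PAY_ALICE, {"alice": PAY_ALICE, "bob": PAY_ALICE}))
    print("bob+carol refund: ", run_case(REFUND_BOB, {"bob": REFUND_BOB, "carol": REFUND_BOB}))
    print("carol alone:      ", run_case(PAY_CAROL, {"carol": PAY_CAROL}))
    # Alice's signature over the payout does not count toward the refund.
    print("mismatched sigs:  ", run_case(REFUND_BOB, {"bob": REFUND_BOB, "alice": PAY_ALICE}))
```

A signature is bound to the exact transaction bytes, so a mediator can only ever co-sign an outcome that one of the two trading parties has also signed.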

However, it is still not perfect. Even though Carol never has access to the money, she is liable to coercion and bribery by both parties. If Alice is able to control Carol, she can take Bob's money without ever shipping the item. To ensure trustworthiness and compensate for investigative time, Carol would still likely need payment to serve as arbitrator.

Indeed, there are many existing services that do this already. Brawker is an example of an escrow business that used this model. Sadly, they're now out of business.

Can we ditch the middleman entirely?

Why of course we can. Anything is possible with some clever interdisciplinary thinking! This one's slightly more involved, so I made an infographic:

Decentralized Escrow Infographic

As you can see, Carol is completely out of the picture. So how does this all work in practice? I'm going to address three key issues here.


This is the big one. How can we be sure that Alice never tries to defraud Bob by never sending the widget? How can we be sure that Bob never tries to swindle Alice by not paying her?

The crux of how everything works is Nash equilibrium. A concept in game theory, Nash equilibrium is a state in which all the rules are laid out, and no player has anything to gain from straying from the correct strategy. When Alice and Bob both deposit their collateral, they enter what is known as mutually assured destruction. Neither party is willing to initiate a scam because the other party has the power to blow up the entire system. The best example in history is the use of nuclear weapons in the Cold War, where neither the United States nor the USSR was incentivized to launch an initial attack because both sides had the power to wipe out the earth.

In the same way, Alice and Bob will both lose their collateral if one person tries to scam the other. There's a core tenet of rationality here:

Rational actors are not willing to hurt themselves a little bit to hurt others a lot.

That is, nobody theoretically wants to lose $10 to make a complete stranger on the internet lose $105. Since Alice had put up her end of the collateral, it costs her money every time to run a scam. The same goes for Bob, and so via game theory, there are strong incentives for both parties to be honest.


But a seasoned con artist might ask: why can't Alice refuse to give Bob the widget, and say something to the tune of:

"You've been scammed! I'm never giving you the widget, but if you give me $20 through a wire transfer, then I'll sign my end of the contract and release the funds back to you."

This is a clear example of extortion. The counterpunch is pretty simple. Game theoretically, since Alice has no obligation to sign whether you give her the $20 or not, there is no reason to ever give in to demands like these.

Additionally, the $10 and $5 collateral in the example above is purely arbitrary. Usually, the seller should assume more risk, but the system above assumes collateral proportional to one's trust. All bitcoin records are public, and so scores on one's trust history are easily unearthed. We can give individuals with a trustworthy past a smaller incentive, and penalize Internet acts of scam artistry with a very large collateral.


This was a more relevant concern when Bitcoin was in its nascent days, but the price of Bitcoin fluctuates very, very heavily, more so than the average penny stock or even highly leveraged instruments. In a market that operates 24/7, Bitcoin and countless alternative coins see swings upwards of thousands of percent daily.

The issue here is that the price of Bitcoin may tank to the point where it's worth it for Alice to forgo her collateral in exchange for not selling her item at the original price. She can then post other ads on the network to sell the widget at a new price reflective of the recent market crash.

The solution here is to design collateral to be proportional to market volatility. With high enough collateral, we can reduce the likelihood that market effects will disrupt Nash equilibrium. Another key point is for collateral to be reflective of the importance of the transaction. For particularly important transactions, it may be worth negotiating collateral worth even more than the item itself, thus forcing both parties to go to great lengths to resolve disputes.
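The volatility argument above, worked through as an added example (not part of the original article). It assumes the price and collateral are locked in BTC at deposit, the widget keeps its fiat value, and a seller who walks away keeps the widget but forfeits the collateral; the function names and the price series are constructed for illustration.

```python
def seller_defects(price, collateral, drop, item_value=None):
    """True if walking away pays more than completing after BTC falls by `drop`.

    price, collateral: fiat value at deposit time; drop: fraction in [0, 1).
    """
    item_value = price if item_value is None else item_value
    honest_payout = (price + collateral) * (1 - drop)  # fiat value at settlement
    return item_value > honest_payout


def breakeven_drop(price, collateral, item_value=None):
    """Largest price drop the deposit tolerates before defection turns profitable."""
    item_value = price if item_value is None else item_value
    return max(0.0, 1 - item_value / (price + collateral))


def min_collateral(price, drop, item_value=None):
    """Smallest collateral (fiat value at deposit) that keeps the seller honest."""
    if not 0 <= drop < 1:
        raise ValueError("drop must be a fraction in [0, 1)")
    item_value = price if item_value is None else item_value
    return max(0.0, item_value / (1 - drop) - price)


def worst_drop(prices, window):
    """Worst fractional fall seen between any quote and the next `window` quotes."""
    worst = 0.0
    for i, start in enumerate(prices):
        for later in prices[i + 1 : i + 1 + window]:
            worst = max(worst, 1 - later / start)
    return worst


DAILY_BTC_USD = [400, 380, 420, 315, 330, 340]  # constructed sample quotes

if __name__ == "__main__":
    # The article's $100 widget with $10 seller collateral.
    print("break-even drop:", round(breakeven_drop(100, 10), 4))
    print("defects at -9%: ", seller_defects(100, 10, 0.09))
    print("defects at -10%:", seller_defects(100, 10, 0.10))
    # Size collateral from the worst fall observed over a 2-day settlement window.
    d = worst_drop(DAILY_BTC_USD, window=2)
    print("worst 2-day drop:", d, "-> collateral:", round(min_collateral(100, d), 2))
    print("collateral for a 50% drop:", min_collateral(100, 0.5))
```

Under these assumptions, once the anticipated drop exceeds 50% the required collateral exceeds the price of the item itself.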