First, the buyer creates an HTLC and deposits his coins inside. The buyer should be able to take the coins after the timelock, but the seller should be able to take them with the preimage.

Next, the seller creates an HTLC and deposits a coinbase inside. The seller should be able to take the coins after the timelock, but the buyer should be able to take them with the preimage.

The buyer's timelock should be longer than the seller's. Otherwise the buyer could wait until his own timelock expires, then sweep the funds from his own HTLC using the timelock path, then sweep the funds from the seller's HTLC using the preimage before the seller's timelock expires, thus taking the seller's money without the seller being able to reimburse himself. Also, both HTLCs should use the same hash, which the buyer knows.

When the coinbase matures, the buyer should disclose the preimage to the seller. Then the seller should send the buyer a sig so he can withdraw from the seller's HTLC using the multisig path. Then the buyer should send the seller a sig so he can withdraw from the buyer's HTLC using the multisig path.
Nice, you found an explainer in my documentation
Unfortunately it doesn't give a very high level overview of what's happening
Basically you're doing a swap: the miner gives you part of his coinbase output and you give the miner the same amount plus a fee
You end up with coins that have no history and he ends up with a new revenue stream
reply
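To make the timelock-ordering rule in the explainer above concrete, here is an added example (it is not code from the UTXO Dealership project or its documentation): a toy Python simulation of the two HTLCs with a greedy buyer and an honest but watchful seller. The amounts (a 100 sat coinbase, a 105 sat deposit), the heights and the two buyer strategies are constructed for illustration; the cooperative multisig path is not modelled, since the point is what the on-chain fallback paths allow.

```python
"""Toy model of the two-HTLC coinbase swap and its timelock-ordering rule.

Added example, not project code. Amounts, heights and the attacker
strategies below are constructed; hashing uses SHA-256 for the payment hash.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass
class HTLC:
    amount: int
    payment_hash: bytes
    refund_to: str   # party paid by the timelock path
    pay_to: str      # party paid by the preimage path
    timelock: int    # first height at which the timelock path is spendable
    spent: bool = False


@dataclass
class Chain:
    """Minimal ledger: balances, current height, preimages revealed on-chain."""
    balances: dict
    height: int = 0
    revealed: set = field(default_factory=set)

    def refund(self, h: HTLC) -> bool:
        """Timelock path: only valid once the height reaches the timelock."""
        if h.spent or self.height < h.timelock:
            return False
        h.spent = True
        self.balances[h.refund_to] += h.amount
        return True

    def claim(self, h: HTLC, preimage: bytes) -> bool:
        """Preimage path: spending it publishes the preimage to everyone."""
        if h.spent or hashlib.sha256(preimage).digest() != h.payment_hash:
            return False
        h.spent = True
        self.revealed.add(preimage)
        self.balances[h.pay_to] += h.amount
        return True


def run_swap(buyer_timelock: int, seller_timelock: int, early_claim: bool) -> dict:
    """Buyer deposits 105 (price + fee); seller deposits a 100 sat coinbase.

    The buyer is adversarial. With early_claim=False he waits for his own
    timelock, sweeps his deposit, then tries to sweep the seller's HTLC with
    the preimage (the attack described in the explainer). With
    early_claim=True he claims the coinbase at once and then tries to also
    reclaim his deposit. The seller is honest and watches the chain each block.
    """
    preimage = b"buyer-secret"                  # only the buyer knows this
    payment_hash = hashlib.sha256(preimage).digest()
    chain = Chain(balances={"buyer": 105, "seller": 100})

    chain.balances["buyer"] -= 105
    htlc_buyer = HTLC(105, payment_hash, "buyer", "seller", buyer_timelock)
    chain.balances["seller"] -= 100
    htlc_seller = HTLC(100, payment_hash, "seller", "buyer", seller_timelock)

    for height in range(1, max(buyer_timelock, seller_timelock) + 2):
        chain.height = height
        # Buyer moves first in each block.
        if early_claim and height == 1:
            chain.claim(htlc_seller, preimage)
        if chain.refund(htlc_buyer):            # own deposit back via timelock
            chain.claim(htlc_seller, preimage)  # ...then try to take the coinbase too
        # Seller: reuse any preimage the buyer published, else refund when allowed.
        for p in list(chain.revealed):
            chain.claim(htlc_buyer, p)
        chain.refund(htlc_seller)
    return chain.balances


if __name__ == "__main__":
    print("buyer timelock shorter, patient buyer:", run_swap(10, 20, False))
    print("buyer timelock longer, patient buyer: ", run_swap(20, 10, False))
    print("buyer timelock longer, early claim:   ", run_swap(20, 10, True))
```

With the buyer's timelock shorter than the seller's, the patient buyer ends with 205 sats and the seller with nothing, because the preimage is only published after the buyer's own deposit is already gone. With the ordering the explainer requires, waiting only gets the buyer his own deposit back (the seller has already refunded), and claiming early hands the seller the preimage he needs to take the deposit, which is just the intended swap. The model assumes the seller is online to react within the window, which is the same liveness assumption any HTLC scheme carries.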
Why would a miner trade “tainted” coins for “virgin” BTC? I’d imagine it would cost more than a coinjoin
reply
I think you maybe got it reversed? Miners create "virgin coins" in every bitcoin block. For them, the supply of "virgin coins" is abundant. But for everyone else, "virgin coins" are hard to come by. Lots of people want virgin coins but only miners have a steady supply of them. So miners can charge a premium for them. Plus, when a miner receives "tainted coins", they can use them as fees that they pay to themselves in a bunch of smaller transactions. I suspect there are ways of doing this that evade detection by chain analysts, allowing miners to effectively turn "tainted coins" back into "virgin coins" and resell them.
reply
"Plus, when a miner receives "tainted coins", they can use them as fees that they pay to themselves in a bunch of smaller transactions."
This is a service that has been missing for a long time.
reply
How does that work? Does the miner just try to tip themselves within their own block template?
reply
Transactions don't even need fees if they're not intended to be broadcast to the rest of the network. So yes, they include them in their own block template.
reply
Can you elaborate on the decision to use Nostr for a "privacy" app? Wouldn't using this app entail broadcasting details about the swap to third parties? I get that the note is encrypted, but why leak data about who is messaging who? What does nostr solve here? Is it just easier than using a DB for hackathon prototype?
reply
Nostr is certainly easier to use in a hackathon than a real database, but there are additional factors: who should host the database? Nick and I don't plan to do it, it would make us a central point of failure. Censors from various countries could easily serve us takedown notices if they don't like the offers in our database -- we can avoid that by simply not having one. We'll make the website optional too, because having a single, easily shuttered frontend is another obvious footgun.
Each miner can store their own database of offers and disclose them on whatever media they want. That is probably the most robust solution, but I hope using nostr for message transport in this prototype sets a standard for interoperability so that these databases can fill a global orderbook rather than create a dozen silos.
Also, to reduce metadata leaks, we aren't having anyone sign in using nostr. No one's identity is needed for this because the buyer and the seller don't have to trust one another. Your transactions should not ever be tied to your real nostr identity, so we just don't have you or the miner sign in. Instead, from nostr's perspective, each order is only associated with an ephemeral keypair created when you visit the site and only used for one purchase, then discarded forever.
Moreover, we'll also put up a warning message if you visit the site on a clearnet browser, reminding you that if you don't hide your ip address e.g. via tor or a vpn, you'll reveal your use of our tool to your ISP and anyone they choose to disclose that information to.
reply
It's very endearing that Nostr is so bad at its designed use case, but so useful for many other things.
reply
Thanks for the explanation. Especially about using newly generated nostr keys per session. Makes total sense. I'm keen to dive in.
It doesn't have to be a coinbase output, right? Could trade for any (dirty) utxo, right?
reply
We will probably add a "certified pre-owned" section where regular people can sell not-new utxos
It might be useful if someone who doesn't think they have the time or skill to use coinjoins still wants to have some coinjoined utxos
They can just purchase them instead of doing an actual coinjoin themselves
reply
This should use less block space than coinjoin. Also, no coordinator fees.
However, the history of a not-new utxo is preserved, unlike coinjoin.
But there is still value in trading for a utxo with different history as opposed to no history, or obfuscated history. Especially if it's more space efficient than alternative trustless swaps.
reply
Agreed. I have been looking for a way to trustlessly swap doxxic UTXOs for a long time.
I already call this "SwapDox" when I explain the tool that I am looking for.
reply
Today I added a section where you can sell your toxic change:
I know the interface is a mess but give it time! I'm working on it.
Decentralization is the main component of this whole thing. Why centralize when we don't have to?
reply
Because privacy is the main component of UTXO Dealership and encrypted nostr messages do not hide the public keys who are messaging, nor the date/time of sending the message. Typically, you don't broadcast details about private dealings on a censorship resistant public network. I'd rather a single server had incriminating evidence than broadcast that evidence to hundreds of servers. You might be better off swapping UTXOs for privacy shitcoins with ring signatures or other tech that obfuscates the addresses, then swapping back to BTC to get a new UTXO. Less metadata stored and more resistant to timing analysis.
reply
You'll end up with coins that have a history of being used in coinswaps by specific miners given that most are completely doxxed.
reply
I don't think doxxed mining pools will sell their coins using this software, because they won't want to do anything where their customers are anonymous (they might not even legally be allowed to).
So customers and profits will naturally flow to the not doxxed mining pools who do run the software.
In the best case scenario -- in the wild land of my imagination, where my hopes and dreams live alongside unicorns and butterflies -- the pursuit of profit could attract miners to leave kyc'd mining pools in pursuit of greater profitability elsewhere (i.e. at mining pools that do sell their coins anonymously).
reply
Totally a free market that could happen, with anon pools being more profitable and getting more use. I think random coins swapping with random coins in an indistinguishable way will offer more ambiguity, but potentially more scrutiny on buyers.
reply
Ideally the utxo goes straight into the swap address as a coinbase output -- that way it belongs to the buyer from the moment it's created. I want chain analysts to have difficulty telling if someone bought the coinbase or mined it. Coinswaps help with this because, thanks to taproot, they look like an ordinary single sig address. (Well, right now mine don't, they look like a 2 of 2 -- but I am fixing that as we speak.)
reply
How do you stop grief?
reply
I don't have anything special in place
The buyer has to deposit first which I suppose imposes a kind of natural grief cost on him: griefing costs two mining fees, one to make the initial deposit and a second to abort.
I suppose I can make the abort transaction expensive by making it so the miner has to cosign it, and include an expensive op_return in there so that the only way the user can abort is by sacrificing a meaningful amount of money.
Or I can make it so that the abort transaction is only valid after a long timelock expires, that way I impose an opportunity cost on the aborter rather than destroying bitcoins forever.
If I make the buyer's abort transaction expensive, I should probably make the seller's abort transaction expensive too, that way there's parity. If either party aborts, the other party has to abort too, so it might be nice if that was disincentivized by making abortions costly for both parties.
Do you have any thoughts on this?
reply
Yeah, that's interesting. It depends on the price of the fee, I think. There are plenty of parties that would spend a lot of money to find things out.
Timelocks and total liquidity lock ups sound more costly if someone was trying to do this at scale. Lightning kinda requires that. Is that what a fidelity bond accomplishes?
If it was fee based, you may have other miners gladly spend the fees if it comes back to them anyways.