Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

Escrow

A three-path payment where the funds can be released by any of:

  • Mutual release — both parties (A and B) sign.
  • Arbiter decision — a designated third party signs.
  • Timeout refund — A reclaims after a deadline.

The classic use is buyer–seller trade with a neutral arbiter: funds are locked while the trade is in progress. On success, both sign and the seller gets paid. On dispute, the arbiter rules. If everything goes quiet, the buyer gets refunded.

Lock

exfer script escrow-lock \
    --wallet    ~/party-a.key \
    --party-b   <PARTY_B_PUBKEY_HEX> \
    --arbiter   <ARBITER_PUBKEY_HEX> \
    --timeout   <BLOCK_HEIGHT> \
    --amount    "50 EXFER" \
    --rpc       "$RPC" \
    --json

--timeout is the block height after which A can reclaim. Pick it long enough that both parties have time to settle the trade. See the locktime conversion table in Vault.

Release (mutual)

Both parties sign together. Release goes to any destination they agree on:

exfer script escrow-release \
    --wallet    ~/party-a.key \
    --wallet2   ~/party-b.key \
    --tx-id     <LOCK_TX_ID> \
    --to        <DESTINATION_ADDRESS> \
    --party-a   <PARTY_A_PUBKEY_HEX> \
    --party-b   <PARTY_B_PUBKEY_HEX> \
    --arbiter   <ARBITER_PUBKEY_HEX> \
    --timeout   <BLOCK_HEIGHT> \
    --rpc       "$RPC" \
    --json

Arbitrate

The arbiter decides without needing either party's signature. Use only when the trade is disputed:

exfer script escrow-arbitrate \
    --wallet    ~/arbiter.key \
    --tx-id     <LOCK_TX_ID> \
    --to        <DESTINATION_ADDRESS> \
    --party-a   <PARTY_A_PUBKEY_HEX> \
    --party-b   <PARTY_B_PUBKEY_HEX> \
    --timeout   <BLOCK_HEIGHT> \
    --rpc       "$RPC" \
    --json

The destination is whoever the arbiter awards the funds to. The script itself does not constrain the arbiter's choice — that's why you only choose arbiters you trust to follow your agreement.

Reclaim (A after timeout)

If neither mutual release nor arbiter action happened by timeout, A reclaims:

exfer script escrow-reclaim \
    --wallet    ~/party-a.key \
    --tx-id     <LOCK_TX_ID> \
    --party-b   <PARTY_B_PUBKEY_HEX> \
    --arbiter   <ARBITER_PUBKEY_HEX> \
    --timeout   <BLOCK_HEIGHT> \
    --rpc       "$RPC" \
    --json

The CLI fails locally if current_height <= timeout.

Choosing an arbiter

The arbiter is a trusted third party — they can unilaterally award the funds. Reasonable choices:

  • A reputable community member (DAO multisig, well-known operator).
  • A specialized escrow service.
  • A judge / mediator with a public arbitration policy.

If you can't agree on an arbiter, use HTLC or Multisig 2-of-2 instead — those don't require a third-party role.

Common pitfalls

  • Arbiter compromise = full loss. The arbiter signature alone releases funds. Pick carefully; consider using a multisig key as arbiter for higher-value escrows.
  • Repeating the locked params on every spend. --party-a, --party-b, --arbiter, --timeout must match the lock-time values exactly on every spend path. The script binds them in the witness; mismatched values produce script-eval failures.
  • Picking --timeout too short. If the trade isn't done by timeout, A can sweep funds out from under B even if the trade technically succeeded. Err generous.