Escrow model, 2 of 3 multisig on Nexus
The escrow mechanism explained end to end, plus what it covers and what it does not.
Every deposit on Nexus Market settles through a 2 of 3 multisig contract. Three private keys are generated per order, one held by the buyer, one held by the vendor, one held by the market platform. Any two of the three, in combination, can move the coin out of escrow. The third is not needed for a healthy order.
Why 2 of 3
The design goal is to remove the market operator as a custodian while keeping a tiebreaker for disputes. In a straight 2 of 2 between buyer and vendor, either side going offline would freeze the coin indefinitely. Adding a third key held by the platform gives the reader a dispute path without giving the platform custody. The market cannot walk with the coin because it holds one out of three keys, and any single key on its own can move nothing.
The happy path
Buyer deposits into the multisig address printed at checkout. Vendor ships. Buyer marks the order received. Buyer and vendor sign the release. Coin moves to the vendor address. Platform key never moves.
The dispute path
Either party opens a dispute through the storefront. The moderator reads both sides of the message thread, requests any missing evidence, checks the vendor dispute history, and judges. The moderator then cosigns with whichever side they judged correct. That signature is the second of the two needed. Coin releases accordingly.
The refund path
When the moderator decides the buyer is owed a refund, the moderator cosigns with the buyer key to move the coin to a refund address the buyer specifies at that stage. The vendor is not required for the refund to settle. This is the second most common failure mode after seller fraud, and it is exactly the mode a 2 of 3 model closes cleanly.
Edge cases
Buyer loses their key mid-order. Buyer becomes one of two remaining signers, dispute path resolves the deadlock, moderator cosigns with the vendor to complete the order or with a refund address depending on the moderator judgement.
Vendor loses their key mid-order. Symmetric case. Buyer opens the dispute, moderator cosigns with the buyer to either release the coin to the vendor or refund the buyer.
Platform loses moderator availability during a dispute window. This has not been observed on Nexus. In theory the coin would remain in the multisig address indefinitely until a moderator returned, since neither party has enough signatures alone.
What the model fixes
The classic exit-scam pattern. The market operator cannot wake up one morning, move the entire pool of buyer deposits, and vanish. Every deposit sits in its own multisig contract, and the operator holds one key per contract, never enough to release. This closes the single largest historical failure mode of Tor storefronts.
What the model does not fix
Seller fraud. A vendor can still ship a rock instead of the item. Multisig only guarantees the platform cannot steal, it does not guarantee the vendor is honest.
Moderator error or bias. If a moderator cosigns with the wrong side of a dispute, the correct-side party is out. Reader defence here is choosing vendors with clean dispute histories in the first place.
Buyer error. Buyer signs a release without receiving the item (finalising early, or FE) and then no path exists to reverse the release. The Bureau discourages FE in every context. See the note on FE for details.
Practical read for a first-time buyer
Multisig closes the biggest historical risk but does not remove the human risks. Choose vendors carefully, do not finalise early, keep escrow balance sized to the current order rather than the year of orders, and use the message system for anything a dispute might turn on.