We, the undersigned core developers of OpenBazaar, have decided with consensus
on the following on November 4th, 2014:
Because of the facts that:
(1) Developers can be malicious
Our threat model involves powerful agents at play. These can include malicious
governments who have the ability to issue secret warrants legally requiring
developers to take certain actions. We therefore follow a trust-but-verify
model in all our development process. As such, certain developers of the
project may in the future be legally required to perform actions that they do
not agree with, without the ability to communicate this fact to others. Through
multisig, we are requiring at least one more developer to perform a check on
financial decisions as a safety-net.
(2) Mistakes happen
We are human and often make mistakes. This can include lost wallet keys,
or destroyed laptops. Multisig will allow us to migrate our funds in case one
developer loses their keys.
We also sometimes make transactions that may be incorrect. A second pair of
eyes is good to make sure we don’t burn our funds or we don’t send them to the
wrong third party.
(3) Developers can become unavailable
Developers may become unavailable for various reasons such as accident or
death. We do not want to depend on one individual for all our funds. In case of
unavailability, multisig allows us to move our funds to a new address.
(4) Dictatorship is evil
We take team decisions with consensus. However, sometimes consensus cannot be
reached. We have never had this problem in our team yet, but it is bound to
happen in the future. In cases where consensus cannot be reached, an individual
developer should not have the power to act solely as a dictator and enforce
their opinion. Multisig requires at least one more party to consent. This acts
as a safety net.
(5) Transparency is good
We believe in a transparent development model. All our code is open source. We
interact with the community through public chat on IRC, on a public subreddit,
and in forums, all viewable by anyone. We plan features and submit bug reports
through GitHub issues, which are public. Anyone is able to criticize us through
these channels directly, even pseudonymously.
As of Beta 3, we are also making all all-hands developer video calls publicly
available through live streaming, and they are recorded for future reference.
We wish to be held accountable for our actions, and we invite the criticism of
In this direction, as we are funded through donations, we believe the public
should know exactly how much money we have and where and when exactly it is
spent. By publishing our multisig address, we submit our financial records to
Now, therefore, we are announcing the following:
(1) Ownership of public keys
Each of us controls one of the following public bitcoin keys. We are
providing bitcoin signatures as proof that we are in control of each.
Message: This is Brian and I own 12khSGHCvJoB7d5evWykvgeJVdYtSgAaxo
Message: This is Sam. I own 19xZbcnF9HB3ycfFJmQS5Gr7eJ7riJKrWc and will use
it for the OpenBazaar multisignature fund.
Uncompressed Pubic Key:
Message: This is Washington, confirming that I own this address.
Uncompressed Public Key:
Message: This is Dionysis Zindros, confirming that I own this address.
We invite the public to verify our signatures above.
(2) Multisig address migration
We are designating the following 2-of-4 multisig address for the storage of
The address is constructed with the above 4 public keys. We invite the public
to check that the multisig address is a 2-of-4 address and that it is
constructed using the above 4 public keys. For verification purposes, the
bitcoin script is given below:
(3) Mandatory transparency
We have transfered all our funds to the multisig address and published it
to be used for donations. While we still have access to our old donations
address for donations coming from people who have stored it, we will be
using the new address for all donation purposes from now on. Any funds
donated to the old address will be immediately transfered to the multisig
We will make all our organizational payments directly from our multisig
address. We vow to publish the following information for every transaction
originating from our project multisig address from now on:
- The recipient bitcoin address
- The date of the transaction
- The recipient actual name or company name
- The reason for the expenses
In case of conversion to fiat currency, we will state the above data for the
recipient of the converted fiat currency.
We invite the public to verify our GPG signatures on the above announcement.
Brian Hofmann, Project Lead
Sam Patterson, Operations Lead
Washington Sanchez, Research Lead
Dionysis Zindros, Trust & Identity Developer
Please verify the authenticity of this message using GPG. Our public keys are available on popular keyservers.