Trading Bitcoin Ordinals: The Safe Way

l2xl
Dec 5, 2023

You have an excellent inscription in your wallet that you want to sell. What could be simpler? Just ask your wallet to make a new address and ask the buyer to fund it with the bitcoins you want for your creative work. Then you send your inscription to the buyer.

A Simplest Way

There are two independent transactions here. That's it. You sign a transaction sending your ordinal to the other party, and he/she signs another transaction sending bitcoins back to you. There is no guarantee that both transactions will happen. You may publish the signed transaction that sends your ordinal out and never see any bitcoin in return. And vice versa…

Trade an ordinal using two independent Bitcoin transactions

If you want some guarantee of receiving money in return, you need to do it all in one transaction.

Single Transaction

Create the transaction that spends your ordinal to the counterparty's address as before, and ask the counterparty which UTXO he/she wants to fund the purchase from. Add it as an input to your transaction, with a corresponding output for your proceeds and perhaps an additional output for change. Sign the ordinal input as before.

Now you have a Partially Signed Bitcoin Transaction (PSBT), which you cannot publish to Bitcoin. You need to send it somehow to the counterparty and ask him/her to verify it and sign his/her corresponding input. Then anyone can safely broadcast it to Bitcoin. This way both transfers, forth and back, are made in a single transaction.

Trade an ordinal in single transaction

And now, what if you do not want to wait until somebody happens to buy your ordinal?

Some Ordinals Theory

Let's have a look at the transaction above. From the point of view of the common Bitcoin consensus rules, it just takes two UTXOs with 546 and 1350 sats, mixes them, and assigns the same amounts to other addresses, minus the mining fee. From the point of view of the Bitcoin Ordinals protocol, there was no mixing of UTXOs: the flow is strictly ordered. 546 sats and 1000 sats flowed to their new addresses separately, as in swimlanes. The mining fee is cut off from the last output.

Look at another transaction example:

A “wrong” ordinal swap transaction, the ordinal does not change hands

This is a fully valid Bitcoin transaction, yet it does the wrong thing if you are trying to trade the ordinal from the output with 546 sats: the ordinal does not change hands. It is important to do client-side validation for compliance with the Bitcoin Ordinals protocol, since Bitcoin does not do it for you.

Delayed Buy

If you do not yet know the counterparty who will want to buy your inscription, his/her address is not known at the moment you sign the PSBT for the ordinal sale. You can create a special kind of PSBT. It says that you sign only a single input in the transaction, connected to the single output with the same index. The input spends your ordinal and the output contains the proceeds from selling it. This is achieved by a special type of signature indicated by a combination of sighash flags: ANYONECANPAY | SINGLE. Later on, a buyer will add other inputs and outputs, and your signature will still be valid in the context of the resulting transaction.

A seller’s underpaid version of PSBT

When a buyer arrives, he/she needs to complete the transaction in such a way that the ordinal is spent to an appropriate new output according to the Bitcoin Ordinals protocol. This is achieved by inserting two special inputs before the ordinal input. These two inputs are spent to a single output inserted before the output with your proceeds. Additionally, the ordinal's output is inserted between the first inserted output and the proceeds output. Finally, the buyer adds a new input after the ordinal input to fund your proceeds output and the mining fee. There may be additional outputs in this transaction for change, a service fee, etc. All these new inputs and outputs are controlled and signed by the buyer. The picture below shows the execution of the sell contract, including a wallet preparation transaction that probably needs to be executed beforehand, if it has not been already.

The Delayed Buy Contract transactions. The rose color highlights the part that is signed only by a buyer

It may not be clear what happened in this transaction. The important point here is the green-boxed input and output with the same index: the only part of the transaction that is covered by the initial seller signature. Next, we will look at the transaction from the point of view of the Ordinals protocol.

The Delayed Buy Contract transactions with inputs and outputs scaled and aligned to Sats. measure rulers

Here every input and output is scaled in proportion to how many satoshis it contains. The part covered by the seller's signature is still highlighted in green. The picture visualizes how the additional inputs and outputs help to move the sold ordinal out of the signed part and assign it to a new address that wasn't known when the seller was signing.
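The first-in-first-out sat flow from "Some Ordinals Theory" and the index shift used by the Delayed Buy, as an added Python sketch that is not code from the original article. The function names, the addresses and every value other than 546, 1350 and 1000 sats are constructed for illustration, and the inscription is assumed to sit at offset 0 of its input.

```python
def locate_sat(input_values, output_values, input_index, offset=0):
    """Follow one sat through a transaction under the Ordinals first-in-first-out
    rule. Returns (output_index, offset_in_output), or None if it becomes fee."""
    if not 0 <= offset < input_values[input_index]:
        raise ValueError("offset is outside the input")
    if sum(output_values) > sum(input_values):
        raise ValueError("outputs exceed inputs")
    position = sum(input_values[:input_index]) + offset  # position across all inputs
    start = 0
    for index, value in enumerate(output_values):
        if position < start + value:
            return index, position - start
        start += value
    return None  # past the last output: the sat goes to the miner


def ordinal_reaches(inputs, outputs, ordinal_input, address, offset=0):
    """Client-side check that the ordinal ends up in an output paying `address`.
    `inputs` is a list of values, `outputs` a list of (address, value) pairs."""
    hit = locate_sat(inputs, [value for _, value in outputs], ordinal_input, offset)
    return hit is not None and outputs[hit[0]][0] == address


# Constructed sample transactions; "buyer" and "seller" stand in for addresses.
SINGLE_TX = ([546, 1350], [("buyer", 546), ("seller", 1000)], 0)
WRONG_TX = ([1350, 546], [("buyer", 546), ("seller", 1000)], 1)
# Delayed buy: two padding inputs, ordinal, funding -> padding, ordinal, proceeds, change
DELAYED_BUY = ([600, 600, 546, 11_000],
               [("buyer", 1_200), ("buyer", 546), ("seller", 10_000), ("buyer", 700)], 2)
# Same trade without the padding: the ordinal falls into the proceeds output.
NO_SHIFT = ([546, 11_000], [("seller", 10_000), ("buyer", 546), ("buyer", 700)], 0)

if __name__ == "__main__":
    for name, (ins, outs, idx) in [("single", SINGLE_TX), ("wrong", WRONG_TX),
                                   ("delayed buy", DELAYED_BUY), ("no shift", NO_SHIFT)]:
        print(name, locate_sat(ins, [v for _, v in outs], idx),
              ordinal_reaches(ins, outs, idx, "buyer"))
```

A wallet can run the same check on any PSBT it is asked to sign and refuse when the ordinal does not land at the expected address.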

It looks like we have just designed an elegant way to create a contract for swapping ordinals for bitcoins. It allows control over the number of satoshis during the swap and separates in time the signing of the sold ordinal from the signing of the bitcoins the ordinal is swapped for. So far so good, except for the fact that the rose-colored part of the swap transaction may be replaced by anyone who knows the green-boxed seller's conditions. From the moment the swap transaction is published to the Bitcoin mempool, the seller's conditions are known to the whole world. From that moment any person may create and publish a competing transaction with a higher mining fee to beat the original one. This is known as a front-running attack.

Delayed Buy with a Trusted Intermediary

A simple solution to the front-running attack described above is to delegate the ordinal transfer to some known intermediary, a marketplace for example. In this case, the intermediary's address is known at the moment the seller signs, and it is possible to use the seller's signature to pin all the contract conditions. This is done by creating the seller's signature with the ANYONECANPAY flag (without the SINGLE flag). Surprisingly, it allows the removal of these strange "ordinal shift" inputs and outputs.

The Delayed Buy with a Trusted Intermediary Contract transactions

Here the traded ordinal is in the first input and there is no need to shift. The seller signs with just the ANYONECANPAY flag, so his/her signature covers all the conditions except the buyer's input, which is not known at that moment. The overall scheme looks much simpler.
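What each flag combination pins can be checked with a small model of signature coverage. This is an added Python example, not code from the original article: it is a simplified model in which SINGLE commits only to the output at the signer's index (not the consensus digest algorithm), and all UTXO labels, addresses and amounts are constructed.

```python
import hashlib

SIGHASH_ALL, SIGHASH_SINGLE, SIGHASH_ANYONECANPAY = 0x01, 0x03, 0x80
SINGLE_ACP = SIGHASH_SINGLE | SIGHASH_ANYONECANPAY
ALL_ACP = SIGHASH_ALL | SIGHASH_ANYONECANPAY


def committed_view(tx, index, sighash):
    """Fields the signature on input `index` commits to (simplified model)."""
    inputs = [tx["inputs"][index]] if sighash & SIGHASH_ANYONECANPAY else tx["inputs"]
    base = sighash & ~SIGHASH_ANYONECANPAY
    if base == SIGHASH_ALL:
        outputs = tx["outputs"]               # every output is pinned
    elif base == SIGHASH_SINGLE:
        outputs = [tx["outputs"][index]]      # only the output at the same index
    else:
        raise ValueError("sighash type not covered by this model")
    return repr((tx["version"], tx["locktime"], inputs, outputs))


def signature_survives(signed_tx, signed_index, other_tx, other_index, sighash):
    """True if a signature made over `signed_tx` would still verify in `other_tx`."""
    def digest(tx, index):
        return hashlib.sha256(committed_view(tx, index, sighash).encode()).hexdigest()
    return digest(signed_tx, signed_index) == digest(other_tx, other_index)


def tx(inputs, outputs):
    return {"version": 2, "locktime": 0, "inputs": inputs, "outputs": outputs}


# Constructed sample data: (utxo label, value) inputs and (address, value) outputs.
ORDINAL, PROCEEDS = ("ordinal-utxo", 546), ("seller", 10_000)
seller_psbt = tx([ORDINAL], [PROCEEDS])       # signed with SINGLE | ANYONECANPAY
buyer_swap = tx([("buyer-pad-1", 600), ("buyer-pad-2", 600), ORDINAL, ("buyer-funds", 11_000)],
                [("buyer", 1_200), ("buyer", 546), PROCEEDS, ("buyer", 700)])
# Same seller part, every buyer-controlled field replaced by a third party.
rival_swap = tx([("rival-pad-1", 600), ("rival-pad-2", 600), ORDINAL, ("rival-funds", 11_500)],
                [("rival", 1_200), ("rival", 546), PROCEEDS, ("rival", 700)])
# Intermediary layout: the seller signs ALL | ANYONECANPAY over both outputs.
market_psbt = tx([ORDINAL], [("marketplace", 546), PROCEEDS])
market_swap = tx([ORDINAL, ("buyer-funds", 11_000)], market_psbt["outputs"])
market_rival = tx([ORDINAL, ("rival-funds", 11_000)], [("rival", 546), PROCEEDS])

if __name__ == "__main__":
    print(signature_survives(seller_psbt, 0, rival_swap, 2, SINGLE_ACP))   # unpinned
    print(signature_survives(market_psbt, 0, market_rival, 0, ALL_ACP))    # pinned
```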

The trade-off is that the front-running attack is still possible, but in this case the malicious actor is known: only the intermediary can create a competing transaction. Unfortunately, the marketplace here is able to completely steal the bitcoins paid for the ordinal. On the positive side, the contract transactions are simple and do not contain Bitcoin scripts. This means they can be processed by a wallet that does not recognize "pay-to-script"-like addresses.

Delayed Buy with an Interested Witness

This contract is a modified version of the Delayed Buy contract above. The seller should commit the ordinal on-chain to a 2-of-2 multi-sig script, where the first participant is the seller him/herself and the second participant is the witness. Then the seller signs the main swap as before with ANYONECANPAY | SINGLE. The role of the witness is to add his/her signature at the moment when a buyer becomes known. Thus he/she fixes the conditions that could previously be replaced in a front-running attack on the contract.

A seller’s underpaid version of PSBT

The main swap transaction remains the same as previously except the ordinal’s output is spent with the signatures of both the seller and the witness.

The Delayed Buy Contract with an Interested Witness: swap transaction with Sats. rulers

The scheme works if the witness is not interested in cheating the ordinal buyer. Otherwise, the witness can still make a competing signature to enable the front-running attack conditions in favor of another buyer.

Afterwords

The last two contract schemes are quite sufficient for the vast majority of ordinal markets, trade services, etc. that provide their services for a fee, protect their reputation and rely on certain trade scenarios, like whitelisted early access and auctions.

PS: A Trustless Witness?..

Is it even possible? The answer is: YES. We need to utilize the same math used by the Discrete Log Contract for an oracle’s signature. This time the witness signature must be formed similarly.
