Every deposit on WeTheNorth sits behind a 2 of 3 multisig contract. Three private keys are generated per order. One held by the buyer, one by the vendor, one by the platform. Any two release the coin. This reading walks through the flow.
Why 2 of 3 and not 2 of 2
A pure 2 of 2 between buyer and vendor sounds cleaner because the market is not involved in settlement. In practice, if either side goes offline, the coin is stuck forever. The third key is the tiebreaker. Because the market holds only one of three keys, it cannot walk with the coin. It can only help.
The happy path
Buyer deposits. Vendor ships. Buyer marks received. Buyer and vendor both sign the release. Coin moves to the vendor. Platform key never moves.
The dispute path
Either party opens a dispute. Moderator reads both sides, checks the vendor history, judges. Moderator cosigns with the side they judged correct. That signature is the second of two needed. Coin releases accordingly.
The refund path
When the moderator judges the buyer is owed a refund, the moderator cosigns with the buyer key to move coin to a refund address the buyer specifies. Vendor is not required. This is exactly the failure mode a 2 of 3 model closes cleanly.
What multisig fixes
The classic exit-scam pattern. The market operator cannot wake up one morning, move every deposit at once, and vanish. Every deposit sits in its own multisig contract. The market holds one key per contract. That single key cannot move anything.
What multisig does not fix
Seller fraud. A vendor can still ship a rock. The moderator can rule wrongly. These are people problems, not protocol problems.