The Programmability Spectrum
All digital money is programmable. Every digital dollar that moves through a banking system passes through software that can delay it, reverse it, freeze it, or report it. The question has never been whether money should be programmable. It already is.
The question that matters is: programmable by whom, for whose benefit, and against whom?
Central Bank Digital Currencies answer this explicitly. CBDCs are programmable by the issuing authority, for the benefit of the state, and against the holder when the state determines it necessary. Spending conditions, expiration dates, geographic restrictions, and transaction monitoring at the token level are not speculative concerns. They are documented design goals.
This paper proposes that the technical capability that makes CBDCs dangerous — programmability at the token level — can be redirected toward the opposite purpose. Instead of programming money to surveil and control its holders, it is possible to program money to defend itself and its holders from attack.
The token does not serve the consortium. The token does not serve the government. The token serves the network — which is to say, it serves everyone who holds it equally, including against the consortium itself if the consortium ever tried to act against the network’s interest.
The Threat Model
Every monetary system has attack surfaces. ₿USD’s primary attack surface is the fiat redemption boundary. Tokens circulating within the Bitcoin economy — spent, received, lent, and borrowed without converting to dollars — exert zero pressure on the reserve system regardless of what Bitcoin’s spot price does.
The system is at risk only when holders exit to fiat.
Coordinated Short-Plus-Redemption
An attacker builds a large BTC short position, accumulates ₿USD, then executes a mass fiat redemption to force Bitcoin selling and crash spot. The forced selling makes the short profitable. If other holders panic-redeem, a reflexive spiral begins.
Panic-Driven Bank Run
No coordinated attacker is needed. A sharp decline in BTC spot triggers fear among holders who begin redeeming for fiat. The redemption-driven selling deepens the decline, which triggers more redemptions. Individually rational behavior that is collectively destructive.
Targeted Consortium Member Attack
Instead of attacking the system as a whole, an adversary targets a single consortium member with thinner reserves. A concentrated redemption wave against that member’s tokens could force an entity-level liquidity crisis even if system-wide reserves are adequate.
Every one of these vectors has a common dependency: they require the fiat exit. If the fiat exit is structurally difficult to weaponize, the attacks become uneconomical.
Tokens as Network Participants
In traditional monetary systems, a token is a passive instrument. A dollar bill sits in a wallet. It does not know what other bills exist, how many are being spent, or whether the monetary system it belongs to is under stress. It is an IOU — inert, unaware, dependent on external institutions for its value.
₿USD tokens are designed as active participants in the monetary network they constitute. Each token — or more precisely, the smart contract governing all tokens on the sidechain — has access to aggregate network state and adjusts its own behavior based on conditions it can independently verify.
The token carries identity metadata. The issuer sees every transaction. Programmability serves surveillance.
The token carries provenance metadata about itself — not its holder. Programmability serves self-defense.
Token Provenance: Data About the Money, Not the Person
Every ₿USD token carries provenance metadata. This metadata describes the token itself — not its holder. The distinction is the bright line between CBDC surveillance architecture and TBDC defensive architecture.
What the token knows about itself
Mint date. Mint-day BTC spot price. Mint-day ₿C price. Block age. Transfer count. This is sufficient for every defensive mechanism. Self-defense does not require surveillance.
What the token cannot know
Holder identity. Spending patterns. Geographic location. Transaction purpose. The data does not exist at the protocol level because the protocol was designed never to produce it. This is not a privacy policy that could be revised. It is an architectural constraint.
Section 05Network State Awareness
The token contract has read access to aggregate metrics derived from on-chain data — all independently verifiable by any participant:
Total outstanding supply. The number of ₿USD tokens in circulation. Aggregate redemption velocity. The total volume redeemed for fiat within rolling time windows — 24 hours, 7 days, 30 days. This is the most important metric for attack detection. BTC spot relative to ₿C. The ratio between current market price and the cumulative average. Coverage ratio. Total consortium Bitcoin holdings valued at the ₿C price divided by total ₿USD outstanding. Reserve attestation status. Whether proof-of-reserves has been updated within the expected window.
None of these metrics require any information about individual holders. They are system-level vital signs — the monetary equivalent of blood pressure, heart rate, and oxygen saturation.
Section 06The Defensive Toolkit
Each mechanism is deterministic, transparent, and applies equally to every participant. None requires human intervention to activate. None can be overridden by the consortium.
6.1 — BTC-Default Redemption
When a holder redeems ₿USD, the consortium transfers Bitcoin at spot value directly to the redeemer’s wallet. No market order is placed. No slippage occurs. The spot price is unaffected by the redemption. This single design choice eliminates the most dangerous attack vector: forced selling. The coordinated short-plus-redemption attack depends on the consortium dumping BTC to meet fiat obligations. With BTC-default redemption, there is no forced selling.
Fiat redemption remains available as a premium service — slower processing, higher fees, subject to velocity limits. The fiat exit is always open. It is simply no longer the default.
6.2 — Time-Weighted Redemption Fees
The fiat redemption fee is a function of token age. The schedule is fixed in the protocol:
| Token Age | Fiat Fee | Rationale |
|---|---|---|
| 0 – 7 days | 3.0% | Prices out mint-and-redeem attack loops |
| 8 – 30 days | 1.5% | Discourages speculative cycling |
| 31 – 90 days | 0.5% | Modest friction; normal commerce unaffected |
| 91 – 180 days | 0.1% | Near-zero; long-term holders barely notice |
| > 180 days | 0.0% | Free — organic holders face no penalty |
BTC-default redemption and ₿C lateral conversion are not subject to these fees — they apply only to the fiat exit.
6.3 — Volume-Triggered Fee Escalation
Redemption fees also scale with aggregate redemption velocity. When rolling 7-day fiat redemption volume exceeds defined thresholds as a percentage of total supply, an additional surcharge applies. Below 1%: no surcharge. 1–2%: +0.5%. 2–5%: +1.5%. Above 5%: +3.0%. Congestion pricing for the fiat exit ramp.
6.4 — Adaptive Velocity Limits
The protocol imposes throughput limits on aggregate fiat redemptions. Under normal conditions, the daily cap is 5% of outstanding supply. As velocity rises, the cap tightens. These limits apply only to the fiat exit. BTC-default redemption and ₿C conversion remain unlimited at all times.
6.5 — ₿C Lateral Conversion
Any holder can convert to a ₿C-denominated position at any time, at no cost, with no delay. During a market panic, instead of fleeing to fiat, holders can move to the denomination that tracks Bitcoin’s lifetime average rather than its spot volatility. The consortium’s reserves are untouched. No Bitcoin is sold. The system absorbs the fear without absorbing the outflow. ₿USD is the on-ramp. ₿C is the destination.
6.6 — Redemption Notice Periods
Small fiat redemptions process immediately. Above $100,000, a notice period applies: 48 hours up to $1M, 7 days above that. The redemption is guaranteed — the notice period is a scheduling mechanism, not a gate. BTC-default redemption remains instant at any amount.
Section 07The Calm-State Guarantee
Under normal network conditions — which is the vast majority of the token’s life — every defensive mechanism is dormant. Transfers are instant and free. Redemptions are fast and cheap. The token behaves identically to any other stablecoin. The mechanisms activate only when the network’s vital signs indicate abnormal stress, and the thresholds are public, auditable, and identical for everyone.
Think of a circuit breaker behind a wall. It sits quietly for years. When the electrical load becomes dangerous, it trips — automatically, instantly, without asking permission. It protects the house. The holder does not experience the defensive mechanism as a restriction. They experience it as the reason their purchasing power survived.
The Inversion: CBDC vs. TBDC
The technical capability is identical. Both embed conditional logic at the token level. The architecture is the same. The philosophy could not be more different.
| Property | CBDC | TBDC (₿USD) |
|---|---|---|
| Programmability serves | The issuing authority | The token network and its holders |
| Holder surveillance | Built in by design | Structurally impossible — no identity metadata |
| Spending restrictions | Expiration dates, category limits, geographic fencing | None — holders spend freely |
| Crisis behavior | Authorities freeze accounts at discretion | Protocol hardens autonomously to protect all holders equally |
| Redemption control | Issuer can deny or delay | Deterministic rules, no discretion |
| Defense trigger | Political decision | On-chain metrics breach published thresholds |
| Collateral | Government promise | Bitcoin on the base layer, verifiable in real time |
| Who benefits | The state | Every holder equally |
| Failure mode | Policy change, authoritarian overreach | BTC sustained below lifetime average (no precedent) |
Game Theory: Why the Attack Becomes Uneconomical
Consider the coordinated short-plus-redemption attack against a defensively programmable ₿USD. The attacker mints $100M, builds a $100M BTC short, then attempts mass fiat redemption to force selling and crash spot. The obstacles stack:
BTC-default redemption means the consortium transfers Bitcoin rather than selling it. No forced selling, no spot impact, no short profit. Time-weighted fees on freshly minted tokens cost 3% — $3M — before any potential profit. Volume-triggered escalation adds another 3% at scale — $6M total. Velocity limits spread the redemption over weeks, during which the short accrues carrying costs. Even accepting BTC-default redemption and selling personally, the selling is distributed and gradual — nothing like the concentrated dump a short requires.
The defender’s advantage is structural, not tactical. The protocol does not need to detect the attacker, identify their strategy, or respond in real time. It applies the same rules to everyone. The rules happen to make the attack uneconomical. Defense by design, not defense by decision.
The Long Game
Every mechanism in this paper is designed for the transition period — the years during which holders still think of ₿USD as “digital dollars” and fiat redemption remains psychologically relevant. As the ecosystem matures — merchants accept ₿USD, workers receive salaries, lenders denominate loans — redemption becomes economically irrational. Tokens circulate indefinitely. Reserve pressure approaches zero.
The defensive mechanisms go permanently dormant. Not because they are disabled, but because the conditions that would trigger them can no longer occur. The bridge to fiat remains open. Nobody crosses it. The defenses kept the network alive long enough for the network to become self-sustaining.
This is the fundamental difference. CBDC controls are designed to be permanent — an architecture of indefinite state authority over money. ₿USD defenses are designed to be temporary — scaffolding that comes down when the building can stand on its own.
ConclusionMoney That Protects, Not Controls
Programmable money is coming. CBDCs are in active development across more than 130 countries. The question is not whether programmable money will exist. The question is whether the only programmable money available will be money that serves the state at the expense of the individual.
The answer is no. The same technical capability that enables CBDC surveillance can be repurposed — structurally, permanently, and verifiably — to build money that defends its holders instead of monitoring them.
CBDCs program money to control its holders. TBDCs program money to defend them. Same technology, opposite philosophy, opposite beneficiary. The world does not have to choose between uncontrolled money and controlled people. It can have programmable money that serves the people who hold it.