All Digital Money Is Programmable
Every digital dollar that moves through a banking system passes through software that can delay it, reverse it, freeze it, or report it. The debate over whether money should be programmable is already settled. The question is who the programmability serves.
CBDCs are programmable by the issuing authority, for the benefit of the state, and against the holder when the state determines it necessary. Spending conditions, expiration dates, geographic restrictions, and transaction monitoring at the token level are documented design goals in active CBDC pilots around the world. China's e-CNY has been deployed with expiration dates on government disbursements, requiring recipients to spend within a defined period or lose the funds. Nigeria's eNaira was paired with severe cash withdrawal restrictions that effectively coerced adoption. These are working demonstrations of programmable money in the service of the issuer.
This paper describes an alternative. The technical capability that enables CBDC surveillance and control can be redirected toward the opposite purpose: programming money to defend itself and every person who holds it from attack. This is the defensive programmability framework proposed in The Bitcoin Bridge.
The Digital Reserve Note does not serve the issuer. It serves the network and protects every holder equally.
The Inversion
The word "programmable" carries justified suspicion. In the CBDC context, programmability means the issuer can attach conditions to the holder's money. The token carries identity metadata. The central bank sees every transaction. Spending can be restricted by category, geography, or expiration date. The currency ceases to be a general-purpose medium of exchange and becomes a conditional permission to transact, revocable at the issuer's discretion.
₿USD programmability inverts this relationship entirely.
The token carries identity metadata. The issuer sees every transaction. The authority can freeze, expire, restrict, or surveil the holder's money. Programmability serves the state.
The reserve note carries provenance metadata about itself. It cannot identify its holder. It monitors aggregate network health and activates defenses autonomously. Programmability serves every holder equally.
The technical capability is identical. Both embed conditional logic at the protocol level. The architecture is the same. The philosophy is opposite. One programs money to control the people who hold it. The other programs money to defend the monetary network those people depend on.
The system achieves system-wide protection from individual units acting collectively to protect the network.
What the Reserve Note Knows
Every Digital Reserve Note in the issuer's inventory carries provenance metadata at the protocol level. This metadata describes the note itself. It does not and cannot describe the person holding ₿USD.
Note-level provenance data
Note number. Mint-day ₿C price, which is the note's timeblock, the cumulative average value of Bitcoin on the day the note was created. Together, the note number and timeblock form the note ID. Mint date. Mint-day BTC spot price. Block age. The end user sees a fungible dollar balance. Every unit redeems for $1. The provenance exists beneath the surface so the system can manage reserves and activate defensive behaviors autonomously.
PBP# (Profit Burn Priority)
In addition to its static provenance data, each reserve note continuously calculates a dynamic value: its PBP#, or Profit Burn Priority number. The PBP# ranks the note's position in the redemption burn queue based on its current profitability, the spread between its mint-day BTC spot price and the current spot price. The most profitable notes have the lowest PBP# and are first in line to be burned on redemption. The least profitable notes sit at the back of the queue.
The PBP# replaces a simple FIFO (first-in, first-out) burn order. In a cleanly rising market, the two methods produce identical results because the oldest notes are also the cheapest and therefore the most profitable. They diverge in volatile, non-monotonic price environments. If BTC goes from $50K to $90K to $60K to $85K, a FIFO system burns the $50K note first (correct) but then burns the $90K note second, which is underwater and forces a Ledger 2 draw. A PBP# system burns the $50K note first, then the $60K note, both at a profit. The $90K note waits at the back of the queue until conditions improve.
Modeling confirms that total surplus over the life of the system is identical regardless of burn order. The same satoshis enter at minting and the same $1-worth of BTC leaves at redemption. Surplus BTC from each burn stays in the reserve and appreciates at spot no matter which note produced it. PBP# does not earn the treasury more money over time.
What PBP# does is protect Ledger 2. By always burning the most profitable reserve note first, PBP# avoids drawing from the backstop reserve as long as any profitable note exists in the pool. In volatile markets, FIFO can burn underwater notes ahead of profitable ones simply because they are older. Every unnecessary Ledger 2 draw weakens the reserve that exists to absorb genuine stress events. PBP# eliminates this. The advantage is defensive, not financial. It costs the treasury nothing while providing structural protection. This makes it a natural addition to the defensive programmability toolkit.
The user has no visibility into or control over which reserve note gets burned. The PBP# governs which satoshis leave Ledger 1 on the base layer. The time-weighted fee structure, a separate system on The ₿ridge Network, governs what fees apply based on each ₿USD's holding period, determined by transaction timestamps on The ₿ridge Network.
What the reserve note does not need to know
Holder identity. Spending patterns. Geographic location. Transaction purpose. None of this information is required for the defensive mechanisms to function. Every defense described in this paper operates on note-level provenance and aggregate network metrics.
Existing stablecoins do not embed identity data in the token itself. USDT and USDC are standard tokens on public blockchains. What their issuers do retain is administrative control at the smart contract level. Tether has frozen over $3.3 billion across more than 7,000 addresses, working proactively with the FBI, Secret Service, and law enforcement agencies across 59 jurisdictions. Circle has frozen approximately $110 million across roughly 370 addresses, typically in response to court orders or OFAC sanctions. Both issuers can blacklist any wallet address, preventing it from sending or receiving tokens. Both can monitor wallet movements on public blockchains. Combined with exchange-level KYC, this creates effective traceability even without an identity-linked ledger at the protocol level.
These capabilities exist because regulators require them. The consortium members issuing ₿USD will operate within the same regulatory frameworks. They may prefer to minimize issuer-level control over individual wallets, but the degree to which they can do so depends on the jurisdictions they operate in and the compliance obligations they carry. The privacy advantage of ₿USD over a CBDC, where comprehensive surveillance is a stated design goal, can be substantial. The degree of that advantage will be shaped by the legal environment the consortium navigates. What is structurally different is that the defensive mechanisms themselves require no holder-level data to function. The system can protect itself without knowing who is inside it.
The red/black indicator
Each reserve note's health is deterministic from its provenance data, calculable at any time from the mint-day BTC price and current spot. A ₿USD reserve note reads "black" when the Bitcoin backing it is worth more than the $1 obligation, and "red" when spot has fallen below the minting price. A note minted at $85,000 spot reads black +11.8% when spot is $95,000 and red −17.6% when spot falls to $70,000. The user never sees this indicator. They see a balance. The red/black system exists so the protocol can assess its own health without assessing the people inside it.
Self-defense does not require surveillance. The reserve note knows its own age, its own origin, and its own reserve position. That is sufficient for every defensive mechanism described in this paper. The data the note needs to protect the network is data about the money, not about the person.
Network State Awareness
Beyond the provenance of individual reserve notes, the protocol has read access to aggregate metrics derived from on-chain data. All of these metrics are independently verifiable by any participant.
Total outstanding supply: the amount of ₿USD in circulation. Aggregate redemption velocity: the total volume redeemed for fiat within rolling time windows of 24 hours, 7 days, and 30 days. This is the most important metric for detecting abnormal stress. BTC spot relative to ₿C: the ratio between current market price and the cumulative average, indicating whether the broader market is above or below its historical baseline. Coverage ratio: total consortium Bitcoin holdings valued at the ₿C price divided by total ₿USD outstanding. Reserve attestation status: whether proof-of-reserves has been updated within the expected window.
None of these metrics require any information about individual holders. They are system-level vital signs. The monetary equivalent of blood pressure, heart rate, and oxygen saturation. The system monitors its own health without monitoring the people inside it.
Section 05The Threat Model
Every monetary system has attack surfaces. The primary attack surface for ₿USD is the redemption boundary. ₿USD circulating within the ecosystem, spent, received, lent, and borrowed without leaving the ecosystem, exert zero pressure on the reserve system regardless of where Bitcoin's spot price stands. The system faces reserve pressure when holders exit the ecosystem entirely, whether to BTC or to fiat. Both paths draw Bitcoin from Ledger 1. The fiat path adds an additional danger: concentrated selling pressure on spot that can trigger a reflexive feedback loop. The BTC path disperses any subsequent selling across the open market. But the reserve draw is real in both cases.
Coordinated short-plus-redemption
An attacker builds a large BTC short position, accumulates ₿USD, then executes mass fiat redemption to force Bitcoin selling and crash spot. The forced selling makes the short profitable. If other holders panic-redeem in response, a reflexive spiral begins.
Panic-driven bank run
No coordinated attacker is needed. A sharp decline in BTC spot triggers fear among holders who begin redeeming for fiat. The redemption-driven selling deepens the decline, which triggers more redemptions. Individually rational behavior that is collectively destructive.
Targeted consortium member attack
Instead of attacking the system as a whole, an adversary targets a single consortium member with thinner reserves. A concentrated redemption wave against that member's reserve notes could force an entity-level liquidity crisis even if system-wide reserves are adequate.
Oracle manipulation
An adversary attempts to corrupt the BTCADP reference price that governs ₿C, fee calculations, and coverage ratios. If the oracle can be moved, the defensive mechanisms themselves could be gamed.
Every one of these vectors shares a common dependency: they require holders to exit the ₿USD ecosystem, drawing Bitcoin from reserves. The fiat path is the most dangerous because it adds concentrated selling pressure. If the ecosystem exit is structurally difficult to weaponize and the oracle is resistant to manipulation, the attacks become uneconomical.
The Defensive Toolkit
Each mechanism described below is deterministic, transparent, and applies equally to every participant. None requires human intervention to activate. None can be overridden by the consortium. These are proposed defaults within The Bitcoin Bridge framework. The specific parameters, thresholds, and fee schedules presented here are starting points. Treasury companies implementing the system will calibrate based on their own risk analysis, and researchers will likely identify improvements. The design principle is fixed: defense by protocol, not defense by committee.
6.1 BTC-Default Redemption
When a holder redeems ₿USD, the consortium transfers Bitcoin at spot value directly to the redeemer's wallet. No market order is placed by the consortium. The mechanism does not eliminate selling pressure entirely. It disperses it, removing the consortium as the forced seller and eliminating the reflexive feedback loop where a single large sell order crashes spot and triggers further redemptions.
This single design choice eliminates the most dangerous attack vector: forced, concentrated selling. The coordinated short-plus-redemption attack depends on the consortium dumping BTC to meet fiat obligations. With BTC-default redemption, there is no forced selling. The redeemer may subsequently sell the BTC on the open market, but that selling pressure is distributed across exchanges at the redeemer's discretion rather than concentrated in a single consortium sell order during a stress event.
Fiat redemption remains available as a premium service with slower processing, higher fees, and velocity limits. The fiat exit is always open. It is simply no longer the default.
6.2 Time-Weighted Redemption Fees
The fiat redemption fee is a function of holding period. Freshly minted ₿USD carries a different cost profile than ₿USD that has been circulating for months. The proposed schedule:
| Holding Period | Fiat Fee | Rationale |
|---|---|---|
| 0 – 7 days | 3.0% | Prices out mint-and-redeem attack loops |
| 8 – 30 days | 1.5% | Discourages speculative cycling |
| 31 – 90 days | 0.5% | Modest friction; normal commerce unaffected |
| 91 – 180 days | 0.1% | Near-zero; long-term holders barely notice |
| > 180 days | 0.0% | Free. Organic holders face no penalty. |
BTC-default redemption carries its own fee schedule at a reduced rate, based on each ₿USD's holding period and network reserve depth. The fee is always lower than the equivalent fiat-path fee at every holding period. A holder who has been using ₿USD for daily commerce for six months pays very little to convert. A freshly acquired ₿USD attempting to convert within a week pays a steeper fee on either path. The fee structure makes rapid mint-and-redeem cycles expensive while leaving ordinary commerce completely unaffected.
6.3 Volume-Triggered Fee Escalation
Redemption fees also scale with aggregate redemption velocity. When rolling 7-day fiat redemption volume exceeds defined thresholds as a percentage of total supply, an additional surcharge applies automatically.
| 7-Day Fiat Volume (% of Supply) | Surcharge |
|---|---|
| Below 1% | +0.0% |
| 1 – 2% | +0.5% |
| 2 – 5% | +1.5% |
| Above 5% | +3.0% |
This is congestion pricing for the fiat exit ramp. The thresholds are published, auditable, and identical for everyone. They function as circuit breakers. The system is not preventing redemption. It is pricing the systemic cost of mass redemption into the transaction.
6.4 Adaptive Velocity Limits
The protocol imposes throughput limits on aggregate fiat redemptions. Under normal conditions, the proposed daily cap is 5% of outstanding supply. As velocity rises, the cap tightens. These limits apply only to the fiat exit. BTC-default redemption operates under its own graduated fee and throughput framework, with higher fees and soft limits during the system's early phase that ease automatically as reserve depth grows.
6.5 Redemption Notice Periods
Small fiat redemptions process immediately. Above $100,000, a notice period applies: 48 hours up to $1M, 7 days above that. The redemption is guaranteed. The notice period is a scheduling mechanism, not a gate. It gives the market time to absorb the information and prevents a single large actor from executing a surprise liquidation event. BTC-default redemption remains instant at any amount.
6.6 ₿OND Conversion
Any ₿USD holder can convert to a ₿OND at the current ₿C entry price at any time, at no cost, with no delay. This is the escape valve that absorbs fear without absorbing outflow.
During a market panic, instead of fleeing to fiat, holders move their capital from the spending layer to the savings layer. The consortium's reserves are untouched. No Bitcoin is sold. The circulating ₿USD supply contracts, improving network health metrics. The holder enters a return-targeted savings product whose dual-condition maturity ensures they receive their target return when conditions recover. The system converts panic into patience.
Section 07Structural Defenses Beyond the Toolkit
The six mechanisms above are the active defensive layer. But the ₿USD architecture also contains several structural properties that provide passive defense, operating continuously without activation thresholds because they are built into the system's design.
7.1 Circulation isolation
₿USD circulating on The ₿ridge Network, moving from wallet to wallet as a medium of exchange, exerts zero reserve pressure regardless of what BTC spot does. A million ₿USD transactions can occur without a single satoshi moving on Bitcoin's base layer. The base layer secures the reserves. The ₿ridge Network handles commerce. Reserve risk exists only at the boundary between the two. The more commerce that occurs within the ₿USD ecosystem, the smaller the proportion of activity that ever touches the reserve boundary. Adoption itself is a defense.
7.2 Self-fortifying reserves
Every ₿USD is minted at $1 backed by BTC purchased at spot. As Bitcoin's spot price appreciates, the BTC backing each $1 reserve note becomes worth more than $1. That surplus flows into Ledger 2 automatically. The reserve system recapitalizes itself as long as Bitcoin's long-run price trend continues. Over time, the proportion of notes in the black grows structurally. Older notes, issued months or years ago at lower spot prices, are deeply in surplus. Their surplus more than offsets any shortfall on recently minted notes that may be temporarily underwater. Time is a reserve asset.
7.3 Exit path gravity
The fee structure creates a natural hierarchy among exit paths. Converting ₿USD to ₿OND costs nothing and exerts no reserve pressure. Redeeming for BTC carries a low fee and disperses any subsequent selling. Redeeming for fiat carries the highest fee and is the only path that creates direct selling pressure. The lowest-friction paths are the ones that keep capital closest to Bitcoin. The highest-friction path is the one that imposes the greatest cost on the system. Capital gravitates toward the path of least resistance, which happens to be the path that strengthens the network.
| Exit Path | Friction | Market Impact | Ecosystem Effect |
|---|---|---|---|
| ₿USD → ₿OND | No fee | None. No reserve movement. | Strongly positive. Capital moves to savings layer. |
| ₿USD → BTC | Low fee | BTC transferred directly. No market selling. | Reserve draw without selling pressure. |
| ₿USD → Fiat | Highest fee | BTC sold from reserve at spot. | Reserve draw with selling pressure. Capital exits Bitcoin. |
7.4 Oracle resistance
The BTCADP reference price that governs ₿C, and by extension the fee calculations and coverage ratios, is the cumulative arithmetic mean of all daily values since January 3, 2009. After more than 6,000 data points, the daily drift of ₿C is measured in fractions of a percent. Moving the cumulative average by any meaningful amount would require sustained, large-scale manipulation of BTC spot across multiple qualified exchanges over an extended period. The trimmed mean methodology and exchange qualification filters prevent any single entity from influencing the reference price on any given day. As the dataset grows, the oracle becomes progressively harder to manipulate. Time is a defense here too.
7.5 Consortium distribution
₿USD is issued by a consortium of multiple independent, publicly traded treasury companies operating under a shared governance charter. The distributed structure means that a regulatory action in one jurisdiction, a liquidity crisis at one member, or a targeted attack against one entity does not bring down the system. Each member's reserves are held in publicly addressable Bitcoin wallets on the base layer, verifiable independently. A targeted consortium member attack is contained by the multi-member architecture.
Section 08The Calm-State Guarantee
Under normal network conditions, which is the vast majority of ₿USD's operational life, every active defensive mechanism is dormant. Transfers are instant and free. Redemptions are fast and cheap. ₿USD behaves identically to any other stablecoin. There are no spending restrictions, no geographic limits, no expiration dates, no category constraints. ₿USD must be a better value proposition than competing stablecoins for the end user, and that means the defensive layer cannot impose friction that users experience during normal operations.
The mechanisms activate only when the network's vital signs indicate abnormal stress. The thresholds are public, auditable, and identical for everyone. No human decides when to activate them. No committee votes. No emergency meeting. The protocol reads its own vital signs and responds.
Think of a circuit breaker behind a wall. It sits quietly for years. When the electrical load becomes dangerous, it trips automatically, instantly, without asking permission. It protects the house. The holder does not experience the defensive mechanism as a restriction. They experience it as the reason the system survived.
This is also what distinguishes ₿USD from a CBDC in practical daily use. A CBDC's programmable restrictions, expiration dates, spending limits, geographic fencing, are designed to be active during normal operation. They are features of the currency in its default state. The ₿USD defensive mechanisms are designed to be invisible during normal operation and active only under stress. The user experience during calm markets is indistinguishable from any other dollar stablecoin. The difference emerges only when it matters most.
Section 09Game Theory: Why the Attack Becomes Uneconomical
Consider the coordinated short-plus-redemption attack against a defensively programmable ₿USD. The attacker mints $100M in ₿USD, builds a $100M BTC short position, then attempts mass fiat redemption to force selling and crash spot. The obstacles stack:
BTC-default redemption means the consortium transfers Bitcoin to the redeemer rather than executing a concentrated sell order. Any subsequent selling is distributed across the open market at the redeemer's pace. No reflexive crash. No short profit from forced selling.
Time-weighted fees on freshly minted ₿USD cost 3%, or $3M on a $100M position, before any potential profit materializes.
Volume-triggered escalation adds another 3% at scale, bringing the total fee burden to $6M.
Redemption notice periods above $100K add 48 hours to 7 days of delay, during which the short position carries funding costs and the market can absorb the information and react.
Velocity limits spread the fiat redemption over weeks. Even if the attacker accepts BTC-default redemption and sells personally, the selling is distributed and gradual. Nothing like the concentrated dump a short position requires.
The expected return of such an attack is deeply negative. The mechanisms do not eliminate the theoretical possibility of attack. They make it economically irrational to attempt.
The defender's advantage is structural, not tactical. The protocol does not need to detect the attacker, identify their strategy, or respond in real time. It applies the same rules to everyone. The rules happen to make the attack uneconomical. Defense by design, not defense by decision.
The Full Inversion: CBDC vs. TBDC
| Property | CBDC | TBDC (₿USD) |
|---|---|---|
| Programmability serves | The issuing authority | The monetary network and its holders |
| Holder surveillance | Built in by design | Not built into the protocol. Distribution layer subject to regulatory requirements. |
| Spending restrictions | Expiration dates, category limits, geographic fencing | None. Holders spend freely. |
| Default state | Restrictions active during normal operation | All defenses dormant during normal operation |
| Crisis behavior | Authorities freeze accounts at discretion | Protocol hardens autonomously to protect all holders equally |
| Redemption control | Issuer can deny or delay at discretion | Deterministic rules, no discretion, BTC-default always available |
| Defense trigger | Political decision | On-chain metrics breach published thresholds |
| Collateral | Government promise | Bitcoin on the base layer, verifiable in real time |
| Monetary policy | Committee discretion. QE, negative rates possible. | Algorithmic. Coverage ratio formula governs. |
| Supply constraint | None. Central bank can expand at will. | Bitcoin reserves only. Cannot exceed holdings. |
| Who benefits | The state | Every holder equally |
| Failure mode | Policy change, authoritarian overreach | BTC sustained below lifetime average (no precedent) |
Open Questions
The framework presented here is a starting point. The core design principles, defense by protocol rather than committee, reserve note metadata about the money rather than the person, calm-state invisibility, are proposed as fixed. The specific parameters are proposed as defaults that will benefit from further research and real-world calibration.
Fee schedule optimization. Are the proposed time-weighted fee tiers and volume-triggered escalation thresholds optimal? Game-theoretic modeling and adversarial simulation could refine these parameters. The fees must be high enough to make attacks uneconomical but low enough that ₿USD remains more attractive than competing stablecoins for ordinary users.
Velocity limit calibration. The proposed 5% daily cap on fiat redemptions is a starting value. Agent-based modeling of redemption behavior under various stress scenarios could identify the optimal cap and tightening curve.
Consortium member isolation. How should the defensive mechanisms interact with a targeted attack against a single consortium member? Should cross-member reserve pooling activate under certain conditions, or does strict separation provide stronger guarantees?
Governance of parameter updates. If the thresholds need adjustment as the system matures, what governance mechanism preserves the principle that no human can override the active defenses while still allowing calibration of dormant parameters?
Privacy properties. The framework claims the protocol cannot identify holders. A formal analysis of the privacy guarantees and their boundaries, particularly at the intersection of ₿ridge Network transactions and distribution-layer KYC, would strengthen confidence in this claim.
Additional defensive mechanisms. Are there attack vectors or stress scenarios that the current six-mechanism toolkit does not adequately address? Researchers and treasury companies implementing the framework may identify gaps that call for additional protocol-level responses.
PBP# and treasury accounting. The PBP# burn order front-loads realized gains, which is optimal for reserve health. Treasury companies will need to determine how this interacts with their tax reporting and financial accounting obligations. The burn order is an operational decision at the protocol level. The accounting method used to report the resulting gains and losses to tax authorities may differ by jurisdiction. Whether regulators require companies to report in the order transactions actually occurred (PBP#) or permit alternative inventory methods is a question that needs professional accounting and legal input.
The Long Game
Every mechanism in this paper is designed for the transition period, the years during which holders still think of ₿USD as "digital dollars" and fiat redemption remains psychologically relevant. As the ecosystem matures, as merchants accept ₿USD, workers receive salaries, lenders denominate loans, redemption becomes economically irrational. ₿USD circulates indefinitely. Reserve pressure approaches zero.
The defensive mechanisms go permanently dormant. Not because they are disabled, but because the conditions that would trigger them can no longer occur. The bridge to fiat remains open. Nobody crosses it. The defenses kept the network alive long enough for the network to become self-sustaining.
This is the fundamental distinction. CBDC controls are designed to be permanent, an architecture of indefinite state authority over money. ₿USD defenses are designed to be temporary, scaffolding that comes down when the building can stand on its own.
ConclusionMoney That Protects, Not Controls
Programmable money is coming. CBDCs are in active development across more than 130 countries. The question is not whether programmable money will exist. The question is whether the only programmable money available will be money that serves the state at the expense of the individual.
The technical capability that enables CBDC surveillance can be repurposed, structurally, permanently, and verifiably, to build money that defends the people who hold it. The ₿USD defensive programmability framework demonstrates how. Reserve notes that carry data about themselves rather than their holders. A system that monitors its own vital signs rather than the economic behavior of its users. Defenses that activate autonomously under stress and remain invisible during calm. A fee structure that prices the actual systemic cost of each exit path. Reserves that strengthen over time. An oracle that becomes harder to manipulate with each passing day.
CBDCs program money to control its holders. TBDCs program money to defend them. Same technology, opposite philosophy, opposite beneficiary. The world does not have to choose between uncontrolled money and controlled people. It can have programmable money that serves the people who hold it.