Whyte ConsolidatedWhyte Consolidated
Article · June 2, 2026 · Banking & regulation

Machine-coded banking policies.
Pre-committed exit routes on BTX.

A redemption stalls. A bridge batch funds but never settles. The issuer pauses the product, or winds it down entirely. In every one of those moments, the question is the same: who can claim what, under which rule, with what evidence — and is anyone going to argue about it later?

A pre-committed exit route is the answer written down before the incident. Not a help-desk macro after the fact, but a record committed into the same audit structure as the original transaction — who can exit, what they can claim, where the value goes, what timeout applies, and which machine-coded banking policycontrols it. On BTX, that record is anchored alongside the action itself, in the same aggregate commitment, with the customer-private details kept off-chain. The bank's rules stop being unwritten norms or PDF procedures and become an executable artefact — versioned, signed, and verifiable. The exit route stops being something operations has to invent during a crisis. It is already part of the design.

action_root/data_availability_root/recovery_or_exit_root/policy_commitment

Whyte Consolidated Research · 2026-06-02 · 12 min read · Draft companion to specs/btx-bank-stablecoin-l2-spec.md

1 · Why exit routes matter

Bank stablecoins need credible recovery, not just fast transfers.

Customers, banks, auditors, and regulators all need to know what happens when the normal path breaks. The normal path is easy to explain: a customer deposits dollars, the bank allocates reserves, the issuer mints the stablecoin, users transfer, a user redeems, the issuer burns or locks the redeemed tokens, and the ledger batches are anchored to BTX.

The harder questions are the ones a serious product has to answer in advance. What if a bridge batch is funded but settlement does not complete? What if the issuer has to pause redemptions? What if a payout fails? What if an account is frozen by mistake? What if the issuer winds down the product or the operator disappears? What if customers need proof of their claims?

Pre-committed exits answer those questions before the incident happens. They turn recovery from an afterthought into part of the original transaction design — and they give every party in the system a defined, evidence-bearing claim to work from when things deviate from the happy path.

2 · What “pre-committed” means

The exit record sits inside the same audit structure as the action.

Pre-committed means the exit information is committed beforefailure. The system does not just say, “we'll handle problems later.” It creates an exit record and commits that record into the same audit structure as the normal transaction. For a bank stablecoin, each batch should know the normal action being performed, the policy that allowed the action, the data needed to verify the action later, the exit or recovery path if the action fails, and the customer claim state if the issuer ever has to wind down.

All of that information can be hashed into a tree. The tree root can be anchored to BTX. The full private details stay in the issuer L2, auditor systems, or customer proof portal — but the root on BTX proves the state existed. That separation is what makes the design both private and credibly auditable at the same time.

3 · The BTX building blocks

Four roots, committed together, per relevant batch.

The BTX bridge framework already has an aggregate commitment with the pieces a serious exit design needs. A real exit route is not just a payment address; it needs policy, evidence, data, and a claim state. These four roots are how the network commits to all of them at once.

action_root

What the batch did

The normal action: mints, redemptions, transfers, settlements. The canonical record of intent and execution for the batch.

data_availability_root

Where the data lives

Where supporting evidence can be retrieved and verified — issuer L2, auditor systems, customer proof portal. Public roots, private leaves.

recovery_or_exit_root

The way out

Fallback claims attached to the batch: refunds, redemption claims, wind-down rights, frozen-balance review. Committed alongside the action.

policy_commitment

The rules that governed it

Which policy approved the action, which version applied, who can override. Powerful exit routes need bounded authority.

4 · Recovery vs. exit

Related ideas — but not the same thing.

Recovery means the system is still trying to complete the intended transaction or repair a stuck settlement. Exit means the system is no longer relying on the normal path, and is giving the customer, operator, or issuer a defined way to reclaim, redeem, refund, or prove a claim.

If a bridge settlement is stuck but can still complete, the wallet should retry — that is recovery. If settlement does not complete by the timeout height, the wallet may switch to a refund path — that is an exit. If a customer redemption is delayed but still active, the issuer keeps it in the redemption queue — recovery. If the issuer winds down the product, the customer needs a claim against the remaining reserve pool — exit. The clean design commits both in advance, so neither has to be invented during an incident.

The mechanics that make this practical are already in the framework. The bridge plan includes a refund_lock_height — an absolute chain height after which the refund path becomes eligible. The wallet keeps a pending recovery journal that records the bridge plan, the funding outpoint, the funded amount, refund destination, refund fee, retry counts, last errors, settlement transaction IDs, and refund transaction IDs. Operations stay visible, retries are safe, the refund switch is deterministic, and every outcome is archived — not lost in a one-shot transaction that requires manual rebuild on failure.

5 · Inside an exit leaf

A useful exit route carries more than a destination.

For a bank stablecoin, an exit leaf should carry the identifiers, amounts, claim type, trigger condition, destination, policy reference, evidence pointer, and status. The actual customer information does not have to be public — the public BTX commitment only needs the root. Customers, auditors, and regulators receive the proofs they are allowed to see.

{
  "version": 1,
  "exit_id": "exit_01J...",
  "asset_id": "stablecoin",
  "claim_type": "redemption_claim",
  "customer_id_hash": "hex",
  "account_id_hash": "hex",
  "amount_micro_usd": "1000000000",
  "normal_action_id": "redemption_01J...",
  "trigger_condition": {
    "type": "redemption_sla_expired",
    "deadline": "2026-06-05T17:00:00Z"
  },
  "destination_hash": "hex",
  "policy_id": "redemption-policy-usd-v1",
  "policy_version": 1,
  "policy_root": "hex",
  "evidence_hash": "hex",
  "status": "pending"
}

The claim_type may be a bridge timeout refund, a redemption claim, a failed-payout recovery, a wind-down claim, a frozen-balance review, or a migration claim. The trigger_condition may be a block height, a redemption SLA deadline, a failed-payout status, a bank-approved wind-down event, a regulator instruction, or a migration snapshot. Each leaf points back to a policy_id and version, so the rule that authorised the exit is itself committed and audit-traceable.

6 · Seven types of exit routes

From a stuck bridge to a full product wind-down.

Every relevant action in a bank stablecoin maps to one of these routes. Each is policy-bound, evidence-bearing, and has a defined status — and each is included in an anchored root when the batch is committed.

01

Bridge timeout refund

If a funded settlement does not confirm by the refund_lock_height, the pre-recorded refund route becomes available. Deterministic recovery instead of trapped funds.

02

Redemption claim

The moment a redemption is accepted, the L2 creates a claim. If the payout completes, the claim closes. If it stalls, the claim stays visible and escalates under the redemption policy.

03

Failed payout recovery

Wrong account, rejected wire, sanctions review — the policy defines the next step: retry, re-verify, restore the stablecoin balance, or escalate. Every option audit-recorded.

04

Pause and emergency exit

A pause is not a confiscation. The route shows which balances are affected, whether redemptions still accept, the authorising policy, and how the pause is lifted.

05

Wind-down claim

Snapshot of holders, claim tree, reserve pool, priorities, deadlines, treatment of frozen balances — anchored through recovery_or_exit_root so customers can prove their claim without a support ticket.

06

Frozen balance review

A freeze records the amount, authority, reason, approvers, review deadline, and release path. The exit may be a payout or a review path — but never invisible.

07

Native asset migration

If BTX later supports a native stablecoin, the issuer-ledger version migrates under a published claim tree: snapshot, eligibility, replay protection, and treatment of pending redemptions.

7 · Policy and data availability

Powerful routes need bounded authority and verifiable leaves.

Exit routes must be governed by policy. Every route should point to a policy root that answers who approved it, what rule allowed it, what customer rights apply, what deadlines apply, what evidence must be preserved, who can override it, and how it is audited. Exit routes are powerful — a bad exit policy could let an operator redirect value. A good one makes the route predictable, controlled, and reviewable.

An exit root is also not enough on its own. Somebody has to be able to verify the leaves. The issuer should define where exit evidence is stored and who can retrieve it: customers can pull their own exit proof; auditors can pull aggregate proofs; regulators can pull supervised proof sets; the bank holds the full operational record; the public can verify the BTX root and any public attestation. That structure keeps customer privacy intact while preserving full auditability of the system as a whole.

8 · Worked examples

What the pre-committed design looks like in three real incidents.

A stuck bridge batch

A bridge batch is funded. The normal path is settlement; the system builds the plan, records the batch, and tracks it in the pending journal. The pre-committed exit route already says: here is the refund key, the refund destination, the refund fee policy, the refund timeout height, the batch commitment, and the policy root that governs fallback. If settlement confirms, the operation is archived as settlement. If settlement does not complete and the refund height is reached, the wallet builds and submits the refund — archived in turn. No one has to invent the fallback in the middle of an incident.

A delayed redemption

A customer redeems 50,000 units of the stablecoin. The L2 creates a redemption event andan exit claim at the same time — the claim is the customer's pending right to receive the corresponding fiat under the redemption policy. If the payout succeeds, the claim closes. If it fails, the claim stays open and moves to the failed-payout recovery path. If the issuer later enters wind-down, that open claim is already part of the wind-down claim evidence.

A product wind-down

The bank decides to shut down the stablecoin. A weak system tells customers to contact support and wait for manual processing. A stronger system publishes a snapshot of holders, a claim tree, a reserve snapshot, a redemption schedule, a policy commitment, and a BTX anchor for the wind-down root. Customers can prove their claim from a published proof — not from a support ticket. The wind-down stops being a discretionary process and starts being a verifiable one.

9 · What each party can prove

Customers prove their claim. Auditors prove the system.

A customer should be able to prove that their balance event was included in an anchored batch, that their redemption request was accepted, that their pending redemption appears in the exit tree, that their payout was completed or is still pending, that their claim appears in a wind-down root if wind-down happens, and that the policy version governing their claim is identifiable. That proof never has to reveal any other customer — only the path and evidence for the one customer's claim.

An auditor should be able to prove total issued supply, total pending redemptions, total exit claims, reserve coverage after haircuts, completeness of redemption queues, whether exit claims reconcile to ledger balances, whether anchored roots match internal records, and whether policy changes were approved before they were used. This is where pre-committed exits stop being a technical feature and start being a control framework — the same set of roots that runs the product also satisfies the auditor and regulator without a separate parallel system.

And BTX, on its side, does not pretend to be the bank. BTX does not decide whether a customer passed KYC, whether a reserve asset is legally eligible, whether a T-bill is correctly valued, whether a fiat payout settled, whether a frozen account should be released, or whether a regulator order is valid. Those decisions belong to the issuer L2, the bank, legal counsel, compliance, treasury, custodians, auditors, and regulators. BTX provides the public commitment layer — and the commitments it provides are exactly the ones that make the bank's claims harder to rewrite after the fact.

10 · The design at a glance

Four numbers that frame the architecture.

4 roots
Anchored per batch
action · data · exit · policy
7 routes
Exit types
Bridge, redemption, payout, pause, wind-down, freeze, migration
L2
Enforcement
Issuer ledger applies banking rules
BTX
Anchor
Public commitment of the four roots

A practical operating model: define exit policies before launch; build exit leaves for every relevant action; include them in an exit tree; anchor the exit root to BTX with each relevant batch; keep a pending recovery journal; retry normal settlement while it is eligible; switch to refund or claim handling when the timeout or policy trigger occurs; archive completed exits after the required confirmation depth; and keep proofs available for customers, auditors, and regulators. Treated as core infrastructure, not an optional back-office feature.

Bottom line

Every important action knows its way out before it goes in.

Pre-committed exit routes make the BTX bank-stablecoin design more credible. They turn recovery from an afterthought into part of the original transaction design. They give customers a clearer claim, auditors a better trail, operators a safer runbook, and the bank a stronger control framework.

The split is straightforward. Use the issuer L2 to enforce the banking rules. Use BTX to anchor the action root, the policy root, the data root, and the recovery-or-exit root. That gives the product a practical exit architecture without pretending the MVP stablecoin is already a native BTX asset — and it gives every party in the system a defined, evidence-bearing place to land when the normal path breaks.

Frequently asked

Pre-committed exit routes, in brief.

What is a pre-committed exit route?
A pre-committed exit route is a planned way out of a transaction, bridge batch, stablecoin balance, or issuer-ledger position — recorded before anything goes wrong. It defines who can exit, what they can claim, where the value should go, what timeout applies, what policy controls it, and what evidence proves the claim.
How is an exit different from a recovery?
Recovery is the system still trying to complete the intended transaction — retry settlement, work the redemption queue. An exit is when the system stops relying on the normal path and gives the customer, operator, or issuer a defined way to reclaim, redeem, refund, or prove a claim. A clean design commits both in advance.
What does BTX actually anchor for a bank stablecoin?
BTX anchors four roots per relevant batch: an action_root for what the batch did, a data_availability_root for where supporting data can be verified, a recovery_or_exit_root for the fallback claims, and a policy_commitment for the rules that governed the batch. The customer-private details stay in the issuer L2; the public commitment only needs the root.
Who enforces the exit policy — BTX or the bank?
The issuer L2 enforces the policy. BTX anchors the evidence that the policy and exit route existed at the time the batch was committed. BTX does not decide KYC, reserve eligibility, payout settlement, or freeze releases — those are banking facts that belong to the bank, compliance, custodians, and regulators.
What types of exit routes does the design cover?
Seven: bridge timeout refunds, redemption claims, failed-payout recovery, pause and emergency exits, full product wind-down, frozen-balance review, and native-asset migration. Each one is policy-bound, has evidence, has a status, and is included in an anchored root when relevant.
Context & further reading

This article is a draft companion to the BTX bank-stablecoin L2 specification. The items below are primary sources and related pieces from this site — they are not endorsements of any system or token.

For informational purposes only. Not financial, investment, or legal advice. This article is a draft companion to the BTX bank-stablecoin L2 specification and may change as the spec evolves. Systems, protocols, and tokens referenced are described for context and are not endorsements. Readers should conduct their own research and consult qualified professionals before deploying capital.

← Back to the blog