# Comment on Treasury ANPRM: GENIUS Act Implementation **Agency:** U.S. Department of the Treasury **Docket:** TREAS-DO-2025-0037 | **RIN:** 1505-ZA10 **Federal Register:** 90 FR 45159 (Sept 19, 2025); comment period **extended to Nov 4, 2025** (90 FR 47251, Oct 1, 2025) **Submitted by:** *Working Doge LLC* (research group; **no offering or sale of any token**) **Date:** November 3, 2025 **Purpose:** Provide neutral, technical observations on **issuance-layer risk** and **code-level mitigations**. **Non‑solicitation & status.** This comment is **informational**. It is **not** an offer to sell, a solicitation of an offer to buy, or a request for funding, customers, or users. We are **pre‑deployment** and **not offering or selling any token** or financial instrument. Our proposals are **policy and technical recommendations** intended to assist Treasury. --- ## Executive Summary **Claim.** Current rules couple *promises* to reserves (end-of-day parity; periodic attestations) rather than *mints* to reserves. This permits **transient, unverified supply** to exist intraday and propagate across venues when operational mistakes occur. **Evidence.** In October 2025, a widely reported internal error produced a large, erroneous stablecoin mint that was burned minutes later; several DeFi venues temporarily **froze** related markets as a precaution. The issue was not a breach; it was a **gap in issuance verification**. **Conclusion.** The only durable fix is a **Mint Verification Function (MVF)** that binds every `mint()` to **provable backing**. In a **collateralized issuance** model—**C + D = Collateral + Debt**—the MVF becomes a **Debt Verification Function (DVF)** that constrains minted **debt** against **escrowed collateral** (e.g., programmable Treasuries). Where reserves are **directly issued** on‑chain, MVF reduces to a reserve‑creation witness; where reserves are **collateralized**, DVF reduces to an **over‑collateralization witness**. In both cases, supply and backing are **coupled by code**. **National security.** Without mint‑time verification, a compromised or hostile **foreign or domestic issuer** could execute an **“infinite‑mint” shock** to undermine confidence in dollar‑linked rails; MVF/DVF makes invalid issuance **impossible by construction**: **no capacity/no reserve = no mint**. **Key requests (short form).** 1. Make **MVF/DVF mandatory** for PPSIs. 2. Recognize **programmable Treasuries** as the preferred **collateral** (and as the reserve in direct‑issuance designs). 3. Require **machine‑readable incident events** for failed/blocked issuance attempts. 4. Provide a **deemed‑compliance lane + 12‑month pilot** for PPSIs implementing **C + D** with DVF and programmable‑Treasury collateral (see § VI‑A). 5. **Process:** Host a **public technical workshop** (post‑ANPRM) focused on issuance‑layer safety; we will participate on a non‑exclusive basis alongside other submitters. --- ## I. How current regulations construct the issuance vulnerability - **State baselines (e.g., NYDFS 2022).** 1:1 backing at all times, timely redemption, and **monthly** independent CPA work. These frameworks generally **do not require** an issuance‑time predicate that ties each on‑chain `mint()` to backing (reserve creation or borrowing capacity). Intraday, an unverified mint can occur and be reversed later while end‑of‑day reports still reconcile. - **GENIUS ANPRM (federal posture).** The ANPRM invites comment on issuer requirements and “technological capability,” but does not yet prescribe a **mint‑time verification** gate. Absent such a gate, a system can be compliant **ex post** while leaving the **ex‑ante** issuance surface open. > **Result.** Compliance can be met *ex post* while leaving intact the *ex‑ante* vulnerability: an **unverified mint** can execute and propagate across venues **before** human or audit controls react. In DeFi, this manifests as a **MEV window**—a brief interval where searchers/validators can extract value from dislocations created by the transient supply shock. (See § II.) --- ## II. Case study (abbreviated): why verification must occur at **mint** - **Observed pattern.** A large, erroneous mint occurred due to an internal process error and was burned within ~20 minutes; certain lending venues froze affected markets as a precaution. - **Implication.** Even with rapid remediation, a transient, unconstrained mint created **ecosystem‑wide externalities**. Policies, timelocks, and monthly attestations **cannot** eliminate this—because they do not **bind the act of minting to backing** (reserve creation or borrowing capacity). **Policy takeaway.** GENIUS should require that issuance **fails closed by construction**: if a mint lacks backing or exceeds deterministic caps, it **must revert on‑chain**. --- ## III. MEV window from unverified mints (structural risk) - **MEV (maximal extractable value)** is value captured by builders/validators/searchers by **choosing ordering, inclusion, or censorship** of transactions. - **How the window opens.** Without a mint‑time verification gate, a transient supply shock hits markets; **before** correction lands on‑chain, venues/oracles reflect inconsistent states. - **What gets extracted.** Cross‑venue arbitrage, priority‑gas auctions around liquidations, and toxic‑orderflow capture—**driven by the temporary supply imbalance**, not organic price discovery. - **Why policy controls don’t close it.** Multisig policies, timelocks, and attestations may reduce frequency/magnitude but **cannot eliminate** the **possibility** of an out‑of‑invariant mint—so the **MEV window** remains non‑zero. --- ## III‑A. National‑security risk: infinite‑mint destabilization vector Absent an MVF/DVF that binds `mint()` to **authoritative backing** (reserve creation or borrowing capacity), a hostile actor (or compromised issuer) can effect a **large, intraday over‑mint** that propagates across exchanges and lending venues before policy‑level controls react—targeting **confidence in dollar‑denominated settlement rails**. In DeFi this presents as a **MEV window**; in TradFi, it manifests as sudden collateral and liquidity stress. **MVF/DVF + programmable Treasuries** eliminate this vector by making invalid issuance **impossible by construction**. --- ## IV. Formal necessity: MVF/DVF Let `S(t)` be total supply (debt outstanding) at time *t*, `C(t)` the set of escrowed collateral positions, and `Cap(C)` the **borrowing capacity** of collateral (after haircuts, buffers). For direct issuance, treat `Cap` as the reserve amount available to back `S` at par. - **Safety invariant (collateralized form):** `∀ t. S(t) ≤ Cap(C(t))`. - **Necessity.** If the invariant must hold on **every** execution trace, then every successful `mint(Δ)` must pass a predicate that binds `Δ` to **either** (i) authoritative reserve creation (MVF) **or** (ii) an **authoritative increase in borrowing capacity** from escrowed collateral (DVF). Otherwise, there exists a trace where `S` increases while backing does not, violating the invariant. **MEV‑minimization principle.** For invalid issuance attempts, the **MEV window** `W = t_fix − t_mint` must be **zero**. MVF/DVF makes `W = 0` by construction (the transaction reverts). --- ## V. Minimal **DVF** design — type‑theoretic specification (C + D = Collateral + Dollar) > **Intent.** Make an **invalid mint** **not typable**. Well‑typed traces preserve the collateralization invariant and give a **zero‑length MEV window**. ### A. Primitives & state - Asset set `A`; quantities `q : A → ℚ≥0`. - **Haircut** `h : A → [0,1]`; **price** `p : A → ℚ≥0` (par = 1 for tokenized bills). - **Effective collateral value**: `ECV(C) = Σ_a h(a) · p(a) · q(a)` (over escrowed positions). - **Borrowing capacity**: `Cap(C) = ECV(C) − Buffer`, with policy `Buffer ≥ 0`. - State (collateralized form): ``` record StateCD : Type := (S : ℚ≥0) -- stablecoin supply (C : Collateral) -- escrowed collateral positions (inv : S ≤ Cap(C)) -- invariant: overcollateralized ``` ### B. DVF as a type ``` -- Witness that capacity increased (new collateral, price update, haircut change) record CapacityWitness (C C' : Collateral) (Δ : ℚ≥0) : Prop := (cap : Cap(C') = Cap(C) + Δ) -- Mint only constructible with a capacity witness Mint : (Δ : ℚ≥0) → (s : StateCD) → { C' : Collateral // CapacityWitness s.C C' Δ } → StateCD ``` **Construction.** `Mint Δ s ⟨C', π⟩` returns `s'` with `s'.S = s.S + Δ`, `s'.C = C'`, and `s'.inv` from `s.inv` and `π.cap` (i.e., `s.S + Δ ≤ Cap(C) + Δ = Cap(C')`). ### C. Core theorems ``` -- Safety (preservation) theorem preservation_CD : ∀ (Δ) (s : StateCD) (w : {C' // CapacityWitness s.C C' Δ}), (MintDebt Δ s w).inv. -- No invalid mints (progress) theorem progress_CD : ∀ (Δ) (s : StateCD), ¬ ∃ s', s' = MintDebt Δ s ?no_witness. -- MEV bound (invalid debt mints do not appear) corollary mev_window_zero_CD : ∀ traces, WellTyped traces → (InvalidDebtMint ∉ traces). ``` ### D. Notes on **programmable Treasuries** (as collateral) - If collateral is **authoritative on‑chain** (tokenized T‑bills / gov MMF shares), `p` and `h` can be **constant rules** (par with conservative haircuts) and `CapacityWitness` is produced **atomically** by the escrow contract. - If collateral is off‑chain, use a **multi‑source attestation witness** with freshness bounds; this is weaker but still a DVF. --- ## VI. Programmable Treasuries align with Treasury’s software rules Treasury systems encode constraints that map to **type preconditions**: auction cadence (4–52 weeks), non‑competitive **$10M** cap, **35%** competitive award limit, auto‑reinvest/scheduling, **45‑day** original‑issue hold. In DVF, these become **policy constants** that govern haircuts, buffers, and issuance windows. --- ## VI‑A. Constructed opening for the **C + D Protocol** (deemed‑compliance & pilot) **Definition.** **C + D** = **Collateral** (escrowed, programmable‑Treasury assets) + **Debt** (stablecoin liability minted against **borrowing capacity**). **Purpose.** Provide a **deemed‑compliance path** and **pilot lane** for PPSIs implementing **DVF‑first collateralized issuance** via **programmable Treasuries**. **Participation (non‑exclusive).** If Treasury establishes a **transparent, open pilot**, we are **willing to participate** on the same terms as any qualified applicant. We seek **no preference** or exclusive designation; the **C + D reference** is offered as an **illustrative architecture** others may implement or critique. **Deemed‑compliance criteria (illustrative).** A PPSI is **deemed to comply** with issuer requirements (Q10–Q16) and technological capability (Q23) if it implements: 1. **DVF (collateralized issuance)** with a **CapacityWitness** (see § V). 2. **Deterministic limits:** per‑tx/rolling mint caps; **auction‑aware** windows; haircut & buffer constants. 3. **Portfolio guards:** WAM and ladder bands; breach → **block mint** and trigger disclosure. 4. **Keying & governance:** threshold keys; **on‑chain timelock** for parameter increases. 5. **Integrity events:** `DebtMintAttemptWithoutCapacity`, `AttestationStale`, `MintExceededCap`. 6. **Transparency:** daily machine‑readable supply, collateral buckets, WAM, concentration; **1‑BD** incident reports. **Direct‑Issuance Pilot (optional, complementary).** Treasury may concurrently pilot **MVF‑by‑construction** designs; both pilots share the same telemetry and integrity‑event schema. > **Note (status).** We are **pre‑deployment and not offering or selling any token**. The C + D Protocol is an **illustrative** architecture to help scope a DVF‑first deemed‑compliance lane. --- ## VII. Policy requests to Treasury 1) **Mandate MVF/DVF** at mint for all PPSIs. 2) Recognize **programmable Treasuries** as preferred collateral (and as reserve for direct issuance). 3) **Standardize integrity events** for failed capacity/reserve checks. 4) **Create a C + D pilot** with public telemetry and monthly invariant proofs. 5) **Host a public technical workshop** (post‑ANPRM) on issuance‑layer safety; include DVF/MVF invariants and Integrity Events schema. --- ## VIII. Closing Under current frameworks, issuers can meet end‑of‑day metrics **even if** a **transient, unverified mint** occurred intraday. With **MVF/DVF + programmable Treasuries**, **no capacity/no reserve = no mint**; issuance errors **revert by construction**, the **MEV window** for invalid issuance disappears, and lawful‑order capability improves via **mint‑scope** controls without broad freezes. **Community review (separate from the docket).** A public draft of the MVF/DVF specification is posted for **technical peer review**. Feedback collected there is **non‑binding**; the **docketed** version governs for rulemaking purposes. **Respectfully submitted,** *Satoshi Nakamoto*