A mid-sized bank settles ~$2B/day across Fedwire, CHIPS, SWIFT, and a
regional faster-payments rail. For wires above a policy threshold
(e.g., $1M), internal controls require two separately-credentialed
officers to cosign, with a compliance officer review for anything
above $10M.
Current production reality at most banks:
Cosigning is a spreadsheet workflow wrapped around a hardware
security module (HSM). The “second signature” is often a scanned
approval PDF attached in a ticket.
When an HSM dies (firmware bug, cert expiry, a staff member
departs), remediation is an emergency vendor ticket. Wires pile up.
Replay protection is transaction-ID uniqueness in the core banking
system, which is a single point of contention. If the core is
unreachable (e.g., DR failover), two branches can process the same
wire twice.
There’s no cryptographic audit trail of “which officer’s key
approved this wire”, only a database row with a user ID.
When an auditor or regulator asks “prove this $50M wire was authorized
by two distinct, active officers on that date,” the answer is a
screenshot of an SSO login event plus an emailed PDF. Nobody is happy
about that.
Why Quidnug fits
The capabilities Quidnug offers line up directly with the primitives a
multi-party wire-approval system needs:
Problem
Quidnug primitive
”Which officers can approve this class of wire?”
GuardianSetUpdate, on-chain M-of-N quorum
”Is this approval replay-safe?”
Per-signer monotonic anchor nonces
”Officer’s HSM died, now what?”
GuardianRecoveryInit + time-locked rotation
”How do we audit this?”
Signed anchor history in the blockchain
”How do we coordinate policy changes?”
ForkBlockTransaction at scheduled height
”Compliance needs to veto in-flight wires”
Guardian recovery veto (within delay window)
A wire approval becomes: a TITLE transaction over the wire
instruction, authorized by the bank’s M-of-N guardian set, with each
cosigner’s signature at their own monotonically-advancing nonce.
Each officer holds their own HSM-backed signing key. The bank’s node
tracks the on-chain guardian set; wire instructions route to officers
for signing; signed titles are published to a consortium of peer
banks (clearing counterparties, correspondent banks, regulators) that
all run Quidnug nodes.
Key Quidnug features used
GuardianSetUpdate (QDP-0002), declares which officers have
approval authority, with weighted thresholds so the compliance
officer (weight=2) counts as two regular officers. Every officer
in the set must have on-chain consented.
Per-signer anchor nonces (QDP-0001), each wire approval
includes an officer’s anchor-nonce that must strictly advance. A
replayed approval from a captured session is rejected at the
ledger.
Guardian-based recovery (QDP-0002 §6.4.4), when Alice’s HSM
fails, her coworkers (her personal guardian set, separate from the
bank’s approval set) initiate a rotation to a new HSM. The default
1-hour time-lock window is plenty for Alice to veto if she’s at a
coffee shop and not actually dead.
GuardianResignation (QDP-0006), when Alice leaves the bank,
she resigns from the approval set. Doesn’t invalidate wires
already in flight.
Lazy epoch probe (QDP-0007), correspondent banks that haven’t
seen Alice sign a wire in 30 days probe her home domain before
accepting a new approval. Catches the “Alice’s old key was
compromised after she rotated but before the counterparty learned
of the rotation” attack.
Fork-block trigger (QDP-0009), when the consortium decides
to raise the high-value threshold from $10M to $25M, a fork-block
transaction signed by a quorum of member banks activates the new
rule at a future height across all participants simultaneously.
wire_approval.py, pure decision logic: tier selection,
weighted signers, role gating, per-signer NonceLedger,
counterparty verification.
wire_approval_test.py, 14 pytest cases across the full
decision surface.
demo.py, seven-step end-to-end flow: install tiered
policy, run three wires across the tier boundaries,
receiver re-verification, replay-defense demonstration.
architecture.md, detailed data model,
sequence diagrams, per-component breakdown
integration.md, how the use case composes
on top of the three architectural pillars (QDP-0012 governance,
QDP-0013 federation, QDP-0014 discovery + sharding); why each
bank is its own network
operations.md, deployment topology by
bank scale (community / regional / national / global),
capacity planning, daily ops playbook, incident response,
SWIFT/Fedwire/SEPA bridge patterns
launch-checklist.md, T-180 through
T+30 bank-onboarding sequence: legal + regulatory foundation,
HSM procurement, governance setup, peer federation,
staged rollout to production
implementation.md, concrete Quidnug API
calls with Go and shell examples
threat-model.md, attacker profiles, what the
design defends against, explicit limits
UseCases/elections/, companion coordination-
archetype use case (same governance + federation + discovery
story, different deployment profile)
Out of scope for this design
Actual settlement finality. Quidnug authorizes; the Fedwire /
CHIPS / SWIFT gateway still settles. This design is the approval
and audit layer, not replacement for the rails.
AML/KYC on the payee. Standard compliance tooling still runs;
the Quidnug layer attests that the bank’s internal controls were
followed.
Encryption of wire contents. All signed data is in the open on
the consortium chain. A production system would encrypt the wire
payload and store a hash on-chain, decrypting via a separate
key-management flow. That’s a design axis orthogonal to trust.
PendingRecovery stored; Alice can veto if she's actually fine.
[t+1h11m] No veto. Commit transaction lands automatically or is
explicitly POSTed. Alice's currentEpoch advances to 1;
new HSM's key is authoritative going forward.
[t+1h12m] Any in-flight wire approvals signed under the OLD epoch
within the MaxAcceptedOldNonce window still settle. After
that cap, old-epoch signatures are rejected.
Wires that Alice had partially approved before the HSM failure
complete via the original signatures, the rotation doesn’t
retroactively invalidate her prior valid approvals.
Data flow: officer departure
Alice leaves the bank. Three things happen:
GuardianSetUpdate on bank-us-wire, remove Alice from the
approval set. Requires: bank’s root-quid signature + current
approval-set quorum (2 of {Alice, Bob, Carol}).
Since Alice is the one leaving, the remaining signers (Bob +
Carol) approve. Alice can opt to sign too or not, the threshold
is already met without her if Carol(w=2) signs with Bob(w=1).
GuardianResignation, Alice can optionally withdraw from her
own role proactively. Not strictly required since the set update
removes her, but documents her exit in the chain.
Alice’s personal quid lives on, in case any wires she signed
before departure need post-hoc auditing. Her currentEpoch is
frozen (invalidation anchor); no new approvals from her key work.
Carol alone → 2. ✓ (compliance officer’s weight covers the
threshold alone, this is deliberate for $10M+ wires where the
bank’s policy lets compliance unilaterally authorize; check if
that’s actually what you want or if threshold should be 3)
To prevent the “Carol alone” case, raise threshold to 3:
threshold: 3
Now Carol alone (w=2) is insufficient; a line officer must also sign.
Weighted threshold with distrust of Carol
If the bank policy is that compliance is a check-and-balance (not a
unilateral approver), set threshold=3 and keep Carol at w=2. Means
compliance can’t act alone; always requires an operator.
Consortium trust graph
Correspondent banks operate their own nodes. The trust setup:
From the correspondent’s perspective, when they receive a wire
title and event stream claiming the bank approved it, they verify:
Every signer is in bank-us-wire’s current GuardianSet as of
the approval’s block height.
Every signature verifies against the signer’s current-epoch key
(from the blockchain’s identity registry).
Nonces are monotonic.
Threshold is met.
If the correspondent hasn’t seen the bank’s recent guardian-set
updates (partition, just rejoined the network), push gossip
(QDP-0005) delivers them on demand, and the lazy-epoch probe
(QDP-0007) catches edge cases.
Scale estimates
Typical US mid-sized bank:
2,000 high-value wires/day
50 authorized approval officers across regions
5 compliance officers
~20 correspondent bank peers
Workload on a single Quidnug node:
2,000 titles/day = ~100 KB/day in titles
~6,000 events/day (avg 3 signatures per wire)
~100 KB/day peer gossip for inter-bank propagation
Quidnug’s consortium-scale target (thousands of TPS with many
correspondents) is comfortable headroom above this workload.
Concrete Quidnug API calls for a working implementation. Examples in
cURL and Go. Real production code would use signed HSM outputs; here
we use ECDSA keys generated by the Quidnug client for clarity.
0. Prerequisites
A Quidnug node running with the nonce ledger enabled:
Terminal window
ENABLE_NONCE_LEDGER=true\
ENABLE_PUSH_GOSSIP=true \
ENABLE_LAZY_EPOCH_PROBE=true \
NODE_AUTH_SECRET=<32-byte hex>\
./bin/quidnug
1. Bootstrap identities
Create quids for the bank, three officers, and each officer’s personal
guardian (spouse, manager, backup HSM, we’ll reuse a single quid per
role for brevity here; production would be distinct real people).
Every officer in the new set must have consented on-chain. The bank’s
root signature + consent sigs are assembled by whatever ceremony the
bank runs (in-person, quarterly, with HSMs).
package main
import (
"context"
"encoding/hex"
"encoding/json"
"net/http"
"bytes"
"time"
"github.com/quidnug/quidnug/internal/core"
)
funcinstallBankApprovalSet(apiBasestring) error {
// Build the new set.
newSet:= core.GuardianSet{
Guardians: []core.GuardianRef{
{Quid: "alice-op", Weight: 1, Epoch: 0},
{Quid: "bob-op", Weight: 1, Epoch: 0},
{Quid: "carol-compliance", Weight: 2, Epoch: 0},
},
Threshold: 3, // Carol alone insufficient
RecoveryDelay: 1*time.Hour,
}
update:= core.GuardianSetUpdate{
Kind: core.AnchorGuardianSetUpdate,
SubjectQuid: "bank-us-wire",
NewSet: newSet,
AnchorNonce: 1,
ValidFrom: time.Now().Unix(),
}
// Signable canonical bytes (same for bank, each new guardian,
A $50M wire requires compliance (weight=2) + an operator. Three step
sequence:
3a. Title the wire (first signer, Alice)
Terminal window
curl-XPOSThttp://localhost:8080/api/v1/titles-d'{
"type": "TITLE",
"assetId": "wire-2026-04-18-xyz",
"domain": "wires.fed.fedwire.us",
"owners": [{
"ownerId": "bank-us-wire",
"percentage": 100.0
}],
"titleType": "wire.instruction",
"attributes": {
"payer": "bank-us-wire",
"payee": "recipient-abc",
"amount": "50000000",
"currency": "USD",
"rail": "FEDWIRE",
"reference": "WIRE-2026-04-18-XYZ-001",
"valueDate": "2026-04-19"
},
"creator": "alice-op",
"signatures": {
"alice-op": "<hex signature over canonical title bytes>"
}
}'
Alice’s signature uses her current-epoch key and her anchor
nonce + 1. The anchor nonce is separate from the wire’s internal
sequence, it’s a per-officer monotonic counter.
3b. Cosign via event (Bob)
Terminal window
curl-XPOSThttp://localhost:8080/api/v1/events-d'{
"type": "EVENT",
"subjectId": "wire-2026-04-18-xyz",
"subjectType": "TITLE",
"eventType": "wire.cosign",
"payload": {
"signerQuid": "bob-op",
"keyEpoch": 0,
"anchorNonce": 47
},
"creator": "bob-op",
"signature": "<hex signature>"
}'
3c. Compliance review (Carol, if amount ≥ $10M)
Terminal window
curl-XPOSThttp://localhost:8080/api/v1/events-d'{
"type": "EVENT",
"subjectId": "wire-2026-04-18-xyz",
"subjectType": "TITLE",
"eventType": "wire.compliance_approved",
"payload": {
"signerQuid": "carol-compliance",
"keyEpoch": 0,
"anchorNonce": 124,
"complianceNotes": "KYC up to date; sanctions clear"
},
"creator": "carol-compliance",
"signature": "<hex signature>"
}'
3d. Node quorum validation (automatic)
On each wire.cosign / wire.compliance_approved event, your
application-side listener computes the current signer weights:
funcquorumMet(wireIDstring, ledger*core.NonceLedger, now time.Time) (bool, error) {
// 1. Get the bank's effective guardian set (post-resignations).
This opens a 1-hour time-lock window. If the recovery is malicious
(e.g., Alice’s spouse’s key was compromised and it’s a social-
engineering attempt on the bank), Alice can veto from her original
HSM if it’s still alive, or, if the HSM is confirmed dead, the bank
can halt the recovery via its oversight quorum.
# 3. Verify each signer's signature against their current-epoch key
# at the time (use the identity registry's historical view).
A single audit tool can reassemble: “at block 100,000, on date
2026-04-18, bank-us-wire’s guardian set was X, the wire was signed
by {alice-op@e=0, bob-op@e=0, carol-compliance@e=0} at their
respective monotonic nonces, quorum weight = 4 ≥ threshold 3,
therefore the approval was valid.”
9. Monitoring
Key Prometheus metrics to alert on:
quidnug_guardian_set_weakened_total{subject="bank-us-wire"}
rising → officers are resigning faster than replacements arrive.
quidnug_guardian_resignations_rejected_total{reason="set_hash_mismatch"}
→ someone is trying stale resignations (integration bug or
attack).
Bank’s root quid, the identity that controls the approval
guardian set itself; compromising it enables swapping in
attacker-controlled officers.
Attackers
Attacker
Capability
Motivation
External (untrusted)
Can send HTTP requests, observe public gossip
Theft
Insider: operator
Has one officer’s HSM; one valid signing key
Fraud
Insider: compliance
Has compliance HSM (weight 2); theoretically unilateral
Collusion with operator
Insider: admin/IT
Can modify node config, restart services
Sabotage / deploy backdoor
Insider: CEO/CFO
Can authorize bank root quid updates
Catastrophic (mitigated separately)
State-level adversary
Can intercept network, subpoena key material
Surveillance / control
Supply-chain
Compromised HSM firmware, dependency injection
Persistent backdoor
Threats and mitigations
T1. External forgery of a wire approval
Attack. Attacker with no insider access tries to submit a wire
title claiming to be signed by Alice.
Mitigation.
Every signature verifies against signerKeys[alice-op][alice's current epoch], attacker doesn’t have Alice’s HSM.
Monotonic nonce means even a replay of a captured valid signature
is rejected (nonce already accepted).
Even if the attacker has network access, the NODE_AUTH_SECRET
HMAC gates inter-node traffic.
Residual risk. None structural. Reduces to “can the attacker
compromise an HSM”, which is the endpoint security problem, not
a protocol problem.
T2. Captured session replay
Attack. Attacker intercepts Alice’s valid approval for wire A
and replays it as approval for wire B.
Mitigation.
The signature binds to the specific wire title’s content. Replaying
Alice’s wire-A signature against wire-B produces a signature that
doesn’t match wire-B’s canonical bytes.
Anchor-nonce monotonicity: even if the attacker crafts wire B to
have identical bytes (unlikely given amount/payee/timestamp), the
nonce has already been accepted.
Residual risk. None.
T3. Single compromised officer HSM
Attack. Alice’s HSM is compromised. Attacker has one signing
key.
Mitigation.
Wire still requires threshold 3. Alice alone = weight 1. Attacker
also needs another compromise.
Alice’s anchor nonce is monotonic. If Alice notices unusual
activity and rotates via her personal guardian recovery, the old
key is immediately unable to sign new wires.
MaxAcceptedOldNonce cap on rotation limits the window.
Residual risk. If attacker compromises Alice AND Bob before
anyone notices, they reach threshold 2 (w=1+1). Still under 3.
Need Alice+Bob+Carol or Alice+Carol or Bob+Carol to reach 3+ with
w=2 Carol. So: two or three simultaneous compromises required
depending on who’s compromised. This is a significantly higher
bar than “one compromise.”
T4. Compliance officer collusion
Attack. Carol (weight=2) collaborates with Alice (weight=1) to
steal. Their combined weight (3) meets threshold.
Mitigation (partial, organizational).
Weight distribution is a policy decision. The design doc’s
threshold=3 setup specifically addresses this by requiring
three parties (Carol + Alice + Bob) for any wire. If the bank
wants the weaker property, it picks threshold=2.
If threshold=3, Carol and Alice alone = 3 (w=2+1) does meet
threshold. The fix is threshold=4 with compliance staying at
w=2, requires two operators AND compliance.
Residual risk. Protocol cannot prevent quorum-of-allowed-parties
collusion by design. Standard corporate governance (separation of
duties, rotation, background checks) is the countermeasure.
T5. Attacker compromises bank root quid
Attack. The root quid that controls the approval set is
compromised. Attacker adds their own key to the approval set and
drains the bank.
Mitigation.
Root quid has its own guardian set (CEO, CFO, legal). A
GuardianSetUpdate for bank-us-wire requires primary signature
(root’s current-epoch key) AND current-set consent quorum.
Root-quid key compromise requires also compromising multiple
executive guardians, far above the single-key-compromise bar.
Even if achieved, the GuardianSetUpdate lands on the blockchain
and the anomaly is auditable.
Residual risk. Low; this is the “CEO gets phished” scenario
where traditional controls (executive HSMs with in-person use,
quarterly attestation) apply.
T6. Guardian takeover
Attack. Alice’s personal guardians (spouse, manager, backup
HSM) are all compromised. Attacker initiates a recovery to their
own key.
Mitigation.
Time-lock delay: default 1 hour, configurable up to 1 year. The
legitimate Alice (if her key is fine) can veto during the
window.
EnableLazyEpochProbe (QDP-0007) means correspondent banks
probe on stale signers. An unexpected recovery fires visible
events.
Guardian RequireGuardianRotation flag can be set on officer
quids, forcing any rotation to go through the time-locked
recovery path, so there’s no “fast path” recovery for high-
value officers.
Residual risk. An attacker with guardian quorum AND the ability
to prevent Alice from vetoing (e.g., Alice is on a plane for 12
hours) can complete a recovery. Mitigation: longer delay for
high-value officers; compensating monitoring.
T7. Correspondent bank lies
Attack. Correspondent bank claims they received a valid
approval from us; actually they got half-signed state and are
trying to collect on an unapproved wire.
Mitigation.
Wire isn’t “approved” until the event stream has a quorum. The
correspondent can re-verify our guardian set and weigh signatures
independently, they have all the public state.
Push gossip + fingerprints ensure both sides see the same state.
Residual risk. If correspondent also has their own internal
gaps, that’s their problem; they can’t forge our approval without
cryptographic material they don’t have.
T8. Fork-block hijack
Attack. A malicious quorum of consortium members passes a
fork-block lowering the compliance threshold, enabling easier theft.
Mitigation.
Fork-block requires 2/3 (ceiling) of validators in the domain.
Compromising a majority of banks’ root keys is the prerequisite
orders of magnitude above compromising one officer.
MinForkNoticeBlocks = 1440 (~24h) means any change is visible
to every participant for 24 hours before activation. Operators
can observe a malicious fork in advance and halt their nodes.
Post-activation, a future fork can roll back. Nothing is
permanent unless the consortium says so.
Residual risk. Requires majority-validator compromise. At that
point the consortium has bigger problems.
T9. Denial-of-service on the approval flow
Attack. Attacker floods the node with fake approval submissions
to keep legitimate ones from being processed.
Dedup-first validation on gossip means replayed valid messages
cost ~1 map lookup each.
Push-gossip producer rate limiter (QDP-0005 §7) throttles any
single party.
Residual risk. A well-provisioned attacker can cause resource
exhaustion against a single node, but not corrupt state.
T10. Supply-chain compromise
Attack. A Quidnug dependency (Go stdlib, Gorilla mux,
Prometheus client) has a backdoor that exfiltrates signing keys.
Mitigation.
Dependencies are minimal; see go.mod.
Keys never leave HSMs in the designed flow. A dependency
compromise can see signable bytes but not signing material.
Apache-2.0 includes explicit patent grant; no custom crypto.
Reproducible builds (TODO for the project) would help detect
tampering.
Residual risk. Standard supply-chain risk level, comparable
to any Go binary running in production. Mitigated by standard
practices.
Not defended against
Explicit limits of this design:
Off-chain policy enforcement. The protocol authorizes
wires; it doesn’t sanity-check the payee’s sanctions status.
That’s OFAC / application-layer concern.
Rail-level double-spends. Quidnug says “this wire is
approved.” If your core banking system then tries to send the
same approval to Fedwire twice, Fedwire’s own idempotency keys
should catch it. Quidnug doesn’t try to control the rails.
Insider with root-quid access. If the bank’s CEO actively
participates in fraud, the protocol documents the crime
beautifully but doesn’t prevent it. Standard corporate
governance is needed.
HSM implementation bugs. If the HSM’s P-256 implementation
has a known weakness (e.g., biased nonce during ECDSA sign),
the protocol’s correctness doesn’t save you. Use good HSMs.
Long-range chain rewrites. Since Quidnug’s consensus is
relational, a node could theoretically accept a re-written
history from a very-trusted peer. Mitigation: audit logs, the
ledger’s monotonic nonce invariants, and operator vigilance.
Not a cryptographic guarantee the way Bitcoin’s is.
Confidentiality. Wire contents are public on the consortium
chain in this design. Production would encrypt payloads and
store hashes on-chain. See §“Out of scope” in README.md.
Residual monitoring
Run Prometheus scrapes on:
quidnug_guardian_resignations_total, spikes suggest an
insider mass-exit.
quidnug_probe_failure_total, network partition isolating a
correspondent (could be precursor to forged-approval attack).
Incident response playbook
Officer key suspected compromised.
Page on-call HSM operator.
Run POST /api/anchors invalidation on the compromised epoch
(freeze it). Zero tolerance for maxAcceptedOldNonce.
Guardian-set update removing the officer from approval quorum.
If no rotation possible: guardian recovery with shortest
permitted delay.
Bank root quid compromise suspected.
Halt all nodes (operator switch, not protocol).
Re-verify guardian-set state.
Initiate root-quid rotation via executive guardian quorum.
Audit all recent guardian-set changes for unauthorized
modifications.
Unexpected fork-block transaction observed.
Review signatures on the fork-block tx.
If quorum is legitimate: communicate with consortium.
If quorum involves suspect validator signatures: file an
emergency-halt request with the consortium. Each node can
independently refuse to activate the feature by operator
override.
Interbank wire authorization integration with the three architectural pillars
How the interbank-wire use case composes on top of the three
architectural QDPs (0012 Domain Governance, 0013 Network
Federation, 0014 Node Discovery + Sharding). Companion to
README.md + architecture.md,
which predate the pillars and describe the wire-authorization
mechanics without addressing the larger protocol architecture.
The interbank-wire-authorization use case is structurally
similar to elections: coordination-archetype, multi-party
governance, guardian-recoverable keys, auditable event streams.
But the deployment profile is fundamentally different:
Elections
Interbank wires
Number of participating orgs
~5-50 (authority + observers)
~2-20 per wire (originator + correspondents + beneficiary bank)
Geography
Jurisdiction-bounded
Cross-border and cross-jurisdiction by definition
Transaction volume
~10M per major election
~150M SWIFT wires per DAY globally
Latency requirement
Minutes (tally; daily cycle)
Seconds-to-minutes (SWIFT is already ~minutes; real-time is the goal)
Audit timeline
Weeks-to-months post-election
Hours to 7 days (regulatory inquiry windows)
Regulatory framework
State election law per-jurisdiction
FATF + Basel + local central-bank rules, every bank in every country
Failure cost
Election integrity + political crisis
Tens of millions per missed wire, trust erosion, regulatory fines
So the integration needs emphasize: federation (every bank
is its own network), discovery (finding the right node for
a counterparty’s transaction at wire time), and governance
(changes to signatory rosters need explicit on-chain action,
not ad-hoc spreadsheets).
2. QDP-0012 governance, every bank is its own governing body
2.1 The domain + governance shape
Each bank is an operator with its own domain tree:
bank.<id> (the bank's root domain)
├── wires.outbound (wires originated by this bank)
├── wires.inbound (wires received by this bank)
├── signatories (who's authorized to cosign)
├── audit (compliance log)
└── peering.counterparty-banks (trust edges to other banks)
(plus any read-only observer node the regulator runs)
Crucially, the regulator (fed-reserve-monitor-quid) is a
governor, not a validator. They can vote on governance
changes + observe every transaction, but they don’t produce
blocks. This distinction matters: regulators need visibility +
authority-to-block-bad-changes but shouldn’t hold block-
production keys (that’s the bank’s operational concern).
2.2 Signatory quorum as a domain property
A wire transfer needs M-of-N cosigning from authorized bank
employees. Instead of hardcoding this in application logic,
the signatory quorum is a governance property of the
bank.chase.wires.outbound domain:
Any addition / removal / weight change to the signatory pool
is a DOMAIN_GOVERNANCE action (QDP-0012), signed by the
bank’s governor quorum, subject to the 24-hour notice period.
This is the critical protection against insider attack: a
compromised wire-officer can’t silently add a co-conspirator;
that change takes 24 hours + signatures from multiple
governors.
2.3 Wire-specific governance actions
Three wire-specific actions extend the standard QDP-0012 set:
Action
Effect
Required signers
ADD_SIGNATORY
Add a quid to the wire-signatory pool
governor quorum
REMOVE_SIGNATORY
Remove a quid
governor quorum
UPDATE_SIGNATORY_POLICY
Change minSigners, requiredRoles, thresholds
governor quorum + 7-day notice (longer than ADD/REMOVE)
Each action takes effect after the notice period. During the
notice window, the old policy remains active; the old
signatories can continue cosigning pending wires. This
ensures no in-flight wires are orphaned by a signatory-pool
change.
3. QDP-0013 federation, every bank is its own network
3.1 The federation topology
Every bank runs its own Quidnug network. Cross-bank wires
federate bilaterally:
Each bank operator independently runs their consortium, holds
their own keys, and manages their own domain tree. What
federation adds is the ability to cross-reference attestations
between networks.
3.2 Three federation use cases
Use case 1: a wire originated at Bank A, destined to
Bank B. Bank A’s network publishes a WIRE_AUTHORIZED
event. Bank B’s network federates with Bank A’s to verify:
Wire came from a signatory in good standing on Bank A’s
chain.
Quorum of signatures met Bank A’s policy.
Wire amount + currency + beneficiary match what’s being
remitted.
Bank B then publishes its own WIRE_RECEIVED event on its
chain referencing Bank A’s originating event. Two signed
records of the same wire, one per bank. Reconciliation
becomes trivial.
Use case 2: regulator audits across banks. A federal
regulator (FinCEN, FSA, FCA, etc.) runs a read-only node
that federates with every bank under their jurisdiction. They
can query “show me every wire over $1M to sanctioned
countries in Q4 2026” across dozens of banks without having
to request data from each one.
All responses are cryptographically signed by the
originating bank’s governor quorum; the regulator has no
access to any bank’s private keys but can verify every
response is authentic.
Use case 3: correspondent-bank reputation. A bank choosing
whether to open a correspondent relationship with another
bank can query that bank’s public reputation edges, e.g.,
“has FinCEN flagged this bank for sanctions violations in the
last 24 months?” Trust edges from regulators (or from other
banks) are public + signed + verifiable.
3.3 Privacy boundaries
Some wire details are public on both banks’ chains (from
to quids, timestamp, wire amount in aggregate). Others
are encrypted payloads with on-chain hash commitments (the
memo line, internal routing details, KYC documentation).
Only authorized parties (originator bank, receiver bank, the
two beneficiaries’ banks if different, plus regulators with
subpoena-backed access) can decrypt the encrypted parts.
The hashes on-chain are enough for auditors to verify later
that “what was actually sent” matches the public record.
This pattern is generalizable to any federation with
privacy concerns, see QDP-0017 for the data-subject-rights
framework that formalizes it.
4. QDP-0014 node discovery + sharding
4.1 Operator-to-nodes hierarchy for a global bank
A major bank runs nodes in every major banking center
(NY, London, Singapore, Tokyo, Hong Kong, Frankfurt, etc.).
Each node is attested by the bank’s operator quid:
Clients (a corporate treasury team originating a wire, a
compliance officer auditing) use the discovery API:
GET /api/v2/discovery/domain/bank.chase.wires.outbound
Returns the three NY/London/SG validators plus the 10
regional caches. The client’s HTTP library picks the
closest (by geoip, or by a pre-configured region preference)
and submits the wire authorization there.
4.3 Wire-processing topology
Daily volume at a major bank is ~500k wires / day. Peak is
~10k/minute during end-of-day cutoffs. The topology needs to
handle this without dropping wires:
Geography: each region has its own validator pool and
cache tier. US wires hit NY; Europe hits London; Asia
hits Singapore. Cross-region wires gossip across
consortiums.
Capability: validators don’t serve reads; caches
don’t produce blocks; archives are rarely touched except
during regulatory queries.
Domain-tree:wires.outbound and wires.inbound are
separate domains, each with its own consortium. Some
smaller banks run them on the same consortium; giant
banks run them independently for isolation.
5. No-node participation for corporate clients
A mid-size corporation (say, a supply-chain company needing
to pay international suppliers) doesn’t run a Quidnug node.
They:
Hold a cryptographic quid for their treasury department.
Have trust edges from their bank(s) attesting to their
account authorization.
Use client-side SDK to sign wire-authorization events.
POST to the bank’s api gateway.
The bank’s validator consortium verifies:
The corporate’s quid is in good standing.
Signatory quorum for THE CORPORATE entity’s policy is met
(e.g., CFO + controller for wires > $1M).
The wire is properly formed.
If all pass, the wire is authorized + transmitted to the
correspondent/receiving bank via existing SWIFT or a federated
Quidnug link.
The corporate gets real-time verifiability (they know when
the wire hit each stage) without running any infrastructure.
Same pattern as voters in elections, full cryptographic
participation, zero infrastructure. This is QDP-0014’s
“lightweight participation” mode.
6. Cross-network flow: end-to-end wire
Full sequence, touching all three pillars:
1. Corporate treasurer at MegaCorp prepares wire instruction:
$2.5M USD from MegaCorp's USD account at Chase
to beneficiary's EUR account at Deutsche Bank.
2. MegaCorp's treasurer (Alice) and CFO (Bob) both sign an
instruction (each with their own quid; quorum 2-of-2
required per MegaCorp's internal policy for $1M+).
Published as WIRE_REQUEST event on MegaCorp's own domain
7. Deutsche credits the beneficiary's account. Publishes
SETTLEMENT event referencing the WIRE_RECEIVED.
8. Chase's inbound federation picks up the SETTLEMENT event,
publishes SETTLEMENT_CONFIRMED on its own chain, completing
the loop.
9. Both banks' regulators (FinCEN, BaFin) see the complete
chain of events via their read-only federation nodes.
10. MegaCorp's treasurer can verify every step by fetching
the events from either bank's api gateway.
Every step is cryptographically signed + publicly verifiable.
The whole wire takes ~30 seconds vs. the current ~1 hour
minimum for SWIFT + correspondent banking. Regulatory access
is real-time instead of quarterly after-action reviews.
7. Governance changes mid-wire-day
Unlike elections (which happen on a fixed schedule),
interbank wires happen 24/7. Governance changes have to be
non-disruptive.
7.1 Adding a new signatory mid-day
Routine, happens whenever a new person is hired or
promoted to a wire-authorization role.
Governor quorum signs ADD_SIGNATORY transaction.
24-hour notice period: the new signatory can’t sign
wires yet.
At activation, the new signatory is added to the pool
with the specified role + weight.
Banks routinely plan these 24h+ in advance (employee
onboarding takes that long anyway).
7.2 Emergency removal of a compromised signatory
If a signatory’s key is suspected compromised:
Any governor can initiate REMOVE_SIGNATORY with the
1-hour emergency clause.
Immediate audit event published noting the removal +
reason.
1 hour later: signatory is removed from the pool.
Any pending wires they signed in the last hour are
flagged for manual review.
Post-incident: guardian recovery on their individual
quid if desired (separate from the pool-removal action).
7.3 Cross-bank coordinated changes
Occasionally two or more banks need to coordinate changes
(e.g., standard cutoff times for a new currency pair).
Each bank independently publishes the change on their own
network; federation ensures the other bank sees it. No
central coordinator is required; the federation topology
is the coordination layer.
Two substantial topics this integration doc deliberately
defers:
SWIFT/Fedwire/SEPA bridging. Each jurisdiction has
existing wire-transfer infrastructure. The Quidnug
design replaces the authorization layer, not the
transport layer, a wire authorized on Quidnug still
typically moves via SWIFT. Bridge design is its own
substantial project; see operations.md §5 for the
integration pattern.
Regulatory reporting (AML, CTR, SAR). Each country’s
reporting requirements differ. Quidnug makes the data
available in a standardized format; the per-jurisdiction
reporting code lives in bank-specific applications on
top.
Both are legitimate production concerns; both are
application-layer, not protocol-layer. A deploying bank
builds them atop the Quidnug substrate the same way they
build SWIFT message generation atop internal databases
today.
Operations
Runbooks, observability, incident response.
Interbank wire authorization operations
Deployment topology, capacity planning, daily operations, and
incident response for a bank running Quidnug-based wire
authorization. Adapted from
UseCases/elections/operations.md
for banking deployment profile.
1. Deployment scale
Scale
Example
Wires / day
Nodes
Monthly cost
Staffing
Small community bank
Local credit union
< 100
2 validators + 1 cache
$200-500
1 part-time admin
Regional bank
State-level commercial bank
1k-10k
5 nodes, 2 regions
$2k-5k
2 FTEs ops
National bank
Top 20 US bank
10k-100k
15-30 nodes, 3 regions
$20k-60k
8-15 FTEs ops
Global
Chase, HSBC, Deutsche
100k-1M
50-150 nodes, 8+ regions
$100k-500k
40+ FTEs ops + compliance
Different from elections: wire volume per day is higher and
more continuous. 24/7 operation. Lower tolerance for outages
(minutes of downtime = tens of millions in delayed settlements).
5 caches per major region (NY, LA, Chicago, DFW, Atlanta,
London, Singapore) = ~35 cache nodes total.
Archive:
4 nodes: 2 in separate regulator-approved data centers,
2 in cold-storage backup.
2.4 Global bank
Per major banking center, a full regional consortium:
3-5 validators
5-10 cache nodes
1-2 archive
Regulator observer nodes per jurisdiction
Cross-region federation per QDP-0013. Each jurisdiction
may have its own regulator + its own governance variation
(e.g., EU wires governed under EU rules; US wires under
FFIEC/OCC).
Total: 50-150 nodes spread across 8-15 countries.
3. Hardware
Role
CPU
RAM
Disk
Network
Validator
8 cores
32 GB
2 TB NVMe (IOPS 50k)
10 Gbps
Cache
4 cores
16 GB
500 GB SSD
1 Gbps
Archive
4 cores
16 GB
20 TB HDD + 1 TB SSD cache
1 Gbps
Observer
2 cores
8 GB
1 TB SSD
100 Mbps
Validators are expensive, they need high-IOPS SSD for
replay + crash recovery. Caches are cheap; can be spot
instances. Archives are slow but huge.
Per QDP-0014’s sharding model, validator-cache-archive
separation is enforced via node advertisement capabilities
a cache node cannot produce blocks even if configured
incorrectly.
4. Capacity planning
4.1 Wire volume
For a national bank with 50k wires/day = ~0.58/s sustained
= ~10/s peak (end-of-day cutoff). Per-wire transaction size:
Quidnug-to-SWIFT bridge service generates MT103 message →
SWIFT network delivers →
Receiving bank's SWIFT MT103 → Quidnug-to-SWIFT bridge
generates WIRE_RECEIVED event on Quidnug.
The bridge is a trusted service operated by the bank’s IT
team. Not a Quidnug primitive, just application code
tying existing SWIFT connectivity to Quidnug’s
authorization + audit layer.
For banks wanting to skip SWIFT entirely (interbank
settlement via Quidnug alone), QDP-0013 federation makes
this possible but requires bilateral agreement with every
counterparty bank. Realistic only for closed-consortium
scenarios (e.g., a central-bank settlement network).
5.2 Fedwire
Similar bridge pattern. Fedwire’s ISO 20022 message format
is structurally similar to SWIFT MT; one bridge handles
both with different message-generation modules.
The bank’s Fedwire credentials (the one-per-bank account
with the Fed) stay in the bank’s existing infrastructure;
Quidnug events trigger Fedwire message generation.
5.3 SEPA
SEPA credit transfers (SCT) and instant payments (SCT Inst)
both have ISO 20022 message formats. Same bridge pattern.
SEPA is the closest to “real-time” in existing
infrastructure and benefits the most from Quidnug’s
authorization + audit speed. A Quidnug-accelerated SEPA
flow can complete in seconds end-to-end.
6. Daily operations playbook
6.1 Pre-market (03:00-06:00 local)
Operations team runs overnight reconciliation between
consortium state and core banking system.
Batch settlement jobs for prior-day wires complete.
Archive backup runs.
Morning briefing: on-call rotation, known incidents.
6.2 Market open (06:00-18:00)
Wire traffic ramps throughout the morning.
Peak hours: 09:00-11:00 (Europe open), 15:00-16:00 (US
close + Europe late).
End-of-day cutoff: typically 17:00 or 18:00 local.
If transient: automated retry with exponential backoff.
If sustained: bridge to SWIFT as fallback; notify
affected corporates.
Post-healing: reconcile any wires that went via SWIFT
fallback against the federation record.
7.3 Suspected signatory key compromise
Detection: anomalous wire pattern (volume, destination,
time-of-day) flagged by AML engine; or direct security-team
alert.
Response:
Freeze the signatory’s quid immediately (via governor
quorum emergency REMOVE_SIGNATORY action, 1 hour
notice).
Audit all wires signed by that signatory in the last
24h; flag for additional manual review before
settlement.
Notify affected corporates.
Law enforcement referral per bank policy.
Guardian recovery on the compromised quid; new key
installed only if the original holder is cleared.
7.4 Regulator subpoena
Detection: legal notice arrives.
Response:
Legal team reviews scope.
Operations generates read-only access for the regulator’s
designated investigator, a federated read-only node
connecting to the bank’s network with scoped domain
access.
All queries the regulator runs are logged on-chain (the
regulator’s node publishes its queries as events on an
audit domain, so the subpoena scope is provable).
Regulator’s queries return cryptographically-verifiable
data; no edits possible; the chain IS the record.
If regulator also wants decrypted payload data (KYC docs,
wire memos), legal team evaluates scope; decryption keys
are released per the legal requirement.
This is a significant UX upgrade over current state,
regulatory queries today require months of IT work
extracting data from multiple systems + internal review.
With Quidnug, it’s hours.
8. Security discipline
8.1 Key custody
Role
Custody
Governor (CEO, compliance chief)
HSM-backed + paper backup + 3-of-5 guardian quorum
Validator node
Dedicated HSM per validator; keys never leave HSM
Signatory (wire officer)
YubiKey or similar; 2FA required; daily-use key
Corporate treasurer
Their own custody; bank provides optional guardian-recovery-as-a-service for small corporates
A compromised wire officer cannot alone produce wires;
quorum + separation-of-duty enforced on-chain.
A compromised validator cannot alone change signatory
pools; that requires governance quorum.
8.3 Annual audit
External security audit of the bank’s Quidnug
infrastructure annually.
Quarterly penetration testing.
Daily automated security scans.
9. Cost at scale
Scale
One-time
Ongoing/year
Main cost drivers
Small bank
$50k
$5k
HSM, one staff member’s time
Regional
$500k
$150k
Multiple HSMs, 2 FTEs
National
$5M
$3M
Enterprise HSMs, 10-15 FTEs, regulator-certified data centers
Global
$50M
$30M
Dozens of regional HSMs, 40+ FTEs, global compliance framework
Compare to current wire infrastructure: global banks spend
~$100M+/year on wire systems alone (SWIFT connectivity,
Fedwire licensing, FX infrastructure). Quidnug’s deployment
is a fraction.
Sequential T-180 through T+30 onboarding steps for bringing a
bank onto Quidnug-based wire authorization. Work top to
bottom; each item gates the next.
Written for a national bank joining its first correspondent
consortium (the most common starting profile). Small
community banks can collapse steps 3-4 (fewer governors,
single region); global banks should multiply the regional
stand-up steps across jurisdictions.
T-180 to T-120 days: Legal + regulatory foundation
Wire authorization is one of the most heavily regulated
activities a bank does. Nothing happens before legal sign-off.
Regulatory strategy
General counsel + compliance chief review + approve the
overall architecture. Specifically: does running wire
authorization on Quidnug satisfy:
- Home-jurisdiction central-bank rules (Fed for US,
BaFin for DE, BoE for UK, etc.)
- FFIEC IT Examination Handbook (US federal banking)
- OCC Heightened Standards (for national banks)
- FATF Recommendation 16 (Wire Transfers)
- Basel Committee Principles for Sound Management of
Operational Risk
File advance notice with primary regulator (US: OCC +
Federal Reserve; EU: ECB + national regulator). Some
jurisdictions require 30-90 day advance notice for
operational-risk framework changes.
Engage independent banking-software auditor for
pre-certification. Must have prior experience with
SWIFT/Fedwire/SEPA gateway integrations.
Legal opinion letter on whether on-chain signatures
satisfy the “two officer” requirement under applicable
rules (varies; many jurisdictions treat cryptographic
signatures as equivalent to written ones if audit
trail is preserved).
Privacy review: any PII in wire metadata that leaves the
bank’s controlled environment needs GDPR / CCPA / LGPD
assessment. Plan: encrypt wire payloads, store only
hashes on-chain for cross-bank audit.
Internal governance committee formed + briefed on the
protocol architecture. Typical composition:
- CEO or designated COO
- Chief Compliance Officer
- Chief Risk Officer
- Head of Wire Operations
- Head of IT / CISO
- External regulator liaison (observer, non-voting)
Governance structure defined + documented (see
integration.md §2):
- Governor quorum (who, weights, threshold)
- Consortium membership (which of the bank’s own nodes
produce blocks)
- Peer-bank trust edges (counterparty banks)
- Emergency-notice clause (normal 24h / emergency 1h)
- Signatory roster + per-wire-class thresholds
- Guardian quorums per governor (QDP-0002)
Signatory policy published internally:
- Wire-class thresholds ($1M, $10M, $100M, $1B)
- Required signer count per class
- Maker/checker separation rules
- Dual-control for policy changes
Board of directors briefed + resolution passed
authorizing the new infrastructure.
T-120 to T-90 days: Hardware + infrastructure procurement
HSM procurement
Wire authorization is HSM-dependent. Every signing key lives
in hardware; never plaintext in RAM.
Dedicated circuits for SWIFT (existing), Fedwire
(existing), SEPA (existing). Quidnug doesn’t replace
these; it augments them.
VPN + zero-trust network access for corporate treasury
clients.
Software + keys
Quidnug node binary built from a specific tagged
release (e.g., v2.4.0). SHA-256 hashes published.
Reproducible build verified.
All governor keys generated via air-gapped key
ceremony. Paper backups printed + distributed to
separate safe-deposit boxes (dual control).
Guardian quorums installed for each governor key
(following QDP-0002). Typical: 3-of-5 guardians per
governor, drawn from executive + board.
Validator node keys generated directly inside HSMs;
never exportable.
Signatory keys (wire officers) generated on YubiKey
or equivalent, one per officer. Backup guardian
quorum per signatory (typically 2-of-3 coworkers).
CLI tooling (quidnug-cli wires) tested in staging.
T-90 days: Domain + consortium setup
Publish the network descriptor
Publish https://bank.<id>.com/.well-known/quidnug-network.json
per QDP-0014 §7. Signed by the bank’s operator key.
Includes:
- Operator quid + pubkey (the bank’s root identity)
- API gateway URLs
- Seed nodes + capabilities
- Governors + quorum
- Domain tree
- Peer banks + federation links (QDP-0013)
Publish backup mirror of the well-known file at a
federated location (e.g., https://quidnug.com/.well-known/banks/<id>.json)
for resilience if the bank’s public site is down.
Governance quorum signs ADD_SIGNATORY event per
officer, granting authority in specific policy
domains:
bash quidnug-cli wires add-signatory \ --signatory-quid <alice-quid> \ --policy-domain "bank.<id>.wires.policy.high-value-1m-10m" \ --weight 1 \ --governor-signatures "<sigs>" \ --sign-with <governor-primary-key>
Each signatory’s guardian quorum published (for key
recovery if YubiKey lost).
T-60 days: Federation setup + peer onboarding
Peer bank TRUST edges
Interbank wires cross networks (per QDP-0013). Before you
can send a wire to another bank, you need a federation
relationship.
Bilateral federation agreement signed with each peer
bank (legal document, not cryptographic). Covers:
- Liability boundaries
- Regulator observability terms
- Emergency-response communication channels
- Dispute-resolution procedure
Regulator observer node provisioned (either by the
bank in the regulator’s data center, or by the
regulator themselves connecting to the bank’s
network).
Observer node registered as capability=observer only
(no validator, no archive, purely read).
Regulator credentials issued for scoped-access
queries (domain-level visibility per their mandate).
Regulator training completed: how to run recounts,
how to subpoena data, how to file an audit query.
Regulator month-1 briefing + sign-off for full
production.
Board of directors update.
T+90 days: Legacy decommission
Legacy wire-authorization system decommissioned.
All paper-based cosigning workflows retired.
Annual-audit cycle transitions from old system to
Quidnug chain queries.
First full quarter of operation closed with clean
regulatory review.
Metrics to track
For every operational day, track these against targets from
operations.md §4:
Metric
Target
How to measure
Wires authorized
(per bank baseline)
Count of WIRE_AUTHORIZED events
Authorization latency p99
< 3s
Event timestamp delta
Cross-bank handoff p99
< 30s
WIRE_AUTHORIZED → WIRE_RECEIVED delta
End-to-end settlement p99
< 2 min
WIRE_AUTHORIZED → SETTLED delta
Consortium uptime
> 99.95%
Block-production rate + validator health
Cross-bank federation uptime
> 99.9%
Federation latency monitor
Reconciliation match rate
100%
Daily cross-check with core banking
Failed-authorization rate
< 0.1%
Rejected events / total attempts
Regulator query response p99
< 5s
Query logs
HSM operation error rate
< 0.001%
HSM logs
Audit events vs wires ratio
1:1
Every wire produces 5-9 audit events
What to do if…
…a signatory’s YubiKey is reported lost
Signatory’s guardian quorum (typically 2-of-3 coworkers)
initiates QuidRecoveryInit per QDP-0002.
1-hour time-lock window starts. Signatory cannot veto
since the YubiKey is lost; if it turns out to be
misplaced and they find it, they can reclaim within
the window.
After time-lock, new YubiKey provisioned; signatory
resumes wire-authorization authority.
Audit event published: SIGNATORY_KEY_RECOVERED.
All wires signed within the preceding 72 hours by the
old key flagged for review (potential compromise
window).
…a validator node fails during market hours
Confirm it’s a real failure (not transient network).
Consortium continues with remaining validators
(quorum preserved per operations.md §7.1).
Spare validator brought online from DR tier; new node
publishes NODE_ADVERTISEMENT; consortium re-balances.
Post-incident: root-cause analysis + postmortem within
48h.
…cross-bank federation is partitioned
Wires to/from the partitioned counterparty queue.
Fallback to SWIFT / Fedwire / SEPA for urgent wires.
Monitor both networks’ status pages.
Once partition heals, federation catches up
automatically via gossip; reconciliation confirms no
wires lost or duplicated.
If partition exceeds 1 hour during market hours:
escalate to senior management + regulator notice.
…a wire is contested by a corporate client
Corporate submits WIRE_DISPUTE event via their client.
Operations team pulls full signature chain from chain
queries: who signed, when, under which policy.
If dispute is clerical (wrong account, wrong amount
but authorized): standard wire-recall procedure.
If dispute alleges unauthorized signing: security team
investigates + potential signatory compromise handling.
Chain queries are cryptographically verifiable so
dispute resolution is fast + unambiguous compared to
legacy “search 4 systems” approach.
…a regulator subpoenas wire data
Legal team reviews scope.
Operations provisions read-only scoped access for the
regulator’s investigator (federated read-only node +
scoped domain access).
All queries the regulator runs are logged on-chain
(regulator’s node publishes queries as events on an
audit domain; subpoena scope is provable).
If decrypted payload data required (wire memo, KYC
docs, beneficiary details): legal team releases
decryption keys per subpoena.
Response time: hours to days, vs months under legacy.
…a peer bank exits the federation (e.g., acquired or failed)
Governance quorum signs TRUST_IMPORT_REVOCATION for
the exiting peer.
In-flight wires to/from the peer are drained via SWIFT
fallback.
Historical wires remain on-chain for audit; new wires
to that peer are blocked.
If the peer is being acquired, reconfiguration of the
federation to the acquirer’s network takes 30-90 days
(repeat the peer-onboarding flow from T-60).
…the home regulator revokes permission
Immediately halt all new wire authorizations (governor
quorum emergency FREEZE_NEW_WIRES action).
In-flight wires complete via legacy path.
Legal team + senior management engage regulator.
If permanent revocation: decommission the network.
Archive all data for retention period per
jurisdiction (typically 5-7 years for banking).