Deposit & Burn
CBDC redemption workflow covering vault deposit ingestion, withdrawal processing, burn authorisation, and the complete note lifecycle from MINTED through TRANSFERRED, REDEEMED, and BURNED states.
System Overview
Deposit & Burn is the redemption side of the CBDC lifecycle. When a holder returns CBDC notes to the issuing central bank, the notes are deposited back into the vault, verified, and ultimately burned — permanently removing them from the money supply.
The WithdrawalCBDC module handles physical redemption: a holder presents notes, an agent verifies them against the registry, and the funds are released to a designated settlement account. The burn workflow is a separate, governance-gated action that permanently cancels the notes from the central bank's ledger.
Deposit Intake
- Vault file ingestion (SFTP auto-loader)
- Per-file deletion after processing
- Batch upload validation
- Transferred vs unspent CBDC path detection
Withdrawal Processing
- Holder note presentation
- Registry verification
- Settlement account designation
- Redemption confirmation
Burn Authorization
- Burn candidate selection
- Governance gate check
- Irreversible burn execution
- Supply reduction reporting
Note Lifecycle
Every CBDC note passes through a strictly ordered sequence of states. State transitions are irreversible and every transition is recorded in the audit trail.
MINTED
Note created in a CVIB batch by the issuing central bank. Signed with Ed25519 key. Assigned a serial number.
ISSUED
Batch dispatched to commercial bank via SFTP. Notes are now in circulation as claims on the issuer.
TRANSFERRED
Note ownership moved from one holder to another via the P2P transfer module. Ed25519 challenge-response signed.
REDEEMED
Holder returns note to the central bank or authorised agent. Note is withdrawn from circulation. Settlement account credited.
BURNED
Governance-authorised permanent cancellation. Note record marked burned. Money supply reduced by denomination amount.
Data Model
CvibNote
| Field | Type | Description |
|---|---|---|
| id | uuid | Primary key |
| serial_number | string | Unique serial from SerialAllocationService |
| cvib_batch_id | uuid FK | Parent batch |
| denomination | decimal | Face value in corridor asset currency |
| status | enum | minted | issued | transferred | redeemed | burned |
| current_holder_id | string | Current holder's DID or wallet identifier |
| blockchain_hash | string | Ed25519 signed payload hash for verification |
| redeemed_at | timestamp | When note was redeemed |
| burned_at | timestamp | When note was burned (permanent) |
| burn_authorized_by | string | Operator who authorized the burn |
WithdrawalCBDC
| Field | Type | Description |
|---|---|---|
| id | uuid | Primary key |
| note_serial | string | Serial of note being redeemed |
| holder_id | string | Redeeming holder's identifier |
| settlement_account | string | Destination account for fiat settlement |
| amount | decimal | Note denomination (= settlement amount) |
| status | enum | pending | verified | settled | rejected |
| processed_at | timestamp | When settlement was completed |
Vault Operations
SFTP Auto-Loader
The vault auto-loader monitors a designated SFTP directory. When a new vault file arrives it is ingested, validated, and processed. After successful processing, the source file is deleted from the SFTP server (per-file deletion). Files containing transferred (spent) CBDC follow a different path than unspent CBDC deposits.
Duplicate Prevention
A QSet of processed serial numbers is maintained in-session to prevent double-processing of the same note from duplicate SFTP deliveries. Server-side idempotency is enforced via the note's serial_number unique constraint.
Burn Authorisation
Burning a CBDC note is an irreversible monetary policy action — it permanently reduces the money supply. The burn workflow requires governance approval (Four-Eyes) before execution.
Identify burn candidates
Operator selects redeemed notes that are ready for permanent cancellation. Notes must be in REDEEMED state.
Governance gate
Burn proposal submitted via POST /api/v2/governance/proposals. Second operator must approve.
Execute burn
POST triggers note status → BURNED. burned_at and burn_authorized_by fields set. Action is immutable.
Supply reporting
Corridor's linked_outstanding decremented by burned denomination. Full audit entry created.