Recovery Primitives — freeze / burn / reissue
Bounded state-correction tools for the rare cases where a chain rollback would otherwise be the only option.
Hacks, phishing, and clearly illegal fund flows happen in real-world payment systems. Maroo provides three bounded recovery primitives — freeze, burn, reissue — that correct state without rolling back the chain. All three operate only when there's a documented legal basis and the prescribed procedure has been followed; every invocation is logged to Observer Nodes and the governance audit trail. These are not always-on intervention tools, and Maroo prefers forward correction (new transactions that override prior state) over backward rewriting wherever the legal basis allows.
freeze — temporary asset block
Suspends asset movement for a specific address. The address can still receive but cannot send. Used as a circuit breaker while an investigation is underway. Reversible — once the investigation concludes (or the legal basis lapses), the freeze is lifted by the same governance procedure that imposed it.
Note: a freeze on the
Note: a freeze on the
from side prevents outgoing transactions; transactions targeting the address (deposits, etc.) still settle normally.burn — destroy clearly-illegal funds
Destroys a specific asset balance. Used only with a documented legal basis (e.g., court order, regulator directive). Irreversible. Total OKRW supply decreases by the burned amount, which is reflected in the next supply snapshot.
This is intentionally the heaviest tool — burning shifts assets out of the economy permanently. It exists for cases where the alternative is worse (laundered or trafficked funds returning to circulation).
This is intentionally the heaviest tool — burning shifts assets out of the economy permanently. It exists for cases where the alternative is worse (laundered or trafficked funds returning to circulation).
reissue — make a victim whole
Mints an equivalent amount of the asset to a victim's address as restitution. Used in conjunction with
Reissue does NOT increase aggregate supply on net — when paired with a corresponding burn, total supply is conserved. Standalone reissue (without a paired burn) is rare and requires explicit governance authorization.
burn (typically: burn the proceeds of the crime, reissue the equivalent to the victim) or when stolen funds cannot be recovered but a remediation has been authorized. Like burn, it requires a documented legal basis and is logged as an audit trail entry.Reissue does NOT increase aggregate supply on net — when paired with a corresponding burn, total supply is conserved. Standalone reissue (without a paired burn) is rare and requires explicit governance authorization.
Governance and audit
These primitives are gated by the Maroo governance process — a recovery action requires a successful proposal (or, for time-critical freezes, an emergency multi-sig that's later ratified). Every call is recorded in three places:
1. The on-chain transaction itself (immutable).
2. The Observer Node feed (regulator-accessible audit trail).
3. The governance proposal log (public).
Nothing about the recovery primitives bypasses the chain's transparency or finality — they operate as ordinary transactions with an extraordinary governance signature. The chain's history is never rewritten.
1. The on-chain transaction itself (immutable).
2. The Observer Node feed (regulator-accessible audit trail).
3. The governance proposal log (public).
Nothing about the recovery primitives bypasses the chain's transparency or finality — they operate as ordinary transactions with an extraordinary governance signature. The chain's history is never rewritten.
Why not chain rollback?
Rolling back the chain would invalidate every transaction since the rollback point — including innocent ones. For a payment infrastructure where merchants, payroll, and consumer purchases are settling in real time, this is catastrophic. Recovery primitives let Maroo absorb specific incidents without that collateral damage. The trade-off: each primitive must be small-scoped and well-documented; they cannot replace the auditability of the underlying chain.