Quorum Freeze (CAP-77): A Governed, Onchain Incident Response on Stellar

CAP-77 introduces the first protocol-native, onchain account freeze mechanism on a major L1 blockchain.

CAP-77 gives Stellar a consensus-driven way to quarantine specific accounts, contract data, or asset balances directly onchain. It does not require a chain halt, an emergency software release, or off-chain coordination. It is executed through the same validator consensus process that governs any protocol-level change on Stellar, and it is reversible.

This is the industry's first designed response to an old question: what happens when something goes wrong?

On November 3, 2025, Balancer V2 was exploited for over $120 million across nine blockchain networks. The responses varied by chain, and each one was ad hoc, uncoordinated at the protocol level, and left no formal audit trail. Most recently, a $280M+ exploit drained Drift Protocol on Solana. The response relied on off-chain coordination and improvised measures, and it took too long. These incidents surface a structural gap in how blockchain networks handle emergencies.

Most networks rely on off-chain response: emergency software upgrades that require every validator to rebuild and redeploy. That is slow by design, and every minute of delay is an opportunity for an attacker to move funds across wallets and bridges.

CAP-77 changes that calculus. When attacker addresses are identified, validators can reach consensus on a freeze command in minutes rather than the hours required for an emergency software upgrade. The mechanism also supports authorized recovery transactions: a specifically crafted transaction (such as a negotiated fund return) can be executed against a frozen account without fully lifting the freeze, closing the window attackers would otherwise exploit.

CAP-77 is noteworthy in three fundamental ways:

It's onchain and auditable. The frozen accounts are stored in the ledger. Any observer can audit exactly what was frozen, when, and why. For regulated institutions—banks, funds, payment companies—this auditability isn't a nice-to-have. It's a compliance requirement.

It's fast. CAP-77 can go from identifying attacker addresses to a fully deployed, consensus-validated freeze in minutes. Compare that to the hours required to build, distribute, and coordinate an emergency software upgrade—hours during which an attacker can be continuously moving funds across wallets and bridges.

It operates through normal validator consensus. CAP-77 operates through Stellar's standard voting process. A quorum of validators must reach consensus on the freeze command which is the same threshold used for protocol upgrades and configuration changes. The mechanism is surgical and bounded, does not require changes to core node software and it can be reversed.

The answer is trust.

Stellar's consensus model, the Stellar Consensus Protocol (SCP), is built on federated trust. Validators are known, accountable participants with publicly declared trust relationships. Consensus on Stellar is something the network's participants actively and transparently agree upon.

That foundation of federated trust is what makes CAP-77 meaningful. A freeze is executed through the same consensus process as any protocol-level configuration change on Stellar, and the resulting ledger state is recorded onchain and observable to anyone. On networks where validators are anonymous and consensus is stake-weighted, a decision to freeze an account raises a question the network cannot answer on its own: by whose authority? SCP makes that question answerable at the protocol level. That is the architectural prerequisite for a mechanism like CAP-77 to exist with integrity. That is why we call it Quorum Freeze. A quorum of Stellar validators has to reach consensus before any freeze takes effect. The name describes the mechanism.

Regulated institutions including banks, custodians, payment companies, operate under fiduciary and compliance obligations that require more than a technical audit before they commit capital to a network. They need to understand what happens when something goes wrong.

CAP-77 enables Stellar network participants to secure significant real-world value in ways not previously possible, without compromising the principles of decentralization. This is critical for the next wave of adoption, especially for institutions and early digital economy leaders already moving billions onchain. By leaving the industry's previous methods behind (improvisation), a clearly scoped and reversible framework like CAP-77 introduces transparent safeguards against data corruption while enabling rapid, coordinated responses to high-profile attacks. The result is better architecture for institutional needs.

Billions of dollars are moving onchain. Institutional capital, stablecoins, tokenized treasuries, payment rails are all already here. The question of what happens when things go wrong can no longer be ignored.

Quorum Freeze (CAP-77) is the first protocol-native, onchain, validator-consensus-driven emergency response tool in the industry. It is auditable, reversible, fast, and designed to be proportionate. It does not require a chain halt, a unilateral foundation decision, or a frantic off-chain war room. It requires governance. And governance is exactly what real-world adoption demands.

With Quorum Freeze (CAP-77) live, validators need to converge on a shared framework for when the mechanism is justified to invoke. It's a step toward active, opinionated governance: validators shaping the rules of the network, not only running it.