A commodity token has to satisfy two customers with opposite needs. The first is a warehouse clerk, who wants exactly one name on the certificate—someone who can show up, present the document, and take the grain. The second is a market maker, who wants ten thousand holders trading small tickets in and out all day. Design for the clerk and the token is illiquid; design for the market maker and the certificate stops working as collateral.
This tension is the central architecture problem in agricultural tokenization, and most failed designs die on it. The good news: the solution does not need to be invented. Brazilian commercial law split these two functions decades ago, and the token structure that works is the same split, executed on a ledger. This article walks through that structure—what we consider the reference architecture for lending against tokenized farm collateral—layer by layer.
Context from earlier in this series: which agro-token projects actually settle deals, and the legal stack underneath them. Here we assume both and go one level deeper.
Two properties, one token, no solution
Lending against a tokenized commodity needs two things at once:
- Enforceability. On default, the creditor presents a document and takes the goods—days, not lawsuits. In Brazil this works because farm titles are extrajudicial executive titles and warehouse receipts entitle the holder to the physical lot.
- Liquidity. Investors want small tickets, instant entry and exit, and a fungible instrument a market can price continuously.
Put both in one token and each destroys the other. Fractionalize the warehouse receipt across ten thousand wallets and no one can enforce it: a warehouse releases a lot to a titleholder, and there is no procedure for ten thousand of them. Enforcement law assumes a name; a liquid market assumes there is no name. Worse, a fractional claim on a physical asset is precisely the shape regulators read as a collective investment scheme—the least favorable qualification available.
The law already made this split
Any lawyer in the room can relax: Brazil’s warehouse-receipt law has separated these functions since 2004. When a certified warehouse (armazém geral, a licensed custodian of third-party goods) accepts grain, it issues two certificates—the CDA (deposit certificate) carrying title to the goods, and the WA (warrant) carrying the pledge right. They circulate separately: the producer keeps the CDA and hands the WA to a lender, creating a security interest without moving the grain.
The two-tier token architecture is the same maneuver, one level up: keep the title instrument whole where enforcement lives, and let a separate instrument—a claim against a pool of loans—carry the liquidity. Nothing about the split is a crypto invention; the ledger only makes it programmable.
The bottom tier: a warrant that refuses to fractionalize
The base layer is a non-fungible warrant: one token, one certificate, one lot (in EVM terms, ERC-721). It represents the warehouse receipt or the registered farm title, and it is deliberately kept whole.
What the token adds over the paper it mirrors:
- Machine-readable collateral. The metadata carries the lot, grade, warehouse, insurance policy, and encumbrance status—so a lender, an auditor, or a pool contract can verify the collateral without calling anyone.
- A public price anchor. Soy, corn, coffee, and sugar are priced off published indices (CEPEA/Esalq spot, B3 futures, Argus/Platts export parity), which is what lets banks set advance rates without a bespoke oracle—the pricing problem was solved by the commodity exchanges long ago.
- Programmable encumbrance. Locking the warrant in a lending contract is the on-chain equivalent of endorsing the WA to a creditor—except the lock, the release, and the default trigger are code.
The boundary of this design is data. Exchange-traded crops clear it; specialty crops mostly do not—the olive-harvest project we mentioned in the first article stalled on precisely this bar: no published index for its grades, and lot values that swing with who pays the freight. If the asset’s price and quality cannot be verified from public data plus warehouse-and-insurer attestations, the warrant tier has nothing solid to stand on.
The top tier: a share in the loan book
Investors never touch the warrant. They hold a fungible pool token (ERC-20): a pro-rata claim on a portfolio of loans that are each secured by locked warrants. Yield equals the interest the portfolio earns, gross of structuring, servicing, and hedging costs—in Brazil’s free-market circuit, the underlying loans price off farmer rates of 18–25% in BRL.
The token holder owns a credit claim on the portfolio, and everything the design gets right follows from that:
- Enforcement stays intact. The pool, a single legal entity, is the sole name on every warrant. On default there is exactly one party for the warehouse to deal with.
- The regulatory read improves. A share in a credit instrument is a known, wrapped, taxable thing; a fractional interest in physical grain is an exotic one. Brazil offers two ready wrappers: the FIDC receivables fund and the tokenized CRA (agribusiness receivables certificate), which brings a segregated estate and the individual income-tax exemption—the same wrapper logic as tokenized equity.
- The utility model is honest. In our taxonomy this is an ownership-model token on a cash-flow-bearing portfolio: its fair value is the NAV of the loan book, its yield is the portfolio coupon, and it needs no artificial sinks or emissions to justify itself.
In economic substance, the structure is a bank or a plain securitization. What is new is machine-readable collateral and programmable waterfalls—an incremental, real improvement. Pitch decks that promise more are usually promising away the credit risk, which no ledger absorbs.
Default: capital flows up, legal force flows down
The architecture proves itself on a bad day, so walk the bad day explicitly. A borrower misses payment. The pool contract already holds the locked warrant. The pool, as titleholder, presents it to the warehouse, the lot is auctioned under the warehouse-receipt procedure, and proceeds return to the pool. Investors take a haircut only if the collateral sale falls short; they never take custody of grain.
Brazil’s 2024–2025 default wave ran a live experiment on exactly this distinction. When the farm-retail group AgroGalaxy entered judicial recovery, the creditor holding fiduciary title to specific collateral stayed outside the process and collected; holders of certificates backed by unsecured corporate receivables took an 85% haircut. The architecture described here is built to put token holders on the first side of that line—the warrant tier exists precisely to keep the pool’s claim on the secured side. One honest caveat travels with it: inside a court-supervised recovery, a judge can declare collateral essential to the debtor’s operations and stay even secured enforcement for 180+ days. (We dissect the AgroGalaxy case, including which protections failed and which held, later in this series.)
The money leg: onshore, through the front door
One more constraint shapes the design, and it comes from the regulator. Brazil reclassified foreign-currency stablecoin operations as FX transactions: legal, but routed through authorized institutions, with a US$100k limit against unauthorized counterparties. From 1 October 2026, a further rule bars unlicensed cross-border payment providers from settling abroad in stablecoins. A direct “global DeFi pool pays the farmer in USDC” bridge is, from that date, simply not a lawful design in Brazil.
The compliant shape: global capital converts through an authorized bank’s FX desk into a local fund vehicle (the FIDC), the fund lends in BRL, and the farmer never sees a stablecoin. The stablecoin’s remaining role is upstream, as an asset wrapper in which foreign investors hold and transfer their claim; settlement itself runs through the bank’s FX desk. Any architecture that ignores this leg is designing for a jurisdiction that stops existing in October 2026.
Three architectures compared
| Direct fractionalization | Mirror token | Two-tier (warrant + pool) | |
|---|---|---|---|
| What the investor holds | A fraction of the physical lot’s title | A receipt tracking an off-chain security | A share in a secured loan portfolio |
| Enforceability | Broken—no single titleholder | Unchanged—lives entirely off-chain | Intact—pool is the sole titleholder |
| Liquidity | High on paper, until default | Limited by the wrapped security | High—fungible pool token |
| Regulatory read | Collective scheme on a physical asset | Follows the underlying security | Credit instrument in a known wrapper |
| Default path | Effectively none | Standard, but the token adds nothing to it | Warrant → warehouse auction → pool |
| Where you see it | Failed pilots and pitch decks | VERT-style on-chain CRA issuances | Emerging lending designs |
The mirror token deserves a fair word: it is the proven, conservative end of this spectrum—the R$1.1 billion of on-chain CRA issuances from the first article are mirror tokens, and they work. What they do not do is change the instrument: the token is a window onto the securitization; the load-bearing structure stays off-chain. The two-tier design is what it looks like when the token layer starts carrying weight—collateral verification, encumbrance, waterfall execution—while still respecting the enforcement boundary.
What is still missing
The honest gap in every current implementation: a verifiable bridge between the state-sanctioned registrar and the public chain. Brazilian titles must live in authorized registries (B3, CERC), which internally already run on a permissioned ledger. Until the registry state is provable on the public network (rather than re-attested by the issuer), the warrant NFT is only as good as the process that syncs it. Whoever ships that bridge removes the last trusted intermediary in the stack; until then, every design carries a named reconciliation agent, and diligence should ask who it is.
Designing a token on real-world collateral?
We build two-tier RWA architectures end to end—title layer, pool economics, wrapper selection, and the default-path modeling that investors now ask for first.
Get in touchThe takeaway
The architecture that holds up in front of a warehouse clerk, a securities regulator, and a defaulting borrower is the one that refuses to merge two jobs into one token. A whole, machine-readable warrant holds the enforcement power, and a fungible pool token carries the liquidity and the yield. The onshore wrapper carries the law. Brazilian commercial practice arrived at the same division of labor on paper twenty years ago; the ledger’s contribution is verification and programmability on top of that split. The open question this architecture cannot answer by itself is price: what yield does the pool token have to pay a dollar investor, once hedging and country risk are counted honestly? That is the next article in this series—and the honest number is higher than most pitch decks assume.