1. Executive summary
Brazil issues more than 4 billion bank slips per year, making the boleto one of the most used payment instruments in the country. However, this volume coexists with an alarming reality: estimates point to losses between R$ 25 and 29 billion annually in digital fraud involving slips and other electronic payment methods (ClearSale, 2024; Finsiders, 2024).
Stellar Boleto Guardian is a solution that records the barcode of each issued slip on the Stellar blockchain, creating a public, immutable and auditable proof of authenticity. The key differentiator is the end-user experience: to validate a slip, simply type the numbers printed on the document. No need to know hashes, cryptographic keys or any technical concept.
The solution integrates with any ERP system via a middleware API, making it platform-agnostic. In this whitepaper we use TOTVS Protheus as an implementation reference, but the architecture is replicable for any ERP on the market.
2. The problem
2.1 Fraud scenario in Brazil
The bank slip (boleto) is a pillar of the Brazilian financial system. Present in B2B, B2C and government transactions, it serves from large corporations to end consumers. Its popularity has made it one of the preferred targets of digital criminals.
- 4 billion slips issued annually in Brazil (FEBRABAN)
- R$ 25 to 29 billion in losses from digital fraud, including slips and PIX
- The tampered slip scam is among the most common types of digital crime in the country
2.2 How fraud happens
The fraud cycle exploits vulnerabilities at several points in the chain:
Company issues Slip in transit Criminal Payer receives legitimate slip intercepts tampered slip +-----------+ +-----------+ +-----------+ +-----------+ | ERP | | Email, | | Alters | | Pays to | | generates | -----> | mail, | -----> | barcode | -----> | wrong | | slip | | portal | | or data | | account | +-----------+ +-----------+ +-----------+ +-----------+
Most common techniques: email interception with barcode replacement; malware that alters the barcode on display or print; social engineering with fake slips; physical tampering of printed slips.
2.3 The trust gap
The fundamental problem is the absence of a public, reliable verification layer between company, financial institution and payer. Today, the payer depends exclusively on trust in the sender. There is no public, tamper-proof mechanism to verify whether the received slip is identical to the one issued by the company.
2.4 Limitations of current solutions
| Approach | Limitation |
|---|---|
| Bank verification | Requires internet banking access and manual checking |
| Corporate antifraud systems | Operate internally, no transparency for the payer |
| DDA (Authorized Direct Debit) | Requires prior registration, does not cover all scenarios |
| ERP internal logs | Can be altered; not public or auditable |
They all share a common flaw: the payer has no autonomy to validate the slip independently, publicly and instantly.
3. The solution: Boleto Guardian
3.1 The concept
Boleto Guardian solves the trust gap directly: when issuing a slip, the company records the barcode on the Stellar blockchain. From then on, anyone with the slip can verify its authenticity by querying the blockchain.
Received a slip? Type the numbers. If it exists on the blockchain, it's authentic.
3.2 Why the barcode as key?
A Brazilian bank slip barcode has 47 digits. This sequence is unique per slip, printed on the document, standardized by FEBRABAN and compact (fits in Stellar's 64-byte Manage Data). This choice eliminates the need for the user to know any technical information. The slip is the query credential itself.
| Approach | Query key | What the user needs | Experience |
|---|---|---|---|
| Traditional (hash) | Slip hash | Account ID + SHA1 hash | Complex, technical |
| Boleto Guardian | Barcode (47 digits) | Nothing but the slip | Simple, intuitive |
3.3 Stellar Manage Data
The Stellar blockchain natively offers the Manage Data operation: key-value pairs on the user's account. Key up to 64 bytes (barcode); value up to 64 bytes (our number, amount, due date, status). No smart contracts or complex infrastructure required.
3.4 One account per company
Each issuing company has one account on the Stellar network. All slips are recorded on that account. The Account ID is configured once in the API β the end user never needs to know it.
Company (e.g. DS2U) Stellar account: GABCD...XYZ +--------------------------------------------------+ | Manage Data key: 23793.38128...004001... | | val: 000000040|120.50|20250805|pending | key: 23793.38128...004002... | | val: 000000041|350.00|20250810|pending | ... (all company slips) | +--------------------------------------------------+
3.5 Zero-friction validation
1) The payer receives the slip. 2) Accesses the validation page (or QR code). 3) Types the 47 digits. 4) The system queries Stellar and displays the original data. 5) If the data matches, the slip is authentic. If the barcode does not exist on the blockchain, the slip was not issued by the company β potential fraud.
4. Conceptual architecture
4.1 Overview
Three layers: ERP β API Middleware β Stellar Network. The end user queries via GET (types the barcode and validates).
+-------------------+ +-------------------+ +-------------------+
| ERP SYSTEM | | API MIDDLEWARE | | STELLAR NETWORK |
| Generates slips | POST | Receives, | TX | Manage Data |
| Sends barcode |------>| validates, |----->| Immutable record |
+-------------------+ | builds TX, sends | | Public query |
+--------^--------+ +-------------------+
| GET
+--------+--------+
| END USER |
| Types barcode |
+-----------------+
4.2 The three moments
Moment 1 β Issuance: The ERP generates the slip and sends barcode and metadata to the API. Moment 2 β Blockchain registration: The API validates, builds the Manage Data transaction and submits to the network; in ~5 seconds the record is confirmed and immutable. Moment 3 β Public validation: Anyone queries the blockchain with the barcode; the API returns the original data for comparison.
4.3 ERP integration
Boleto Guardian is ERP-agnostic. Communication is via HTTP (REST). We use TOTVS Protheus as a reference; the same integration can be replicated for Sankhya, Omie, SAP, Oracle or any ERP that supports web requests.
5. Why Stellar?
Blockchain choice is critical. Boleto Guardian requires a fast, cheap, secure and easy-to-integrate network. Stellar meets all requirements.
5.2 Manage Data: native operation
Unlike blockchains that require smart contracts to store data, Stellar offers this natively in the protocol: no writing or auditing contracts, no contract vulnerability risks. Simplicity that reduces development, maintenance and auditing.
5.3 Operational cost
Each transaction costs approximately 0.00001 XLM. The cost per registered slip remains in the order of fractions of a cent. Comparison:
| Blockchain | Cost per transaction | Smart contract? | Confirmation time |
|---|---|---|---|
| Stellar | ~0.00001 XLM | No | ~5 s |
| Ethereum | Variable (gas) | Yes (Solidity) | ~15 s to minutes |
| Bitcoin | Variable | N/A | ~10 min |
5.4 Fast finality
Transactions confirmed in approximately 5 seconds, with absolute finality. No need to wait for multiple confirmations as in proof-of-work blockchains.
5.5 Public and decentralized network
Anyone can query data from any account (Stellar Explorer, Horizon API), verify history and audit records independently. This transparency is essential for a trust layer that does not depend on a centralized entity.
5.6 Governance
The network is maintained by the Stellar Development Foundation (SDF), a non-profit organization dedicated to protocol development and global financial inclusion.
6. Feasibility and scalability
Favorable cost: Cost per registered slip is orders of magnitude lower than the average loss from a single fraud. XLM reserve: Each Manage Data entry consumes a small reserve on the company account; at scale, it is manageable and predictable. Scalability: Stellar processes thousands of transactions per second with ~5 s confirmation; the API is stateless and horizontally scalable. Addressable market: 4 billion slips/year in Brazil, with an estimated 15% annual growth.
7. Security, privacy and compliance
7.1 Immutability
Once recorded on Stellar, a Manage Data entry can only be changed by a new transaction signed by the account key. Third parties cannot tamper; any change generates a visible transaction in the history.
7.2 Key protection
The company's Stellar account private key is the only sensitive asset. It must be stored in a secure environment (digital vault, HSM or encrypted storage) and never exposed to the end user. The API must operate with mandatory HTTPS.
7.3 Privacy by design β LGPD
No personal data is stored on the blockchain. The barcode and metadata do not identify the payer. Name, CPF/CNPJ and address are never recorded on-chain. The system is LGPD-compliant by design.
7.4 Transparency and auditing
Data on Stellar is public. Anyone can audit via Stellar Explorer; regulators can verify integrity; the company demonstrates transparency with no extra effort.
7.5 Production infrastructure
| Requirement | Description |
|---|---|
| HTTPS | All ERP, API and user communication encrypted |
| Key backup | Private key with secure and redundant backup |
| Monitoring | Alerts for transaction failures, unavailability or anomalous use |
| Auditable logs | Record of all operations for internal traceability |
8. Adoption strategy
Partnerships with ERP consultancies: Certified consultancies (TOTVS, Sankhya, Omie) have direct access to client bases. Native integrations: Modules in leading ERPs, available on official marketplaces. White-label model: The solution can be rebranded by ERPs and fintechs. Direct corporate contracts: For large companies with high issuance volume, with customizations and differentiated SLAs.
The more companies adopt, the more slips are registered, the more users validate, the greater market trust β creating a virtuous adoption cycle.
9. Future vision
Boleto Guardian is the first step of a broader digital trust platform. The same architecture can be extended to other critical documents:
- Phase 1 β National standard for slips: Consolidate as the reference for slip validation in Brazil, with integration in major ERPs and recognition as a security seal.
- Phase 2 β Electronic invoices: Validate NF-e and NFS-e, combating fraud in tax documents.
- Phase 3 β Digital contracts: Immutable record of terms, signatures and contractual changes.
- Phase 4 β National trust infrastructure: Platform as Brazil's digital validation layer, with public APIs for government and private documents.
"In 5 years, Boleto Guardian will be synonymous with digital trust in Brazil, just as the SSL lock represents security on the web. Every validated document strengthens the trust network."
10. Conclusion
The Brazilian slip market moves billions of transactions annually, and fraud represents one of the biggest financial security challenges. The absence of a public, immutable and accessible verification layer between issuer and payer is filled by Boleto Guardian in an elegant and efficient way.
By using the Stellar blockchain and its native Manage Data operation, the solution dispenses with complex smart contracts, operates at minimal cost and offers confirmation in seconds. The barcode as query key ensures the user needs no technical knowledge β just have the document in hand.
Every validated slip is a secure slip. Every secure slip strengthens trust in the Brazilian financial system.
11. References
- Stellar Development Foundation β Stellar protocol documentation.
- Stellar Horizon API β Reference for account and data queries.
- FEBRABAN β Data on slip volume in Brazil.
- ClearSale (2024) β Digital fraud report in Brazil.
- Finsiders (2024) β Analysis of losses from fraud in slips and PIX.
- Central Bank of Brazil β Slip regulation and payment system.
- LGPD β Brazilian General Data Protection Law (Law 13.709/2018).