Double-Counting Prevention: How Greentruth Locks Out Double Issuance, Double Use, and Double Claiming

Double-counting prevention is the central integrity question in environmental markets — the question that breaks down most often when a registry tries to bolt verification onto an instrument that wasn't designed for it, and the question every credible disclosure framework expects a clean answer to. This page explains what double counting actually is, what the three industry-standard failure modes look like in practice, and how Greentruth's registry architecture closes each one structurally rather than by policy.

Double-counting prevention, in one paragraph. Double-counting prevention is the practice of ensuring an environmental attribute is issued once, used once, and claimed once — preventing the three failure modes the industry commonly cites: no double issuance, no double use, no double claiming. Greentruth's Quantified Emissions Tokens (QETs) close all three structurally: single-mint enforcement at issuance, irrevocable on-chain retirement at use, and methodology-versioned retirement records that anchor each claim to a specific reporting period and entity. The mechanisms are properties of the EarnDLT registry, not policies that depend on participant honesty.

What a QET is in the first place

Double counting is the umbrella term for any failure that lets an environmental attribute substantiate more than one claim. The failure can happen at issuance (two certificates issued for the same physical unit), at use (the same certificate applied to two different claims), or at claiming (two different reporters claiming the same retirement). Each failure mode is a different break in the integrity chain — and each one has historically been the way registry-grade systems lose credibility.

For QETs specifically, the question is sharper than for traditional carbon credits because QETs are fuel- or electricity-attribute certificates, not offsets. The integrity question is not whether an unrelated tonne of CO₂e was avoided somewhere; it is whether the verified attributes of a specific physical unit of fuel, electricity, or stored CO₂ have been used exactly once. Attribute uniqueness, not offset arithmetic, is the load-bearing concept.

Three frameworks make double-counting prevention non-negotiable in practice, not as a "nice-to-have" but as a precondition for the disclosure to land:

• GHG Protocol Scope 2 Quality Criteria — for market-based electricity reporting, retirement is required and uniqueness is presupposed.
• GHG Protocol Scope 3 Standard, Category 3 — the fuel-attribute claim is anchored at retirement, so any retirement that isn't unique invalidates the claim.
• SBTi Corporate Net-Zero Standard — abatement and neutralization instruments alike depend on uniqueness; a non-unique retirement is not a credible input.

How the GHG Protocol structures these criteria

How SBTi treats these instruments

The cleanest way to read double-counting prevention is as three discrete failure modes the integrity architecture has to close. A credible double-counting prevention story is not one mechanism; it is three:

• No double issuance. A specific physical unit produces exactly one certificate. Two certificates representing the same MMBtu of gas or MWh of electricity cannot exist.
• No double use. A certificate, once retired against a claim, cannot be used again. Retirement is permanent.
• No double claiming. Two different parties cannot claim the same retirement against their respective inventories. Each retirement record is owned by one retiring entity, for one reporting period, against one disclosure line.

The failure modes are independent: a system can prevent the first and still fail at the second; a system can prevent the first two and still fail at the third if retirement records are not cleanly attributable. A credible registry has to close all three.

How attribute-based discovery surfaces only minted, non-retired records

For the foundational QET overview

Greentruth's first structural answer is single-mint enforcement. Every QET on the EarnDLT registry is anchored to a specific verified physical unit — one MMBtu of natural gas, one MMBtu of RNG thermal energy, one MWh of electricity, or one tonne of geologically stored CO₂ — and the mint pipeline structurally rejects any attempt to issue a second token for the same unit.

The mechanics behind that enforcement:

• Verified primary data feeds the mint. Producer- and operator-side data flows through accredited third-party verification under ISO 14064-3 reasonable assurance before any token is created.
• On-chain issuance is single-pass. The mint transaction records the unit, the methodology version, the R&D GREET 2025 reference dataset version where applicable, and the verifier of record. Subsequent attempts to mint against the same physical unit are rejected by the registry, not by a human reviewer.
• The Hedera Hashgraph anchoring is tamper-evident. Once written, the mint record is part of the public-distributed-ledger record. It cannot be retroactively edited to "make room" for a second issuance.

The result is that the first leg of double-counting prevention — no double issuance — is closed structurally. The answer to "could this MMBtu have been tokenized twice?" is no, by design, not by policy.

How minting actually works

The second structural answer is irrevocable on-chain retirement. When a buyer retires a QET against a specific reporting claim, the retirement transaction is written to the EarnDLT registry on-chain — and the token cannot be transferred, retired again, or otherwise reused.

The mechanics:

• Retirement is a registry transaction. Not a policy attestation, not an off-chain workflow that depends on the holder remembering not to use the token again. The retirement is a state change recorded on Hedera Hashgraph via the EarnDLT registry.
• The retirement record is permanent. It does not expire, it does not roll forward into a subsequent reporting cycle, and it cannot be reversed. A retired token is a closed record.
• The retirement record is attributable. It links the specific QET — and therefore the specific verified physical unit and all its attributes — to the retiring entity, the reporting period, and the disclosure line the buyer is substantiating.

The second leg of double-counting prevention — no double use — closes here. The answer to "could this token be applied to two different claims?" is structurally no. Once the retirement is written, the token's lifecycle ends.

How retirement actually works

How acquisition feeds retirement

The third structural answer is the claims-integrity layer on top of retirement. The retirement record doesn't just confirm that a token has been used — it carries the methodology version, the reference dataset version, the verifier of record, and the chain of provenance back to the original mint. This is what closes the no-double-claiming gap.

Why it matters for the auditor on the other side of a buyer's disclosure:

• A reporting framework's verifier can reconstruct what the buyer claimed. Methodology version, GREET version, verifier of record, geography, MRV tier — all present on the retirement record. The verifier doesn't have to take the buyer's word for any of it.
• The claim is uniquely attributed. One retired QET, one reporting entity, one reporting period, one disclosure line. There is no way for two different reporters to point at the same retirement record and claim it independently.
• Methodology versioning travels with the claim. If a framework guidance update (CNZS V2.0, GHG Protocol Scope 2 Guidance update) lands later, the retirement record makes clear which version of which framework the claim was built against. The historical claim doesn't get retroactively invalidated, and the audit trail doesn't need to be reconstructed.

This is the layer that traditional registries most often get wrong. Attribute uniqueness without methodology-versioned attribution leaves the claims-integrity gap open even when issuance and use are clean — so the third leg of double-counting prevention closes here, not at retirement itself.

How retirement records feed framework exports

How TCR-aligned reporting consumes retirement records

How ISO 14064-3 verification underpins this

A real-world question that affects double-counting prevention more than the architecture-internal mechanisms: what about legacy registries, M-RETS-style certificate systems, and the historical procurement records buyers have on the books? The honest answer is that cross-registry visibility is a live integrity problem in the industry — and one Greentruth addresses through migration paths rather than ignoring.

Specifics:

• Migration to Greentruth supports importing legacy certificates with mapping back to their original registry of origin, so the same physical unit cannot be tokenized in two registries simultaneously.
• Optional export back to external registries is supported (per the QET-RNG methodology, among others), preserving chain-of-custody when a buyer's program requires interaction with a legacy framework.
• Methodology versioning at the QET level ensures that even where data flows across registries, the audit trail remains reconstructible to the version of each methodology in force at issuance.

How migration from legacy registries works

How GasTrace integrates with downstream reporting

GHG Protocol Scope 2 Quality Criteria

GHG Protocol Scope 3 Standard