Blog · May 1, 2026 · Product
Non-Custodial By Default: How Olbra Thinks About Keys
Why your keys, your money is not just a slogan. The design philosophy of the Olbra wallet and what it costs to build.
There are two ways to build a wallet. In the custodial model, the user signs in with an email and a password; the platform holds the keys; transactions happen because the platform decides they should. The user experience is excellent. It feels like a bank app, because operationally it is one. The trade-off is that the user is trusting the operator’s solvency, security, and integrity. If the operator fails, gets hacked, or simply chooses not to honour a withdrawal, the user’s funds are at risk no matter what the screen says. That isn’t hypothetical. Mt. Gox, FTX, Celsius, BlockFi: the list of users who learned this the hard way is long, expensive, and still growing.
In the non-custodial model, the keys live on the user’s device. The platform never sees them. Transactions happen because the user signs them, and only because the user signs them. There is no withdrawal queue, because there is nothing to withdraw from: the funds were never with the platform. The trade-off is symmetric: if the user loses access to the keys, no one can restore them. The platform genuinely cannot help.
We chose the second model. The reason is simple. Every custodial failure starts with a story about how the custodian was special, well-run, well-audited, well-regulated. Every one of those stories ends the same way. The structural protection, the property of the system that survives bad actors and bad luck, comes from the user actually controlling the asset. Anything else is a promise, and promises break.
What this looks like in practice
In the Olbra app, your private keys are generated and stored inside the secure element of your device: the iOS Secure Enclave, the Android Keystore, the protected silicon that already guards your fingerprint and your payment cards. The app never has access to the raw key material. Signing happens behind a biometric prompt: Face ID, Touch ID, fingerprint, whatever your device offers. The recovery phrase, twelve words generated on-device when you first set up the wallet, is the user’s responsibility. We can’t see it. We can’t reset it. That is the security model.
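As an added illustration, not Olbra’s code, the following Swift sketch shows what the paragraph describes on iOS: a P-256 key generated inside the Secure Enclave, gated by the currently enrolled biometrics, used to produce a signature without the private half ever being readable by the app, and checked by a counterparty using only the public key. The function names, the key tag and the sample payload are assumptions for the example.

```swift
import Foundation
import Security

// Create a P-256 signing key whose private half lives in the Secure Enclave.
// The access-control object ties every use of the key to the biometric set
// enrolled right now; re-enrolling a fingerprint or face invalidates the key.
// (Key tag is an example value, not a real identifier.)
func makeEnclaveSigningKey(tag: String) throws -> SecKey {
    var acError: Unmanaged<CFError>?
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenUnlockedThisDeviceOnly, // never leaves this device, never in backups
        [.privateKeyUsage, .biometryCurrentSet],
        &acError) else {
        throw acError!.takeRetainedValue() as Error
    }
    let attributes: [String: Any] = [
        kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom, // the enclave supports only P-256
        kSecAttrKeySizeInBits as String: 256,
        kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave,     // generate inside the enclave
        kSecPrivateKeyAttrs as String: [
            kSecAttrIsPermanent as String: true,
            kSecAttrApplicationTag as String: tag.data(using: .utf8)!,
            kSecAttrAccessControl as String: access
        ]
    ]
    var keyError: Unmanaged<CFError>?
    guard let key = SecKeyCreateRandomKey(attributes as CFDictionary, &keyError) else {
        throw keyError!.takeRetainedValue() as Error
    }
    return key
}

// Sign a payload. The OS presents the biometric prompt; the app receives only
// the finished signature, never the scalar that produced it.
func sign(_ message: Data, with key: SecKey) throws -> Data {
    var error: Unmanaged<CFError>?
    guard let sig = SecKeyCreateSignature(
        key, .ecdsaSignatureMessageX962SHA256, message as CFData, &error) else {
        throw error!.takeRetainedValue() as Error
    }
    return sig as Data
}

// Verification needs the public key only. This is all a server, a relayer or
// a counterparty ever has to hold.
func verify(_ message: Data, signature: Data, publicKey: SecKey) -> Bool {
    var error: Unmanaged<CFError>?
    return SecKeyVerifySignature(publicKey, .ecdsaSignatureMessageX962SHA256,
                                 message as CFData, signature as CFData, &error)
}

// Concrete meaning of "the app never has access to the raw key material":
// exporting a Secure Enclave private key fails, so this returns false for it.
func privateKeyIsExportable(_ key: SecKey) -> Bool {
    var error: Unmanaged<CFError>?
    return SecKeyCopyExternalRepresentation(key, &error) != nil
}

// Walk through the whole flow once. Runs only on a device with a Secure Enclave.
func demo() throws {
    let priv = try makeEnclaveSigningKey(tag: "com.example.wallet.signing") // example tag
    guard let pub = SecKeyCopyPublicKey(priv) else {
        throw NSError(domain: "demo", code: -1, userInfo: nil)
    }
    let payload = "constructed sample payload: pay 10.00 to merchant".data(using: .utf8)!
    let sig = try sign(payload, with: priv)          // biometric prompt appears here
    assert(verify(payload, signature: sig, publicKey: pub))
    assert(!privateKeyIsExportable(priv))           // the key stays in the silicon
    // Any change to the payload breaks the signature.
    var tampered = payload
    tampered.append(0x21)
    assert(!verify(tampered, signature: sig, publicKey: pub))
}
```

Two caveats a practitioner would weigh against this pattern. First, `.biometryCurrentSet` means a biometric re-enrolment permanently invalidates the key, which is exactly why the recovery flow the post mentions matters. Second, the Secure Enclave only generates and signs with P-256 keys and cannot re-create a key from a twelve-word phrase, so how an enclave-resident key relates to the recovery phrase and to a chain’s own signature scheme is a design decision the post does not spell out.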
The cost of this is real. Non-custodial wallets are harder to build because you can’t hide the consequences of the model from the user. You have to make signing feel as smooth as a tap to confirm a card payment, even though under the hood it’s a cryptographic operation against a hardware-secured key. You have to absorb gas-fee complexity so the user never has to think about it, in our case via sponsored gas through Coinbase Paymaster, which means the same wallet sends a payment without the user holding any native token. You have to design recovery flows that don’t turn into single points of failure. None of this is free. It’s the work.
One wallet, every asset
The same key controls everything you hold in the app: the EUR-denominated stablecoin, the dollar one, the złoty one, the tokenized commodities, the supplied positions in DeFi lending markets. Adding a new asset doesn’t add a new account; it adds a new line in the balance view. That uniformity is only possible because the underlying primitive, the user-controlled key, is the same across all of them.
That’s the part that scales. As the app grows into more of life’s daily transactions, the security model holds. Whatever surface you’re spending on, your keys are still the thing controlling your money. The wallet doesn’t change shape because the use case changes. The lock is the same lock.
We will add features. We will simplify recovery. We will keep working on the surface so the security never feels heavy. But the primitive underneath is fixed: keys on your device, signed by your biometric, owned by you.