Skip to main content
Most platforms hold customer funds in one big pool. That creates two problems at once. Shared risk: one exploit or one bad actor touches everyone. And zero per-user control: you cannot screen, freeze, or report on a slice of a pool. When pooled platforms fail, it gets worse. Courts ruled that Celsius deposits belonged to the company’s estate. Users became unsecured creditors. Blend flips the structure. Every user gets a dedicated Gnosis Safe smart account, one per user per product. There is no omnibus account anywhere in the system.

Pooled accounts vs. Blend

Pooled accounts (most apps)Blend’s SMA model
How funds are heldEveryone’s money in one poolEach user gets their own Safe
What a hack meansEntire pool drained. Everyone loses.Only the affected Safe is at risk. An attacker would need to break into thousands of Safes one by one.
Who controls the moneyOften the platform or its adminsThe user. They are the only signer on their Safe.
Can you screen one user?No. On-chain, the pool is one address.Yes. Every account is screened individually, before creation and on an ongoing basis.
Can you export one user’s history?No. One ledger for everyone.Yes. Every account keeps its own audit trail.
Whose property is it in a failure?Contested. Pooled deposits have been ruled company property.The user’s. Assets sit in their own Safe, verifiable on-chain.
What happens if the platform disappearsUsers may lose accessUsers keep full access through safe.global
Think of it like having your own vault at the bank. Same bank, but only you have the key.

One address, every chain

Blend derives each user’s Safe address before deployment. The user gets the same address on every supported chain. That means one address to screen, one address to whitelist, and one address to reconcile. Your ops team sees a single identity per user across all supported chains.

The custody test

The question that matters: can Blend move user assets outside the user’s mandate? It cannot. The mandate is the permission set granted up front: this user’s account, plus a whitelist of approved venues. Within the mandate, Blend routes capital without per-transaction signatures. That is the product. Outside the mandate, nothing moves. Not to an external address. Not to an unapproved venue. Not by Blend. Ever. This is not a policy choice. It is a structural property of the protocol, and you can verify it on-chain.

Why isolation is the compliance foundation

You cannot attach a control to a slice of a pool. You can attach one to an account. Because every user has their own account, every control operates per user. Screening runs per account. The audit trail is per account. Caps and reporting are per account. That is what makes Blend’s compliance controls possible at all.

Compliance Controls

See the controls that run on every account today.

Yield on Blend

The flagship product built on this account model.

Security

Five defense layers and the real failures they prevent.

Architecture

The contracts behind the account model.
Last modified on July 3, 2026