> ## Documentation Index
> Fetch the complete documentation index at: https://docs.blend.money/llms.txt
> Use this file to discover all available pages before exploring further.

# Accounts & Custody

> Every user gets their own Gnosis Safe. No pools, no omnibus accounts. Blend cannot move assets outside the mandate.

Most platforms hold customer funds in one big pool. That creates two problems at once. Shared risk: one exploit or one bad actor touches everyone. And zero per-user control: you cannot screen, freeze, or report on a slice of a pool.

When pooled platforms fail, it gets worse. Courts ruled that Celsius deposits belonged to the company's estate. Users became unsecured creditors.

Blend flips the structure. Every user gets a dedicated [Gnosis Safe](https://safe.global) smart account, one per user per product. There is no omnibus account anywhere in the system.

## Pooled accounts vs. Blend

|                                             | **Pooled accounts** (most apps)                              | **Blend's SMA model**                                                                                      |
| :------------------------------------------ | :----------------------------------------------------------- | :--------------------------------------------------------------------------------------------------------- |
| **How funds are held**                      | Everyone's money in one pool                                 | **Each user gets their own Safe**                                                                          |
| **What a hack means**                       | Entire pool drained. Everyone loses.                         | **Only the affected Safe is at risk.** An attacker would need to break into thousands of Safes one by one. |
| **Who controls the money**                  | Often the platform or its admins                             | **The user.** They are the only signer on their Safe.                                                      |
| **Can you screen one user?**                | No. On-chain, the pool is one address.                       | **Yes. Every account is screened individually,** before creation and on an ongoing basis.                  |
| **Can you export one user's history?**      | No. One ledger for everyone.                                 | **Yes. Every account keeps its own audit trail.**                                                          |
| **Whose property is it in a failure?**      | Contested. Pooled deposits have been ruled company property. | **The user's.** Assets sit in their own Safe, verifiable on-chain.                                         |
| **What happens if the platform disappears** | Users may lose access                                        | **Users keep full access** through safe.global                                                             |

<Info>
  Think of it like having your own vault at the bank. Same bank, but only you have the key.
</Info>

## One address, every chain

Blend derives each user's Safe address before deployment. The user gets the same address on every supported chain.

That means one address to screen, one address to whitelist, and one address to reconcile. Your ops team sees a single identity per user across all [supported chains](/blend/chains-tokens).

## The custody test

The question that matters: can Blend move user assets outside the user's mandate?

It cannot.

The mandate is the permission set granted up front: this user's account, plus a whitelist of approved venues. Within the mandate, Blend routes capital without per-transaction signatures. That is the product. Outside the mandate, nothing moves. Not to an external address. Not to an unapproved venue. Not by Blend. Ever.

<Snippet file="snippets/custody-test.mdx" />

This is not a policy choice. It is a structural property of the protocol, and you can verify it on-chain.

## Why isolation is the compliance foundation

You cannot attach a control to a slice of a pool. You can attach one to an account.

Because every user has their own account, every control operates per user. Screening runs per account. The audit trail is per account. Caps and reporting are per account. That is what makes [Blend's compliance controls](/blend/compliance) possible at all.

<CardGroup cols={2}>
  <Card title="Compliance Controls" icon="shield-check" href="/blend/compliance">
    See the controls that run on every account today.
  </Card>

  <Card title="Yield on Blend" icon="chart-line" href="/blend/yield">
    The flagship product built on this account model.
  </Card>

  <Card title="Security" icon="lock" href="/blend/security">
    Five defense layers and the real failures they prevent.
  </Card>

  <Card title="Architecture" icon="cube" href="/architecture/overview">
    The contracts behind the account model.
  </Card>
</CardGroup>
