Skip to content

Security & threat model

v.04

Keys stay with you. We hold zero.

This is the long version of our threat model. What we protect. How. Who holds what. And where the real risks are. We don’t say “we take security seriously.” We tell you what we do, what we don’t, and what could still go wrong.

01 · Custody 0 shards held by Normies Labs. We cannot sign, freeze, or recover your wallet.
02 · Withdrawal 1 tx No lockup, no unbonding, no multi-sig approval path between you and exit.
03 · Signing 2 / 3 MPC Threshold to sign. Full private key is never assembled in any one place.
01

Custody model

How the key that controls your balance is generated, stored, and used.

Your wallet is created and operated through Privy, a SOC 2 Type II infrastructure provider. Privy splits the private key into three shards via multi-party computation (MPC):

  • Device shard, stored in your phone's secure enclave. Lost with the phone, replaceable with the other two shards.
  • Auth shard, derived at login time from your email + passkey. Never written to disk on our side.
  • Recovery shard, held by Privy under access controls they publish and audit against SOC 2.

Signing a transaction requires any two of the three shards to co-produce a signature. The full private key is never reconstructed on any machine, including yours. Normies Labs holds no shard and has no path to derive one.

If Normies Labs disappeared tomorrow, your balance would still be yours, still be on-chain at the same address, and still be recoverable through Privy's standalone wallet export flow.

02

System architecture

Where value moves. Yellow blocks are things you control; white blocks are counterparties.

Fig. 01 Custody & settlement topology, April 2026
You control
A

Your device

Device shard in the secure enclave. Biometric unlock required to initiate a signature.

B

Your on-chain wallet

An address on Base (Ethereum L2). The only party that can move funds is a 2-of-3 signature.

Counterparties · audited, opt-in
C

Privy MPC

Auth + recovery shards. Co-signs only after your device presents a valid share.

D

Aave V3

Optional yield. Address supplies USDC; withdrawable in a single on-chain tx.

E

Circle USDC

Stablecoin issuer. 1:1 cash + short-duration US Treasurys, attested monthly.

F

Rain

Visa issuer. Just-in-time USDC pull at swipe. No float held by Normies.

You control (keys, addresses) Counterparty (audited, opt-in) A signature requires any two of A, C to authorize a transfer from B.
03

Who we work with, and what they actually do

Short version of the counterparties above, what each one is responsible for, and the failure mode if they're compromised.

PrivyWallet & MPC signing
Failure mode Can’t sign without you. Can’t forge without you.
CircleUSDC issuance & reserves
Failure mode Peg dislocation. See threat model.
RainCard issuance, Visa network, KYC, POS FX
Failure mode Card declines. Balance unaffected.
04

What Normies can and can't do

A plain accounting of our capabilities, not our intentions.

What Normies can do

  • Show you your balance, transactions, and yield history.
  • Assist with passkey recovery via Privy's documented flow.
  • Disable a card at Rain's issuer console (fraud, loss, reported theft).
  • Pause new deposits into yield if a protocol risk event is active.

What Normies cannot do

  • Sign a transaction on your behalf. We don't hold a shard.
  • Freeze, seize, or claw back your on-chain balance.
  • Lend your balance, rehypothecate it, or lend to ourselves.
  • Operate an omnibus/custodial account, there isn't one.
  • Restore your wallet if you lose your device and your login passkey. Keep a recovery code.
05

Threat model, honest accounting

The risks that remain after self-custody removes the custodial ones.

Smart contract risk (highest residual risk)

Aave V3 has been audited multiple times by independent firms and has run $30B+ through overcollateralized lending since 2020. A critical undiscovered vulnerability in Aave would put supplied balances at risk. You can opt out of yield at any time and hold raw USDC at your address.

Stablecoin peg risk

USDC is 1:1 backed by cash and short-duration U.S. Treasurys, attested monthly by an independent accounting firm. A depeg is unlikely but not impossible; we'll publish a status page notice and pause yield deposits if USDC trades below $0.995 for more than four hours on major venues.

L2 liveness risk

Balances live on Base, an Ethereum L2. If Base's sequencer halts, funds remain yours and on-chain but may be temporarily non-transferable until the sequencer resumes or an escape hatch is used. Base has published an escape-hatch spec; we'll document our recovery procedure before it's needed.

Device & phishing risk (your side)

The single most likely attack on your money isn't a smart-contract exploit, it's phishing your login + a malicious prompt to approve a drain transaction. Normies will never ask you to sign a transaction from an email, DM, or support ticket. Approvals only happen inside the app, on your device, with biometrics.

Partner compromise

If Privy's recovery-shard infrastructure were compromised, an attacker would still need your device shard and your auth shard. Losing one shard is recoverable; losing two approaches unrecoverable. This is why the three shards are architecturally independent.

06

Audits, reviews & incident history

What we inherit from counterparties, what we've commissioned, and what's happened in production.

  • Apr 2026. pre-launchNormies app is pre-launch. No customer funds in production. No production incidents.
  • Counterparty audits (inherited)Privy: SOC 2 Type II. Aave V3: multi-firm audit record and formal verification. Circle USDC: monthly attestations by independent accountant.
  • Planned, Q3 2026Third-party security review of the Normies application layer (integration points, transaction construction, UX around signing). We'll publish the report.
  • Planned, alongside mainnetPublic bug bounty program. Scope, payouts, and safe-harbor language will be published before the program opens.

We won't list an audit firm on this page until an engagement letter is signed. We'd rather be boring than wrong.

07

Reporting a vulnerability

Good-faith security research is welcome. We read every report.

Coordinated disclosure

security@normies.co

PGP key available on request. Include a proof-of-concept and a rough severity. We commit to coordinated disclosure and will credit you, or keep you anonymous, in the post-remediation write-up.

Email security@normies.co →

Acknowledge
≤ 1 business day
Triage
≤ 5 business days
Fix target
Severity-dependent
08

Change log

  • April 20, 2026Rewrote this page as a threat model. Added architecture diagram, capability matrix, vulnerability disclosure SLAs. Removed unsupported audit claims.

Not a security bug, just a question about this page?

legal@normies.co

Last updated April 20, 2026. This page describes security practices as of April 2026 and will be updated as the product ships. For binding obligations, see the Terms of Service and Disclosures. Normies is a pre-launch product; some capabilities described here are on the roadmap and not yet live on mainnet. Normies is not a bank. Balances are not FDIC insured.

Become a part of our vibrant tribe
Join waitlist
Join the Normies waitlist — become part of the community building the future of banking and crypto
The money app that speaks banking and crypto, so you don’t have to
Card
Blog
FAQ
Support
Contact
Partnerships
Careers
Security
Disclosures
Privacy
Terms
Support: support@normies.co
© 2026 Normies. All rights reserved.