Aqua0
Security & Trust

Non-custodial design

What “non-custodial” means in Aqua0, and what it does not mean.

What it means

In Aqua0, the protocol does not take custody of user funds in the way a traditional pool does.

Practically:

  • users remain in control of their assets
  • execution is coordinated so liquidity can be accessed when needed
  • the system focuses on minimizing “funds parked in a pool doing nothing”

What it does not mean

Non-custodial does not eliminate:

  • smart contract risk
  • chain risk
  • bridge/messaging risk in cross-chain flows
  • off-chain trust in the team's signing keys (see below)

Off-chain trust model

The protocol holds three privileged off-chain identities, each tied to a single slot on the SLP and rotatable only by the contract owner:

  • backendSigner signs V4 JIT payloads and repayment withdraw payloads.
  • repaymentWorker is the only EOA permitted to call slp.withdrawForRepayment.
  • operator is the only EOA permitted to call slp.shipStrategy, slp.dockStrategy, and slp.reshipStrategy.

LP capital custody is non-custodial in the sense that the SLP itself holds the tokens and only the LP can withdraw their own balance. But per-LP attribution and the strategy lifecycle authorization both live off-chain and trust these signing keys. A leak of backendSigner or operator does not let an attacker drain LP balances, but it does let them mis-attribute swaps or ship invalid strategies until the key is rotated.

See Risks & disclosures for a clear breakdown.

Status & errors

How to track swaps safely and what to do when things fail.

Risks & disclosures

The main risks users and integrators should understand.

On this page

What it meansWhat it does not meanOff-chain trust model