System state:Live system with real users and funds under custody
01
Durability
Proven in production
Panther Wallet completed a live migration from non-custodial to custodial architecture under real user balances, with no loss of funds.
Migrated under active user balances while the system stayed live,
No loss of funds through the non-custodial to custodial transition,
Operating under full custody responsibility since the migration.
That durability came from isolating custody as its own responsibility layer before the migration, not from patching it afterward.
02
Launch context
Panther Wallet initially launched with a non-custodial wallet model, where users retained direct control over their funds.
As the product evolved, requirements expanded to include:
Centralized custody of user assets,
Crypto payments and card flows,
Coordinated system management.
This required a fundamental architectural transition while the system was already live, with active users and balances. Once custody was introduced, the system assumed full responsibility for:
•Private key management,
•Transaction execution,
•Controlled operational actions affecting user funds.
There was no rollback path for architectural decisions.
03
Core risk
Primary risk
Migrating from non-custodial to custodial wallet architecture transfers irreversible responsibility for user funds to the system operator.