All workHanoi · —:—
Sunday/Work/№ 03 · PYXIS SAFE

PYXIS.

Multi-signature safe for the Cosmos interchain — co-owners share custody of digital assets, M-of-N approval required to move funds.

ORG
Aura Network
Year
2023
Role
Frontend developer
Timeline
v1 mainnet → EVMOS
Live
pyxis.aura.network ↗
Pyxis Safe banner
01

The brief

Context · what existed before

The Cosmos interchain had wallets and chains, but nothing that let a team share custody of a treasury — no Gnosis Safe equivalent, no shared transaction history, no proposal flow that worked across IBC chains.

DAOs and protocol teams on Cosmos were running treasuries out of single-signer wallets or multisig modules buried in the SDK with no UI. Funds moved via raw CLI commands, every approval was a screenshot in a Telegram thread, and rotating a co-owner meant redeploying.

Aura Network wanted a Cosmos-native Safe — Gnosis-grade UX, but built for IBC accounts, CosmWasm contracts, and any chain that speaks the standard SDK. One product surface to create a safe, propose a transaction, collect signatures, and execute on-chain.

The job: design and ship the frontend for the safe creation flow, transaction proposal and queue, signature collection, asset and history views, and a wallet layer that handed off signing to Keplr and Coin98 without ever touching a private key.

02

What changed

Outcome · since mainnet
5+
Cosmos chains supported
Aura, Cosmos Hub, Evmos, IBC-enabled
M-of-N
Threshold approvals
co-owners pick the rule on creation
0
Private keys touched
all signing handed to user wallet
2
Wallets out of the box
Keplr · Coin98
03

How it got built

Process · five moves
  1. 01

    Mapped the Cosmos multisig primitive before the UI.

    Cosmos has multisig at the SDK level but no shared UX layer. Spent the first sprint inside the auth and bank modules, mapping how threshold accounts get derived, how partial signatures get aggregated, and what the wallet boundary actually was. The proposal flow followed that primitive — not a Gnosis port.

  2. 02

    Built the proposal queue as a deterministic state machine.

    Create → propose → collect signatures → broadcast → confirm. Each proposal lives in an explicit state with named transitions, so a co-owner who reloads mid-collection sees the same queue, the same signers, and the same tx hash — no orphaned drafts.

  3. 03

    Treated the wallet boundary as sacred.

    Pyxis never sees a private key. Built the signing layer so every transaction is encoded in the app, handed off to Keplr or Coin98 for signing, and only the signed payload comes back. Aggregation happens server-side over signed objects, never raw secrets — the audit story stays simple.

  4. 04

    Shipped the assets + history view as one ledger.

    Co-owners want to know two things on landing: what's in the safe, and what moved. Built a unified ledger that joins balances, IBC denoms, in-flight proposals, and confirmed history in a single read — so opening a safe answers both questions in one scroll.

  5. 05

    Extended to EVMOS without forking the codebase.

    After the Cosmos SDK launch, the next chain was EVMOS — same SDK, different account model. Generalised the chain abstraction so adding a new chain is config + a sign-bytes adapter, not a fork. EVMOS shipped behind the same proposal queue, same UI, same audit surface.

04

What it’s built on

Stack · cosmos · multi-chain
Frontend
ReactTypeScript· strictSass
Cosmos
CosmJSCosmWasmKeplr· walletCoin98· wallet

Cosmos-native multisig with Gnosis-grade UX — five chains, two wallets, zero private keys ever held.

— Pyxis Safe · Aura Network, 2023
Treasury or DAO tooling?sunday19x3@gmail.com
Next case study →Dichung