Why we built LOSURIA — a non-custodial Ethereum sniper, in public, in 14 weeks
The pain point that wouldn't go away
For two years we used the same MEV-protected sniper everyone in this space uses. You know the one. Telegram bot. Holds your keys server-side. Five layers of "trust us, bro." Slick UI, twelve-figure aggregated volume, audits behind paywalls.
We watched users lose meaningful capital to that bot in 2025 when one of its co-founders left and the server-side wallet was paused for 9 days, during a token event that some of them had armed trades for. No reply on Telegram. No post-mortem. Funds were returned eventually, with no explanation. The user Discord pretended it didn't happen.
That was the last time we let a custodian hold private keys while users traded MEV.
We went looking for a non-custodial alternative. There wasn't one. The "non-custodial" snipers we found:
- stored private keys in browser localStorage (read by any extension you install),
- required you to upload your seed phrase to a "secure HSM" managed by them,
- had passkey UI but server-side key derivation (the passkey was just a 2FA prompt),
- or were dead repos from 2022.
Nothing where the private key lived in a hardware-bound secure enclave and never touched a server. Nothing with a local node, so the operator couldn't see the user's arming signals before the chain did. Nothing where every contract was Sourcify-verified and the bytecode hash was pinned on a public audit page.
So we built it.
What it is, in one paragraph
LOSURIA is a non-custodial sniper + launchpad on Ethereum mainnet. Backend is Rust + tokio + axum, single binary behind Caddy. The hot path uses our own Reth node over local IPC — no third-party RPC dependency. Order submission goes through a 4-builder private bundle (Flashbots, Beaverbuild, Titan, Lightspeed), no public mempool. Wallet is a Coinbase Smart Wallet derived from a WebAuthn PRF passkey + HKDF-SHA256 — keys never leave the device's secure enclave, there is no seed phrase, no server-side key material, no recoverable backup. The Founders Pass V2 NFT (live now, 500 hard cap, ~€200 oracle-priced) unlocks Day-1 access and 1 governance vote per Pass.
Every contract is on Sourcify with exact_match status. The audit page lists all six addresses with one-click Sourcify lookup. Bytecode sha256 is pinned. The Operator Treasury EOA is a Ledger hardware wallet. The fee-collector contract has no owner role at all (owner() reverts) — TREASURY, STABLE (LUSD), WETH and UNIV3_ROUTER are immutable constructor-set slots. A compromised operator key cannot redirect fees, change the sink stablecoin, or swap in a malicious router. Verify it: cast call 0x36d4d58fe37871121c1A16220517578C3eF20cbf "TREASURY()(address)" --rpc-url <your-rpc>.
Why local Reth, not Alchemy/QuickNode
In a MEV-sniper hot path, your read-side and your write-side cannot share fate with anyone outside your trust boundary. Public RPC providers see your eth_call and eth_getLogs traffic patterns before the chain does. They see the contract you're about to interact with. They see the value you're about to send. They see the calldata you're about to sign.
That is not theoretical leakage. There are well-documented cases of RPC-side trade leakage. Even Alchemy and QuickNode's most expensive private plans don't give cryptographic non-leakage guarantees — only contractual ones.
So we run our own Reth node. Local IPC socket. The hot path issues eth_calls over /host-tmp/reth.ipc — they hit no network at all. The submit path goes via private builder bundles to four different blockbuilders. The wallet's quote-and-sign cycle reads from our Reth, signs locally on the user's device, and submits to the bundle. There is no external RPC in the trade-critical loop.
What this means for the user: every trade decision stays on the user's own device (its hardware secure enclave) and on our server. No third party gets a "preview" of a trade.
Why passkey + Smart Wallet, not seed phrase + EOA
The single largest UX failure in DeFi is "back up your seed phrase." Eighty percent of self-custody losses happen because of seed-phrase mismanagement, not protocol exploits. The other twenty percent are protocol exploits where the user signed an eth_signTypedData request for something they didn't understand.
Passkeys solve the first problem. A WebAuthn passkey lives in Apple Secure Enclave / Android Keystore / YubiKey. It cannot be extracted, exfiltrated, or backed up to plaintext. The passkey signs a deterministic challenge; we derive a 256-bit secret from the PRF extension (webauthn-rs v0.5); that secret seeds an HKDF-SHA256 derivation to produce the smart-wallet owner key. The same passkey on the same device deterministically reproduces the same wallet. Cross-device: register a second passkey, derive a second sub-account.
There is no seed phrase to lose. There is no recovery file. If you destroy your device and didn't register a second passkey beforehand, the on-chain funds are recoverable only via the Smart Wallet's social-recovery quorum (not yet wired in V1, on the roadmap).
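An added example (Python, not LOSURIA's own Rust/webauthn-rs code) of the derivation step described above: the 32-byte PRF output is the HKDF-SHA256 input keying material, the relying-party id and an account index are bound in as salt and info, and the result is checked to be a valid secp256k1 scalar before it may serve as the owner key. The label string, the salt/info layout and the sample PRF bytes are assumptions constructed for illustration.

```python
import hashlib
import hmac

# secp256k1 group order: a valid private key is an integer in [1, N-1]
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract with HMAC-SHA256; an empty salt means 32 zero bytes."""
    return hmac.new(salt or bytes(32), ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand with HMAC-SHA256 (length <= 255 * 32)."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


def derive_owner_key(prf_secret: bytes, rp_id: str, account_index: int = 0) -> bytes:
    """Map a 32-byte WebAuthn PRF output to a smart-wallet owner key.

    Salt = relying-party id, info = fixed label + account index (both layouts are
    assumptions for this example). The same passkey on the same site always yields
    the same key; a different index yields an independent sub-account key.
    """
    if len(prf_secret) != 32:
        raise ValueError("PRF extension output must be 32 bytes")
    salt = rp_id.encode()
    for attempt in range(256):  # practically always returns on attempt 0
        info = b"smart-wallet-owner-v1" + account_index.to_bytes(4, "big") + bytes([attempt])
        candidate = hkdf_sha256(prf_secret, salt, info, 32)
        if 1 <= int.from_bytes(candidate, "big") < SECP256K1_N:
            return candidate
    raise RuntimeError("no valid scalar produced")  # unreachable in practice


# Constructed stand-in for the PRF bytes an authenticator would return.
SAMPLE_PRF = hashlib.sha256(b"constructed sample PRF output").digest()

if __name__ == "__main__":
    print(derive_owner_key(SAMPLE_PRF, "app.losuria.com").hex())
```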
Why all six contracts are Ownable to the same Ledger EOA
Most "decentralized" protocols brag about renounced ownership. In practice that is feature theater: renouncing ownership means giving up the ability to fix bugs, pause hostile flows, or adjust oracle parameters when ETH price feeds drift catastrophically.
We made the opposite choice and tried to be honest about it.
The four Ownable contracts (Founders Pass V2, Token Factory V3, Treasury Sweeper V1, LSR Airdrop) have owner = the Operator Treasury EOA = a Ledger hardware wallet declared as Company property in the Operating Agreement Art. V §5.1. The Fee Collector (LUSD) and the LSR Token are Ownable-less — owner() reverts on both. So the fee-flow path (where revenue lives) has no admin key at all, while the configuration-flow path (where mint price, phase cap, base URI live) is human-controllable for legitimate operational reasons.
What can the operator do?
- Raise phaseCap on the Founders Pass V2 from 500 up to MAX_TOTAL_CAP = 1500. We will not do this. Operator-committed cap is 500. After the 500th mint, we will call renounceOwnership() to make the cap technically immutable — same week, the tx will be on chain.
- Adjust mintPriceUsdCents within a 50%-200% corridor of the initial price ($216). This exists for ETH-crash scenarios.
- Update _baseTokenURI for metadata changes.
What can the operator NOT do?
- Mint a Pass to themselves bypassing the cap (no admin-mint function exists).
- Withdraw mint proceeds anywhere except treasury (the address is immutable, set in the constructor).
- Redirect fee-collector flows. The four immutable slots (TREASURY, STABLE, WETH, UNIV3_ROUTER) are constructor-set.
- Mint new LSR tokens. Fixed supply, no mint() function.
- Pause user-side functions. There is no pause() on mint() or any user-facing function.
That's the trust model. Read the source on Sourcify. If anything we wrote here doesn't match the bytecode, please tell us.
Why a Founders Pass at €200, not a free public mint
We considered three pricing models: free, €50, €200.
Free attracts everyone, including spam-mints by bots farming for the LSR airdrop. Net effect: 500 Passes minted in 12 minutes by 8 wallets, real users locked out.
€50 filters most spam but doesn't filter "casual interest." Net effect: lots of mints, low engagement, governance becomes noise.
€200 in ETH (oracle-priced via Chainlink ETH/USD) filters everything except people who actually intend to use a non-custodial sniper + governance. Plus there's a parallel anti-sybil layer: a €15K read-only portfolio threshold on the user's own non-custodial wallet (read against addresses they specify themselves; not a custody check, just a self-selection gate). Combined: you need both the €200 mint cost AND the €15K self-declared portfolio to engage. That's a hard floor for anything resembling spam at scale.
Each Pass also carries 500K LSR airdrop allocation (1 Pass = 1/500th of the 250M-LSR airdrop pool) + 1 governance vote (signed EIP-191 ballots in-app, balanceOf at vote-time as voting power). It is not a JPEG. It is a working membership.
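An added example (Python, not the project's Solidity) of the oracle-priced mint described here and the mintPriceUsdCents corridor listed under "What can the operator do?": the USD-cent price is converted to wei using the 8-decimal Chainlink ETH/USD answer, stale or incomplete oracle rounds are refused, and a price change outside 50%-200% of the initial $216 is rejected. The one-hour staleness limit and the sample feed values are constructed assumptions.

```python
from typing import NamedTuple

INITIAL_PRICE_USD_CENTS = 21_600   # $216, the initial Founders Pass V2 price on this page
MIN_BPS, MAX_BPS = 5_000, 20_000   # operator corridor: 50% .. 200% of the initial price
FEED_DECIMALS = 8                  # Chainlink ETH/USD answers carry 8 decimals
MAX_ANSWER_AGE = 3_600             # assumption: refuse answers older than one hour


class RoundData(NamedTuple):
    """Fields returned by Chainlink AggregatorV3 latestRoundData()."""
    round_id: int
    answer: int          # USD per ETH, scaled by 10**FEED_DECIMALS
    started_at: int
    updated_at: int
    answered_in_round: int


def wei_for_usd_cents(price_cents: int, answer: int) -> int:
    """Wei needed to pay price_cents at the feed rate, rounded up so rounding never favours the minter."""
    if answer <= 0:
        raise ValueError("invalid oracle answer")
    numerator = price_cents * 10**18 * 10**FEED_DECIMALS
    denominator = 100 * answer
    return -(-numerator // denominator)   # ceiling division


def corridor_ok(new_price_cents: int) -> bool:
    """The operator may only move mintPriceUsdCents within 50%-200% of the initial price."""
    scaled = new_price_cents * 10_000
    return INITIAL_PRICE_USD_CENTS * MIN_BPS <= scaled <= INITIAL_PRICE_USD_CENTS * MAX_BPS


def quote_mint_wei(price_cents: int, rd: RoundData, now: int) -> int:
    """Price a mint, refusing out-of-corridor prices and stale or incomplete oracle rounds."""
    if not corridor_ok(price_cents):
        raise ValueError("price outside operator corridor")
    if rd.updated_at == 0 or rd.answered_in_round < rd.round_id:
        raise ValueError("incomplete oracle round")
    if now - rd.updated_at > MAX_ANSWER_AGE:
        raise ValueError("stale oracle answer")
    return wei_for_usd_cents(price_cents, rd.answer)


# Constructed sample round: ETH/USD = $3,000.00, updated 10 minutes before "now".
SAMPLE_NOW = 1_700_000_000
SAMPLE_ROUND = RoundData(round_id=100, answer=3_000 * 10**FEED_DECIMALS,
                         started_at=SAMPLE_NOW - 600, updated_at=SAMPLE_NOW - 600,
                         answered_in_round=100)

if __name__ == "__main__":
    print(quote_mint_wei(INITIAL_PRICE_USD_CENTS, SAMPLE_ROUND, SAMPLE_NOW))  # 72000000000000000 (0.072 ETH)
```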
The 14-week build, transparently
- Weeks 1-3: Rust backend skeleton, axum router, single-binary deploy via Docker Compose.
- Weeks 4-5: Coinbase Smart Wallet integration, WebAuthn PRF passkey signing.
- Weeks 6-7: Reth node bring-up on Vultr, IPC integration, hot-path profiling.
- Weeks 8-9: Four-builder private bundle, MEV simulation, slippage modelling.
- Weeks 10-11: Founders Pass V1 → V2 (V2 is USD-stable mint price via Chainlink).
- Week 12: Sourcify exact-match verification of all six contracts.
- Week 13: Pre-mint smoke testing on mainnet with three test wallets.
- Week 14: Day-1 launch (today).
We shipped lean. No outside capital. The mint revenue from the first 50 Passes funds the next quarter of Base + Monad + Solana node infrastructure.
What's next, and what we are committed to
The roadmap is funded by mint revenue, not pre-sold. Concretely:
- Base (own co-located full node, Aerodrome integration) — first tranche after 100 mints.
- Monad (Mainnet TBD, observer node now) — second tranche after 200 mints.
- Solana (own validator node + Jito block-engine submit path) — third tranche after 350 mints.
- Tier-1 third-party audit — fully published, regardless of findings, post-500-mints.
- Holder fee discount + snipe-priority queue — Q3 2026 roadmap.
What we are NOT committed to:
- Token speculation, social-media engagement loops, or AMA-circuits. We post and walk away.
- Onboarding non-MEV-protected wallets (the €15K floor stays).
- A community-managed Discord. We run the protocol. Governance happens via signed ballots, not Discord vibes.
Where to look
- Mint: losuria.com
- App: app.losuria.com
- Audit: losuria.com/audit
- Source: github.com/LOSURIA/contracts (public since Day 1)
- Receipts: /trades (live MEV-audit ledger), /latency (p50/p95/p99 per chain)
- X: @LOSURIAOFFICIAL
- Farcaster: farcaster.xyz/losuria
If you want to read the bytecode before minting, you should. Open losuria.com/audit, click any contract, follow to Sourcify, read the Solidity. The whole point of this project is that you don't have to trust us. Verify.