If you have ever paid online with Stripe’s new Link wallet, autofilled a checkout with Apple Pay, or topped up a Revolut account, you have used a piece of financial architecture that took decades to perfect. Sadly, for crypto and all its talk of reinventing money, the crypto industry has stubbornly failed to catch on.
The principle is so simple it feels obvious. The thing you tap to pay should not be the thing that holds your money.
When you use Apple Wallet, your real money sits in your bank or on a credit line at a card issuer. Apple Wallet is a key. The bank is the vault. When you check out with Stripe’s Link, the funds are charged to your linked debit card or bank account. Link itself holds nothing. Revolut takes a hybrid approach: a small balance for daily spending, with the rest of your financial life parked in linked accounts and cards. In every case, the architecture is the same: the spending interface and the store of value live apart. The interface is exposed to the world. The vault stays sealed.
Crypto’s approach to wallets is decidedly the opposite.
A crypto wallet, as the industry has built it, is not a wallet at all. It is a vault with a public-facing slot. Open MetaMask, Phantom, or any of the dozen consumer wallets that dominate the space, and what you are looking at is your entire net worth balance: Every token, every position, every digital deed, sitting at a single address controlled by a single private key. Each time you connect that wallet to an application, sign an approval, or send a transaction, you re-expose the whole thing to the open internet.
The consequences are not theoretical. Last year, on-chain analytics firm Chainalysis tallied billions of dollars stolen through phishing signatures, malicious approvals, and so-called drainer kits. Pre-packaged scams that wait for a user to connect to a compromised site and empty the wallet in seconds. These are not edge cases. They are the predictable consequence of a category mistake. The wallet is the vault. Drain one, and you have drained both.
Compare the failure modes. If your Link credentials are compromised, the bank’s fraud system reverses the charges. If your Apple Wallet is stolen, the tokenized card numbers are revoked, and your underlying cards remain untouched. If your MetaMask is drained, the funds are simply gone. There is no hotline, no chargeback, no insurer.
How did the industry that markets itself as the future of finance design something this fragile? Three reasons, none of them flattering.
The first is ideology. “Not your keys, not your coins”, the founding slogan of self-custody, was read as a license to collapse every function into a single key. The second is history. The one-key-one-address model was an early simplification when crypto was worth pennies, never engineered to carry a trillion-dollar weight. The third is inertia. Once millions of users learned the habit, the industry papered over the cracks with warning pop-ups instead of redesigning the foundation.
The fix is not better warnings. It is architectural and, crucially, does not require giving up on self-custody. It requires extending it.
The wallet of the future should look more like Link than like MetaMask. The money lives in a vault. The wallet is what you carry to the door. Both belong to you. Both are under your control. What changes is that the two are no longer the same thing.
That separation is the whole point. The wallet handles the transaction. The vault handles the money. If your wallet is compromised through a bad signature, a fake site, or a careless click, the damage stops at the wallet. The vault does not move. At worst, you lose what you were about to spend. You do not lose what you saved.
Today, in crypto, those two functions are fused. Compromise the wallet, and you compromise everything. Tomorrow, they need to be separate. The wallet will carry only what a session needs: a spending limit, allowed destinations, and a time window. When the session ends, its authority expires. The vault stays where it was, like a secure bank account.
It’s worth asking, of course, whether such a fundamental change is feasible or if, after 15 years, crypto is too locked in by path dependency to alter its design course. Fortunately, the evidence suggests not only that a change is possible, but that it might be underway.
Consider how Ethereum’s 2025 Pectra upgrade allows the front end to control a vault via a cryptographic authorization of the action. This lets existing wallets like MetaMask and Coinbase Wallet borrow these superpowers without moving funds or changing addresses.
The rails exist. What’s missing is the framing: the industry has been selling convenience when the deeper offer is structural. Three years ago, a wallet start-up called Chamber attempted this separation, but didn’t get traction. More recently, the Porto wallet development framework supports this functionality, and it is no surprise that it was recently acquired by Tempo, the Stripe-backed blockchain.
Stripe, notably, is from the world of fintech, which baked in the critical wallet-vault separation at the outset by relying on third parties to handle the vault portion. Crypto can do the same, but while leaving the vault in the user’s own hands. That is self-custody that scales: sovereignty without the booby trap.
The opinions expressed in Fortune.com commentary pieces are solely the views of their authors and do not necessarily reflect the opinions and beliefs of Fortune.
The post Crypto users keep getting robbed because of a simple design flaw—but a solution is at hand appeared first on Fortune.
