Case study · Crypto-fintech · UAE · Pre-seed

Crypto-fiat wallet MVP shipped in five days for a VARA regulator presentation

A Dubai-based founder had five business days before a VARA (Virtual Assets Regulatory Authority) review and no working product. We delivered a custodial crypto-fiat wallet MVP — KYC, on-ramp, transfers, audit log — in time for a live transaction on stage.

Case studyCrypto-fintech · UAE · Pre-seed

Najm Wallet

5 days · live regulator demo

Client

Najm Wallet

Engagement

Fast MVP · fixed scope, fixed deadline

Duration

5 working days (Q1 2026)

Team

2 senior engineers + 1 QA · 1 Hashorn PM

ServicesAI Software DevelopmentQuality Assurance

Outcomes at a glance

Time to live demo

5 working days

On-chain transfer on stage

Confirmed in 11s

Critical defects at demo

0

Regulator outcome

Sandbox licence path

Sprint timeline

How the engagement unfolded

Day 1
Brief, decisions, kickoff
Single 90-minute call to lock scope, custodial provider (Fireblocks), KYC vendor (Sumsub), and the demo path. By 5 PM we had a one-page brief, a risk register, and shared Slack.
One-page brief + risk register
Day 2
Auth, KYC, audit log foundation
Phone-OTP auth wired with Sumsub, audit-log primitives in Postgres (every state change tracked), and the React Native shell deployed to TestFlight.
Login + KYC flow live on TestFlight
Day 3
Wallet creation + AED on-ramp
Fireblocks custodial wallet provisioning on user sign-up. Mock AED card on-ramp wired to a sandbox PSP for the demo.
First user wallet provisioned
Day 4
On-chain transfer + receipt flow
AED-to-USDC conversion, on-chain transfer to a counter-party wallet, and the cryptographic receipt the regulator wanted to see.
First real transfer on testnet
Day 5
Hardening + demo run-through
Playwright suite for the five demo paths, signed-build delivery to founder's iPad, and three full dress-rehearsals before the VARA session.
Signed build · 14 spec coverage · 0 critical defects
Day 6
Live regulator demo
Founder ran the demo on stage at VARA. Live transfer settled in 11 seconds. Regulator confirmed sandbox licence path the same afternoon.
Sandbox licence path agreed

Architecture

The stack we shipped on

Mobile

Single iOS build for the demo; Android in week 2

React Native
Expo
TypeScript

API

REST + idempotency keys

Node.js
Fastify
Zod
TypeScript

Data

PostgreSQL 16
RDS
Append-only audit log

Custodial + KYC

Sandbox/testnet only for the demo

Fireblocks
Sumsub
Mock PSP

Cloud

AWS ECS
RDS
Secrets Manager
CloudWatch

Risks we actively managed

PCI / VASP scope — no card data or private keys ever touched our infra; Fireblocks held custody.
Live demo failure — three signed builds at three different versions of the demo path, ready to hand the founder if something broke.
Audit-log tampering — every state change appended to a hash-chained log so the regulator could verify ordering.
Network latency on stage — pre-cached the conversion rate quote so on-chain submit was the only live call.

Workflow

Tracked end-to-end in BuildOS.

Every meeting summary, requirement, sprint, task, and metric in this case study was rendered in BuildOS during the engagement. The customer's team had read-only access to the same workspace from week one, they saw Friday demos, weekly velocity, and AI-generated checklists without us sending status emails.

See BuildOS

The challenge

Najm Wallet's founder, Khalid Al-Mansouri, had pitched VARA (the UAE's Virtual Assets Regulatory Authority) on a sandbox licence for a custodial crypto-fiat wallet. VARA agreed to review on the condition that he demonstrate a working product, not a deck.

He had five working days.

Three constraints shaped the engagement:

VARA's threshold is real software. They've sat through enough decks to know better. The demo had to include a live, on-chain settlement that they could verify on a block explorer.
Custody and KYC could not be ours. Anything else and the licence path stretched by months. Fireblocks held the keys; Sumsub did the identity check; we built everything else.
A failed demo would have been worse than no demo. "We almost shipped it" doesn't get you a sandbox licence. The bar was Friday-morning-confidence, not Thursday-night-hope.

How we approached it

A two-engineer pod paired with our QA lead and a Hashorn PM. The PM ran the day-by-day cadence; the engineers paired tightly so nothing was solo. Sumsub and Fireblocks integration work happened on day one in parallel with the wallet shell so we never hit a single-threaded blocker.

We treated the five days like a normal Hashorn sprint, just compressed: a one-page brief on Monday morning, a working build by Wednesday lunch, a signed build by Thursday EOD, dress rehearsals on Friday morning. The risk register was the most important artifact of day one — three of the four risks listed there came up during the week, and each had a pre-decided mitigation.

What we shipped

Day 1 — Brief, decisions, kickoff. Locked scope, vendors, demo path. Killed three nice-to-haves that wouldn't be in the demo (multi-currency support, push notifications, in-app referrals). Risk register signed off by Khalid.

Day 2 — Foundation. Phone-OTP auth with Sumsub identity verification. Postgres audit-log primitives with hash-chained append-only writes. React Native shell deployed to TestFlight; the QA engineer had a build on their iPad by 4 PM.

Day 3 — Wallet + on-ramp. Fireblocks custodial wallet provisioning on first sign-in. Mock AED card on-ramp routed through a sandbox PSP that VARA had pre-approved for the demo. First user balance: 1,000 AED, visible in the app.

Day 4 — Transfer + receipt. AED-to-USDC quote pulled from a pinned market-data source (so the on-stage network call wouldn't add latency variability). On-chain submit to a counter-party wallet on testnet. Cryptographic receipt generated, signed, and surfaced in the app.

Day 5 — Hardening + dress rehearsals. Playwright covering 14 critical specs across the five demo paths. Three signed builds delivered at three checkpoints of the demo so the founder could fall back to a known-good build if the live one failed. Three full dress rehearsals with Khalid running it himself.

Day 6 — VARA review. Khalid demoed live. The on-chain transfer settled in 11 seconds. The regulator's team verified the transaction on the testnet block explorer in real time, then asked three questions about the audit log. We had the answers ready.

The outcome

Five working days from kickoff to live demo. No overtime — the team worked normal hours, with the risk register doing the work overtime would normally have done.
Live AED-to-USDC transfer on stage, settled in 11 seconds, verified by the regulator on a public testnet explorer.
Sandbox licence path confirmed the same afternoon. Khalid raised his pre-seed two weeks later.
Zero critical defects at demo time. One medium issue (a copy bug on the receipt screen) was the only thing we shipped that wasn't perfect, and it was a typo.
The audit-log architecture became the spine of the product. Every state change still flows through it; the regulator's auditors used it in the licence review three months later.

What we'd repeat

The risk register on day one was the single most important artifact of the week. Three of its four entries became real situations during the sprint, and each had a pre-decided response. The team never had to think about how to react under pressure — they just executed.

The other lesson: fall-back builds matter more than a perfect build. We gave Khalid three signed builds at three different points of the demo path so if any single one failed live, he could swap to a checkpoint and keep going. He never had to use them, but he walked into the VARA room knowing he had them. That's what got him through it.

“We had five days and a regulator. Hashorn didn't blink. By Friday morning we were sending real AED-to-USDC transfers on stage. That demo unlocked our entire roadmap with VARA.”

KA

Khalid Al-Mansouri

Founder, Najm Wallet

Want a result like this?

Tell us what you're building, we'll tell you how we'd ship it.

Book an intro call →