Exploring the Landscape of Crypto Custody

The emergence of blockchain technology and cryptocurrencies has led to a new challenge: the safekeeping or “custody” of digital assets. Crypto custody involves managing the cryptographic keys associated with these digital currencies and ensuring secure transactions. Blockchain wallets are made up of two keys: a public key and a private key. Public keys are built to be accessible, this key allows users to send and receive transactions. Private keys should never be shared, acting as the administrative password to user wallets.

Self Custody and Third-Party Crypto Custody

Self-custody is when individuals or organisations hold and manage their cryptographic keys. This approach allows for full control and ownership of digital assets, yet requires a relatively high degree of technical competence and responsibility. The security of the assets is entirely dependent on how well these keys are protected and managed. The very nature of crypto enables sovereignty through self custody, which as a standalone feature, is enough for many users to rush to the asset class. However, ownership comes with its own risks and self custody is not for everyone. For the general public, key management, in addition to the immutable nature of blockchains, makes a recipe for a user experience (UX) nightmare which can result in hacks, extortion or just simply lost keys. 

Third-party custody, on the other hand, involves entrusting the management of cryptographic keys to an external service provider. However, not all third-party custodians are created equal. For example, the accused fraudulent exchange, FTX, was considered a third-party custodian. This exchange did not provide any insurance to its customers and in the event of its insolvency, left customers empty-handed. Conversely, insured custodians offer assurances regarding the security of user assets, giving users a legally binding level of protection. This solution is often used by institutional investors and individuals who prefer not to handle the complexities of key management. Yet, these services generally come at a price. Insured custody providers typically need to be compliant with regulatory standards relevant to the region where the firm is domiciled.

Traditionally, third parties like banks or centralised exchanges hold custody of our assets, but this arrangement carries significant risk, especially in cases of liquidity crises, financial distress or security breaches as seen with the recent bank run FTX, QuadrigaCX and Mt.Gox. With the advent of cryptocurrency, self-custody, or total control over one’s assets without the need for a third party, has been re-popularised. While the ability to self-custody assets is a major selling point for digital assets in general, the implication of the need for self-custody also creates a barrier to entry for non-technical users. Blockchain users might also consider whether they want the responsibility of managing their keys themselves at all. Various trusted third-party crypto custody solutions exist, although the trade-off of these options is the need to trust these parties to securely manage keys and mitigate hacks. There is no one-size-fits-all solution to key management, hence each user should be encouraged to analyse and identify the right key management solution for their needs.

Hot and Cold Wallets

Hot wallets and cold wallets are two types of storage methods for digital assets. The definition of a hot wallet is defined by its connectivity to the internet. Hot wallets allow for quick and convenient transactions, making it a convenient option for frequent transactors. Hot wallets are typically used on online platforms such as cryptocurrency exchanges where users can trade and transact cryptocurrencies instantly. However, since they are connected to the internet, hot wallets are more susceptible to hacks and are generally considered less secure than cold wallets.

A cold wallet refers to an offline wallet used for storing digital assets. Unlike hot wallets, cold wallets are not connected to the internet, making them immune to online hacking attacks. These wallets store a user’s private key on something that is not connected to the internet, such as a specially designed hardware device, or a piece of paper. Given their offline nature, cold wallets are often used for the long-term storage of large amounts of cryptocurrencies, particularly by those who prioritise security over convenience. Nevertheless, they can be less user-friendly and take more time to set up and transact compared to hot wallets.

Crypto Custody Methods

Throughout the years of blockchain innovation, various companies and individuals have developed creative methods of private key management on various levels of the spectrum of security and accessibility. In many cases, both highly secure and highly accessible key management infrastructure is needed, similar to a savings and spending account in traditional banking systems. The writing below gives a comprehensive overview of various key management options available today:

Paper Wallets

Paper wallets are a form of cold storage where a user’s private keys are printed on a piece of paper. The keys are often represented as a QR code and a string of characters. Although immune to online attacks, they are susceptible to physical risks like theft, fire, water damage, or accidental loss. Storing them requires care, often involving making copies and using secure, damage-proof storage locations. Paper wallet users can also get creative with their key management, storing various components and numerous copies of their private key in different locations so that in the event of a physical theft, the chance of stolen assets is less likely.

Hardware Wallets

Hardware wallets such as Ledger and Trezor are physical devices designed to securely store a user’s private keys offline. These wallets offer an extra layer of protection against online threats and hacking attempts, making them an ideal choice for individuals seeking enhanced security. Hardware wallets are generally password protected, so in the event of physical theft, the thief would have to guess the password protecting the keys. A common misconception is that the private keys within hardware wallets never leave the device. However, a recent controversy regarding Ledger’s “Recover” product highlighted that in order for a hardware wallet to update its firmware, which is needed to be compatible with improvements of various blockchain protocols, the hardware wallet must have the ability to send private keys externally.

Multisig Wallet

A multisig (multi-signature) wallet in cryptocurrency is a wallet that requires multiple keys to authorise a transaction, enhancing its security. Similar to a joint bank account requiring all parties to sign for a withdrawal, a multisig wallet needs approval from multiple parties for a transaction. For instance, a 2-of-3 multisig wallet has three private keys, two of which must be used to sign a transaction for it to be authorised.

The multisig setup enhances security by preventing transactions if one key is compromised and ensures redundancy by providing access through remaining keys if one is lost. It’s also useful for collective fund management, as it necessitates majority agreement for transactions. Multisig wallets, due to these features, are popular among businesses and organisations of more than two parties. There are various multisig wallet providers such as Safe and Juicebox. Alternatively, users can code their own Multisig wallet using a Gnosis Safe Template on Remix.

Secure Multi-Party Computation (MPC)

Multi-Party Computation (MPC) is a cryptographic protocol that enables multiple parties to jointly compute a function over their inputs while keeping those inputs private. One of the most common applications of MPC is key management for digital assets. In this context, MPC is used to distribute the private key for a digital wallet among multiple parties, who must then come together to sign a transaction.  

For example, a business could have a Bitcoin wallet and they want to ensure that no single employee can perform transactions independently. They might use an MPC protocol found in service providers such as Fireblocks to distribute pieces (or shards) of the private key to several employees. To sign a transaction, a certain threshold number of those employees would need to participate in the protocol. This not only enhances security but also ensures operational continuity in case some employees are not available.

MPC provides a way to interact with digital assets in a secure, private manner that minimises trust in any single party. This can be very beneficial in situations where security is paramount, such as in the handling of large quantities of digital assets. Notably, however, while MPC offers strong security properties, its implementation must be done carefully to avoid any potential pitfalls or vulnerabilities. Care should be taken to ensure that the protocol is secure against malicious parties and that the key shards are stored and transmitted securely.

Social Recovery

In the realm of crypto custody, social recovery emerges as an innovative mechanism designed to reestablish user access to their accounts in the event of private key loss. The underlying premise of this mechanism is the utilisation of a preselected network of trusted connections, typically referred to as “guardians.” These guardians can be acquaintances, family members, or any trusted individuals elected by the user. The operational procedure of social recovery involves the user selecting a set of guardians during the account setup process. The guardians are subsequently entrusted with segments of the user’s private key, albeit not the complete key. If a circumstance arises where the user loses access to their account, they can initiate contact with their guardians, who can provide their respective key segments. Upon accumulating a sufficient number of these parts (commonly a majority), the user can successfully reconstruct their private key and regain account access.

Account abstraction plays a pivotal role in enabling social recovery. Its capacity to define transaction validation rules on an account-specific basis allows for the creation of accounts recoverable through a social recovery process. Rather than relying exclusively on a single private key for transaction validation, an account can be configured such that a transaction’s validity can be confirmed via a multi-signature process involving the user’s appointed guardians. Given that Ethereum only recently applied the upgrade allowing ERC-4337: Account Abstraction using Alt Mempool, innovation in social recovery wallets is still immature and not ready for mainstream use. 

Regardless, social recovery provides a contingency plan for users who lose their private keys; they can recover their accounts by obtaining signatures from their guardians. This approach to wallet recovery would not be feasible without account abstraction, as traditional Ethereum accounts only recognise transactions signed by the account-associated private key.

Conclusion

Crypto custody is a complex tapestry that interweaves technology, human behaviour, and regulatory dynamics. The industry has evolved significantly since the advent of cryptocurrencies. From self-custody to third-party services, hot and cold wallets and all of the innovative mechanics for key management that lie between these methodologies. As the market matures, the need for secure, reliable, and user-friendly custody solutions will continue to grow. It is clear that the custody strategies of today may need to be reimagined tomorrow as technology advances and regulatory landscapes shift. Despite the challenges, the future of crypto custody looks promising, with technological advancements and increased institutional participation contributing to the overall maturation of the industry. The continued innovation in this space is likely to provide more secure, accessible, and efficient custody solutions for digital assets in the coming years.

About Zerocap

Zerocap provides digital asset liquidity and custodial services to forward-thinking investors and institutions globally. For frictionless access to digital assets with industry-leading security, contact our team at [email protected] or visit our website www.zerocap.com

FAQs

What is the primary distinction between self-custody and third-party crypto custody?

Self-custody involves individuals or organizations directly managing their cryptographic keys, granting them full control and ownership of their digital assets. In contrast, third-party custody entrusts the management of these keys to an external service provider, often offering additional layers of security and regulatory compliance.

How do hot wallets differ from cold wallets in terms of crypto storage?

Hot wallets are connected to the internet, facilitating quick and convenient transactions, but are more susceptible to online threats. Cold wallets, on the other hand, are offline storage methods, making them immune to online hacking attacks but potentially less user-friendly.

What is a multisig wallet, and how does it enhance security?

A multisig (multi-signature) wallet requires multiple keys to authorize a transaction. For instance, a 2-of-3 multisig wallet would need two out of three private keys to validate a transaction. This setup enhances security by necessitating majority agreement for transactions and provides redundancy in case a key is lost.

How does Secure Multi-Party Computation (MPC) contribute to key management?

MPC is a cryptographic protocol that distributes the private key for a digital wallet among multiple parties. These parties must collaborate to sign a transaction, ensuring enhanced security and operational continuity. This method is especially beneficial for businesses wanting to ensure no single employee can perform transactions independently.

What is social recovery in the context of crypto custody?

Social recovery is a mechanism that uses a network of trusted connections, or “guardians,” to help users regain access to their accounts if they lose their private keys. During account setup, users select guardians who are given segments of the user’s private key. If access is lost, the user can retrieve these segments from the guardians to reconstruct their private key and regain account access.

DISCLAIMER

Zerocap Pty Ltd carries out regulated and unregulated activities.

Spot crypto-asset services and products offered by Zerocap are not regulated by ASIC. Zerocap Pty Ltd is registered with AUSTRAC as a DCE (digital currency exchange) service provider (DCE100635539-001).

Regulated services and products include structured products (derivatives) and funds (managed investment schemes) are available to Wholesale Clients only as per Sections 761GA and 708(10) of the Corporations Act 2001 (Cth) (Sophisticated/Wholesale Client). To serve these products, Zerocap Pty Ltd is a Corporate Authorised Representative (CAR: 001289130) of AFSL 340799

All material in this website is intended for illustrative purposes and general information only. It does not constitute financial advice nor does it take into account your investment objectives, financial situation or particular needs. You should consider the information in light of your objectives, financial situation and needs before making any decision about whether to acquire or dispose of any digital asset. Investments in digital assets can be risky and you may lose your investment. Past performance is no indication of future performance.