January 2022

The Institutionalization of Crypto Custody


Crypto custody solutions have become institutional grade. In 2021 alone, over USD3bn was invested into institutional focused custodians for digital assets, and some of the largest custodians in the world are now offering custody services for crypto. This institutionalisation of custodianship marks a significant U-turn for financial institutions and a welcome turn of events for investors in the digital asset space. This month we will dive into the technical details of how custodians work in crypto and the impact that they are having on the ecosystem.

The idea of the modern custodian dates back to the 1960s, when the Studebaker Auto Manufacturer went out of business in the US and failed to provide pensions to some 7,000 employees. The result of this was the Employee Retirement Income Security Act of 1974, which prohibited employers from holding and keeping their pension fund assets. In traditional finance (aka “TradFi”), investors now rely on custodians for a variety of services. Custodians safeguard physical or paper assets such as precious metals, stocks, bonds, and cash. By being the holder of these assets, the custodian is well placed to provide other services, such as arranging settlement in the purchase and sale of these assets and collecting information and income from custodied assets.

When Bitcoin was released in 2009 it marked the creation of a new asset class, and an entirely digital one. For Bitcoin, there is no physical asset to be stored and no legal paperwork that lists ownership of BTC. Instead, ownership is determined purely through the possession of cryptographic “private keys”. These private keys act as a password that gives the holder the right to transact assets in a wallet. It is these private keys that must be securely held.

Since the creation of Bitcoin and digital assets, there have been numerous reported cases of crypto theft. Most of them occur when private keys are stolen, allowing the attacker to remove assets from the victim’s wallet. As a result of this, a top priority for crypto investors has been to secure their private keys to protect their assets. This has led to growing demand for crypto custodians.

Broadly speaking, crypto custodians can be broken down into two groups:

  1. Conventional custodians that hold crypto on behalf of their clients
  2. Technology providers that facilitate institutional level security for investors to self-custody

The leading conventional custodians include companies like Fidelity, OSL, Coinbase and Gemini. While these firms initially offered custody on only a handful of the largest digital assets, today offerings span a wide selection of prominent tokens. These custody providers have significant pedigree, and most offerings include a sizable level of insurance. As a user of these products, we can attest to them being reassuringly cumbersome to use. Withdrawal of assets is slow, with many layers of approval and verification. For the long-term holding of assets, these services are secure, reliable, and not prohibitively expensive.

For conventional custodians, internal security is paramount. We have reviewed the security architecture for many custodians and have found that most include:

  • Digital defense: air-gapped infrastructure that intentionally removes hot wallets (connected to the Internet) from its design. Vaults are often equipped with military grade faraday cages to defend against electro-magnetic interference attacks.
  • Physical defense: secure storage vaults designed with robust physical protection, requiring multi-party authentication for access and monitored 24/7.
  • Process defense: custody systems and operations adhere to strict segregation of duties and are designed to combine physical, logical and technical controls.
  • Slippage detection: 24/7 real-time monitoring of cold wallets and reconciliation against other blockchain nodes allows the custodian to detect any potential breaches and initiate crisis management procedures. Integrated blacklists and address whitelisting capabilities ensure custody wallets can only send to verified client addresses, even in times of breach.

In addition to this security architecture, the process of depositing and withdrawing assets is designed to protect against social attacks. On setting up with a custodian, withdrawal addresses are whitelisted meaning that withdrawal can only take place to pre-approved addresses. Adding new whitelisted addresses requires corporate board resolutions and multiple verification checks. Even with these whitelisted addresses in place, the withdrawal process is multi-step involving many signing parties.
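The controls just described (a pre-approved destination whitelist, a quorum of distinct approvers, and reconciliation of the custodian's own balance record against independent nodes) can be expressed as a small policy check. The following is an added example written for this article, not code from any custodian; the policy class, function names, addresses, approver names and balances are all constructed for illustration.

```python
"""Withdrawal-policy and reconciliation checks (added example, not a custodian's code).

Models the controls described above: a whitelist of pre-approved destination
addresses, M-of-N approvals that must come from distinct authorised approvers,
and reconciliation of the custodian's own balance record against several
independent blockchain nodes. Addresses, names and balances are constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class WithdrawalPolicy:
    whitelist: frozenset      # pre-approved destination addresses
    approvers: frozenset      # identities allowed to approve a withdrawal
    required_approvals: int   # M in M-of-N


@dataclass
class WithdrawalRequest:
    destination: str
    amount: int                                   # smallest unit, constructed
    approvals: set = field(default_factory=set)   # identities that signed off


def check_withdrawal(req: WithdrawalRequest, policy: WithdrawalPolicy):
    """Return (allowed, reasons). Every failing control is reported, not just the first."""
    reasons = []
    # Whitelist control: the destination must have been pre-approved out of band.
    if req.destination not in policy.whitelist:
        reasons.append("destination address is not whitelisted")
    # Approval control: only authorised approvers count, and each counts once,
    # so a single person cannot satisfy the quorum by approving twice.
    valid = req.approvals & policy.approvers
    if len(valid) < policy.required_approvals:
        reasons.append(f"{len(valid)} valid approvals, {policy.required_approvals} required")
    unauthorised = req.approvals - policy.approvers
    if unauthorised:
        reasons.append("approval from unauthorised identity: " + ", ".join(sorted(unauthorised)))
    if req.amount <= 0:
        reasons.append("amount must be positive")
    return (not reasons, reasons)


def reconcile_balance(ledger_balance: int, node_balances: dict) -> list:
    """Compare the custodian's internal record with balances read from independent nodes.

    Returns the names of nodes that disagree; a non-empty list is the trigger
    for the breach-investigation procedure mentioned above.
    """
    return sorted(node for node, seen in node_balances.items() if seen != ledger_balance)


# Constructed sample policy: five approvers, any three may release a withdrawal.
POLICY = WithdrawalPolicy(
    whitelist=frozenset({"bc1q-client-treasury-EXAMPLE"}),
    approvers=frozenset({"alice", "bob", "carol", "dave", "erin"}),
    required_approvals=3,
)


def demo():
    """One compliant request and one that fails every control."""
    ok_req = WithdrawalRequest("bc1q-client-treasury-EXAMPLE", 50_000_000, {"alice", "bob", "carol"})
    bad_req = WithdrawalRequest("bc1q-attacker-EXAMPLE", 50_000_000, {"alice", "alice", "mallory"})
    return check_withdrawal(ok_req, POLICY), check_withdrawal(bad_req, POLICY)


if __name__ == "__main__":
    for allowed, reasons in demo():
        print("ALLOWED" if allowed else "REJECTED", reasons)
    print(reconcile_balance(1_000, {"node-a": 1_000, "node-b": 1_000, "node-c": 900}))
```

The check deliberately returns every failing reason rather than stopping at the first, which is what an operations team reviewing a rejected withdrawal wants to see; counting approvals as a set of identities, not a list of signatures, is what prevents one compromised approver from satisfying the quorum alone.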

There are three weaknesses of conventional custodians that make them unfit for certain investors and purposes. Firstly, larger institutions may find the counterparty and balance sheet risk to be too great. While most custodians have insurance coverage, this may not stretch into the billions of USD. Secondly, withdrawals are slow, which in the high-paced world of crypto can be problematic for investors looking to trade. Thirdly, most conventional custodian services are not compatible with the emerging DeFi ecosystem. Rather than just holding an asset like ETH, an investor may wish to stake it or provide liquidity to a decentralized exchange. For these reasons, technology providers that offer institutional level security in a self-custodied solution have also become popular.

Technology providers such as Fireblocks and Ledger offer specialized software, hardware and training, to enable customers to self-custody their digital assets with institutional grade security. Security processes include:

  • Multi-signature wallets: these are wallets that require signatures from two or more private keys to execute transactions. Multi-sig transactions are referred to as M-of-N transactions, with M being the required number of signatures or keys and N being the total number of signatures or keys involved in the transaction. So, a company could have 3-of-5 signatures required for a transaction to take place.
  • Secure Multi-Party Computation (MPC): this is where a single key is split up into multiple parts and held by different parties. As with multi-signature wallets, M-of-N people are required to recreate the key and execute a transaction. The benefit of MPC is that it is protocol agnostic. A single MPC key could be used to manage numerous different protocols.
  • Hardware Security Modules (HSM): these are physical devices that store private keys. These devices are built so that private keys are never exposed online, with transaction signing taking place on the device.
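The M-of-N threshold idea behind both the multi-signature and MPC bullets can be made concrete with Shamir's Secret Sharing: a key is split into N shares, any M of them reconstruct it, and M-1 shares reveal nothing. The following is an added example written for this article, not code from Fireblocks, Ledger or any other provider. It assumes the secp256k1 field prime as the arithmetic field (so any secp256k1 private key fits as a secret) and reconstructs the key to make the threshold visible; production MPC wallets sign with the shares without ever reassembling the key.

```python
"""M-of-N key splitting with Shamir's Secret Sharing (added example, not a provider's code).

Illustrates the threshold property behind the MPC and multi-sig bullets above:
a key is split into N shares and any M of them reconstruct it, while M-1 shares
reveal nothing. The field prime is the secp256k1 coordinate prime (assumption
for this example), so any secp256k1 private key fits as a secret.
"""
import secrets
from itertools import combinations

# secp256k1 field prime; all arithmetic is modulo P.
P = 2**256 - 2**32 - 977


def _eval_poly(coeffs, x):
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... mod P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret, m, n):
    """Split `secret` into n shares (x, y) of which any m reconstruct it."""
    if not 1 <= m <= n:
        raise ValueError("need 1 <= M <= N")
    if not 0 <= secret < P:
        raise ValueError("secret must lie in the field")
    # Degree m-1 polynomial with the secret as constant term. The remaining
    # coefficients must be uniformly random or the threshold guarantee fails.
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(m - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares):
    """Lagrange-interpolate the polynomial at x = 0 from the given shares.

    With fewer than M shares the result is a uniformly random field element,
    not an error: the caller cannot tell a wrong key from the right one, which
    is exactly why the threshold must be enforced by process, not by the maths.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        # Modular inverse via Fermat, valid because P is prime.
        secret = (secret + yi * num * pow(den, P - 2, P)) % P
    return secret


def threshold_demo(m=3, n=5):
    """Return (every M-subset recovers the key, an (M-1)-subset does not) for a fresh random key."""
    key = secrets.randbelow(P)
    shares = split_secret(key, m, n)
    every_quorum_ok = all(recover_secret(list(q)) == key for q in combinations(shares, m))
    short_fails = recover_secret(shares[: m - 1]) != key
    return every_quorum_ok, short_fails


if __name__ == "__main__":
    # The 3-of-5 arrangement mentioned above: all ten 3-share subsets work, 2 shares do not.
    print(threshold_demo(3, 5))
```

Calling `threshold_demo(3, 5)` reproduces the 3-of-5 arrangement from the text: every one of the ten possible three-share combinations returns the key, and two shares return an unrelated value. The same M-of-N vocabulary applies to multi-signature wallets, with the difference that there each of the N parties holds an independent key and the chain enforces the threshold, whereas here the threshold is a property of the shares themselves.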

These processes can be used in tandem. For example, multi-sig wallets can be created using HSMs, or MPC providers can enforce multi-sig rules. The major benefits of using these technology providers include faster transactions and the ability to interact with contracts on-chain while maintaining system security.

Crypto custodianship is now a big business. Almost USD3.5bn was raised in 2021 for institutional focused crypto custodian firms, dwarfing the USD471m that was raised in 2020.

Demand for crypto custodians will be directly correlated with inbound institutional capital entering the digital asset space. In addition, regulatory considerations are likely to amplify this demand. In the US, many institutions are required to use qualified custodians. Several crypto custodians now meet the qualifications, with Bitgo, for example, being designated as the custodian for the U.S. Marshals Service.

At CMCC Global, over the last 5 years we have reviewed and tested out a variety of custody solutions. In our early days, we were forced to self-custody assets with air-gapped computers that had never been connected to the internet, as no tried and tested custodians existed. Today, we are able to rely on a variety of institutional grade providers who offer an excellent service that includes insurance coverage at a reasonable price. We look forward to crypto custodians continuing to strengthen their services, further safeguarding digital assets and giving confidence to institutional investors looking to enter the space securely.