A Bold New Era: Crypto’s Evolution into Custody

The evolution of crypto asset custody is a pressing issue that requires strict audit controls and new-age key management to rebuild trust.

Following the 2022 crypto market crash, concerns about counterparty risk have become a hot topic in crypto risk management discussions and will be one of the main drivers shaping the future of custody in 2023 and beyond.

As this future becomes a reality, the regulatory framework around custody becomes clearer, and anything deemed operationally unwise or inappropriate will face intense scrutiny . FTX’s previous approach to crypto — a single key wallet storing assets on a cloud server, lacking a cybersecurity team, and not having systematic key management in place — will no longer be acceptable to customers and regulators.

Mick Horgan, Head of Custody at Bullish, said: “I remember browsing one of the FTX websites, trying to figure out their custody, trying to understand their underlying custody system. I had read about their fast withdrawal times for large trades, while seemingly keeping most of their assets in secure custody. How did they do that? I couldn’t figure it out. The answer, of course, is that FTX operates in the exact opposite way to how Bullish operates.”

As digital asset adoption continues to grow and the failures of 2022 become a thing of the past, how third-party digital asset custodians ensure the security of their funds will receive unprecedented attention, both from crypto participants and from regulators attempting to establish new, safer standards for the crypto industry.

The key to this evolution is the widespread implementation of a multi-layered custody system based on two fundamental pillars: key management and strict audit controls. Doing so will raise the minimum acceptable security level for asset custodians, better promote the growth of crypto by re-establishing and strengthening institutional trust while preventing new black swan events such as sudden trading platform crashes.

1. Keys are of paramount importance

Arguably, there is nothing more important than secure custody of your assets when it comes to crypto participation, so why aren’t third-party custodians held to a higher standard of key management? In the case of FTX, when the company finally implemented a multi-signature wallet, they stored all three keys in the same online location, defeating the purpose of a multi-signature wallet.

“It’s the equivalent of buying a secure premium vault, stuffing all your valuables in it and then walking away and leaving the door open,” – says Mick Horgan, head of custody at Bullish.

To move forward as a smarter, stronger industry, making key management a priority in a multi-layered custody system is a clear baseline for third-party custodians. The following are the key features that Bullish recommends all custodians should implement.

2. Decentralized private key storage

To ensure that there is no single point of failure, if compromised, private keys should never be stored in just one place. Instead, they should be isolated from each other and stored offline.

In a well-designed multi-tiered custody system, key distribution to the custodian will be done using a combination of cold, warm, and hot wallets to facilitate transfers while minimizing the risk of loss or theft. As a best practice, most assets will be securely stored in offline key-protected wallets.

3. Ensure hardware, software and operational safeguards

When it comes to key management, it is critical to build safeguards into every layer of the custody system. Once established, they will provide institutional and individual crypto participants with the confidence they need to participate in third-party custody options. Here are some best practices that should be implemented:

1) Hardware support

All offline private keys are isolated from each other and stored on a secure storage device.

Store online keys in a secure module on a protected cloud server.

Ensure effective use of cold storage by storing the majority of your digital assets held offline in cold wallets.

2) Software Assurance

All managed software components and operating systems should be cryptographically signed.

The signing process should be distributed among independent participants via multi-signature wallets to improve protection against collusion.

Leverage blockchain-based oracles to verify the provenance of escrow operations and prevent man-in-the-middle attacks.

3) Operational support

The protocol dictates which wallets interact with each other, which keys are required to sign transactions, and limits on transaction size and speed.

Asset custodians can implement disaster recovery systems to back up keys, meaning that not everything is lost in the worst-case scenario.

Key backups can be stored at remote locations in secure facilities around the world, ensuring maximum security.

4. World-class control, or nothing

As organizations and individuals explore the world of encryption, they all face a question: “If I lose my key, is everything gone?”

This is a major bottleneck moment in the crypto industry today, where people either decide to rely on themselves or hold back due to fear of losing their keys and its consequences. Most institutions don’t want to manage their keys, but they care deeply about how the custodian they choose manages those keys on their behalf; full trust is a make-or-break move for their entry into the crypto space.

“FTX’s failure highlights the importance of custody. Custody, simply put, is about the security of keys and can only be truly effective if there are strong internal controls, thorough recordkeeping procedures, and an obsession with the safety of customer assets,” said Mick Horgan, head of custody at Bullish.

Establishing rigorous, audited controls is critical to helping institutions weather difficult times by instilling confidence in their third-party custodians. These controls can take a variety of forms, each of which is an important component of building a comprehensive security system.

1) Internal Control

Internal controls help protect customer assets; if implemented correctly, they should be able to detect, prevent, and limit potential customer wallet issues. Here are the controls Bullish has implemented internally, setting a clear example for other companies:

- Separation of Duties - Duties such as key generation, storage, and transaction approval should be separated to reduce the risk of fraud and theft due to collusion.

- Wallet Recovery - Companies should implement controls to securely recover wallets at any time to prevent any loss of key access.

- Private Key Management - Most assets should be stored offline in multi-signature cold storage wallets to reduce the risk of online attacks.

- Risk Assessment and Management - Companies should continuously conduct security assessments and critical scenario analyses.

- Asset Segregation - Client funds must be kept separate from company assets, ensuring that they are not commingled in any account or blockchain address.

- Monitoring - Real-time monitoring of wallets/transactions and reconciliation of all wallets and accounts should be implemented. In the best case, a dedicated cybersecurity team will lead this control.

- Access Control - More than 80% of security breaches are password related, so in an industry plagued by cyber attacks and fraud, passwords are no longer enough. Strict access control and multi-factor authentication should be implemented for access to all privileged systems.

- Employees - Cybersecurity teams should implement an in-depth security training program to ensure every level of the company is protected from contributors.

All internal controls and security policies should be reviewed and audited regularly by external auditors, which is the basis of external controls.

2) External Control

In order to supplement internal controls and better meet the needs of institutions, third-party crypto custodians need to upgrade their audits to at least the standards of traditional finance (TradFi). To this end, each custodian needs to implement regular independent audits by qualified auditors (such as the Big Four accounting firms).

These audits should assess the custodian’s internal controls and overall security, ensure that customer assets are segregated from custodian assets, and analyze the custodian’s solvency by completing a proof of reserves audit.

Planning for a Secure Future in CryptoFor the crypto industry to continue its journey toward global adoption, past shortcomings must remain in place, especially when it comes to crypto custody. If there’s one lesson to be learned from FTX, it’s this: crypto can’t rely solely on governments, auditors, and regulators to protect its participants. Instead, every participating institution and individual needs to do their part to hold asset custodians accountable . If everyone plays their part, the industry will rise to a new standard and become a leader in transparency, risk management, and security in global finance.