The Custody Dilemma: A Spectrum of Solutions
The majority of losses by cryptocurrency users have a single cause: custody. It is both a strength and a weakness of blockchain technology, depending on the choices users freely make, especially considering the failures we witnessed last year from FTX, Three Arrows Capital (3AC), Celsius (CEL), and more.
We, as the users of cryptocurrency, are empowered to prevent such losses from occurring again by educating ourselves on custody and security, as there is no perfect single solution.
I will cover self-custody, exchanges, and custodians in this article. I cannot simply recommend pure self-custody for everyone. This might be controversial, but it is the truth. We have to balance all of the risks against each other, including human error, theft, and third parties. This forces a pragmatic approach in all cases, as security has to be contextually based on the individual circumstances and abilities of the user.
For both small and large users, I highly recommend using Hardware Wallets: There are plenty of great manufacturers out there; I can recommend both Ledger and Trezor.
We can break this type of custody into four stages of sophistication in order to scale security with capital:
- In the first stage, use the Hardware Wallet as the manufacturers recommend and follow their instructions strictly, and you will have achieved a low level of self-custody.
- To reach the next level of security, I do not recommend keeping your Hardware Wallet and seed phrase in your home unless they represent an insignificant amount of capital. Ironically, the next best solution is keeping your seed phrase and Hardware Wallet in a bank vault; as it turns out, banks are very good at securing cryptocurrency assets.
- Hardware Wallets are great, but they still represent a single point of failure; resetting your Hardware Wallet removes that vulnerability, leaving you with just a seed phrase. That seed phrase can be split into six parts, which can then be divided between three parties. Now be careful: do not attempt this without significant knowledge and practice! The upside is that a 24-word seed can be turned into a 2-out-of-3 sharded key using this method. The Hardware Wallet acts as a more secure means of creating and recovering this sharded key, whose parts can then be stored in separate bank vaults.
- On a high level, this should be accompanied by extensive cryptographic rituals, four-eye principles, multiple parties, cryptographic signatures, secure rooms, and multiple checks and balances.
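As an added illustration of the third stage above (not the author's own procedure), the following Python shows one common layout that yields six parts across three parties with 2-of-3 recovery: the 24 words are cut into three 8-word parts, each part is written down twice, and every party holds two of the three parts. The seed words are constructed placeholders, and note that this layout is not Shamir secret sharing: each holder learns 16 of the 24 words.

```python
"""Split a 24-word seed phrase into three overlapping 16-word shares so that
any two of three custodians can reconstruct it. This is an assumed layout for
the 'six parts across three parties' scheme, not Shamir secret sharing: each
holder learns 16 of the 24 words, so the parts still need vault-grade storage."""
from itertools import combinations

# Constructed sample: 24 placeholder tokens standing in for BIP39 words.
SAMPLE_SEED = [f"word{i:02d}" for i in range(1, 25)]

def split_seed(words):
    """Return {party: [(part_label, words), ...]} for three parties.

    The 24 words are cut into parts A, B, C of 8 words each. Each part is
    written down twice (six physical pieces in total) and the parties receive
    A+B, B+C and C+A, so any two parties together hold all three parts."""
    if len(words) != 24:
        raise ValueError("expected a 24-word seed phrase")
    parts = {"A": words[0:8], "B": words[8:16], "C": words[16:24]}
    layout = {1: ("A", "B"), 2: ("B", "C"), 3: ("C", "A")}
    return {p: [(lbl, list(parts[lbl])) for lbl in lbls] for p, lbls in layout.items()}

def recover_seed(shares):
    """Reassemble the phrase from the shares of at least two parties.

    Parts are placed back by label; duplicate copies must agree, and the
    result is only accepted when all three parts (24 words) are present."""
    found = {}
    for pieces in shares.values():
        for lbl, ws in pieces:
            if lbl in found and found[lbl] != ws:
                raise ValueError(f"conflicting copies of part {lbl}")
            found[lbl] = ws
    missing = {"A", "B", "C"} - set(found)
    if missing:
        raise ValueError(f"cannot recover: missing part(s) {sorted(missing)}")
    return found["A"] + found["B"] + found["C"]

def any_two_suffice(words):
    """Check that every pair of parties, but no single party, recovers the seed."""
    shares = split_seed(words)
    for a, b in combinations(shares, 2):
        if recover_seed({a: shares[a], b: shares[b]}) != words:
            return False
    for p in shares:
        try:
            recover_seed({p: shares[p]})
            return False  # a single party must never be enough
        except ValueError:
            pass
    return True
```

Rehearse the recovery with a throwaway test seed before ever applying the layout to real funds, since a single mislabelled part makes the phrase unrecoverable.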
Be Your Own Bank
Self-custody is great in theory, but in practice being your own bank comes with new challenges. For a start, more significant capital requires increasingly sophisticated methods of storage, requiring progressively higher degrees of expertise, as I have just demonstrated.
I do not want to discourage self-custody. However, the risk of a loss occurring due to key mismanagement has to be accounted for. Therefore self-custody requires the highest degree of education, as liberty requires greater self-responsibility from its participants.
If this seems like a bit much, it is because it is; this is why so many people opt to trust third parties with their funds, especially at higher levels of capital. However, there is a big difference in quality and security between third parties, from exchanges to custodians:
Starting with exchanges: a necessary evil, as we still require on- and off-ramps. Ideally, you should aim to hold as little capital as possible in exchanges. However, the reality is that not everyone is as comfortable with self-custody, requiring a personal balancing act.
We should always demand blockchain-based proof of reserves on any exchanges we choose to use; I can recommend both Coinbase and Kraken. Both have excellent long-standing reputations with audits, good security, and proof of reserves. Still, never put all your eggs in one basket!
Moving on to custodians: Custodians take security very seriously. This option can be expensive, so it is usually reserved for professional investors or high-net-worth individuals. I can recommend both BitGo and Sygnum.
The fund I manage at Cyber Capital uses BitGo. Good custodians such as BitGo have world-class security; multiple physical vaults, armed guards, video verification, multi-signature, manual approvals, custom hardware, insurance, and legal protection, all with a pleasant personal touch.
Keeping your money in DEXs and DeFi is just self-custody, as I described earlier. However, using such networks layers more risk on top of self-custody, as you become exposed to smart contract risk, where a single bug in the underlying code could lead to a loss of funds.
We have to also be aware of admin keys, which in most cases can steal user funds; this is why it is so critical to also avoid any networks that use admin keys, such as Polygon and Arbitrum, for example.
When in doubt, it is best to assume that any assets stored in such protocols are at risk of theft or accidental loss unless you have done extensive due diligence in order to ensure that is not the case.
You can have the best custody humanly possible and still suffer significant losses due to a lack of investment diversification.
LUNA was an example of this and the only major event in 2022 that did affect the Cyber Capital fund, as it was a systemic failure of a decentralized cryptocurrency as opposed to a direct failure of a centralized custody provider. Diversification, fortunately, saved the day in this case.
It cannot be overstated how vital investment diversification is in avoiding unnecessary losses, as the possibility of unpredictable black swan events always exists while blockchain technology is still nascent.
We can also think of diversification in terms of custody distribution. If you have to have exchange exposure, it is better if you spread that out across multiple reputable exchanges, for example.
Five Dollar Wrench Attack
If you are a super geek who can set up air-gapped Linux machines running your own custom code, congratulations: you are in a tiny minority who possess such skills. This is why I cannot recommend it to most people, and I kindly remind all of the computer wizards out there of the $5 wrench attack: an adversary who cannot break your cryptography can simply threaten you with a cheap wrench until you hand over the keys.
Last but not least, there is fundamental analysis: researching the code, the people, and the organizations gives deeper insight when assessing risk. That is how Cyber Capital managed to avoid any FTX exposure.
This type of research can be extended to all sorts of organizations and projects, providing another layer of security. I recommend applying very high standards to people and having an extremely low tolerance for any red flags.
This alone will protect you from the majority of threats in this ecosystem, even if it is an inexhaustible task, as is the case at Cyber Capital, which has specialized in cryptocurrency fundamental analysis since 2016, supported by a team of full-time cryptocurrency researchers.
This article is far from complete and is not a guide! Only a starting point.
There are also more methods I did not cover, and there is no one-size-fits-all solution. It is, in fact, highly contextual, and custody has to evolve over time, including balancing human error against theft.
We are all only human; we can all be wrong. The general approach I outlined here has allowed the fund I manage not to experience any significant losses due to custody failure since its founding in 2016, which I hope at least gives me some credibility on this subject.
Cyber Capital has maintained its own self-custody based on the fourth stage of Hardware Wallet security I described earlier in this article. Last year we finally moved to BitGo as our primary custodian after years of discussions with many major parties whose names I cannot disclose.
I am a decentralization and self-custody advocate, yet I run a centralized investment fund. Because I understand the pragmatic reality of cryptocurrency security and investment, I choose to serve as a reputable bridge between both worlds.
We need different solutions for diverse groups of people who are at distinct phases of investment and usage. Self-custody in the form of a simple Hardware Wallet to support commerce for a small mom-and-pop store is probably fine. However, an individual investor who has invested a significant amount of his own capital should definitely invest more in advanced forms of security.
If you want to go down the self-custody route, you have to educate yourself on operational security, investing significant amounts of time in your own education. When I first started to go down this route, I taught myself how to use Linux, spent hundreds of hours absorbing security content, and worked closely with real experts in the form of white hat hackers. I am not a security expert, but I have educated myself sufficiently for the role I occupy, while also having the critical support of real hackers.
Because the landscape for custodians in 2016 was insufficiently developed, the fund I manage developed its own self-custody solution: a successful one, as evidenced by its track record, but not as good as BitGo, due to BitGo's specialization and scale. Adding another third party is also a positive in the context of a registered cryptocurrency investment fund, as it adds to the trustworthiness of Cyber Capital as a financial institution, reinforcing the fact that there is no one-size-fits-all solution.
So whether you choose to trust others or become your own bank: The devil, as always, is in the details.