The rapidly expanding digital asset market soared beyond two trillion dollars in collective value in 2021. Yet in the same year, criminals exploited custodial weaknesses to siphon off a record $14 billion from the expanding ecosystem.
These losses highlight the importance of secure custody infrastructure, which is only becoming more significant as institutional players with higher standards of security and compliance enter the market.
In this post, we cover what custody is, how this core financial service applies to the world of digital assets, and where Qredo fits into the custody infrastructure landscape.
Digital asset custody is the protective care or guardianship of digital assets, typically provided by a third party for a fee.
In this sense, digital asset custody is similar to custody of traditional financial assets. However, the unique nature of digital assets means that digital asset custody works differently — and is even more critical to preventing losses.
Unlike traditional assets, digital assets are controlled by a "private key" — a string of letters and numbers that acts like a password, unlocking the right to manage and spend the assets.
The power conferred by possession of the private keys makes it vital that they remain just that — private. The owner should never share them with anyone else because they can be used to irreversibly transfer funds out of the wallet.
Nevertheless, digital asset custodians — e.g. for bitcoin custody and ethereum custody — are essentially just third-party companies that store crypto assets under their own private keys, effectively taking ownership of the assets in their care.
The digital asset custody landscape has rapidly shifted in the last few years, and most offerings now fall into one of three distinct categories:
Early exchanges acted as de facto custodians, with catastrophic consequences. The collapse of Mt Gox in 2014 was the first major incident, and it was followed by many other exchanges that suffered breaches after prioritizing growth over security. Today, security is much higher on the agenda and many of the most established exchanges have their own dedicated custody branches, some of which are also licensed and regulated in local jurisdictions.
Specialized custodians are typically either crypto-native companies, or traditional financial services firms — such as Fidelity and BNY Mellon — that have increasingly started supporting crypto in response to demand from customers.
For individuals, self-custody is often the most popular route. This means taking full control of private keys — typically on a hardware wallet — and removing reliance on any third party. In short, following the "not your keys, not your coins" ethos.
Until Qredo, it was very difficult for institutions to realize independent self-custody.
However, Qredo's decentralized Multi-Party Computation (dMPC) — which is covered in detail in the next section — removes the need for third-party custodians, enabling organizations to take full control of assets and still be protected by institutional-grade governance controls.
Custodians typically rely on a few different forms of technology for protecting private keys. Each type takes a different approach to balancing the need for security with accessibility and operational flexibility.
Cold wallets maximize security at the expense of accessibility. Private keys are stored offline, where they cannot come into contact with any online systems and so can't be hacked. However, accessing funds can be a slow process that requires manual human approvals.
Historically, the first forms of cold storage were simply laptops disconnected from the internet. Other early forms involved printing out private keys on paper. Today, the most common forms of cold storage are hardware wallets that store private keys on secure chips.
Hot wallets prioritize accessibility over security. The private keys controlling digital assets are kept in wallets connected to the internet. This ensures assets are quickly accessible, but also makes them vulnerable to loss from thefts and hacks. As a result, hot wallets are typically only used to hold a small amount of digital assets for day-to-day transactions.
The hot and cold wallet combo
The compromises of each type of custody mean crypto firms typically rely on a combination of both hot and cold wallets, often protected by an additional layer of governance in the form of multisignature schemes. The vast majority of funds are held in cold storage, with a small percentage kept in hot wallets to ensure there is enough liquidity for customer withdrawals — just like keeping $100 in your pocket wallet and the rest of your savings in the bank account.
Multi-party computation (MPC) is increasingly being used for digital asset custody. This is a revolutionary cryptographic technique that allows multiple parties to jointly perform mathematical computations without any party revealing its secret to the others.
What this means is that multiple computers holding private key data can work together to solve signature equations without ever creating a private key — or exposing any critical information to one another. Thus potential hackers cannot obtain the private key by compromising a single device, and the single point of failure of centralized custody can be eliminated.
MPC also offers important advantages over multisig in terms of governance and operational efficiency. For example, the signing threshold can be easily changed if all signers agree, rather than having to create a completely new wallet as with multisig — an operational burden that increases the likelihood of funds being sent to the wrong address.
However, despite these big potential benefits, most implementations of MPC still either hold sensitive private key data, making them de facto centralized, or give sensitive private key data to the customer — raising the possibility of permanent loss through theft or error.
Qredo resolves these issues by decentralizing private keys completely with a novel implementation of MPC we call decentralized multi-party computation (dMPC).
Qredo's unique innovation is multi-party computation driven by blockchain consensus.
From the private key controlling the digital assets, Qredo's MPC protocol generates independent secrets that are distributed between MPC nodes on a fast-finality blockchain. In most MPC implementations, these nodes are typically controlled by the same organization, leaving assets exposed to rogue employees, conspiring cloud providers, or other colluding partners that could potentially abscond with the funds.
In Qredo's decentralized MPC, each MPC node is housed in a security-hardened tier 4 data center, and these data centers are distributed across financial hubs around the world, from London to Chicago and Hong Kong. When the pathway to decentralization is complete, each MPC node will then be controlled by an independent validator.
When an asset owner wants to send funds, they coordinate with their appointed approvers via the Qredo network to confirm asset ownership on the blockchain, creating a consensus that enables the asset owner to invoke the MPC nodes to run the MPC protocol from their Qredo wallet. The MPC protocol then generates a digital signature for the underlying blockchain to send digital assets from that address.
Taking self-custody simply means possessing your own private keys.
This is easy for individuals, who can simply put keys on a hardware wallet for safekeeping and instantly follow the cypherpunk Satoshi ethos of "not your keys, not your coins" — removing any need to trust centralized third parties.
Until now, however, such self-custody has been impossible for organizations. Private keys pose challenges for institutions, which have governance needs and therefore require institutional-grade controls that don't depend on a single passcode accessed by a single user.
Qredo Wallet brings the "not your keys, not your coins" ethos to institutions. It transforms private keys into a flexible governance layer, allowing organizations to take full independent control and protect their assets with institutional controls — all without the need to trust a third party.
Coming soon, Qredo's computational custody upgrade will introduce full automation. It will allow all custodial actions to be based only on the laws of math, with transactions automatically and independently assessed according to specific criteria — such as size, parameters, origin, or destination — without any reliance on third-party custodians or human oversight.
In jurisdictions such as the US, traditional financial custodians are subject to regulation.
Digital asset custodians, which have access to assets and participate in signing transactions, fall into this same category — meaning they must seek approval and authorization in every jurisdiction they serve.
As a decentralized custody network, Qredo does not fit into this category of centralized custodians. Rather, Qredo is a custody tech provider — more akin to a bank vault manufacturer than a bank.
As such, Qredo doesn't hold private keys and cannot intervene in transactions or seize funds, so it doesn't need a crypto custody license.
As traditional assets migrate to the blockchain and novel cryptographic assets such as NFTs become more embedded in global finance, digital asset custody will play an increasingly important role.
At present, however, it is at risk of replicating the same vulnerabilities seen in traditional asset custody.
In traditional finance, custodians have consolidated over time. Economies of scale have helped larger players to take the lead by offering lower prices and greater efficiency. This has created centralized points of systemic risk, echoing structural issues like those that preceded the financial crisis of 2007–2008.
Crypto custody is now at risk of following a similar trajectory. We are seeing the entry of major players from traditional finance, and the prevalence of traditional custody tech based on an old centralized paradigm — including cold storage, hot wallets, and implementations of MPC that require customers to surrender control of assets.
Qredo believes in an alternative vision: A future of decentralized custody for decentralized assets, in which organizations can be fully secure and compliant, without compromising on the independence and self-sovereignty that is granted by cryptographic assets.