Initially published on the blog of Knox Custody.
In any case, holding Bitcoin keys involves no magic tricks but only trade-offs.
Custody, the act of holding and using private keys, is arguably one of the most critical activities around Bitcoin as a monetary protocol for the Internet. There are many ways to do it as an individual holder, and a variety of methods to do it as a company, with multiple individuals and degrees of trust. Each distinct custody setup comes with trade-offs. Security, simplicity and sovereignty are the three main parameters that can be tuned when electing a method of holding Bitcoin. Usually, two out of these three parameters can be fully optimized, while a third may need to be partially compromised.
Companies, individuals and other organizations have distinct risk tolerance, internal rules and controls, and different sizes of holdings, which warrant completely different custody setups. Based on a custody risk spectrum, one can build a useful mental model for how to decide on the right configuration for their own needs. There is no one-size-fits-all approach.
Bitcoin custody involves decisions around complexity-adjusted security.
Security is important, as mentioned, but it has a diminishing rate of return when it comes to the amount of complexity it generally triggers. As the popular saying goes: complexity is the enemy of security. Now that mainstream businesses such as MicroStrategy are announcing that they use Bitcoin as a treasury reserve asset, or that funds such as Paul Tudor Jones’s hedge fund use it as a hedge against inflation, the discussions around custody trade-offs are timely and important.
How does a regular business, private or public, hold Bitcoin securely without too much complexity? How much should a company trust another specialized custodian for safekeeping? Is the dependency on a third party Bitcoin custodian even worth it? How does insurance for theft and loss fit into the equation? Is that even scalable? Is collusion and internal employee theft a risk that can be mitigated in the absence of an independent custodial agent? How should backups be managed for responsible business continuity? How do legal and technology stop gaps mitigate the main risks around Bitcoin custody? Any limitations with certain corporate governance models?
Trade-offs, no Magic Tricks
All these previous questions are operational concerns that give responsible companies looking to hold Bitcoin to protect their balance sheets cold feet. In this short article, we attempt to clarify the tradeoffs and provide categories of custody based on unique preferences and risk appetite.
As mentioned, Bitcoin custody is a tradeoff between security, simplicity and sovereignty. There is no way around that, so there is no perfect setup or standard that fits all businesses and/or individuals. Companies have many distinct internal requirements, operational constraints and jurisdictional restrictions, which demand more sophisticated configurations than individual holders, so most consumer setups don’t cut it.
On one extreme end of the custody risk spectrum lie the simplest custody options, and on the other hand the most secure alternatives. Between these two extremes, a variety of options are available, which balance the third main concern: sovereignty and the ability to remain fully independent as a business holding Bitcoin for the long term.
On the extreme end of the custody risk spectrum lie configurations with high simplicity and low security—the reign of centralized Bitcoin exchanges. Exchanges remain the most popular venues to hold Bitcoin. Empirically, holding bitcoin for their clients has been the cost of doing business for most, if not all centralized exchanges serving retail consumers. As businesses, they take on additional risk providing custody services and are usually not compensated financially in return. Exchanges may pass on the fee to maintain a costly internal custody infrastructure in the form of a wider spread on their spot markets, or simply charge additional fees, but generally, the amount of risk emanating from custody does not make much economical sense for exchanges.
Traders tend to leave their Bitcoin on execution venues for capital efficiency when it comes to entering a market position but companies looking to hold Bitcoin as a long term treasury asset will most likely not be comfortable with that level of counterparty risk. Indeed, exchanges have risk in the execution and custody, which concentrates risk to one entity pre and post trade settlement.
Exchanges should do what they do best, which is allowing market participants to discover prices buying and selling bitcoin against other fiat currencies, and quite often with other adjacent cryptocurrencies. Building an order book with deep liquidity and an order matching technology to fill orders efficiently is hard, requires dedicated focus and specialized attention. In securities markets, exchange venues provide execution services while custodians provide custody services. Forward-looking Bitcoin exchanges are realizing that and moving to specialized custodians such as Bitbuy out of Canada, the world’s only exchange to have 100% of the value of their users’ Bitcoin cold storage insured while other popular exchanges such as Gemini, Coinbase or Kraken still hold no or fractional insurance coverage, putting their clients’ holdings at risk of principal loss of funds in the worst case. With comprehensive insurance products now available to a limited number of Bitcoin custodians, it remains to be seen how long it takes for users and traders to demand that centralized exchanges be fully insured across the board. We shall let the market decide.
Exchanges are inherently taking on operational risks that they are not designed to assume with no insurance or other stop gaps, putting their users at risk of theft and loss, which can be unacceptable for responsible business owners managing a Bitcoin treasury who understand that such risks are quite material. Notably, lots of consumers still trust exchanges to hold their keys as it is the most convenient scenario, which does not require sovereign custody.
Single Key Storage
Many solutions exist, mostly for consumers, where a user can hold their own key by using some sort of software to securely hold private keys and sign transactions. While there are many single key wallets on mobile and desktop platforms, specialized hardware devices are usually the preferred method for sovereign key storage.
Multiple providers offer specialized hardware with custom firmware, which reduces the attack surface of self-custody as the hardware devices are generally kept offline for transaction signing and have less code running, reducing the number of potential attack vectors that could result in Bitcoin key theft or loss. Certain hardware wallets such as ColdCard have secure elements and open-sourced blueprints of their chips and firmware, which make for one of the most reasonably secure options in that Bitcoin storage category.
Single key hardware storage providers, commonly referred to as hardware wallets, provide a balanced trade-off between simplicity and sovereignty but have security risk when it comes to reliable seed backups as users are usually on their own, which introduces a new layer of concerns and risks to mitigate. This setup falls short when it comes to having multiple people collaborating together in an enterprise context.
Having the capability to construct bespoke logic when it comes to user access and permissions for transaction signing or key backup recovery is essential for businesses with multiple internal trusted agents managing corporate treasury. Novel solutions brought by Coinkite Bunker allow for such setups.
Multiple Keys Storage
Bitcoin as a protocol has a built-in multisignature feature, which enables multiple keys to be used to secure holdings, allowing for more sophisticated rules for fund access control and transaction authorization. No single points of failure. Multisignature configurations, often referred to as multisig vaults, provide good security with added redundancy of keys, and allow holders to remain sovereign, though complexity tends to rise in certain setups.
Multisig vault providers such as Unchained Capital out of the US provide tools to make multisignature more usable, while maintaining an optimal level of security and sovereignty for their clients. Companies can bring their private keys to Unchained to participate in a multisig quorum. This means that companies do not need to trust Unchained to generate seeds for them, they only need to trust that Unchained can protect their key.
Recently, Unchained released a product for enterprise allowing businesses to create custom permissions that meet their internal control requirements—a first in the industry. Multisig vaults preserve sovereignty and security but tend to increase complexity as multiple agents are involved in holding keys that can be lost or stolen. As Phil Geiger from Unchained Capital mentioned:
Multisig eliminates single points of failure, so if one bad actor loses or steals a key, they can't access the bitcoin without a combination of another key and wallet information.
In environments where all keys are held by employees in a firm, there needs to be strict processes that are exercised vigorously to prevent collusion. If not followed adequately, internal policies are not sufficient to prevent internal collusion—the predominant cause of theft and loss of Bitcoin holdings.
Strict, computer-enforced rules for Bitcoin vault management is essential for security where agents cannot be 100% trusted, which is rarely the case. Additionally, some companies acting as fiduciaries towards their shareholders are not authorized to custody assets, thus holding their own Bitcoin keys, which forces them to use other trusted agents as key storage providers. This can be an issue if the custody agents are not to be trusted with security, which is often the case as trusted third parties are security holes. Where does that bring us?
Companies providing specialized custody services such as Fidelity Digital Assets, BitGo or Gemini are well-known for their custody services, but originate levels of risk that would be unacceptable to most institutional investors or enterprises with fiduciary obligations to external shareholders. Most trusted custodians operate according to discretionary security standards that can expose customers to levels of risk that are not adequately disclosed, or often not well understood by them, providing a false sense of security.
In traditional securities markets, if insolvent on their demand deposits, fractional reserve custodians can be, have been, and will be, made whole by central banks that will inject liquidity into these entities to limit exposure to the risk of systemic collapse with institutions that share many assets and liabilities across distinct balance sheets. In a Bitcoin monetary system, there are no bailouts and no lender of last resort, which makes trusted custodians with fractional reserves highly risky. Due to the economic incentives behind fractional reserve banking, rehypothecation is becoming increasingly popular among Bitcoin custodians, which can lead to systemic risk and unsustainable growth in the industry, exposing clients of these entities to catastrophic risk of theft and loss.
Customers should demand that all custodians provide verifiable proof of solvency attesting that the Bitcoin they hold (assets) match their clients’ demand deposits (liabilities) such as Kraken and Bitbuy. Security through obscurity is a short-sighted strategy when it comes to information security, and in particular when digital information has monetary value such as Bitcoin holdings. Trusted custodians ought to operate according to rigorous security principles that we highlighted, in part, in the Knox custody risk management registry. This is not meant to be a comprehensive list in any shape or form, but should be the base security standard for custodians acting as trusted key storage and transaction signing agents for their clients.
Trusted custodians should strive to distinguish blind faith from intelligible trust, by being open about their security models and risk management principles. In that setup, security and simplicity can be fully optimized but sovereignty is affected due to the reliance on a trusted third party. Often seen as a controversial activity that is antithetical to Bitcoin, trusted custody can only be done reasonably with adequate risk transfer mechanisms, which protect clients financially from theft and loss events, including internal collusion. Comprehensive insurance policies and legal agreements acting as fallbacks in case of a total failure of the custodian should be put in place, at minimum.
Knox has built a custody model that we came to appreciate as a reasonable tradeoff on sovereignty for uncompromising security and simplicity of usage. All transaction signing operations happen offline in a secure air-gapped infrastructure (also called cold storage), which is designed such that no single employee or group of employees can collude to steal the funds of our own clients. Knox staff, employees, directors and officers are completely locked out of our clients’ Bitcoin vaults, such that we cannot ever sign a withdrawal without the explicit request from clients holding account access keys. We are cryptographically locked out. Holding multiple millions of dollars worth of Bitcoin in distinct client accounts required us to enforce a true segregation of accounts down to the entropy level, such that no private key material is ever shared across client accounts. All customer backups are stored in physical vaults in distinct cities by a partner security firm, which has a different balance sheet and management team. Additionally, in this arrangement customers are made the sole owners of the recovery backups.
All these properties that we validated with our insurance partners allowed us to bind an insurance policy that covers our custody operations against theft and loss of Bitcoin, whether internal collusion or external attacks. We are capable of servicing each client with dedicated insurance allocations in 1:1 capacity, such that if a client holds $20 million or $150 million worth of Bitcoin, their account can respectively be insured with $20 million and $150 million of dedicated insurance coverage. Each customer limit can be certified by our insurance broker, Marsh, such that controllers, CFOs, directors and officers can report to their board, and shareholders and meet their internal risk management needs. This is a first in the industry and to this day remains unique. While we are happy that this is the case, we believe that more trusted custodians should work with insurance markets who act as the ultimate risk pricing mechanism and arbiters of the security of a system. If custodians cannot afford to get a reasonable insurance policy on their systems, their clients should demand why that is the case. A well-capitalized balance sheet and a high pedigree brand should not be enough in the medium to long term to act as a reasonable financial stop gap.
With trust comes risk, and as the OCC suggested recently, US banks will now be capable of servicing their clients with Bitcoin custody services. As a trusted custodian, we recommend that companies and other Bitcoin holders do their own research when it comes to picking the right custody setup, whether non-custodial, trusted, single key or multisig. We are aware that our solution is not the perfect solution for all businesses, funds or individuals (usually UHNW due to monthly minimums) as it can not be, but we do understand that certain market participants would be better off not holding their own keys, or simply can’t afford to.
We remain available to discuss available options and act as trusted and responsible agents in your search for the right partner, or setup, whether you wish to optimize simplicity, security or sovereignty. And remember, custody is a tradeoff, as are many things in business and life.