Sep 27 | 8 min read
As DeFi continues to grow and more traditional investors and institutions enter the space, the ability to deter and prevent digital asset theft will only grow in importance.
With that in mind, Index Coop has partnered with Qredo, a leading self-custody platform, to bring you this overview of the basics of digital asset security. In it we’ll cover:
At the core of digital asset custody are wallets, which are simply storage vessels for digital assets. Contained within wallets are two types of keys—private keys and public keys—that facilitate digital asset transactions. These keys are randomly generated strings of numbers and letters that allow a user to manage their assets. The private key acts like a password; its primary purpose is to authenticate and encrypt transactions. The public key acts like a username; its primary purpose is to identify the individuals taking part in the transaction.
In DeFi, it is the private keys a user holds that unlock access to the user's assets. This differs from traditional finance (TradFi), in which users must work with banks to access their assets. Because keys unlock the entirety of an institution’s digital asset portfolio, institutions may find it difficult to securely manage them without using a custody solution.
To steal digital assets, cybercriminals most commonly exploit a user’s private keys, which allows them to control all funds. From there, attackers can transfer these funds from the victim’s wallet anywhere, like their own wallet.
Since the advent of cryptocurrency, digital asset users have accidentally discarded, overwritten, or lost private keys in different ways. Equally, users have suffered huge losses through private key hacks by cybercriminals and malware.
Private keys are most commonly exploited in three ways:
A cybercriminal infects a server with malware that steals a victim’s private key.
A cybercriminal steals a hardware security module (HSM) authentication token and uses it to sign a withdrawal transaction of a victim’s account.
An authorized internal employee of a private key storage solution, like a centralized exchange, steals a victim’s private key.
Private key loss is a constant feature of the digital asset ecosystem. Because of this, digital asset custody providers have expended much effort to ensure secure solutions.
To mitigate private key risk, individuals and institutions use digital asset custody services. These typically fall into one of the following categories: exchange wallets, custodians, or self-custody solutions. Each has advantages and disadvantages. Some may be more appealing to institutions versus individual investors.
Exchange wallets allow users to maintain access to their digital assets through an online wallet, but they hand over control and management of their public and private keys to the exchange. Because the exchange holds the private keys, the exchange also holds the digital assets contained within the wallets. Examples are Coinbase, Binance, Okex, and Huobi.
Exchange wallets are a go-to choice for novice digital asset users; they allow for ease of access and provide a customer support team to assist with security inquiries. Users of exchange wallets face counterparty risk: the possibility that the exchange may default on its contractual obligations and so fail to secure or maintain the assets deposited. For example, exchanges may be declared insolvent, meaning they have more liabilities than assets on their balance sheet. Since users of exchange wallets do not hold the private keys to their digital assets, they would be unable to withdraw their digital assets. This happened most recently to the centralized exchange Celsius. In July 2022, Celsius declared bankruptcy, owing users $1.2 billion.
Custodians are one of the pillars of the TradFi system. In TradFi, custodians serve as vaults, safekeeping investors’ assets in both electronic and physical form in exchange for a fee. Custodians employ both buy-side and sell-side security mechanisms. These mechanisms facilitate timely transactions while minimizing the risk of fraud, theft, or loss of assets.
Digital asset custodians fulfill a similar role in protecting users’ assets. They update the methods of traditional custodians to meet the distinctive features of digital assets. Simply, they cryptographically secure assets through safe key management in exchange for a fee.
There are three significant ways digital custodians differ from TradFi custodians:
Once digital assets are deposited to an exchange, they are not legally the investor’s property.
Very few jurisdictions around the world regulate digital asset exchanges, in contrast to the heavy regulation of traditional assets.
Digital asset exchanges do not only provide custody for assets; they also act as brokers, serving as a central marketplace for trading.
Additionally, the security technology of TradFi cannot be replicated in DeFi. TradFi security measures often create transaction delays. Requiring 24-48 hours to complete a transaction in DeFi would create capital inefficiencies because evidence shows that transfer speeds and profits are highly connected in the digital asset market. This means that TradFi custodians must adjust their methods to account for the need for faster transaction speeds in DeFi.
Custodians are important to institutions looking to secure digital assets for 4 reasons:
They’re safer than exchanges. Exchanges are more susceptible to insolvency, regulatory crackdowns, and cybercriminal attacks.
They provide a resource for investors. Most licensed custodians do not only serve as storage providers; they can provide or recommend risk assessment and insurance for institutions.
They provide some degree of operational efficiency. Custodians can ease the often daunting nature of digital asset trading and management by providing simple technology and expertise.
They reduce risk and improve security. Custodians' resources provide institutions with safe, regulated storage for their digital assets.
Dedicated custodians can be crypto-native companies, like Coinbase Custody and BitGo, or forward-thinking TradFi firms that offer various levels of support for digital asset security, like Fidelity and BNY Mellon.
Self-custody solutions include hardware (“cold”) and software (“hot”) wallets. They allow users to maintain full control over their private keys, and by extension, their digital assets. Examples of cold wallets include Ledger and Trezor. Examples of hot wallets are MetaMask, Coinbase Wallet, and Argent.
The major advantage of self-custody solutions is control. Since users own their private keys, their digital assets cannot be stolen or lost. Self-custody solutions maximize security by holding private keys offline, but they come with the tradeoff of an inconvenient user experience and with a burden of responsibility. Users must safeguard their private keys themselves. If users of self-custody solutions lose their private keys, they will be permanently unable to access their digital assets.
MPC, or multi-party computation, is a novel cryptographic technique that allows multiple parties to make calculations using their combined data without revealing their individual input. This security mechanism addresses the risks faced by traditional digital asset custody solutions.
This tech was first invented in the 1980s and found its first major practical application in crypto. MPC replaces the private keys controlling digital assets with a distributed signing process.
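An added illustration of the distributed signing idea described above (not code from Index Coop or Qredo, and not their protocol): three hypothetical nodes each hold an additive share of a Schnorr signing key and jointly produce a signature that verifies against the combined public key, without the full key ever being assembled in one place. The group parameters and message are constructed toy values; production threshold schemes add protections such as nonce commitments, share proofs and quorum thresholds that are omitted here.

```python
import hashlib
import secrets

# Constructed toy Schnorr group (p = 2q + 1); far too small for real use.
P, Q, G = 2039, 1019, 4

def challenge(R, X, msg):
    """Hash the joint nonce point, joint public key and message into Z_q."""
    digest = hashlib.sha256(f"{R}|{X}|".encode() + msg).digest()
    return int.from_bytes(digest, "big") % Q

class Node:
    """Hypothetical MPC node holding one additive share of the signing key."""
    def __init__(self):
        self.x = secrets.randbelow(Q - 1) + 1  # key share, never leaves the node
        self.X = pow(G, self.x, P)             # public share, safe to publish
        self.k = None

    def commit(self):
        self.k = secrets.randbelow(Q - 1) + 1  # fresh nonce share per signature
        return pow(G, self.k, P)

    def partial_sign(self, e):
        s = (self.k + e * self.x) % Q
        self.k = None                          # a nonce share is never reused
        return s

def joint_public_key(nodes):
    X = 1
    for n in nodes:
        X = X * n.X % P                        # g^(x1 + x2 + ...) from public shares
    return X

def distributed_sign(nodes, msg):
    R = 1
    for n in nodes:
        R = R * n.commit() % P                 # round 1: combine nonce commitments
    e = challenge(R, joint_public_key(nodes), msg)
    s = sum(n.partial_sign(e) for n in nodes) % Q  # round 2: add partial signatures
    return R, s

def verify(X, msg, sig):
    R, s = sig
    return pow(G, s, P) == R * pow(X, challenge(R, X, msg), P) % P

if __name__ == "__main__":
    nodes = [Node() for _ in range(3)]
    msg = b"withdraw 1 ETH to 0xCONSTRUCTED"   # constructed sample message
    sig = distributed_sign(nodes, msg)
    print("valid:", verify(joint_public_key(nodes), msg, sig))
```

Each node only ever sends its commitment and its partial signature; compromising one node yields one share, not a key that can sign on its own.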
Many custodians are now moving away from cold storage and hot wallet architecture towards infrastructure based on MPC. MPC enables flexible and sophisticated governance policies, and resolves the compromise between security and accessibility that is fundamental to hot and cold wallets. This technology even has the potential to completely decentralize private keys. But most MPC vendors haven't yet taken advantage.
Instead, most MPC custodians still operate in a centralized way that requires customer trust. They typically control sensitive key material used in the signing process and store customer ledgers in a trusted database.
This not only makes them a trusted third party that may be subject to regulation as a custodian, but it also negates the supposed decentralized security of MPC nodes. Any hacker or malicious insider aiming to attack such an MPC vendor could simply compromise the centralized database and rewrite the ledger, changing ownership policies and invoking transactions at will.
To offer truly decentralized custody, Qredo has built a blockchain-based implementation of MPC.
Shares of the private key are contained in the MPC nodes. Nodes are distributed across security-hardened Tier 4 data centers of global financial hubs.
And instead of being driven by a centralized database, the distributed MPC nodes are driven by a blockchain. This provides an immutable record of asset ownership that cannot be tampered with. Each change to the custodial records, each ownership change, and each transaction must be confirmed by the blockchain validators. The resulting record is replicated by each node on the network and is impossible to change without authorization.
Without the single vulnerability of private keys, there is no need for cumbersome hardware or manual operations. Assets can be made instantly accessible at the touch of a finger or transactions can be automated through API.
Index Coop is a decentralized autonomous organization (DAO) that powers structured decentralized finance (DeFi) products and strategy tokens using smart contracts on the blockchain. We offer a suite of sector structured products, leverage and inverse products, and yield-generating products. We aim to create products that are simple to use, accessible to everyone and secure. Our products are built on Set Protocol, a twice-audited, self-custodial DeFi tool that allows for the creation and management of Ethereum-based (or ERC-20) tokens. Among users, partner protocols, and our composable products, Index Coop maintains one of the largest partnership networks in the DeFi ecosystem.
First, you’ll need to create an Ethereum wallet like Argent, MetaMask, Gemini, or Rainbow.
Next, you’ll set up your new wallet and connect your bank account.
You can also earn or buy DPI tokens directly via your favorite decentralized exchange.
Disclaimer: This content is for informational purposes only and is not legal, tax, investment, financial, or other advice. You should not take, or refrain from taking, any action based on any information contained herein, or any other information that we make available at any time, including blog posts, data, articles, links to third-party content, discord content, news feeds, tutorials, tweets, and videos. Before you make any financial, legal, technical, or other decisions, you should seek independent professional advice from a licensed and qualified individual in the area for which such advice would be appropriate. This information is not intended to be comprehensive or address all aspects of Index or its products. There is additional documentation on Index’s website about the functioning of Index Coop, and its ecosystem and community.
You shall not purchase or otherwise acquire any of our token products if you are: a citizen, resident (tax or otherwise), green card holder, incorporated in, owned or controlled by a person or entity in, located in, or have a registered office or principal place of business in the U.S. (a “U.S. Person”), or if you are a person in any jurisdiction in which such offer, sale, and/or purchase of any of our token products is unlawful, prohibited, or unauthorized (together with U.S. Person, a “Restricted Person”). The term “Restricted Person” includes, but is not limited to, any natural person residing in, or any firm, company, partnership, trust, corporation, entity, government, state or agency of a state, or any other incorporated or unincorporated body or association, association or partnership (whether or not having separate legal personality) that is established and/or lawfully existing under the laws of, a jurisdiction in which such offer, sale, and/or purchase of any of our token products is unlawful, prohibited, or unauthorized). You shall not resell or otherwise transfer any of our token products to any Restricted Person. The transfer or resale of any of our token products to any Restricted Person is not permitted. Click here to view the list of Tokens Restricted for Restricted Persons. You shall read the Terms of Service and use our Website in compliance with the Terms of Service.
Information is for educational and illustrative purposes only. The Index Cooperative is not engaged in the business of the offer, sale or trading of securities and does not provide legal, tax, or investment advice. Cryptocurrencies and other digital assets are speculative and involve a substantial degree of risk, including the risk of complete loss. There can be no assurance that any cryptocurrency, token, coin, or other crypto asset will be viable, liquid, or solvent. No Index Cooperative communication is intended to imply that any digital assets are low-risk or risk-free. The Index Cooperative works hard to provide accurate information on this website, but cannot guarantee all content is correct, complete, or updated.