Why Are Secure and Flexible Custodial Solutions Necessary for Exchanges and Banks?
Written by:
Reading Time:
~
6
min

When a digital exchange or bank chooses a custodial solution to safekeep digital assets for its clients, there are several critical aspects it should consider.

Without a doubt, security is at the top of the list. In 2019, a Fidelity Investments survey showed that 76% of institutions and business entities that consider entrusting their digital assets to a custodian pointed out security and safety as the most important factors.

However, securing digital assets presents a challenge of its own. For exchanges, it means adapting IT infrastructure designed for the Web 2.0 era to blockchain-based tokens. The inefficiency of this approach was shown through a long history of insolvent exchanges and hacking attacks that has led to $9.8 billion in losses since 2011.

For banks, on the other hand, dealing with digital assets is a whole new, iconoclastic world of Web 3.0, tokenized assets, cryptographic key management and specific cybersecurity practices.

Still, digital asset custody is much more than simply securing keys. One crucial aspect is often overlooked: flexibility. Key storage without robust speed, performance, governance and compliance is not sufficient. The ecosystem is evolving at incredible speed with a constant stream of new assets emerging and entering the market.

Any institution providing related services should be able to develop technical and operational flexibility to quickly and easily embrace new innovations. The white paper “Cracking Crypto Custody” published by KPMG, states the ability to “track emerging developments and develop the technical and operational agility to quickly embrace new innovations” as one of the key success factors for current and aspiring digital assets custodians.

At RIDDLE&CODE, we believe that exchanges and banks providing custody of digital assets should be equipped and backed up with both a secure and flexible solution. In this blog post, we will explain why.

WHY IS SECURITY A CRITICAL FACTOR WHEN IT COMES TO DIGITAL ASSET CUSTODY?

IT TAKES ONLY ONE KEY MISUSE TO COMPLETELY EMPTY A WALLET

With digital assets, the crucial information that has to be secured is the keys. While with traditional assets, keys, credentials and passwords protect the assets, with digital assets, the key is equal to the assets. Blockchain networks usually assume that digital assets are a form of bearer instrument, with the private keys controlling the ability to spend the assets (“unspent output”).

The key itself is very small. For example, in the case of bitcoin, it’s only 32-bit long, but it can contain extremely high values. Think about it: A 32-bit private key is the only thing standing between hundreds of millions of dollars in value (in some cases) and fraudsters. And it takes just one malicious key usage for someone to empty a wallet and get away with the funds. Undoubtedly, securing keys should be the number one priority for custodians.

CRYPTOASSETS HACK ATTACKS HAVE RESULTED IN $9.8 BILLION IN LOSSES SINCE 2011

Digital exchanges are particularly attractive targets for all kinds of malicious attacks. According to the Crypto Crime Report published by Chainalysis, hackers have breached 11 major crypto exchanges and stole more than $283 million worth of cryptocurrency in 2019 alone.

With $105 million reportedly stolen, crypto exchange CoinBene holds the infamous first spot. Although the exchange denied the attack, Chainalysis showed that the attackers withdrew funds from CoinBene’s hot wallet. The result was the theft of 109 different types of ERC-20 tokens.

And probably the most famous example that showed us that even the most prestigious platforms can be compromised is the hacking of Binance’s hot wallet. Attackers gained access to the hot wallet through a combination of phishing and viruses and stole around $40 million worth of bitcoin, two-factor user codes and API tokens.

THERE IS NO WAY BACK

When it comes to blockchain-based assets, the lack of ability to reverse transactions between two addresses due to the blockchain’s immutable nature is a very lucrative aspect for fraudsters.
In a nutshell, once the transaction has been executed, the blockchain technology itself prevents rolling it back. However, the problem of blockchain’s irreversibility goes beyond security. For instance, in the case of AML checks, transactions that are completed can’t be undone.

WHY SHOULDN’T FLEXIBILITY BE OVERLOOKED?

THE DIGITAL ASSETS ECOSYSTEM IS EVOLVING AT INCREDIBLE SPEED

At the moment, there are more than 1,500 types of digital assets on the market, while new assets continue to emerge.

Different types of assets have different types of code base and cryptography implementations. And that’s where problems arise. Supporting the different cryptographic algorithms requires (manual) customisation, which is impracticable, time-consuming, and expensive.

For this reason, a platform for digital assets custody should be comprehensive enough to support a broad range of assets while being extensible to support new assets in real-time and with as little customisation as possible.

CUSTODY PROVIDERS HAVE TO MEET THE NEEDS OF A WIDE RANGE OF CUSTOMERS

The expansion of digital assets has brought various entrants in the market, from single entities to large investors. Each of them has their own demands.

For example, some of them may want to include approval policies that match an organization’s governance and processes and require parameters such as time of day, asset value, asset type and even the zip code from which the transaction is initiated to be taken into account. Being able to customise operations and tailor them to specific scenarios and requirements is essential.

COMPLIANCE REQUIREMENTS ARE EVOLVING AND CHANGING

As regulations continue to evolve, regulatory bodies are increasing demands and calling for assets to be managed in segregated accounts with transparent governance and audit trails.

In addition, custodians have to improve their surveillance practices and be able to detect possible fraud and market manipulation. Consequences of noncompliance are severe.

In order to successfully respond to current and future regulatory requirements, a digital asset custody solution should have a flexible architecture to successfully integrate both existing and new policies.

MOST CUSTODIANS HAVE TO RELY ON FRAGMENTED SOLUTIONS TO KEEP THE BALANCE BETWEEN SECURITY AND FLEXIBILITY

To safekeep digital assets, custodians have to rely on so-called wallets.

Commercial wallets that are used for storing and securing digital assets can be divided into two basic categories: cold storage and hot (online) wallets.

Cold storage solutions successfully address some of the security flaws, yet they are unable to provide institutional-grade flexibility or allow their users to keep up with the necessary liquidity requirements.

On the other side, while hot (online) wallets provide the necessary speed and liquidity, they fall short when it comes to protection of assets, as evidenced by numerous security breaches.

As a result, custodians are forced to leverage co-wallet operational strategies in order to balance both requirements. In a co-wallet strategy, a small amount of funds (around 5%) is kept in centralized hot wallets to be available for trading, while most of the funds (around 95%) are placed in cold storage.
Unfortunately, this is still problematic and insufficient from both a security and operational standpoint.

Transferring assets in and out of cold storage comes with significant delays and brings in security risks (due to human error). For example, transfer of funds from cold storage to hot wallet can take anywhere from two hours to seven days and requires manual, cumbersome work. Custodians are bound to have less money in the hot wallets to reduce risk, and hence respond to customers’ sell-buy orders slower than the customers demand.

Most importantly, neither cold storage nor hot wallets can fulfill regulatory requirements such as providing segregated accounts for its customers, transparent governance and audit trails available on demand and in real-time.

As shown above, neither cold, hot nor a co-wallet solution can provide a complete digital asset custody solution.

CONCLUSION

At RIDDLE&CODE, we are dedicated to enabling current and aspiring custodians to embrace and govern digital assets in a secure, flexible and regulatory compliant manner.

By combining hardware and software with a set of innovative features and functionalities, our Digital Asset Custody is able to successfully fulfill any financial institution’s custody needs.

Our solution leverages proven, secure multiparty computation to ensure that keys never exist in a complete form, thus eliminating the most vulnerable vector in the majority of the attacks: single point of failure architecture.

Moreover, our solution is strengthened by a dedicated Policy Layer that enables custodians to define their own business roles and rules and govern operations in compliance with regulatory and business requirements.