The web is full of horror stories of people who got their cryptos stolen, or just misplaced the information necessary to access their holdings.
The challenge of custody remains, in my opinion, one of the biggest impediments to the mainstream adoption of Bitcoin.
On the other hand, several companies have been working on coming up with a solution for the custody challenge. Multisig solutions, in particular, have really taken the forefront in 2020, and I expect more innovations in 2021.
In an ideal world, everybody would self-custody their Bitcoin and cryptos, as this is the most censorship-resistant and secure way of custody, provided you know what you’re doing and can handle the responsibility that comes with it.
There are several leading self-custody hardware devices:
Ledger and Trezor are easier for those doing self-custody for the first time, while the Coldcard is a magnificent Bitcoin-only device that is used by those who want more security and are technical enough to be able to set it up. Blockstream Jade is a very new product from a very reputable company in the space.
Keep in mind that when you use one of these hardware wallets, you should also host your own full node for maximum privacy and security. Sadly, the number of Bitcoin nodes in the world is still low, as can be visualized here. At the time of writing, there are 11289 running nodes.
With nodes, there is the caveat that having your IP address associated with a node effectively broadcasts your deep interest in Bitcoin. Hackers or thieves might assume that you also hold some Bitcoin based on this interest, making you a more likely target. You can use Tor to anonymize your IP address when using a node to counter this risk.
Older and Discarded Options
More advanced options
Yeti is a script by JW Weatherman that installs Bitcoin Core and then walks the user through the setup of a cold storage solution. There are several advantages and some disadvantages listed on its GitHub repo page.
Here’s another thread that focuses on challenging the use of HWW:
— Robert Spigler 🔑 (@RobertSpigler) December 30, 2020
Collaborative custody is a newer form of custody service offered by two main companies, at the moment:
Under this model, the crypto funds are secured using multiple signatures. That means that any time the funds need to be moved, there will have to be multiple keys that sign off the transaction. The multiple keys might be held by multiple people or it could be the one owner of the assets having keys held in different geographical locations.
Casa and Unchained Capital, in turn, hold one of the keys, and they offer support in setting up the multisig system as well as ongoing support when needed. It is important to understand that these companies are not custodians: they only hold one of the multiple private keys and therefore cannot initiate any transactions unilaterally.
There are many benefits to this model, especially for those retail investors holding significant funds. Typically such investors don’t want to have the single point of failure issue that comes with storing private keys on a hardware wallet with a 24-word seed backup phrase.
They also want better security. With collaborative custody, it becomes very difficult for a physical attack on the crypto holder to result in the draining of his funds, because the keys are spread over multiple locations rather than held in one device.
Casa and Unchained Capital have different fee models, and I think Casa is best for those who have less technical knowledge, while Unchained is better for more advanced users who don’t fancy paying the monthly fees charged by Casa.
When it comes to disadvantages, in Casa’s case it would be the fact that they use a closed source app on your phone, so you don’t really know what the app is doing as you cannot inspect the code. There’s also the fact that they will be able to look at your balance and transactions as you need to use their server, just like you do when using a Ledger Nano, for example. However, in Ledger’s case, they have now provided a way to use a self-hosted node to eliminate this issue, as I mentioned earlier on. Casa’s monthly fee, while being core to their business model, is something that some users might not like. The alternative would be to invest more time and money up front in building your own system for cold-storage, but then have it be cost-free for the rest of your holding period, which for many people will be many years, so it would make sense to want to avoid paying monthly fees.
The disadvantage of Unchained Capital is that they only offer 2-of-3 multisig at the moment. I wouldn’t feel that comfortable using just 3 keys – I think Casa’s 3-of-5 option is much more secure especially for larger holdings of Bitcoin.
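The m-of-n trade-off discussed above, as an added example that is not from the original article: it computes, for a single key, 2-of-3 and 3-of-5, the chance that enough keys are compromised to move the funds and the chance that too many are lost to ever sign again. The 10% per-key probabilities, the independence assumption and the key layout are constructed for illustration.

```python
from math import comb

def at_least(k, n, p):
    """P[at least k of n independent events occur], each with probability p."""
    return sum(comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k, n + 1))

def quorum_risk(m, n, p_compromise, p_loss):
    """Return (theft, lockout) probabilities for an m-of-n multisig quorum.

    theft:   an attacker obtains at least m keys and can sign a transaction.
    lockout: more than n - m keys are lost, so no quorum can ever sign again.
    Assumes every key fails independently (keys kept in separate locations).
    """
    return at_least(m, n, p_compromise), at_least(n - m + 1, n, p_loss)

def can_move_funds(holders, m, parties):
    """True if the given parties together control at least m keys."""
    return sum(1 for party in holders.values() if party in parties) >= m

# Constructed 2-of-3 layout: the owner keeps two keys, the provider holds one.
HOLDERS_2_OF_3 = {"key1": "owner", "key2": "owner", "key3": "provider"}

if __name__ == "__main__":
    # Constructed per-key probabilities, chosen only to make the comparison visible.
    for m, n in [(1, 1), (2, 3), (3, 5)]:
        theft, lockout = quorum_risk(m, n, p_compromise=0.1, p_loss=0.1)
        print(f"{m}-of-{n}: theft={theft:.5f} lockout={lockout:.5f}")
    print("provider alone:", can_move_funds(HOLDERS_2_OF_3, 2, {"provider"}))
    print("owner alone:   ", can_move_funds(HOLDERS_2_OF_3, 2, {"owner"}))
```

The figures only hold if the keys really do fail independently; keys stored together, or backed up in the same place, behave like a single key.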
Here’s a good thread about multisig wallets:
IMO it's too early for most people to use multisig. Wait 6 months.
— 6102 (@6102bitcoin) January 3, 2021
When relying on a custodian, you are giving them your private keys to hold them securely for you in exchange for a monthly or yearly fee.
Some of the most trusted third-party custodians at the moment are:
- Gemini Custody
- Bitcoin Suisse Vault
- Coinbase Custody
- Fidelity Custody
- Knox Custody
- Kingdom Trust
- Genesis Custody
It’s also important to note that crypto custodians are typically targeting institutional clients with large holdings ($1m plus) of crypto assets, and are thus not suitable options for the average retail Bitcoin investor.
A few of them also offer insurance, although the terms can be pretty restrictive. It’s quite commonly pooled insurance rather than insurance on specific client accounts, so at the moment I view it as more of a marketing ploy and very basic coverage rather than something to rely on.
There are several risks that you are taking when you entrust a third-party custodian with your crypto assets:
- Hacking risk – Since the custodians are well-known, they are prime targets for hacking attempts. When we talk about hacking, it can either be via software attacks or via social engineering and infiltration into the organization in order to gain access to the security structure holding the custodian’s private keys. Since most funds are held in cold storage, this is arguably a more dangerous threat than the pure software play that has led to exchanges like Mt Gox losing millions in client funds in the past.
- Transparency risk – Unless there is a daily third-party audit, you never know whether the custodian is actually running a full reserve of the funds deposited. Moreover, funds are often commingled and in that case, there is a risk of loss in the case of insolvency.
- Compromised user accounts – If a client’s login is compromised, an attacker can make unauthorized transfers and drain the user’s account. There are measures to mitigate this risk, so I wouldn’t consider this a big risk, but it requires the user to exercise a degree of responsibility by properly storing their login details and using a secure form of 2FA.
- Censorship/frozen accounts – Just like in the traditional banking system, a government can ask the custodian to freeze your accounts. This action can also be performed by the custodian and they can cite a million reasons for doing so, just like banks do.
Ultimately, as the saying goes – not your keys, not your crypto.
For publicly traded companies and some types of private companies, using a custodian is currently the only practical route to holding Bitcoin and crypto, because there are many audit requirements that must be met, and the system is currently built on trusting third parties, just as no company keeps its treasury money locked up in a safe at its HQ but uses banks or brokers instead.
This is a good point to mention Ledger Vault, which is an innovative product that aims to bridge the gap between self-custody and third-party custodians. With this system, you retain self-custody but get the tools that companies need for compliance and access control. It also comes with a pooled insurance offering. I’ve seen several companies using this solution, including one of my favorite crypto borrowing and lending companies – YouHodler.
I am looking forward to more innovation in the space of crypto custody, but at the moment, it seems that the best options are quite clear.
Keep in mind that if you’re interested in earning a return on your cryptos, you’re most likely going to have to give up your private keys and trust a third-party lending platform like BlockFi. You can even earn a good return by staking cryptos like Polkadot or Ethereum on the main exchanges, such as Coinbase and Kraken.
For corporate treasury purposes, BitGo is a good option. If you’re building a crypto company and need to hold client funds, then you should look at all the other custodians I mentioned and take a special look at Ledger Vault if you really value self-custody.
- 10X Bitcoin Security Guide
- Econo alchemist – lots of great guides
- Keep it simple bitcoin – great custody guides
- Matt O’dell guide
- Bitcoin Backup overview
- No Bullshit Bitcoin – Telegram group
Smart Custody project
- List of HWW hacks to date
- Security – HWW vs offline laptops
What are your thoughts on Bitcoin and crypto custody? Let me know in the comments section.