Crypto custodians should learn from TradFi 

Right now, crypto platforms and custody services live in the shadow of a legacy of security failures — and it shouldn’t be that way

OPINION
Artwork by Crystal Le

In the fast-developing blockchain world, theory can become big-money practice in the blink of an eye. 

That’s what has happened in recent months with putting “real-world assets,” or RWAs, on blockchains. After floating around for years as an idea, mainstream players like BlackRock and HSBC are now tokenizing bonds, gold and more.

It’s exciting stuff, but there’s a serious problem: The crypto-native systems that would handle these tokens often fall short on cybersecurity.

I’ve worked in cybersecurity across crypto and traditional finance for two decades now, and the gap is unambiguous: Compared to the traditional finance and banking world, crypto firms are less likely to have rigorous risk control procedures. 

There’s a widespread lack of oversight, redundancy and resiliency among the firms and projects eager to use tokenized gold or Treasurys for swaps or collateral. 

And the main culprit is underinvestment. Based on available data and my own observations, crypto custodians may need to increase security spending by a factor of 10 to match the rigor of the major financial institutions tokenizing RWAs.  

A major long-term goal of RWA tokenization is to bring the efficiencies of blockchains' automated clearance and settlement to traditional assets, but that hinges on being able to trust what the blockchain says about who owns what. If tokenized RWAs are stolen through a hack of a third party such as a custodian, issuers like BlackRock could find themselves freezing or blacklisting the stolen tokens and re-issuing them to the "real" owners of the underlying assets.

In that scenario, RWA tokenization could amount to nothing more than extra paperwork and reputational risk — likely slowing or halting adoption of the technology just as it’s getting started. If you don’t want your protocol or platform to be the culprit in such an industry-damaging fumble, there are a few clear steps to take.  

Raising the security standards in tokenization

As a tokenization and custody security expert, I see no underlying reason that blockchain systems should be as vulnerable to exploitation and hacking as they've proven to be in practice. If anything, it should be the opposite: the consensus and cryptography of the major blockchains themselves have so far lived up to the promise of being extremely hard to attack.

Almost all "crypto hacks" are in fact attacks on the layers around the chain rather than on the chain itself: DeFi market manipulation, flaws in application code such as smart contracts and bridges, or key theft through social engineering, phishing and other off-chain vectors. Banks and traditional finance systems are also vulnerable to credential theft, but those organizations have built robust security practices and cultures that have become increasingly effective at keeping them safe.

There’s no reason crypto firms can’t do the same. But right now, crypto platforms and custody services live in the shadow of a legacy of security failures and weak assurance procedures. That includes custodians formerly considered top-tier within the industry, such as Prime Trust, which lost the keys to an active deposit wallet and, in turn, close to $80 million worth of crypto. 

Much like spotting one cockroach on your kitchen counter, Prime Trust’s blunder suggests a swarm of unseen problems hidden in the broader ecosystem. 

Beyond proof-of-reserves: Building a more secure framework for token custody

Some of the needed solutions to crypto’s security woes are technological and crypto-specific, while others are more generalized issues of process, training and culture.

Castle Island Ventures founder Nic Carter has championed the concept of proof-of-reserves (PoR) for centralized exchanges that custody customer assets: a way of making holdings transparent and verifiable to avoid another catastrophe like FTX. PoR remains an important starting point for responsible custodianship. (Disclosure: Castle Island is an investor in Halborn.)

But the Prime Trust case showed that keys can be carelessly lost, and keys can just as easily be stolen or copied and misused. Either scenario could undermine the results of a seemingly healthy PoR report, which attests to balances at a point in time, not to who can still move them. We can strengthen PoR by adding two further real-time, cryptographically verifiable proofs for custodians: proof-of-key-ownership and proof-of-key-exclusivity.

Proof-of-key-ownership is fairly simple in principle: for every account it claims to control, the custodian demonstrates that it can sign with the corresponding private key. The basic form is a signature over a fresh challenge chosen by the verifier, so that an old signature cannot be replayed; zero-knowledge proofs extend this so the custodian can show control of the keys without revealing which addresses are involved.

Proof-of-key-exclusivity requires more: the keys must be generated inside, and never leave, a hardware enclave such as a hardware security module (HSM), and the HSM must produce a cryptographic attestation that the key was created there and is marked non-exportable. That attestation is what rules out a second, unprotected copy of the key existing somewhere else.
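The two proofs above, as an added example that is not from the article, from Halborn or from any custodian's code: a constructed Go model in which the auditor's challenge-response establishes ownership and a signed attestation stands in for the HSM's own statement about a key. The Ed25519 keys, the challenge format, the `gen_in_hsm` and `exportable` flags and the attestation encoding are all assumptions made here for illustration; real HSMs emit vendor-specific attestation structures, and a verifier would check the device's certificate chain rather than a single trusted public key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// Constructed model, not a real custodian or HSM API. Assumptions: Ed25519
// keys, a verifier-issued one-time challenge, and an HSM attestation that is
// simply a signed record of (public key, flags).

// Challenge is chosen by the verifier, never the custodian, so an old
// signature cannot be replayed as a fresh proof.
type Challenge struct {
	Nonce    [32]byte
	Verifier string
	Issued   time.Time
}

func NewChallenge(verifier string, now time.Time) (Challenge, error) {
	c := Challenge{Verifier: verifier, Issued: now}
	_, err := rand.Read(c.Nonce[:])
	return c, err
}

// message binds nonce, verifier, time and key together, so a signature made
// for one auditor cannot be shown to another or reused later.
func (c Challenge) message(pub ed25519.PublicKey) []byte {
	h := sha256.New()
	h.Write([]byte("proof-of-key-ownership/v1\n"))
	h.Write(c.Nonce[:])
	h.Write([]byte(c.Verifier))
	h.Write([]byte(c.Issued.UTC().Format(time.RFC3339)))
	h.Write(pub)
	return h.Sum(nil)
}

// ProveOwnership is run by the custodian for every key it claims to control.
func ProveOwnership(priv ed25519.PrivateKey, c Challenge) []byte {
	return ed25519.Sign(priv, c.message(priv.Public().(ed25519.PublicKey)))
}

// VerifyOwnership is run by the auditor; maxAge rejects stale challenges.
func VerifyOwnership(pub ed25519.PublicKey, c Challenge, sig []byte, now time.Time, maxAge time.Duration) error {
	if now.Sub(c.Issued) > maxAge {
		return errors.New("challenge expired")
	}
	if !ed25519.Verify(pub, c.message(pub), sig) {
		return errors.New("signature does not verify for claimed key")
	}
	return nil
}

// Attestation models what an HSM emits when asked about one of its keys:
// the public half plus flags, signed by the device's attestation key.
type Attestation struct {
	Subject        ed25519.PublicKey
	GeneratedInHSM bool
	Exportable     bool
	Sig            []byte
}

func (a Attestation) body() []byte {
	return []byte(fmt.Sprintf("attest/v1 key=%x gen_in_hsm=%t exportable=%t",
		[]byte(a.Subject), a.GeneratedInHSM, a.Exportable))
}

// AttestKey stands in for the HSM; attestPriv would never leave the device.
func AttestKey(attestPriv ed25519.PrivateKey, subject ed25519.PublicKey, generatedInHSM, exportable bool) Attestation {
	a := Attestation{Subject: subject, GeneratedInHSM: generatedInHSM, Exportable: exportable}
	a.Sig = ed25519.Sign(attestPriv, a.body())
	return a
}

// VerifyExclusivity accepts only a key that a trusted HSM says it generated
// itself and will not export; an imported or exportable key may have an
// unprotected copy elsewhere, so exclusivity cannot be claimed for it.
func VerifyExclusivity(trustedHSM ed25519.PublicKey, a Attestation, claimed ed25519.PublicKey) error {
	switch {
	case !a.Subject.Equal(claimed):
		return errors.New("attestation is for a different key")
	case !ed25519.Verify(trustedHSM, a.body(), a.Sig):
		return errors.New("attestation not signed by trusted HSM")
	case !a.GeneratedInHSM:
		return errors.New("key was imported, not generated in the HSM")
	case a.Exportable:
		return errors.New("key is exportable, exclusivity cannot be claimed")
	}
	return nil
}

func main() {
	hsmPub, hsmPriv, _ := ed25519.GenerateKey(nil) // nil reader = crypto/rand
	pub, priv, _ := ed25519.GenerateKey(nil)
	now := time.Now()
	c, _ := NewChallenge("auditor-A", now)
	sig := ProveOwnership(priv, c)
	fmt.Println("ownership:", VerifyOwnership(pub, c, sig, now, time.Minute))
	fmt.Println("replayed a day later:", VerifyOwnership(pub, c, sig, now.Add(24*time.Hour), time.Minute))
	fmt.Println("HSM-born key:", VerifyExclusivity(hsmPub, AttestKey(hsmPriv, pub, true, false), pub))
	fmt.Println("imported key:", VerifyExclusivity(hsmPub, AttestKey(hsmPriv, pub, false, false), pub))
}
```

The design point is in what each verifier refuses: an ownership proof is only as good as the freshness and binding of the challenge, and an attestation is only as good as its flags, since a key the HSM merely imported, or will export on request, tells you nothing about whether another copy exists.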

Specific solutions like these, however, must be part of broader changes. Digital asset custodians must also adopt proven institutional standards for a formal, comprehensive and systematic approach to risk management. 

One approach widely used in legacy finance is known as the “three lines of defense” (or 3LOD) risk management model. The 3LOD model clarifies responsibility for assessment, mitigation and oversight. 

How does that work? The operational teams that run the custody platform (the first line) own their risks and implement the controls. A risk management and compliance function (the second line) sets those controls, monitors adherence and reports on it. An internal audit function (the third line), independent of the first two and reporting to the board or audit committee, tests whether the controls are actually in place and effective.

The three lines of defense model is often adopted progressively over time as a company goes from private operation towards an IPO, when the number of stakeholders and the degree of oversight ramps up. This is not unlike the situation the crypto-custody world as a whole finds itself in right now, as digital assets transition from the fringes of finance into the mainstream. 

Those hoping to be part of the RWA transition must be sure their practices are keeping pace — and the pace for cybersecurity is now being set, not by competing crypto firms, but by huge, legacy institutions. 

Money fixes everything: The financial backbone of safe crypto custody

There is a final inconvenient truth about crypto custody risk: The industry needs to be spending more to address it. Maybe a lot more.

We can make a rough comparison to spending by banks: McKinsey estimates that banks spend an average of 2.5% of their budgets on risk assessment and mitigation. A 2023 Deloitte report found that cybersecurity accounts for roughly 0.5% of the annual spend of financial institutions. 

Those might not sound like large numbers, but they’re skewed downwards by scale — the calculations include banks with tens or even hundreds of thousands of employees. Few if any crypto custodians come close to that size. Coinbase, the largest US crypto exchange and the main custodian for new bitcoin ETF products, has around 3,000 employees.  

In theory, that would mean a crypto firm the size of Coinbase should spend more than ten times the banks’ average proportion of its budget on risk and cybersecurity — on the order of 30% or more. Though such budgets are generally not public, that’s clearly not the reality across the industry right now. Congress and the SEC’s reluctance to regulate crypto means there are no clear standards for risk management, leaving the incentives fairly abstract — until one of the risks you didn’t see coming sneaks up and takes millions of dollars out of your pocket.

In fact, crypto firms may actually need to spend proportionally more on cybersecurity than traditional firms precisely because of the efficiencies the technology brings to other functions. Blockchain systems automate many functions that conventional banks have to dedicate staff to, but front-end cybersecurity and robust security practices remain just as labor-intensive as in any other sphere. 

Spending on risk management will grow naturally as custodial firms for crypto assets, including tokenized real-world assets, continue to expand. But the sudden surge in RWA interest may mean that right now is the time for aggressive investment. Being able to point to bank-quality risk management and cybersecurity practices could be key to doing business with titans like BlackRock as they seek trusted companions for their adventure into the relative wilderness of crypto.
