Crypto custodians should learn from TradFi

In the fast-developing blockchain world, theory can become big-money practice in the blink of an eye.

That’s what has happened in recent months with putting “real-world assets,” or RWAs, on blockchains. After floating around for years as an idea, mainstream players like BlackRock and HSBC are now tokenizing bonds, gold and more.

It’s exciting stuff, but there’s a serious problem: The crypto-native systems that would handle these tokens often fall short on cybersecurity.

I’ve worked in cybersecurity across crypto and traditional finance for two decades now, and the gap is unambiguous: Compared to the traditional finance and banking world, crypto firms are less likely to have rigorous risk control procedures.

There’s a widespread lack of oversight, redundancy and resiliency among the firms and projects eager to use tokenized gold or Treasurys for swaps or collateral.

And the main culprit is underinvestment. Based on available data and my own observations, crypto custodians may need to increase security spending by a factor of 10 to match the rigor of the major financial institutions tokenizing RWAs.

A major long-term goal of RWA tokenization is to bring the efficiencies of blockchains’ automated clearance and settlement abilities to traditional assets, but that hinges on being able to truly trust what a blockchain says. If tokenized RWAs are stolen as the result of a hack of a third party, issuers like BlackRock could find themselves censoring stolen tokens and re-issuing them to the “real” owners of the underlying assets.

In that scenario, RWA tokenization could amount to nothing more than extra paperwork and reputational risk — likely slowing or halting adoption of the technology just as it’s getting started. If you don’t want your protocol or platform to be the culprit in such an industry-damaging fumble, there are a few clear steps to take.

Raising the security standards in tokenization

As a tokenization and custody security expert, I see no underlying reason that blockchain systems should be as vulnerable to exploitation and hacking as they’ve proven to be in practice. In fact, it should be quite the opposite — blockchains themselves have lived up to the promise of being fundamentally unhackable.

Almost all “crypto hacks” are actually either DeFi market manipulation, exploits resulting from social engineering, phishing or other off-chain vectors. Banks and traditional finance systems are also vulnerable to credential theft, but those organizations have built robust security practices and cultures that have been increasingly effective at keeping them safe.

There’s no reason crypto firms can’t do the same. But right now, crypto platforms and custody services live in the shadow of a legacy of security failures and weak assurance procedures. That includes custodians formerly considered top-tier within the industry, such as Prime Trust, which lost the keys to an active deposit wallet and, in turn, close to $80 million worth of crypto.

Much like spotting one cockroach on your kitchen counter, Prime Trust’s blunder suggests a swarm of unseen problems hidden in the broader ecosystem.

Beyond proof-of-reserves: Building a more secure framework for token custody

Some of the needed solutions to crypto’s security woes are technological and crypto-specific, while others are more generalized issues of process, training and culture.

Castle Island Ventures Founder Nic Carter has championed the concept of proof-of-reserves for off-chain crypto exchanges — a way of making holdings fully transparent and verifiable to avoid another catastrophe like FTX. PoR remains an important starting point for responsible custodianship (Disclosure: Castle Island is an investor in Halborn).

But in the Prime Trust case, we saw that crypto keys can be carelessly lost, and keys can also obviously be stolen and misused. Both scenarios could undermine the results of a seemingly healthy PoR report. We can strengthen PoR by adding two more real-time cryptographically verifiable proofs for custodians: proof-of-key-ownership, and proof-of-key-exclusivity.

Read more from our opinion section: Proof-of-reserves never cut it — and never will

Proof-of-key-ownership is fairly simple: using zero-knowledge proofs to affirm that an entity holds the private keys to all the accounts it claims to control.

Proof-of-key-exclusivity requires more steps, involving the generation and sequestration of keys within a hardware enclave, such as a hardware security module (HSM) and the cryptographic proof of that protection.

Specific solutions like these, however, must be part of broader changes. Digital asset custodians must also adopt proven institutional standards for a formal, comprehensive and systematic approach to risk management.

One approach widely used in legacy finance is known as the “three lines of defense” (or 3LOD) risk management model. The 3LOD model clarifies responsibility for assessment, mitigation and oversight.

How does that work? Front-line workers (first line) would implement security practices established and monitored by a risk management and compliance team (second line). An internal oversight or audit team then makes sure those practices are fully implemented and effective.

The three lines of defense model is often adopted progressively over time as a company goes from private operation towards an IPO, when the number of stakeholders and the degree of oversight ramps up. This is not unlike the situation the crypto-custody world as a whole finds itself in right now, as digital assets transition from the fringes of finance into the mainstream.

Those hoping to be part of the RWA transition must be sure their practices are keeping pace — and the pace for cybersecurity is now being set, not by competing crypto firms, but by huge, legacy institutions.

Money fixes everything: The financial backbone of safe crypto custody

There is a final inconvenient truth about crypto custody risk: The industry needs to be spending more to address it. Maybe a lot more.

We can make a rough comparison to spending by banks: McKinsey estimates that banks spend an average of 2.5% of their budgets on risk assessment and mitigation. A 2023 Deloitte report found that cybersecurity accounts for roughly 0.5% of the annual spend of financial institutions.

Those might not sound like large numbers, but they’re skewed downwards by scale — the calculations include banks with tens or even hundreds of thousands of employees. Few if any crypto custodians come close to that size. Coinbase, the largest US crypto exchange and the main custodian for new bitcoin ETF products, has around 3,000 employees.

In theory, that would mean a crypto firm the size of Coinbase should spend more than ten times the banks’ average proportion of its budget on risk and cybersecurity — on the order of 30% or more. Though such budgets are generally not public, that’s clearly not the reality across the industry right now. Congress and the SEC’s reluctance to regulate crypto means there are no clear standards for risk management, leaving the incentives fairly abstract — until one of the risks you didn’t see coming sneaks up and takes millions of dollars out of your pocket.

In fact, crypto firms may actually need to spend proportionally more on cybersecurity than traditional firms precisely because of the efficiencies the technology brings to other functions. Blockchain systems automate many functions that conventional banks have to dedicate staff to, but front-end cybersecurity and robust security practices remain just as labor-intensive as in any other sphere.

Spending on risk management will grow naturally as custodial firms for crypto assets, including tokenized real-world assets, continue to expand. But the sudden surge in RWA interest may mean that right now is the time for aggressive investment. Being able to point to bank-quality risk management and cybersecurity practices could be key to doing business with titans like BlackRock as they seek trusted companions for their adventure into the relative wilderness of crypto.

David Schwed serves as the Chief Operating Officer at Halborn, an elite blockchain security firm. Prior to Halborn, he was the Global Head of Digital Assets Technology at BNY Mellon, the world’s biggest custodian bank, where he integrated the IT strategy for the company’s digital asset services. David was also CISO for Galaxy Digital, where he led the development of information security and IT infrastructure, and served as a risk committee advisor, evaluating emerging threats in financial services. He also founded the Cybersecurity Master’s Program at Yeshiva University’s Katz School of Science and Health, sharing his expertise as a practitioner-in-residence.

Start your day with top crypto insights from David Canellis and Katherine Ross. Subscribe to the Empire newsletter.

Explore the growing intersection between crypto, macroeconomics, policy and finance with Ben Strack, Casey Wagner and Felix Jauvin. Subscribe to the On the Margin newsletter.

The Lightspeed newsletter is all things Solana, in your inbox, every day. Subscribe to daily Solana news from Jack Kubinec and Jeff Albus.