Bold new era: crypto’s evolution to superior asset custody 

The evolution of crypto asset custody is an urgent matter—one needing rigorous, audited controls and new-era key management to rebuild trust


thinkhubstudio/Shutterstock modified by Blockworks


Following the 2022 crypto market crash, concerns around counterparty risk have risen to the forefront of the crypto risk management conversation, and will be one of the primary drivers in shaping the future of custody during the remainder of 2023 and beyond.

As this future becomes a reality and the regulatory framework surrounding custody becomes much clearer, anything deemed operationally insensible or inappropriate will face intense scrutiny. The crypto ways of old that FTX employed—storing assets in single-key wallets on a cloud server, a lack of a cybersecurity team, and the absence of systemized key management—will be entirely unacceptable to customers and regulators.

“I recall going through one of the FTX websites trying to figure out their custody, trying to understand their underlying custody system. I’d read of their fast withdrawal times for large transactions while seemingly maintaining the storage of the majority of assets in secure custody. How did they do this? I couldn’t figure it out. Of course, the answer was that FTX operated in a way that is the polar opposite to the way Bullish operates.”

Mick Horgan, head of custody at Bullish

As the adoption of digital assets continues to grow with 2022’s debacles in the rear-view mirror, how third-party digital asset custodians secure their funds will attract greater scrutiny than ever before—both from crypto participants and the regulators who aim to establish new, safer standards for the crypto industry. 

Essential to this evolution is the widespread implementation of multi-layer custodial systems built upon two foundational pillars: key management and rigorous, audited controls. Doing so will elevate the minimum acceptable level of security for asset custodians, and in turn, greatly contribute to the growth of crypto by reestablishing and growing institutional trust while preventing new black swan events, like sudden exchange collapses, from occurring.

Keys must be an obsession

Arguably, nothing is more important to crypto industry participation than the safe custody of assets, so why haven’t third-party custodians been held to a higher key management standard? In the case of FTX, when the firm did finally implement a multi-signature wallet, they stored all three keys in the same online location—defeating the purpose of a multi-signature wallet. 

“This is the equivalent of purchasing a secure high-grade vault, loading all your valuables into it, and then walking away leaving the vault door wide open.” – [Mick Horgan, head of custody at Bullish]

In moving forward as a wiser, stronger industry, prioritizing key management in a multi-layer custodial system is the clear benchmark for third-party custodians to reach. The following are key features that all custodians should implement, as recommended by Bullish.

Distribute private key storage

To ensure there isn’t one single point of failure that creates a catastrophic event if breached, private keys should never be stored in just one place. Instead, they should be isolated from one another and stored offline. 

In a well-designed multi-layer custodial system, a custodian’s key distribution would operate using a combination of cold, warm, and hot wallets to facilitate transfers while minimizing the risk of loss or theft. Under best practices, the majority of assets would be secured in wallets with keys secured offline.

Bullish’s wallet architecture | Source: Bullish

Enact hardware, software, and operational safeguards

Essential to key management is the establishment of safeguards across each level of the custodial system. Once in place, they provide institutions and individual crypto participants alike the confidence needed to engage in third-party custodian options. Here are some best practices to implement:

Hardware Safeguards

  • Keep all offline private keys isolated from one another and stored on secure storage devices.
  • Store online keys in secure modules on shielded cloud servers.
  • Ensure that cold custody is effectively used by storing a majority of held digital assets offline in cold wallets. 

Software Safeguards

  • All custody software components and operating systems should be cryptographically signed.
  • Signing processes should be distributed across independent actors via multi-signature wallets for collusion resistance.
  • Utilize blockchain-based oracles to verify the provenance of custody actions and stop man-in-the-middle (MITM) attacks.

Operational Safeguards

  • Protocols govern which wallets interact with one another, what keys are required to sign a transaction, and the limits to transaction size and velocity.
  • Asset custodians can implement disaster recovery systems that enable the backing up of keys, meaning all is not lost in a worst-case scenario. The key backups can be stored at remote locations in secure facilities around the world, ensuring maximum security.

World-class controls, or nothing

Everyone, whether an institution or individual, who has taken on the journey of discovering crypto has arrived at the question: “So if I lose my keys, that’s it…it’s all gone?”

This is a primary weed-out moment for the crypto industry today, where people either decide to bank on themselves or turn away due to the fear of losing their keys and its implications. The majority of institutions have no interest in managing their keys, but they care deeply about how their chosen custodians manage them on their behalf; adequate trust is make-or-break regarding their onboarding to crypto.

“The FTX failure reinforces the importance of custody. Custody, which at its simplest level is about the securing of keys, can only be truly effective with strong internal controls, thorough record-keeping procedures, and an obsession about the security of customers’ assets.”

Mick Horgan, head of custody at Bullish

Establishing rigorous, audited controls is essential in getting institutions over the hump by instilling confidence in third-party custodians. These controls can come in a variety of forms, each serving as a vital piece that contributes to forming a comprehensive security system.

Internal Controls

Internal controls help to safeguard customer assets; if properly enacted, they should detect,  prevent, and limit any problems with customer wallets that could arise. The following are controls that Bullish implements internally, setting a clear example for other firms to follow:

Segregation of duties – Duties like key generation, storage, and transaction approvals should be segregated to reduce the risk of fraud and theft stemming from collusion.

Wallet and disaster recovery – Firms should implement controls to recover wallets safely and securely at all times due to any loss of access to keys.

Private key management – The majority of assets should be stored offline in multi-signature cold storage wallets to mitigate the risks of online attacks. 

Risk assessment and management – Firms should continuously carry out security assessments and critical scenario analyses.

Segregation of assets – Customers’ funds must be segregated from company assets, ensuring that no co-mingling on any account or blockchain address ever occurs.

Monitoring – Real-time monitoring of wallets/transactions and reconciliation of all wallets and accounts should be enacted. In a best-case scenario, a dedicated cybersecurity team would take the lead in this control.

Access controls – Over 80% of security breaches are password-related, so in an industry plagued by cyberattacks and scams, passwords are no longer sufficient protection. Strict access controls and multi-factor authentication should be in place for access to all privileged systems.

Employees – Intensive security training programs should be implemented by a cybersecurity team to ensure each level of the firm is protected by contributors.

All internal controls and security policies should be regularly reviewed and audited by external auditors—this is the foundation of external controls.

External Controls

To complement internal controls and better appease institutions, third-party crypto custodians need to elevate auditing to, at the very least, the standards of traditional finance (TradFi). To do so, each custodian will need to implement regular, independent audits that are conducted by qualified auditors, such as the Big Four accounting firms

These audits should assess the custodian’s internal controls and overall security, ensure that customer assets are segregated from custodian assets, and analyze the custodian’s solvency by completing a proof-of-reserves audit.

Charting a secure future in crypto

For the crypto industry to continue its ascent to worldwide adoption, shortcomings of the past must remain exactly that, especially when it comes to crypto custody. If there’s one thing to take away from FTX, it’s this: crypto can not fully rely on governments, auditors, and regulators to protect its participants. Ultimately, it is up to each participating institution and individual to do their part in holding asset custodians accountable. If everyone plays their role, the industry will elevate to a new standard and become a global financial leader in transparency, risk management, and security.

For a preview of what’s coming next for the industry, look no further than Bullish. At the forefront of this movement, the firm is a reputable institutional exchange with leading industry security and velocity. It is a full reserve exchange audited by a Big 4 accounting firm, with a 1:1 reserve ratio firmly in place.

To learn how Bullish can provide peace of mind while maintaining custody of your institution’s assets, visit their website and follow them on X or LinkedIn.

This content is sponsored by Bullish

Don’t miss the next big story – join our free daily newsletter.


Upcoming Events

Hilton Metropole | 225 Edgware Rd, London

Mon - Wed, March 18 - 20, 2024

Crypto’s premier institutional conference returns to London in March 2024. The DAS: London Experience: Attend expert-led panel discussions and fireside chats Hear the latest developments regarding the crypto and digital asset regulatory environment directly from policymakers and experts.

Salt Lake City, UT

WED - FRI, OCTOBER 9 - 11, 2024

Pack your bags, anon — we’re heading west! Join us in the beautiful Salt Lake City for the third installment of Permissionless. Come for the alpha, stay for the fresh air. Permissionless III promises unforgettable panels, killer networking opportunities, and mountains […]

recent research

Research report - cover graphics (1).jpg


In this report, we dive into crypto private market data to gather insights on where the future of the industry is headed. Despite a notable downturn in private raises, capital continues to infuse promising projects that aim to transform payments, banking, consumer experiences, community, and more, with 2023 being the fourth-largest year for crypto venture capital.


BUZZ holds shares of Coinbase, Robinhood and MicroStrategy


Opinion: Even though I didn’t pay for my “Diamond Hands” burger with BTC, don’t let that fool you into thinking that crypto’s development is futile


The results mark “a major positive inflection point,” one analyst says, as the exchange carries net income momentum into a crypto rally


While the slate of 10 US spot bitcoin funds have tallied $4.6 billion of net inflows thus far, half of the field is lagging the leaders


Trading volumes totalled $154 billion in Q4, including $125 billion in institutional volume


DeFi on Bitcoin is all the rage right now and Stacks is positioned to benefit