Securing Digital Asset Custody in Web3

The concept of secure custody originated long before the blockchain. In traditional finance (TradFi), financial institutions maintain custody of a wide variety of customer assets and data. In this space, assets are largely static, and recovery may be possible in the event of a loss or theft. Since custody has been around for a long time, best practices and controls have been developed to manage the risks of this model.

In Web3, custody differs significantly from the traditional model. The nature of the blockchain and smart contracts that implement digital assets introduces new custody challenges and raises the stakes associated with a successful theft.

In Web3, options range from self-custody to entrusting assets to a third-party custody provider. These could be Web3 companies or TradFi institutions that are planning to move into the Web3 custody space, as Citi plans to do. However, all of these options involve security risks and challenges that organizations must overcome.

Web3 custody operates in a different paradigm from Web2. In this space, assets are implemented as tokens that are held and transferred on the blockchain. This is made possible by smart contracts that run on-chain and dramatically expand the potential capabilities of the assets under custody.

The differences between Web2 and Web3 infrastructure and the assets that they hold mean that Web3 custodians must manage unique threats that don’t exist in the Web2 space. At the same time, they still face the potential threat of theft, which is the most significant risk in TradFi custody.

In Web3, account security and secure custody depend on the security of a private key. Blockchain transactions are digitally signed, meaning that anyone who can access a private key and generate a valid digital signature can perform transactions on behalf of a blockchain account.

To establish secure custody, organizations must implement technical controls and processes to secure private keys against both internal and external risks. Potential risks include compromised keys, lost private keys, or malicious actions by parties with the authority to access and use these keys.

Traditionally, most assets that a financial institution held in custody were static. Fiat currencies, stocks, bonds, and other assets don’t do anything other than prove ownership of an asset with a certain value. As a result, the main threat that financial institutions had to protect against was the potential theft of the asset.

Web3 introduces another level of risk since tokens are implemented via smart contracts and are programmable. This means that the range of actions that the owner of a token can perform is much wider, expanding the potential risks associated with unauthorized access. Web3 custodians not only need to worry about theft but also misuse or abuse of the capabilities associated with the assets in their care.

To support their dynamic assets, Web3 ecosystems have a large and complex infrastructure stack. Tokens are implemented via smart contracts, which are hosted on a blockchain. They may also be interconnected with contracts on other chains and TradFi off-chain infrastructure.

This creates a significant attack surface for custody providers to manage, and the nature of the blockchain and smart contracts introduces limitations and other challenges. For example, the full transparency of smart contract code complicates deploying security controls like multi-factor authentication (MFA) on-chain, and smart contract determinism limits the data that a contract can access without relying on an external oracle (which can introduce additional security and centralization risks).

In the TradFi industry, many thefts are reversible to a certain extent. If money is stolen, a filed claim might result in the transaction being reversed. Physical assets, if stolen, may be insured or retrieved by law enforcement.

In the Web3 space, blockchain immutability significantly complicates custody and raises the stakes associated with a successful attack. Since transactions are irreversible on-chain, a successful theft is permanent unless assets are returned by the account to which they were sent after the theft. As a result, prevention becomes more important than ever for security, since a successful theft carries heavy costs either for the target, its users, or its insurance provider.

Historically, many of the biggest hacks in the DeFi space have involved social engineering rather than technical exploitation. Tricking someone into approving a malicious transaction or handing over a critical password or private key is often easier than exploiting a smart contract or breaking into a secure system.

Like other industries, secure custody providers in the Web3 space need to set up protections against social engineering and other trickery. However, the immutability of blockchain transactions raises the stakes of mistakes since a single error is sufficient to cause significant, permanent losses.

TradFi is a heavily regulated industry, meaning that traditional custody providers may labor under significant restrictions but are still aware of the rules of the road. Best practices are defined and codified, making it possible for organizations to implement due care and security.

In the Web3 space, the regulatory landscape is much more fragmented and unclear. Blockchains are global systems, but regulators in various jurisdictions have taken various approaches to the technology. As a result, custody providers may struggle to understand their responsibilities or reconcile them with the diverse and potentially conflicting requirements of the various jurisdictions where they provide services.

Secure custody in Web3 is a combination of policies and technical controls. While a custody provider must have compliant and secure processes in place, it also needs to be able to enforce these policies.

Designing and implementing effective controls requires an understanding of the complete technological landscape where Web3 custody providers operate. In addition to understanding smart contract security, custody providers must also have processes and controls in place to secure TradFi infrastructure, private key security, business processes, and more.

Halborn offers a range of Web2 and Web3 security testing and advisory services designed to help custody providers ensure the security of the assets in their care. To learn more about how Halborn can help your organization, get in touch.