The Crypto Hedge Fund Self-Custody Problem
A short note on why on exchange crypto assets are insecure
Cryptocurrency fund custodians
A cryptocurrency custodian is a specialized financial institution responsible for safeguarding a firm’s or individual’s cryptocurrency assets. If a firm is only going to hold and not trade crypto assets then it doesn’t need a very sophisticated custody solution. However hedge funds that plan on trading crypto assets on multiple exchanges, require a different and more sophisticated custody solution.
The current hedge fund custody situation
The current trend amongst crypto hedge funds is to appoint a custodian and self-custody the crypto assets that are sent to exchanges.
The self-custody arises because the investment managers of the hedge funds open the exchange accounts on which the fund is going to trade, which means the investment managers have access to the exchange account security credentials. When cryptocurrency is transferred to the exchange for trading or margin, it goes out of control of the custodian and the investment manager is effectively self-custodying the funds.
The problem with self custody
There are three main problems with self-custody
First, it won’t pass the operational due diligence of sophisticated capital allocators whom the crypto industry needs to invest, support and validate the sector. Self-custody is a shirking of a manager’s fiduciary responsibility to its clients.
Secondly it puts the investors at risk of having their assets stolen by a dishonest investment manager. A manager who controls exchange credentials can just add their blockchain address to an exchange account and send themselves the AUM. Think of Madoff, self-custody is like self-administration except the manager can steal all the AUM sent to the exchanges.
Thirdly it puts the manager at risk of murder, violent home invasion and extortion by criminals trying to steal the fund’s crypto assets. There have been enough instances of this to cause self-custodying hedge fund managers sleepless nights. A manager of any fund trading crypto assets should be able to tell a would be attacker that there is no way to transfer the crypto outside the boundaries of a fund. It can only do this if it has an independent custodian that is at all times in control of the crypto assets.
Exchanges : The weak link in institutional custody
Currently many custodians are calling themselves “institutional” custodians. However there are many flavors of institutional custody: If all an institution wants is to go long crypto, then there are many custodians in the USA and Switzerland that will shard keys and store them securely. But if an institution wants to trade on various exchanges or invest in a fund that does, then the fund needs to move crypto assets to an exchange so locking the fund’s private keys away is not possible.
The vulnerability of the funds on the exchange stems from the custodian’s lack of control of the funds on the exchange. No custodians currently set up exchange accounts on behalf of hedge funds. This is currently done by the investment managers which means they then control the exchange security credentials. The exchange credentials can be used to make money transfers from the exchange without the custodian’s knowledge or approval.
Even if the manager were to set up for multi signature approvals for crypto movements (assuming the exchanges support this) the manager controls the account and so can remove the signatures later.
Prime Brokerage for crypto
Although the crypto world is different from the fiat one, there are many parallels between the fiat and the crypto world so when looking at crypto issues it often helps to think of the fiat solution. In the fiat world, hedge funds who trade on exchanges don’t have to open accounts on all the exchanges on which they want to trade. Usually they will appoint a prime broker (PB) or a futures clearer who will open exchange accounts on their behalf. The KYC/AML is done once by the PB and the exchanges either use this KYC or trust in the PB.
The problem with crypto brokers is that they add expense and introduce another level of intermediation.
What is currently missing from “institutional” custody solutions?
1) Exchange credentials should be held by the custodian.
2) Transfers from exchange to fund should be made by the custodian.
In order to control the safety of the assets held by a fund the custodian should be responsible for their movement both to and from exchanges. To do this the custodian should control the exchange credentials and move money from the exchanges back to the fund’s secure storage.
The exchange credentials (log on info, any 2FA) are important as they give access to the exchange account where security measures, such as whitelisted addresses, are setup and can be used to generate API keys to make crypto transfers. The exchange credentials are set up when the fund’s account is opened on the exchange.
Possible solutions to self-custody
A. The crypto custodian broker hybrid
One currently available solution is the crypto-custodian-broker hybrid which resembles a fiat prime broker (i.e. MS or Goldman). In this case the crypto hybrid implements a safe custody solution and opens accounts in its name on several exchanges. When funds want to trade they call the crypto hybrid. The crypto is always under the control of the hybrid.
The disadvantages of this model are that:
1) It’s expensive with some hybrids charging a 1% of volume fee and an additional 50bps custody fee;
2) The fund is limited to trading on the exchanges on which the hybrid has accounts;
3) The hybrids won’t let the managers use their API keys to trade, which rules out certain strategies and will hurt slippage (unless the hybrids have written sophisticated trading algorithms).
This solution doesn’t protect the fund from exchange hacks or exchanges socializing losses as the hybrid will pass on any losses to the fund. This approach means that institutional investor will be paying higher fees and trading with less flexibility than retail investors so it is unlikely to gain wide acceptance. Since when did wholesalers pay more than retail?
B. Digital Asset Receipts
The safest and simplest solution is a Digital Asset Receipt (DAR) AKA token on token. In this solution the fund sends fiat or crypto to the custodian who safely stores it. When the manager wants to trade on an exchange the custodian sends a DAR instead of crypto to the exchange.
The DAR is essentially and IOU that says that the fund is good for the crypto amount and the custodian has reserved it (meaning the manager can’t move it anywhere). When the manager want to take funds off the exchange the DAR custodian checks that that’s OK with the exchange and changes the amount of the DAR on the exchange. If the exchange is hacked, all the hacker will find is an IOU that the custodian can refuse to honor. The DAR is a token on a private blockchain. Inter exchange transfers can also be made very quickly. This approach also simplifies the running of exchanges as they no longer have to custody crypto so reducing the hacking risk. The only problem with this solution is that it isn’t here yet. Koine (koinefinance.com) are currently implementing this and expect to have several major exchanges signed up in Q1 2019.
C. Account opening by trusted third parties
In theory a trusted third party employed by the fund such as a director, administrator, auditor or custodian could open the exchange accounts. After all administrators often open fiat bank accounts for funds, why not exchange accounts?
Unfortunately most of these third parties are unwilling to go through the process of opening accounts in the name of the fund. A few years ago opening exchange accounts only required an email address, now the exchanges ask for extensive KYC and AML documentation.
An additional complication is that the exchange security credentials need to be kept as safe as crypto private keys as access to the exchange account enables moving funds.
Until a reasonably priced, safe end-to-end custody solution exists, self-custody is not viable for institutions investing in hedge funds.
There are currently no truly independent institutional custody solutions for hedge funds that trade on exchanges.
Although Nickel wouldn’t implement this solution itself , it is actively searching for and encouraging it .