Understanding the Current Landscape of Digital Asset Wallets — Hot, Cold, Warm
Private keys are frequently a single point of failure in the world of digital assets. First-generation security solutions feature a range of designs to address this issue, and while some schemes are better than others, nearly all of them force a painful tradeoff between security and speed of asset availability. At Curv, we’re confident the future will look very different — institutions managing digital assets will enjoy the best of both worlds. For now, let’s explore the three common wallet schemes — cold, hot, and warm — that many exchanges, OTC desks, asset managers, and custodians employ in some combination to protect their private keys.
A cold wallet is any air-gapped (i.e. not internet-connected) device that stores private keys. To date, the digital asset market has been educated to associate cold wallets with maximum security. And while it is true that an air-gapped device stored in a protected environment should minimize the risk of private key compromise via adversarial (not insider) attacks, cold wallets necessarily force a latency problem for on-chain transaction settlement.
Given this challenge, the most appropriate use case for cold wallets is long-term holding, rather than scenarios that require frequent transactions. Entities holding large amounts of digital assets, like exchanges, try to maximize the portion of their assets they keep in cold storage and ideally seek to rebalance between hot and cold wallets as infrequently as possible, keeping the minimum balance in hot wallets to meet near-term liquidity needs and regulatory requirements.
The most advanced cold wallet offerings feature distributed models where keys are stored in multiple locations around the world, further minimizing risk of key compromise for any given client. But even the best cold wallet schemes encounter difficulties with transaction latency, scalability, and protocol dependence.
The latency issue stems from the need for humans to engage with physical devices. To coordinate transactions that rebalance funds from a cold to a hot environment for on-chain execution, for example, a “trusted” human — i.e. an employee at a third party — must engage with that device. In a distributed model, many humans must engage — making the scalability challenge more pronounced. The more distributed devices there are in a scheme, the more humans are involved and the more likely a latency obstacle (and increased operational risk) becomes.
Brian Armstrong of Coinbase recently wrote about how cold wallets can still support most liquidity needs, and while this is true to a degree, there is no way around delayed on-chain settlement with this scheme. A cold wallet model will not work for clients with low latency needs, such as high frequency traders. But even those who are willing to wait for delayed settlement still potentially lose via slippage risk. A booked OTC trade of assets in a cold wallet environment is simply trading security risk for market risk — and that risk will likely be reflected in the spread on the transaction. Whether it is the client or the exchange, somebody pays for this risk. And of course — the more volatile the market, the greater the risk.
Finally, cold wallets are less equipped than hot wallets to handle upgrades, forks, and new protocols. Deploying upgrades requires engaging with offline devices and in some cases requires provisioning new hardware altogether for new types of protocols. As the universe of digital assets continues to evolve, the ability to quickly update supporting wallet infrastructure is critical.
Hot wallets store private keys for transaction signing in internet-connected environments so that transactions can be broadcast to a public blockchain network. They are typically deployed as a software application.
We touched on the challenges of hot wallets a bit in the cold wallet explanation. Essentially, hot wallets are as vulnerable as the IT networks they reside in, so entities using them will be susceptible to the full range of traditional attacks on enterprise IT environments. Hot wallets at large exchanges and custodians of digital assets are particularly ripe targets because they represent pooled risk that bad actors can exploit: large AUM and frequent on-chain transaction execution that requires private key signing in most existing schemes.
Of course, the business case for hot wallets is clear: clients need hot wallets so they can access public blockchains and market liquidity; exchanges, prime brokers, algorithmic traders, and custodians need them to service their clients and make money.
Ultimately, hot wallets are an unfortunate necessity in their current form. The graveyard of attacks on them is vast and growing. As hot wallets improve and no longer require private key assembly to sign transactions, they will play an increasingly important role in the digital asset market. Today, the vast majority are not there yet.
Warm wallets are similar to hot wallets as they are deployed on an internet-connected endpoint and are used to manage liquidity. But they differ slightly in that they provide an additional layer of security and are designed for more limited use cases.
In some schemes, warm wallets have strict whitelist permissions, e.g. they will only send funds to hot wallets that are known to be within the user’s control. For example, in a three-wallet (hot, cold, warm) scheme where the cold wallet is designed only to receive deposits for long-term storage, a warm wallet could be configured to receive funds from the cold wallet and then only be able to send outgoing transactions to the known hot wallet that is designated for short-term storage. Warm wallets are usually disconnected from the application server, which reduces their cyber-attack surface.
While warm wallets can provide additional security in certain situations, their very existence is a testament to the shortcomings of today’s cold and hot wallet designs, and they should not exist in the long term.
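The whitelist rule for the three-wallet scheme described above can be expressed as a default-deny destination check. This is an added example, not code from Curv or from the original article; the addresses, the `Wallet` class, the `authorize` and `review` functions, and the choice to leave hot-wallet destinations unrestricted are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed placeholder addresses (not real chain addresses).
COLD, WARM, HOT = "addr-cold-0001", "addr-warm-0001", "addr-hot-0001"
EXTERNAL = "addr-external-9999"

@dataclass(frozen=True)
class Wallet:
    tier: str                                  # "cold", "warm" or "hot"
    allowed_destinations: frozenset = frozenset()

# Assumed policy: cold may only fund the warm wallet, warm may only fund
# the designated hot wallet, hot pays external parties.
WALLETS = {
    COLD: Wallet("cold", frozenset({WARM})),
    WARM: Wallet("warm", frozenset({HOT})),
    HOT: Wallet("hot"),
}

def authorize(source, destination, wallets=WALLETS):
    """Return (allowed, reason) for one outgoing transfer request."""
    wallet = wallets.get(source)
    if wallet is None:
        return False, "unknown source wallet"  # default deny
    if wallet.tier == "hot":
        return True, "hot wallet: destination not restricted by this policy"
    if destination in wallet.allowed_destinations:  # exact match only
        return True, f"{wallet.tier} wallet -> allowlisted destination"
    return False, f"{wallet.tier} wallet may not send to {destination}"

def review(requests, wallets=WALLETS):
    """Split requests into approved and denied; denied ones feed alerting."""
    approved, denied = [], []
    for source, destination in requests:
        ok, reason = authorize(source, destination, wallets)
        (approved if ok else denied).append((source, destination, reason))
    return approved, denied

if __name__ == "__main__":
    # Constructed sample requests.
    sample = [(COLD, WARM), (WARM, HOT), (WARM, EXTERNAL),
              (COLD, HOT), ("addr-unknown", HOT), (HOT, EXTERNAL)]
    approved, denied = review(sample)
    for row in denied:
        print("DENIED", row)
```

A denied request from a warm or cold wallet is worth alerting on, since under this policy no legitimate workflow should produce one.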
The market in its current state features a range of wallet designs which, more often than not, force suboptimal tradeoffs for digital asset users. Fortunately, this won’t be the case for long — private keys will disappear with the advent of multi-party computation protocols and no longer be required to generate new wallets and sign transactions. At Curv, we believe participants in the digital asset economy should expect cutting-edge infrastructure that allows them to take full advantage of the incredible attributes of digital assets and blockchains. 24/7/365 instant liquidity, maximum security, and scalability — across humans within an enterprise and in supporting any protocols — are all feasible with a modern security model and software-defined scheme. We are excited to be redefining the frontier of what’s possible for digital assets. Stay tuned for more coming soon.