Custodial Microservices

A new paradigm for managing digital assets

Tamlyn Rudolph
salt
6 min read · Nov 14, 2023


As business activity on-chain increases, coordination of asset management becomes a very real problem to solve. Granular access controls and redundancy-based signing schemas are examples of features sought by organisations in their quest to balance security and usability of crypto financial rails.

Below we outline how the “pull” of such requirements is being met by a “push” of technology advances (decentralised MPC) ushering in a nascent but growing market-based paradigm where entities can compete to provide co-signing services under various scenarios. The open architecture lends itself nicely to expansion of such markets into other asset management type microservices.

The Growth of Programmable Custody

For Founders and CEOs of organisations, the problem of how to manage the access and security of digital assets in their workflows or on their balance sheets is a well-trodden path of pain. “Not your keys not your crypto” is a terrifying reality — nobody wants to be the CEO who lost the company’s assets. Typical approaches range from trying to “hide the keys under the mattress” (cold storage) through to “trusting the other guy” (centralised custodian or exchange).

With the growth of DeFi, digital asset wealth management has increasingly required wallets to remain online (hot). This has led to adoption of more sophisticated techniques such as multiparty computation (MPC) where 3rd party technology providers generate and split up an organisation’s private key in shards and distribute these across multiple people and devices for safekeeping and risk management. However, the rarely acknowledged flaw of these MPC providers is that their centrally managed, private solutions place an organisation at risk of having their assets frozen. This is by virtue of a trust architecture that relies on a single entity to perform critical roles such as running key management servers (which can be shut down) or holding onto some of the organisation’s key shards (which can be withheld). See our exploration of this topic here.

To address this, decentralised MPC (dMPC) has emerged, allowing an organisation to create and shard their own accounts by paying blockchain validators for the infrastructure rather than relying on centralised entities. The most intuitively decentralised version of dMPC involves delegating the job to existing L1 blockchain validators, an idea explored by a University of Vienna team in 2019 and being implemented by developers today. It’s worth noting that while other dMPC approaches such as Qredo, Odsy and Guardian Labs shard an MPC key across an L2 blockchain, this introduces the need to trust a new set of validators to guard the honeypot assets.

Both MPC and dMPC offer more programmable paradigms for custody. However, the openness of decentralised MPC means that:

  1. AI can access this technology permissionlessly, allowing for creation of wallets that are owned across chains and compatible with DeFi. For example:
    - A Polygon DeFi protocol that auctions key-shares to an “omni-chain” wallet — i.e. selling ownership for the wallet across all EVM blockchains.
  2. Co-signatory roles can be bought and sold as custodial primitives, such as:
    - a lawyer to act as a co-signatory on an organisation’s account for account recovery
    - a qualified custodian that provides regulatory signing services for asset managers
  3. Unbundling of custodial services unlocks the unbundling of broader asset management services. For example:
    - automated provisioning of temporary wallet withdrawal control to a quant risk manager during a period of high volatility.

While some of the above examples are technically possible at an individual blockchain level using account abstraction, the omni-chain controls of MPC & dMPC are significantly more powerful: because the control lives in the key material rather than in on-chain contract logic, a set of signatories can control assets across every blockchain that accepts the same signature scheme. Additionally, the rotation of signatories does not trigger alterations to the underlying wallet address.

Programmable custody allows an organisation to:

  • Architect their own custody stack and change it relatively cheaply
  • Vary their custody stack across their business streams and according to differing regulatory regimes
  • Co-manage customer accounts with other service providers
  • Source external providers in a competitive marketplace
  • Gain access to a network of counterparts using an unbundled 3rd party identity mechanism.
  • Avoid paying a premium to sign up to a single “walled garden” bundled service.

We believe that these benefits will propel forward a marketplace for unbundled, custodial services.

Custody Microservices

When considering how to secure a digital assets treasury, there is not just one problem to solve. In fact, tied up in the notion of “custody” are multiple jobs across multiple functional layers. The question is: to what extent can these be unbundled and sold to companies as distinct services? Below, we unbundle “custody” into five distinct jobs.

Unbundling of custodial services unlocks the unbundling of asset management services.

Augmenting this marketplace of the 5 jobs tabled above are a wealth of adjacent services that can be used to deliver the jobs. A non-exhaustive list includes:

  • Asset management — advising on / making decisions on what to transact
  • Quant risk evaluation of portfolio ahead of approving transactions
  • Transaction simulations and risk scores
  • Credit risk management ahead of approving transactions
  • Insurance of individual wallets, a subset of wallets or a full portfolio
  • KYT / KYC used in the decision making process while considering approving a transaction
  • Credential issuance to validate that the cosigners of an account are authorized representatives of an organization
  • Quotes and execution

Signing Threshold Management

From a pure signing threshold point of view we outline below a few example design patterns that an organization could adopt.

Example 1 — A lawyer provides the microservice of account recovery.

Consider an organisational split of key material as follows:

  • 40% is held by the Board
  • 40% is held by the Executives (CEO, CFO, CIO)
  • 20% is held by a lawyer
  • All transactions require 40% of signing material to form a threshold signature.

The implications of this are:

  • Operationally the company executives are able to transact by aggregating their signature material.
  • If the company’s executives lose their key material or are compromised, the board is still able to execute on the wallet.
  • If the dMPC account rotation threshold is also set to 50%, the board and the lawyer (60% combined) can replace the executives as cosigners without requiring their consent.

Example 2 — A qualified custodian provides a microservice for SEC compliance according to the Safeguarding Rule.

The SEC requires customer funds to be segregated (not pooled), and requires a qualified custodian to do the job of “possession or control” of advisory client assets. We propose the following potential key allocation to be both compliant and flexible.

An asset manager holds clients’ assets in segregated MPC accounts:

One account per customer, with the key split as follows:

  • 20% is held by the Asset Manager
  • 40% is held by the client
  • 40% is held by a qualified custodian (who plays this role may vary by customer)

Thresholds on the customer accounts are set as such:

  • All transactions require 30% of signing material to form a threshold signature. This means:
    - The client may transact without further cosigning
    - The custodian may transact without further cosigning
    - The asset manager may only transact if they attain a co-signing by the custodian or the client.

The implications of this are that the client retains the ability to withdraw their assets if the custodian fails. Moreover, if the client loses their key material, the custodian can perform account recovery. The custodian jointly offers services of transaction signing (Job-4) and account recovery (Job-3) which collectively meet the bar of “control” in terms of the SEC Safeguarding rule.
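Both examples above are weighted threshold policies: each party holds a percentage of the key material and a coalition can sign once its combined percentage reaches the threshold. The following Python is an added example (not code from Salt or from any dMPC implementation) that models both policies with Shamir secret sharing, one share per percentage point, so that the stated implications can be checked mechanically. It assumes a trusted dealer and reconstructs the secret only to decide whether a coalition clears the threshold; a real (d)MPC wallet never assembles the key in one place, and the rotation threshold is a validator-enforced policy modelled here as a plain weight-sum check.

```python
"""Weighted threshold signing policies modelled with Shamir secret sharing.

Added example, not code from the original post or any dMPC product. The
dealer-based sharing and the reconstruction step are a teaching simplification:
they show which coalitions clear the threshold, not how a threshold signature
is actually produced.
"""
import secrets
from itertools import combinations

PRIME = 2**127 - 1  # prime field for the polynomial arithmetic


def _eval_poly(coeffs, x):
    """Evaluate a polynomial (lowest coefficient first) at x modulo PRIME."""
    y = 0
    for c in reversed(coeffs):
        y = (y * x + c) % PRIME
    return y


def split_secret(secret, total_shares, threshold):
    """Shamir sharing: any `threshold` of the `total_shares` points recover `secret`."""
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, total_shares + 1)]


def reconstruct(shares):
    """Lagrange interpolation at x = 0; wrong (random-looking) below the threshold."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return secret


def allocate(secret, weights_pct, threshold_pct):
    """Hand out one share per percentage point of key material held by each party."""
    assert sum(weights_pct.values()) == 100, "weights must cover 100% of the key"
    shares = split_secret(secret, 100, threshold_pct)
    holdings, cursor = {}, 0
    for party, pct in weights_pct.items():
        holdings[party] = shares[cursor:cursor + pct]
        cursor += pct
    return holdings


def coalition_recovers(holdings, parties, secret):
    """True if the named parties, pooling their shares, recover the key."""
    pooled = [s for p in parties for s in holdings[p]]
    return reconstruct(pooled) == secret


def clears_threshold(weights_pct, parties, threshold_pct):
    """Policy-level check (e.g. the dMPC rotation threshold): weight sum vs threshold."""
    return sum(weights_pct[p] for p in parties) >= threshold_pct


def authorised_coalitions(holdings, secret):
    """Every minimal set of parties that can sign (no proper subset suffices)."""
    parties = list(holdings)
    found = []
    for r in range(1, len(parties) + 1):
        for combo in combinations(parties, r):
            if any(set(f) <= set(combo) for f in found):
                continue  # a strict subset already signs; not minimal
            if coalition_recovers(holdings, combo, secret):
                found.append(combo)
    return found


def example_lawyer_recovery():
    """Example 1: board 40%, executives 40%, lawyer 20%; sign at 40%, rotate at 50%."""
    secret = secrets.randbelow(PRIME)
    weights = {"board": 40, "executives": 40, "lawyer": 20}
    signing = allocate(secret, weights, threshold_pct=40)
    return {
        "executives_can_sign": coalition_recovers(signing, ["executives"], secret),
        "board_can_sign": coalition_recovers(signing, ["board"], secret),
        "lawyer_can_sign": coalition_recovers(signing, ["lawyer"], secret),
        "board_and_lawyer_can_rotate": clears_threshold(weights, ["board", "lawyer"], 50),
        "board_alone_can_rotate": clears_threshold(weights, ["board"], 50),
        "minimal_signing_coalitions": authorised_coalitions(signing, secret),
    }


def example_qualified_custodian():
    """Example 2: asset manager 20%, client 40%, custodian 40%; sign at 30%."""
    secret = secrets.randbelow(PRIME)
    weights = {"asset_manager": 20, "client": 40, "custodian": 40}
    signing = allocate(secret, weights, threshold_pct=30)
    return {
        "client_alone": coalition_recovers(signing, ["client"], secret),
        "custodian_alone": coalition_recovers(signing, ["custodian"], secret),
        "asset_manager_alone": coalition_recovers(signing, ["asset_manager"], secret),
        "asset_manager_with_client": coalition_recovers(signing, ["asset_manager", "client"], secret),
        "minimal_signing_coalitions": authorised_coalitions(signing, secret),
    }


if __name__ == "__main__":
    print(example_lawyer_recovery())
    print(example_qualified_custodian())
```

Running the script prints, for each example, which single parties can act alone and the minimal coalitions that can sign; `authorised_coalitions` is the check to rerun whenever percentages or thresholds change, since it reveals any party that has quietly become a unilateral signer.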

Conclusion

Our thesis is that over the next decade the demand side for MPC type custodial services will grow driven by A) an increased adoption of digital assets by organisations, particularly in the developing world and B) the evolution of AI-driven asset management.

We believe that the high costs, inherent risks and the walled garden exclusions of centralised MPC providers will drive organisations to increasingly adopt dMPC. As such we expect a microservices model to emerge, allowing each organisation to access and move between solutions at a granular scale.

Acknowledgements

Huge thanks for hashing these thoughts out and providing valuable insights & feedback: Gavin from Knowable, James Bourque from Intu & of course my cofounder Jason Rudolph from Kagami.


Buidler in DeFi since 2018. Building Salt which coordinates programmable ownership for organisations.