27 Jan, 2023

Common Risks for Crypto Custodians

Category: Education

The kind of math that makes cryptocurrency work relies on two cryptographic keys — one public and the other private. The private key, usually 32 alphanumeric characters long, must remain private, because whoever has it also has control of its associated digital assets.

The original Bitcoin whitepaper envisioned a thoroughly decentralized system of value exchange between peers, with private keys stored on the asset owners’ devices. In such a world, the main risk of losing access to one’s keys was hardware loss or failure. Of course, crypto has evolved in ways nobody could have expected in 2008, spawning centralized exchanges that act as custodians of asset owners’ private keys to facilitate the use of their platform.

In a custodial setting, the biggest threat to one’s digital assets is theft by a bad actor, and given the large rewards for succeeding, many sophisticated bad actors are working hard at it – typically attempting to hack into the custodian’s network.

Alternatively, an attacker may exploit bugs discovered in the custodian’s transaction logic, thereby generating and stealing tokens in ways unanticipated by the platform. This kind of attack directly impacts custodians and indirectly impacts their customers by devaluing the purloined asset and threatening the solvency of the platform.

Evertas provides coverage to custodians, not their customers. In the event that a custodial exchange loses access to digital assets due to a covered event, a claim is filed, and funds are promptly returned to the custodian.

We group the risks confronting custodians into three categories: technology, business, and operational.

Technology Risks

Technology risks are those related to how the custodian stores, accesses, moves, processes, and handles private keys from the moment of their creation to deletion. These are challenges confronting all custodians, though each solves them in their own way, with varying levels of risk.

From there, depending on the nature of the business, different factors may apply. For example, the insured may or may not employ staking, smart contracts, or other on-chain codes, tools, or systems. In each of these, there are unique risks.

Vitally, technology risks also encompass the custodian’s software development and testing processes. This is especially important because it is where bugs and potential exploits are best identified and fixed. Clearly, it would be impossible for an underwriter without an understanding of coding and security to assess this risk.

Business Risks

Business risks are those related to the real-time transactions and decisions that give an enterprise life. Unique to crypto custodians is the firm’s tokenomics, meaning the business utility of their proprietary tokens and how these are issued, managed, and kept compliant.

Moving beyond the token, a custodian’s business risks begin to resemble those facing most enterprises, namely: matters of ethics, corporate governance, transparency, and reputation. Evertas examines all of these. 

Operational Risks

Physical, personnel, and network security are primary areas of focus when identifying operational risks. This assessment also examines the mechanics of customer interaction with the platform’s trading interface, to spot opportunities for exploitive transactions. 

Finally, internal controls meant to ensure accurate accounting and tax compliance are reviewed to assess their soundness.

What You Can Do to Protect Your Crypto Assets

Many crypto custodians disclose whether or not they carry insurance on the assets they store. Indeed, it’s a strong selling point. If you can’t find that information, it’s a good idea to ask. If you don’t get a response, that’s a worrying sign and you may consider entrusting your digital assets to a firm that protects them with insurance.


