Crypto Custodian Risks
The kind of math that makes cryptocurrency work relies on two cryptographic keys — one public and the other private. The private key, usually 32 alphanumeric characters long, must remain private, because whoever has it also has control of its associated digital assets.
The original Bitcoin whitepaper envisioned a thoroughly decentralized system of value exchange between peers, with private keys stored on the asset owners’ devices. In such a world, the main risk of losing access to one’s keys was hardware loss or failure. Of course, crypto has evolved in ways nobody could have expected in 2008, spawning centralized exchanges that act as custodians of asset owners’ private keys to facilitate use of their platform.
In a custodial setting, the biggest threat to one’s digital assets is theft by a bad actor, and given the large rewards for succeeding, many sophisticated bad actors are working hard at it, typically by attempting to hack into the custodian’s network.
Alternatively, an attacker may exploit bugs discovered in the custodian’s transaction logic, thereby generating and stealing tokens in ways unanticipated by the platform. This kind of attack directly impacts custodians and indirectly impacts their customers by devaluing the purloined asset and threatening the solvency of the platform.
Evertas provides coverage to custodians, not their customers. In the event that a custodial exchange loses access to digital assets due to a covered event, a claim is filed, and funds are promptly returned to the custodian.
We organize the risks confronting custodians in three categories: technology, business and operational.
Technology risks are those related to how the custodian stores, accesses, moves, processes, and handles private keys from the moment of their creation to deletion. These are challenges confronting all custodians, though each solves them in their own way, with varying levels of risk.
From there, depending on the nature of the business, different factors may apply. For example, the insured may or may not employ staking, smart contracts, or other on-chain code, tools, or systems. In each of these there are unique risks.
Vitally, technology risks also encompass the custodian’s software development and testing processes. This is especially important as this is where bugs and potential exploits are best identified and fixed. Clearly, it would be impossible for an underwriter without an understanding of coding and security to assess this risk.
Business risks are those related to the real-time transactions and decisions that give an enterprise life. Unique to crypto custodians is the firm’s tokenomics, meaning the business utility of their proprietary token and how these tokens are issued, managed and kept compliant.
Moving beyond the token, a custodian’s business risks begin to resemble those facing most enterprises, namely: matters of ethics, corporate governance, transparency and reputation. Evertas examines all of these.
Physical, personnel and network security are primary areas of focus when identifying operational risks. This assessment also examines the mechanics of customer interaction with the platform’s trading interface, to spot opportunities for exploitive transactions.
Finally, internal controls meant to ensure accurate accounting and tax compliance are reviewed to assess their soundness.