TL;DR
We analyzed just under 4,000 crypto operational loss events[1] and found that custody-related events dominate operational losses in the digital assets industry. Over the past year, total operational losses amounted to $3.5 billion, with around 70% of these losses related to custody, totaling approximately $2.4 billion.
Private keys are ubiquitous in crypto, meaning practically every organization is affected: custodians, DeFi, RWA, funds, exchanges, OTC, prime brokers, and even traditional firms like RIAs.
Attempts to mitigate these risks (if mitigation attempts are made at all) have either focused on checking for traditional risk audits not built for crypto (e.g., SOC 2, ISO 27001), or simply checking if “trusted” custody technology providers are used in an operation without evaluating the methods of integrating that technology.
Market participants should begin demanding greater transparency regarding the custody setup of their counterparties, investment vehicles, and scrutinizing their own custody setup. Beyond disclosures, the industry should begin relying on frameworks that are purpose-built for evaluating crypto custody.
The Elephant in the Room: Custody Risk
The recent dramatic loss of $1.5 billion involving the Bybit crypto exchange has brought custody risk back to the forefront of everyone’s mind. Strangely, it seems only a few investors are truly pressuring their counterparties or investment managers to adequately expose their custody practices, instead of relying on SOC 2 checks, or other frameworks that were not built for cryptocurrency custody.
In this article, we will look at the digital asset industry’s operational loss data to show that custody risk is the dominant operational risk factor in the digital asset class, and how it affects all operations.
As mentioned in the TL;DR, custody risk has absolutely come to dominate operational losses. You can see this in the following chart of losses over the last year. Even if the Bybit event was excluded, custody risk would still be the largest loss vector.
Custody Risk is Accelerating
While point-in-time snapshots of data are useful, it is also helpful to visualize the trends so we can understand how these risks are evolving. Here we show losses over a one year rolling window, comparing smart contract vulnerability losses to custody losses. You can see the custody losses are accelerating rapidly.
This trend is likely due to the increasing number of modifiable contracts in DeFi and RWAs (especially “vault” structures), the existence of more crypto hedge funds,
Side note: Even though we see a substantial contraction in smart contract vulnerability losses, the takeaway should not be to abandon smart contract audits. That would be akin to the classic WW2 bomber survivorship bias example. If anything, props to those who have put in place good best practices on smart contract development and evaluation.
What is Crypto Custody Risk?
In digital assets, the movement of tokens is governed cryptographically by signing transactions using private keys. Custody security and risk surround the usage and storage of this private key material.
Another important note is that the bearer nature of digital assets means a custody loss event can be instant and irrecoverable.
Here are a few examples of what the “usage and storage” of key material could be (these examples are far from an exhaustive list):
Transaction Verification: How does the entity signing a transaction verify that the parameters of a given transaction are not giving control of funds to a malicious entity? This is what happened in the case of Bybit when a malicious transaction was signed.
Secure Storage: Can the key material be accessed by a malicious entity? This affects everyone, but DeFi and RWA protocols are frequently affected due to poor private key storage, which has allowed attackers to gain access to the key material and perform harmful modifications to smart contracts.
Disaster Recovery: Is the key material sufficiently backed up to allow recovery in a disaster, while preventing a malicious party from performing that disaster recovery? Prime Trust, the U.S.-registered custodian, is a clear example of this: it failed to properly back up its key material and went bankrupt after losing access to user funds.
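The "Transaction Verification" question above is what a signer should be able to answer mechanically before approving anything. The following is an added example (not code from the original post or from any custody provider) of a pre-signing policy check for an EVM-style transaction. It assumes the transaction is presented as a small dict with `to`, `value`, `data` and `operation` fields (the `operation` field models the CALL=0 / DELEGATECALL=1 distinction used by multisig wallets), that the organization maintains an allowlist of recipients and callable contracts, and it uses the standard 4-byte selectors of four common Solidity functions. All addresses are constructed placeholders.

```python
from dataclasses import dataclass

CALL, DELEGATECALL = 0, 1

# First 4 bytes of keccak256 over the Solidity signature, for a few common functions.
SELECTORS = {
    "a9059cbb": "transfer(address,uint256)",
    "095ea7b3": "approve(address,uint256)",
    "f2fde38b": "transferOwnership(address)",
    "3659cfe6": "upgradeTo(address)",
}
# Calls that move funds or spending rights to the address in their first argument.
FUND_MOVING = {"transfer(address,uint256)", "approve(address,uint256)"}
# Calls that change who controls a contract; never approved through this signing path.
CONTROL_CHANGING = {"transferOwnership(address)", "upgradeTo(address)"}


@dataclass
class Policy:
    allowed_recipients: set   # lowercase addresses that may receive funds or allowances
    allowed_contracts: set    # lowercase contract addresses this signer may call at all
    max_value_wei: int        # cap on native value per transaction
    allow_delegatecall: bool = False


def decode_calldata(data: str):
    """Return (known function signature or None, list of 32-byte hex words)."""
    hexdata = data.lower().removeprefix("0x")
    if len(hexdata) < 8:
        return None, []
    body = hexdata[8:]
    words = [body[i:i + 64] for i in range(0, len(body) - len(body) % 64, 64)]
    return SELECTORS.get(hexdata[:8]), words


def word_to_address(word: str) -> str:
    """ABI-encoded addresses sit right-aligned in a 32-byte word."""
    return "0x" + word[-40:]


def check_transaction(tx: dict, policy: Policy) -> list:
    """Return policy violations; an empty list means the signer may proceed."""
    findings = []
    to = tx["to"].lower()
    value = tx.get("value", 0)
    data = tx.get("data", "0x")
    sig, args = decode_calldata(data)

    if tx.get("operation", CALL) == DELEGATECALL and not policy.allow_delegatecall:
        findings.append("delegatecall: callee code would run against the wallet's own storage")
    if value > policy.max_value_wei:
        findings.append(f"value {value} wei exceeds cap {policy.max_value_wei}")

    if len(data.removeprefix("0x")) == 0:          # plain native-asset transfer
        if to not in policy.allowed_recipients:
            findings.append(f"native transfer to non-allowlisted {to}")
        return findings

    if to not in policy.allowed_contracts:
        findings.append(f"call to non-allowlisted contract {to}")
    if sig is None:
        findings.append("unknown function selector: refuse to sign what cannot be decoded")
    elif sig in CONTROL_CHANGING:
        target = word_to_address(args[0]) if args else "<missing>"
        findings.append(f"{sig} would hand control to {target}")
    elif sig in FUND_MOVING:
        target = word_to_address(args[0]) if args else "<missing>"
        if target not in policy.allowed_recipients:
            findings.append(f"{sig} to non-allowlisted {target}")
    return findings


# Constructed placeholder addresses (not real on-chain addresses).
TREASURY = "0x" + "11" * 20
TOKEN = "0x" + "22" * 20
WALLET_IMPL = "0x" + "33" * 20
ATTACKER = "0x" + "44" * 20

POLICY = Policy(allowed_recipients={TREASURY}, allowed_contracts={TOKEN}, max_value_wei=10**18)


def encode_address_call(selector: str, address: str, amount=None) -> str:
    """Build calldata: selector + address word (+ optional uint256 word)."""
    data = selector + address.removeprefix("0x").rjust(64, "0")
    if amount is not None:
        data += format(amount, "x").rjust(64, "0")
    return "0x" + data


# Constructed sample 1: a routine token sweep to the treasury.
ROUTINE_TX = {"to": TOKEN, "value": 0, "operation": CALL,
              "data": encode_address_call("a9059cbb", TREASURY, 1_000_000)}
# Constructed sample 2: presented to the signer as routine, but a delegatecall
# that swaps the wallet's implementation for one the attacker controls.
HOSTILE_TX = {"to": WALLET_IMPL, "value": 0, "operation": DELEGATECALL,
              "data": encode_address_call("3659cfe6", ATTACKER)}

if __name__ == "__main__":
    for name, tx in (("routine", ROUTINE_TX), ("hostile", HOSTILE_TX)):
        problems = check_transaction(tx, POLICY)
        print(name, "OK to sign" if not problems else problems)
```

The point of the check is that it decodes what the signer is about to authorize rather than trusting the label shown in a signing UI: an unknown selector, a delegatecall, or an ownership or upgrade call to an address outside the allowlist each produces a named finding, and a transaction with any finding is not signed.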
Why Everyone is Affected… Yes Everyone
Custody risk affects anyone with key material and an operation surrounding that key material. It is rare for a digital asset operation to not have any private key material at all.
To illustrate this point, the table below shows custody loss events across a range of entity types. Notice it even includes an RIA firm. These scenarios generate not only massive financial risks, but compliance risks as well. For many of these entities these events led to not only massive financial losses for investors, but also the complete shuttering of their entity, and legal consequences.
Please understand the intention of this list is not to throw stones at anyone. We are all in this together in this young industry. The objective is to highlight that custody risk is a problem affecting everyone in the asset class, not just a small subset of entities.
How Can These Risks Be Mitigated?
When addressing these risks, we see two major problems:
Overreliance on Traditional Finance Audits and Certifications: Many organizations rely on a checklist of traditional finance audits and certifications, like SOC 2 and ISO 27001, without considering their limitations. Numerous entities that experienced private key failures had these audits and certifications. The reality is that these frameworks were not designed with crypto in mind.
Trusting Big Name Service Providers Without Evaluating Integrations: The Prime Trust custodian bankruptcy is a clear example. Despite using Fireblocks, there were issues in the integration. Users who relied on Prime Trust as custodian may have felt safe because Prime Trust used Fireblocks, only to become participants in the ensuing insolvency because they did not evaluate how Prime Trust used Fireblocks in its operation.
So, what can be done?
Demand Greater Transparency: We need to demand greater transparency from counterparties and investments, including both centralized and decentralized entities. Being told that your counterparty’s custody is “battle-tested” is not good enough. The required information extends beyond standard due diligence questionnaire (DDQ) checks and should include areas like thorough technical evaluations, along with evaluation of and adherence to policies.
Adopt Audits and Operational Evaluations Built for Digital Asset Custody: The industry, investors, and regulators should realize that the idiosyncrasies of our asset class need specific audits and operational evaluations. For example, the CryptoCurrency Security Standard (CCSS) is the only audit standard purpose-built for evaluating private keys within the context of crypto operations. Where an organization does not have the resources to take on an audit like CCSS, it should still undergo operational evaluations built for crypto custody and not rely on a DDQ.
The Good News
Tokenization and DeFi rails are rushing into mainstream finance, but one failure point blocks capital: private-key custody.
The good news is that these custody challenges can be mitigated today. Purpose-built audits like the CCSS, rigorous integration testing, and operational analyses give boards and investment committees a clear playbook.
If you are concerned about your organization’s or investments’ custody risk, feel free to email us at info@digopp.group. We can have a brief call to discuss your or your counterparty’s custody risk.
About Our Work at DigOpp
At Digital Opportunities Group, we conduct risk assessments, in-depth operational due diligence (ODD), and CCSS audits to help institutional investors evaluate digital asset infrastructure. Our focus is on identifying operational gaps, custody risks, and regulatory blind spots, so investors can make informed decisions with confidence.
Our reports are available through Counterparty Catalogue, where users can explore over 100 service provider profiles, request due diligence assessments, share or read feedback from industry peers, and more.
Recent ODD Reports:
More reports coming soon!
To learn more, contact us at info@digopp.group.
Disclaimer
We, Digital Opportunities Group Enterprises, Inc. are not providing investment or other advice. Nothing that we post on Substack should be construed as personalized investment advice or a recommendation that you buy, sell, or hold any security or other investment or that you pursue any investment style or strategy.
Case studies may be included for informational purposes only and are provided as a general overview of our general investment process. We have compiled our research in good faith and use reasonable efforts to include accurate and up-to-date information. In no event should we be responsible or liable for the correctness of any such research or for any damage or lost opportunities resulting from use of our data.
We are not responsible for the content of any third-party websites and we do not endorse the products, services, or investment recommendations described or offered in third-party social media posts and websites.
Nothing we post on Substack should be construed as, and may not be used in connection with, an offer to sell, or a solicitation of an offer to buy or hold, an interest in any security or investment product.
[1] Data sources included: de.fi (see their REKT database), web3isgoinggreat, rekt.news, hacked.slowmist.io, and our own manual entries.