5 Survival Tips for Institutions in Digital Assets
Attracted by unbridled financial innovation, a growing number of institutions are moving into digital assets.
Yet the same unique qualities that enable such financial innovation — including open source code, permissionless development, and irreversible transactions — have created a precarious security landscape. More than $3 billion dollars worth of digital assets were lost in 2022 alone, from incidents including wallet hacks, protocol collapses, and social engineering exploits.
To help your organization survive these security threats, here are five tips for securely navigating the digital asset market.
1. Treat centralized exchanges with care
Crypto exchanges, which often double as custodians for users who choose not to withdraw their assets, make lucrative targets for hackers. In total, more than $2 billion has been stolen from roughly 40 different platforms since 2012.
Plus, as the recent collapse of FTX illustrates, even widely trusted of exchanges can be tempted into misusing client assets. This event alone is thought to have left more than a million customers out of pocket after at least $1 billion of crypto vanished.
The risk of falling prey to such threats can be mitigated by not leaving assets on exchanges for longer than absolutely necessary, and making sure that you have good answers to these questions before you deploy assets to an exchange:
- Is the exchange regulated?
Crypto exchanges are often unlicensed and may operate without regulatory oversight. Top-tier platforms, however, will typically hold authorizations, licenses, and accreditations from relevant authorities.
- Does it run on secure infrastructure?
Standard security practice involves holding the bulk of customer assets offline in air-gapped cold storage. But such systems can still be vulnerable to social engineering attacks. Ultimately, the most secure exchange infrastructure is non-custodial — enabling users to maintain control over their own assets.
- Does it offer proof-of-reserves?
In the absence of self-custody, being able to view exchange assets via a real-time audit is the next best thing.
- Does it have insurance?
Historically, hacked exchanges have failed to reimburse users for the lost funds, but this is beginning to change as more exchanges provide forms of insurance.
2. Do your due diligence on DeFi protocols
DeFi promises to create an immutable and transparent foundation for global finance, liberated from the opacity, corruption, and human error of centralized systems. But this new breed of blockchain-based finance also brings unique types of risks.
Smart contract hacks, which account for around 90% of all attacks, represent the biggest risk. But organizations must also contend with the possibility of fraudulent developers absconding with funds (known as "rug pulls"), governance exploits, issues with underlying blockchains, and unsustainable tokenomics.
Separating flawed and fraudulent projects from robust decentralized financial infrastructure requires both experience and a keen eye for both technical and economic risks.
To kick off your due diligence efforts, here are a few questions to consider before using a decentralized protocol:
- Has the protocol been audited?
Poorly conceived code has given hackers access to hundreds of millions of dollars worth of crypto. Much of this could have been prevented if the protocols were tested with rigorous code audits.
- Has it stood the test of time?
Protocols that have proved their resilience and weathered multiple market collapses are often more trustworthy. This can be indicated through metrics such as age, transaction count, and verification status — all of which are being factored into early efforts to build trust scores for DeFi.
- Is the team verified?
Some of the most innovative decentralized protocols were created by anonymous developers. Yet this anonymity can also increase the risk of “rug pull” tactics, where unscrupulous developers abandon a project and run off with investors’ funds.
- Are there obvious points of control?
Tokenomics schemes, governance structures, and private key custody arrangements should be examined carefully as they can lead to a concentration of power. In some cases founders may retain clandestine control over a purportedly decentralized protocol, or governance schemes may be vulnerable to flash loan attacks.
- Is it too good to be true?
The promise of unrealistic returns or risk-free yields way above the market rate is often the biggest red flag of all.
3. Roll out your own governance policies
Rarely discussed is the fact that insiders such as employees, partners, and customers are routinely at the center of digital asset losses.
Some of these losses stem from negligence — such as overwriting private key files, failing to notice phishing attempts, or making fat-fingered typos when sending digital assets — while others are more malicious, for example losses resulting from coercion or collusion among team members.
Protecting assets against such insider threats is a matter of finding adequate responses to these questions:
- How do you control who signs and approves transactions?
Exercising tight control over transaction workflows ensures that when employees do make mistakes (or fall prey to phishing and malware) then the damage is limited.
- How do you securely share private keys and exchange credentials?
It is critical to be able to share control over assets, without opening yourself to the possibility of team members running off to Mexico with company funds.
- How do you monitor and record activity?
Capturing the details of all activity — from custodial policy changes to withdrawals — minimizes the possibility that suspicious transactions will go unnoticed.
4. Make sure your private keys are safe
Behind protocol and application layer exploits, exploits around private keys are the third most frequent type of hack.
As strings of cryptographic code, typically represented as twelve words, private keys are one of the key characteristics that distinguishes digital assets from traditional assets. This is what enables you to “download” your money to your computer and practice self-custody — something that is often impossible with traditional assets like stocks and shares or physical commodities.
Yet private keys are also the Achilles' heel of the digital asset ecosystem; a single point of failure that is irresistible to hackers and at the center of countless heists and accidental losses.
Many digital asset custody solutions — including hot wallets, cold wallets, and multisig — fail to remove the risk of theft, loss and human error that comes with managing private keys directly.
Only the revolutionary cryptographic technique of multi-party computation offers the potential to decentralize the signing process and completely remove this single point of failure.
5. Take self-custody
Over the last year, the collapse of some of the most popular CeFi platforms and DeFi protocols has made the importance of self-custody crystal clear.
In practice, what this means is that across all your activity in the digital asset ecosystem — between DeFi and CeFi — your priority should be returning assets to the security of self-custody. This is because the longer assets are held on an exchange or protocol, the more you are exposed to what are ultimately unknown risks.
Taking self-custody, on the other hand, gives you the opportunity to fully control decisions made about your assets, and assume full responsibility for safeguarding them.
Until recently, however, it has been difficult for institutions to actually take self-custody; managing private keys directly is fraught with risks and impractical as an organization, and building a sophisticated solution in-house can be costly and equally risky.
Thankfully, Qredo is changing this by enabling institutions to easily adopt the best practice of self-custody.
Qredo decentralized custody
Through the innovation of decentralized multi-party computation (dMPC), Qredo is creating a way for institutions to store assets with zero private key risk, implement sophisticated governance policies, and securely deploy assets across DeFi protocols and CeFi trading platforms — all on independent infrastructure under your control.
About the Author
Article authored by Qredo