Why KPMG is mistaken about crypto custody

A new report by consultancy giant KPMG says crypto custodians have ‘tremendous’ growth potential

Copper Team

A recent KPMG report shines a spotlight on the vast potential for growth in the field of crypto custody.

Strong institutional custody is the key, it says. In that it is entirely correct. It is also right to say that cryptoassets are a unique form of bearer asset. However, contained in the report is a worrying lack of understanding around the mechanics of private key management.

KPMG identifies three main types of cryptoasset custody:

Self custody: Users, mostly retail investors holding their digital assets in off-the-shelf private hot (internet-connected) or cold (offline) wallets.

Crypto exchanges: Coinbase, Gemini and the like, holding assets in digital wallets while also making them available for trading through a central order book.

Qualified custodians: “Qualified custodians maintain control of private keys as part of their role alongside record of asset ownership,” the report says, identifying examples like banks or trusts chartered by a regulatory body.

The final group mentioned by KPMG here is the clear point of concern. Holding private keys in their entirety does not make for safe cryptoasset custody — as it might if these custodians were holding traditional bearer assets like bonds or gold.

Cryptoassets simply do not work in this way. Custodians who hold private keys in their entirety — without the shared signing responsibility described below — do nothing to properly secure cryptoassets. Doing so only creates the single point of failure that cryptoassets are designed to avoid.

Public/private

The public address of your cryptocurrency wallet is transparent and open to anyone to view. Clients can look up your public key to send you funds.

To access your wallet and transfer digital assets, what you need is a private key. Traditionally, if you forget your private key and have not stored the seed code in a safe place, then access to the wallet and the digital assets therein is lost. There is no recourse.

Not your keys, not your coins

Wired famously wrote in 2018 how it lost $100,000 in BTC mined in the early days of the cryptocurrency. The tech site’s then-head of engineering, Stefan Antonowicz, had mined 13 BTC but shredded his hard drive containing the private key needed to access this wallet. “I didn’t make a copy of the paper, or commit the 64 characters on it to memory,” he said.

For institutional managers handling a large amount of cryptoassets this would be an untenable situation.

While there is little reporting on the amount of Bitcoin lost permanently because private keys have been forgotten, misplaced or stolen, a 2017 study by research firm Chainalysis suggests the figure stands between 17% and 23%: up to 3.79 million BTC. This is above and beyond the multi-billion dollar exchange hacks that continue to blight the industry.

Threshold signature wallets with multi-party computation (MPC)

Because of the intense growth in institutional interest in holding digital assets, traditional custodians accustomed to holding stocks and bonds for their clients are under extreme pressure to offer their own custody systems. But most do not have the system architecture knowledge needed to build these technically challenging cryptoasset custody solutions.

Copper Unlimited, a proprietary form of cryptoasset custody, employs multi-party computation (MPC) protocols to create and distribute key shards to the user and two trusted third parties. The key shards are password-encrypted and, crucially, do not exist on any one machine, server or device. Alone, the key shards are useless, but when using zero-knowledge proofs they can sequentially co-sign transactions and access the offline, optically air-gapped cold wallet.

It makes sense that clients managing large portfolios would choose qualified custodians where possible. Most do not want to be their own bank. And yet as we reported last year, an incredible 92% of funds and market makers with allocations up to $25m still keep their coins on insecure exchanges, even though most recognise that third-party custody is important.

Institutional crypto key management is a nascent segment within a new industry. Huge strides have already been made on the technology side, and the sector faces an enormous boost as legacy institutions begin to harness and realise the potency and potential of this new asset class.
