Bitcoin custody has become a major stumbling block in the cryptocurrency’s evolution from a renegade asset to a legitimate investment vehicle. In its January letter outlining concerns for a bitcoin ETF approval, the SEC mentioned custody as a problem area. Per a 1940s act, funds are required to maintain commodities with a custodian approved by the agency. While there are companies that offer custodian services for bitcoin, none of them has yet been approved by the federal agency.
But that may change soon.
Investment bank Goldman Sachs is reportedly getting into the bitcoin custody game. Japanese bank Nomura Holdings has already announced a partnership with France-based crypto wallet company Ledger to “explore” building a custody solution. North America’s biggest cryptocurrency exchange Coinbase is also getting into custody solutions. Online publication Wired recently published an interesting article about the process by which Coinbase plans to secure customer bitcoin.
How Does Coinbase Custody Work?
The “ceremony”, as Wired calls it, occurs inside a silver tent that acts as a Faraday’s cage, cutting off electromagnetic radiation within its enclosed confines. A brand-new laptop (selected through a coin flip from two randomly chosen machines) without a hard drive and a WiFi card is used generate custom keys. The machine runs Linux, a free operating system with enhanced security features, and custom software used solely to generate and encrypt keys.
Once they have been generated, the encrypted keys are split into a series of QR codes, which are transferred to an Apple Mac even as the laptop used to generate the keys is destroyed. “It’s just way easier printing from a Mac,” Zak Blacher from Coinbase’s security team told Wired. A binder is used to store the paper with QR codes and stored in a secure facility somewhere in San Francisco. Backups for the QR codes are stored in USB sticks and hard drives.
As can be imagined, retrieving bitcoins from Coinbase’s custody for customers is not easy and involves multiple layers of access. This is because the system implements a concept called “layered security”. Philip Martin, Coinbase’s security head, explained it in a Youtube interview. Inspired by boxer Mike Tyson’s quote that everyone has a plan until they are punched in the face, the underlying assumption in this type of security is that the malicious actor or hacker has already found their way into the system. As such, the system’s designers use a tiered approach to prevent a single point of attack.
According to the Wired article, a customer request is typically processed in one or two days. The first step consists of establishing the requester’s identity through a video call. Another group, called the “Sages”, further verifies the request’s credentials and uses encrypted keys to communicate with the “librarians” who have access to the pieces of paper with the QR codes to unlock private keys for customers bitcoin. That is the final leg of the journey to access bitcoin for customers in Coinbase’s custody solution.
The chances of institutional investors requesting access to their bitcoin is remote, however. According to Caitlin Long, a Wall Street veteran who writes about bitcoin, institutional investors almost never have control over their assets due to the SEC’s ruling on custodianship. “If the custodian tells them that their asset is there, then it is there,” she said.