by Uri Eden
It is impossible to overlook the impact digital assets are having on the monetary world. In the past months, BNY Mellon and Fidelity, among others, have announced intentions to store and manage digital assets, which is an important building block for enterprise adoption. As more enterprises such as State Street, Walmart and others consider digital assets as part of their value propositions, various solution providers safeguarding private keys have emerged. While private key protection has been a point of focus in the industry to date, we believe there is a broader topic of internal controls and governance that is being overlooked. In this post, we seek to highlight the key controls enterprises will need to adopt to successfully use digital assets at scale and discuss the various mechanisms to implement them.
From physical to digital controls
Before the Internet, an enterprise could choose to self-custody its cash and gold by applying internal controls such as secure safes, physical guards and internal policies, but these valuables were in danger of being stolen by thieves or even the organization’s own employees. Due to lack of security and controls, most organizations deposit their liquidity and valuables at a qualified custodian such as a bank, thus moving the risk to another entity they trust. These traditional custodians have been around for centuries and have evolved and developed control mechanisms over time. Modern custodians have controls governing their physical and digital safes, preventing insiders from embezzling their accounts or cybercriminals from stealing them.
Governing digital assets – the problem
Today, digital asset owners are opting to use third-party actors, who are sometimes unregulated, to hold their funds, not realizing that they are ill-equipped to store digital information. Usually these third-party actors choose to keep the funds in cold storage hardware solutions in the belief that it will give them security and control, but, by doing so, they give up the control and instant liquidity their own customers need.
The concept of cold storage is to isolate the secret, or private key, on a single machine. While this has advantages in protecting against cyber criminals, it opens new gaps concerning who has access to those machines and the machines' integrity.
This gap is widened by the fact that many employees in an enterprise all need to access a single secret in a specific location.
The institutional needs
Zooming out, there is a handful of key controls and governance capabilities that any institution that holds digital assets will need:
- The signing mechanism can be distributed among multiple employees and groups in a secure way. This means that if any individual employee is compromised or goes rogue there is no risk of asset loss. [See Quadriga as an example]
- Be flexible to adopt any digital asset and blockchain. It's likely that enterprises will engage with many digital assets and blockchains and thus will need one constant governance policy that can be applied to all.
- Transparent policies that govern the assets using business and financial logic and language (whitelisting addresses, approval process, etc).
- Built-in redundancy, including a disaster recovery mechanism built for institutions.
- Logging and auditing of administrative, security and operational activities.
Current Approaches – Tradeoffs between availability, security and governance
The main solution for this availability-security-governance tradeoff problem in most common cases is increasing the number of signatures required to approve withdrawal from an account by applying smart contracts or multi-sig protocol wallets.
Although this method may increase the security and allow the institution to remain in control, it can introduce other issues such as smart contract bugs and additional costs. Furthermore, the solutions are tied to the specific implementation of the digital asset and thus require a new implementation for every asset.
Smart contracts were designed to enable building applications on top of blockchain technology, not as a security layer, so they are very limited in their capabilities. For example, smart contracts do not allow the institution to set restrictions on transactions occurring outside business hours, excessive velocity use and more. Most importantly, once the institution has chosen to set these restrictions or “policies”, it is not possible to change or adapt them without moving the funds to a different wallet.
Curv’s Approach – Decoupling the signature from the policy
Curv’s approach is to decouple the signature from the policy using Multi-Party Computation (MPC). By decoupling the signing mechanism from the policy engine, Curv’s digital asset wallet-service enables institutions to (i) eliminate the single point of failure emanating from the private key, (ii) access a cloud based always available solution and (iii) tailor the control policies to their own requirements and change them as required.
Below are several examples that illustrate the types of policies and controls that can be put in place using Curv’s wallet-service application.
Example #1 – Transaction policy generation and enforcement limits
Let us take for example SecureFunds, a traditional fund moving to a new digital asset trading platform. SecureFunds has a few different functions in its organization such as traders, managers, and a CFO. Up until now, SecureFunds used traditional hardware wallets in cold storage, moving them in and out of their safes with internal procedures to ensure that only approved transactions are signed. This method is of course very cumbersome and is by its nature prone to human error, as it is still based on human actions. Additionally, employees with access to the cold storage facility have access to all of SecureFunds’ liquidity.
By using Curv’s cloud-based service and decoupling the control from the signature, the organization can now create software-defined policies, such as: (i) allow traders to create transactions up to 10 BTC without any additional approvers; (ii) transactions between 10 and 100 BTC will require at least two managers to approve; (iii) transactions over 100 BTC will require the approval of the CFO. The organization can also set caps on the total amount of funds that can be transferred per hour/day/week as well as the number of transactions allowed. Another capability is to whitelist specific addresses (e.g., internal wallets or trusted counterparties) to allow large transfers without going through the standard approval process.
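The tiered rules above can be written as a small off-chain policy check that runs before any signing takes place. The sketch below is an added example, not Curv's code or API: the user names, the whitelist entry, the 500 BTC daily cap and the rule that the cap also applies to whitelisted destinations are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from decimal import Decimal

# Hypothetical names and values throughout; this is not Curv's API.
ROLES = {"tina": "trader", "mo": "manager", "max": "manager", "cleo": "cfo"}
WHITELIST = {"internal-treasury-wallet"}   # constructed placeholder address
DAILY_CAP = Decimal("500")                 # assumed cap, BTC per rolling 24 h
DAY = 24 * 3600

@dataclass
class Tx:
    creator: str
    amount: Decimal
    dest: str
    ts: int                                   # creation time, epoch seconds
    approvers: set = field(default_factory=set)

def required_approvals(tx):
    """Map the amount tiers from the text to {role: approvals needed}."""
    if tx.dest in WHITELIST:
        return {}                 # whitelisted: skips the approval process
    if tx.amount <= 10:
        return {}
    if tx.amount <= 100:
        return {"manager": 2}
    return {"cfo": 1}

def evaluate(tx, signed_history):
    """Decide 'sign', 'pending' or 'deny'; signed_history is [(ts, amount)]."""
    if ROLES.get(tx.creator) != "trader":
        return "deny", "creator is not a trader"
    # Assumption: the velocity cap applies to whitelisted destinations too.
    recent = sum(amt for ts, amt in signed_history if 0 <= tx.ts - ts < DAY)
    if recent + tx.amount > DAILY_CAP:
        return "deny", "daily cap exceeded"
    for role, need in required_approvals(tx).items():
        # Count distinct users holding the role; creators never self-approve.
        have = len({u for u in tx.approvers
                    if ROLES.get(u) == role and u != tx.creator})
        if have < need:
            return "pending", f"needs {need - have} more {role} approval(s)"
    return "sign", "policy satisfied"
```

Because roles are looked up from a directory rather than carried in the transaction, removing a user from `ROLES` revokes their approval power without touching any wallet.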
Example #2 – Employee onboarding / exiting
Through combining this advanced off-chain policy engine with the MPC protocol, SecureFunds can decide which devices will have “cryptographic material” and will be allowed to sign transactions. It can easily provision new devices with key shares and de-provision lost devices. When an employee is leaving the organization, there is no need to worry about them stealing information or funds, since the policy can easily be adapted to remove the user from the approving process or the approved device list.
The policy, groups and users who need to approve as well as the threshold of approvers can be changed at any time and will not require moving the assets while benefiting from the high availability of the service.
This decentralized signature and policy approach allows organizations to keep their assets under their control securely and without depending on third party vendors, which themselves are prime targets for cyber attacks.
No single point of failure
Policy governance – Administrator quorum
Designing a solution that lets you change and adapt policies raises an important issue: who in the organization is capable of creating and changing policies.
The Curv platform uses “Administrator Quorum”. This group, comprised of all the administrators in the account, serves collectively as the decision making center of the organization’s account. Together, they vote on risky operations, such as changing spending policies, adding entries to the whitelists, updating system settings, etc. By default, the system comes with two administrators who have to cooperate in the voting process. The threshold of administrators necessary to effectuate changes can be altered to better reflect the organizational needs of the customer, but it must include at least two administrators. We recommend institutions have at least three active administrators for redundancy purposes.
Disaster recovery mechanism
As mentioned before, one of the key requirements for an institutional solution is the option to recover all the funds and assets in case one of the parties is no longer available or the key shares are lost. Curv’s backup solution allows an institution to recover their funds in case all shares are lost or in the catastrophic event that the Curv service becomes unavailable.
With Curv’s solution, users create encrypted copies of the key shares and keep their decryption key in an offline location until needed. Each piece of the recovery puzzle by itself does not allow any access to the funds, and the organization can keep the pieces separate between two different departments and locations, thereby always ensuring an attacker never gets hold of the complete key.
We believe that we are going to see greater demand from institutions to have security, control and access to their assets, whether they are stored within their own wallets or with a custodian such as crypto exchanges. Curv is designed as a one stop shop solution that will give such holistic governance and control while not compromising on the security of your digital assets.