Topic: Custodial accounts for bitcoin the more important than could have ever thought (Read 285 times)

Imagine running a large pension fund or institutional firm like that. Your expertise is in market hedging, not network and key security. With billions of dollars on the line, do you really think it's wise to gamble on self-storage? You're going to be a big target for hackers.

That's going to be the mindset of most (if not all) institutional traders. I don't like it but I also don't see any way around it.

You do realize that in bitcoin world you can always have your own wallet right? Like the options are not exchanges or hackers, we actually could have our own wallets without relying into anything at all, or anyone at all. I could download bitcoin wallet to my computer, which would take a long time to sync obviously but I could do that and after that I could simply just put all my money there, so at the end of the day it will be on my computer and nowhere else. Want better protection?

I could buy a hardware wallet, which would require the hacker to get a hold of my hardware wallet which makes it not only a hack but also theft as well, and after that know all my passwords or whatever those words are called. So basically you can be protected quite easily in bitcoin world, no need for custodial accounts at all.

Actually been trying to convince my bank for more than 10 years to please help me get off SMS 2fa! I travel to places not even roaming covers so getting my banking done sometimes is a problem but they told me the same thing actually that trialling other methods simply don't work for majority of their users, as SMS 2fa was already a huge achievement... although now for higher limits they enforce alternative 2fa that needs a phone app. They've been kind to me over the years and despite me not being a wealthy client, the local branch manager already knows me quite well because of the weird stuff they've had to do for me over the past 20 years!

So yeah you're right, exchanges and banks probably could funnily even hurt their business by making things more secure...

that only applies to SMS 2fa. offline TOTP authentication (like google authenticator) can't be targeted that way, and is far less susceptible to social engineering attacks in general.

exchanges should really stop supporting SMS 2fa, but it's one of those trade-offs i guess. they know SMS is way more intuitive for noobs and they are therefore more likely to use 2fa. if they offer TOTP only (requires a smartphone app and an unfamiliar process) then less people are gonna use 2fa at all.

Probably? Almost absolutely the case actually haha. At least with 2fa loss of access there are ways to recover still, especially when you can reverify and rekyc, but yes, support is a huge drain on account loss, and yeah 2fa just opens most people up to that problem for some reason.

I loved some that new idea from some sites that let you recover by signing from a btc address but yeah again, most of us just ain't ready for that kind of security.

Also, though, doesn't sim swapping or sim spoofing defeat 2fa?

The average person can handle an online brokerage account, can't they? Schwab, Fidelity, Etrade, etc. A lot of retail traffic will hit platforms like that, where they'll access regulated derivatives and securities (not BTC), especially once we see instruments easily accessible through retirement accounts.

Other retail investors will turn to Robinhood, E-toro, and platforms like that. No major risks when nobody can withdraw crypto from their account, right?

As far as institutional investment goes, most firms will have zero interest in taking custody of their own coins either. Leave it to Bakkt, Fidelity, etc.

That just leaves spot exchanges and unregulated crypto-backed derivative platforms like Bitmex. Sometimes I think they would do well to mandate 2FA (and a few exchanges do this) but then again, they would probably get inundated by careless customers losing access to their accounts.

The most gaping one to me is customers not taking their own account security seriously enough and leaving their email and sim card open to hacking and emptying their account. And the likelihood of this happening is way, way higher than it happening with even the crappiest of phone wallets.

The average person is fooking hopeless with online security and no matter how much shouting somewhere custodial will give them they're going to say 'yeah, yeah' and disregard it. Then they'll squeal long and loud when their account gets drained.

Since custodial will attract more average and therefore careless people they're going to have their work cut out to force them to up their game. They're probably going to fail at it. I dunno how they're going to square this circle.

One of the "exchanges" I use (I'm fully verified and use it for convenience purposes in current location, being properly licensed and regulated etc) actually only allows withdrawals to a whitelisted account, which must be applied for, and can only bear the same name and address used to verify the account. I always thought this was a good method for preventing someone to withdraw my money (even if they hacked it, they couldn't withdraw my money). Same for BTC, you whitelist an address and to change it you need to reverify all over again.

But as jseverson and gentlemand and others point out:
- This doesn't still prevent someone from hacking the exchange and withdrawing THEIR funds, though, does it? And then they couldn't pay you anyway.
- There's still no real way of knowing if they have the funds, how they store and manager, or do bookkeeping
- even if you have a reputable underwriter or auditor, it's just more parties to trust and rely on, takes 1 of many to fail for you to lose it all. Every single Big Four auditor's been found guilty of helping banks and companies hide or cover up holes.

So it's really still a matter of who you trust more. Yourself, or an institution. And from my experience, a lot of people don't trust themselves. Not to remember an email account password, much less store and protect private keys...

I wonder what's buried in their terms and conditions about such a situation. It must be in there somewhere.

It would certainly focus a few minds and likely not for the better. These big bucks rolling in should really give this more thought. It's not like anything else they've ever gotten involved in in this particular aspect.

Dollar redemption is the obvious one but no one will be insured for a cold storage heist. And hot wallet coin insurance is yet to be put to the test either.

This is something I actually worry about. Imagine a future where custodians like Bakkt and Fidelity control a significant chunk of the Bitcoin supply. What happens when they get hacked, and then we get a state-backed rollback attempt?

That'll up the ante far beyond what we saw in 2017 with the 2x posturing from Bitcoin startups. Imagine the US government backing a hard fork.

that still doesn't mean custodial "accounts" are safe or important or should even be used. they should always be avoided no matter how safe they look like. not to mention that the "custodial exchange accounts" are only used by traders and we don't want more traders, we want more adoption and that is the way to go to higher bitcoin values not by having more speculators that make money by shorting bitcoin as much as they make money when price goes up.
both liquidity and security can still be achieved without leaving your funds on an exchange, not to mention there are a lot of good work being done in decentralized exchange scene.

Custoidal accounts are worst ever. If you cant withdraw those coins are never really yours. That company can go bankrupt and you lose everything. Or whatever crap they do. When you hold your coins there is zero worry about what someone else will do. Only what you will do. All is on you. 

Cold wallets of big exchanges never got hacked, afaik. You could argue that Gox was the case, but at that time Bitcoin wasn't that big. Plus, it wasn't regulated - if regulators participate in multisig, and inside job or exit scam can be nearly impossible.

I'm not talking here about was it objectively the best method to hold money, but in the modern world rich people don't hold their assets in their desk, it's all managed by professionals, because many people don't want this responsibility.

Aye. I guess it's about risk. To many of us lot the risk comes gravitating towards such a set up. For the probable majority it's the direct opposite.

As above it would be interesting to see how a legit hack would be handled by a legit company, not a wing it special like Bitfinex. I presume if such a service were to have verifiable coins they'd go with a proven custodian. And if THEY got hacked the entire scene would certainly pivot.

I get your point about custodial accounts being safe but the one operating such service is what most people are worried about. While true that personal accounts on such services cannot easily be compromised due to a number of security features and all other implementations, there's really nothing a user can do if the whole service itself gets hacked. No safety nets, no guarantees, no assurance--just another creditor shouting scam and just waiting for whatever money the service can give back as means of 'honoring' their word to avoid jail time.


Let's say that that's the case. Complete audits, the service has weight and enough credibility and money to operate. At the end of the day, data leaks and inside jobs can still happen and you are still doomed to fall under a sad, sorry state. Even exchanges with the 'best' security implementations and features such as multisig wallets and cold storage have fallen victim to hacks and inside jobs. The point is, if the price is right, operators will risk it--even the regulators can be an accomplice.

Personally, I prefer depositing and taking my coins without any hassle or whatsoever, which is why I will always choose an exchange. The liberty it offers to my coins is simply preferable rather than having someone hold your coins for you, and if you want to take it out, you have to do it on their terms. Whatever floats your boat, I guess.

But it can be done in an auditable way, custodians can keep the coins in cold storage and sign with their addresses to prove that they have coins, then auditors just need to look at the client's investments and verify that it it all balances. And with schemes like multisig, you can have regulators hold one of the keys, so that the custodians won't have a temptation to steal the coins.

It's all whacky from a point of view of a bitcoiner, but some investors are not here for the ideology, they just want to make money, and that's okay.

When you deposit to a bank you are giving up your money and accepting an IOU. This is exactly the same but also worse as you've no idea if there's any real Bitcoin backing it, at least a straightforward bank failure has an element of government protection. If the company becomes toast then you're just another creditor and one at the bottom of the list.

With a proper exchange or any service that allows the real deal in and out you have the option of complete control over your destiny even if many won't take it up.

custodial accounts are the worst thing that has ever happened to bitcoin and will always be that way. they are not at all needed for growth, in fact if anything they could be keeping bitcoin back with all their shenanigans. each time we see a price rise their servers magically crash, each time things are good one big (but shitty) exchange gets hacked and loses millions of dollars worth of bitcoin and later we find out they didn't even know what the word "security" means!
not to mention that they are centralized and practically act like a bank (they control your money and can decide not to let you use it) which is against what bitcoin stands for.

While this is true, most of the concerns regarding personal custodial solutions don't really have much to do with individual accounts being hacked. The most glaring problems with them, IMO, are that the exchange itself could be hacked (which has happened a lot of times, albeit to much lesser exchanges), and that they could lock you out of your account of their own discretion (regardless of whether it's justified or not). I don't hear too much about individual accounts being compromised, probably precisely because of the reason you stated, as well as two-factor authentication systems, etc. that have been commonplace for a while now.

I also get what you're trying to say, but are there any data to suggest that OTC markets are lacking in liquidity?

I don't know about "important." I would say inevitable. Wall Street firms aren't trying to do their own in-house crypto storage. That would be insane! Immature custody solutions have always been a major impediment to institutional adoption. I think Bakkt and Fidelity are opening a lot of doors in that respect.


And maybe huge ask liquidity too.

The rise of institutional trading is not all good. Leverage and rehypothecation can artificially inflate supply, keeping a lid on prices. I'm not saying that's guaranteed, but it's a counterpoint to the idea that Wall Street is guaranteed to pump BTC.