Centralized & “trusted” third parties are a risk and always have been. Minimize trust, mitigate risks, and perform check-ups often.
Perhaps you’ve seen some of the “domino” liquidations across the DeFi space in recent months, with platforms once thought rock-solid buckling under exploits, market downside, loans coming due, or any number of other issues.
You might think of this as an emerging problem, but it’s actually something that happens at least once every cycle. Sure, DeFi has seen the problem grow in scale, but the root is still the same:
Centralization & “trusted” third parties are a risk.
They always have been.
It’s kind of funny to me that even after more than a decade of Bitcoin & its children being developed, our answers to most problems are routinely still heavily centralized, or require a high degree of trust.
After all, one of the key reasons for Bitcoin’s creation was limiting third-party risk, and enabling a more trustless financial ecosystem.
If you’ve learned anything from following Wendy O, or reading our articles in the Whitepaper every week, it should be this: minimize trust and mitigate risks as often as possible, and perform check-ups regularly to see if there is more that you can de-risk.
Do we use centralized protocols and services? Absolutely. I love them. Especially the ones that let me connect using my wallet, and without formal registration or KYC. That said, I do not keep significant amounts in anyone else’s custody. I may stake the occasional NFT or token, but I limit that exposure to a fraction of my total account, and if it becomes unprofitable to stake, then I move it back to self-custody.
Check Your Self-Custody
So, what is “self-custody”?
Well, self-custody is making certain that no one has access to your assets except you and those you approve. Self-custody also means taking a lot more responsibility for those assets, as there is no insurance or business to blame if you make a mistake and lose access to your funds.
Self-custody presents dangers of its own, and more than a few questions.
Questions like, “Where do I keep my assets?”
There are myriad solutions for that, and I’m not going to dive into every cold storage solution on the market, because there’s everything from etched seed phrases in metal plates, all the way down to your standard hardware wallets like the Ledgers and Trezors.
I’ve also seen plenty of enterprising individuals come up with simple solutions using fresh mobile phones without service: they manually add wallet APKs, create a fresh address, and never connect to Wi-Fi afterward. Two of those stored off-site (safety deposit box) or in a fireproof safe can be a cheap & simple solution for folks without a lot of skin in the game or money to drop on a hardware wallet.
I’ve got at least three or four older mobile phones lying around that I can wipe at any time & use for this purpose, so it’s essentially just creating a fresh wallet, mirroring on a second device, and sending assets to that address for “cold storage” that I only briefly connect to known-good (home) networks if I need to swap something back to my hot wallets.
Another cheap solution is to use Gnosis Multisig for limiting risk by requiring a majority of signatures to move funds.
One “low-tech” way to accomplish the same thing is to break your seed phrase into three or four groups of words, say, A, B, C, and D. You make two or three copies of each group, and store them in separate, secure locations. Or maybe you include a spouse or child, and have them keep a copy of one group.
If one copy is lost, your risk is still zero and you then know to collect a full set and move funds. If you pass away and your family knows where B and D are and you have A and C on you, then they can move funds with limited knowledge of wallet recovery.
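A way to check a split-phrase storage plan before relying on it, as an added example that is not part of the original article. The location names and the plan are constructed, and the 11 bits per word figure assumes a BIP-39 style wordlist of 2048 words.

```python
from itertools import combinations

BITS_PER_WORD = 11  # assumption: BIP-39 wordlist of 2048 words (2**11)

# Constructed storage plan: which word groups each location holds.
# Location names are hypothetical; every group exists in two copies.
PLAN = {
    "home_safe":   {"A", "C"},
    "deposit_box": {"B", "D"},
    "spouse":      {"A", "B"},
    "sibling":     {"C", "D"},
}
GROUPS = {"A", "B", "C", "D"}
WORDS_PER_GROUP = 3  # 12-word phrase split into four groups


def held(plan, locations):
    """Union of the groups stored at the given locations."""
    found = set()
    for loc in locations:
        found |= plan[loc]
    return found


def survives_loss(plan, groups, n_lost=1):
    """True if the full phrase is still recoverable after ANY n_lost
    locations are destroyed or become unreachable."""
    for lost in combinations(plan, n_lost):
        remaining = [loc for loc in plan if loc not in lost]
        if held(plan, remaining) != groups:
            return False
    return True


def min_locations_to_rebuild(plan, groups):
    """Fewest locations that together hold every group: how many places
    an heir must visit, and how many a thief must breach."""
    for k in range(1, len(plan) + 1):
        for combo in combinations(plan, k):
            if held(plan, combo) == groups:
                return k, combo
    return None, ()


def exposure(plan, groups, breached, words_per_group=WORDS_PER_GROUP):
    """Groups a finder obtains from the breached locations and the upper
    bound (in bits, checksum ignored) on what is left to guess."""
    got = held(plan, breached)
    missing_words = len(groups - got) * words_per_group
    return sorted(got), missing_words * BITS_PER_WORD
```

Every group a finder obtains removes 11 bits per word from what is left to guess, so a plan should be judged both by the losses it survives and by what any single location gives away.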
However you tackle the problem of where to store your funds, the process and where to safely store any phrases or hardware solutions should be something you think long and hard about before you ever invest substantial money in crypto.
Self-custody, moving forward
If this all sounds a bit complicated, it’s because it is. We have tutorials on specific cold storage solutions, and we’re constantly reviewing more, but in the end what most folks envision would be a simple, trustless solution that allows easy recovery while limiting risk and exposure.
This is something folks like Vitalik Buterin have mulled over for quite a while, with some ideas such as a list of “guardian accounts” that could transfer contract access & assets to a different public key, if you lose access.
Think of this essentially like contract-specific multisig. As it currently functions on Loopring, you can add multiple guardians for your address, and transferring requires a majority. So if you have three guardians, you need two of them to sign in order to transfer access to a new public key.
This is an interesting thought, although I can definitely imagine some exploits that add guardians to your wallet & then transfer access to the hacker. The problem with automating recovery through the contract is that it still requires a certain degree of trust, albeit not with a centralized platform or exchange.
Instead, the trust is with the guardians you select, or the wallets you both utilize.
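The majority rule and the guardian check-up described above, as an added toy model that is not Loopring’s or any wallet’s actual contract code. The class, method names and the strict-majority formula are assumptions made for illustration.

```python
class GuardedWallet:
    """Toy model of guardian recovery: a strict majority of guardians
    can move control of the wallet to a new public key."""

    def __init__(self, owner, guardians):
        self.owner = owner
        self.guardians = set(guardians)
        self.approvals = {}  # proposed new owner -> guardians who signed

    def threshold(self):
        return len(self.guardians) // 2 + 1  # strict majority

    def add_guardian(self, caller, guardian):
        if caller != self.owner:
            raise PermissionError("only the owner may add guardians")
        self.guardians.add(guardian)

    def approve_recovery(self, guardian, new_owner):
        """Record one guardian signature; transfer once majority is met."""
        if guardian not in self.guardians:
            raise PermissionError("not a guardian of this wallet")
        signed = self.approvals.setdefault(new_owner, set())
        signed.add(guardian)  # a set, so repeat signatures count once
        if len(signed) >= self.threshold():
            self.owner = new_owner
            self.approvals.clear()
            return True
        return False


def audit_guardians(wallet, expected):
    """Check-up: compare on-record guardians with the list you intended.
    Flags whether guardians you never chose could reach majority alone."""
    unexpected = wallet.guardians - set(expected)
    return {
        "unexpected": sorted(unexpected),
        "missing": sorted(set(expected) - wallet.guardians),
        "threshold": wallet.threshold(),
        "unexpected_can_recover": len(unexpected) >= wallet.threshold(),
    }
```

Running the audit as part of a regular check-up surfaces guardians you did not choose before they matter, since every added guardian also shifts the majority threshold.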
If I had to hazard a guess, I’d say that this will continue to be the problem until someone finds a simple, elegant, and secure solution that is intuitive enough for the everyday user.
That will be hard, as there is always a trilemma at play. If you automate, outside risk increases due to exploits or hacks. If you self-custody, operator errors increase. If you trust a third party for custody, then they become the risk.
It’s really a question of who you trust: yourself & your custodial processes, the contract, or the exchange/platform? Regardless of who that answer ends up being, I encourage you to always research more, and trust less.