DeFi's OPM era: The custody hurdle

Co-authored by Lucas Gaylord, co-founder & CEO of Eulith and Chris Powers, author of Dose of DeFi. Also published here.

DeFi has to date been dominated by investors with either niche technical know-how, or enough hubris to fly blind. Yet when trading goes beyond a browser plugin to institutional levels, a myriad of issues arise. The reality is, DeFi has evolved for a market of individual traders managing their own capital, but operational challenges arise when “OPM” comes into play. Since the beginning of financial markets, and across all asset classes and market cycles, traders have tended towards using more and more OPM. For those unfamiliar with the term, OPM lovingly stands for, “Other People’s Money”. This article is for traders and potential investors looking to evaluate the current landscape of institutional capital in DeFi. We will not be focused on market speculation, but instead survey the challenges traders and investors face today and how it impacts you.

Executive Summary:

There are roughly four institutional ways to custody in DeFi:

1. Hardware wallets
2. Smart contracts and trading bots
3. CeFi’s DeFi integrations
4. Simulation-based approaches

Simulation based approaches scored the highest across our metrics, while CeFi’s DeFi integrations appear to pose real and poorly understood threats to their clients. This was our most surprising discovery.

DeFi is still maturing. There is a small but growing industry of professional traders and fund managers in DeFi. If DeFi is to live up to its potential, this crowd will become very important. We believe this is worth paying attention to.

Separation of church and state

Over the last hundred years, traditional markets have evolved to enforce the separation of trading and administrative privileges at every layer of the organization. Furthermore, large legal and technical systems detail precisely what the rules are when it comes to any given financial product or service. These modern structures protect investors from excessive financial risk, internal collusion, theft, and other malfeasance.

Over the last few years, CeFi has started to trend in this direction (albeit in part through bankruptcy and arrests) and as regulation comes into play, one may expect the market to largely replicate this familiar model. Crypto is a different asset class but the underlying market structure is comparably similar: centralized ownership of assets, operated either on-premise or on cloud-hosted services, where the speed of trading and the security of the assets is ensured by a few institutional operators.

The non-custodial nature of DeFi, however, makes managing capital at scale a more challenging problem. If a “large” DeFi fund (which today would constitute assets on-chain of only $40–100M) wants to actively trade its book, it runs into challenges around custody, trade execution, and data integrity. We explore these nuances in detail below. By and large, the central problem is how a fund manages its transaction security, which in CeFi is encompassed by custody of the assets, but in DeFi takes on a broader context. In assessing their options, DeFi fund managers — and perhaps more importantly — their LPs are affected by a tradeoff between transaction security, automated execution (e.g. a stop-loss button), and the ability to dynamically adjust risk.

DeFi’s core ethos is to build a base financial layer with open and equal access for all investors. In order to grow and reach mass adoption, DeFi will need to serve professional fund managers, who serve you and I, and bring market efficiency and much-needed liquidity.

It all starts with transaction security

When Bitcoin emerged from the ashes of the Global Financial Crisis, one of its more popular memes was to “be your own bank”. Through public key cryptography, blockchains enable a string of characters (the private key) to unilaterally control an account (the transaction outputs of a public address). The idea is summed up in the phrase “your keys, your crypto”. With Bitcoin, the only thing to do is hodl, which doesn’t spur much of a conducive financial system. DeFi picked up where Bitcoin left off and facilitated trading, lending, and other financial services with self-custody — trusting only smart contracts to execute predetermined trade logic.

Allowing everyone to be their own bank means that everyone also needs to store their own keys. Storing a private key on a phone or computer is fine if there are only a few hundred dollars in the account, but the calculus changes if that number is $10m or more.

Until recently, the only solution for large investors came in the form of centralized custodians that look and feel like a more traditional SaaS or financial firm. Custodians such as Coinbase, Anchorage, and Paxos will safeguard a private key and come bonded and insured. The issue here is that these custodians are primarily designed to hodl, and so they don’t realistically allow their clients to participate in DeFi.

For investors who want on-chain exposure, there are four main custody options, as shown in the table above. From this, it’s clear that there’s no perfect solution as they all involve tradeoffs between private key security, automated execution, and the ability to easily modify trading strategies.

Hardware wallets: On the solo scale

Individual traders are typically comfortable using a hardware wallet, like a Ledger, and storing the private key someplace safe. The benefit is that private keys are offline, so even if a device was compromised, no trade could be executed.

Hardware wallets are highly flexible in their ability to interact with any DeFi protocol and on almost any chain. They typically ensure good private key security, because the private keys are not easily compromised. The downside is they’re not scalable and most importantly — humans don’t read EVM bytecode, which has led to the long list of hacks and theft headlining search results. Still, this may be a functional setup for a small-ish DeFi fund doing mostly simple swaps or yield farming. Using a Gnosis Safe with multiple hardware wallet signers adds redundancy, but also makes it difficult to act quickly, and doesn’t solve the core problem of screening for potentially malicious transactions (for which there are solutions described below). Importantly, multi-signature wallets enable only a half-solution to the problem of separating administrative and trading privileges.

Trading bots & smart contracts: Scalable, flexible, and secure… kind of

While some DeFi funds may be content with swapping and yielding, others are running more complex strategies across multiple protocols and chains. Human signatories cannot be relied upon here. In the time it takes to initiate and sign a transaction, the opportunity has likely moved on or the damage is done.

Instead of humans, bots running on servers execute predefined trading strategies dependent on various market conditions. This is what most MEV traders do. For instance, a bot could be running a just-in-time (JIT) liquidity strategy on Uniswap v3, where it monitors the public mempool and immediately supplies liquidity when it observes a big swap, to earn the LP swap fees. To do this, the bot server needs to store the private keys, meaning whoever has access to the server has access to the keys and all the funds it controls.

To solve this access problem, firms write smart contracts that restrict the total functionality of the contract custodying the assets. Consequently, even if a private key was compromised, a malicious actor could not steal or redirect the funds to its own address.

This approach has historically been the only realistic option for automated trading. While it sufficiently protects the private key (or more accurately, removes the singular dependence) and enables real automation, it has one major downside, namely, firms need to write, test, and deploy a new smart contract for every adjustment in the trade, resulting in two prohibitive problems:

1. Hedge funds, whose survival is predicated on reacting quickly to market conditions, are slowed to the speed of an engineering team who isn’t allowed to make mistakes.
2. It is prohibitively expensive to secure the long tail of smart contracts, and as a result, it typically isn’t. There are regular instances of MEV bot smart contracts getting exploited.

In essence, it is kicking the private-key-can down the proverbial smart-contract-road.

Automated trading systems are essential for most professional fund managers. Yet problems arise when automated trade execution meets custody. One potential workaround being explored is the use of CeFi custodians to manage private keys for DeFi funds.

CeFi’s DeFi integrations: The most popular, most expensive, and least secure solution

The most popular option for large DeFi fund managers comes in the form of a crop of CeFi custodians that offer DeFi integrations. These service providers’ core products are their custody solutions (typically multi-party computation or MPC wallets), OTC trading, and CeFi integrations. They offer a predefined policy engine that manages risk and allows fund managers to give certain permissions to different users on their team.

These CeFi custodians can be divided into three different groups.

1. The first offers the most vanilla on-chain services, like staking and on-chain governance. They’re firmly rooted in a “safety first” approach, but at the cost of minimal functionality. Anchorage Digital is the best example.
2. The second offers DeFi integrations through Metamask Institutional or some other browser wallet. Using these custodians — Bitgo, GK8 and Qredo, among others — is potentially useful for a fund that is doing basic DeFi activity, like yield farming, swapping, or lending but doesn’t expect to need more than a small handful of functions.
3. The last group of custodians — best exemplified by Fireblocks, Cactus, and Copper — brand themselves as essentially “DeFi native” firms. They advertise a number of flexible services, including a configurable policy engine and automated execution for DeFi strategies. This hypothetically allow programmatic access to on-chain contracts and code which can set triggers for customized liquidity management, trade execution, or exit strategies.

The third group is the most important, as it advertises the functionality that is necessary to trade professionally on-chain. In order to prevent malicious activity, these services apply a policy engine that whitelists certain smart contract addresses that traders are allowed to interact with. The problem is that while they advertise features such as the ability “to deploy systematic DeFi strategies while maintaining the highest level of fund security on an institutional-grade platform” and an API “that enables programmatic access to smart contracts, while extending security to every DeFi interaction” their policy engines do not actually check the behavior of on-chain transactions — neither for manual nor automated trading.

These firms only check high level ‘to’ and ‘from’ fields of a DeFi transaction, ignoring its behavior (encoded in what is called the “calldata”). This approach is the security equivalent of asking for one’s DOB on certain adult websites…

Consequently, firms and their investors are often under the impression they are being protected from theft or effectively separating trading and administrative privileges when they in fact are not.

This vulnerability indicates that these firms are adding DeFi functionality to an existing product, rather than building a DeFi-native system that understands the nuances of how blockchain transactions work. However, there is an emerging industry of DeFi native providers that have one important thing in common.

Simulation-based approaches: Perhaps the best we have, but not a silver bullet

Over the last two years, DeFi native startups tackling “the transaction security problem” have evolved into more dependable service providers. There are, so far, three groups of solutions, all with one thing in common — they all take a “transaction simulation based approach”.

Simulating the transaction allows either a person or a policy engine to look at the result of a transaction and judge whether it is secure. For example, if as a result of the transaction, funds end up in an account you’ve never seen, no matter how it happened, you likely want to reject that transaction.

Where these firms differ, is their approach to custody and private key storage. There are roughly three categories:

1. Custodians — Fordefi is a direct competitor to the likes of Fireblocks, Cactus, and Copper for their DeFi business. Unlike the CeFi custodians, their policy engine is based on transaction simulation. The upside is they credibly protect their clients in DeFi, in contrast to the aforementioned custodians. The simple downside is that most firms already rely on a custodian and changing can be a big headache.
2. Security analytics solutions — Examples include Pocket Universe for individuals and Hypernative, Redefine, Hexagate, and others for institutions. These solutions provide their clients with visual queues before a transaction takes place, allowing clients to avoid high risk transactions. These firms, in contrast to the custodians, do not manage any private key material, making them more of a “security advisor” than a custodian.
3. Co-signers — DeFi Armor (disclosure, built by Eulith) may offer the best of both worlds, but are also the newest of these three categories with DeFi Armor being perhaps the only product in this niche sub-industry. As is the case with the above two categories, they offer a simulation-based policy engine. The difference is in private key storage — their clients can choose their own custody solution and then separately “plug in” this co-signer, which stores an additional private key and rejects transactions automatically if they are unsafe.

While our research indicates simulation-based approaches are the best we have, they’re not a silver bullet either. There are two main downsides to be aware of:

1. A transaction simulation can take up to several seconds, which is too slow for certain strategies. In these instances firms are back to rolling their own smart contract security.
2. A simulation-based policy engine is not inherently bulletproof. As with any security system, there are ways to get it wrong. The most common way is ignoring the potential consequences of pre-trade state-change (a topic for another article!).

The bottom line is while simulation-based approaches appear to be the best, institutional firms should test these solutions before depending on them for large allocations.

DeFi is still maturing

We see the future of financial systems in DeFi because of the implications of self-custody, inherent transparency, and permissionless access. We’re concerned with maintaining a fair playing field, which motivated our research on MEV. DeFi’s non-custodial design actually gave individual investors a head start; even with the juicy yields of DeFi summer, the custodial options were not robust enough to justify the risk for fund managers. However, this is starting to change, and will be a huge net positive for the industry.

To accelerate this change, and to help DeFi to scale, the advancement of infrastructure specialized for investors to use is the next critical step. There’s currently a lot of focus on developing better wallets for retail users with social recovery, but what’s equally needed is a robust way for institutional investors to access DeFi without compromising risk management. Importantly, these innovations are being built on top of blockchains, and don’t require a compromise on DeFi’s commitment to a permissionless financial system.

Special thanks to the many dozens of firms who gave us their valuable time and insight in developing our research.