Everything in this pillar so far has been written for the individual. The threat model, the hardware versus software question, the exchange-versus-wallet line: all of it is calibrated to a person making decisions with their own money, accepting their own consequences.
Allocators do not have that freedom.
When you hold crypto on behalf of someone else (a client, a fund's investors, a family across generations, a corporate treasury, a DAO), every custody decision is a fiduciary decision. You are not allowed to lose the keys because life got busy. You are not allowed to keep the keys on a hot wallet because withdrawals are tedious. You owe a standard of care that an individual does not owe themselves. The custody model has to support that standard, not just feel reasonable.
This lesson is the honest map of how serious operators actually solve that problem.
The four custody patterns
Allocator-grade custody, across most of the industry, lives in one of four shapes. They are not exclusive (most operators use a combination), but every approach you read about, sold under any branding, fits into one of these.
- Qualified custodian. A regulated third party holds the keys. They produce statements, undergo audits, carry insurance, and handle the operational burden. You retain a contractual claim.
- Self-custody multi-signature. The keys are held by your team, but no single person holds enough to move funds. A defined number of signatures (M of N) are required for any transaction. Geographic and procedural separation between signers is the entire point.
- MPC custody. Multi-party computation distributes pieces of a single key across multiple devices or parties, such that the full key never exists in one place at any time. From the chain's perspective the wallet looks like a normal single-signature wallet. From the operational perspective it works closer to multi-sig.
- Hybrid models. A primary qualified custodian for the bulk of holdings, a self-custody multi-sig or MPC layer for operational accounts, and a clearly defined process for moving between them.
Each pattern answers a different question about what you are afraid of.
Qualified custodian, self-custody multi-sig, MPC, or a hybrid. Every serious crypto custody program is one of these four. The choice is a function of which threat you are most willing to accept and which one you cannot tolerate at all.
What each pattern actually defends against
Read this section as a map. The right pattern for your fund or family is the one whose defended threats match the threats you have, and whose accepted threats are ones you can live with.
Qualified custodian. Defends against operational error by your team, key loss, and most categories of attack on your own infrastructure. Accepts counterparty risk on the custodian (insolvency, regulatory action, single-point-of-failure events). Accepts reduced privacy. Accepts limits on what you can do operationally without going through the custodian's flow.
Self-custody multi-signature. Defends against single-point-of-compromise on your own team and against external counterparty failure. Accepts that your team must run the security program competently, every day, with no outside backstop. Accepts higher operational complexity. Accepts that key holders must be people you can trust over a long horizon.
MPC custody. Defends against single-device compromise, supports flexible policy on who can sign, looks like a normal address on chain. Accepts vendor risk on the MPC implementation (the math is settled, the implementations are not all equal). Accepts dependence on the vendor's tooling for ongoing operations.
Hybrid. Reflects the reality that no single pattern is perfect for every dollar in the fund. Accepts the additional complexity of having more than one custody system to operate.
The right answer is rarely "pick one and stop." It is "match the layer to the use case." A fund's long-term cold position can sit with a qualified custodian. The operational treasury runs on multi-sig. A small hot working balance lives in MPC for transaction velocity. Each layer is sized to its job.
The questions a real diligence pass actually asks
If you are evaluating a custody arrangement, your own or a third party's, the diligence questions that matter cluster around a small number of properties:
- Who can move the funds, and what would have to fail for them to move without authorization? Number of signers, location of keys, attack surface of each signing device, recovery procedure.
- What happens if a key holder dies, leaves, or becomes compromised? The protocol for rotating, replacing, or removing a key holder is the protocol you will execute under stress someday. It needs to exist before that day.
- What is the recovery story? For lost keys, lost devices, destroyed locations. The recovery story for an allocator is more demanding than the recovery story for an individual, because "the funds are gone, sorry" is not a fiduciary outcome.
- Where is the audit trail? Who can produce a third-party-verifiable record of every transaction, every signer, every approval, on demand? The chain provides one half of this. The internal-process layer provides the other.
- What is the insurance posture, and what does it actually cover? Custodial insurance is real but bounded. Read what is covered and what is excluded carefully. Most policies cover external theft, not internal loss or operational error.
- What is the regulatory standing? Custody of client assets is a regulated activity in most jurisdictions. Operating outside of it, even unintentionally, is the category of mistake that ends careers.
A diligence file that answers these six questions, with documentation, is the difference between a custody program and a hope.
"We use a hardware wallet" is not a custody program. It is a tool. Without policies on who has the device, how the seed is backed up, who can authorize withdrawals, and what happens if the holder leaves, the tool is decoration. Every fund that has lost client funds in the past five years had hardware wallets. They were missing the program around them.
The estate-continuity dimension
For family offices, generational holdings, and any fiduciary horizon longer than a single team's tenure, custody must survive the people running it. This is not a self-custody problem. It is an inheritance problem, and it has its own pillar.
For now, the relevant point is this: any custody arrangement that depends on a specific person being available to authorize transactions has a lifetime equal to that person's reliability. Real allocator-grade custody plans for the day the original signers are no longer in the picture. That plan is part of the diligence file or the diligence file is incomplete.
Several recent custody products explicitly include estate-continuity protocols (XColdPro's Lazarus Protocol is one, covered later in the inheritance pillar). Whether you use a vendor solution or build your own, the requirement is the same: a documented, tested, executable procedure for what happens if the principals are no longer available.
A short list of mistakes allocators make
Pattern recognition from the failures of others, ranked roughly by frequency.
- Treating custody as a one-time setup decision. Custody is an operating program, not a configuration.
- Assuming a qualified custodian eliminates risk. It changes the shape of the risk. Counterparty failure is a real category, and several large custodians have failed in specific ways within recent memory.
- Building a multi-sig with insufficient geographic and procedural separation. Three keys held by three people in the same office is not real M-of-N protection.
- Skipping the recovery rehearsal. The first time you execute the recovery procedure should not be the first time you need it.
- Not aligning the custody model with the regulatory posture. Operating an unregistered custody service for clients is the kind of mistake that does not unwind cleanly.
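The M-of-N policy from the custody patterns section, the key-holder rotation question from the diligence list, and the co-located-signers mistake above can be checked mechanically. This is an added illustration, not code from the lesson or from any custody vendor; the signer names, sites and the `SigningPolicy` class are hypothetical constructs.

```python
from dataclasses import dataclass, field
from typing import Dict, Set

@dataclass(frozen=True)
class Signer:
    name: str
    location: str  # where the signing device and its key actually live
    role: str      # procedural role, e.g. "ops", "principal", "counsel"

@dataclass
class SigningPolicy:
    threshold: int                # M: approvals needed to move funds
    signers: Dict[str, Signer]    # N key holders, keyed by name
    min_locations: int            # distinct sites required among approvers
    revoked: Set[str] = field(default_factory=set)

    def active(self) -> Set[str]:
        return set(self.signers) - self.revoked

    def is_well_formed(self) -> bool:
        # Enough live keys, spread across enough sites. Three keys in one
        # office fail here: that is a one-site policy wearing an M-of-N label.
        live = [self.signers[n] for n in self.active()]
        if len(live) < self.threshold:
            return False
        return len({s.location for s in live}) >= self.min_locations

    def approve(self, approvals: Set[str]) -> bool:
        # Revoked keys never count, even if their holder still has the device.
        valid = {n for n in approvals if n in self.active()}
        if len(valid) < self.threshold:
            return False
        return len({self.signers[n].location for n in valid}) >= self.min_locations

    def rotate(self, old: str, new: Signer) -> None:
        # Revoke first, then admit the replacement: no window where both count.
        if old not in self.active():
            raise ValueError(f"{old} is not a live signer")
        self.revoked.add(old)
        self.signers[new.name] = new

def demo() -> Dict[str, bool]:
    # Constructed scenario: a 2-of-3 with every key in one office, versus a
    # 2-of-3 with geographic separation that then rotates out a departing signer.
    same_office = SigningPolicy(2, {s.name: s for s in [
        Signer("ana", "NYC", "ops"), Signer("bo", "NYC", "ops"),
        Signer("cy", "NYC", "principal")]}, min_locations=2)
    separated = SigningPolicy(2, {s.name: s for s in [
        Signer("ana", "NYC", "ops"), Signer("bo", "ZRH", "principal"),
        Signer("cy", "SGP", "counsel")]}, min_locations=2)
    before = separated.approve({"ana", "bo"})
    separated.rotate("bo", Signer("dee", "LON", "principal"))
    return {"same_office_well_formed": same_office.is_well_formed(),
            "separated_approves": before,
            "departed_key_still_counts": separated.approve({"ana", "bo"}),
            "replacement_counts": separated.approve({"ana", "dee"})}
```

The rotation step is the part worth rehearsing: the departed key stops counting the moment it is revoked, before the replacement is admitted, which is the order a real key-holder change should follow.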
What this gives the rest of the operation
The custody program is the foundation under everything else the fund or family does in crypto. Allocation, trading, lending, RWA participation, the full DeFi stack: all of it sits on top of the assumption that the underlying assets are still there at the end of the day. When the custody layer is right, the rest of the program has somewhere to stand. When it is wrong, no amount of upstream sophistication compensates.
The honest summary: pick the pattern that matches your threats, document the program around it, rehearse the recovery, plan for continuity, and treat the diligence as ongoing. There is no clever shortcut.
Allocator custody is one of four shapes (qualified custodian, multi-sig, MPC, or hybrid), each defending different threats and accepting different ones. The tool matters less than the program around it. Diligence asks who can move funds, what happens when people change, what the recovery story is, and how it survives the principals leaving. Get that program right, and the rest of the crypto operation has a foundation. Get it wrong, and nothing upstream matters.