Bitcoin was designed so you can be your own bank. So why on earth would you now use three? An exploration of the trade-offs of reintroducing banks into your Bitcoin security setup.
Can you believe that it was just two years ago that FTX collapsed sending the entire ‘crypto’ industry into a tailspin?
For those unfamiliar with the story, FTX was a major crypto exchange that collapsed in spectacular fashion in November of 2022. To cut a long story short, it transpired that FTX had been channelling customer funds through their sister company Alameda Research to gamble on high risk shitcoins.
To add insult to injury the CEO Sam Bankman-Fried and his colleagues were doing all of this from a swanky penthouse in the Bahamas, while high on stimulants.
As you might expect when degenerates are taking drugs and gambling on meme coins, it eventually ended in tears. FTX collapsed and the chaos it caused triggered a ripple effect that would reveal a whole host of other poorly managed ponzi schemes that had been defrauding their customers. There was a long list of casualties including names like BlockFi, Genesis, Celsius and Voyager Digital. All of which ended up filing for bankruptcy. Confidence was destroyed and the whole ‘crypto’ market imploded causing billions in losses.
Unsurprisingly the legacy media were quick to proclaim the imminent demise of Bitcoin. Even the European Central Bank couldn’t resist trying to kick Bitcoin when it was down.
Whilst a lot of people did lose faith in Bitcoin based on what happened during the FTX explosion, those who had done their homework knew that Bitcoin wasn’t going anywhere. The events that unfolded never revealed any fundamental flaws in Bitcoin. All it really showed is that you should never trust third parties with your money as they are likely to gamble, cheat and steal.
The reality is that FTX was a great advertisement for Bitcoin, it highlighted once again that a currency that does not require trust in third parties is exactly how we avoid such calamities in the future.
Now in 2024, and in painfully predictable fashion, Bitcoin has once again risen ‘from the dead’ as its price in US Dollars is nearing new all-time highs.
But claiming that Bitcoin has ‘risen from the dead’ is a ridiculous statement for a couple of reasons. Mainly because to rise from the dead you first have to die, and Bitcoin never did. Throughout the entire FTX debacle Bitcoin never missed a beat and just kept doing its thing and producing new blocks of transactions roughly every ten minutes. It’s just software. It cares not what ridiculous things humans decide to do with it.
Another important thing to remember is that the price of Bitcoin is the least interesting thing about it. The price plummeted because some degenerates were gambling with customer funds and a bunch of ‘investors’ got their fingers burned. This led to a market full of fools losing interest in Bitcoin because they equated FTX’s failure to some sort of inherent flaw with Bitcoin.
Because these people never did their homework, they failed to recognise the irony in 3rd parties proving themselves untrustworthy and Bitcoin being designed to solve that very problem. They didn’t recognise that the only things that ‘die’ are trusted third parties.
Nevertheless, Bitcoin’s price is rising once more. This time spurred on by Wall Street’s Bitcoin ETFs, growing political support, and of course more endless monetary expansion.
And as always, as Bitcoin’s price rapidly increases, the same people who got their fingers burned last time are coming back to buy Bitcoin in their droves. Some will have learned their lesson, but many won’t have. And accompanying them will be the next wave of beginners who will start ‘investing’ in Bitcoin before truly understanding it.
So what mistakes are these people likely to make this time round? It always starts with outsourcing their trust to third parties, but what new pitfalls await them in 2025?
In this article we want to explore one of the latest ways that third parties are trying to remain relevant and claim that your Bitcoin is ‘safer’ in their hands. Let’s take a look at one of the latest trends in securing your Bitcoin, Multi-Institutional Custody.
Multi-institutional custody pretty much does exactly what it says on the tin. Rather than securing your wealth yourself, these companies want to entice you into entrusting your wealth to a quorum of institutional third parties. They offer a custody setup that creates a multi-signature wallet shared between multiple separate companies.
The idea behind this is that each of these companies will hold a private key to ‘your’ Bitcoin wallet. The key feature is that ‘your wallet’ requires the keys held by more than one institution to sign a transaction and move any funds. None of these companies can move your Bitcoin by themselves.
And because multi-sig is such a useful tool, this kind of setup comes in multiple flavours….
In this model all the keys to your Bitcoin are distributed between multiple companies. You hold none yourself. None of these organisations can move your funds by themselves as each only holds one private key and it requires more than 1 to sign a transaction.
In this model you don’t hold any of the private keys to your Bitcoin, preventing you from making transactions without first having to seek permission. Not ideal for a permissionless currency.
In this model you gain slightly more control. Typically, you will retain control of one key and two or more counterparties will hold also hold a key. Again, it will take more than one key to make a transaction.
In this setup you still cannot make a transaction without first seeking permission and having one of your counterparties co-operate with you.
These two parties could collude with one another to move your Bitcoin without you but the expectation is that trust, ethics and the rule of law means they won’t.
Finally, you could opt for a setup where you hold the majority of the private keys to your wallet. This gives you the advantage of being able to send transactions without seeking permission and move funds to a new address where only you have sole control.
This is a slightly better setup because your counterparties can't move your Bitcoin even if they collude with one another.
However, their usefulness is diminished by this. If you manage to lose all your keys at once, then they have no way to help you restore access. You have potentially reintroduced a single point of failure again.
Each of the multi-institutional setups described above live on a spectrum of how much control you have over your money. Each time you take slightly more responsibility you gain slightly more control, and your risk model changes slightly. To simplify things, we have listed below the main selling points used by those who promote these kinds of services:
- It’s more convenient
Proponents would argue that less responsibility means more convenience. If you don’t have to manage private keys, you apparently have one less thing to worry about.
- No single Point of Failure
Because you are not trusting a single custodian and you don’t hold all the keys yourself you have spread the risk far better than leaving your coins on an exchange. You also have a recovery method should you lose your keys.
- Harder to Steal Your Bitcoin
One argument that proponents also lean heavily on is that it makes it far harder to steal your funds either through hacking or physical attacks.
It all sounds so simple and of course, any good marketing pitch always is. But as with any security model you choose to protect your Bitcoin, it comes with its own set of trade-offs that are rarely explored closely enough by customers.
At The Bitcoin Way we don’t offer multi-institutional custody services or partner with anyone who does, and you won’t see us offering these services at any point in the future either. But why not?
Let’s explore the security trade-offs of multi-institutional custody in a bit more detail…
The trade-offs associated with using institutions to help custody your Bitcoin are often glossed over, and the benefits oversold. So, let’s take a closer look at the drawbacks and proposed benefits to see if they are all they are cracked up to be.
One of the big selling points used for multi-institutional custody providers is that it offers the user more convenience. By outsourcing trust, you seemingly lower the burden that rests on your own shoulders to keep yourself secure.
On the surface of things this seems to make some sense. But can you really just dump your responsibilities like that without a care in the world? If you’re protecting generational wealth this strikes us a little cavalier. How much due diligence do you plan on doing on your counterparties?
- Have you verified that their Bitcoin storage solution is robust?
- How do they generate keys? Will you be able to verify that the addresses you create are your using open-source tools?
- How do they manage the keys? Are they in cold storage or available via an API? How robust is the companies’ overall cybersecurity beyond just Bitcoin?
- Can you access the multi-sig files and verify your balances are true via your own node?
- If you were going down this route, were you even planning on running your own node?
- If a custodian goes offline is there a viable method for key recovery? Do you understand it? Would you have to learn how to run a Linux computer and use the command line to do it?
We could go on, but the bottom line is that if you’re not doing your due diligence like this then you’re simply not taking the protection of your wealth seriously enough. The trouble here is that to appraise all of the above is going to require some concerted time and effort on your part. Ultimately, you might even find you’re not able to get answers to all of these questions anyway. Some of them won’t be answered based on the institution’s security concerns.
All of a sudden, the idea that this is an extremely convenient way to secure your Bitcoin starts to fade quite rapidly. If you’re doing things properly then you’ll still find yourself running a node and learning key generation and management. This begs the question that if you’re having to learn these skills anyway, how exactly is it more convenient?
It turns out that absolving yourself of all responsibility isn’t actually possible unless you’re willing to just throw caution to the wind and hope for the best.
That’s rarely a good strategy.
The other main argument supporting multi-Institutional custody is that there is ‘no single point of failure’ and to a large extent this is true. But not always.
For example, if you go for a setup where you hold the majority of the keys, then you’ve removed a single point of failure when itcomes to potentially losing them. But you still have a single point of failure when it comes to having the keys you’re controlling stolen and used to move your funds.
So, things are a little more nuanced than they first look. You have removed one scenario that has a single point of failure, but not all of the scenarios You’re still going to have protect the keys you hold properly, the same way you would in self-custody.
In alternate multi-institutional setups where you don’t control enough keys to transact, you do lower the risk of theft due to a single point of failure. But you can only do so by giving up any autonomy over using your Bitcoin without the permission of a third party.
It’s also important to point out that all of this is predicated on the assumption that the distinct entities you choose will never collude with one another. Remember that this is always an assumption, and you are only trusting that this won’t happen. It’s not impossible. Have you appraised how interconnected they are? Do they have the same VC backers? Who ultimately controls them?
In this love triangle you’ve found yourself in are they particularly friendly? Do the CEOs regularly ‘do lunch’? Sounds cosy. What might happen if they were both like SBF and Mashinsky?
And how likely are these counterparties to co-operate with Governments if forced to?
The point is you can’t eliminate risk completely. You may be able reduce some risks, but only by raising others. You may be able to reduce the risk of a physical attack, but only by risking your exposure to potential government sanctions.
Perhaps it all depends on how much trust you have ininstitutions. We find that ours has completely run out.
We have already alluded to this slightly, but one of the biggest claims that multi-institutional custody providers claim is that this model makes it much harder to steal your Bitcoin.
But an interesting question here might be. Harder for who?
Would it be harder for a thief to steal from you? Arguably yes, how would they get multiple counterparties to sign off on transactions without alerting the authorities?
But would it be harder for these organisations to collude to steal your Bitcoin? Well clearly not, they have enough private keys to make transactions, it would be unbelievably easy. A 5-minute job. Is it likely? That’s up for debate. Could multiple parties be easily coerced by powerful governments? Again, it’s up for debate, but these companies act as more attractive honeypots than the resource intensive process of trying to shakedown individual Bitcoiners.
And the real kicker in all of this is that there is absolutely no reason, none at all, that you couldn’t create your own multi-Sig setup to mitigate single points of failure. It’s important to understand that Bitcoin is open-source software. Anything an institution can do, you can do yourself. You can distribute keys and form your own collectives with people you love and trust. Don’t for a second believe that you can’t adopt a distributed multi-sig setup without the help of an institution.
The biggest elephant in the room when it comes to multi-institutional Bitcoin custody, as with any form of collaborative custody, is the complete loss of any financial privacy.
When you create a multi-sig setup with any third-party institution, you're essentially giving them the ability to track ALL of your financial activities associated with that wallet. Not only will they be able to monitor everything you do with your Bitcoin, they will also wrap up all your mandatory KYC information, linked with information about your Bitcoin stack, into a tempting little honeypot for potential hackers. Nice.
A lot of people don’t care enough about their privacy and may dismiss these issues. But if you can’t imagine a future where your Government sanctions certain Bitcoin services and addresses then perhaps you didn’t notice a certain Mr Trudeau blocking people’s bank accounts for opposing a protest against his government’s policies.
As always, all these risks are hypothetical, but they all exist within the realms of possibility. Giving up hope of any financial privacy for wealth you’re trying to protect for generations seems cavalier. There is no predicting how governments and institutions might shift and change over time and how various threats might evolve. Having all your financial information available to third parties is something that could turn out to be a costly mistake.
And arguably it’s an unnecessary mistake. Especially when you consider that there’s nothing stopping you from creating your own multi-sig solutions that don’t require you to bend over and bare all when asked.
Hopefully that gives you a better understanding of where some of the hidden trade-offs with these kinds of custody setups lie. It’s always good to appraise all of your options. We couldn’t cover everything but there is more information on this topic that you might find interesting here.
The main take away from this should be that no security model is 100% perfect. There might be a case for large companies to use multi-institutional custody setups but in those circumstances those in senior positions act more like stewards of the company’s wealth rather than direct owners.
In the case of protecting personal wealth, we think the trade-offs of working with institutions simply aren’t worth it and that the benefits aren’t as great as they seem. They are only more convenient if you are willing to just YOLO and not do any due diligence and they don’t mitigate every threat of losing your funds. And of course, any setup offered to you by an institution can be created all by yourself.
If you think the same way that we do then let us show you that it’s quicker, safer and easier to learn the skills to become fully self-sovereign. You can take control of your wealth yourself in any type of setup that best matches your unique circumstances.
If you love freedom money because you want to be totally free, then you should probably give us a call.
Learn from our 25 years of cybersecurity expertise