You are getting ready to send funds to an exchange from your hardware wallet. You copy the public address from the exchange and into the wallet software. After triple-checking the address, you are confident you are not a victim of clipboard hijacking and have copied it correctly. Holding your breath, you click to approve the transaction. Now you've sent your funds to the chain and there is no turning back. Waiting in suspense, you check the transaction on the chain explorer, and you can see that it has one confirmation. Then two, then three. It finally settles, you exhale, and go on about your business.

Those of use who have been a part of the space for a while are very familiar with this sense of unrest. Whether you're a newb or a maxi from the early days, we've all been there. And most of us started by always sending a small test transaction first. The truth is that confidence in making these transactions grows only through proper vigilance, but for some, it was unfortunately learned by making costly mistakes. After all, a core property of blockchain is finality - sending to the wrong chain or address is effectively irreversible.

In part, what makes blockchain transactions irreversible is that there is no centralized party to appeal to. There is no singular body to trust. The network must reach final agreement via cryptographic consensus, making a blockchain a trustless financial system of record.

On the contrary: self custody (the practice which allows us to "be our own bank") is not necessarily trustless. It does, however, reduce exposure to financial intermediaries, so it empowers us with more financial sovereignty. And in an era where central banks consistently prove greedy, taking self custody of funds is an alluring prospect for new buyers. But it can also be daunting. Indeed, hardware wallets were designed to solve many of the associated fears of self custody. By abstracting away private key custodianship, hardware wallet manufacturers have created new trust relationships.

Because of this, anyone who plans to self-custody "crypto" should have at least a primitive understanding of public key cryptography, which is used to ensure blockchain transactions are authorized. Even though the word crypto often carries a negative connotation in the community, the term should not be considered taboo. Cryptographic consensus is the very foundation of our trust in valid transactions and blocks because it allows all nodes to synchronize sets of transactions independently.

Cryptography indeed enables secure monetary systems, networks, and data transactions. It is used to verify private keys without directly accessing them; it also verifies the owner of the wallet using signature algorithms. Still, vectors of trust and risk do permeate self-custody practices in the crypto space, which introduces this paradox of self custody and trust.

In Crypto We Trust

Those who willfully enter the crypto space are indeed trusting many things including cryptography, consensus mechanisms, and game theory equilibria. While it isn't ignorant to trust in cryptographic protocols, implementations of crypto wallets have always carried known risks.

In How Perfect Offline Wallets Can Still Leak Bitcoin Private Keys (PDF), researchers show how a wallet sending transactions could fall victim to malicious implementations. Elliptic Curve Cryptography, for example, is what is used to generate public-private key pairs and digital signatures, and early implementations of the Elliptic Curve Digital Signature Algorithm (ECDSA) had known vulnerabilities. In this research example, the point along the secp256k1 elliptic curve is chosen by the wallet software instead of the algorithm's libraries. Under this configuration, the randomness with which that point is selected is external to the ECDSA algorithm.

Nefarious code can then choose a point along the secp256k1 elliptic curve that is non-random or predictable, allowing for the effective forgery of digital signatures. Later implementations adhering to RFC-6979 helped mitigate this by selecting random numbers deterministically. This mechanism - internal to the algorithm's libraries - ensured that the nonce (i.e., number used only once) is not reused across multiple digital signatures.

The point is that most in the space implicitly trust cryptography. In doing so, we may blindly assume blockchain security models are robust enough. One such blind spot is the expectation that blockchain consensus is quantum resistant, which is an arguably negligible threat. Perhaps more critically, we must acknowledge our trust in consensus game theory principles. Hashpower must be decentralized enough to protect against coercion, collusion, and censorship. Ultimately, the longest chain needs to win to achieve immutability and to maintain trust in the consensus.

This much should be clear, but things can get fuzzy on the question of trust when talking about wallet transactions. Bottom line, funds would never be sent anywhere on the blockchain without some piece of code being executed on a device. When the wallet holds the private keys, self custody is then a bit of a misnomer. And perhaps the entire community is doing itself a disservice by not making one important distinction:

Self custody is not necessarily self hosting. The storage device or software can be the key custodian, even when the owner is its sole operator. Self custody then does not equate to trustlessness; it is just a form of financial choice and control. Any notion that trustlessness can be achieved in some pure, unadulterated sense must be a logical fallacy.

And so we also trust in wallet manufacturers, third-party chip certifiers, sellers, shippers, code auditors, and - biggest of all - firmware developers. Maybe you do have a truly airgapped, offline solution. Or maybe you have a paper wallet, but even then you are trusting in seed generation methods (i.e., entropy). Above all else, you are trusting yourself and your own environment. But as members of the crypto community, what we can focus on is what we can control.

In Why We Need Wide Adoption of Social Recovery Wallets, Vitalik Buterin writes:

This power of choice cannot be overstated. Choosing to self-custody is empowering, and with hardware wallets, it may feel safer and more secure. Indeed, private keys are isolated, and as the sole operator, you can maintain control. Risk management is therefore vital, but the question of acceptable risk is a highly subjective one. It is largely determined by a user's knowledge of options, their technical skill, operational security, and overall risk tolerance. While the problems of malicious software may never fully be solved, hardware wallets can significantly reduce the risks of such key exposure or loss of funds. To restate the obvious, however, fears about private key leakage or disclosure are still valid.

Holding this frame, users' perceptions of hardware wallet security were recently shaken by announcements of key recovery features. And by extension, so was trust in many types of self custody. Given this shift in user psychology, an opportunity is presented to take back our choice of control. Future adoption of Bitcoin and other digital assets will rely upon these security perceptions. An improved user experience for those who wish to self-custody their funds. To combat new risk vectors, what users can do is to choose their own cryptographic circles of trust.

The Circle of Trust

Secret Sharing and Social Recovery

Most in the community are familiar with ever-growing estimates that ~4 million BTC are assumed lost forever, a number roughly equal to 20% of the final Bitcoin supply. Others may have heard the stories of Bitcoin being lost on the legendary "boating accidents". While the latter is mostly anecdotal, the former statistics do highlight the need for improved self-custody methods especially to protect novice users from loss. While private key recovery is controversial (and with good reason), it is because of lost funds that social recovery features may be both desirable and in demand. Regardless of any user preferences, there is some historical precedent here.

Secret sharing was first introduced by Adi Shamir in 1979 as part of his paper How to Share a Secret (PDF). The idea behind it was simple yet powerful - divide something (like a private key) into multiple parts so that only specified combinations could unlock it. Still today, this method provides enhanced security against unauthorized access, but it poses challenges when users lose portions of their keys. Because losing private keys means losing access to assets permanently, social recovery is a natural evolution of secret sharing. In social recovery systems, a group of trusted guardians are chosen to hold an encrypted share of the seed.

When needed, these contacts can come together and decrypt the respective portions to reconstruct or recover the original seed. Verifiable Secret Sharing (VSS), an extension of Shamir's initial concept, plays an important role in enhancing trust within such social recovery systems. VSS allows any participant in the scheme to verify whether their share is correct without revealing it. Ensuring integrity while maintaining confidentiality, VSS checks that guardians hold valid shares before they attempt to reconstruct the original key. Without these verification measures, malicious actors can potentially provide incorrect shares and compromise the entire process. Social recovery is then akin to multi-sig schemes, where wallet owners can require M of N key shard custodians to process a transaction.

Both social recovery and multi-sig schemes require a high level of trust that one's guardians or custodians will cooperate when needed. Assuming you can rely on enough of your custodians, such methods have no single point of failure, or put another way, no single point of vulnerability. Such methods can distribute risk; they can also displace or redistribute trust. Multi-sig then ensures that no single person can access funds without agreement from multiple parties. With social recovery, key reconstructions are also only possible with a trusted circle of one's choosing.

Hardware wallet manufacturers have responded with similar recovery features. Ledger, for example, launched a recovery feature in which they effectively choose your custodians for you. These custodians holding private key fragments could be viewed as "key escrow firms". Under this configuration, users do give up some degree of control. Whatever option users choose, proper self custody or hosting takes technical prowess and vigilance.

Ultimately, users need to assess the risk and trust vectors to make the right choice for their needs. Some may actually want self-custody options that protect them against user error, where others will want to internalize as much risk as they can by self-hosting. At the end of the day, the Bitcoin blockchain is an open-source, peer-to-peer monetary network. Transparency is therefore the key to trust. This is why many people self-host, and why calls for open-sourced firmware for all hardware wallet manufacturers are both valid and critical for adoption.

Bigger picture, what self custody is really about is true ownership of assets. It speaks to an understated wisdom that centralized banking systems have inherent flaws as financial custodians. Power centers introduce greed, and greed begets power. The ability to self custody does not solve this, nor is trustlessness alone a solution. With self custody, though, we can regain some financial sovereignty. We can put our trust in systems we choose and control. And that is what this financial revolution is about. ✌🏼

You can check out an overview of Self Custody in the Chain Concepts wiki, along with:

- information on wallet attack vectors,

- atomic explanations of wallet types,

- and some examples of software and web wallets.

Subscribe or share now for early access to my next article under the working title You Cannot Decentralize Greed. Don't forget to revisit the wiki for upcoming updates. 🤙🏼

For many in the crypto community, the last 18 months have been a tumultuous journey. Many long-term holders have endured volatility before, but the Spring and Summer of 2021 undoubtedly kickstarted a hellish bear market. This market - filled with the usual amount of uncertainty - was still quite unique in its own right. Most notably, a seismic shift in Bitcoin hashpower began in May of 2021, during which roughly 50-60% of Bitcoin's computational power poured out of China. The price of Bitcoin (BTC) then experienced swings of ~40% in the span of days or weeks, demonstrating volatility the likes of which we had not seen since the 2017 bull run.

Still, the Bitcoin network proved resilient in the face of major migrations, bolstering its claim as a decentralized and secure monetary network. Despite the looming bear market, some remained incredibly bullish. Companies like MicroStrategy, for example, was investing hundreds of millions of dollars in BTC. Under this light, the digital asset landscape was looking more stable and secure, making it palatable for investors of all kinds.

Of course, market cycles do exist, and the Bitcoin Halving is a key part of that. But just like in 2017, many arrived late to the party in 2021 and locked in severe losses. Around the same time, some holders were staying in the game with serious conviction, locking up their Ethereum on-chain prior to its migration to Proof of Stake. Then, at an uncertain point, the 2021 correction caused a shift in investor thinking.

In droves, retail investors sought refuge in stablecoin banks. Others placed their BTC and ETH into platforms for percentage yields in the mere single digits. Everyone wanted to earn while they waited on the sidelines. This trend rapidly normalized yield-seeking behavior, building a pyramid of liquidity pools with low-to-no oversight. Under this new normal, investors unwittingly exposed themselves to counterparty risk at a level never before seen. And the kicker? This was all done in an ecosystem that should’ve read the tea leaves of impending collapse.

Indeed, there were some signs, and then those signs turned into waving red flags. As firms like BlockFi agreed to pay regulators $100 million, the company was slowly reducing the yields in the name of "sound risk management". In Mid 2022, Voyager Digital even suspended customer withdrawals, later seeking out firms who could absorb their losses. And in spite of ongoing litigation, Voyager customers have only just received ~35% of assets back. As a stark example of this pyramid of illiquidity, the now-defunct FTX actually had plans to buy Voyager Digital.

Still today, the saga continues for those with funds frozen in the Gemini Earn program, who are collectively owed ~$900 million. Any investor with funds locked up, whether it's $1000 of BTC or $100k worth of USDC, has a daily reminder of the lessons taught by Satoshi Nakamoto's staunchest fans. Trite but true, conventional wisdom has always been Not Your Keys, Not Your Coins. It has been repeated so often that it must be considered dogma.

With untold losses too many small fortunes to count, all too many have lost funds to theft, scams, centralized exchanges, forgotten memories, and simple human error. So now, there is another side to this coin. Many investors decided to promptly exit exchanges and move funds to cold storage, reemphasizing the importance of proper self custody. Just a few months later, many who had blind faith in cold storage have had their conviction shaken yet again, bringing us to version 2.0 of Not Your Keys, Not Your Coins.

Cold Storage - Maybe It's Not So Cold Anymore

In mid-May, Ledger announced a recovery feature for its hardware wallet that would allow a user to back up their seed to three separate companies: Coincover, Ledger, and EscrowTech, where each company secures one fragment of the encrypted pre-BIP39 version of your private key. To enable the feature, users must cryptographically sign from their hardware wallets in the same way they would send funds. Still, doubts about the security of the firmware, and fears of backdoors, thundered across the crypto community. This all came in the form of cries about censorship or potential seizure, where key custodians may be coerced by centralized agents of control. No matter where you land on this issue, it is true that having cloud custodians of your keys, whether divided or not, introduces very real attack surfaces.

The overall response has still been relatively mixed. Some took hammers to their Ledger device, and others silently reassessed their self custody practices. Some take the view that nothing fundamental has changed with respect to transaction processing or hardware. Others question manufacturer integrity and by extension the device itself. Sentiment from social media suggested that Ledger owners had an expectation that their keys could never be extracted from the device.

Many cited the Tweet above as the reason for their stance, while others may have been in denial of the fact that they trusted the manufacturer implicitly. Prior to this feature announcement, consumer opinion was that the Ledger wallets were a black box, and the device itself can only ever know the key. Community backlash then came in the form of demands for open-sourcing the code. Ledger rather swiftly rolled back their plan, releasing the Ledger Recover Technical White Paper and vowing to open-source code prior to the feature's release.

We don’t yet know how this will play out. What is obvious is that recent events have sparked a debate with some incredibly nuanced, albeit technical talks on what "trustlessness" practically means. This has forced many to ask the hard question: Is there a form of self custody that is truly free of trust?

To delve deeper into this, what follows is an article entitled The Paradox of Self Custody and Trust. It includes core concepts of cryptographic transactions, consensus, and trust. It examines the perils of taking full custody of digital assets, while comparing industry options to more “pure” forms of self custody. It will also take a clear-eyed view of how self custody methods can affect adoption. Feel free to like, share, or subscribe to spread the word!