Crypto Winter teaches tough lessons about custody and taking control
The crypto winter has pumped new life into the adage “Not your keys, not your coins,” especially after the collapse of some high-profile businesses like Celsius Network, whose funds were frozen in June. Just last week, Ledger CEO Pascal Gauthier hammered home the point, warning: “Don’t trust your coins and your private keys to anyone because you don’t know what they’re going to do with it.”
The basic idea behind the saying, familiar to many crypto veterans, is that if you don’t personally have your private keys (i.e., passwords) in an offline “cold wallet,” then you don’t control your digital assets. But Gauthier also put the problem in a larger context as the world moves from Web2 to Web3:
“A lot of people are still in Web2 […] because they want to stay in the matrix where they’re controlled, because it’s easier, it’s you know just click yes yes yes and then someone else will deal with your problems.”
But giving up control won’t set you free. “Taking responsibility is how you become free.”
Gauthier does have a vested interest here: Ledger is one of the world’s largest suppliers of cold wallets. Then again, he might as well have been stating the obvious. In May, Coinbase acknowledged in an SEC 10-Q filing that if it ever went bankrupt, customers who entrusted their digital assets to the exchange “could be treated as our general unsecured creditors,” i.e., could find themselves at the back of the creditor line in bankruptcy proceedings.
“It doesn’t matter that the exchange’s contract with you says you ‘own’ the currency,” Georgetown University law professor Adam Levitin told Barron’s at the time, “it doesn’t matter what will happen in bankruptcy.”
But Gauthier’s statement also raises other questions. This notion of seizing “control” over one’s keys and coins may become more complicated given recent regulatory proposals in Europe, as well as an important interpretation by the authorities in the United States. Also, as the world transitions from Web2 to Web3, is it really that certain that centralized solutions like Coinbase and others might not still have an important role to play in terms of custody and, yes, even privacy?
Learning the hard way
In general, it seems that consumers still do not understand the potential risks when transferring their private crypto keys to centralized platforms and exchanges.
“It’s been made abundantly clear that even the most seemingly trustworthy custodians can still make serious missteps with user funds,” Nick Saponaro, CEO of the Divi Project, told Cointelegraph. “The promise of self-sovereign ownership of your money is immediately obliterated when users hand over their private keys to a third party, regardless of that third party’s genuine intent.”
“All crypto users should learn and be responsible for the security of their own coins by storing them securely on hardware wallets,” Bobby Ong, co-founder and COO of CoinGecko, told Cointelegraph. “However, this is not a popular move because for most crypto users, it is probably more convenient to store them on centralized exchanges.”
Still, a centralized exchange (CEX) can be useful at times, and perhaps we should expect to live in a hybrid cryptoverse for a while, with both cold and hot wallets and both centralized and decentralized exchanges (DEX).
“There is a case for using centralized exchanges to send funds to others to not doxx your crypto addresses,” said Ong. “This is because when you send a transaction to someone else, they will know your address and can see your balance, historical transactions and all future transactions.”
In fact, Ong tweeted recently: “The basic advice now is to have multiple wallets for different purposes and to fund these wallets using centralized exchanges. This works well, but it is not good enough. If you use FTX or Binance, Uncle Sam and Changpeng Zhao will know all your wallets and they can profile you instead.”
Ong continued, “To get full privacy for your new wallet, a service like Tornado Cash is necessary.” True, it is probably more expensive, slow and tedious, but having such an option would ensure privacy and make crypto behave more like cash, he added.
Justin d’Anethan, institutional sales director at Amber Group, agreed that trade-offs remain. “You can’t do as many sophisticated trades from a private wallet as you can on a centralized platform, or at least not as easily and efficiently,” he told Cointelegraph. Large, sophisticated traders will always need to hold some of their holdings on exchanges to optimize returns. In his personal case:
“I have some of my core holdings in private wallets, but I definitely have some assets on centralized platforms for yield generation, some rebalancing, etc.”
In particular, corporate entities may not want to handle the operational side of a trade, including investment and custody, and they may also want to interact with a recognized and established centralized entity that can perform due diligence. In addition, companies may want to have an identifiable and liquid entity to sue “in the event of a failure,” d’Anethan added.
On the retail side, setting up a private wallet can still be intimidating, which may explain why so many leave private keys to CEXs and the like, even if it’s not always the best way. As d’Anethan told Cointelegraph:
“You may not know how – or have the motivation – to buy a private wallet, set it up to hold your private key and bear the risk of losing it. So the path of least resistance wins.”
“Don’t regulators get it?”
Elsewhere, self-hosted wallet providers may soon face tough regulation in Europe if and when the EU’s Transfer of Funds Regulation (TFR) proposal is adopted. It could overturn this whole notion of taking control of one’s private keys and coins.
“Effectively, it would amount to a ‘de facto’ ban on self-hosted wallets by forcing the linking of personal identities with self-hosted wallets,” wrote Philipp Sandner and Agata Ferreira.
Mikolaj Barczentewicz, associate professor at the UK’s University of Surrey, told Cointelegraph:
“The TFR proposal does not ban self-hosted wallets, but it encourages service providers to treat them as ‘high risk’ for money laundering. […] It can become practically very difficult to transact using self-hosted wallets.”
Defenders of the TFR may respond that it’s not regulators’ fault that companies aren’t better at risk-based analysis and at distinguishing situations with a genuinely high risk of crime, but “I don’t think that answer works,” Barczentewicz continued. “It shows a lack of understanding – or care – about the fact that regulations need to be designed to be workable in the real world. The EU is basically saying to businesses: ‘You figure it out.’”
However, the biggest threat to self-hosted wallets in Barczentewicz’s view is “something like the scenario we’ve seen in response to Tornado Cash being sanctioned by the US: Companies are scared and engage in over-compliance, doing more than the law requires.”
As reported, on August 8, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued legal sanctions against digital currency mixer Tornado Cash for its role in laundering over $455 million worth of cryptocurrency stolen by the North Korean-linked hacker organization Lazarus Group.
According to data analysis firm Chainalysis, the obligations of non-custodial crypto wallet providers are now unclear under OFAC’s recent designation: “An extreme interpretation could mean that non-custodial wallet providers may also need to block transfers to the sanctioned addresses, even though this would be outstanding.”
At a minimum, government actions like these suggest that cold-wallet solutions to help crypto users take control of their private keys could become more problematic – not less – at least in the immediate future.
An education that is necessary?
Overall, does the crypto industry face an educational challenge here, i.e. explaining the importance of cold storage and individual “responsibility” to both individuals and decision makers?
“I think we have to be honest with ourselves,” Saponaro replied. “Yes, education can help some individuals avoid the pitfalls we’ve witnessed in recent months, but most people won’t read every article, watch every video, or take the time to educate themselves.” Developers have a responsibility to develop products that guide users “to learn by doing”.
“The crypto community, including in the EU, can still do a lot more to educate politicians,” Barczentewicz added. “But this education can’t be limited to just explaining how crypto works. It’s a mistake to think that once politicians get the hang of it, they’ll come up with sensible rules on their own.”
The crypto community needs to be proactive in proposing detailed technical and regulatory ideas on how to fight crime and abuse without giving up key benefits of crypto, such as self-custody, he said. “It’s not enough to just mention buzzwords like ‘zero-knowledge proofs’ and then expect politicians to do the hard work.”
Is it really important to take “control”?
What about Gauthier’s larger point that people simply need to learn to take “responsibility” for their possessions, digital and otherwise, because “taking responsibility is how you become free”?
“Crypto is a game-changer because we now have full control over our money without having to rely on any third party,” Ong said. That said, some people “may choose to offload responsibility and rely on a third-party custodian who may be better equipped to store their coins safely — and that’s acceptable as well,” he told Cointelegraph.
“In the crypto space, you usually have very binary opinions about how things can grow from here. I think the truth is a little bit in the middle,” d’Anethan said, adding:
“You’re delusional if you think that every single person and business is going full DeFi tomorrow. But you’d also be delusional if you think the growing digital world will forever remain within the Web2 infrastructure.”
What might be best is to have both centralized and decentralized platforms, “so that the user base can gradually shift to where it sees the most value — however long it takes,” he said.