Digital assets may be bought on an exchange, with the blockchain’s consensus mechanism assigning the asset to a digital wallet associated with the buyer. The wallet is accessed through the control of private keys. Custodians are responsible for securing these private keys to access the asset on behalf of the asset holder client. Corporate actions and other rights and entitlements may be managed via smart contracts or the ledger.

Ledgers are either permissioned or permissionless and may (or may not) use third parties to establish consensus. In the case of permissionless ledgers, third parties that are used for this purpose are paid by the fees charged by the network for transactions to be validated.

In a custody context, interoperability refers to the extent to which a custody solution can:

• Support multiple assets across multiple networks
• Integrate with existing systems

These considerations can be grouped logically, with different risk factors and mitigants per group.
 

Interoperability among off-chain services
Most custody services are off-chain. While they connect to distributed ledger technology (DLT), and submit transactions into networks, they predominantly operate within off-chain — often legacy technology — environments such as accounting and reporting systems. These are likely to require integration for automation.

Examples of required interoperability include:

• Ability of custody or portfolio management systems to detect and accurately interpret asset activity across multiple networks
• Compatibility of network activity monitoring services (such as anti-money laundering transaction monitoring/alerting services) with local blockchain nodes across different networks
  
  

Interoperability within a DLT network
Interoperability within a network refers to different types of tokens that are configured in different smart contracts. Networks are supposed to ingest all these contracts in order for the transactions to be executed. This is a key consideration, as different process flows are able to span across multiple smart contracts. Examples of required interoperability include:

• Tokens on a blockchain with multiple smart contract elements (i.e., a fungible token with an embedded non-fungible token for additional data storage purposes)
• Smart contracts that are triggered based on live events resulting in automatic minting of new tokens
  
  

Interoperability between networks
The transfer of digital assets from one chain to another is known as “cross-chain bridging.” As various participants in an ecosystem may implement different networks, it is crucial that these networks are able to communicate with each other to enable the seamless transfer of assets or data.

When considering interoperability between networks, the consensus mechanism, smart contract language and authorization components are key factors in determining the settlement finality of the transaction. It would also ensure the records are appropriately updated on each ledger to display the ownership of each asset for custody purposes.

Examples of required interoperability include:

• Interoperability between public blockchain networks, like Ethereum to Polygon
• Interoperability between private networks and public networks (and vice versa)
  
  

Risks to be addressed
The interfaces and protocols through which off-chain and on-chain applications connect with nodes to send and receive information vary considerably across networks. This presents interoperability challenges to custody providers wishing to use common software to manage activity across multiple DLT networks. This introduces a risk of inadequate reporting due to various data sources and network monitoring tools.

Cyber threats and incidents have occurred because of vulnerabilities that were detected in smart contracts and interoperability protocols. The complex nature of the code – combined with a limited number of experienced engineers – poses an inherent risk where assets on-chain may be exposed to cyber hacks on public networks. This impacts the level of insurance a custody provider may purchase and offer as a mitigant to clients to safeguard their assets.

Assets that reside on one network may not be compatible with other networks, making the transfer of those assets difficult to complete. In terms of data, different DLT networks utilize widely varying methods for structuring and storing data, typically requiring specific adaptation among off-chain services. It is also worth noting that DLT may not be compatible with legacy systems, causing potential downtime and increased resource consumption to process data into a digestible format for reporting.

There are various components within the networks that are technical in nature and are not easily digestible. These include zero-knowledge proofs (ZKPs), oracles, virtual machine standards and contractual language differences. Institutional investors may not be interested in the detail of these technical concepts, and therefore undertake the risk of relying on third-party vendors. The cryptographic methods utilized within system procedures – such as digital signature generation and validation – can vary between different blockchain networks. This affects the ease with which off-chain applications can interpret or validate data within such systems.
 

Potential risk mitigants
Risks could be mitigated by simplifying the investor strategy based on the offerings of one or two custodians. This makes it easier for the investor to classify counterparty risks. Given the large amounts of data noted within public networks, adapting traditional monitoring tools to ingest data from the ledger would help reduce risk. Additionally, data could be easily transferred with the use of Application Programming Interfaces (APIs). APIs are considered more mature and can easily be adapted for the use of blockchain interoperability.

While there are new cyber threats introduced with smart contracts, there are many new participants in the market who focus on smart control audits and penetration testing to ensure there are no bugs within the code.
 

Barriers to risk mitigation
There are various types of digital asset tokens (security, utility, etc.) across various networks with different types of fungibility. Due to the range and diversity of digital assets, an investor holding multiple different assets may find it difficult to ensure the safe custody of all assets. There is no “one-size-fits-all” solution, and investors and custodians should consider which solutions best suit their needs.

Due to market volatility and the technical complexities of institutional grade custody, there may be a limited number of firms that offer custody services to institutional investors across multiple digital assets. This results in investors being restricted to having only a small group of custodians to choose from based on their portfolio.
 

Conclusion
Many principles that apply to traditional custody can and should be applied to digital assets custody (DAC). It is particularly important that the industry draws valuable lessons from recent industry failures and firms offering DAC meet the regulatory standards applicable to custodians of traditional assets.

The opportunity to rethink financial market structures must be tempered with understanding and commitment to the protection of investors’ assets from fraud, malfeasance, misuse, misappropriation, or exposure due to operational or performance failures.

This article is taken from “Digital Asset Custody Deciphered – A Primer To Navigating The Challenges Of Safeguarding Digital Assets,” a report produced by the Custody Working Group (CWG), a joint initiative of GBBC Digital Finance (GDF) – the financial services arm of the Global Blockchain Business Council (GBBC) – and the International Securities Services Association (ISSA). State Street is a co-chair of the CWG, and several State Street Digital^® executives contributed to the full paper.