Frontrun

What it means to take custody of your crypto

A reminder that taking custody of your crypto means having possession of your wallet’s private keys

John Cook
Dec 18, 2022
Dear frontrunners,

As part of an analysis I’m writing on multi-sig wallet providers, I decided to include a speed run on what it means to take custody of your crypto. After reading it, I came to the conclusion that despite its brevity, the answer to this question is so important that it deserves its own post. For those uncertain of what “not your keys, not your crypto” means, please take a moment to read the remainder of this post.

What it means to take custody of your crypto

Taking custody of your crypto means having possession of your wallet’s private keys. Securing your wallet’s private keys proves that you own the funds held within the wallet. A normal Ethereum wallet is made up of a cryptographic pair of keys: public and private. The pair proves that a transaction was actually signed by the sender and prevents forgeries.


  • Your public key is what you share with other people to receive crypto assets.

  • Your private key is what you use to sign transactions and send crypto assets.

  • Your private key grants you custody over the funds associated with your account.

You never really hold any “crypto”, you hold private keys – the funds are always on Ethereum's ledger.

Centralized exchanges like Binance, Coinbase, FTX, Gemini and Kraken are all trust-based services that hold crypto on our behalf. Exchange operators are responsible for securing private keys to safeguard our crypto.

We must trust these operators to act with integrity and objectivity, similar to what we expect with cash deposit accounts at Bank of America or Chase. Unlike Bank of America, crypto exchanges operate with zero regulatory oversight and are not backed by the faith and credit of the United States Federal Deposit Insurance Corporation, an agency of last resort with a single mandate to protect depositor funds.

Moreover, exchange auditors withdrawing their existing attestations isn’t the vote of confidence we expect from operators responsible for billions of dollars in depositor funds.

Cassandra B.C. @michaeljburry
This is the problem. In 2005 when I started using a new kind of credit default swap, our auditors were learning on the job. That's not a good thing. Same goes for FTX, Binance, etc. The audit is essentially meaningless.
4:17 PM ∙ Dec 16, 2022

Given that the current landscape of centralized crypto exchanges has no lender of last resort, is not backed by the faith and credit of any government regulator, and lacks a self-governing system of checks and balances, we are left with one solution: to take custody of our crypto by holding our private keys.

This process is simple. Buying a Trezor or Ledger hardware wallet or creating a MetaMask wallet is the first step toward crypto sovereignty. When you create a wallet with one of the aforementioned products, you are provided with a seed phrase and private key. If you lose access to your wallet, your seed phrase is used for recovery.

  • Seed phrases are your wallet’s recovery key

    • It is a mnemonic code consisting of 12-24 words that is used to recover your wallet

    • If a hacker obtains it, they have access to your entire wallet and all of its public/private key pairs

    • One seed phrase corresponds to many private keys

    • Never share your seed phrase with anyone for any reason

That rule also covers keeping a paper copy of your seed phrase in your physical wallet: don’t. It’s like having your social security number, date of birth, and bank account information in one document. Imagine if that piece of paper got into the hands of the wrong person:

Jameson Lopp @lopp
This video of cops in Nevada searching a suspect and finding a seed phrase is pretty wild. Imagine having your seed phrase become part of public record due to it being captured by an officer's body camera!
10:10 PM ∙ Dec 18, 2022

  • Private keys are used to sign transactions

    • Public keys can be derived from private keys

    • If a hacker has your private keys, they can sign transactions on your behalf and liquidate your wallet

    • One private key corresponds to one public key

    • Never share your private keys with anyone for any reason

  • Public keys are used to receive tokens like Ethereum

    • It is OK to share your public key with the general public

  • A public address is a shortened and hashed version of your public key

    • In Ethereum land it’s the string that starts with the “0x” prefix

Additionally, hardware and web wallets may offer an additional layer of application-specific security:

  • MetaMask offers an additional “password” layer which is used to secure access to the MetaMask application

  • Trezor and Ledger hardware wallets include a “PIN”, also used to secure access to the hardware wallet UI


For those who need a more detailed explanation of seed phrases, private keys, and public keys, I’ve included additional links at the bottom of this note. Do not take custody of any crypto asset until you can articulate the differences between a seed phrase, private key, public key, and public address.

Again, when you use a tool like MetaMask, you are downloading a piece of software that provides you with a seed phrase and one or more private/public key pairs.

This is conceptually called a “wallet” in that it is where you keep your private keys. Your wallet does not hold any crypto, it holds a private key used to sign transactions. The individual funds are on the Ethereum ledger.

Closing thoughts and security check

Self-custody of assets is an ongoing journey, so if you are a new entrant into the crypto ecosystem, take your time. First acquire Bitcoin, Ethereum, or USDC in a centralized exchange like Coinbase. Then get a web wallet like MetaMask. Transfer some ETH to an L2 like Arbitrum, then lend it as collateral on Aave. Buy some NFTs. Take out a small overcollateralized loan.

Eventually, you’ll achieve a level of comfort to propel you to take the next step to crypto-sovereignty: complete self-custody of your assets.

If after reading this article you’re questioning the thoroughness of your own personal steps to safeguard existing crypto, it’s ok, it’s not too late. It’s most likely the result of using a web wallet like MetaMask and granting dapps permission to use/spend/transfer crypto on your behalf. This is called an “allowance”.

Maybe you’ve specified an allowance for a pre-determined amount, or maybe you just don’t remember. I recommend using a tool like Revoke.cash (compatible with all ERC20 tokens), which will tell you which dapps you’ve authorized with allowance permissions. You can then revoke the allowances of dapps you don’t remember. Do this sooner rather than later.
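
An added sketch (not from the original post and not Revoke.cash’s code) of an allowance audit: it replays ERC-20 `Approval` event logs for one owner and lists the approvals still open. The log entries, addresses and function names are constructed for illustration; real logs would come from a node’s `eth_getLogs`.

```python
# keccak256("Approval(address,address,uint256)"): topic0 of the ERC-20 Approval event
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UNLIMITED = 2**256 - 1  # "infinite" approval that many dapps request by default


def topic_to_address(topic):
    """Indexed address topics are left-padded to 32 bytes; keep the last 20."""
    return "0x" + topic[-40:].lower()


def open_allowances(logs, owner):
    """Replay Approval logs in chain order; return the owner's non-zero approvals."""
    state = {}
    order = lambda l: (int(l["blockNumber"], 16), int(l["logIndex"], 16))
    for log in sorted(logs, key=order):
        topics = log["topics"]
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue  # ERC-721 Approval shares topic0 but carries 4 topics
        if topic_to_address(topics[1]) != owner.lower():
            continue  # approval granted by some other account
        key = (log["address"].lower(), topic_to_address(topics[2]))
        state[key] = int(log["data"], 16)  # a later approve() replaces the earlier one
    return {k: v for k, v in state.items() if v > 0}


def sample_log(block, index, token, owner, spender, amount):
    """Build one constructed log in eth_getLogs JSON shape."""
    pad = lambda addr: "0x" + addr[2:].rjust(64, "0")
    return {"address": token, "blockNumber": hex(block), "logIndex": hex(index),
            "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": "0x" + format(amount, "064x")}


# Constructed placeholder addresses, not real accounts or contracts.
OWNER, OTHER = "0x" + "aa" * 20, "0x" + "dd" * 20
TOKEN_A, TOKEN_B = "0x" + "11" * 20, "0x" + "22" * 20
DAPP_X, DAPP_Y = "0x" + "bb" * 20, "0x" + "cc" * 20
SAMPLE_LOGS = [
    sample_log(150, 0, TOKEN_B, OWNER, DAPP_Y, 0),          # revocation
    sample_log(100, 3, TOKEN_A, OWNER, DAPP_X, UNLIMITED),  # forgotten approval
    sample_log(120, 1, TOKEN_B, OWNER, DAPP_Y, 500),
    sample_log(160, 2, TOKEN_A, OTHER, DAPP_X, 7),          # someone else's
]

if __name__ == "__main__":
    for (token, spender), amount in open_allowances(SAMPLE_LOGS, OWNER).items():
        print(token, spender, "UNLIMITED" if amount == UNLIMITED else amount)
```

The replayed value is the last amount approved; a dapp may have spent part of it since, so confirm the live figure with the token’s `allowance(owner, spender)` call.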

To knowledge and wisdom,

John Cook
December 17th, 2022
San Francisco, CA
www.frontruncrypto.com


📚 For more information on taking custody of your crypto please consider the following resources, ranked in terms of ease of understanding:

  • Metamask: Secret Recovery Phrase, password, and private keys

  • Ledger: Private Key and Recovery Phrase – What’s the difference

  • How to protect your crypto assets

  • Principle of storing cryptocurrency

  • The only safe way to store crypto ← this is your goal!


Article cover generated by DALL-E: “An abstract painting of a robber stealing someone’s wallet”
