Centralizing SaaS wallets: Killing autonomy for the sake of convenience? | Opinion

As a seasoned researcher and former Naval Officer with over two decades of leadership, engineering, and educational experience under my belt, I’ve seen my fair share of technological innovations that promise convenience but fall short on delivering true control and security. The rise of SaaS-based MPC wallets in the crypto landscape is no exception.


In the cryptocurrency world, software-as-a-service (SaaS) multi-party computation custodians are frequently viewed as the “easy” option for managing decentralized assets. However, upon closer examination, these services often come with a multitude of limitations, hidden risks, and difficulties when considering the technical aspects of safeguarding digital currency.

Regardless of your decentralization versus centralization stance, it is essential to recognize that the appearance of private key control can be skewered by a lack of control in policy governance and infrastructure you do not run yourself.

The rise and risks of SaaS-based MPC wallets 

The rise of Software-as-a-Service (SaaS) Multi-Party Computation (MPC) wallets has substantially reshaped the cryptocurrency environment, offering businesses a user-friendly and seemingly secure method for handling digital assets. These wallet services are often supplied by tech companies that are increasingly marketing themselves as non-custodial service providers. However, even with this label, these solutions necessitate users to rely on a centralized entity for secure signing and key generation, which positions them towards the higher end of the custody spectrum in terms of control over assets.

Relying on a single service provider for your needs can lead to a scenario where the institution doesn’t have complete control or maximum security over their operations. Although these tech companies aren’t like traditional third-party custodians such as BitGo or Anchorage, they do introduce a central point of control and potential risks. MPC (Multi-Party Computation) technology, employed by both SaaS providers and traditional custodians, addresses this issue by dividing the cryptographic keys necessary for transactions into several pieces, which are then distributed among various parties. This method increases security by reducing the vulnerability associated with a single point of control.

In the realm of Software as a Service (SaaS) solutions, when power is centralized among a select few dominant players, it introduces fresh hazards. One such risk is that these service providers become alluring targets for cybercriminals due to their extensive control over numerous clients’ assets, resembling the vulnerability present in centralized exchanges. Another concern is that this centralization not only magnifies security risks but also indirectly restricts the independence of crypto businesses.

By trusting an outside company to handle vital security matters for their digital assets, institutions could face limitations when it comes to creating and enforcing policies, procedures, and overall control of their asset management. This approach, which centralizes power, is contrary to the decentralized philosophy of the cryptocurrency world, where each user’s autonomy over their own digital assets is highly valued.

The challenges of dependency and trust in MPC custodians 

As an analyst, I’ve come to realize that while MPC (Multi-Party Computation) wallets are marketed as non-custodial due to the partial key ownership by the institution, the reality is more nuanced. The heavy reliance on third-party vendors for daily operations, security, and service availability introduces substantial risks. Although the customer institution holds a portion of the key, all other factors influencing the use or potential misuse of these key shares are under the vendor’s control. This setup exposes vulnerabilities related to key signing integrity but also significantly impacts the user experience with operational inefficiencies. For example, any policy changes may take several weeks if not prioritized by the vendor, resulting in significant delays and operational inefficiencies.

Let’s delve deeper into these potential issues: MPC wallets might experience extended transaction periods, and their dependence on vendors for everyday account adjustments and maintenance could lead to complications. For instance, if an employee departs, rescinding their access may depend on the vendor’s pace, potentially leaving a vulnerable window for asset security. Furthermore, routine downtimes for maintenance during business hours can disrupt regular operations. Moreover, in emergency situations, recovering assets could take as long as 48 hours—an unacceptable timeframe for organizations handling significant transactions. Essentially, these operational dependencies can cause inconvenience and pose security risks that run counter to the very essence of decentralization, which involves self-management of wallet infrastructure.

For financial entities or businesses with high-security standards, these dependencies can be major deal-breakers. This is due to the significant risks and costs typically linked with using third-party MPC wallet solutions, which are often deemed unacceptable by internal risk management teams. These professionals find it challenging to accept the uncertainties and possible delays that come with such products. As a result, many MPC wallet solutions do not meet the stringent criteria of assessments carried out by institutions seeking top-tier security and operational control.

A new paradigm for crypto custody

Instead of solely relying on existing Software-as-a-Service (SaaS) solutions that operate under a ‘trust us’ model, it would be beneficial to move towards a model that combines ‘trust and verify’, eventually reaching ‘never trust, always verify’. This transition allows customers to have the option of either partially or fully managing the software themselves, giving them control and ownership over crucial IT infrastructure.

Improved control enables more effective risk handling, empowering institutions to swiftly respond to market fluctuations, which in turn boosts financial expansion and has a beneficial effect on their profit margins.

A user-friendly approach merges essential management and policy guidelines into a unified system, enabling organizations to oversee their digital possessions under a zero-trust protection structure. This setup continually verifies every exchange, removing assumed trust and fortifying security. With a service-based design, institutions can customize the platform according to their specific needs, ensuring flexibility, optimal performance, and strong security.

As an analyst, I am advocating for a shift in the current market trends that predominantly depend on SaaS-based Multi-Party Computation (MPC) wallets. These solutions ask us to blindly trust vendors who manage all critical aspects, such as cryptographic processes, keys, policies, and transaction data. To enhance security, reduce risks, and uphold the principles of decentralization more effectively, it’s crucial for institutions to transition towards solutions that allow them to retain control over their digital asset infrastructure’s vital components. This transformation is indispensable in fostering trust and ensuring security in the fast-paced crypto environment.

Presently, institutions should assume responsibility for their policies. By implementing strategies that offer some or full authority over crucial management and policy execution, these entities can more effectively match the appropriate handling and supervision of service providers or outsourced tasks. This transition in perspective is vital for the industry’s progress, as it serves to protect cryptocurrency’s fundamental principles while fostering further advancement and trust.

Centralizing SaaS wallets: Killing autonomy for the sake of convenience? | Opinion

Haden Patrick

As a seasoned crypto investor with a rich background spanning 24 years as a Naval Officer, I’ve honed my skills in team leadership, engineering, and education. Currently, I’m the Director of Business Operations at Cordial Systems, a trailblazer in institutional-grade self-custody software, embracing a robust zero-trust security model. Prior to this, I co-founded SoloKeys, an open-source pioneer in security key solutions. My journey in the crypto space also includes managing projects that bridged web3 and traditional finance at a prominent trading firm, before finding my current home at Cordial Systems.

Read More

Sorry. No data so far.

2024-09-06 14:18