Institutional treasury custody
Multi-signer hardware-backed cold storage, MPC for hot operations, time-locked withdrawal patterns, and the operational runbook for moving funds under duress.
MPC custody, hardware-backed signing, account abstraction, and the operational discipline institutional custody actually requires. Engineered against the trust model — not the marketing slide.
The problem
Custody failure modes are uniquely unforgiving. A single compromised key, a recovery seed in a desk drawer, a multisig with two signers on the same YubiKey, an MPC vendor whose service degrades under load, an admin pattern that lets one person move treasury — and the loss is permanent. Most custody implementations look secure on the architecture diagram and decompose under operational analysis.
We engineer custody for the actual trust model. MPC threshold signing where the operational benefits earn their complexity, hardware-backed cold storage for treasury, multisig with named human owners and explicit time-locks, and recovery patterns that survive personnel changes. Operational runbooks that assume hostile environments. The custody pattern that ships is the custody pattern that survives an attempted theft, a personnel turnover, and a vendor outage — not just the architecture review.
Where it ships
Specific applications we’ve built and operated. Not speculative — every example below is grounded in a real shipped engagement.
Multi-signer hardware-backed cold storage, MPC for hot operations, time-locked withdrawal patterns, and the operational runbook for moving funds under duress.
Threshold-signature schemes (FROST, GG18/20) for operational hot wallets. Vendor-backed (Fireblocks, Copper) or self-hosted; we tell you which fits.
Account abstraction with social recovery, session keys, sponsored gas, and batched operations. Audited bundlers, paymaster integration, and the operational story for upgrades.
App-side hot wallets for protocol operations (gas tank, oracle bots, automation) with bounded permissions, monitoring, and circuit breakers on anomalous behavior.
Sanctioned-address screening, jurisdictional access controls, audit-trail tooling, and integration with the regulatory-reporting infrastructure institutional custodians require.
How we engage
Each phase has a deliverable, an owner, and an acceptance criterion. Not slogans — operating rules.
Discovery: who can do what, under which constraints, with which recovery path. We design the trust model on a whiteboard before picking a vendor or pattern. The model lands in writing — including the failure modes and the response when each one materializes.
MPC vs multisig vs smart-account custody — picked by fit, not by hype. We model operational complexity, vendor risk, recovery-pattern viability, and regulatory constraints. Some engagements end with 'don't build custody, use Fireblocks / Copper / BitGo' and we say so.
Every custody flow modeled adversarially — what does an attacker do if they compromise one signer? Two? The vendor? Time-lock and circuit-breaker patterns sized to the threat. Test suites against the threat model, not just the happy path.
Monitoring on signing patterns, time-lock states, withdrawal flows. Runbook for incident response, vendor outage, personnel turnover, and the duress signaling pattern. Quarterly tabletop exercises against the runbook.
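As an added illustration (not MESH's code, nor any vendor's), a constructed withdrawal-policy check that encodes three of the controls named above: a named-owner quorum that also rejects two approvals from the same hardware key, a time-lock before execution, and a velocity circuit breaker that halts the treasury for manual review. Signer names, device ids, thresholds and amounts are assumed for the example.

```python
from dataclasses import dataclass

# Constructed example policy; thresholds are illustrative, not a recommendation.
@dataclass(frozen=True)
class Approval:
    signer: str      # named human owner
    device_id: str   # hardware key the approval was produced on

@dataclass(frozen=True)
class Withdrawal:
    amount: int
    queued_at: int              # unix seconds when the proposal entered the time-lock
    approvals: tuple            # of Approval

@dataclass(frozen=True)
class Policy:
    quorum: int = 2             # distinct owners AND distinct devices required
    timelock_s: int = 24 * 3600
    window_s: int = 24 * 3600   # rolling window for the velocity cap
    velocity_cap: int = 1_000_000

class Treasury:
    def __init__(self, policy: Policy):
        self.policy = policy
        self.executed = []      # (timestamp, amount) of past withdrawals
        self.halted = False     # circuit breaker state; cleared only by humans

    def check(self, w: Withdrawal, now: int):
        """Return (ok, reason); any violation rejects, never silently executes."""
        if self.halted:
            return False, "circuit breaker tripped: manual review required"
        signers = {a.signer for a in w.approvals}
        devices = {a.device_id for a in w.approvals}
        if len(signers) < self.policy.quorum:
            return False, "quorum not met"
        if len(devices) < self.policy.quorum:
            return False, "approvals share a hardware key"
        if now < w.queued_at + self.policy.timelock_s:
            return False, "time-lock not elapsed"
        recent = sum(a for t, a in self.executed if now - t < self.policy.window_s)
        if recent + w.amount > self.policy.velocity_cap:
            self.halted = True  # trip: stops the flow even with valid signatures
            return False, "velocity cap exceeded; treasury halted"
        return True, "ok"

    def execute(self, w: Withdrawal, now: int):
        ok, reason = self.check(w, now)
        if ok:
            self.executed.append((now, w.amount))
        return ok, reason
```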
Common questions
Threat-model dependent. MPC for operational hot wallets where the signing flow needs no on-chain footprint and the trust model can absorb vendor risk. Multisig for treasury where on-chain auditability is critical and the governance group is small. Smart accounts (ERC-4337) for consumer-facing wallets where social recovery and session keys earn the complexity. Most institutional setups use all three at different layers.
Buy, in most cases. The operational discipline required to run custody at institutional grade is hard to achieve from scratch. Build only when (1) the use case is consumer-facing and the vendor solutions are the wrong shape, (2) the regulatory frame requires self-hosting, or (3) the operating economics genuinely justify the engineering investment. We tell you which case applies, in writing.
Designed up front. Hardware-backed share distribution with explicit reconstruction quorum, stored in geographically and organizationally distributed locations. Recovery procedure rehearsed quarterly. Personnel-turnover scenarios planned. We will not deploy a custody pattern whose recovery story is 'three people remember it'.
Sanctioned-address screening (Chainalysis, TRM, Elliptic) integrated at the transaction level. Jurisdictional access controls where the regulatory frame requires. Audit-trail tooling that reports to the regulator's expectations, with explicit retention. We've shipped this for institutional clients across multiple regulatory frames.
Yes. EVM-chain custody is straightforward; Bitcoin, Solana, Cosmos, and other non-EVM chains each have their own MPC / multisig story. We've shipped multi-chain custody for institutional clients with the operational tooling that makes the chain differences invisible to the treasury operator.
Trust-model design: 4–6 weeks, $80K–$200K. Operational custody build (vendor-integrated): 3–6 months, $300K–$1M. Self-hosted MPC infrastructure: $1M–$3M. Smart-account / AA wallet platform: $500K–$1.5M. Managed Services: $40K–$150K monthly retainer. External audit and HSM costs pass through. Brackets published honestly so visitors self-qualify before the first call.
Talk to us
A senior engineer plus the MESH department lead joins the first call. No discovery gauntlet, no junior reps.