Building a custodian wallet when crypto was still the Wild West
Mid-2016. I built a custodian wallet service supporting Ethereum, Bitcoin, and Stellar Lumen. No established patterns existed. No frameworks. No "best practices" blog posts to follow. Just whitepapers, source code, and the knowledge that if I got the key management wrong, someone could lose real money.
Key management
The core problem is simple to state and brutal to solve. You need to sign transactions on behalf of users. That means you hold their private keys. That means you are the single point of failure between them and their money.
Key derivation. HD wallets. BIP32 paths. Generating deterministic keys from a master seed so you can back up one thing and recover everything. The math is elegant. The implementation is terrifying: one off-by-one error in a derivation path and a key is gone forever.
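To make the off-by-one risk concrete, here is an added example (not code from the original wallet service) that derives hardened BIP32 private keys with only the Python standard library and checks a stored path against a stored fingerprint before trusting a restore. It handles hardened segments only, since non-hardened children need elliptic-curve point multiplication; `verify_record` and the SHA-256 fingerprint are assumptions made for illustration, and a real system would compare the derived address instead.

```python
import hashlib
import hmac

# secp256k1 group order, the modulus BIP32 uses for private-key addition
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
HARDENED = 0x80000000


def parse_path(path):
    """Strictly parse a hardened-only path such as m/44'/60'/0'."""
    parts = path.split("/")
    if parts[0] != "m" or len(parts) < 2:
        raise ValueError("path must start with m/")
    indexes = []
    for seg in parts[1:]:
        if not seg.endswith("'") or not seg[:-1].isdigit():
            raise ValueError(f"segment {seg!r} is not a hardened index")
        i = int(seg[:-1])
        if i >= HARDENED:
            raise ValueError(f"index {i} out of range")
        indexes.append(i + HARDENED)
    return indexes


def master_key(seed):
    """BIP32 master private key (as int) and chain code from a seed."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return int.from_bytes(digest[:32], "big"), digest[32:]


def derive(seed, path):
    """Walk hardened children (CKDpriv) and return the 32-byte private key."""
    key, chain = master_key(seed)
    for index in parse_path(path):
        data = b"\x00" + key.to_bytes(32, "big") + index.to_bytes(4, "big")
        digest = hmac.new(chain, data, hashlib.sha512).digest()
        tweak = int.from_bytes(digest[:32], "big")
        if tweak >= N or (tweak + key) % N == 0:
            raise ValueError("invalid child key, use the next index")
        key, chain = (tweak + key) % N, digest[32:]
    return key.to_bytes(32, "big")


def verify_record(seed, path, fingerprint):
    """Hypothetical restore check: stored path must reproduce the fingerprint."""
    actual = hashlib.sha256(derive(seed, path)).hexdigest()[:16]
    return hmac.compare_digest(actual, fingerprint)


# Constructed sample: the public BIP32 test-vector seed, never a real secret.
SEED = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
```

Storing the full path next to each fingerprint, and running the check during every restore drill, turns a silently wrong index into a loud failure instead of an unrecoverable key.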
Cold and hot
Hot wallet rotation. Cold storage. The split between "keys that need to be online to process withdrawals" and "keys that should never touch a networked machine." I had to think about how much to keep in the hot wallet. Too much and a compromise is catastrophic. Too little and withdrawals queue up and users get nervous.
Backup strategies. What happens when a hard drive dies with someone's life savings on it. Encrypted backups on separate physical media. Geographic distribution. Testing the restore process regularly because a backup you've never restored is not a backup. It's a hope.
Trust and paranoia
The security architecture I designed for that wallet taught me more about trust, redundancy, and paranoia than any enterprise security framework. When the asset is a bearer instrument and transactions are irreversible, your threat model gets very honest very fast.
Those principles still show up in everything I build. Assume the network is hostile. Assume the disk will fail. Assume the backup is corrupt until you've tested it. Design for the worst case and be pleasantly surprised when things work normally.
The crypto market has changed a lot since 2016. The engineering lessons haven't changed at all.