This lesson covers how crypto is actually held and protected: what a wallet really is, the difference between hot and cold storage, the choice between self-custody and a qualified custodian, and the multi-signature and MPC schemes that let an institution hold large amounts safely. The previous lesson framed the decision (“who holds the keys”); this one is the machinery behind it. For a trading firm, custody is not an afterthought. It is a core risk decision that shapes how fast the desk can trade and how much it can lose to a single failure.
Table of Contents
What a wallet actually holds
The word “wallet” is misleading. A crypto wallet does not hold coins the way a leather wallet holds cash. The coins never leave the blockchain; they are just ledger entries assigned to an address. What the wallet actually holds is the private key that controls that address. A wallet is a key manager, not a money container.
This single fact explains everything else. Securing your crypto means securing a private key. Lose the key and the coins are stranded on the blockchain forever, visible to all and spendable by no one. Let someone copy the key and they can move the coins instantly and irreversibly. So the entire field of custody is really the field of “how do we store a secret number safely while still being able to use it.”
The everyday version: think about how you hold money in real life. A little cash in your pocket is instantly spendable but easy to lose or have stolen. The bulk of your money sits in a bank, harder to get at minute-by-minute but far safer. A family heirloom might go in a safe deposit box you visit twice a year. You match the storage to how often you need the asset and how much it would hurt to lose it. Crypto custody is the same trade-off between accessibility and safety, and it produces the same tiered answer.
Hot wallets versus cold wallets
The first axis of custody is whether the private key is connected to the internet.
- Hot wallet
The private key lives on an internet-connected device: a phone app, a browser extension like MetaMask, or the wallet software an exchange runs for active trading. Hot wallets are convenient and fast, which is exactly what you need to actually transact, but being online means they are reachable by attackers. This is your pocket cash. - Cold wallet
The private key is kept on a device that never touches the internet: a dedicated hardware wallet (a Ledger or Trezor), or in the institutional case an air-gapped machine in a vault. To move funds you physically approve the transaction on the offline device. Cold storage is dramatically safer because a remote attacker has no network path to the key, but it is slower to use. This is your safe deposit box.
Every serious holder, retail or institutional, splits funds across both. A small “working” balance sits hot for day-to-day activity; the bulk sits cold. An exchange does the same thing at scale: a few percent of customer assets in hot wallets to service withdrawals and trading, the rest in deep cold storage. The split is a deliberate risk budget. How much are you willing to expose online in exchange for how much operational speed.
Self-custody versus third-party custody
The second axis is who holds the key at all: you, or someone you hire.
- Self-custody
You hold your own private keys. No counterparty can freeze, lose, or misappropriate your assets, because no counterparty is involved. The cost is that operational security is entirely on you: lose the key, mismanage a backup, or get phished, and there is no help desk and no recovery. The risk does not disappear; it moves from counterparty risk onto your own operations. - Third-party (custodial) holding
A custodian holds the keys for you. For most people this is just their exchange account. For an institution it is usually a qualified custodian, a regulated firm (Coinbase Custody, BitGo, Fidelity Digital Assets, Anchorage, and similar) whose entire business is holding client assets securely, often with insurance and regulatory oversight. You regain a help desk, professional security, and in some jurisdictions a legal requirement satisfied, but you take on counterparty risk: your access depends on the custodian staying solvent and honest.
This is the institutional version of “not your keys, not your coins” from the previous lesson, and it is genuinely a hard trade-off rather than an obvious one. Pure self-custody removes counterparty risk but concentrates operational and key-loss risk. A qualified custodian reduces operational risk but reintroduces the counterparty exposure that destroyed FTX customers. There is no free option, which is why this is a real decision for a desk and not a checkbox.
Multisig and MPC: removing the single point of failure
Both self-custody and custodians face the same structural weakness: if one private key controls the funds, then one stolen or lost key is a total loss. A single secret should never be able to move large sums. Two technologies fix this, and you should be able to tell them apart.
Multi-signature (multisig)
A multisig wallet requires several keys to approve a transaction, for example “any 3 of these 5 keys.” No single key can move funds alone. The keys can be held by different people, in different locations, on different devices. To steal the funds an attacker now has to compromise three independent keys, not one; to lose access you would have to lose three. This is the crypto-native equivalent of requiring two executives to co-sign a large cheque.
The “3-of-5” structure (a quorum) is the part to remember: you set how many signatures are required (the threshold) out of how many exist in total. A higher threshold is safer against theft but more fragile against loss, and vice versa, so the quorum encodes the firm’s risk preference directly.
Multi-party computation (MPC)
MPC reaches a similar goal by different math. Instead of having several complete keys, MPC splits a single private key into shares distributed across several parties. The signature is computed jointly from the shares without any one party ever holding the whole key, and the full key is never reconstructed in one place, even momentarily. To an outside observer there is just one ordinary signature on the blockchain.
The practical differences worth knowing:
- Where the protection lives
Multisig is enforced by the blockchain itself (the smart contract or script checks for enough signatures). MPC is enforced by cryptography off-chain, so the chain only ever sees one normal key. - Flexibility and privacy
MPC is chain-agnostic and reveals nothing about the security scheme on-chain, which institutions like. Multisig is transparent and auditable on-chain but is implemented differently on each blockchain.
Most institutional custody today uses one or both of these under the hood. The headline idea for an interview is simply that serious custody never lets a single key be a single point of failure.
Why custody is a trading decision
It is tempting to file custody under “operations” and move on. On a crypto desk you cannot, because custody choices directly shape the trade.
If your assets sit with a qualified custodian for safety, you cannot trade them on an exchange the instant an opportunity appears; you have to move them first, which takes time and leaves you exposed during the transfer. If your assets sit on the exchange so you can trade instantly, you are carrying full counterparty risk on that exchange, the FTX risk. Desks manage this tension with a mix of approaches: keeping only working capital on exchanges, using custodians that offer off-exchange settlement (so you can trade against a venue while your collateral stays in custody), and spreading assets across multiple venues so no single failure is fatal. Every one of those choices trades execution speed against safety. That is why custody belongs in a trading course, not just an operations manual.
How this shows up in an interview
The likely questions are practical risk questions. “How would you custody assets for a crypto trading desk?” wants the tiered answer: working capital hot and on-venue for speed, the bulk in cold storage or with a qualified custodian, no single key controlling material funds. “What is the difference between multisig and MPC?” tests whether you actually understand the mechanisms or just the buzzwords. And the synthesis question, “how does custody affect how you trade?”, wants you to connect the safety/speed trade-off to execution and counterparty risk. As always, naming the real example (FTX, off-exchange settlement, a 3-of-5 multisig) shows the knowledge is grounded.
Potential Pitfalls and Best Practices
- A wallet stores keys, not coins
If you describe a wallet as holding coins, you have the model wrong. It holds the private key; the coins stay on-chain. This is why backing up a key is backing up the funds. - Hot versus cold is about internet exposure
Hot keys are online and convenient but reachable by attackers; cold keys are offline and safe but slow. Tier your holdings across both rather than picking one. - Self-custody trades counterparty risk for operational risk
It does not make you safe; it changes which risk you carry. Lost keys are unrecoverable, so self-custody demands real operational discipline. - Never let one key be a single point of failure
For meaningful sums, use multisig or MPC so that one compromised or lost key cannot move the funds. Single-key custody of large balances is an amateur setup. - Custody speed and safety trade off directly
Maximum safety (deep cold, qualified custodian) slows your ability to trade. Maximum speed (everything on the exchange) maximises counterparty risk. The right answer is a deliberate split, not an extreme.
Where to go next
We have covered what crypto is, how ownership is proven, and how it is held. The next lesson sharpens the vocabulary: the difference between a coin and a token, the standards (like ERC-20) that let thousands of tokens exist on one chain, and the categories (governance, utility, stablecoin) that a trader needs to keep straight. Stablecoins in particular get a first mention here and a full treatment in Module 2, because they are the settlement rail of crypto trading.