Token custody

Token creators / issuers and investors need to safekeep their tokens. This can either be done through self-custody or by working with a third-party custodian (a bank or regulated financial institution that holds a custody license).

At the heart of token custody is the management of cryptographic keys. Someone who owns digital assets typically sees their so called public key or address. If you want to receive tokens, you need to give your public key to the token sender. You will normally find this key in your wallet.

If you want to send your tokens to another wallet (e.g. because you sold tokens to someone else), you will need their public key. When you send tokens, your wallet will sign the transaction with your private key.

In order to make sure that nobody can spend your funds or tokens, the private key needs to be managed in a highly secure way. At the same time convenience is important, so that tokens can be sent when necessary without an overly complicated approval process.

Custodians take the responsibility of managing private keys for investors and issuers in a secure and compliant way. They are therefore an important component in the whole setup of token offerings.

As the issuer of a token you normally don't hold tokens for a long time. Typically tokens are distributed to investors shortly after they are minted.

However, often additional tokens need to be minted after the primary issuance. Sometimes certain properties of tokens need to be changed. Only if you can be sure, that additional token minting, burning or other configurations will never change after the primary issuance, the issuer account key for a particular token can be deleted or token ownership can be explicitly renounced. This is a non-reversible action that disables further changes to the token configuration.

In all other cases, issuer keys need to be kept in a safe location from where transactions can be signed ideally in an automated way. At Bitbond we work with several regulated custodians and can recommend partners for you.

For robust, large-scale production deployments, we advocate for implementing a transaction authorization policy or transferring token contract ownership to a multi-signature wallet. Such precautions minimize risks associated with a singular point of failure, such as key leaks or the potential misuse of ownership rights by a malicious actor. Requiring multiple approvals from the team that oversees the token increases security. In certain scenarios, teams opt to organize themselves as a Decentralized Autonomous Organization (DAO) to further bolster decentralization and enhance transparency in their operations.

If you create tokens on an EVM chain with Bitbond Token Tool, there are the following ways to manage your issuer keys.

Custodian

You can work with a custodian as described above. The custodian needs to support Web3 login through Wallet Connect. In such cases the custodian can log in to Token Tool from within their key management software and create tokens, manage tokens and distribute tokens on behalf of the issuer.

Self-custody

If as an issuer you want to be independent of a custodian when it comes to token management, you need to maintain a key management solution yourself. There are several secure and convenient solutions in the market, some of which are listed here.

Fireblocks

Fireblocks is a sophisticated key management software that has very comprehensive functionality around digital assets. It can store nearly all currencies and tokens that currently exist and lets you configure sophisticated governance and approval rules.

Typically custodians would utilize Fireblocks. If you need to manage multiple keys for several tokens and need a more sophisticated approach to governance, Fireblocks is they right way to go.

With Fireblocks you can log in to Token Tool with Wallet Connect.

Ledger Enterprise

Ledger is one of the leading hardware wallets. You can use it with Token Tool directly or use it as a more secure way to mange keys behind Metamask and log in to Token Tool with Metamask. For institutions, Ledger Enterprise provides bank-grade key custody infrastructure.

Metamask

Metamask is a simple and convenient way to log in to Token Tool. However, from a security standpoint it should not be used for transactions and tokens of higher value because it is not built for an institutional but rather a consumer context.

Safe

Safe is another secure and convenient way to manage issuer keys. It allows you to use Metamask or Wallet Connect to log in to Token Tool.

Phantom

Phantom is a popular wallet for the Solana ecosystem, offering a user-friendly interface, integrated token management, and built-in support for NFTs. It is ideal for users managing Solana-based tokens and supports the newer Token-2022 standard. While Phantom is primarily a consumer wallet, it is a practical option for Solana token issuers and investors in lower-risk scenarios.

Freighter

Freighter is a non-custodial browser extension wallet for the Stellar network. It is specifically designed to interact with Stellar-based tokens and decentralized applications. Freighter offers an easy way for issuers and investors to manage Stellar accounts and sign transactions securely. It is well-suited for token issuers working within the Stellar ecosystem who require a lightweight and secure self-custody solution.