Token creators / issuers and investors need to safekeep their tokens. This can either be done through self-custody or by working with a third-party custodian (a bank or regulated financial institution that holds a custody license).
At the heart of token custody is the management of cryptographic keys. Someone who owns digital assets typically sees their so-called public key or address. If you want to receive tokens, you need to give your public key to the token sender. You will normally find this key in your wallet.
If you want to send your tokens to another wallet (e.g. because you sold tokens to someone else), you will need their public key. When you send tokens, your wallet will sign the transaction with your private key.
To make sure that nobody else can spend your funds or tokens, the private key needs to be managed in a highly secure way. At the same time, convenience is important, so that tokens can be sent when necessary without an overly complicated approval process.
Custodians take the responsibility of managing private keys for investors and issuers in a secure and compliant way. They are therefore an important component in the whole setup of token offerings.
As the issuer of a token you normally don't hold tokens for a long time. Typically tokens are distributed to investors shortly after they are minted.
However, additional tokens often need to be minted after the primary issuance, and sometimes certain properties of a token need to be changed. The issuer account key for a particular token can be deleted, or token ownership explicitly renounced, only if you can be sure that no additional minting, burning or other configuration change will ever be needed after the primary issuance. This is a non-reversible action that disables further changes to the token configuration.
In all other cases, issuer keys need to be kept in a safe location from which transactions can be signed, ideally in an automated way. At Bitbond we work with several regulated custodians and can recommend partners for you.
For robust, large-scale production deployments, we advocate implementing a transaction authorization policy or transferring token contract ownership to a multi-signature wallet. Such precautions minimize the risks associated with a single point of failure, such as key leaks or the potential misuse of ownership rights by a malicious actor. Requiring multiple approvals from the team that oversees the token increases security. In certain scenarios, teams opt to organize themselves as a Decentralized Autonomous Organization (DAO) to further bolster decentralization and enhance transparency in their operations.
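To check which of the situations described above (renounced ownership, a single issuer key, or a contract such as a multi-signature wallet) applies to a deployed token, the following added example classifies the token's owner from two JSON-RPC results. It is not Bitbond or Token Tool code; it assumes the token exposes an OpenZeppelin-style `owner()` function, and all addresses and responses in it are constructed samples.

```python
ZERO_ADDRESS = "0x" + "00" * 20
OWNER_SELECTOR = "0x8da5cb5b"  # owner(); assumes an OpenZeppelin-style Ownable token
EIP7702_PREFIX = "0xef0100"    # code of a key-controlled account that delegates (EIP-7702)

def owner_call_request(token_address):
    """JSON-RPC body asking the token for owner(); send it to your own node."""
    return {"jsonrpc": "2.0", "id": 1, "method": "eth_call",
            "params": [{"to": token_address, "data": OWNER_SELECTOR}, "latest"]}

def decode_address(word_hex):
    """Decode the single 32-byte ABI word that eth_call returns for owner()."""
    raw = bytes.fromhex(word_hex[2:] if word_hex.startswith("0x") else word_hex)
    if len(raw) != 32 or any(raw[:12]):
        raise ValueError("not an ABI-encoded address")
    return "0x" + raw[12:].hex()

def classify_owner(owner_call_result, owner_code):
    """Return (owner, posture) from eth_call(owner()) and eth_getCode(owner)."""
    owner = decode_address(owner_call_result)
    code = (owner_code or "0x").lower()
    if owner == ZERO_ADDRESS:
        return owner, "renounced"       # irreversible: no more minting or config changes
    if code == "0x" or (code.startswith(EIP7702_PREFIX) and len(code) == 2 + 23 * 2):
        return owner, "single-key"      # one private key: single point of failure
    return owner, "contract-owned"      # e.g. a multi-signature wallet; review its signers

# Constructed sample responses (not real tokens, addresses or bytecode).
SAMPLES = {
    "token-a": {"owner_call": "0x" + "00" * 32, "owner_code": "0x"},
    "token-b": {"owner_call": "0x" + "00" * 12 + "11" * 20, "owner_code": "0x"},
    "token-c": {"owner_call": "0x" + "00" * 12 + "22" * 20, "owner_code": "0x6080604052"},
    "token-d": {"owner_call": "0x" + "00" * 12 + "33" * 20,
                "owner_code": "0xef0100" + "44" * 20},
}

def audit(samples):
    """Map each token name to its ownership posture."""
    return {name: classify_owner(s["owner_call"], s["owner_code"])[1]
            for name, s in samples.items()}

if __name__ == "__main__":
    for name, posture in audit(SAMPLES).items():
        print(f"{name}: {posture}")
```

A "contract-owned" result only shows that the owner is not a plain key; the signer set and approval threshold of that contract still have to be reviewed separately.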
If you create tokens on an EVM chain with Bitbond Token Tool, there are the following ways to manage your issuer keys.
You can work with a custodian as described above. The custodian needs to support Web3 login through Wallet Connect. In such cases the custodian can log in to Token Tool from within their key management software and create tokens, manage tokens and distribute tokens on behalf of the issuer.
If, as an issuer, you want to be independent of a custodian when it comes to token management, you need to maintain a key management solution yourself. There are several secure and convenient solutions on the market, some of which are listed here.
Fireblocks is a sophisticated key management software that has very comprehensive functionality around digital assets. It can store nearly all currencies and tokens that currently exist and lets you configure sophisticated governance and approval rules.
Typically, custodians would use Fireblocks. If you need to manage multiple keys for several tokens and need a more sophisticated approach to governance, Fireblocks is the right way to go.
With Fireblocks you can log in to Token Tool with Wallet Connect.
Ledger is one of the leading hardware wallets. You can use it with Token Tool directly or use it as a more secure way to manage keys behind Metamask and log in to Token Tool with Metamask. For institutions, Ledger Enterprise provides bank-grade key custody infrastructure.
Metamask is a simple and convenient way to log in to Token Tool. However, from a security standpoint it should not be used for transactions and tokens of higher value because it is not built for an institutional but rather a consumer context.
Safe is another secure and convenient way to manage issuer keys. It allows you to use Metamask or Wallet Connect to log in to Token Tool.