Day 11 — Custody at scale: who is actually holding your money?
On Day 4 we introduced the three custody postures: custodial, software self-custody, hardware self-custody. Today we go deeper, because the question of "where do you store this" gets fundamentally different once the numbers get bigger, and almost nobody walks new users through how the tiers escalate.
Here is the practical reality. Custody is not one question. It is a layered set of decisions about convenience, control, single-points-of-failure, and inheritance. Different layers of your holdings live in different places. Getting this structure right is the single highest-leverage decision you will make in this space.
Let me walk the tiers.
Tier 1: Operating balance on a reputable CEX.
This is what you keep on Coinbase, Kraken, or whatever your primary on-ramp is. It is the money you might trade with this week. The convenience is real: fast execution, fiat on-ramps, customer service, regulatory protections in some jurisdictions. The risk is also real: CEX failure (Mt. Gox, FTX), regulatory freeze, hacks. The amount should be the amount you would not mind losing entirely if that CEX collapsed tomorrow. For most people that number is small. For active traders, it might be larger but should still be capped.
Tier 2: Hot software wallet for daily use.
A non-custodial wallet on your phone or browser. MetaMask, Phantom, Trust Wallet, Rabby. You hold the keys. The seed phrase is yours. The wallet connects to dApps for DeFi, NFTs, on-chain commerce. The risk shifts from "the exchange fails" to "your device gets compromised." Malware, phishing sites, malicious approvals. The amount you keep in a hot wallet should be the amount you can replace without changing your life if it gets drained.
Tier 3: Hardware wallet for serious holdings.
A physical device (Ledger, Trezor, GridPlus, Coldcard) that holds your keys in an offline chip. You connect it to your computer to sign transactions; the keys themselves never touch an internet-connected device. This is the standard for "I'm not actively trading this, I'm holding it." For most serious individuals, the bulk of holdings should be here.
The most common mistake at this tier is buying a hardware wallet, setting it up, writing the seed phrase on a sticky note, and putting the sticky note in a desk drawer. That defeats the entire point. The seed phrase should be stored carefully (etched on metal, distributed across geographic locations, etc.) because if you lose it, the device can be replaced but the funds cannot.
Tier 4: Multisig for high-value or shared holdings.
A wallet that requires multiple keys to authorize any transaction. The standard setup is 2-of-3 (any 2 of 3 keys can sign) or 3-of-5. The keys can be held by different people, on different devices, in different locations. Even if one key is compromised, the funds are safe. This is the structure institutions and family offices use. Services like Casa and Unchained make this accessible for individual holders with significant balances.
Multisig solves the most damaging single point of failure: one key, one device, one human. It does this by spreading the trust across the structure. The tradeoff is operational complexity. Signing a transaction requires coordinating multiple keys. For day-to-day activity, that is overhead you don't want. For long-term storage of significant balances, the overhead is exactly the point.
Tier 5: Institutional custody.
Above a certain size, the right answer is to hire a custodian. Coinbase Custody, BitGo, Anchorage, Fidelity Digital Assets. These are regulated, insured, audited services that hold assets on behalf of institutional clients. They charge basis points on assets under custody. They handle the operational complexity of multisig at scale, key recovery, compliance, regulatory reporting, and disaster recovery.
You probably do not need this tier yet. But it exists, and you should know that when a foundation, a family office, or a fund wants to hold meaningful crypto exposure, this is where they go. The custodians are real businesses. Most are licensed as qualified custodians under SEC rules.
A few cross-cutting concepts worth understanding.
Account abstraction is the technology that lets smart contracts act as wallets. Instead of a private-key-controlled address signing transactions, a smart contract enforces custom rules. You can build wallets with social recovery (your friends can help you regain access if you lose your keys), spending limits, transaction whitelists, multi-factor authentication. Implemented as ERC-4337 on Ethereum, account abstraction is one of the most underappreciated improvements in crypto UX over the last three years. Smart wallets like Argent, Safe (formerly Gnosis Safe), and Coinbase's smart wallet products are the leading edge of this category.
Inheritance planning. This is the question almost nobody addresses until it is too late. If you get hit by a bus, can your spouse or your kids access your holdings? If the seed phrase is in a safe and only you know the combination, the answer is no. If the seed phrase is in three pieces across two attorneys and one trusted friend with instructions on how to recombine, the answer might be yes. Services like Casa and Unchained offer formal inheritance products. Even without them, you should have a plan that survives your absence. This is not morbid. It is the responsible version of holding assets that can't be recovered through traditional channels.
Key compromise vs. lost keys. These are different threats with different mitigations. A compromised key (stolen, phished, malware-exfiltrated) is used against you in real time; the only defense is layered approvals (multisig, time delays, allowlists). Lost keys (forgotten password, destroyed seed phrase, missing device) are different; the defense is redundancy (multiple backups in multiple locations) and recovery procedures (multisig with a recovery key, social recovery, professional custody). The mistake people make is solving for one and forgetting the other. Plan for both.
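As an added illustration (not part of the original lesson and not any wallet's real code), the sketch below models the layered approvals named above: an m-of-n threshold, a destination allowlist and a time delay, and shows how one setup is scored against both theft and loss. Signer names, addresses and the 24-hour delay are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    signers: frozenset    # key holders (hypothetical names)
    threshold: int        # m in an m-of-n multisig
    allowlist: frozenset  # destinations exempt from the delay
    delay_s: int          # waiting period for any other destination

@dataclass(frozen=True)
class Tx:
    dest: str
    approvals: frozenset  # keys that signed this transaction
    queued_at: int        # time the transaction was proposed (seconds)

def authorize(p: Policy, tx: Tx, now: int) -> str:
    """Apply the layers in order: threshold, then allowlist or delay."""
    valid = tx.approvals & p.signers  # ignore signatures from unknown keys
    if len(valid) < p.threshold:
        return "rejected"
    if tx.dest not in p.allowlist and now - tx.queued_at < p.delay_s:
        return "pending"  # window in which the owner can notice and react
    return "authorized"

def tolerance(p: Policy) -> tuple:
    """(keys an attacker may hold without spending, keys the owner may lose)."""
    return p.threshold - 1, len(p.signers) - p.threshold

# Constructed sample setup: 2-of-3 with a 24-hour delay.
POLICY = Policy(frozenset({"phone", "hardware", "backup"}), 2,
                frozenset({"cold-vault"}), 86_400)

def scenarios() -> dict:
    stolen = Tx("unknown-addr", frozenset({"phone"}), 0)         # one key compromised
    lost = Tx("cold-vault", frozenset({"phone", "backup"}), 0)   # hardware key lost
    new_dest = Tx("unknown-addr", frozenset({"phone", "hardware"}), 0)
    return {
        "one stolen key": authorize(POLICY, stolen, 10),
        "one lost key": authorize(POLICY, lost, 10),
        "new destination, 1h": authorize(POLICY, new_dest, 3_600),
        "new destination, 24h": authorize(POLICY, new_dest, 86_400),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
    print("2-of-3 tolerates (compromised, lost):", tolerance(POLICY))
```

A single-key wallet scores (0, 0) on tolerance: one theft or one loss is fatal, which is the gap this paragraph warns about.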
A practical decision framework for everyone reading this:
- If you have less than $5,000 in crypto, hardware wallet for the bulk + small CEX balance for liquidity is fine.
- $5,000 to $50,000: hardware wallet, treat seed phrase with proper discipline (metal backup, multiple locations), start thinking about a will or trust that includes recovery instructions.
- $50,000 to $500,000: multisig setup (Casa, Unchained, or DIY with multiple hardware wallets). Real inheritance plan. Operational separation between hot wallet (small) and cold storage (everything else).
- $500,000 and up: serious multisig structure, institutional custody option, professional advice from someone who has done this before. The downside of getting it wrong at this scale is too large to figure it out yourself.
The right answer is not the most paranoid setup. The right answer is the setup that matches the size of what you're protecting, scales with your holdings over time, and you will actually maintain.
Tomorrow we move from where assets are stored to how they're produced. The difference between mining and staking, and where "yield" in crypto actually comes from.
Glossary
| Term | Definition |
|---|---|
| Custodial | An arrangement where a third party (exchange, custodian) holds your keys. |
| Self-custody | An arrangement where you alone hold your keys. |
| Hot wallet | A wallet whose keys are on an internet-connected device. |
| Cold wallet | A wallet whose keys are stored offline. |
| Hardware wallet | A physical device that holds keys in an offline chip and signs transactions with a button press. (Ledger, Trezor, Coldcard, GridPlus.) |
| Multisig | A wallet that requires multiple keys to authorize a transaction. Standard setups are 2-of-3 or 3-of-5. |
| Institutional custody | A regulated, insured custody service designed for funds, foundations, and family offices. (Coinbase Custody, BitGo, Anchorage, Fidelity Digital Assets.) |
| Qualified custodian | A custodian licensed under SEC rules to hold client assets. |
| Account abstraction | The technology that lets smart contracts act as wallets, enabling custom rules like social recovery and spending limits. (ERC-4337.) |
| Social recovery | A wallet recovery mechanism where designated trusted parties can together help you regain access if you lose your keys. |
| Inheritance planning | The set of arrangements that allow heirs or designated parties to access your crypto holdings after your death. |
Reality check
You hold $250,000 in crypto across three different chains. Walk through where you would actually store it, in what proportions, and what your inheritance plan would be.
There is no single right answer, but there is a coherent answer. If yours doesn't address (1) operating balance, (2) hardware storage for the bulk, (3) multisig consideration at this size, and (4) some form of recovery plan if you become unavailable, you are missing layers. The point is not to be paranoid. The point is to think about the structure before you need it, because the people who think about it after they need it usually do not get a second chance.
Read deeper
1. What is MetaMask? by The Block (revisited from Day 4)
The most-used hot wallet, with a sharper look at safety practices.
Deven's take. Revisit this if you haven't gotten comfortable with MetaMask yet. The two ongoing risks worth knowing: (1) malicious dApp approvals (you sign a transaction that gives a contract permission to drain a specific token), and (2) phishing sites that impersonate real ones. Tools like Revoke.cash let you check and revoke approvals you've granted. Bookmark it. The whole hot-wallet category requires more user vigilance than CEXs because the customer service line doesn't exist.
2. What is the Phantom Wallet? by The Block
The Solana wallet, increasingly multi-chain.
Deven's take. Phantom has the cleanest UX of any major wallet in 2026. If you're doing anything on Solana, this is the default. They've also expanded to Ethereum, Bitcoin, and other chains, which makes them a credible multi-chain alternative to MetaMask. The UX gap between Phantom and MetaMask is one of the things that makes the "chain abstraction" conversation interesting: better wallets reduce the user's exposure to which chain they're actually on.
3. What is a multisig wallet? by The Block (revisited from Day 4)
The pro-grade setup for serious balances.
Deven's take. Don't skip this if you've crossed into "this is a meaningful amount of money" territory. Multisig eliminates the most-damaging single point of failure. The setup is more involved than a single hardware wallet, but the protection it offers is categorically different. Casa, Unchained, and Safe (formerly Gnosis Safe) are the three services I'd point you at depending on what you're trying to do. Casa is the most retail-friendly. Unchained is Bitcoin-focused with strong inheritance products. Safe is the standard for DAOs, protocols, and DeFi-native institutions.
4. What is blockchain abstraction? by The Block
The future of wallet UX.
Deven's take. Optional read. Worth it if you find the current crypto UX clunky (it is) and want to understand where it's heading. Chain abstraction is the idea that users should not have to know which chain they're transacting on. You hold "dollars," not "USDC on Base." You send "ETH," not "ETH on Arbitrum." The wallet figures out the bridging and routing for you. The technology is maturing. In two or three years, most users will not know or care which chain they're on, the same way most internet users do not know which network their packets are routed over. Account abstraction is the technical foundation for this shift.
5. Casa and Unchained (services for serious custody)
The two leading consumer-grade multisig + inheritance services.
Deven's take. Worth knowing about before you need them. Casa runs from $250 to $25,000+ per year depending on tier. Unchained has tiered services starting around $250 per year. Both handle the operational complexity of multisig, key recovery, inheritance planning, and integration with hardware wallets. For anyone holding meaningful balances who is not technically inclined enough to roll their own multisig setup, these are the path of least resistance to a structurally safer custody posture.
6. Safe (formerly Gnosis Safe) — the standard for organizational custody
Used by DAOs, protocols, and institutional users.
Deven's take. Skip this if you're a personal user. Bookmark it if you are or will be operating any kind of organizational crypto treasury. Safe is the de facto standard for multisig wallets in DeFi, DAOs, and crypto-native institutions. Most of the on-chain treasuries you'll hear about in the news (Aave, Uniswap, MakerDAO, ENS) are managed through Safe. Useful to know about for the inevitable day when you or someone you work with needs to manage assets on behalf of an entity rather than an individual.
Tomorrow
Where yield actually comes from. Mining vs staking, proof-of-work vs proof-of-stake. The basics of how new tokens enter circulation and why some chains pay 3% for staking while suspicious projects offer 25%. By the end of tomorrow you'll be able to evaluate any "earn yield on crypto" claim against the small number of mechanisms that produce real yield.
See you in the morning.