We believe that self-custody for crypto hedge funds trading on multiple exchanges is not a viable institutional solution (see this article on self-custody we wrote earlier). In short, although many custodians claim to have institutional custody, in practice they lose control of the fund’s crypto assets as soon as they are sent to an exchange.
At Nickel Asset Management, we have been seeking to set up a crypto arbitrage fund for some time, but we decided to launch only once a solution to self-custody was available. To achieve this, we have been working with the London-based custodian, Copper, who have developed a working solution to the self-custody problem.
Solution: The Walled Garden
This solution creates a wall that surrounds the fund’s custodian and the exchanges on which the fund trades. Inside the Walled Garden, crypto transfers can be made frequently, rapidly and safely. Moving crypto funds outside the Walled Garden, if ever needed, requires signatures of multiple independent parties for maximum safety.
The diagram below illustrates the key points of the Walled Garden solution:
1. All the fund’s transfer requests pass through the custodian, and the custodian instructs the exchanges on receipt of a transfer request.
2. The investment manager does not have access to the exchanges for transfers, while continuing to have access to the exchanges for trading.
3. A fund transfer outside of the Walled Garden requires cooperation between the custodian and the administrator. No one entity is entitled to make such a transfer.
Figure: The Walled Garden
In order for any exchange to operate within the Walled Garden effectively, it must provide the following functions:
- permissioned API keys (for withdrawals only, for trading only and for reading only)
- a REST API for withdrawals
- a whitelist of addresses for withdrawals
Permissioned API keys enable the various parties (investment manager, custodian and fund administrator) to perform their roles:
The REST API for withdrawals enables the custodian to create an automated front-end solution for the investment manager to request transfers (e.g. via the custodian’s website). These can then be automatically initiated via an API request to the exchange.
Whitelisted addresses for exchange fund withdrawals ensure that, once they have been set up and the exchange security credentials have been secured, withdrawals from exchanges are restricted to blockchain addresses within the Walled Garden. The only blockchain addresses that will be whitelisted are the fund’s blockchain address (controlled by the custodian) and the exchanges’ blockchain addresses for the fund’s accounts.
How do we add an exchange to the Walled Garden?
The Walled Garden doesn’t appear out of nowhere; it needs to be established. This is our current setup process, which will no doubt be improved upon as exchanges and service providers mature:
1) The investment manager gathers the fund’s KYC documents necessary to open an exchange account and (with fund directors, if necessary) opens the exchange accounts.
2) The investment manager sets up the whitelisted blockchain addresses for the custodian’s account for each crypto used as margin on the exchange (in our case BTC and some stable coins).
3) The investment manager generates the trade-only and read-only API keys for the exchange. The read-only key is given to the administrator.
4) The investment manager passes the exchange security credentials (username and password) to the custodian. No 2FA has been set up as this will be set up by the custodian.
5) The custodian checks whether the whitelisted blockchain addresses set up by the investment manager are the valid addresses of the fund and the fund’s account addresses at other exchanges. The custodian then adds the fund’s new exchange account addresses to its own whitelist.
6) The custodian generates the exchange transfer API key and incorporates it into their system for exchange-to-custody and exchange-to-exchange transfers.
7) The custodian changes the exchange account’s security credentials (email and password) and adds 2FA to the account. This process is actually slightly more involved than this, although for security purposes we do not disclose it fully.
8) The custodian securely stores exchange security credentials and passes an encrypted copy to the administrator to store in case of corruption of the custodian’s systems.
9) The custodian passes the 2FA device to the administrator.
Note that, by this stage:
- logging in to the exchange requires cooperation between the custodian (who has sole access to email and password) and the administrator (who has sole access to 2FA)
- the fund manager no longer has access to the account’s security credentials
- no crypto funds have yet been transferred to the exchange
10) The investment manager can now ask the custodian to send crypto assets to the exchanges for trading and margin. These transfers can only be sent to verified exchange addresses that have previously been whitelisted by the custodian.
Note that, in this setup, crypto withdrawals from the exchange to the custodian or directly to other exchanges (i.e. staying inside the Walled Garden) can be made by the investment manager using the custodian’s system, allowing for efficient cross-exchange trading.
Crypto withdrawals to any other address (i.e. going outside the Walled Garden) are prevented by the exchange’s and custodian’s whitelists and would require an approval from both the custodian and the administrator.
Fiat withdrawals from the Walled Garden are made by the custodian at the request of the fund manager, and only to the fund bank account, operated by the administrator.
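The key scoping and crypto transfer rules above, modelled as a policy check in Python. This is an added example, not code from Copper or the authors; the addresses, role names and function names are constructed placeholders.

```python
from dataclasses import dataclass

# Constructed sample data: addresses and role names are placeholders.
WALLED_GARDEN = {                      # whitelist held by custodian and exchanges
    ("BTC", "addr-custody-fund"),      # fund address controlled by the custodian
    ("BTC", "addr-exchange-A-fund"),   # fund's account address at exchange A
    ("BTC", "addr-exchange-B-fund"),   # fund's account address at exchange B
}
KEY_SCOPES = {                         # one permissioned API key per party
    "investment_manager": {"trade"},
    "administrator": {"read"},
    "custodian": {"withdraw"},
}
EXIT_APPROVERS = {"custodian", "administrator"}  # both needed to leave the garden


@dataclass(frozen=True)
class Transfer:
    asset: str
    source: str
    destination: str


def can_call_exchange(role: str, action: str) -> bool:
    """An API key can only perform the action it was scoped for."""
    return action in KEY_SCOPES.get(role, set())


def authorize(t: Transfer, approvals: frozenset = frozenset()) -> tuple[bool, str]:
    """Custodian-side decision for a transfer request (hypothetical policy model)."""
    if (t.asset, t.source) not in WALLED_GARDEN:
        return False, "source is not a fund address inside the Walled Garden"
    if (t.asset, t.destination) in WALLED_GARDEN:
        # Custody <-> exchange or exchange <-> exchange: no extra sign-off,
        # executed by the custodian with its withdraw-scoped key.
        return True, "inside Walled Garden: executed by custodian"
    # Any other destination leaves the garden; the manager's consent does not count.
    missing = EXIT_APPROVERS - approvals
    if missing:
        return False, "leaving Walled Garden: missing approval from " + ", ".join(sorted(missing))
    return True, "leaving Walled Garden: approved by custodian and administrator"
```
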
What are the drawbacks?
As is often the case, the security of the Walled Garden brings some minor drawbacks in usability, as follows:
Direct access to exchanges
Unless the exchange supports sub-accounts, the investment manager does not have direct trading access to the exchange. In order to trade, they have to use the exchange API with a trading bot or an EMS such as Coinigy or Caspian (we will soon publish a review of crypto EMSs). In practice, most managers will use an EMS so they can use more sophisticated orders than those currently offered by the exchanges (e.g. Iceberg).
Changes to exchange account
Occasionally, the investment manager may need to make necessary changes to the exchange account. If the changes are simple, the administrator and the custodian working together can make the changes without providing the investment manager with security credentials.
If the changes are complex, the custodian and administrator can remove the 2FA and reset the exchange security credentials so the manager can access the account to make the changes. Before this takes place, the manager ought to send all the crypto on the exchange account back to custody. In this way, the manager would only be accessing an empty account.
The Walled Garden solution, with Copper as custodian, now exists for crypto hedge funds trading on multiple exchanges. This creates a secure area for the fund’s custodian and the exchanges on which it trades. Within the Walled Garden, transfers can be made frequently, rapidly and safely between custody and the intra-mural exchanges. Individually, neither the investment manager, custodian nor administrator could be forced by a criminal party to transfer the fund’s crypto assets from the exchanges.
Institutional investors in hedge funds operating this solution can now be confident that the funds they invest in crypto hedge funds are not self-custodied when held on exchange.
To learn more about the solution contact Copper at firstname.lastname@example.org
To learn more about crypto arbitrage contact email@example.com
Written by Michael Hall and Alek Kloda December 2018
Some exchanges also allow a main account and sub-accounts, making exchange operations simpler. Exchange sub-accounts enable the investment manager to log on to the exchange to trade without having to use an Execution Management System (EMS). This is a feature that only a few exchanges currently offer, although, as the space institutionalizes, it should become widespread. In practice, most investment managers will use an EMS or trading bots to improve market access and reduce slippage.