
The institutional custody stack: choosing self-custody, third-party, exchange, and hybrid models

Our latest stablecoin report breaks down the four custody models, six key technologies, and the regulatory layer every institution needs to navigate

Range Team


Custody is the most consequential infrastructure decision an institution makes when it starts moving digital assets. The technical surface is familiar to crypto-native teams, but for treasurers, CFOs, and heads of compliance coming from traditional finance, the question comes across differently. There is no chargeback, no fraud department and no court order that reverses a transfer once it is signed. Whoever controls the private key controls the asset.

This is the framing of Range's third stablecoin report, Custody Solutions: a practitioner's framework for digital asset custody. It is built for operators who have to deploy and run an institutional custody stack, not for the architects of a single product. The summary below covers the core framework. The full report goes deeper into every layer.

Custody is the answer to three questions

Strip away the vendor categories and the acronyms, and custody resolves to three questions:

  1. Who holds the private keys?

  2. Who can move the assets?

  3. What rules govern access?

The answers determine your regulatory posture, operational risk, insurance coverage, and ability to survive a bad day. Every major loss event in the history of digital assets, from exchange collapses to insider theft to irrecoverable key loss, traces back to a poor answer to at least one of those three questions. $2.2 billion was stolen across 303 incidents in 2024, with private key compromise accounting for 43.8% of the total. It was the largest single attack category by a factor of five. And the problem has not slowed, with $3.4 billion stolen across crypto in 2025, a 55% jump on 2024.

Four custody models

There are four operating models, and the distinction between them is legal, not technical. The same underlying technology can underpin any of them.

Self-custody means the institution generates, stores, and controls its own keys. No third party has independent authority to move funds. This includes an organization running its own HSMs or a 3-of-3 MPC setup where the institution holds every share. The defining test is whether any external party can unilaterally move assets. If not, it is self-custody.

Third-party custody delegates key control to a specialized institution under a contractual relationship. This is the qualified custodian pattern that US Investment Advisers Act registrants and most regulated funds operate under. The trade is operational simplicity and regulatory cover for counterparty risk and withdrawal latency. This is how most US-registered fund managers operate today and what made bank custody viable after the repeal of SAB 121.

Exchange custody is the riskiest profile. The exchange's core business is trading, not safekeeping, and the regulatory posture often reflects that. FTX, Celsius, and Voyager are the reference cases. The institutional pattern is to use exchanges for execution only and withdraw to custody promptly.

Hybrid custody distributes key control across the client and one or more providers, with threshold cooperation required to sign. A typical 2-of-3 MPC configuration places one share with the client, one with the provider, and one offline as backup. The full key is never reconstructed in any single location. This is the dominant institutional pattern in 2026.


Six key management technologies

Beneath those models sit six technologies, often layered together in mature stacks:

  • Single key (EOA): one key, one account. Universal but single point of failure. Reserve for small balances.

  • Multisig: multiple keys, threshold required. On-chain, transparent, auditable. The standard for DAO treasuries and protocol governance. Safe alone secures $100B+ across EVM chains.

  • MPC: a key split into encrypted shares across separate parties. Off-chain, chain-agnostic, sub-second signing. Fireblocks reports $10T+ transferred across 2,400+ organizations.

  • HSM: tamper-resistant physical hardware. Keys never leave the device. FIPS 140-2 Level 3 or higher. The standard for cold storage.

  • TEE: hardware-isolated enclaves on general-purpose processors. Cloud-native, scalable, remotely attestable. The foundation of Turnkey's wallet-as-a-service architecture.

  • Smart contract wallets: programmable account logic via ERC-4337 and EIP-7702. Session keys, social recovery and spending limits are enforced on-chain.

The technologies are not mutually exclusive. They are complementary, and the discipline is in how they are layered.

The hot, warm, cold stack

Every mature institutional setup partitions assets across three operational tiers.

The hot layer holds the minimum balance required for automated operations: customer withdrawals, payment processing and market making. Keys sit in a hybrid MPC for sub-second signing, with policy engines enforcing transaction limits, destination whitelists, and velocity caps. Risk is highest, so balances are right-sized to actual cash flow rather than a fixed percentage.

The warm layer is semi-operational, available within hours rather than seconds. It uses multisig with explicit human approval, often with one-to-four-hour timelocks. This is where day-to-day treasury management lives.

The cold layer holds the majority of assets. It is HSM-based, with geographically distributed multi-party authorization, 24-72 hour timelocks, destination whitelists, and out-of-band verification. Speed is the trade. That is the feature.

Above this sits a governance layer (policy engine, role-based access, change management) and below it a monitoring layer (real-time anomaly detection, circuit breakers, escalation). 

The Drift protocol hack in April 2026 is the case study in what happens when those layers are missing. Attackers drained $285 million over 2.5 hours after exploiting the absence of timelocks on admin actions. Two pre-signed transactions, one second apart, transferred full control.
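The tier controls described above (transaction limits, destination whitelists, velocity caps, and timelocks) can be expressed as one pre-signing policy check. The sketch below is an added example, not Range's code or any custody vendor's API; the class names, addresses, and amounts are constructed, and only the 24-hour cold timelock is taken from the range given in the text.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class TierPolicy:
    per_tx_limit: int      # largest single transfer the tier may sign
    velocity_cap: int      # total outflow allowed inside the rolling window
    window_s: int          # rolling window length in seconds
    timelock_s: int        # minimum delay between request and execution
    allowlist: frozenset   # approved destinations (the "destination whitelist")

@dataclass
class PolicyEngine:
    policy: TierPolicy
    executed: list = field(default_factory=list)  # (timestamp, amount) history

    def evaluate(self, amount, dest, requested_at, now):
        """Return every violated rule; an empty list means signing may proceed."""
        p = self.policy
        violations = []
        if dest not in p.allowlist:
            violations.append("destination_not_allowlisted")
        if amount > p.per_tx_limit:
            violations.append("per_tx_limit")
        # Velocity looks at the sum of recent outflows, so a run of transfers
        # that each pass the per-transaction limit can still be stopped.
        recent = sum(a for t, a in self.executed if now - t < p.window_s)
        if recent + amount > p.velocity_cap:
            violations.append("velocity_cap")
        # The timelock is measured from the request, not from any signature,
        # so a transaction signed in advance still waits out the full delay.
        if now - requested_at < p.timelock_s:
            violations.append("timelock_pending")
        return violations

    def execute(self, amount, dest, requested_at, now):
        violations = self.evaluate(amount, dest, requested_at, now)
        if not violations:
            self.executed.append((now, amount))
        return violations

# Constructed policies: the hot tier signs immediately but is tightly capped,
# the cold tier allows large transfers only to one destination after 24 hours.
HOT = TierPolicy(50_000, 100_000, 3600, 0, frozenset({"addr_payout_1"}))
COLD = TierPolicy(5_000_000, 5_000_000, 86_400, 24 * 3600,
                  frozenset({"addr_warm_multisig"}))
```

Returning all violations rather than the first one gives the monitoring layer the full reason a request was held.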

The regulatory picture in 2026

The regulatory environment has materially shifted in the last eighteen months. MiCA is now in full effect across the EU, requiring CASPs to be licensed, segregate client assets legally and operationally, and carry insurance or capital buffers. In the US, SAB 121 was repealed in early 2025, removing the balance sheet penalty that had made bank custody economically unviable. Banks can now offer crypto custody with their existing regulatory infrastructure, deposit insurance, and audit posture. For corporate treasurers and fund managers with banking relationships, the options have expanded.

The qualified custodian question remains the binding constraint for US-registered investment advisers. SEC Rule 206(4)-2 limits client asset custody to banks, broker-dealers, FCMs, and certain trust companies. That is why crypto-native firms have pursued NY, SD, and WY trust charters: not to add capability, but to qualify.

The classification of hybrid custody is an open question. A service is custodial when the provider has the unilateral authority to move the client's assets. The architecture decides that, not the marketing. For procurement, the practical implication is that the technology questionnaire matters less than the contract, the recovery posture, and a clear test of whether the provider can move assets without you.
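The test above, whether the provider can move assets without you, can be run directly against a share distribution. This is an added example, not part of the report; the holder names and the three configurations are constructed, the three labels follow the definitions given earlier on this page, and the combined-externals check is an assumption that goes one step beyond the page's single-party test.

```python
def assess(shares, threshold, client="client"):
    """shares maps each holder to the number of key shares it controls."""
    total = sum(shares.values())
    if not 1 <= threshold <= total:
        raise ValueError("threshold must be between 1 and the total share count")
    external = {h: n for h, n in shares.items() if h != client}
    # The page's test: can any single external party sign on its own?
    unilateral = sorted(h for h, n in external.items() if n >= threshold)
    client_alone = shares.get(client, 0) >= threshold
    if unilateral:
        label = "custodial"
    elif client_alone:
        label = "self-custody"
    else:
        label = "hybrid"
    return {
        "label": label,
        "external_unilateral": unilateral,
        # Stricter assumption: all external holders acting together.
        "externals_combined_can_sign": sum(external.values()) >= threshold,
        # Recovery posture: is signing still possible if this holder vanishes?
        "signable_without": {h: total - n >= threshold
                             for h, n in external.items()},
    }

# Constructed configurations.
SELF_3_OF_3 = assess({"client": 3}, 3)
# The 2-of-3 layout from the text, with the offline backup held in escrow.
HYBRID_2_OF_3 = assess({"client": 1, "provider": 1, "backup_escrow": 1}, 2)
# The same 2-of-3 threshold, but the provider also keeps the backup share.
PROVIDER_HOLDS_BACKUP = assess({"client": 1, "provider": 2}, 2)
```

The last configuration has the same threshold as the hybrid one, yet the provider alone meets it and the client cannot sign if the provider disappears, which is the difference a procurement review needs to surface.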

Monitoring sits on top of any stack

The best custody stack in the world is blind without monitoring, and monitoring without response capability is just a log. Whatever custody model an institution chooses, the operational reality is that signing infrastructure, governance processes, and human operators all need real-time observation against the policies they are supposed to enforce.

This is the layer most custody decisions miss. Range Treasury Monitoring is the independent system of record across whatever custody stack an institution chooses (custodians, multisigs, exchange venues, and self-managed wallets), with 500+ configurable rules to escalate events based on your risk exposure and governance policies. It is vendor-neutral by design, because monitoring that runs through a custodian is monitoring of, not over, the custodian. Range is trusted by the Solana Foundation, Circle, Stellar, and Squads. The full report walks through where these controls fit at each layer of the stack.

Read the full report here, or get in touch to talk through how monitoring fits into your custody stack.

About Range

Range is the leading intelligence and risk platform for stablecoin infrastructure, trusted by the Solana Foundation, Circle, Stellar, Squads, and more. We provide the compliance, risk, and routing systems required to manage and move digital assets safely across blockchains.

Used by fintechs, asset issuers, and custodians, our platform acts as the system of record for digital asset treasuries, aggregating balances, transactions, and counterparties across wallets, custodians, exchanges, and blockchains. This unified intelligence layer gives finance, risk, and operations teams a real-time view of their on-chain assets and transaction flows.

Through Faraday, our transaction engine, Range enables policy-aware routing of stablecoin payments with embedded real-time risk monitoring and compliance enforcement. Our Stablecoin Explorer at explorer.money - the first of its kind - tracks all major stablecoins across every chain and bridge.

Whether you're building programmable treasuries or privacy flows, Range helps ensure they're safe, compliant, and ready for scale.

Understand every transaction, protect every user

Helping issuers, protocols, and financial institutions build and use stablecoins, blockchains, wallets, and custom asset flows with peace of mind.

Book an intro call

Skip the form. Choose a day and time that suits you to book an exploratory call or demo with our team.
