REPORT
Custody Solutions
Open
Custody is a legal construct, not a technical one. The same MPC, multisig, HSM, or TEE infrastructure can underpin self-custody, third-party custody, or a hybrid setup, and the choice has direct consequences for security, regulatory standing, and recoverability.
This report breaks the decision into three independent dimensions: who controls the keys, how the keys are protected, and how the layers fit together. With a decision framework for corporate treasury, fund managers, exchanges, protocols, and operating with digital assets.
About the report
Custody Solutions is a chain-agnostic report covering the four custody models (self, third-party, exchange, hybrid), six key management technologies (EOA, multisig, MPC, HSM, TEE, smart contract wallets), and the institutional stack that layers them.
The report is written for practitioners making real custody decisions:
Corporate treasury teams holding stablecoins for cross-border payments, supplier payments, and reserves
Fund managers and asset managers subject to qualified custodian rules and LP insurance requirements
Exchanges and lending protocols managing high-volume hot, warm, and cold layers under proof-of-reserves expectations
DeFi protocol teams designing on-chain governance, treasury, and admin controls after incidents like Drift, Bybit, and Radiant Capital
DAOs operating multi-million dollar community treasuries through Safe, Squads, or native multisig
Our analysis draws on published 2024 industry loss data, Trail of Bits' maturity framework, primary documentation from Fireblocks, Turnkey, Safe, Ledger Enterprise, and others, and recent incident post-mortems including the $285M Drift Protocol hack and the September 2025 npm supply chain attack. Regulatory framing covers MiCA, the SAB 121 repeal, and US qualified custodian rules.
The report is organized around three findings that hold across use cases.
Custody is a legal construct, not a technical one. The same underlying technology can underpin self-custody, third-party custody, or a hybrid arrangement. What matters is whether any external party can unilaterally move assets, and what the contractual, regulatory, and recovery posture looks like around that question.
Defense in depth, with hot, warm, and cold layering. No single technology solves custody. Mature institutional setups layer MPC for fast operational signing, multisig for governance, HSMs for cold vault storage, policy engines for enforcement, monitoring for detection, and timelocks for response. Each layer compensates for the weaknesses of the others.
Hybrid is converging as the institutional pattern. Pure self-custody is operationally heavy and carries full disaster recovery responsibility. Pure third-party introduces counterparty risk and reduced control. Hybrid configurations, where the client retains policy control and at least one key share while offloading signing infrastructure, are the dominant institutional pattern in 2026.
These takeaways are unpacked through the full custody model comparison, key management technology breakdowns, and a use-case-driven decision framework.
About Range
Range is the stablecoin treasury and risk management platform for financial institutions, trusted by the Solana Foundation, Circle, Stellar, and Squads. Range Treasury Monitoring is the independent, cross-custodian system of record for digital asset treasuries, with 500+ configurable rules, OFAC, sanctions and PEP screening, and an immutable audit trail.
Next step
The best custody stack in the world is blind without monitoring, and monitoring without response capability is just a log. If you are designing, reviewing, or defending a custody setup this quarter, we can map the report's framework to your existing stack in a 30-minute call.
