This message was shared internally with our clients earlier this week.
We have reflected on the FTX situation currently developing and would like to share some recommendations, some of which are direct "lessons learned" from the fall of this exchange platform. These will probably not come as a surprise to you; we hope nonetheless that the thoughts below will be of interest:
1. Rigorously manage your counterparty risk: as the security adage says, trust, but verify. Manage your counterparty risk with strict limits and continuous monitoring, following established risk frameworks as well as ad hoc methodologies and tools.
Taurus-PROTECT allows you to monitor your vostro positions on exchanges and integrates risk management features: it also allows you to block transfers of assets to counterparties and exchanges, and to define rate-limiting rules in terms of maximum amount per transaction and maximum number of transactions per day.
2. Prefer self-custody to sub-custody: we acknowledge that sub-custody can be necessary. Yet, as a general rule, (i) a sustainable digital asset strategy must include full control of the assets, hence self-custody, (ii) do not leave your assets on exchanges; repatriate them immediately or within the same day, within your set risk limits, (iii) always keep rule number 1 in mind.
Taurus-PROTECT allows you to promptly withdraw assets from exchanges or selected third parties of your choice, based on your internally defined limits.
3. MPC – control ALL your shards: if a reminder is needed, “too big to fail”, “too shiny to fail”, as well as “too supported by the who's who of VCs to fail” is NO guarantee against failure. If you use third-party software-based custody solutions, such as an MPC solution, request a product where at any time your organization can sign transactions and restore full control of the assets, without the involvement of a third party or their technology.
Taurus has published the first open-source implementation of the MPC-CMP algorithm in the world. Some large custodians have started using it; all have control of their shards.
4. Independently audit your custody partners: auditing the source code in particular is a critical element of assurance. Do not accept "it's too sensitive" types of answers.
Since day 1, Taurus has had a full transparency policy with clients, under which we share our source code audits (incl. the most sensitive IP parts of our technology) and/or encourage our clients to appoint the trusted auditor of their choice.
5. Value transparency and proofs of reserve: in the wake of the FTX situation, where client assets were likely misused, the market realized the importance of a transparent and irrefutable proof of reserves statement. Such proofs can address both liquidity and insolvency risks.
Taurus-PROTECT already integrated proof-of-reserve capabilities last year. It allows clients to cryptographically validate their reserves and ownership of assets towards auditors and clients, without leaking on-chain the information that a proof of reserve was requested.
6. Always favor more regulation and experience over less regulated newcomers: this provides you with further controls, regulatory obligations and duties, independent oversight, and some assurance that the company’s strategy is not short-term and high-risk. Exuberant promises, be it in terms of financial gain or technology reliability, must pass the test of time no matter how exciting said promises appear to be.
Feel free to contact email@example.com for further information.