As someone who has worked for and/or audited most major crypto custody companies, I am sad to report every single one takes shortcuts that give single individuals acting alone the power to move billions of dollars in value. They also never review third party dependencies. They blindly merge any code dependabot tells them to merge from internet randos and give it control of the funds.<p>This level of negligence should be illegal, but it isn't. Negligence is the default in crypto custody. There are no useful security regulations in this space.<p>Even the ones that think they have a good split custody solution or claim to use HSMs always let an IT manager have remote access to all workstations involved or a release engineer build the software that is used shifting the centralized power and risk to them.<p>Kidnappings and torture are becoming common as people realize this<p><a href="https://github.com/jlopp/physical-bitcoin-attacks">https://github.com/jlopp/physical-bitcoin-attacks</a><p>If you directly or indirectly control secret keys of any significant financial value on your own, you are endangering yourself and your family.<p>Even if you only maintain an open source library used by crypto custodians that do not review the code you write, someone has good reason to coerce you into sneaking in malicious code.<p>To engineers working at custodians: Make your employers manage keys with a quorum of geographically distributed individuals with HSMs, immutable time delayed access controls, and a software supply chain that is full source bootstrapped, reviewed, compiled deterministically, and signed by multiple people so no single person can manipulate the flow.<p>My team and I open sourced a lot of tooling to do this safely. Please use it, or use it for reference to ensure your internal tooling meets the same bar.<p><a href="https://trove.distrust.co" rel="nofollow">https://trove.distrust.co</a>