Our Thinking
Apr 8, 2020

Securing and Managing Cryptoassets on-exchange

In this blog post by Trustology senior software developer Giulio Pezzulli, we explain the merits behind having an on-exchange wallet with Trustology.

Trustology on-exchange wallet
Imagine you are:
  • An Institutional Investor, and you’ve recently invested a lot of money into a promising crypto fund
  • A Hedge Fund, and you have received a lot of money from investors
  • A Crypto Trader, and you trade on multiple exchanges
  • Any high net worth Individual or Company that frequently sends crypto to and from multiple exchanges

How do you sleep? Do you turn and tumble at night worrying about the fortune you have sitting on the exchange? Good, Because you should worry! There are so many things that could go wrong, here are just a few…

  • One of your teammates withdraws all of the funds to his account and disappears
  • You mistype a withdrawal address and send it to someone random or worse to no one at all
  • The government comes knocking at your fund’s door and slaps you with a heavy fine for not using a third party, independent custodian
  • You wake up, with a gun to your head and are forced to withdraw all the funds to an unknown account.

These are very real problems which are unique to crypto.

Here is how Trustology solves it.
Securing cryptoassets on-exchange

First and foremost, all clients that wish to sign off on transactions must have downloaded Trustology’s Trustvault iOS app and completed the simple sign up process.

Then we go through an initialisation process where the Trustology staff and client will create two api keys for every exchange. One api key is permissioned only to trade and is kept with the client to use and manage their portfolio. 

The other key is permissioned to withdraw only and that is held by Trustology acting as an independent, insured custodian. Any time a client wishes to withdraw funds (to other exchanges or whitelisted addresses) they have to get approval from as many members of their team as noted on their wallet account. (known as a Multi Signature policy)

Another thing to take note is that two factor authentication (2FA) is enabled on all the exchanges, and the 2FA ‘secret’ is kept by Trustology. This stops people withdrawing funds by simply logging into the exchange and executing withdrawals.


Great! We now have locked down the permissions so any withdrawal has to go through Trustology’s system.


So what does a withdrawal look like?

Take a sneak peek at the demo video below and read the supporting explanation to learn more.


Here is the description of the video above:
  1. One of your team initiates a transaction from one exchange to one of the whitelisted addresses using Trustology’s desktop client portal 
  2. The transaction then appears in the TrustVault iOS app’s inbox of all users of the multisignature policy (this could be you, your directors, your investors, key traders, head of operations, grandma, anyone you choose basically)
  3. A minimum number of users have to sign the request from their phones (this minimum is specified by you when you create your accounts e.g. 3 out of 4 directors must sign)
  4. Once signed the withdrawal is handled by Trustology’s firmware which validates all the signatures within an HSM (hardware secure module) and calls the exchange API’s to execute the transfer. The funds will appear a few minutes later (the arrival time will vary depending on the exchange and blockchain you are using).

What’s important to note is that this is all automatic, no manual or human steps involved. Signatures cannot be faked or copied, they must come from the device you own and have authenticated with (read more here about trustology’s usp). Worse case scenario the funds are sent to an exchange/address that you control.

To summarise the on-exchange wallet feature and functionality was built to lift the heavy burden of safekeeping exchange keys and controls while providing 24×7 lightning-fast abilities to enforce audited multisig and address whitelisting controls, thereby demonstrating to investors and regulators that the custodial and fiduciary risks have been minimised. It allows investors, fund managers and traders to sleep easy at night knowing they are invulnerable to theft from the outside world and, more importantly, from within their own walls. Moreover, with Trustology’s built in compliance controls such as KYC and KYT, they have laid the groundwork for a robust security infrastructure; compliant with any forthcoming regulation with a reliable account recovery process in place. Therefore clients can never lose their keys. This allows all users, be it an investor or fund manager, to focus more time on what matters – managing portfolios and growing operations. 

About the author

Giulio is a senior software developer at Trustology where he’s helped build the features talked about in this blog first published on medium. Giulio has a deep interest in blockchain and distributed ledger technology and is thrilled to be part of this movement.


Related content:

Trustology Rolls Out Credentials Wallet For Crypto Funds To Manage On-Exchange Risks