Technology Security, Pillar 03

Secure Private Key Storage
HSM & MPC for Web3.

A private key stored insecurely is the most expensive single point of failure in Web3. Hardware security modules and multi-party computation eliminate that single point, but only if implemented correctly. The design matters as much as the technology.

The Service

HSM & MPC Key Management: Cloud Security Infrastructure for Cryptographic Assets

Private key security is the foundational problem of Web3. Every other security control (smart contract audits, access management, multi-sig governance) ultimately depends on the keys that authorise critical actions remaining in the hands of the right people. A key stored in a plaintext file, a browser extension, a password manager, or an environment variable is a key that can be exfiltrated. The question is not whether it will be targeted, but whether the storage is hardened enough to resist when it is.

Hardware Security Modules (HSMs) provide tamper-resistant hardware that generates, stores, and uses private keys without ever exposing key material in plaintext. Multi-Party Computation (MPC) distributes key operations across multiple parties so that no single node or participant ever holds a complete key: threshold signing without the operational complexity of on-chain multi-sig. Cloud security services such as AWS KMS, Azure Key Vault, and GCP Cloud HSM provide managed HSM infrastructure for teams without dedicated hardware. We design, review, and implement key storage architectures appropriate to your protocol's scale, threat model, and operational requirements.

What We Deliver

Work is delivered through our internal consultancy team and a curated network of specialist partner firms, rigorously vetted for technical depth and professional integrity in the Web3 space.

  • Key storage architecture review: audit of current key handling practices against industry standards and threat model
  • HSM design and implementation advisory: hardware selection, initialisation procedures, and access control configuration
  • MPC wallet architecture: threshold signing design, node distribution, and operational procedures for distributed key management
  • Cloud KMS integration: AWS KMS, Azure Key Vault, and GCP Cloud HSM configuration and access policy review
  • Secrets management review: HashiCorp Vault, AWS Secrets Manager, and equivalent systems for API keys, credentials, and signing material
  • Key hierarchy design: master keys, derived keys, and purpose-limited keys, ensuring the scope of any single key compromise is bounded
  • Key rotation and lifecycle policy: scheduled rotation, emergency rotation procedures, and verification that old key material is fully decommissioned
  • Backup and recovery design: secure key backup procedures that protect against loss without creating a recoverable plaintext copy

Seed Phrases in Password Managers Led to $35M in Theft

“When LastPass was breached in August 2022, attackers obtained encrypted customer vaults. For crypto users who had stored wallet seed phrases in LastPass, treating it as secure storage, the protection was only as strong as their master password. Blockchain investigator ZachXBT traced over $35M in cryptocurrency thefts directly to decrypted LastPass vault data. The keys were stored. They were stored using a tool designed for passwords, not for the private keys controlling irreversible on-chain transactions. An HSM or purpose-built key management system is not overcautious, it is proportionate to the value of the assets the key controls.”
Security4Web3 Incident Analysis

MPC Is Not Enough If the Signing Interface Is Compromised

“Bybit used Fireblocks, a leading MPC custody platform, for their cold wallet. The MPC key shards were never exposed. But in February 2025, attackers compromised Safe’s infrastructure and injected malicious JavaScript that manipulated the transaction displayed to signers. The three multi-sig participants each saw a legitimate-looking routine transfer. They co-signed a contract upgrade that handed control of the cold wallet to the attacker. The MPC architecture worked exactly as designed. The $1.5B loss came from the signing interface and the operational procedures around it, not the key storage.”
Security4Web3 Incident Analysis

Cloud information security for cryptographic key material requires more than encrypting data at rest. The cloud security platform itself (KMS access policies, IAM bindings, audit logging, and key usage monitoring) must be correctly configured. A cloud-managed HSM with misconfigured access controls is not a security improvement over a plaintext key in the right hands.
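As an added illustration of the access-policy point above (not code from this page or from any vendor), the following Python sketch lints an AWS KMS key policy document for three common misconfigurations. The sample policy, account ID, and role name are constructed, and the action groupings are this example's own assumption rather than an AWS-defined classification.

```python
import json

# Constructed sample key policy; account ID and role names are placeholders.
SAMPLE_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Sid": "RootDelegation", "Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
   "Action": "kms:*", "Resource": "*"},
  {"Sid": "Signer", "Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::111122223333:role/tx-signer"},
   "Action": ["kms:Sign", "kms:GetPublicKey", "kms:PutKeyPolicy"], "Resource": "*"},
  {"Sid": "Legacy", "Effect": "Allow",
   "Principal": "*", "Action": "kms:Sign", "Resource": "*"}
]}
""")

# Assumed groupings: actions that use the key vs. actions that change who can.
USE = {"kms:sign", "kms:decrypt"}
ADMIN = {"kms:putkeypolicy", "kms:creategrant", "kms:schedulekeydeletion"}

def as_list(value):
    return value if isinstance(value, list) else [value]

def principals(stmt):
    p = stmt.get("Principal", {})
    if isinstance(p, str):          # bare "*" form
        return [p]
    return [x for v in p.values() for x in as_list(v)]

def audit_key_policy(policy):
    """Return (Sid, finding) pairs for risky Allow statements."""
    findings = []
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = {a.lower() for a in as_list(stmt.get("Action", []))}
        who = principals(stmt)
        is_root = all(p.endswith(":root") for p in who)
        if "*" in who and not stmt.get("Condition"):
            findings.append((sid, "wildcard principal without Condition"))
        if ("kms:*" in actions or "*" in actions) and not is_root:
            findings.append((sid, "full kms:* granted to a non-root principal"))
        if actions & USE and actions & ADMIN:
            findings.append((sid, "key use and key administration in one statement"))
    return findings

if __name__ == "__main__":
    for sid, finding in audit_key_policy(SAMPLE_POLICY):
        print(f"{sid}: {finding}")
```

A policy lint of this kind covers only the key policy; IAM bindings, grants, and audit logging configuration need their own review.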

The Options

Three Approaches to Secure Key Storage.

There is no single right answer for every protocol. The appropriate key storage architecture depends on your threat model, operational requirements, and team structure. We design solutions using one or a combination of all three.

Hardware Security Modules

Dedicated tamper-resistant hardware (Thales Luna, AWS CloudHSM, YubiHSM, or equivalent) that generates and uses keys internally without ever exposing them in plaintext. Signing operations happen inside the hardware. The key never leaves. Requires careful initialisation, access control configuration, and backup procedures to realise the security benefit.

Multi-Party Computation

Distributed key generation and threshold signing: the key is split across multiple independent nodes so that no participant ever holds a complete private key. Signing requires a threshold of participants to cooperate. MPC wallets (Fireblocks, ZenGo, Silence Laboratories) provide managed implementations; we design and review bespoke MPC architectures for protocols requiring custom configurations.

Cloud KMS & Secrets Management

Managed cloud HSM services (AWS KMS, Azure Key Vault, GCP Cloud HSM) provide hardware-backed key storage without dedicated on-premises hardware. They are combined with secrets management platforms (HashiCorp Vault, AWS Secrets Manager) for API keys and operational credentials. Correct implementation requires careful IAM policy, audit logging, and access boundary configuration, which we review and design.

Cold Storage & Air-Gap

For keys that control the highest-value assets and sign infrequently (treasury wallets, protocol owner keys), air-gapped cold storage remains the highest-security option available. We design the operational procedures (initialisation, physical security, geographic distribution, signing ceremonies, and emergency access) so that the cold storage functions correctly when it needs to, not just in theory.

Where are your protocol's private keys right now? If the answer is anything other than a deliberate, documented key management architecture (HSM, MPC, cloud KMS, or a combination), you have an uncapped single point of failure. We review current key storage practices and design the architecture appropriate to your threat model and operational requirements.