The 50 Shades of Non-Custodial
Learn to Spot Fake DeFi and Enjoy the Benefits of True Non-Custodial Services
Non-custodial is one of those DeFi buzzwords.
You’ll likely find it in the description of basically every DeFi project, as it is almost synonymous with the key selling point of a decentralized financial system.
But what does non-custodial actually mean? And what are the different versions of non-custodial that we see in the wild today?
Non-custodial, in a nutshell, means that you as the user maintain control of your funds at all times — even when interacting with a DeFi service or protocol.
The implications are profound.
If a DeFi protocol is fully non-custodial, a definition we will examine in a moment, the protocol has no way to transfer your funds without your explicit consent; meaning while your funds are engaged in a specific financial service like trading or yield generation, they are fully protected from theft, confiscation and human error.
Essentially, non-custodial means you can have your cake and eat it too: You can enjoy the benefits of a financial service while maintaining similar security assurances of cold storage.
As with every concept this powerful, the devil is in the details of the implementation.
While every project even closely related to DeFi promotes its services as non-custodial, we see three distinct versions of it implemented today:
- Non-custodial theater (or fake DeFi)
- Partially non-custodial
- Fully non-custodial
Non-custodial Theater (Fake DeFi)
A project is engaging in non-custodial theater if their system gives one party, or two colluding parties, the ability to move your funds without your explicit consent.
Luckily these kinds of projects are easily spotted in the wild as there are two telltale signs of fake DeFi:
- The project operates its own wallet
- The project operates its own oracle or the oracle is highly centralized
If you don’t have to bring your own third party wallet to use the service or, in other words, if you sign up with an email and password instead of connecting your own wallet, there must exist a centrally controlled server that manages your private keys.
This is the definition of a custodial service.
If the protocol relies on an oracle with the power to move funds and that oracle is operated by the protocol itself, the service is custodial. Likewise, If the oracle is operated by a single third party we also consider the service custodial; the protocol operators can easily collude with the third party oracle to misappropriate funds.
Partially Non-custodial
Partially non-custodial projects avoid the obvious pitfalls of fake DeFi but still come with a major drawback: their system has the ability to freeze funds.
The ability to freeze funds is a major issue because it opens the door to confiscation and extortion.
A protocol that can freeze funds can (and eventually will) succumb to the pressures of government agencies that demand the confiscation of what they deem to be illicit funds. Like the trucker protests in Canada have shown, “illicit” can have a wide definition and can include merely speaking out against government action.
Moreover, the ability to freeze funds can be abused by holding funds hostage and extorting the user. This is especially relevant when considering the security against hacks (both external and internal) and protocol teams with malicious intent (scams and rugs).
Unfortunately, understanding if a protocol is only partially non-custodial is not as easy as spotting fake DeFi. There are no obvious outward signs of partial non-custodial systems as the root issue is generally due to excessive or poorly designed admin privileges. Only reviewing the documentation and especially the audit reports will allow you to accurately assess if a protocol is only partially non-custodial.
Fully Non-custodial
A fully non-custodial protocol fits the definition of what is commonly understood as non-custodial: the user stays in full control of the funds at all times. Put simply, there is no scenario where funds can be moved or frozen without the explicit consent of the user.
Creating a fully non-custodial system is hard to achieve because, from a security perspective, a system is only as secure as its weakest element. Meaning in order for a system to be fully non-custodial it has to avoid every element of even partial custody.
Apart from avoiding the obvious issues of non-custodial theater, a fully non-custodial system has carefully designed admin privileges that make it impossible to freeze funds.
The litmus test is simple: A fully non-custodial system can have its admin keys compromised by a malicious actor and the user can still withdraw all of their funds.
At Hermetica, this is the standard we hold all of our systems to.
All of our smart contracts are fully non-custodial. That means that our internal systems, including the private keys that control the admin privileges of our smart contracts, can be fully compromised by a hacker and user funds will still be secure.
We achieve this by combining a security first smart contract architecture with the risk management benefits of options strategies. Our smart contracts have a hard coded maximum risk (e.g. 1% of vault balances every month) that can be traded every epoch. A malicious party that gains access to our admin keys will only be able to misappropriate this 1% of funds, the remaining 99% stay secure in the vault contract and can be withdrawn by the user.
Join on our waitlist at hermetica.fi if you want to be among the first to get access to our ground-breaking DeFi products as we release them.
