Execution risk in crypto is the new security risk.



Comment by: Ido Sofer, Sodot founder and CEO.

The crypto industry is typically ahead of the game when it comes to pure innovation and functionality, but security is another matter.

For years, security concerns in crypto have been defined by one fear: theft of private keys. The industry responded by hardening custody with cold storage, air-gapped storage, MPC and other methods. Once the keys themselves were reasonably safe, it became clear that protecting keys alone was not enough, and transaction security and policy controls were added on top. Both remain serious concerns, but focusing solely on private keys obscures a deeper change.

Custody itself extends beyond private keys.


"Custody" once meant the protection of private keys. This definition no longer reflects reality. Custody has evolved into a complex, automated system handling multiple types of transactions across multiple locations, custodians, vendors and internal systems. A modern business moves capital directly or indirectly through exchanges, staking platforms, liquidity venues and infrastructure providers, each with its own API keys, authentication keys, deployment credentials and system-level secrets.

Most of these credentials are stored in secret managers that, by design, return the full key to any authenticated process. Convenient, yes, but structurally weak. If the execution environment is compromised, whether by an external attacker, a rogue employee or a malicious dependency, the entire key is compromised with it. Custody risk therefore extends beyond dormant on-chain keys to a live execution layer, where capital moves in milliseconds and exposure occurs in real time.

The evolution of custody

Security has improved at every level. First, the industry locked private keys down in storage. It then went beyond storage, adding encryption, policy and multi-party control to govern how those keys are used at execution time. The next step is inevitable: apply the same zero-exposure, policy-driven discipline to every key and credential. API keys, deployment credentials and execution secrets are the high-risk assets of modern crypto operations, and extending private-key best practices across this wider surface is no longer optional. Execution risk is the critical challenge.

In recent years, execution risk has emerged as the single largest vector for large-scale exploits. Attackers bypass on-chain security mechanisms and go after the soft underbelly: API keys, server credentials and the other off-chain secrets needed to submit transactions, deploy code, run maintenance and operate custody itself. Recent major breaches, including the Bybit hack, began with off-chain compromises of systems and credentials that later resulted in on-chain financial losses.

How big is execution risk?

It is large and structural. Asset managers, trading firms, custodians and payment companies interact with dozens of CEXs, DEXs, liquidity providers and other vendors simultaneously. Each integration introduces its own credentials, access controls and operational dependencies. Managing these integrations across development, ops, business, risk and security teams creates complexity that compounds over time.

Maintaining these integrations is a never-ending struggle. Keeping security policies consistent across multi-vendor access is a major headache that is usually handled manually, leading to inevitable security gaps and configuration drift.


Execution risk is not accidental. It is a product of how trading systems have historically been designed. In many centralized exchange environments, API keys and operational credentials are stored directly in the trading infrastructure to avoid latency. For traders and businesses, speed isn't a feature, it's the business model. Even a marginal delay affects revenue.

Over time, full-key availability in live systems became commonplace as the easiest way to achieve high performance. Credentials are kept in a constant state of readiness so that transactions can be authorized instantly. The issue is not that capital moves quickly. It is that unilateral authority is embedded in the operational infrastructure, and as authority accumulates where execution happens, that point becomes the most predictable vector of attack.

Existing controls fall short

Given the complexity of modern execution environments, existing tools fall far short of what is required.

Crypto exchanges, custodians and over-the-counter trading desks certainly apply strong security policies to individual operations, but synchronizing those controls across such a fragmented ecosystem is incredibly difficult. In practice it is nearly impossible to maintain consistent governance across forty-odd exchanges at any given time. Because the work is done by hand and in silos, mistakes are inevitable, and a single mistake can cost millions of dollars.

There is also counterparty risk to consider. Exchanges and custodians have their own vulnerabilities in the form of bugs, misconfigured infrastructure and inconsistent policy-enforcement mechanisms. If a business's internal security policy requires geofencing but one of its connected exchanges cannot enforce that control, the gap becomes an execution risk the moment the integration goes live.

The risk is untenable

The lesson the industry has learned from private-key security is clear: avoid full-key exposure and enforce strict policy controls around usage. Those principles must now extend beyond on-chain private keys to every credential that can be used to move value.

The solution is not simply better secret storage. Secret managers are built for convenience; they return the full key to any authenticated process. In live execution environments, that model hands full authority to multiple components of the system at the very moment capital is in motion.

What is required is a zero-key-exposure architecture, in which no single machine or employee ever holds a complete key, combined with enforceable policies that dictate how each credential may be used in context. Multiparty computation (MPC) is one way to implement this model, but the principle is broader: spread private-key security best practices across the entire crypto execution layer.


This opinion article presents the expert view of the author, and may not reflect the views of Cointelegraph.com. This content has undergone editorial review to ensure clarity and relevance. Cointelegraph remains committed to transparent reporting and maintaining the highest journalistic standards. Readers are encouraged to do their own research before taking any action related to the company.
