Treasury Custody: Multi-Sig vs MPC vs HSM

Written by Eco


Treasury custody for stablecoins splits across three dominant models: multi-signature wallets (Safe), multi-party computation (Fireblocks, Copper, Cobo), and hardware security modules through institutional custodians (Coinbase Custody, Anchorage Digital, BitGo). As of Q1 2026, Safe holds $112B in TVL across roughly 280K active wallets per Safe's homepage stats; Fireblocks reports $5T+ in cumulative transferred volume since launch; Coinbase Custody and Anchorage together custody more than $310B in institutional assets. The choice between models is the most consequential treasury decision after asset and chain selection — it determines who can move funds, how fast, and what the recovery story looks like.

This guide covers how each custody model works, the trade-offs along control, speed, recovery, and regulatory dimensions, and which model fits which treasury type. The goal is a working framework for picking a custody architecture, including the increasingly common hybrid setups that combine all three.

What Is Stablecoin Treasury Custody?

Stablecoin treasury custody is the system that holds and authorizes movement of the private keys controlling treasury balances. Unlike a bank account, where the bank custodies the underlying value and the account holder authorizes transfers via passwords or signatures, onchain custody puts the keys themselves in someone's hands. Whoever controls the keys controls the funds.

The custody question is therefore not "where is the money" but "who holds the keys, how many keys are required to move funds, and what happens if a key is lost or compromised." Three distinct technical answers dominate.

Multi-signature (multi-sig). A smart contract holds the funds; the contract's authorization rule requires M-of-N signatures from a defined signer set. Safe is the dominant implementation. Funds move when M signers each sign with their own private key.

Multi-party computation (MPC). A single onchain key is split across N parties using cryptographic threshold schemes. No single party ever holds the full key. Transactions are signed via a multi-party protocol that produces a single onchain signature.

Hardware security module (HSM) custody. Keys are held in tamper-resistant hardware managed by a regulated custodian. Authorization to use the key requires authentication through the custodian's process (typically a combination of multi-factor authentication and operational policy).

Each model has different security properties, operational speed, recovery options, and regulatory treatment. The right choice depends on the treasury's signing tempo, the size of holdings, and any applicable regulatory regime.

How Does Multi-Sig Custody Work?

A Safe multi-sig is a smart contract deployed on each chain where the treasury holds funds. The contract maintains a list of signer addresses and a threshold (e.g., 3-of-5). To execute a transaction, signers each sign the transaction payload with their own private key; the contract verifies that at least the threshold number of valid signatures are present, then executes.

Mechanics. Each signer typically uses a hardware wallet (Ledger, Trezor) or an institutional MPC wallet (Fireblocks, Privy) to hold their individual key. The Safe UI (or a programmatic interface like the Safe SDK) coordinates signature collection. Once threshold is met, anyone can submit the bundled transaction to the chain. Gas is paid by the submitter; the contract executes regardless of who submits.

Strengths. Fully self-custodied — no third-party custodian holds funds. Onchain auditable — anyone can see the signer set, threshold, and historical executions. Composable — Safe integrates with virtually every DeFi protocol natively, and the Safe Modules system allows custom authorization logic (spending limits, time-locks, allowlists). Open-source and battle-tested — Safe has been audited extensively and survived the 2022 multi-chain stress tests without contract-level exploits.

Weaknesses. Slow signing tempo — coordinating 3+ signers for each transaction is a real operational drag, particularly across time zones. Per-chain deployment — a treasury operating on five chains has five separate Safes with independent signer sets, doubling reconciliation work. Recovery is via signer rotation, which itself requires threshold sign-off — if more than (N-M) signers lose keys simultaneously, the funds become inaccessible.

Common configurations. Small DAO operating treasury: 3-of-5 with core contributors as signers. Mid-size DAO: 4-of-7 or 5-of-9 with a mix of contributors and external signers (community delegates, professional signers). Large DAO with separated functions: separate 2-of-3 operational Safe (high tempo, lower amounts) and 5-of-9 reserve Safe (low tempo, large amounts).

How Does MPC Custody Work?

MPC (multi-party computation) custody splits a single private key across N parties using a threshold signature scheme (TSS) — typically threshold ECDSA or threshold EdDSA, depending on the chain's signature scheme. Each party holds a "key share" that is mathematically meaningless on its own. To sign a transaction, the parties run a multi-round cryptographic protocol that produces a single onchain signature — without ever reconstructing the full private key.

Mechanics. Fireblocks, Copper, Cobo, BitGo's MPC product, and Cordial Treasury all implement variants of TSS. The treasury team typically holds 2-of-3 or 3-of-4 key shares; the custody provider holds the remaining shares. Transaction approvals go through the custody provider's policy engine — spending limits, allowlisted addresses, mandatory cooldowns — before signature shares are released.
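A sketch of the policy gate described above, added here as an example and not taken from any provider's product or API. The `Policy` class, its field names, the three decision labels and the sample addresses and amounts are all hypothetical.

```python
from dataclasses import dataclass, field

HOUR = 3600

@dataclass
class Policy:
    per_tx_limit: int   # auto-approve ceiling per transaction
    daily_limit: int    # rolling 24h ceiling across auto-released transfers
    cooldown: int       # seconds a new allowlist entry must age before use
    allowlist: dict = field(default_factory=dict)  # address -> time added
    history: list = field(default_factory=list)    # (time, amount) auto-released

    def evaluate(self, dest, amount, now):
        """Return (decision, reason); signature shares move only on 'release'."""
        added = self.allowlist.get(dest)
        if added is None:
            return "deny", "destination not allowlisted"
        if now - added < self.cooldown:
            # A freshly added destination cannot be paid until the cooldown ends.
            return "deny", "allowlist entry still in cooldown"
        if amount > self.per_tx_limit:
            return "escalate", "above per-transaction limit"
        spent = sum(a for t, a in self.history if now - t < 24 * HOUR)
        if spent + amount > self.daily_limit:
            return "escalate", "rolling 24h limit exceeded"
        self.history.append((now, amount))
        return "release", "within policy"

def demo():
    p = Policy(per_tx_limit=100_000, daily_limit=250_000, cooldown=24 * HOUR,
               allowlist={"0xVENDOR": 0, "0xNEW": 30 * HOUR})
    requests = [                           # constructed: (dest, amount, time)
        ("0xVENDOR", 90_000, 31 * HOUR),
        ("0xNEW", 5_000, 32 * HOUR),       # entry added only 2h earlier
        ("0xUNKNOWN", 1_000, 33 * HOUR),
        ("0xVENDOR", 150_000, 34 * HOUR),
        ("0xVENDOR", 90_000, 35 * HOUR),
        ("0xVENDOR", 90_000, 36 * HOUR),   # would take the 24h total to 270k
        ("0xVENDOR", 90_000, 56 * HOUR),   # first transfer has aged out
    ]
    return [p.evaluate(*r)[0] for r in requests]
```

Denials are checked before limits so that a destination problem is never downgraded to a human-review request.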

Strengths. Single onchain signature — looks like an EOA to the chain, which means lower gas costs, broader compatibility (some old protocols don't accept Safe signatures), and faster transaction execution. Cross-chain consistency — the same MPC wallet works identically across all chains supported by the provider, with one signing workflow regardless of chain. Higher signing tempo than multi-sig — institutional MPC platforms can sign in seconds with policy automation handling routine transactions. Strong recovery options — providers maintain backup share schemes that allow recovery if treasury-side shares are lost.

Weaknesses. Provider dependency — the MPC provider is in the signing path for every transaction. If the provider has an outage, funds can't move. If the provider is compromised, treasury-side controls have to be sufficient to prevent loss. The 2024 BitGo MPC incident (no funds lost, but a brief signing outage) highlighted this dependency. Less onchain auditable — the signer set isn't visible onchain because the chain sees only a single signature from a single key. Off-chain policy is the audit surface.

Common configurations. Operational treasury at fintechs and exchanges: Fireblocks 3-of-4 or 4-of-5 with policy engine handling routine flows. Crypto-native businesses with frequent settlement: Copper or Cobo with off-exchange settlement integration to major venues. Hybrid setups: MPC for hot operational accounts, multi-sig or HSM custody for cold reserves.

How Does HSM-Based Institutional Custody Work?

HSM (hardware security module) custody keeps private keys in tamper-resistant hardware managed by a regulated custodian. The customer never holds the keys directly; movement requires authentication through the custodian's operational process, which typically includes multi-factor authentication, named-signer authorization, and human review for transactions above policy thresholds.

The major providers. Coinbase Custody (a New York Trust, regulated by NYDFS) holds $200B+ in institutional assets across 12 chains. Anchorage Digital (a federally-chartered bank, regulated by OCC) holds $50B+ across 9 chains. BitGo Trust (South Dakota Trust, also operates a NY Trust subsidiary) holds $100B+ across 18 chains. Fidelity Digital Assets has limited stablecoin coverage and focuses on BTC and ETH.

Strengths. Regulated entity holding the keys — the custody arrangement is a fiduciary relationship under applicable trust law, which is the closest onchain equivalent to traditional bank custody. Insurance coverage — most institutional custodians carry $300M-$1B in crime/cyber insurance covering loss from custody compromise. Operational continuity — institutional custodians provide 24/7 support, withdrawal processing within defined SLAs (typically 1-4 hours for standard withdrawals), and named relationship management. Regulatory acceptability — qualified custody is required for some regulated entities (SEC-registered investment advisers, US broker-dealers).

Weaknesses. Counterparty risk on the custodian — if the custodian fails operationally or is compromised, the customer's path to recovery runs through bankruptcy or insurance claims rather than direct asset control. The 2022 collapses of Voyager and Celsius (which had different custody models, but similar counterparty-risk dynamics) showed how slow-moving that recovery process is. Less DeFi composability — many institutional custodians don't support direct interaction with DeFi protocols; the customer has to withdraw to a self-custodied wallet first. Cost — typical institutional custody charges 50-100 bps per year on AUM, materially higher than self-custody.

Common configurations. Public companies with stablecoin exposure: Coinbase Custody or Anchorage for the bulk of holdings, supplemented by smaller operational accounts elsewhere. Funds and asset managers: Coinbase, Anchorage, or BitGo for qualified custody requirements. Foundations and large DAOs sometimes hold reserve allocations in qualified custody for treasury policy or audit reasons.

Comparing Custody Models

| Dimension | Multi-sig (Safe) | MPC (Fireblocks) | HSM custody (Coinbase Custody) |
| --- | --- | --- | --- |
| Key holder | Treasury (signer set) | Treasury + provider | Custodian |
| Signing tempo | Hours | Seconds (with policy) | 1-4 hours (withdrawals) |
| DeFi composability | Native | Via integrations | Limited / withdraw-then-deploy |
| Cross-chain consistency | Per-chain Safe | Single workflow | Provider-supported chains |
| Recovery model | Signer rotation | Provider backup shares | Custodian process |
| Insurance | None native | Provider-dependent | $300M-$1B typical |
| Annual cost | ~$0 (gas only) | 5-25 bps + per-tx fees | 50-100 bps |
| Regulated entity | No (smart contract) | Provider regulated where applicable | Trust/bank charter |

Hybrid Custody Architectures

Most treasuries above $50M run hybrid setups that use different models for different tiers. Three common patterns dominate.

Hot/warm/cold split. Hot wallet (operational float, 5-10% of treasury) held in an MPC wallet with policy engine for fast signing. Warm wallet (yield-bearing reserves, 30-50%) in a Safe multi-sig with 3-of-5 threshold. Cold reserves (long-horizon strategic, 40-60%) in qualified custody with Coinbase Custody or Anchorage. Each tier matches signing tempo to operational requirements while limiting exposure if any single layer is compromised.

DeFi/CeFi separation. All DeFi-active funds in Safe multi-sigs (which integrate natively with Aave, Morpho, Spark, etc.). All CeFi-active funds in Fireblocks (which integrates natively with Coinbase, Kraken, Binance, etc.). The separation reflects the different operational requirements: DeFi requires composable, contract-callable signing; CeFi requires fast withdrawal authorization with deposit-address management.

Per-chain custodian. Some treasuries use different custodians on different chains based on integration depth. Coinbase Custody for Ethereum and Base reserves; Anchorage for chains where Anchorage has stronger coverage; Fireblocks for operational MPC across all chains. The trade-off: more vendor relationships, more reconciliation, more contracts — but also better per-chain operational fit.

Recovery and Continuity Planning

The custody decision should include explicit recovery planning. Three scenarios matter.

Single signer loss. A signer's hardware wallet breaks, a key holder leaves the company, a key is compromised. For Safe, signer rotation requires threshold sign-off — the surviving signers vote to add a replacement and remove the lost one. The operational process should be drilled annually; a treasury that hasn't tested signer rotation has unknown recovery time.

Provider failure. An MPC provider has a sustained outage or goes bankrupt. The treasury's contract should specify either backup share recovery (the provider holds shares that can be released to the treasury under defined conditions) or a parallel Safe-based withdrawal path. Fireblocks, Copper, and Cobo all offer some variant of disaster-recovery share access.

Custodian failure. Qualified custodians are bankruptcy-remote (assets are held in trust, not on the custodian's balance sheet) but the operational recovery path during a custodian wind-down is slow. Coinbase Custody operates as a separate New York Trust precisely to insulate customer assets from Coinbase Inc bankruptcy. The 2022 BlockFi and Celsius failures, while not custodians proper, illustrate the duration of recovery (12-36 months from failure to distribution).

Recovery testing is the gap most treasuries skip. The right test: every six months, simulate the loss of one signer or one custody surface and walk through the actual recovery path. The first time a treasury runs this test it usually finds at least one gap in documentation or process.
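A tabletop version of the signer-loss drill, added here as an example and not taken from Safe's contracts or SDK. It models threshold-gated owner rotation and goes one step beyond the text by checking shared failure domains (several signers on the same device model or in the same office); the class, function names and the sample signer set are hypothetical.

```python
from itertools import combinations

# Constructed sample: a 3-of-5 signer set and two shared failure domains.
OWNERS = ["alice", "bob", "carol", "dave", "erin"]
DOMAINS = {"same-hw-wallet-model": {"alice", "bob", "carol"},
           "london-office": {"dave", "erin"}}

class SafeModel:
    """Simplified M-of-N owner model (assumption: not Safe's contract code)."""
    def __init__(self, owners, threshold):
        self.owners = set(owners)
        if not 1 <= threshold <= len(self.owners):
            raise ValueError("threshold must be between 1 and the owner count")
        self.threshold = threshold

    def swap_owner(self, old, new, approvals):
        """Rotation is a normal transaction: it needs `threshold` current owners."""
        if len(set(approvals) & self.owners) < self.threshold:
            raise PermissionError("not enough owner approvals")
        if old not in self.owners or new in self.owners:
            raise ValueError("old must be an owner and new must not be")
        self.owners = (self.owners - {old}) | {new}

def drill(owners, threshold, lost):
    """Replay a loss: survivors try to swap every lost signer for a fresh key."""
    safe = SafeModel(owners, threshold)
    usable = set(owners) - set(lost)
    for n, old in enumerate(sorted(lost)):
        new = f"replacement-{n}"      # hypothetical new signer label
        try:
            safe.swap_owner(old, new, usable)
        except PermissionError:
            return False
        usable.add(new)               # the new signer can approve later swaps
    return True

def fatal_domains(owners, threshold, domains):
    """Shared failure domains whose simultaneous loss blocks recovery."""
    return sorted(name for name, members in domains.items()
                  if not drill(owners, threshold, members))

def smallest_fatal_loss(owners, threshold):
    """Fewest simultaneous signer losses that make rotation impossible."""
    for k in range(1, len(owners) + 1):
        if any(not drill(owners, threshold, c) for c in combinations(owners, k)):
            return k
```

For the sample 3-of-5 set, `smallest_fatal_loss` returns 3 and `fatal_domains` flags the shared hardware-wallet model; a 5-of-5 set returns 1, since any single loss blocks rotation.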

Eco's Role in Custody-Aware Treasury Workflows

Treasury operations that span multiple custody models — Safe on Ethereum, Fireblocks on operational chains, Coinbase Custody for cold reserves — face cross-custody movement workflows for every rebalance, payout, or yield deployment. The signing tempo of each custody layer differs (seconds for MPC, hours for multi-sig, hours for qualified custody withdrawal), and the chains each layer supports differ. Eco is the stablecoin execution network that handles the cross-chain movement once the source-side signing is complete; the same intent abstraction works regardless of which custody layer initiated the transfer. For the broader treasury management context, see the treasury management pillar; for execution patterns, see Eco Routes.

FAQ

Is multi-sig safer than MPC?

Neither is categorically safer. Multi-sig is fully self-custodied and onchain auditable but slower to sign. MPC is faster and cross-chain consistent but introduces provider dependency. The right choice depends on operational tempo and the threat model — a high-frequency operational treasury usually wants MPC; a low-frequency reserve usually wants multi-sig. See the treasury management guide.

Do I need qualified custody for a stablecoin treasury?

Qualified custody is required for SEC-registered investment advisers managing client assets, US broker-dealers, and most regulated banks. It is optional for operating businesses, fintechs, and DAOs — many use a hybrid setup with qualified custody for cold reserves and self-custody (Safe or MPC) for operational accounts. See the reporting guide for related compliance context.

What's the recovery path if a Safe signer loses their key?

The remaining signers vote to remove the lost signer and add a replacement, executing the change with the existing threshold. If more than (N-M) signers are lost simultaneously, the funds become inaccessible — Safe has no native recovery beyond signer rotation. The recommendation is to maintain at least one redundant signer (set threshold below maximum) and test signer rotation annually.

How much does institutional custody cost?

Typical institutional custody (Coinbase Custody, Anchorage, BitGo) charges 50-100 bps per year on AUM, with per-transaction withdrawal fees of $25-100. MPC providers (Fireblocks, Copper) typically charge 5-25 bps annually plus per-transaction fees of $0.50-5. Self-custody (Safe) costs only the gas fees for transactions. The cost spread reflects the service depth — qualified custody includes insurance, named support, and SLA-backed operations.

Can I use Safe and Fireblocks together?

Yes, and many treasuries do. Common pattern: Safe holds the funds; Fireblocks (or another MPC wallet) holds one of the signer-set keys, providing fast institutional signing for that signer's portion. This combines Safe's onchain auditability and DeFi composability with Fireblocks' policy engine and operational tooling. See the DAO treasury guide for related patterns.
