Fireblocks is fast becoming a dominant provider in the cryptocurrency custody and insurance space. This article investigates the company and reveals how it differs from other providers like BitGo.
Since 2009, Bitcoin has been helping individuals and organizations around the world exchange value with each other in a decentralized and permissionless manner. Bitcoin and other cryptocurrencies have introduced an entirely new financial system operating on the blockchain.
While the immutability of permissionless blockchain transactions mean Bitcoin and other cryptocurrencies are potentially very secure, this security is entirely dependent on the competence (and honesty) of the people managing the ‘private keys’. Unfortunately, private key management by individuals, exchanges, custodians and other providers across the crypto sector has been poor and remains so today.
Exchanges have been routinely hacked, frauds and project rug pulls are commonplace, and the growth of DeFi has introduced yet more ways for bad actors to steal millions through the manipulation of smart contract code.
Much has been made of the potential for institutional investment in cryptocurrency but it is fair to say that most conservative institutions (like banks and pension funds for example) find it hard to justify an investment in an unregulated technology that runs outside the current financial system.
This is where companies like Fireblocks come into play. Launched in Israel in 2018, the company is a digital asset management platform with a range of services specifically tailored for businesses and institutional investors.
Although Fireblocks is often referred by its clients in the fintech space in a custody and insurance context, those services are really only ‘table stakes’ for Fireblocks – the required minimum offering that is required to conduct business in the crypto space. In reality, Fireblocks sees itself as a ‘crypto as a service’ business – a one-stop-shop for organizations wanting to incorporate cryptocurrency capabilities – including secure storage and transfer of assets, regulated access to DeFi platforms, AML, KYC, tokenization and more.
Who uses Fireblocks?
Fireblock’s customers are some of the biggest names in the crypto and wider financial sector including major banks such as Credit Suisse and BNY Mellon, as well as popular fintech and finance apps like Revolut, Robinhood and eToro. In the crypto industry, some notable names include the top exchange Crypto.com and the lending platform BlockFi.
In all, the company has over 800 customers including exchanges, custodians, banks, trading desks and hedge funds. The attraction of using Fireblocks for all these companies is that the company offers a one-stop solution for many of their most critical operational challenges such as asset storage and transfer, regulation, taxes and infrastructure. Whatever crypto service provider you are currently using, there is a good chance Fireblocks may be providing some of their backend solutions.
Who is behind Fireblocks?
Fireblocks is a private company founded by Michael Shaulov, Pavel Berengoltz and Idan Ofrat. The three men have an extensive background in cybersecurity, having all contributed to Israeli military intelligence developing cybersecurity systems and infrastructure, and working for leading companies in the space.
Shaulov and Berengoltz both worked for the cybersecurity company Check Point, where, in 2017 they were assigned to investigate a spree of crypto exchange hacks that had taken place in South Korea. During their investigation (which revealed North Korean state-sponsored hackers The Lazurus Group as the culprits) they identified major gaps in the security infrastructure around cryptocurrencies – and realized that an opportunity existed to develop a digital asset security platform that could tackle the increasing security breaches in this area.
The market agreed with their assessment and Fireblocks quickly became a favorite with venture capitalists. To date, the company has raised around US$1 billion in funding through five different funding rounds and it is currently valued at $8 billion. Fireblocks has 28 investors in total, including Spark Capital, D1 Capital Partners, Cyberstarts and Galaxy Digital. Interestingly, Galaxy Digital announced plans to purchase Fireblocks competitor BitGo in May last year, but the sale has not been completed at this time.
Although Fireblocks was founded in Israel, its global headquarters are located in New York and it has offices in the UK, Hong Kong, Singapore, Germany, France and Switzerland as well. The company currently employs over 250 workers from 10 different countries.
How does Fireblocks secure assets in its care?
Unlike many other companies, Fireblocks doesn’t view cold storage wallets and multisig private keys as industry best practise – believing instead that these solutions are outdated and not well suited for institutional investors or businesses. There are a couple of reasons for this.
The Problem With Cold Storage & Multisig
Cold storage has always been thought of as an inherently more secure option for crypto custody because cold storage wallets cannot be accessed from the internet. A downside to this, though, is the process of withdrawing assets from cold storage can take a long time, and involve time-consuming manual processes–as Fireblocks founder Michael Shaulov explained on a recent European Blockchain Convention podcast.
“Looking back to 2017 and 2018, companies like Xapo and BitGo built a very effective cold storage solution. They would basically place assets in wallets with no connection to the internet and the private keys were spread around bunkers and military-type facilities in isolated places like Iceland and the Alps. Then when you wanted to make a transaction, you had to bring that key material together, sign a transaction and release it to the blockchain. It is highly secure. But it’s very cumbersome and complicated and it took about 72 hours to do transactions. Processes like that undermine the narrative of blockchain and cryptocurrency being the internet of money.”
The Fireblocks position is that this isn’t an appropriate solution, especially in scenarios where major institutional investors may wish to move their assets quickly, in the case of an arbitrage opportunity for example. In addition, as secure as cold storage may be, it still requires a person, (or several), to move the assets from offline to online – which introduces the human element with all its associated security risks.
While multisig wallets go a long way to mitigating the potential for asset theft, Fireblocks views the technology as outdated as they are “not protocol-agnostic (e.g., incompatible with Ethereum), and otherwise operationally inflexible.”
The Fireblocks MPC-CMP Algorithm
Moving on from cold wallets and multisig as the default security protocols for institutional crypto custody, Fireblocks has developed its own cryptographic algorithm for storing and transferring digital assets – building on an existing technology called Multi-party Computation(MPC) to come up with MPC-CMP.
It works similarly to a multi-sig scheme, where a group of people hold different private keys and a percentage of them have to sign in order to move funds. The private keys held by each party are constantly changing. MPC-CMP can also be integrated into both hot and cold storage scenarios – as cold storage is a legal requirement in some territories. Fireblocks says MPC-CMP is more flexible, more secure and 800% faster than the original MPC processes – in addition to being peer-reviewed and open source technology.
In 2019, Fireblocks successfully completed the Ernst and Young certified Service Organization Control (SOC) 2 Type II examination, which evaluates how well a company safeguards its data. In addition, Fireblocks exposes its software and processes to regular penetration testing. During these, a cyberattack on its platform is simulated to find any potential weaknesses. The tests are performed by third-party cyber security companies ComSec and NCC Group.
Fireblocks was nominated for the second annual Microsoft Security 20/20 awards last year where it ended up as a finalist in the “Security Trailblazer” category. This award recognizes companies who lead security initiatives and take the time and effort to educate their audience on cybersecurity.
Is Fireblocks Insured?
Fireblocks claims to have comprehensive insurance cover for assets in its care. At the same time, though, it does not identify which company it is insured with, or exactly how much it is insured for. This is typical for companies operating in the crypto space, where insurance is very difficult to get and the amount of cover is usually far less than the total amount of assets under management.
In the case of BitGo and Gemini, for example, even in a best-case scenario, only about 1% of the assets in their care are actually covered by their insurance policies. Gemini claims to have $20 billion in AUM, but its insurance policy only covers $200 million. The situation is similar at BitGo.
There is no government-funded FDIC insurance cover for crypto deposits as there is for fiat deposits into a bank and insurance policies for crypto to date have not been prepackaged ‘off the shelf’ solutions. BitGo’s insurance, for example, is by Lloyds of London and is actually provided by several Lloyds affiliated companies and syndicates including Atrium, Coincover, TMK, Markel, and a “panel of other Lloyd’s insurers.”
In Gemini’s case, with no providers available Gemini had to go so far as to incorporate a company in Bermuda called Nakamoto Limited to provide cover – assisted by insurance brokers Aon and Marsh.
Fireblocks says it “created” its insurance policy, which is in line with what all providers have to do in this space. It says its policy is unique in that it insures assets in transit. “Our policy not only insures users’ assets against cyberattacks and internal fraud but also covers important possibilities that many others neglect—like software bugs and internal process errors. When you’re insuring the dynamic handling of a digital asset (such as a transfer), it is critical to insure against possibilities like these, as a software bug in the crypto space could accidentally burn the asset.” Fireblocks says its policy is rated “A” by insurance and credit rating agency A.M. Best.
Where to next for Fireblocks?
In terms of the product Adoption Curve, Fireblocks CEO Michael Shaulov says crypto is now at the ‘Early Majority’ stage. With $1 billion in venture capital raised and a clear objective of being the default infrastructure backend for any institution or business that wants to incorporate crypto into its business plan, Fireblocks is very well positioned to deliver on its vision. One of the company’s main priorities for 2022 is its newly launched Aave Arc product, which it will likely roll out to other protocols as well.
Shaulov says traditional finance players like banks have been unable to play in the DeFi space as banking regulations typically require that they only deal with trusted, known entities and individuals who have completed comprehensive AML, KYV and identity verification processes.
Unfortunately, this is not the reality of the DeFi world. What Aave Arc does is allow DeFi users who want to engage with the regulated finance sector to voluntarily go through those processes with Fireblocks – and essentially become ‘white labeled’.
In this way, with traditional banks accepting Fireblocks as a regulated provider, Fireblocks can act in an pseudo agency capacity for the DeFi players, who can maintain their anonymity to an extent, while at the same time the banks are reassured that they aren’t dealing with any counterparties they should not be.
Other areas of focus for Fireblocks in 2022 include helping grow financial applications that are native to the internet, tokenizing content and other internet consumables, and significant initiatives in the GameFi space.