Fixed-scope audit · 3 weeks · $12,000
Crypto custody architecture review
A full review of how your firm generates, stores, authorizes, and recovers cryptographic keys, with a threat model walkthrough and a prioritized findings report. 3 weeks, fixed scope.
For custody firms, exchanges, and prop shops that hold keys directly. Key management architecture is the kind of thing that looks fine until it doesn't. A breach or a lost-key incident at scale is unrecoverable in reputation and often in capital. Most teams have never had an outside engineer trace their key lifecycle end-to-end and compare it against their stated threat model.
$2,500 deposit to reserve your slot. Remainder due on report delivery. Non-refundable deposit after Day 1 kickoff; full report guaranteed or you owe nothing on the balance.
Why this reviewer
Founding Web3 Infrastructure Engineer at Upside (Sep 2022–Jan 2024). Zero-breach custody protecting $500M+ in assets over 16 months. The custody architecture was HSM-based. Designed and operated the key generation, storage, and signing authorization infrastructure.
Senior SRE at Gemini Exchange (Nov 2020–May 2021). $2B+/day throughput at 99.99% uptime. Owned infrastructure reliability for a regulated exchange with institutional custody requirements.
Lead Linux Infrastructure Engineer at FlexTrade (6 years, 2012–2018). SOC-2 and MiFID II compliance. 1,500+ Linux systems. Built the infrastructure for a multi-venue trading platform under regulated financial requirements.
Founder of ZeroCopy Systems. Rust signing pipeline in AWS Nitro Enclaves. Built the full key-lifecycle design: key generation inside the enclave, attestation-backed signing, policy engine governing who can authorize a signature. 42µs measured signing latency on the benchmark suite.
What you get.
HSM/TEE/software-wallet architecture assessment
I review your current key storage technology: whether it's HSM-backed, TEE-based, or software. I assess whether your hardware choice is appropriate for your threat model, whether your HSM configuration is correct (partition structure, authentication policy, firmware), and whether the boundary between trusted and untrusted code is enforced at the right layer.
Key-lifecycle review
End-to-end trace of a key from generation to retirement: where it's generated (on-device vs imported), what entropy source is used, how it's wrapped and stored, who has access to the unwrapped material (and under what conditions), and what happens when a key needs to be rotated or revoked. Key ceremony documentation (if it exists) reviewed against actual implementation.
Signing authorization flow review
Who or what can request a signature, under what conditions, and what stops a compromised component from authorizing arbitrary transactions. I trace the authorization path from transaction origination to signature emission and identify the points where the authorization chain can be bypassed or abused.
Disaster recovery review
What happens when the HSM fails, when the primary datacenter goes dark, or when an employee who owns a key ceremony role leaves the firm. I review your backup key material, your recovery procedures, and whether your team has actually rehearsed them. Untested recovery procedures are not recovery procedures.
Attestation and audit-log review
Can you prove, after the fact, what signed what and when? I review your audit log pipeline for tamper-evidence, completeness, and whether the logs would satisfy a regulator or a forensic investigation. Attestation coverage is assessed where applicable: whether your signing events carry cryptographic proof of the key used and the software state at signing time.
Threat-model walkthrough + prioritized findings report
I document your threat model (or reconstruct it from the implementation if you don't have one). Each finding is mapped to a specific threat actor or failure scenario, assigned a severity, and paired with a specific remediation step. Written report as PDF and markdown, followed by a 60-minute walkthrough with your engineering and security teams.
What the report looks like.
Sample table of contents. Actual scope adjusted to your architecture.
Crypto Custody Architecture Review | [Client] | [Date]
1. Executive summary
1.1 Critical findings
1.2 High / medium / low findings
2. Reconstructed threat model
2.1 Assets at risk
2.2 Threat actors and attack vectors
2.3 Trust boundaries
3. Key-storage architecture assessment
3.1 HSM/TEE configuration review
3.2 Entropy source review
4. Key-lifecycle trace
4.1 Generation and ceremony documentation
4.2 Wrapping and storage
4.3 Rotation and revocation procedures
5. Signing authorization flow
6. Disaster recovery
6.1 Recovery procedures review
6.2 Rehearsal status
7. Attestation and audit logs
8. Remediation roadmap (severity-ordered)
Example finding (anonymized)
Finding #2 - SEVERITY: CRITICAL
Signing authorization · Authorization flow
Description: The signing authorization service had no per-key rate limit. A compromised orchestrator with a valid service credential could request signatures for an arbitrary number of transactions in a single burst. The HSM would sign all of them. There was no policy engine enforcing a transaction velocity cap at the authorization layer.
Remediation: Implement a per-key rate limit at the authorization service boundary before the HSM request. Rate limit should be configurable per key (hot wallet vs cold wallet have different profiles). Add an alert on authorization request rate that fires at 2x the normal operational ceiling. Log and block any burst that exceeds the limit.
What this is not.
Not an MPC review. This review covers HSM-based and TEE-based custody architectures, and software-key architectures. Multi-party computation (MPC) custody protocols (threshold signing, SSS, DKG) involve a different threat model and require specialized MPC expertise that's out of scope here.
Not a penetration test. I review architecture, configuration, and authorization logic. I don't run active exploitation attempts, social engineering tests, or red-team exercises. For penetration testing, engage a dedicated security firm.
Not a regulatory compliance certification. I tell you whether your architecture satisfies the technical controls that regulations typically ask for (SOC-2, ISO 27001 key management requirements). Whether that satisfies your specific auditor is a question for your compliance team. I work alongside them, not instead of them.
Not an implementation engagement. The review tells you what to fix. Executing the remediation is a separate scoped project. If you want hands-on implementation after the report, we can discuss it.
3-week process.
Kickoff
You share architecture documentation, key ceremony procedures (if documented), and read access to your HSM management console and audit log pipeline. I review existing documentation and align on scope: which key types, which wallets, which signing paths are in scope for this engagement.
Architecture review
I trace the key lifecycle, review HSM/TEE configuration, and analyze the signing authorization flow. I map the trust boundaries and reconstruct the threat model from the implementation. I identify gaps between the stated threat model (if it exists) and the actual architecture.
DR, attestation, and audit-log review
I review disaster recovery procedures and whether they've been tested. I assess the audit log pipeline for completeness and tamper-evidence. I check attestation coverage where your architecture supports it.
Write findings and walkthrough
I write the findings report. PDF and markdown delivered by end of Day 19. 60-minute walkthrough call with your engineering and security teams scheduled on Day 19 or 20. Balance due on report delivery.
Questions.
What access do you need?
Architecture documentation, key ceremony procedures (if documented), read access to HSM management console logs, and read access to your audit log pipeline. I don't need access to key material, private keys, or live transaction signing. I review configuration and logs, not the keys themselves. If your security team needs to sign off on the access scope, I'll provide a written access specification before kickoff.
We use a third-party custody provider. Is this relevant?
If you outsource all key custody to a provider (Fireblocks, Copper, etc.) and have no visibility into their implementation, there's limited review scope here; you'd want to engage directly with their security team. If you run your own custody layer alongside a provider, or if you have a hybrid architecture, the scoping call will clarify what's reviewable.
What's the refund policy on the $2,500 deposit?
Non-refundable after Day 1 kickoff. Before kickoff, full refund if you cancel at least 48 hours before the scheduled start. If I fail to deliver the report by Day 19, you owe nothing on the balance.
Who owns the report?
You do. Full IP transfer on final payment. I retain the right to reference the engagement type in aggregate, but will not disclose your firm name, architecture details, or findings without written permission. You can share the report with regulators, investors, or your security team under NDA.
Can I add scope mid-review?
No. The 3-week window is fixed. If you have additional custody systems or key types you want reviewed, we schedule a second engagement. Returning-client discount of 15% applies.
Find the gap before someone else does.
A custody architecture review costs $12,000. A key compromise at scale is unrecoverable. The question is whether you know where the gap is.
One slot per 3-week period. Reserve with the deposit.