Case Study · ICO Infrastructure
ICO whitelabel platform: multi-chain smart-contract deployment with transient custody handoff
Anonymization note
The firm is a Web3 ICO whitelabel platform. I worked there as Founding Web3 Infrastructure Engineer from September 2022 to January 2024. The firm is not named here; outcomes are described as measured over the engagement period.
Each ICO launch the platform ran required deploying smart contracts to a new chain, clearing multi-jurisdictional compliance gates, holding contributor funds securely during the pre-launch window, and handing custody over to the project team once they were ready to operate independently. The custody was transient by design. The hard part was getting the handoff right every time.
The problem
An ICO whitelabel platform running multiple client launches faces a compounded problem. Each launch is a distinct project on a distinct chain with distinct jurisdictional requirements. The platform needs to deploy contracts, integrate KYC/AML, coordinate with legal across multiple jurisdictions, hold contributor funds during the pre-launch window, and then transfer custody to the project team cleanly at go-live.
The custody piece is specifically a transient-holding problem, not a long-term custody problem. You are not running a fund. You are a secure intermediary for a bounded window. The optimization function is different: you are optimizing for handoff cleanliness and due-diligence audit trail, not for long-term ECDSA throughput or fund management efficiency.
The failure modes in this context are also different from those of a trading desk or exchange. Key theft risk is real, but the window is bounded. The more operationally dangerous failure mode is a botched handoff: handing over operational control before the project team is ready, or failing to document the chain of custody in a way regulators can verify post-launch.
The approach
The platform needed three things: a repeatable smart-contract deployment pipeline that worked across chains, a pre-launch custody arrangement that held funds securely and produced a clean audit trail, and a handoff procedure that moved operational control to the project team with cryptographic evidence of the transfer.
For custody during the pre-launch window, HSM-backed signing was the right call. The goal was auditability and clean handoff documentation, not ongoing throughput. An HSM gives you an immutable operation log and FIPS-certified hardware attestation that the audit trail is genuine, which is exactly what regulators reviewing an ICO post-launch want to see. MPC is engineering overhead you do not need when the custody window is bounded and the exit is a planned handoff, not ongoing operations.
On-chain multisig at the handoff layer made the transfer itself verifiable: the transition from platform custody to project team control is recorded on-chain, independent of either party's self-report.
Key design decisions
Multi-chain deployment pipeline
Each client launch required deploying to the project team's target chain(s). The pipeline had to handle chain-specific deployment tooling, automated contract verification, address registry updates, and post-deploy audit trail generation. Foundry was used for EVM chains with tight audit requirements, and Hardhat for peripheral contracts with TypeScript SDK integration. Each deployment produced a documented artifact set used in the compliance record.
Multi-jurisdictional due-diligence gate
Before any launch could proceed, the platform ran a compliance gate across the target jurisdictions: KYC/AML on contributor flows, a jurisdiction-by-jurisdiction legal readiness check, on-chain audit trail configuration, and sign-off from the project team's legal counsel. Each launch had a documented compliance record tied to the deployment artifacts.
HSM-backed signing for pre-launch custody
Contributor funds held during the pre-launch window were managed through HSM-backed signing with separation of duties: no single operator could initiate and authorize a transaction. FIPS 140-2 Level 3 hardware attestation and write-once audit logging meant the custody record was auditable and tamper-evident for post-launch regulatory review.
Multisig handoff ceremony at go-live
The transfer from platform custody to project team operational control used on-chain multisig. The project team's keys were added to the multisig configuration before removal of platform keys, so the chain of custody is cryptographically visible on-chain. No gap in control, no ambiguous moment of "we handed it over." The on-chain record is the handoff documentation.
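The add-before-remove ordering described above can be checked before the ceremony by replaying the planned owner changes against a model of the multisig. This is an added example, not the platform's code; the operation names, the key labels and the minimum-threshold policy are assumptions and do not correspond to any specific multisig contract's API.

```typescript
// Added example: offline replay of a planned handoff. Names and key labels are hypothetical.
type OwnerOp = { kind: "add"; owner: string } | { kind: "remove"; owner: string }
  | { kind: "threshold"; value: number };
interface HandoffPlan {
  platform: string[];   // platform custody keys (initial owners)
  project: string[];    // project team keys (intended final owners)
  threshold: number;    // initial m in m-of-n
  minThreshold: number; // assumed policy floor during the ceremony
  ops: OwnerOp[];
}
const hasKey = (list: string[], x: string): boolean => list.indexOf(x) !== -1;
// Returns the violations found; an empty array means no gap in control.
function checkHandoff(plan: HandoffPlan): string[] {
  const errors: string[] = [];
  let owners = plan.platform.slice();
  let threshold = plan.threshold;
  plan.ops.forEach((op, i) => {
    const step = "step " + (i + 1) + ": ";
    if (op.kind === "add") {
      if (hasKey(owners, op.owner)) errors.push(step + "duplicate owner " + op.owner);
      else owners.push(op.owner);
    } else if (op.kind === "remove") {
      if (!hasKey(owners, op.owner)) errors.push(step + "unknown owner " + op.owner);
      // Ordering rule from the text: all project keys are in place before a platform key leaves.
      const missing = plan.project.filter((k) => !hasKey(owners, k));
      if (hasKey(plan.platform, op.owner) && missing.length > 0)
        errors.push(step + "platform key removed before project keys added");
      owners = owners.filter((k) => k !== op.owner);
    } else {
      threshold = op.value;
    }
    // The wallet must stay signable and never drop below the policy floor.
    if (threshold > owners.length) errors.push(step + "threshold exceeds owner count");
    if (threshold < plan.minThreshold) errors.push(step + "threshold below policy floor");
  });
  const leftover = owners.filter((k) => !hasKey(plan.project, k));
  if (leftover.length > 0) errors.push("final: non-project keys remain: " + leftover.join(","));
  if (plan.project.some((k) => !hasKey(owners, k))) errors.push("final: project key missing");
  return errors;
}

// Constructed sample plans: a 2-of-3 platform wallet handing over to a 2-of-3 project wallet.
const mkPlan = (ops: OwnerOp[]): HandoffPlan =>
  ({ platform: ["P1", "P2", "P3"], project: ["T1", "T2", "T3"], threshold: 2, minThreshold: 2, ops });
const addKey = (owner: string): OwnerOp => ({ kind: "add", owner });
const removeKey = (owner: string): OwnerOp => ({ kind: "remove", owner });
const goodPlan = mkPlan([addKey("T1"), addKey("T2"), addKey("T3"), removeKey("P1"), removeKey("P2"), removeKey("P3")]);
const rushedPlan = mkPlan([removeKey("P1"), removeKey("P2"), addKey("T1"), addKey("T2"), addKey("T3"), removeKey("P3")]);
console.log(checkHandoff(goodPlan), checkHandoff(rushedPlan));
```

The rushed plan ends in the same final owner set as the good one but passes through a state with one owner and a threshold of two, which is the gap in control the ceremony ordering rules out.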
Operator-of-record transfer procedure
Beyond the on-chain handoff, a documented procedure governed the off-chain transfer: an HSM audit log export to the project team, a compliance record package, runbooks for the project team's ops staff, and a signed attestation of transfer from both parties. The project team received everything needed to demonstrate clean chain of custody to a regulator.
Outcomes
What "zero breaches" means here
Zero breaches across the 16-month engagement means no unauthorized access to key material during any pre-launch custody window, no unauthorized transactions, no failed handoffs. It does not mean the system was never probed or that no vulnerabilities were found in review. Several were found and remediated. The architecture's job was to ensure that finding a vulnerability did not translate into a loss event during a custody window.
The claim is bounded: the controls worked as designed across all launches over 16 months of production operation with $500M+ in cumulative contributor funds. Each custody window was finite and ended with a clean handoff. The $500M+ figure is cumulative across launches, not assets held at any single point in time.
What this means for a client
The failure modes in custody are not primarily cryptographic. They are operational. The handoff procedure that gets rushed at launch because the project team is anxious to go live. The audit trail that was not configured before the custody window opened. The compliance record that does not cover the jurisdiction added at the last minute.
The productized version of this work is the custody architecture review. If you are running a token launch or holding customer assets and need to know whether your controls and handoff procedures would survive regulatory scrutiny, that is the engagement.