Why Vaultody Was Born and What We Achieved in 2023

Published: 17 January 2024

Background: Why Vaultody Had to Be Built

Vaultody entered the market in December 2022 with a clear purpose: to close critical security and governance gaps in digital asset custody. Our first full year of operations, 2023, was dedicated to turning that vision into a mature, production‑ready platform for institutions.

The timing was not accidental. Throughout 2023, the crypto ecosystem continued to suffer from large‑scale exploits and operational failures:

  • Euler Finance lost about $197 million in March due to a protocol exploit (the attacker later returned the funds, an unusual outcome).
  • Multichain reported around $130 million in assets moved from its cross‑chain protocol to an unknown wallet.
  • Poloniex hot wallets were drained of roughly $114 million.
  • HTX and Heco Chain jointly lost around $97 million in a coordinated attack.
  • KyberSwap suffered a smart‑contract exploit resulting in losses exceeding $50 million.
  • Supply‑chain issues around Ledger integrations impacted DeFi protocols including SushiSwap, Lido, Balancer, Zapper and others, causing additional fund losses.

These incidents underline a simple reality: traditional key management and poorly governed wallets are no longer acceptable for institutions. Vaultody was created to provide a non‑custodial, policy‑driven, MPC‑based wallet infrastructure that:

  • Minimises single points of failure.
  • Separates control among teams and systems.
  • Combines strong cryptography with auditable, configurable workflows.

In 2023, our focus was to prove that vision in production—shipping a full MPC stack and the governance features institutions need to protect and move funds with confidence.

How Vaultody Closed 2023: Features and Capabilities

During our first full year we prioritised depth of security and operational control over superficial feature counts. Many of the capabilities we delivered are still missing from competing custody platforms. Below is an overview of what went live in 2023.

Multi‑Party Computation (MPC) with Threshold Signatures

Our core is a proprietary Multi‑Party Computation engine built around Threshold Signature Schemes (TSS) and hardened by modern cryptographic techniques. Instead of a single private key, signing power is distributed across multiple parties and secure environments:

  • No single individual or system can sign a transaction alone.
  • Key material is never reconstructed in one place.
  • Cryptographic operations are designed to remain secure against advanced attack vectors.

This architecture dramatically reduces the risk of both external hacks and insider abuse while giving institutions granular control over who can initiate, review, and approve movements of funds.

Vaultody Approver: Mobile Governance Layer

To extend security beyond the browser, we launched Vaultody Approver, a dedicated mobile application for Android and iOS. It acts as a second, independent channel for trust and control:

  • Account owners and authorised approvers can confirm or reject outgoing transactions and critical system actions.
  • Desktop access alone is not sufficient—key operations require pairing with the mobile device.
  • Access to the app itself is protected by PIN and biometric checks, reducing risk if the device is stolen.

The result is a strong, user‑friendly governance layer that helps eliminate internal fraud, unauthorised configuration changes, and blind approvals.

Same Address Across All EVM Chains

One of the most common operational errors is sending assets to the correct address on the wrong EVM‑compatible chain. To reduce this risk, Vaultody introduced a mechanism that assigns a consistent deposit address across supported EVM networks:

  • The same address can receive funds on different EVM chains.
  • Mis‑routed funds become manageable instead of permanently lost.
  • Operations teams can choose from several options, including returning assets to the sender where possible.

This directly addresses an everyday source of loss for exchanges, OTC desks and treasury teams.

Rich Transaction History and Bookkeeping Support

We built a 360‑degree transaction history module that serves both operational and accounting needs:

  • Complete visibility into incoming and outgoing transfers per vault and per asset.
  • Clear separation and labelling of internal versus external movements.
  • Data structures designed to map cleanly into bookkeeping and reconciliation workflows.

This gives finance and operations teams the detail they need without pulling fragmented records from multiple systems.

Advanced API Keys and Access Control

Institutions integrate Vaultody deeply into trading, treasury, and back‑office systems. To support that, we introduced Advanced API keys with defence‑in‑depth controls:

  • Time‑bound requests enforced with Unix timestamps and a narrow time window.
  • Base64‑encoded signatures tied to a passphrase and secret.
  • IP allow‑listing to restrict which networks can use a given key.
  • Granular permissions for:
    • Generating deposit addresses.
    • Submitting transaction requests.
    • Acting on specific vaults only.
  • Predefined expiry dates for keys to reduce long‑lived credential risk.

This creates a programmable yet tightly governed API surface for exchanges, banks and fintechs.
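
The checks listed above, applied server-side in one verification routine. This is an added example, not Vaultody's code or API: HMAC-SHA256, the signed-message layout, the 30-second window and every name and value below are assumptions made for illustration.

```python
import base64, hashlib, hmac, ipaddress, time
from dataclasses import dataclass

WINDOW_SECONDS = 30  # assumed acceptance window; the page only says "narrow"

@dataclass(frozen=True)
class ApiKey:                      # hypothetical server-side key record
    secret: bytes
    passphrase: str
    allowed_nets: tuple            # CIDR allow-list
    permissions: frozenset         # e.g. {"create_transaction"}
    vaults: frozenset              # vault ids the key may act on
    expires_at: int                # Unix time after which the key is dead

def sign(key, ts, method, path, body):
    # Assumed message layout: timestamp + method + path + body + passphrase.
    msg = f"{ts}{method}{path}{body}{key.passphrase}".encode()
    return base64.b64encode(hmac.new(key.secret, msg, hashlib.sha256).digest()).decode()

def verify(key, ts, sig, src_ip, method, path, body, permission, vault, now=None):
    """Return "ok" or the reason the request is rejected."""
    now = int(time.time()) if now is None else now
    if now >= key.expires_at:
        return "key expired"
    if abs(now - ts) > WINDOW_SECONDS:          # stale or future-dated: replay guard
        return "timestamp outside window"
    ip = ipaddress.ip_address(src_ip)
    if not any(ip in ipaddress.ip_network(n) for n in key.allowed_nets):
        return "source IP not allow-listed"
    expected = sign(key, ts, method, path, body)
    if not hmac.compare_digest(expected.encode(), sig.encode()):  # constant-time
        return "bad signature"
    if permission not in key.permissions or vault not in key.vaults:
        return "permission denied"
    return "ok"

# Constructed sample key and request (not real credentials).
KEY = ApiKey(b"constructed-secret", "constructed-passphrase", ("203.0.113.0/24",),
             frozenset({"create_transaction"}), frozenset({"vault-treasury"}),
             1_735_689_600)
NOW = 1_705_500_000
BODY = '{"amount":"1.5"}'
SIG = sign(KEY, NOW, "POST", "/transactions", BODY)

def check(**over):
    req = dict(ts=NOW, sig=SIG, src_ip="203.0.113.10", method="POST",
               path="/transactions", body=BODY, permission="create_transaction",
               vault="vault-treasury", now=NOW)
    req.update(over)
    return verify(KEY, **req)

if __name__ == "__main__":
    print(check(), check(now=NOW + 120), check(src_ip="198.51.100.7"),
          check(body='{"amount":"150"}'), check(vault="vault-hot"), sep="\n")
```

A captured request replayed two minutes later, a request from outside the allow-listed network, a tampered body and an out-of-scope vault are each rejected by a different control, which is the layering the list describes.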

Team Roles and Policy‑Driven Governance

Vaultody was designed for teams, not individuals. The Team Roles feature allows vault owners to:

  • Add multiple team members to a vault.
  • Assign specific roles with tailored permissions (for example: initiator, reviewer, approver, auditor).
  • Combine roles with transaction policies to hard‑code governance rules into the platform.

Policies can reflect real‑world segregation‑of‑duties requirements, such as dual approvals above a certain amount or separate permissions for creation versus approval of withdrawals.

System Actions: Controlled Changes to Sensitive Settings

Critical account and vault changes must be traceable and authorised. The System Actions framework—tightly integrated with Vaultody Approver—introduces a request‑and‑approval flow for:

  • Activating wallets.
  • Enforcing mandatory backups.
  • Updating personal or contact details.
  • Changing vault roles or expanding access to transaction policies.

Team members can initiate these requests, but only vault owners or designated approvers can approve or reject them, ensuring strong governance over configuration changes.

Hardware Enclaves: AMD SEV and Intel SGX

To further isolate sensitive computations, Vaultody makes use of Trusted Execution Environments (TEEs), also known as hardware enclaves. We rely on a dual‑enclave architecture:

  • AMD SEV for encrypted virtual machines.
  • Intel SGX for fine‑grained secure enclaves.

Even in a worst‑case scenario where an attacker gains access to the host operating system, secrets held inside these enclaves remain encrypted and inaccessible, adding an extra layer of protection to MPC operations and key material.

Mandatory Backup and Recovery

Security is incomplete without a reliable recovery path. In 2023 we implemented mandatory vault backup and recovery:

  • Users are prompted to create a backup when a new vault is set up.
  • Vault owners decide whether to approve or reject backup completion, but are strongly encouraged to complete it.
  • The Vaultody Recovery Tool, an open‑source utility, allows backups to be generated and stored securely on local devices.

This balances non‑custodial control with a robust, verifiable recovery process that organisations can independently audit.

Looking Ahead: The Vaultody Roadmap for 2024

After a foundational year, our 2024 roadmap is about scale, automation and regulatory alignment. The main priorities are outlined below.

New Blockchain Integrations

To broaden asset coverage and support more application layers, we are integrating additional high‑demand networks, including:

  • Solana
  • Arbitrum
  • Polygon
  • Base
  • Optimism

This will allow institutions to manage a wider range of tokens and use‑cases from the same MPC‑secured infrastructure.

Smart Vaults: EVM‑Powered Vault Abstraction

Smart Vaults are our next‑generation EVM vaults, scheduled for release in the first half of 2024. They are designed to optimise cost and operational efficiency:

  • Dust consolidation – automatically eliminates small, unusable balances left in wallets.
  • Batch transactions – multiple transfers can be executed in a single on‑chain transaction.
  • Gas optimisation – expected gas fee savings:
    • Up to ~50% on individual transactions.
    • Up to ~90% on batched operations.

For high‑volume operators, this directly translates into lower operating expenses and cleaner operational flows.

Smart Automations for Policy‑Based Execution

With Smart Automations, vault owners will be able to define rule‑based behaviours that execute automatically when specific conditions are met:

  • Threshold‑based rebalancing between hot and warm vaults.
  • Scheduled sweeps from operational wallets to treasury.
  • Automatic responses to pre‑defined triggers, such as address risk scores or volume levels.

These automations are fully configurable and always executed according to the owner’s governance settings, combining safety with operational speed.

Hot and Warm Vaults

Different use‑cases demand different risk profiles, so we are introducing two managed vault tiers:

  • Hot Vaults – tuned for high‑frequency, lower‑value activity such as exchange withdrawals or payment flows.
  • Warm Vaults – calibrated for larger balances and less frequent movements, balancing convenience with additional layers of protection.

Both vault types will retain the same MPC security properties and governance controls, but with different operational defaults.

AML / KYT Integrations

Compliance is a core requirement for institutional participants. In 2024 we are integrating Know Your Transaction (KYT) and broader AML tooling directly into Vaultody:

  • Incoming suspicious transactions will be automatically flagged and held in a pending state.
  • Vault owners will be able to review, investigate, approve, reject or report such transfers from within the platform.
  • High‑risk funds can be blocked from moving further until all checks are complete.

This allows compliance and operations teams to handle risk events inside the custody infrastructure, rather than across disconnected tools.

Contacts and Whitelisting

To reduce manual errors and streamline recurring flows, we are adding a flexible Contacts system:

  • Maintain an address book of individuals, counterparties and organisations, grouped by blockchain.
  • Whitelist trusted addresses for smoother, lower‑friction transaction approvals.
  • Ensure that any additions or changes to the address book are subject to owner approval.

This feature brings familiar banking‑style contact management into the digital asset world with proper governance around who can amend it.

Freeze Vaults for Emergency Control

In crisis situations, institutions must be able to stop activity instantly. The upcoming Freeze Vaults capability will allow owners to:

  • Temporarily lock one or multiple vaults for an indefinite period.
  • Block all transaction requests and disable new approvals while the vault is frozen.
  • Manually unfreeze and resume operations once the situation is under control.

This provides a direct, governed kill‑switch for incidents such as compromised endpoints, suspected insider activity or external regulatory events.

Working Hours and Time‑Based Controls

Many fraud scenarios occur outside normal operating hours. Working Hours will let vault owners define when activity is allowed:

  • Set allowed time windows for transaction requests and sensitive system actions.
  • Block dashboard‑ and API‑initiated requests outside those windows.
  • Route in‑hours requests through Vaultody Approver and existing governance rules.

This reduces the attack surface at times when fewer staff are monitoring systems.

Operational Log and Auditing

To make supervision and audits more efficient, we are building a comprehensive Operational Log:

  • Track who did what, when and from where across the entire account.
  • Filter by author, action type, source, date and time.
  • Drill into the history of system actions and transactions for internal or external audits.

With this, security, compliance and finance teams can reconstruct events without piecing together data from multiple systems.

Conclusion: Year One Foundations and the Road Ahead

Vaultody’s first operational year was about building a resilient, institutional‑grade custody infrastructure. We shipped an MPC engine, Vaultody Approver, advanced API and role controls, hardware enclave protection, and a robust backup and recovery framework—all focused on the twin goals of protecting client funds and enabling operational flexibility.

In 2024 we are extending that foundation: more blockchains, Smart Vaults, Smart Automations, hot and warm vault tiers, KYT/AML enforcement, and fine‑grained controls such as contacts, freeze vaults, working‑hours enforcement and detailed operational logging.

Our commitment remains the same: to provide secure, policy‑driven digital asset infrastructure that can evolve with the crypto and institutional landscape, giving organisations the confidence to build on chain at scale.

Frequently Asked Questions

Why was Vaultody created?

Vaultody was founded to address repeated failures in crypto custody—hot‑wallet hacks, compromised private keys and weak internal controls. By combining MPC, hardware enclaves and policy‑driven governance, it provides a non‑custodial wallet infrastructure suitable for exchanges, banks, fintechs and institutional investors.

How does Vaultody’s MPC improve security?

Vaultody uses Threshold Signature Schemes (TSS) so that no single person or system ever holds a complete private key. Signing power is split across multiple parties and secure enclaves, greatly reducing the impact of device compromise, insider threats or single points of failure.

What were the most important features launched in 2023?

Key 2023 launches include the custom MPC engine, the Vaultody Approver mobile app, same‑address support across EVM chains, enhanced transaction history, advanced API keys with IP allow‑listing and time‑window controls, team roles, system actions, hardware enclaves (AMD SEV and Intel SGX), and mandatory backup and recovery with the open‑source Vaultody Recovery Tool.

What is planned for 2024?

The 2024 roadmap adds new blockchains (such as Solana, Arbitrum, Polygon, Base and Optimism), Smart Vaults with batch transactions and gas savings, Smart Automations, hot and warm vault tiers, AML/KYT integrations, contacts and whitelisting, freeze‑vault controls, working‑hours enforcement and an operational log for detailed auditing.

Vaultody as a Product

Vaultody is a non‑custodial digital asset wallet infrastructure for institutions. It combines MPC, secure enclaves and rich governance features to help organisations manage hot and warm wallets, treasury, exchange flows and on‑chain operations safely.

Custody and MPC Category

Vaultody sits in the category of institutional digital asset custody and MPC wallet infrastructure. It is designed for organisations that:

How‑To: Implement Vaultody in Four Steps

Step 1 – Define Governance and Risk Requirements

Map out who should be able to initiate, review and approve transactions; which vaults are “hot” versus “warm”; and what thresholds require multiple approvals or additional checks.

Step 2 – Configure Vaults, Roles and Policies

Create vaults aligned with your operational structure (for example: exchange hot wallets, treasury, client funds). Assign team roles, define transaction policies, and connect Vaultody Approver for critical approvals.

Step 3 – Integrate via API and Set Up Backups

Use Advanced API keys with IP allow‑lists and tailored permissions to connect trading, payments or treasury systems. Complete mandatory backups using the Vaultody Recovery Tool and store them securely offline.

Step 4 – Monitor Activity and Refine Controls

Regularly review transaction history and, when available, operational logs and AML/KYT alerts. Tune working hours, automation rules, and vault freeze thresholds to match evolving risk and business needs.