Programmable Custody Infrastructure
Issue #01618 min read

Programmable Custody: The Invisible Infrastructure That Decides Who Really Owns What When Money Becomes Code

On October 29, 2025, Paxos accidentally created $300 trillion in PYUSD tokens - then burned them twenty minutes later. You held your keys the entire time. But did you own your crypto? When smart contracts mediate ownership, custody becomes programmable. And whoever writes the code holds the real power.


TL;DR

  • Paxos accidentally minted $300T PYUSD (3x global GDP) on October 29, 2025, then burned it via admin keys - proving smart contract issuers can override user private keys. 60% of institutions use third-party custodians despite self-custody capability because control fragments across protocol developers, governance token holders, and multi-sig signers
  • Programmable custody through DeFi protocols, multi-sig wallets, upgradeable contracts, and cross-chain bridges transforms ownership into conditional permission - you don't own assets, you own claims mediated by code that can pause, upgrade, or restrict access without your approval
  • GENIUS Act (July 2025), UK FCA CP25/14, EU MiCAR, and Basel Committee standards treat smart contract deployers as regulated custodians if they retain admin keys - forcing a choice between compliance licensing and removing the emergency controls that protect against exploits
  • Legal gap: Courts haven't determined if smart contract bugs create liability for developers, whether DAOs are suable entities, or who owes assets when cross-chain bridges fail. Regulatory response assigns custody responsibility to identifiable parties who can be held accountable when code fails


On October 29, 2025, Paxos - the regulated issuer behind PayPal's U.S. dollar stablecoin - accidentally created $300 trillion worth of PYUSD tokens in a single blockchain transaction. Three times global GDP materialized on-chain in seconds.

Twenty minutes later, those tokens were gone. Burned through the same administrative controls that created them.

If you held PYUSD in your self-custody wallet during those twenty minutes, you controlled your private keys. But did you own your crypto?

I'm sure that when this came out, more than one compliance officer asked "who has the authority to fix this?" after deciding this is too big to be a hack.

The Paxos incident reveals what compliance officers, treasury managers, and wealth advisors need to understand about digital asset custody in 2025: "your keys, your crypto" is a marketing slogan, not a legal framework. The crypto industry's foundational mantra - "Not Your Keys, Not Your Coins" - doesn't actually mean your keys guarantee your coins either.

When smart contracts mediate ownership, custody becomes programmable. And whoever writes or controls the code holds the real power.

Diagnosis - Why "Not Your Keys, Not Your Coins" Doesn't Apply When Code Holds the Keys

The crypto industry built its identity on a simple promise: self-custody eliminates intermediaries. Hold your private keys, control your assets. No banks, no brokers, no trusted third parties. The blockchain verifies ownership cryptographically, and mathematics replaces institutional trust.

This narrative worked when Bitcoin meant holding keys to addresses on a transparent ledger. But institutional crypto in 2025 looks nothing like this. Assets sit in DeFi protocols earning yield. Treasury strategies involve multi-signature wallets with third-party co-signers. Tokenized securities live in smart contracts with compliance modules. Cross-chain bridges fragment custody across multiple blockchains.

Sixty percent of institutions now use third-party custodians despite having technical capability for self-custody. Ninety-two percent of large funds rely on institutional custodians.

The reason isn't technological incompetence - it's structural reality. When smart contracts define the rules of ownership, possession of private keys becomes just one variable in a complex custody equation.

The Paxos incident made this explicit. PYUSD holders maintained cryptographic control of their wallets throughout the minting error. Their private keys never changed. Yet Paxos executed a burn function that could have eliminated tokens from any wallet - no signature required, no permission requested. The smart contract's admin keys superseded every user's private keys.

This isn't a bug. It's how programmable custody works.

Reframe - The Shift from Possession to Permission: How Smart Contracts Redefine Ownership

Traditional finance separates custody from control through legal frameworks. When you deposit cash in a bank, the bank holds the money (custody) but you retain the right to withdraw it (control). Law defines the relationship. Regulators enforce it. Courts resolve disputes.

Cryptocurrency promised to collapse this distinction. If you hold the private keys, you have both custody and control - mathematically guaranteed, no legal system required. The phrase "not your keys, not your coins" captured this elegantly: cryptographic possession equals ownership.

Smart contracts broke that promise.

When assets move into smart contracts - whether for DeFi lending, DAO treasuries, or tokenized securities - ownership becomes conditional. You don't own the asset; you own a token that represents a claim on an asset held by code. That code defines the rules: when you can withdraw, under what conditions, and who can override those rules.

This is programmable custody: ownership mediated by software that can be paused, upgraded, or overridden by parties who control the contract's administrative functions. Your private keys let you interact with the system, but they don't guarantee you control the asset.

The distinction matters legally. In traditional custody, if a bank refuses to return your deposit, you sue the bank. If a smart contract locks your tokens because the protocol developer programmed an exit restriction, who do you sue?

The code? The developer? The DAO that governs the protocol?

The answer remains unclear, which is precisely why this model creates risk for institutional portfolios.

Evidence - The Four Layers of Programmable Custody

Smart Contract Escrow: Who Controls Assets Locked in DeFi Protocols?

When you deposit USDC into a lending protocol like Aave or Compound, your tokens don't stay in your wallet. They transfer to a smart contract that holds them in escrow. In exchange, you receive a derivative token (aUSDC, cUSDC) representing your claim on the underlying asset plus accrued interest.

You now depend on the smart contract's code to withdraw. If the protocol has an emergency pause function - and most institutional-grade protocols do - someone controls the key that can freeze all withdrawals. That someone is usually the protocol development team or a multi-signature wallet controlled by core contributors.

The Paxos PYUSD incident demonstrated this explicitly. Paxos operates as a regulated trust company with NYDFS oversight, yet the stablecoin's smart contract included administrative functions that allowed the company to mint and burn tokens without user approval.

When the erroneous $300 trillion mint occurred, Paxos didn't need to ask permission from PYUSD holders to reverse it. The code gave them unilateral authority.

This isn't unique to Paxos. Every major stablecoin - USDC, USDT, BUSD (before its shutdown) - includes blacklist functions that let issuers freeze tokens in specific wallets. Regulators require this for sanctions compliance.

But it means "your keys, your crypto" comes with an asterisk: your keys work until the issuer decides they don't.
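As an added illustration (not code from this article, Paxos or any other issuer), the following Python sketch inventories the control points described above by scanning a token contract's ABI for state-changing functions whose names suggest mint/burn, freeze, pause or upgrade powers. The ABI and the name patterns are constructed assumptions; a match is a lead for reviewing who may call the function, not proof of it.

```python
import json
import re

# Name heuristics per control category. These patterns are assumptions made
# for this example; a miss means "not detected", not "absent".
CONTROL_PATTERNS = {
    "supply": re.compile(r"^(mint|burn|increaseSupply|decreaseSupply)", re.I),
    "freeze": re.compile(r"freeze|blacklist|blocklist|wipe", re.I),
    "pause": re.compile(r"^(pause|unpause)$", re.I),
    "upgrade": re.compile(r"^(upgradeTo|upgradeToAndCall|changeAdmin)$", re.I),
    "ownership": re.compile(r"^(transferOwnership|grantRole|revokeRole)$", re.I),
}

# Constructed ABI for a hypothetical issuer-administered token.
# It is not the ABI of PYUSD or of any deployed contract.
SAMPLE_ABI = json.loads("""[
  {"type": "function", "name": "transfer", "stateMutability": "nonpayable",
   "inputs": [{"type": "address"}, {"type": "uint256"}]},
  {"type": "function", "name": "mint", "stateMutability": "nonpayable",
   "inputs": [{"type": "address"}, {"type": "uint256"}]},
  {"type": "function", "name": "burn", "stateMutability": "nonpayable",
   "inputs": [{"type": "uint256"}]},
  {"type": "function", "name": "freeze", "stateMutability": "nonpayable",
   "inputs": [{"type": "address"}]},
  {"type": "function", "name": "wipeFrozenAddress", "stateMutability": "nonpayable",
   "inputs": [{"type": "address"}]},
  {"type": "function", "name": "isFrozen", "stateMutability": "view",
   "inputs": [{"type": "address"}]},
  {"type": "function", "name": "pause", "stateMutability": "nonpayable",
   "inputs": []},
  {"type": "function", "name": "upgradeTo", "stateMutability": "nonpayable",
   "inputs": [{"type": "address"}]},
  {"type": "event", "name": "Transfer", "inputs": []}
]""")


def signature(entry):
    """Render an ABI function entry as name(type1,type2,...)."""
    types = ",".join(arg["type"] for arg in entry.get("inputs", []))
    return f'{entry["name"]}({types})'


def classify(entry):
    """Return the control category a function name suggests, or None."""
    if entry.get("type") != "function":
        return None
    # view/pure functions cannot move, freeze or destroy anything.
    if entry.get("stateMutability") in ("view", "pure"):
        return None
    for category, pattern in CONTROL_PATTERNS.items():
        if pattern.search(entry["name"]):
            return category
    return None


def control_points(abi):
    """Group state-changing functions by the custody power they suggest."""
    found = {category: [] for category in CONTROL_PATTERNS}
    for entry in abi:
        category = classify(entry)
        if category:
            found[category].append(signature(entry))
    return found


def acts_on_named_account(abi):
    """Supply/freeze functions that take an address argument: the caller names
    the account affected, so that account's own signature is not involved."""
    return [
        signature(entry)
        for entry in abi
        if classify(entry) in ("supply", "freeze")
        and any(arg["type"] == "address" for arg in entry.get("inputs", []))
    ]


if __name__ == "__main__":
    for category, functions in control_points(SAMPLE_ABI).items():
        print(f"{category:10s} {functions}")
    print("acts on a named account:", acts_on_named_account(SAMPLE_ABI))
```
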

DeFi protocols face the same structural reality. Duke University research identifies smart contract escrow as a "critical DeFi primitive" but notes that tokens become "permanently custodied" if the contract lacks proper withdrawal mechanisms or if admin keys can restrict access.

When Curve Finance suffered a $62 million exploit in July 2023 due to a Vyper compiler vulnerability, the question wasn't just "how did the hack happen" but "who actually had custody of the funds locked in those pools?"

The liquidity providers? The protocol developers? The governance token holders who could vote on recovery measures?

The answer: custody had fragmented across multiple parties, none of whom could unilaterally access the funds, but all of whom had some degree of control over what happened to them.

Multi-Signature Wallets: When 2-of-3 or 3-of-5 Signatures Are Required, Who Holds the Power?

Institutional treasuries increasingly use multi-signature wallets to prevent single points of failure. A 2-of-3 setup requires two out of three designated keyholders to approve any transaction. This eliminates the risk that one compromised employee or stolen device can drain the treasury.

But it also means no individual has custody. Ownership becomes collective and conditional.

If you're one of three signers on a $50 million corporate Bitcoin treasury, you don't control those funds - you control one-third of the access mechanism. The other two signers must cooperate, or the funds stay locked.

This creates governance risk. What happens if one signer leaves the company? What if two signers collude? What if one signer loses their key?

A professional colleague recently shared this story that gives an interesting POV on this: A mid-sized fund I advised had three signers for their €40M treasury. When their head of operations left abruptly during a restructure, it took six weeks and two law firms to execute a single withdrawal. The Bitcoin was 'theirs' the entire time. They just couldn't access it.

Multi-sig wallets solve the security problem but introduce coordination risk. And in most institutional implementations, at least one of those signers is a third-party custody provider like BitGo, Fireblocks, or Coinbase Custody.

The Bybit hack in February 2025 illustrated the vulnerability. While details remain under investigation, reports suggest the breach involved compromised multi-sig credentials rather than a pure smart contract exploit.

When custody depends on multiple parties correctly securing their keys and following protocols, the "no intermediaries" promise dissolves into committee-based permission structures.

Multi-signature wallets also concentrate power in DAOs and protocol governance. When a DeFi protocol's treasury sits in a 5-of-9 multi-sig controlled by core team members, those nine individuals have effective custody over potentially hundreds of millions in user funds, regardless of what the "decentralized" branding suggests.

The Swerve Finance governance exploit in March 2023 showed this risk: an attacker didn't hack the code - they legally acquired governance tokens and used them to control the multi-sig, draining the treasury through legitimate voting mechanisms.

Who had custody before the attack? The multi-sig holders. Who had custody after? Still the multi-sig holders - just different ones. The code executed exactly as designed. The users who thought their funds were secure in a "trustless" protocol learned that trust had simply shifted from banks to governance token holders.

Upgradeable Contracts: What Happens When the Code That Defines Ownership Can Be Changed?

Blockchain's value proposition rests on immutability: code executes as written, no one can change the rules retroactively, and ownership records can't be altered.

Except when they can.

Most institutional-grade smart contracts use upgradeable proxy patterns. The user interacts with a proxy contract that delegates logic to an implementation contract. If the implementation has a bug or needs new features, the proxy can point to a new version - effectively rewriting the rules while maintaining the same address and user balances.

OpenZeppelin, the industry standard for smart contract development libraries, explicitly documents proxy patterns as best practice for production systems. The rationale is sound: code will have bugs, regulations will change, and protocols need the ability to adapt. But upgradeability fundamentally contradicts immutability.

When a smart contract is upgradeable, whoever controls the upgrade mechanism has custody in the truest sense: they can change the rules of ownership. That control typically sits with a multi-sig wallet held by the protocol team, a DAO governance process, or a designated admin address.

This means your tokens in an upgradeable contract exist under conditions that can change. The yield rate can be modified. Withdrawal restrictions can be added. Token balances can be migrated to a new contract.

All without your explicit approval - your only recourse is to exit before the upgrade occurs, assuming you notice it's happening.
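One way to check who holds the upgrade power described above, as an added example rather than OpenZeppelin's or any protocol's own code: proxies that follow EIP-1967 keep the implementation and admin addresses in fixed storage slots, so reading those slots at two points in time shows who can re-point the proxy and whether it has been re-pointed. The addresses and the in-memory storage are constructed; against a live chain, `get_storage_at` would wrap the node client's storage read.

```python
# EIP-1967 storage slots: keccak256 of the label minus 1, fixed by the standard.
IMPLEMENTATION_SLOT = 0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc
ADMIN_SLOT = 0xb53127684a568b3173ae13b9f8a6016e243e63b6e8ee1178d6a717850b5d6103


def word_to_address(word):
    """Decode a 32-byte storage word holding a left-padded 20-byte address.
    Returns None for an empty slot."""
    if len(word) != 32:
        raise ValueError("storage word must be 32 bytes")
    if any(word[:12]):
        raise ValueError("upper 12 bytes are not zero: slot does not hold an address")
    tail = word[12:]
    return "0x" + tail.hex() if any(tail) else None


def upgrade_control(get_storage_at, proxy):
    """Report who can change the code behind `proxy`.

    get_storage_at(address, slot) -> 32 bytes is supplied by the caller
    (assumption: for a live chain it wraps the client's storage read).
    """
    implementation = word_to_address(get_storage_at(proxy, IMPLEMENTATION_SLOT))
    admin = word_to_address(get_storage_at(proxy, ADMIN_SLOT))
    if implementation is None:
        finding = "no EIP-1967 implementation slot set: not a proxy, or a non-standard pattern"
    elif admin is not None:
        finding = "upgradeable: the admin address can re-point the implementation"
    else:
        # e.g. UUPS-style proxies, where the check lives in the logic contract
        finding = ("upgradeable only via logic inside the implementation: "
                   "review its upgrade authorization")
    return {"implementation": implementation, "admin": admin, "finding": finding}


def changes(before, after):
    """List the control fields that differ between two snapshots."""
    return [
        f"{field}: {before[field]} -> {after[field]}"
        for field in ("implementation", "admin")
        if before[field] != after[field]
    ]


# ---- constructed sample data (hypothetical addresses, in-memory storage) ----
PROXY = "0x" + "aa" * 20
IMPL_V1 = "0x" + "11" * 20
IMPL_V2 = "0x" + "22" * 20
ADMIN = "0x" + "ad" * 20


def pad(address):
    """Left-pad a 20-byte hex address to a 32-byte storage word."""
    return bytes(12) + bytes.fromhex(address[2:])


def reader(storage):
    """Build a get_storage_at callable over a dict; unset slots read as zero."""
    return lambda address, slot: storage.get((address, slot), bytes(32))


STORAGE_BEFORE = {(PROXY, IMPLEMENTATION_SLOT): pad(IMPL_V1), (PROXY, ADMIN_SLOT): pad(ADMIN)}
STORAGE_AFTER = {(PROXY, IMPLEMENTATION_SLOT): pad(IMPL_V2), (PROXY, ADMIN_SLOT): pad(ADMIN)}

if __name__ == "__main__":
    before = upgrade_control(reader(STORAGE_BEFORE), PROXY)
    after = upgrade_control(reader(STORAGE_AFTER), PROXY)
    print(before["finding"], "| admin:", before["admin"])
    for change in changes(before, after):
        print("changed ->", change)
```

Whether the admin address is a single key, a multi-sig or a timelock still has to be established separately; the slot only says where the power sits.
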

The risk isn't theoretical. Multiple DeFi protocols have used upgrade mechanisms to change tokenomics, alter governance structures, or implement emergency security measures. In each case, the code was "immutable" until the moment it wasn't. Users had "custody" until the protocol developers decided different rules should apply.

Regulators are now scrutinizing this model. The French banking authority explicitly notes that as finance decentralizes technologically, "re-concentration occurs in less regulated areas" - meaning protocol developers become the new intermediaries, just without the licensing requirements or liability frameworks that govern traditional custodians.

Cross-Chain Bridges: Where Does Ownership Sit When Assets Move Between Blockchains?

When you bridge USDC from Ethereum to Polygon, you don't actually move the tokens. You lock them in a smart contract on Ethereum and receive newly minted wrapped tokens on Polygon.

Custody has split across two blockchains, two smart contracts, and often two separate validator sets that verify the bridge transactions.

If the Ethereum contract has a bug, your original USDC is at risk. If the Polygon contract has a bug, your wrapped tokens could become worthless. If the bridge's signature verification fails - as happened in the Wormhole bridge hack in February 2022, resulting in $320 million stolen - both chains' assets become compromised simultaneously.

Cross-chain custody creates fragmentation without clear legal ownership. If you hold wrapped Bitcoin on Ethereum, who has custody?

The bridge protocol that locked the real Bitcoin? The smart contract that issued the wrapped version? You, the holder of the wrapped token? The validators who process bridge transactions?

The answer is all of them, partially. Custody has been distributed across a technical stack where each component has some control, but no single party has complete authority.

This is programmable custody at its most complex: ownership mediated by multiple layers of code, operated by different entities, subject to separate governance mechanisms, spanning multiple legal jurisdictions.

For institutions, this creates an accounting nightmare. When your treasury holds $10 million in bridged assets, what do you list on the balance sheet? What disclosures do you make about custody risk?

If the bridge fails and assets become unrecoverable, who's liable - the bridge developers, the validators, the original blockchain's protocol team, or your own risk management for choosing that particular bridge? These questions lack clear answers because the legal framework hasn't caught up to the technology. And that gap is where regulatory intervention will arrive.

Follow the Money - The Custody Stack: Protocol Developers, Wallet Providers, and the Treasury Yield Game

Follow the control points, and you'll find the real custodians.

Protocol developers deploy smart contracts and often retain admin keys for upgrades and emergency functions. Wallet providers like MetaMask and Ledger manage the interface between users and protocols, sometimes with their own custody of seed phrases through recovery services.

Governance token holders vote on treasury management, protocol parameters, and upgrade proposals. Validators and node operators process transactions and can theoretically censor specific addresses.

Each layer represents partial custody. No single party can unilaterally move funds, but multiple parties can restrict, freeze, or redirect them through their respective control points.

The treasury yield game makes this explicit. Institutions don't hold idle crypto - they deploy it into DeFi protocols to earn returns. That deployment means transferring custody to smart contracts controlled by protocol teams they've never met, governed by token holder votes they don't participate in, secured by multi-sig wallets they can't audit, and subject to upgrades they won't learn about until after implementation.

Michael Egorov's position in Curve Finance demonstrated the governance concentration risk. As founder, he held enough CRV tokens to significantly influence protocol decisions while simultaneously borrowing $85 million against those tokens from various DeFi platforms.

When Curve suffered the Vyper exploit, the interconnected custody relationships created systemic risk: Curve's smart contracts held user funds, Egorov's governance position influenced the protocol's response, and his leveraged positions across multiple platforms meant a Curve failure could cascade into liquidations elsewhere.

Who had custody during this period? Legally, users held their LP tokens. Practically, the protocol developers controlled the vulnerable code, Egorov influenced governance decisions, and the lending platforms held his CRV as collateral with liquidation rights.

Custody had become a network of interdependent claims, not a clear property right.

This is why sixty percent of institutions use third-party custodians despite having self-custody capability. They're not paying for key management - they're paying for a single legal entity they can sue when custody becomes disputed.

Traditional custodians like Coinbase Custody and Fidelity Digital Assets don't eliminate programmable custody risk, but they consolidate liability. If assets in a DeFi protocol become frozen, the institution sues its custodian, and the custodian navigates the technical and legal complexity of recovery.

The custody stack has simply added a traditional financial layer on top of the crypto infrastructure, reintroducing the intermediaries that blockchain was supposed to eliminate.

Power Shift - How "Owning Crypto" Became "Having Permission from a Smart Contract"

The conceptual shift from ownership to permission happens gradually, then suddenly.

You start by holding Bitcoin in a self-custody wallet. You own it - possession and control unified through private keys. Then you deposit it into a lending protocol to earn yield. Now you own a claim on Bitcoin, represented by a derivative token, subject to the protocol's withdrawal rules. Then the protocol implements an upgrade that changes those withdrawal rules. Now your claim exists under conditions you didn't agree to when you deposited. Then a governance vote implements an emergency pause due to an exploit on another protocol. Now your permission to withdraw has been suspended by a vote you didn't participate in, made by token holders you don't know.

At each step, the transaction felt voluntary. You chose to deposit. You accepted the protocol's terms. You could have exited earlier.

But structurally, ownership has transformed into conditional permission - permission granted by code, which is controlled by developers, influenced by governance, and subject to change through mechanisms you may not even be aware of.

Property law distinguishes between possession (physical control) and ownership (legal right). Cryptocurrency attempted to merge them through cryptographic control, making possession proof of ownership. Smart contracts separated them again, but without the legal framework that governs traditional finance.

When Ethereum hard-forked in July 2016 to reverse the DAO hack and return $60 million in stolen funds, the network proved that governance trumps code. The community voted to rewrite the blockchain's history, violating the "code is law" principle to achieve what they determined was a just outcome. Ethereum Classic emerged as the non-forked chain, preserving the original history where the hack stood.

Users learned a lesson: even on supposedly immutable blockchains, community governance can override cryptographic ownership. Your keys give you possession until the network decides they don't. Nearly a decade later, that same dynamic persists in programmable custody - just distributed across protocols instead of base-layer blockchains.

Illusion of Need - DeFi Promises Disintermediation, But Smart Contracts Are Just New Intermediaries

The term "decentralized finance" contains an implicit promise: removing intermediaries from financial transactions. No banks approving loans, no brokers executing trades, no clearinghouses settling transactions. Smart contracts replace all of them with transparent, automated code.

But code doesn't write itself. Smart contracts are designed, deployed, and maintained by developers. Those developers become the new intermediaries - just without the regulatory oversight or liability that governs traditional financial intermediaries.

The Congressional Research Service's analysis of DeFi notes that decentralization "relocates rather than eliminates intermediaries." Instead of regulated institutions, users now depend on protocol developers, governance token holders, multi-sig signers, validators, and oracle providers.

Each represents a control point, a party whose decisions affect whether you can access your funds.

This matters for institutional custody because it redefines counterparty risk. When you deposit funds with a traditional custodian, you assess that institution's financial strength, regulatory compliance, and insurance coverage.

When you deposit funds in a DeFi protocol, you must assess the code quality, the developer team's competence, the governance token distribution, the multi-sig signer reliability, and the upgrade mechanism's security - none of which have standardized evaluation frameworks or regulatory oversight.

The French banking authority's research makes this explicit: DeFi relocates concentration risk to "less regulated areas." You haven't eliminated trust; you've shifted it from regulated banks to unregulated protocol developers.

And those developers often have more power than traditional custodians ever did. A bank can't unilaterally rewrite the terms of your deposit account. A protocol developer with admin keys can upgrade the smart contract and change your withdrawal conditions - no approval process required beyond the governance mechanism they designed.

This is why the "disintermediation" narrative fails under scrutiny. Smart contracts are intermediaries - just software ones instead of institutional ones. And software intermediaries can be more opaque, harder to hold accountable, and impossible to sue when they fail.

The Paxos incident created no financial losses. The erroneous tokens were burned before any market impact, and customer funds remained secure throughout.

But it revealed the central custody question institutions must answer: if Paxos can mint and burn tokens at will, what do PYUSD holders actually own?

Legally, they own tokens issued by Paxos, a regulated trust company. But cryptographically, those tokens exist only because the smart contract says they do - and Paxos controls the smart contract.

If Paxos executes a burn function, the tokens disappear from your wallet regardless of your private keys.

Now extend this to a scenario where the burn isn't intentional:

Who's liable?

The protocol developers claim they merely deployed code and have no ongoing responsibility. The DAO argues it's a decentralized entity with no legal personality, so it can't be sued. The governance token holders claim they voted in good faith based on proposals they didn't fully understand.

The users had custody of their private keys, so they accepted the risk of interacting with smart contracts.

Everyone claims no liability. No one can restore the funds.

This gap between cryptographic control and legal ownership creates unacceptable risk for institutional treasuries. When a company holds $50 million in DeFi protocols earning yield, the CFO needs to know who's responsible if those funds become inaccessible.

"The code is the code" is not an acceptable answer for financial reporting or fiduciary duty.

Recent legal developments suggest courts will assign liability regardless of technical arguments. When protocol developers claim they're just publishing code with no ongoing relationship to users, judges are skeptical.

When DAOs argue they have no legal existence, regulators respond by targeting the identifiable individuals who operate them. When users claim their funds were stolen from a smart contract, courts look for a defendant with assets to recover.

The result is a patchwork of liability assignment that varies by jurisdiction and case. Some courts treat protocol developers as service providers with ongoing duty of care. Others apply securities law, treating governance tokens as investment contracts that create issuer liability.

Still others focus on consumer protection statutes, holding wallet providers liable for inadequate disclosure of custody risks.

For institutions, this uncertainty is untenable. Treasury strategies require clear understanding of custody arrangements and liability in case of loss. Programmable custody provides neither.

The technical architecture fragments custody across multiple parties, and the legal framework hasn't determined how to assign responsibility when the system fails.

This is why regulatory intervention is inevitable - and already arriving.

Counter-Attack - Three Regulatory Vectors

1. Custody Licensing: Treating Smart Contract Deployers as Financial Custodians

The GENIUS Act, signed into law on July 18, 2025, establishes the first comprehensive federal framework for stablecoin custody in the United States. It requires issuers to obtain either a federal license or state trust charter, maintain one-to-one reserves in approved assets, and submit to regular audits.

Critically, it treats stablecoin issuers as custodians - not technology companies publishing code, but financial institutions holding customer assets.

The UK's Financial Conduct Authority published consultation paper CP25/14 in May 2025, proposing a licensing regime for cryptoasset custody that would apply to any entity providing "safeguarding and administration of cryptoassets belonging to another person."

The definition explicitly includes smart contract deployers who retain admin keys or upgrade capabilities. If the consultation proceeds as drafted, anyone who deploys a custody-related smart contract in the UK would need FCA authorization by 2026.

The EU's Markets in Crypto-Assets Regulation (MiCAR) became fully operational on December 31, 2024, requiring crypto asset service providers to segregate client assets, maintain minimum capital, and implement robust custody procedures.

While MiCAR primarily targets exchanges and wallet providers, its functional approach means that protocol developers who control user funds through admin keys or governance mechanisms could be classified as service providers subject to authorization requirements.

These regulations share a common principle: if you control user assets through code, you're a custodian under financial regulation - regardless of whether you call yourself a protocol developer, a DAO, or a decentralized application.

The technical mechanism (smart contracts vs. database entries) is irrelevant; the functional reality (you can restrict, freeze, or redirect user funds) is what triggers licensing requirements.

For protocol developers, this creates an impossible choice:

  • Retain admin keys and emergency pause functions to protect against exploits, and you become a regulated custodian
  • Remove all admin controls to avoid regulation, and you lose the ability to respond to bugs or hacks

Most institutional-grade protocols will choose compliance - which means programmable custody increasingly looks like traditional custody with blockchain characteristics, not a fundamentally different model.

2. Liability Assignment: Making Protocol Developers Responsible for Losses

The Howey test determines whether an asset is a security based on investment of money in a common enterprise with expectation of profit from others' efforts. The SEC has argued that many DeFi tokens meet this definition, making the protocols that issue them subject to securities regulation - including liability for material misstatements and fraud.

If a protocol markets itself as "trustless" while the development team retains admin keys that can pause withdrawals, is that a misleading statement that creates liability?

If governance documentation suggests decentralized control but a small group holds majority voting power, does that constitute fraud?

The SEC's enforcement actions suggest yes.

Beyond securities law, traditional tort principles are being applied to smart contract developers. If a developer deploys code with a known vulnerability that results in user losses, can they be sued for negligence?

Courts in multiple jurisdictions have allowed such claims to proceed, rejecting arguments that deploying open-source code insulates developers from liability.

The Steptoe analysis of smart contract liability recommends that developers implement formal testing procedures, obtain security audits from reputable firms, establish bug bounty programs, and maintain clear documentation of known risks.

These practices mirror the duty of care expected from traditional financial service providers - suggesting that even without explicit regulation, common law is evolving to treat protocol developers as having ongoing responsibility to users.

For DAOs, the liability question becomes more complex. If a DAO votes to implement an upgrade that contains a bug, are the token holders liable? Is the core development team liable for proposing it? What about the security auditor who reviewed the code?

Recent cases suggest courts will pierce the "decentralized" structure and assign liability to identifiable individuals who had meaningful control over the decision.

This creates significant risk for anyone participating in DeFi governance:

  • Voting on protocol upgrades could create personal liability if those upgrades cause losses
  • Serving as a multi-sig signer could make you a fiduciary with duty of care to users
  • Contributing to a protocol as a developer might establish ongoing responsibility for its security

The legal framework is still forming, but the direction is clear: claiming you're just code or just governance won't shield you from liability when users lose funds.

3. Circuit Breakers: Mandatory Admin Keys and Emergency Pause Functions

The crypto industry initially celebrated immutability. "Code is law" meant no one could freeze your funds, no government could seize them, and no institution could restrict your access.

That principle is being systematically dismantled by security requirements and regulatory mandates.

ERC-7265, a proposed standard for DeFi circuit breakers, would require protocols to implement emergency pause functions that can halt contract execution in case of exploits. Real-time monitoring systems would detect anomalous behavior - large unexpected withdrawals, unusual trading patterns, or smart contract calls that match known attack vectors - and automatically trigger the pause mechanism.

For users, this means "your crypto" can be frozen by automated systems responding to threat detection algorithms.

For institutions, it means custody in DeFi protocols is explicitly conditional: your funds are accessible unless the protocol determines otherwise.
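The trip-and-freeze behaviour described above, as an added Python example that is not code from ERC-7265 or from any protocol named in this brief. The `Vault` class, its parameters, the `guardian` address and the sample events are assumptions constructed for illustration; deposits are left out so the window-start baseline stays simple.

```python
from collections import deque
from dataclasses import dataclass, field


class Paused(Exception):
    """Raised when a withdrawal is refused because the breaker has tripped."""


@dataclass
class Vault:
    """Hypothetical vault guarded by a rolling-window outflow limit."""
    liquidity: int                # tokens currently held
    guardian: str                 # the only address allowed to resume: the control point
    window: int = 3600            # seconds of history the limit looks at
    max_outflow_bps: int = 2000   # trip if more than 20% of window-start liquidity leaves
    paused: bool = False
    _outflows: deque = field(default_factory=deque, repr=False)  # (timestamp, amount)

    def _window_outflow(self, now: int) -> int:
        # Drop entries older than the window, then sum what is left.
        while self._outflows and self._outflows[0][0] <= now - self.window:
            self._outflows.popleft()
        return sum(amount for _, amount in self._outflows)

    def withdraw(self, user: str, amount: int, now: int) -> int:
        if self.paused:
            raise Paused(f"{user}: vault paused, only {self.guardian} can resume")
        if amount <= 0 or amount > self.liquidity:
            raise ValueError("invalid amount")
        recent = self._window_outflow(now)
        baseline = self.liquidity + recent       # liquidity at the start of the window
        if (recent + amount) * 10_000 > baseline * self.max_outflow_bps:
            self.paused = True                   # this call and every later one fail
            raise Paused(f"{user}: outflow limit hit, vault paused")
        self.liquidity -= amount
        self._outflows.append((now, amount))
        return self.liquidity

    def unpause(self, caller: str) -> None:
        if caller != self.guardian:
            raise PermissionError("only the guardian can unpause")
        self.paused = False
        self._outflows.clear()


def replay(vault, events):
    """Apply (time, user, amount) withdrawals and record 'ok' or 'paused' for each."""
    results = []
    for now, user, amount in events:
        try:
            vault.withdraw(user, amount, now)
            results.append("ok")
        except Paused:
            results.append("paused")
    return results


# Constructed sample: three large withdrawals in two minutes, then an unrelated user.
SAMPLE = [
    (0, "0xdrainer", 100_000), (60, "0xdrainer", 90_000),
    (120, "0xdrainer", 50_000), (180, "0xalice", 10),
]
```

Replaying `SAMPLE` against a vault holding 1,000,000 tokens trips the breaker on the third withdrawal, and the unrelated user's 10-token withdrawal is refused until the guardian calls `unpause`.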

Regulatory frameworks are moving toward mandatory circuit breakers. The Financial Stability Board's recommendations on DeFi regulation include requirements for "kill switches" and emergency intervention capabilities.

The rationale is financial stability - preventing a single exploit from cascading through interconnected protocols and creating systemic risk.

But mandatory admin keys fundamentally contradict the decentralization and trustlessness that define crypto's value proposition. If every protocol must have an emergency pause function, every protocol must have someone who controls that function. That someone becomes the real custodian, regardless of what the marketing materials claim.

The Chainlink documentation on circuit breakers explicitly acknowledges this trade-off: security requires centralized intervention capabilities, which means trust isn't eliminated - just relocated to whoever controls the circuit breaker.

For institutions evaluating custody risk, the question becomes: who controls the pause function, how is it governed, and what prevents abuse?

Some protocols are implementing time-locked admin keys with mandatory delay periods, requiring governance votes before any emergency action. Others use multi-sig arrangements with external security firms as key holders. A few are experimenting with algorithmic circuit breakers that trigger based on predefined conditions without human intervention.

None of these solutions eliminate the core problem: programmable custody requires trust in the people who programmed it. And once you acknowledge that trust requirement, you're back to evaluating counterparty risk - just with worse information and less recourse than traditional custody provides.

Speculation - When Code Can Be Upgraded, Paused, or Migrated - How Decentralized Is Custody Really?

The ideological promise of cryptocurrency is custody without trust. The practical reality in 2025 is custody with trust redistributed across protocol developers, governance participants, and infrastructure providers - none of whom are regulated as custodians, most of whom disclaim liability, and few of whom can be effectively sued when things go wrong.

This is programmable custody: ownership mediated by software that can be modified by people you've never met, using processes you don't control, governed by tokens you may not hold, subject to decisions you won't learn about until after they're implemented.

You have your keys, but custody is everywhere and nowhere - fragmented across a technical stack that no single party fully controls and no regulator fully oversees.

For professional asset managers, this creates untenable risk:

The Paxos incident demonstrated what institutional treasurers already suspected: self-custody in a smart contract world is an illusion. You can hold your private keys, control your wallet, and store your seed phrase in a secure vault - but if the protocol can mint, burn, pause, or upgrade your tokens, custody sits with whoever controls those functions, not with whoever holds the keys.

This isn't an argument against blockchain technology or digital assets. It's an argument for intellectual honesty about custody models.

Programmable custody through smart contracts is not the same as self-custody through private keys. It's a different risk profile, with different control points, requiring different evaluation frameworks.

"The real risk isn't that code will fail - it's that when code works exactly as designed, you'll realize you never understood who programmed the rules."

Implication - What Happens if We Get This Wrong

We don't yet know whether courts will treat smart contract interactions as contractual relationships that create enforceable obligations, or as purely technical transactions where users assume all risk.

We don't know if protocol developers who deploy and maintain code will be classified as fiduciaries, service providers, or something entirely new under law.

We don't know whether DAOs will be recognized as legal entities with liability, or treated as unincorporated associations where participants bear individual responsibility.

We don't know if cross-chain custody will be governed by the jurisdiction where the original asset is locked, where the wrapped token is issued, or where the bridge validators are located.

We don't know whether emergency pause functions will become mandatory across all DeFi protocols, or if some will be allowed to remain truly immutable.

We don't know if institutions will ultimately trust programmable custody enough to deploy significant capital, or if they'll demand traditional custodian intermediaries regardless of the underlying technology.

These uncertainties matter because they define risk that can't yet be priced or managed through traditional frameworks. Institutional treasurers, compliance officers, and wealth advisors operating in this environment are making custody decisions with incomplete information about legal ownership, regulatory requirements, and liability exposure.

What we do know is this: "your keys, your crypto" is no longer an adequate framework for understanding custody in a world where smart contracts mediate ownership.

The code that holds assets is written by someone, controlled by someone, and can be changed by someone. Those someones are the real custodians - whether they acknowledge it or not, whether regulators have classified them yet or not, and whether institutions recognize the risk or not.

The regulatory response currently taking shape will force this honesty. Licensing requirements, liability assignments, and mandatory circuit breakers all acknowledge that programmable custody involves intermediaries - just unconventional ones.

The next phase of crypto regulation won't eliminate smart contract custody, but it will assign responsibility for it to identifiable legal entities that can be held accountable when the code fails.

Call-Forward - What We'll Explore Next

The next MCMS issue will examine "The GENIUS Act Stablecoin Reshuffle" - three months after the law became effective, which issuers made the cut, which got shut out, and what this means for the $300 billion stablecoin market.

Because custody isn't just a technical problem. It's a licensing problem, a compliance problem, and a "who gets to issue dollar-backed tokens" problem. And the answer to that last question will reshape who controls programmable money in the regulated era.


MCMS Brief • Classification: Public • Sector: Digital Assets • Region: Global

References

  1. Latham & Watkins - The GENIUS Act of 2025: Stablecoin Legislation Adopted in the US (July 1, 2025)
  2. Paul Hastings - The GENIUS Act: A Comprehensive Guide to US Stablecoin Regulation (January 1, 2025)
  3. UK Financial Conduct Authority - CP25-14: Regulating the Custody of Cryptoassets (May 28, 2025)
  4. Central Bank of Ireland - Markets in Crypto-Assets Regulation (MiCAR) (January 1, 2024)
  5. Basel Committee on Banking Supervision - Prudential Treatment of Cryptoasset Exposures (July 1, 2024)
  6. UNIDROIT - UNIDROIT Principles on Digital Assets and Private Law (May 1, 2023)
  7. OpenZeppelin - Upgrading Smart Contracts (January 1, 2025)
  8. OpenZeppelin - Proxy Upgrade Pattern (January 1, 2025)
  9. Aave - Aave Protocol Governance Documentation (January 1, 2025)
  10. Financial Stability Board - The Financial Stability Risks of Decentralised Finance (February 1, 2023)
  11. Bank for International Settlements - DeFi Beyond the Hype (January 1, 2022)
  12. ISDA - Legal Aspects of Smart Contract Applications (January 1, 2020)
  13. MIT - Decentralized Finance: On Blockchain- and Smart Contract-Based Financial Markets (January 1, 2021)
  14. UK Law Commission - Property (Digital Assets etc) Bill (January 1, 2025)
  15. Ethereum Improvement Proposals - ERC-7265: Circuit Breaker Token Standard (January 1, 2023)
  16. World Bank - Regulatory Implications of Integrating Digital Assets (January 1, 2020)
  17. Skadden - Bank Capital Standards for Cryptoassets (August 1, 2024)
  18. OKX - PYUSD on Stellar: Global Payments Use Case (January 1, 2025)
  19. Global Legal Insights - Blockchain and Cryptocurrency Laws and Regulations USA (January 1, 2025)
  20. ISSA - Custody in a Digital World (October 1, 2023)

SOURCE FILES

Source Files expand the factual layer beneath each MCMS Brief — the verified data, primary reports, and legal records that make the story real.

Regulatory Frameworks for Digital Asset Custody

The GENIUS Act, signed into law on July 18, 2025, establishes the first comprehensive federal framework for stablecoin custody in the United States, requiring issuers to obtain either a federal license or state trust charter, maintain one-to-one reserves, and submit to regular audits. The law treats stablecoin issuers as custodians - not technology companies publishing code - creating legal responsibility for entities that control user funds through smart contracts. The UK's Financial Conduct Authority published consultation paper CP25/14 in May 2025, proposing a licensing regime for cryptoasset custody that would apply to any entity providing 'safeguarding and administration of cryptoassets belonging to another person.' The definition explicitly includes smart contract deployers who retain admin keys or upgrade capabilities, meaning anyone who deploys a custody-related smart contract in the UK would need FCA authorization by 2026. The EU's Markets in Crypto-Assets Regulation (MiCAR) became fully operational on December 31, 2024, requiring crypto asset service providers to segregate client assets, maintain minimum capital, and implement robust custody procedures. MiCAR's functional approach means protocol developers who control user funds through admin keys or governance mechanisms could be classified as service providers subject to authorization requirements. These regulations share a common principle: if you control user assets through code, you're a custodian under financial regulation - regardless of technical implementation.

Smart Contract Custody Mechanisms and Upgradeable Patterns

OpenZeppelin, the industry standard for smart contract development libraries, explicitly documents proxy patterns as best practice for production systems. Most institutional-grade smart contracts use upgradeable proxy patterns where users interact with a proxy contract that delegates logic to an implementation contract. If the implementation has a bug or needs new features, the proxy can point to a new version - effectively rewriting the rules while maintaining the same address and user balances. When a smart contract is upgradeable, whoever controls the upgrade mechanism has custody in the truest sense: they can change the rules of ownership. That control typically sits with a multi-sig wallet held by the protocol team, a DAO governance process, or a designated admin address. This means tokens in an upgradeable contract exist under conditions that can change without explicit user approval. The Paxos PYUSD incident on October 29, 2025, demonstrated this explicitly. Paxos operates as a regulated trust company with NYDFS oversight, yet the stablecoin's smart contract included administrative functions that allowed the company to mint and burn tokens without user approval. When the erroneous $300 trillion mint occurred, Paxos didn't need permission from PYUSD holders to reverse it - the code gave them unilateral authority. This isn't unique to Paxos; every major stablecoin includes blacklist functions that let issuers freeze tokens in specific wallets for sanctions compliance.
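To see who holds the upgrade mechanism for a given proxy, the check below reads the two storage slots defined by EIP-1967 and follows one `owner()` hop from the admin. It is an added example, not OpenZeppelin's or any issuer's code; it assumes the proxy follows EIP-1967 (a standard this brief does not name), and `FakeNode`, the addresses and the storage contents are constructed stand-ins for a real node's `eth_getStorageAt`, `eth_getCode` and `eth_call`.

```python
# EIP-1967 storage slots (standard constants; assumed to apply to the proxy audited).
IMPL_SLOT = 0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc
ADMIN_SLOT = 0xb53127684a568b3173ae13b9f8a6016e243e63b6e8ee1178d6a717850b5d6103
OWNER_SELECTOR = "0x8da5cb5b"   # owner(), as exposed by Ownable-style admin contracts
ZERO = "0x" + "00" * 20


def word_to_address(word: str) -> str:
    """An address occupies the low 20 bytes of a 32-byte word."""
    raw = bytes.fromhex(word[2:].rjust(64, "0"))
    return "0x" + raw[-20:].hex()


def pad(addr: str) -> str:
    """Left-pad a 20-byte address to a 32-byte word, as a node would return it."""
    return "0x" + "00" * 12 + addr[2:]


class FakeNode:
    """Offline stand-in for a JSON-RPC node, backed by constructed data."""
    def __init__(self, storage, code, calls):
        self.storage, self.code, self.calls = storage, code, calls
    def get_storage_at(self, addr, slot):
        return self.storage.get((addr, slot), "0x" + "00" * 32)
    def get_code(self, addr):
        return self.code.get(addr, "0x")      # "0x" means no code: a plain key pair
    def call(self, addr, data):
        return self.calls.get((addr, data), "0x")


def audit_proxy(node, proxy):
    """Report who can change the logic behind `proxy`, following one owner() hop."""
    impl = word_to_address(node.get_storage_at(proxy, IMPL_SLOT))
    admin = word_to_address(node.get_storage_at(proxy, ADMIN_SLOT))
    report = {"implementation": impl, "admin": admin, "controller": None}
    if impl == ZERO:
        report["finding"] = "no EIP-1967 implementation slot set: not a proxy of this kind"
    elif admin == ZERO:
        report["finding"] = "admin slot empty: upgrade authority, if any, is in the implementation"
    elif node.get_code(admin) == "0x":
        report["controller"] = admin
        report["finding"] = "admin is an externally owned account: one key can swap the logic"
    else:
        owner_word = node.call(admin, OWNER_SELECTOR)
        if owner_word == "0x":
            report["finding"] = "admin is a contract without owner(): review it manually"
        else:
            owner = word_to_address(owner_word)
            report["controller"] = owner
            is_key = node.get_code(owner) == "0x"
            kind = "single key" if is_key else "contract (multi-sig, timelock or governor)"
            report["finding"] = f"admin contract owned by a {kind}"
    return report


# Constructed sample: proxy -> admin contract -> owner with no code (a lone key).
PROXY, IMPL, PROXY_ADMIN, TEAM_KEY = ("0x" + c * 20 for c in ("a1", "b2", "c3", "d4"))
SAMPLE_NODE = FakeNode(
    storage={(PROXY, IMPL_SLOT): pad(IMPL), (PROXY, ADMIN_SLOT): pad(PROXY_ADMIN)},
    code={PROXY: "0x60", IMPL: "0x60", PROXY_ADMIN: "0x60"},
    calls={(PROXY_ADMIN, OWNER_SELECTOR): pad(TEAM_KEY)},
)
```

For the constructed sample, `audit_proxy(SAMPLE_NODE, PROXY)` names `TEAM_KEY` as the controller: an admin contract sits between the proxy and the key, but a single key still decides which logic the proxy runs.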

DeFi Systemic Risks and International Standards

The Financial Stability Board's February 2023 report on DeFi identifies concentration risk as a critical vulnerability: despite marketing as 'decentralized,' most protocols have identifiable control points where developers, governance token holders, or multi-sig signers can restrict user access to funds. The FSB notes that decentralization 'relocates rather than eliminates intermediaries,' creating new forms of counterparty risk without the regulatory oversight or liability frameworks that govern traditional custodians. The Bank for International Settlements' analysis concludes that DeFi protocols with admin keys or upgrade capabilities function as financial intermediaries regardless of their technical architecture. The BIS explicitly states that custody in smart contracts requires trust in 'the developers who wrote that cryptography,' contradicting the industry narrative of trustless finance. The Basel Committee's July 2024 standards for prudential treatment of cryptoasset exposures require banks to apply 1250% risk weighting to unbacked crypto assets, effectively treating them as highly risky. For institutions, this regulatory stance reflects official acknowledgment that programmable custody involves intermediaries with uncertain liability - creating untenable risk for professional asset managers who must understand custody arrangements and liability in case of loss.

Legal Frameworks for Digital Property and Smart Contract Liability

UNIDROIT's Principles on Digital Assets and Private Law, adopted in May 2023 by 27 member states plus the EU, establish foundational legal concepts for digital asset ownership. The principles recognize that control of cryptographic keys constitutes a form of possession, but they explicitly acknowledge that smart contracts can fragment custody across multiple parties with different degrees of control - requiring new legal frameworks to assign liability when code fails. The UK Law Commission's Property (Digital Assets etc) Bill, published in 2025, proposes treating digital assets as a distinct third category of property alongside tangible and intangible property. The bill addresses the gap between cryptographic control and legal ownership, recognizing that possession of private keys doesn't necessarily equal full ownership rights when smart contracts mediate access. MIT research on blockchain-based financial markets identifies the fundamental tension: cryptocurrency promised to collapse the distinction between custody and control through cryptographic possession, but smart contracts re-introduced intermediation through code. Academic analysis concludes that 'your keys, your crypto' works only for base-layer blockchain assets - once assets move into smart contracts for DeFi, custody becomes conditional on protocol rules that can be modified by developers, creating legal uncertainty about who bears responsibility when systems fail.

KEY SOURCE INDEX

  • GENIUS Act (via Latham & Watkins): US federal stablecoin legislation (July 18, 2025) requiring custody licensing, 1:1 reserves, and treating issuers as regulated custodians - establishing legal framework for smart contract custody
  • UK FCA CP25/14: May 2025 consultation proposing custody licensing for any entity providing 'safeguarding and administration of cryptoassets' - explicitly includes smart contract deployers with admin keys
  • EU MiCAR: Markets in Crypto-Assets Regulation operational December 31, 2024 - requires asset segregation, minimum capital, custody procedures; functional approach classifies protocol developers as service providers
  • Basel Committee Standards: July 2024 prudential treatment requiring 1250% risk weighting for unbacked crypto - reflects regulatory view that programmable custody creates high counterparty risk
  • UNIDROIT Digital Assets Principles: International legal framework (27 member states + EU, May 2023) recognizing that control of keys = possession, but smart contracts fragment custody across parties with different control degrees
  • OpenZeppelin (Upgrade Patterns): Industry standard smart contract library documenting proxy patterns as best practice - technical foundation for upgradeable contracts where developers can modify custody rules post-deployment
  • Financial Stability Board: February 2023 report identifying DeFi as 'relocating rather than eliminating intermediaries' - decentralization claim masks concentration of control in protocol developers and governance token holders
  • Bank for International Settlements: Central bank coordination body concluding DeFi with admin keys functions as financial intermediary regardless of technical architecture; custody requires trust in code developers
  • MIT DeFi Research: Academic analysis concluding smart contracts re-introduced intermediation through code; 'your keys, your crypto' applies only to base-layer assets, not DeFi protocols with conditional access
