A hybrid custody model splits asset control between on-chain program logic and off-chain authorization. The typical architecture involves a multi-signature wallet or a multi-party computation (MPC) system for off-chain key management, which then authorizes transactions to an on-chain smart contract vault, like a Safe{Wallet} or a custom Vault.sol. This separation allows for complex off-chain policy enforcement—such as transaction approval workflows, rate limits, and fraud detection—before any on-chain action is executed. The on-chain contract acts as the immutable, transparent custodian of the assets.
LABS
Guides
How to Design a Hybrid Custody Model (On-Chain/Off-Chain)
This guide details the technical architecture for hybrid custody systems that split control between on-chain smart contracts and off-chain legal or technical processes.
Chainscore © 2026
introduction
ARCHITECTURE GUIDE
How to Design a Hybrid Custody Model
A hybrid custody model combines on-chain smart contracts with off-chain key management to balance security, user experience, and operational control. This guide outlines the core components and design patterns for building one.
Designing the model starts with defining the signing scheme. For enterprise use, a threshold (m-of-n) scheme is common, where m out of n authorized parties must sign. This can be implemented off-chain with libraries like TSS (Threshold Signature Scheme) from Chainlink or MPC providers, or on-chain using Safe's GnosisSafe contract. The choice impacts latency and cost: off-chain TSS is faster and gas-efficient, while on-chain multi-sig provides maximum transparency at the expense of gas fees for each approval.
The next component is the policy engine, which resides off-chain. This service evaluates transaction requests against business rules: checking amounts against daily limits, verifying destination addresses against allowlists, or requiring time delays for large transfers. Only requests that pass these policies are signed and forwarded to the on-chain vault. For example, a policy could mandate a 24-hour delay for any transfer over 10 ETH, implemented by queuing the transaction in an off-chain service.
Integration between off-chain and on-chain layers is critical. The off-chain signer typically interacts with the vault via a relayer that submits the signed transaction, paying gas fees so the end-user doesn't need native tokens. The on-chain contract must include access control—using modifiers like onlySigner—to ensure only the authorized off-chain signer address can execute sensitive functions. A well-designed contract will also emit clear events for all state changes to facilitate monitoring and auditing.
Consider recovery and inheritance scenarios from the start. A hybrid model should include a secure, time-delayed process for rotating signers or recovering assets if keys are lost. This often involves a separate set of guardian addresses or a social recovery module that can initiate a change to the signing threshold after a security period. These mechanisms should be codified in the smart contract to prevent unilateral changes and ensure user assets are never permanently locked.
Finally, audit and test the entire system. Use tools like Foundry or Hardhat to simulate attacks on the vault contract. Conduct thorough integration testing of the off-chain signer and policy engine. Real-world deployments, such as Coinbase's cbETH staking infrastructure or BitGo's institutional custody, demonstrate that a robust hybrid model significantly reduces single points of failure while maintaining the programmability of DeFi.
prerequisites
PREREQUISITES
How to Design a Hybrid Custody Model (On-Chain/Off-Chain)
This guide outlines the core concepts and technical considerations required to design a secure hybrid custody system that balances self-sovereignty with user experience.
A hybrid custody model combines on-chain programmable logic with off-chain private key management to create flexible and secure asset control. The primary goal is to mitigate single points of failure. Instead of relying solely on a user's single private key (self-custody) or a centralized custodian's database (off-chain custody), a hybrid system splits authority. Common patterns include using a multi-signature wallet where one key is held by the user and another is managed by a service, or implementing social recovery where a user's assets can be reclaimed via a pre-defined group of guardians. This approach is foundational for account abstraction wallets and institutional asset management.
Before designing your model, you must define the security thresholds and user journey. What actions require multi-party approval? A simple transfer might only need the user's on-device key, while moving a large sum or changing recovery settings could require 2-of-3 signatures. You must also map the recovery process: if a user loses their device, how do they regain access through the off-chain component? These decisions directly inform your technical architecture, determining whether you'll use smart contract account standards like ERC-4337 for Ethereum, or a custom multi-signature implementation on other chains like Solana or Cosmos.
The technical stack involves both smart contract development and secure off-chain infrastructure. On-chain, you'll write and audit the custody logic. For Ethereum, this could be a Smart Contract Wallet implementing the ERC-4337 standard, defining rules for signature validation and transaction bundling. Off-chain, you need a highly available, secure service for key management. This often involves Hardware Security Modules (HSMs) or Trusted Execution Environments (TEEs) like Intel SGX to generate, store, and sign with the service's share of the keys. This service must expose a well-defined API (e.g., REST or gRPC) for the user's client to request partial signatures.
A critical prerequisite is understanding the signature schemes that enable collaboration between on- and off-chain components. Simple ECDSA signatures from different parties can be aggregated off-chain before submitting a single transaction. More advanced designs use threshold signature schemes (TSS), where a single signature is collaboratively generated without any party ever holding the complete private key, improving privacy and reducing on-chain gas costs. Alternatively, you can use multi-send transactions where each party submits their signature directly to the chain, with the smart contract verifying the required threshold is met, as seen in Gnosis Safe contracts.
Finally, you must plan for key lifecycle management and auditability. How are keys generated, rotated, and revoked? How do you handle the legal and operational aspects of the off-chain custodian's role? All actions, especially those involving the off-chain service, must be logged to an immutable audit trail, potentially on-chain via events or a dedicated ledger. Thorough testing with tools like Foundry or Hardhat is essential to simulate failure scenarios, such as the off-chain service being offline or a guardian acting maliciously, ensuring the system's resilience and the safety of user funds.
key-concepts
HYBRID CUSTODY
Core Architectural Concepts
Hybrid custody models combine on-chain programmability with off-chain security, enabling flexible asset management for institutions and advanced users.
06
Designing the Signing Architecture
Map the transaction journey to define which components sign and where.
- User Initiation: Off-chain client (UI/CLI).
- Policy Check: Off-chain server (optional).
- Signature Generation: Could be MPC cluster, HSM, or a mobile device.
- Aggregation & Relay: A sequencer bundles and submits the final signed tx on-chain.
- Key Decision: Determine the signing latency and finality guarantee for your use case.
ARCHITECTURE
Custody Model Comparison
Key characteristics of on-chain, off-chain, and hybrid custody models.
| Feature | On-Chain (Smart Contract) | Off-Chain (MPC/TSS) | Hybrid Model |
|---|---|---|---|
Settlement Finality | Immediate (on-chain) | Delayed (requires on-chain broadcast) | Configurable (on-chain for critical, off-chain for routine) |
Key Management | Private key stored on-chain | Private key sharded off-chain | Multi-sig combining on-chain & off-chain keys |
Transaction Authorization | Pre-defined smart contract logic | Off-chain multi-party computation (MPC) | Multi-factor (e.g., 2/3 on-chain + 1 MPC signature) |
Gas Cost Responsibility | User/contract pays for all on-chain ops | Service provider absorbs most costs | User pays for on-chain finality; provider covers off-chain |
Upgradeability / Recovery | Requires governance or time-lock | Managed by service provider | On-chain governance can override off-chain components |
Typical Withdrawal Delay | < 1 sec (block time) | 2-24 hours (manual review) | < 5 min for small tx; 24h for large tx (policy-based) |
Regulatory Compliance (Travel Rule) | |||
Maximum Theoretical Security | Formally verifiable code | Cryptographic secret sharing | Highest (defense-in-depth across layers) |
architecture-design
SYSTEM ARCHITECTURE DESIGN
How to Design a Hybrid Custody Model (On-Chain/Off-Chain)
A hybrid custody model combines the security of self-custody with the convenience of managed services, balancing user control with operational efficiency. This guide outlines the core architectural patterns and implementation considerations.
A hybrid custody model splits control of digital assets between on-chain smart contracts and off-chain, institutionally managed systems. The primary goal is to mitigate single points of failure. Common patterns include multi-signature schemes where a user holds one key and a service provider holds another, or time-locked withdrawals that require an on-chain delay before funds move, allowing an off-chain guardian to intervene. This architecture is foundational for wallet-as-a-service providers, institutional trading desks, and DAO treasuries, enabling features like transaction batching, fraud monitoring, and key recovery without granting unilateral access to any single party.
Designing the on-chain component requires selecting the appropriate smart contract primitive. For Ethereum and EVM chains, consider Safe (formerly Gnosis Safe) for robust multi-signature functionality or building custom contracts using libraries like OpenZeppelin's AccessControl. The contract must clearly define roles (e.g., USER, GUARDIAN, ADMIN) and the rules for executing transactions. A critical pattern is the social recovery module, where a user's primary wallet is a smart contract wallet; if the user loses their key, a predefined set of off-chain guardians can collectively initiate a recovery process on-chain after a security delay.
The off-chain component acts as the operational layer. It typically includes a key management service (KMS) like HashiCorp Vault or AWS KMS for secure key storage, a transaction orchestrator that constructs, signs, and submits batches of user transactions, and a policy engine that enforces rules (e.g., daily withdrawal limits, allowed destination addresses). This service must expose a secure API (using techniques like request signing and nonce replay protection) for user clients to submit transaction intents. All off-chain signing should occur in hardware security modules (HSMs) or secure enclaves to protect private keys.
Security is paramount. The architecture must be resilient to both on-chain exploits (e.g., reentrancy attacks on the smart contract) and off-chain breaches (e.g., compromise of the service provider's backend). Implement circuit breakers that can freeze contract functionality via a decentralized governance vote or a guardian council. Use multi-party computation (MPC) or threshold signature schemes (TSS) to eliminate single points of key storage, distributing signing power across multiple nodes. Regularly audit both smart contracts and off-chain infrastructure, and establish a clear incident response plan for key compromise or service failure.
A practical example is a hybrid custody DEX trading interface. A user deposits funds into a dedicated smart contract vault. To trade, they sign an off-chain order message. The service provider's off-chain matching engine aggregates orders and submits a batch settlement transaction to the chain. This batch must be co-signed by the user's key (via a meta-transaction) and the service's guardian key. This design reduces gas costs for users and enables advanced order types while ensuring users retain veto power over final settlement and can withdraw assets independently at any time.
ARCHITECTURE
Implementation Patterns by Use Case
Multi-Signature Vaults with Time Locks
Institutional funds require high security and governance controls. A common pattern combines an on-chain multi-signature vault (like a Gnosis Safe) with off-chain policy engines.
Key Components:
- On-Chain: A 3-of-5 Gnosis Safe on Ethereum or Arbitrum holds assets. Critical actions (large transfers, contract upgrades) require a 24-hour timelock.
- Off-Chain: A policy server (e.g., using OpenZeppelin Defender) validates transactions against compliance rules (sanctions lists, withdrawal limits) before signatures are collected.
- Workflow: An off-chain treasurer initiates a transaction in the Safe UI. The Defender Sentinel monitors the pending transaction, runs compliance checks, and only notifies other signers if it passes. The timelock provides a final safety net.
This model balances security (no single point of failure) with the operational need for automated compliance screening before funds move.
smart-contract-implementation
SMART CONTRACT IMPLEMENTATION
How to Design a Hybrid Custody Model (On-Chain/Off-Chain)
A hybrid custody model combines the security of on-chain smart contracts with the flexibility of off-chain systems, enabling applications like secure multi-party computation, institutional DeFi, and compliant asset management.
A hybrid custody model splits control of assets or data between on-chain smart contracts and off-chain systems (like a secure server or trusted execution environment). The core principle is that no single entity has full control, requiring cooperation between the on-chain logic and an off-chain signing service or oracle. This architecture is essential for applications requiring complex business logic, regulatory compliance, or privacy that cannot be executed efficiently or publicly on-chain. For example, a decentralized exchange might hold user funds in an on-chain vault but rely on an off-chain matching engine for order routing.
The typical design involves a primary custody smart contract that holds assets. This contract's critical functions, like transferring funds, are protected by a multi-signature scheme where one signature comes from the user (on-chain) and another from an authorized off-chain service. The off-chain component acts as a co-signer, only providing its signature after validating a request against its own rules, such as KYC checks, transaction limits, or fraud detection algorithms. This separation ensures the on-chain contract remains trust-minimized and verifiable, while the off-chain service enables functionality impossible in a purely decentralized context.
Implementing this requires careful smart contract design. A common pattern is a HybridWallet contract with a executeTransaction function. This function expects a user's ECDSA signature and a signature from a pre-defined off-chain guardian address. The contract verifies both signatures against the transaction data before execution. The off-chain guardian is typically a server running secure signing software, which signs only requests that pass its internal validation. This setup prevents the off-chain service from acting unilaterally, as the user's signature is always required, creating a 2-of-2 multisig dynamic between the user and the service.
Here is a simplified Solidity example of the signature verification logic in the custody contract:
solidityfunction executeTransaction( address to, uint256 value, bytes calldata data, bytes calldata userSig, bytes calldata guardianSig ) external { bytes32 txHash = keccak256(abi.encodePacked(to, value, data, block.chainid)); address userRecovered = ECDSA.recover(txHash, userSig); address guardianRecovered = ECDSA.recover(txHash, guardianSig); require(userRecovered == msg.sender, "Invalid user signature"); require(guardianRecovered == guardianAddress, "Invalid guardian signature"); (bool success, ) = to.call{value: value}(data); require(success, "Call failed"); }
The contract hashes the transaction details with the chainid to prevent replay attacks across networks.
Key security considerations for the off-chain component include using hardware security modules (HSMs) for key storage, implementing robust authentication for API access, and ensuring high availability. The system must also have a clear recovery or escalation mechanism in case the off-chain service fails, which could involve timelocks allowing users to withdraw assets after a delay without the guardian's signature. Auditing both the smart contract and the off-chain service's security model is critical, as the overall system's security is only as strong as its weakest link.
Use cases for hybrid custody are expanding. In institutional DeFi, it allows funds to be deployed in on-chain protocols while maintaining internal compliance controls. For NFT gaming, it can enable fast, gas-free off-chain interactions that settle periodically on-chain. Projects like Safe{Wallet} with its Modules and Coinbase's cbETH staking model employ variations of this pattern. The model represents a pragmatic evolution in blockchain design, balancing decentralization with real-world operational requirements.
off-chain-guardian-service
ARCHITECTURE GUIDE
How to Design a Hybrid Custody Model (On-Chain/Off-Chain)
A hybrid custody model combines the security of self-custody with the convenience of off-chain services. This guide explains how to architect a system where on-chain smart contracts hold assets, while an off-chain guardian service manages transaction approvals.
A hybrid custody model splits responsibility between an on-chain vault contract and an off-chain guardian service. The vault, a non-custodial smart contract (e.g., a Safe{Wallet} or custom Solidity contract), is the ultimate owner of user assets. It cannot initiate transactions on its own. The guardian service is an off-chain application that monitors the blockchain, validates user requests against security policies, and submits signed approvals to the vault. This separation ensures that private keys for the vault's transaction signing are never exposed to the internet, while users benefit from streamlined transaction management.
The core security mechanism is a multi-signature or policy-based approval process encoded in the vault contract. For example, a contract might require 2-of-3 signatures, where one signature is from the user's wallet (on-chain) and another is a signature from the guardian service's authorized key. The guardian's logic evaluates requests—like a token transfer—against rules such as daily limits, allowed destination addresses, or time-locks. Only if the request passes these checks does the service sign and broadcast the transaction. This design prevents a compromised guardian from draining funds unilaterally.
Implementing the guardian service requires a robust backend with key components: an event listener (using providers like Alchemy or QuickNode) to watch for user intents from the vault, a policy engine to validate requests against predefined rules (e.g., "max 1 ETH per day"), and a secure signer (often an HSM or cloud KMS like AWS KMS or GCP Cloud HSM) to hold the approval private key. The service should expose a secure API for users to initiate requests and provide a clear dashboard showing pending and executed transactions.
Here is a simplified code example for a basic vault contract requiring guardian approval. The contract stores the guardian's public address and only executes a transfer if the provided signature is valid.
solidity// SPDX-License-Identifier: MIT pragma solidity ^0.8.19; contract HybridVault { address public guardian; mapping(address => uint256) public balances; constructor(address _guardian) { guardian = _guardian; } function transferWithGuardian( address to, uint256 amount, bytes memory signature ) external { bytes32 messageHash = keccak256(abi.encodePacked(to, amount)); bytes32 ethSignedMessageHash = keccak256(abi.encodePacked("\x19Ethereum Signed Message:\n32", messageHash)); require(recoverSigner(ethSignedMessageHash, signature) == guardian, "Invalid guardian signature"); require(balances[msg.sender] >= amount, "Insufficient balance"); balances[msg.sender] -= amount; balances[to] += amount; } function recoverSigner(bytes32 _ethSignedMessageHash, bytes memory _signature) internal pure returns (address) { (uint8 v, bytes32 r, bytes32 s) = splitSignature(_signature); return ecrecover(_ethSignedMessageHash, v, r, s); } // ... splitSignature function }
In this pattern, the off-chain service signs the intent (to, amount) and the user submits the transaction with that signature.
Key design considerations include latency tolerance (off-chain checks add delay), failure modes (planning for guardian downtime with emergency recovery mechanisms), and cost optimization (batching transactions to save gas). Successful implementations, like Safe{Wallet} with Transaction Guard or Argent's social recovery, demonstrate this pattern's viability. Always audit both the smart contract logic and the guardian service's security, as the attack surface spans both layers. The goal is a seamless user experience that does not compromise on the self-custodial security guarantee.
COMPARISON
Security and Operational Risk Matrix
Risk assessment for different custody components in a hybrid model.
| Risk Dimension | Hot Wallet (On-Chain) | Multi-Sig (On-Chain) | MPC/TSS (On-Chain) | Institutional Custodian (Off-Chain) |
|---|---|---|---|---|
Private Key Storage | Single device | Distributed signers | Distributed key shares | Hardware Security Module (HSM) |
Transaction Signing Speed | < 1 sec | Minutes to hours | < 5 sec | Minutes to days |
Slashing/Settlement Risk | High | Medium | Low | Very Low |
Smart Contract Risk | High (wallet) | High (multi-sig logic) | Medium (TSS library) | None |
Regulatory Compliance | None | Partial (governance) | Partial (auditability) | Full (SOC 2, etc.) |
Operational Overhead | Low | High | Medium | Very High |
Capital Efficiency | High | Medium | High | Low |
Recovery Process | Seed phrase only | M-of-N signer consensus | Key share refresh | Legal/contractual process |
HYBRID CUSTODY
Frequently Asked Questions
Common technical questions about designing and implementing hybrid custody models that split control between on-chain smart contracts and off-chain infrastructure.
A hybrid custody model typically uses a multi-signature (multisig) wallet or a threshold signature scheme (TSS) as its core. The private key or signing authority is split into shares. A subset of these shares is held by an on-chain smart contract (e.g., governed by a DAO or timelock), while the remaining shares are managed by off-chain key management services (KMS) or trusted hardware. For a transaction to be authorized, signatures from both the on-chain and off-chain components are required. This creates a security vs. convenience continuum, where critical actions (like upgrading the contract or moving large sums) require on-chain consensus, while routine operations can be approved off-chain for speed and lower gas costs.
resource-links
HYBRID CUSTODY DESIGN
Resources and Tools
Practical tools and reference architectures for designing hybrid custody systems that split control across on-chain smart contracts and off-chain key management. These resources focus on production security, operational controls, and regulatory alignment.
05
Threat Modeling and Operational Playbooks
Hybrid custody is not only a technical problem. It requires documented operational processes that define how keys, signers, and smart contracts are used under normal and adversarial conditions.
Core elements:
- Threat models covering insider risk, signer compromise, and smart contract bugs
- Incident response playbooks for key loss or unauthorized signing
- Regular access reviews and signer rotation schedules
Best practices:
- Assume one signer will fail or be compromised
- Design on-chain contracts with pause or escape hatches
- Rehearse recovery scenarios using testnets
Teams that skip operational planning often discover that their hybrid custody system fails during real incidents, even if the cryptography and contracts are sound.
conclusion
IMPLEMENTATION SUMMARY
Conclusion and Next Steps
This guide has outlined the core principles for designing a secure hybrid custody model. The next step is to implement and test your architecture.
A well-designed hybrid custody model leverages the strengths of both on-chain and off-chain systems. The off-chain component, typically a secure enclave or multi-party computation (MPC) network, handles private key generation, storage, and signing. The on-chain component, implemented via smart contracts, defines the authorization logic, spending limits, and governance rules. This separation ensures that the private key never exists in a single, fully-formed state on an internet-connected device, while the transparent and immutable rules on-chain provide verifiable security guarantees for users and auditors.
For implementation, start by selecting your core technologies. For the off-chain signer, evaluate options like AWS Nitro Enclaves, Intel SGX, or a decentralized MPC network from providers like Fireblocks or Qredo. For the on-chain logic, use established smart contract frameworks such as OpenZeppelin's AccessControl and custom logic for transaction validation. A basic contract structure involves a HybridWallet contract that stores a public key or address from the off-chain system and requires valid ECDSA signatures from that signer for any state-changing operation, which you can verify using ecrecover.
Thorough testing is non-negotiable. Develop a comprehensive test suite using Hardhat or Foundry that simulates various attack vectors: - Signer compromise - Network latency or downtime - Malicious transaction proposals - Upgrades to the smart contract logic. Consider implementing a time-lock or multi-sig governance for upgrading the on-chain contract parameters. Begin on a testnet like Sepolia or a local development network, using test versions of your chosen off-chain signer to validate the entire transaction flow before committing to mainnet deployment.
Your next practical steps should be: 1. Prototype the integration between your chosen off-chain signer and a simple smart contract. 2. Establish monitoring for the health of the signer service and on-chain contract events. 3. Plan for key rotation and disaster recovery, such as using a shamir's secret sharing (SSS) scheme to back up the key material securely off-chain. Document the architecture and security assumptions clearly for your team and any future auditors. The goal is to create a system that is not only secure by design but also maintainable and transparent in its operation.