Expert Day 50
桥接系统设计 #1 — 托管层 (Custody Layer)
机构托管演化(Hot/Warm/Cold/MPC/Multisig)、Fireblocks Connect架构、子账户隔离原理
2026-06-20
Phase 1 - 机构DeFi与桥接系统设计 (Day 43-56)托管层FireblocksPolicyEngine子账户设计文档
日期: 2026-06-20 方向: 机构DeFi / RWA 阶段: Phase 1 - 机构DeFi与桥接系统设计 (Day 43-56) 标签: #托管层 #Fireblocks #PolicyEngine #子账户 #设计文档
今日目标
| 类型 | 内容 |
|---|---|
| 学习 | 机构托管演化(Hot/Warm/Cold/MPC/Multisig)、Fireblocks Connect架构、子账户隔离原理 |
| 实操 | 设计一个机构托管子账户方案,含Policy Engine、Workflow、应急机制 |
| 产出 | 设计#1:托管层完整架构文档 — 含模块图、接口、序列图、TradFi对照、风险面 |
一、托管层在桥接架构中的位置
1.1 5层桥接架构回顾
┌─────────────────────────────────────────────────┐
│ Layer 5: 风控层 (Risk Layer) │
├─────────────────────────────────────────────────┤
│ Layer 4: 报表层 (Reporting Layer) │
├─────────────────────────────────────────────────┤
│ Layer 3: 清算层 (Settlement Layer) │
├─────────────────────────────────────────────────┤
│ Layer 2: 合规层 (Compliance Layer) │
├─────────────────────────────────────────────────┤
│ Layer 1: 托管层 (Custody Layer) ★ Today │
│ - Fireblocks Connect / Anchorage / BitGo │
│ - Sub-account isolation │
│ - Policy Engine │
│ - Key Management │
└─────────────────────────────────────────────────┘
1.2 托管层为什么是基础
托管层是其他4层的依赖:
- 合规层需要知道"哪个地址属于哪个机构客户" → 来自托管层
- 清算层需要"客户授权某笔交易" → 经过托管层签名
- 报表层需要"持仓余额" → 来自托管层账户
- 风控层需要"客户限额" → 由托管层Policy Engine执行
托管层的核心输出:
- 给合规层:身份信号(whose key, which jurisdiction)
- 给清算层:交易签名(who can sign what)
- 给报表层:余额快照(balance per sub-account)
- 给风控层:策略执行(reject if exceeds limit)
二、机构托管演化史
2.1 三代演化
Gen 1: Cold Storage (2013-2017)
- BitGo, Coinbase Custody, Gemini Custody
- 物理隔离的离线签名(Hardware Wallet/Air-gapped Computer)
- 适合长期持仓,不适合频繁交易
- 风险:物理盗窃、火灾、地震
Gen 2: Multi-Signature (2014-2020)
- M-of-N多签(典型2-of-3, 3-of-5)
- 私钥分布在多个地理位置
- 仍然有"多次签名"的操作摩擦
- 风险:内部串通、单点钥匙丢失
Gen 3: MPC (Multi-Party Computation) (2018-Present)
- 私钥永远不存在完整形态,每个参与方持有"share"
- 签名通过MPC协议协作完成
- Fireblocks (2018)、Copper、BitGo MPC、Anchorage
- 优势:无单点失败、签名快、审计友好
- 现状:占据机构托管80%+市场份额
2.2 MPC vs Multi-sig:为什么MPC赢了
| 维度 | Multi-Sig | MPC |
|---|---|---|
| 链上可见 | 是(多签合约) | 否(看起来像EOA) |
| Gas成本 | 高(多签verification) | 与EOA相同 |
| 隐私 | 暴露策略结构 | 完全隐藏 |
| 兼容性 | 需要合约支持 | 任何链都行 |
| 私钥状态 | 多个完整私钥 | 永不完整 |
| 性能 | 串行签名,慢 | 并行MPC,快 |
| 可扩展性 | 增加签名人需要变合约 | 协议层调整 |
关键洞察:MPC从链上看就是普通EOA,这对跨链兼容性至关重要——不需要每条链都部署多签合约。
三、Fireblocks Connect架构详解
3.1 Fireblocks在机构托管的地位
- 客户数:1800+ institutional clients (2024)
- AUM:$5T+ (2024)
- 支持的链:80+ blockchains
- 支持的Token:1500+
- DeFi protocols integrated:250+
3.2 核心架构
┌──────────────────────────────────────────────────┐
│ Customer Application │
│ (Trading App, OMS, Custom Workflow) │
└────────────────────┬─────────────────────────────┘
│ API / SDK
┌────────────────────┴─────────────────────────────┐
│ Fireblocks Web Console │
│ - User Management │
│ - Vault Management (账户层级) │
│ - Policy Editor │
│ - Audit Trail │
└────────────────────┬─────────────────────────────┘
│
┌────────────────────┴─────────────────────────────┐
│ Fireblocks Cloud Backend │
│ - Transaction Authorization Engine │
│ - Policy Engine │
│ - Workflow Engine │
│ - Compliance Checks (Travel Rule etc.) │
└────────────────────┬─────────────────────────────┘
│
┌────────────────────┴─────────────────────────────┐
│ MPC Co-signer Network │
│ - Customer's MPC nodes (2-3 nodes) │
│ - Fireblocks MPC node (1 node, infrastructure) │
│ - Signature requires N-of-N (typically 3-of-3) │
└────────────────────┬─────────────────────────────┘
│
┌────────────────────┴─────────────────────────────┐
│ Network Layer (DeFi Connect) │
│ - Curated DeFi protocol adapters │
│ - dApps via WalletConnect │
│ - Direct Smart Contract interactions │
└──────────────────────────────────────────────────┘
3.3 关键概念:Vault Account vs Sub-Account
Vault Account:客户的Top-level账户单元
- 一个机构客户通常有10-100个Vault Accounts
- 每个Vault Account有独立的MPC密钥
- 隔离性强(一个被攻击不影响其他)
Sub-Account (Vault Sub-Account):Vault Account下的逻辑分组
- 每个Sub-Account有独立地址
- 共享Vault Account的MPC密钥
- 用于策略隔离(Trading vs Treasury vs Settlement)
实际机构架构示例(一家中等对冲基金):
Hedge Fund X
├── Vault: Operations
│ ├── Sub: Hot Wallet (USDC)
│ ├── Sub: Settlement
│ └── Sub: Gas
├── Vault: Trading
│ ├── Sub: BTC Strategy
│ ├── Sub: ETH Strategy
│ └── Sub: Stablecoin Strategy
├── Vault: Long-term Treasury
│ ├── Sub: BTC Holdings
│ └── Sub: Stablecoin Reserves
└── Vault: DeFi Strategies
├── Sub: Aave Lending
├── Sub: EigenLayer Restaking
└── Sub: Uniswap LP
四、托管层架构详细设计
4.1 模块边界图
┌─────────────────────────────────────────────────────────┐
│ Custody Layer (Day 50) │
│ │
│ ┌──────────────────────────────────────────────────┐ │
│ │ 1. Account Management Module │ │
│ │ - Vault创建/Sub-account创建 │ │
│ │ - 地址生成 (HD Wallet derivation) │ │
│ │ - 账户层级管理 │ │
│ └──────────────────────────────────────────────────┘ │
│ │
│ ┌──────────────────────────────────────────────────┐ │
│ │ 2. Key Management Module (MPC) │ │
│ │ - Key generation (DKG) │ │
│ │ - Key storage (HSM-backed) │ │
│ │ - Threshold signature (TSS) │ │
│ │ - Key rotation │ │
│ └──────────────────────────────────────────────────┘ │
│ │
│ ┌──────────────────────────────────────────────────┐ │
│ │ 3. Policy Engine │ │
│ │ - Authorization rules │ │
│ │ - Approval workflows │ │
│ │ - Limit checks (per asset, per period) │ │
│ │ - Address whitelist │ │
│ └──────────────────────────────────────────────────┘ │
│ │
│ ┌──────────────────────────────────────────────────┐ │
│ │ 4. Transaction Authorization Engine │ │
│ │ - Policy lookup │ │
│ │ - Approver routing │ │
│ │ - Multi-step approval │ │
│ │ - Auto-rejection │ │
│ └──────────────────────────────────────────────────┘ │
│ │
│ ┌──────────────────────────────────────────────────┐ │
│ │ 5. Audit & Logging │ │
│ │ - Immutable audit log │ │
│ │ - Real-time event streaming │ │
│ │ - Forensics support │ │
│ └──────────────────────────────────────────────────┘ │
│ │
│ ┌──────────────────────────────────────────────────┐ │
│ │ 6. Integration Module │ │
│ │ - DeFi adapters (Uniswap, Aave, etc.) │ │
│ │ - Exchange connectivity │ │
│ │ - WalletConnect bridge │ │
│ └──────────────────────────────────────────────────┘ │
│ │
│ ↓ Output to other layers ↓ │
│ - 给合规层: User Identity Signal │
│ - 给清算层: Authorized Signature │
│ - 给报表层: Account Balance Snapshot │
│ - 给风控层: Real-time Position │
└─────────────────────────────────────────────────────────┘
4.2 核心接口签名
A. Account Management API
interface IAccountManagement {
// Vault管理
createVault(params: VaultParams): Promise<VaultId>;
getVault(vaultId: VaultId): Promise<Vault>;
listVaults(filter?: VaultFilter): Promise<Vault[]>;
// Sub-account管理
createSubAccount(vaultId: VaultId, params: SubAccountParams): Promise<SubAccountId>;
generateAddress(subAccountId: SubAccountId, chain: ChainId): Promise<Address>;
// 资产持仓
getBalance(subAccountId: SubAccountId, asset: AssetId): Promise<Balance>;
getAllBalances(vaultId: VaultId): Promise<BalanceSnapshot>;
// 转账(内部和外部)
internalTransfer(from: SubAccountId, to: SubAccountId, asset: AssetId, amount: bigint): Promise<TxId>;
externalTransfer(from: SubAccountId, toAddress: Address, asset: AssetId, amount: bigint): Promise<TxRequest>;
}
type VaultParams = {
name: string;
ownerOrgId: OrgId;
threshold: number; // M-of-N MPC threshold
signers: SignerId[]; // N signers
defaultPolicy: PolicyId;
};
type SubAccountParams = {
name: string;
vaultId: VaultId;
purpose: 'trading' | 'treasury' | 'settlement' | 'gas' | 'custom';
policyOverride?: PolicyId;
};
B. Policy Engine API
interface IPolicyEngine {
// Policy CRUD
createPolicy(policy: PolicyDef): Promise<PolicyId>;
updatePolicy(policyId: PolicyId, policy: PolicyDef): Promise<void>;
deletePolicy(policyId: PolicyId): Promise<void>;
// Policy evaluation
evaluate(request: TxRequest): Promise<PolicyDecision>;
// Approver management
routeApprovers(request: TxRequest): Promise<ApproverList>;
registerApproval(approverId: ApproverId, requestId: RequestId, decision: 'approve' | 'reject'): Promise<void>;
}
type PolicyDef = {
name: string;
rules: PolicyRule[];
defaultAction: 'allow' | 'deny' | 'require_approval';
};
type PolicyRule = {
// Conditions
conditions: {
fromSubAccount?: SubAccountId | SubAccountId[];
toAddress?: Address | AddressList;
asset?: AssetId | AssetId[];
amountUSD?: { gte?: number; lte?: number };
timeWindow?: { startTime: number; endTime: number };
velocityCheck?: { maxAmountPerPeriod: number; periodHours: number };
};
// Action
action: 'allow' | 'deny' | {
requireApproval: {
approverGroups: GroupId[]; // 谁可以批准
threshold: number; // 需要几个批准
timeoutHours: number; // 超时自动拒绝
};
};
};
type PolicyDecision = {
decision: 'allow' | 'deny' | 'require_approval';
matchedRule?: string;
requiredApprovals?: ApprovalRequirement[];
reason: string;
};
C. MPC Signing API
interface IMPCSigner {
// Key Generation (DKG)
generateKey(params: KeyGenParams): Promise<PublicKey>;
// Threshold Signing (TSS)
initiateSign(message: Bytes32, signers: SignerId[]): Promise<SignSessionId>;
contributeSignShare(sessionId: SignSessionId, share: SignShare): Promise<void>;
finalizeSign(sessionId: SignSessionId): Promise<Signature>;
// Key Rotation
rotateKey(vaultId: VaultId, newSigners: SignerId[]): Promise<RotationId>;
// Recovery
initiateRecovery(vaultId: VaultId, evidence: RecoveryEvidence): Promise<RecoveryId>;
}
D. 智能合约层(On-chain Component)
// 链上Sub-account Registry(可选,给合规层用)
interface ICustodyRegistry {
struct AccountIdentity {
bytes32 ownerOrgHash; // 机构身份哈希
bytes32 subAccountId; // Sub-account ID
uint8 purpose; // 0=trading, 1=treasury, etc.
uint8 jurisdiction;
bool active;
}
function registerAccount(address custodyAddress, AccountIdentity calldata identity) external;
function getIdentity(address custodyAddress) external view returns (AccountIdentity memory);
function isActiveAccount(address account) external view returns (bool);
function deactivateAccount(address custodyAddress) external; // 紧急冻结
event AccountRegistered(address indexed account, bytes32 indexed orgHash, uint8 purpose);
event AccountDeactivated(address indexed account, uint64 timestamp);
}
4.3 序列图1:机构客户Onboarding
sequenceDiagram
participant Client as 机构客户
participant FBC as Fireblocks Console
participant FBE as Fireblocks Engine
participant MPC as MPC Network
participant ChainRegistry as On-chain Registry
Note over Client,FBE: Step 1: KYB/KYC验证
Client->>FBC: 提交注册申请+企业资料
FBC->>FBE: KYB验证(法律实体、UBO穿透)
FBE->>FBE: 通过Refinitiv/Onfido
FBE-->>FBC: KYB通过
Note over Client,FBE: Step 2: 创建Vault & 配置MPC
Client->>FBC: 请求创建Vault Account
FBC->>MPC: initiateDKG(threshold=3, signers=[client1, client2, fb_co])
MPC->>MPC: Distributed Key Generation
MPC-->>FBC: PublicKey, ChainCode
FBC->>FBE: createVault(publicKey, threshold, signers)
Note over Client,FBE: Step 3: 创建Sub-accounts
Client->>FBC: createSubAccount("Trading-BTC")
FBC->>FBE: 派生Sub-account地址
FBE->>ChainRegistry: registerAccount(address, identity)
ChainRegistry-->>FBE: ✓ Registered
Note over Client,FBE: Step 4: 配置Policy
Client->>FBC: 上传Policy规则
Note over Client: 例如:<br/>- Trading-BTC sub限额$5M/天<br/>- Treasury需要3-of-5批准<br/>- DeFi仅限白名单合约
FBC->>FBE: setPolicies(vaultId, policies)
FBE-->>Client: ✓ Onboarding完成
4.4 序列图2:交易授权流程
sequenceDiagram
participant Trader as Trader
participant App as Trading App
participant FBE as Fireblocks Engine
participant Policy as Policy Engine
participant Approvers as Approver Group
participant MPC as MPC Network
participant Chain as Blockchain
Note over Trader,App: T0: Trader发起交易
Trader->>App: 卖出 100 BTC at market
App->>FBE: createTx(from=Trading-BTC, to=Coinbase, amt=100 BTC)
Note over FBE,Policy: T+0.1s: Policy检查
FBE->>Policy: evaluate(txRequest)
Policy->>Policy: 匹配规则
alt 金额 < $1M (auto-approve threshold)
Policy-->>FBE: decision=allow
else 金额 $1M-$5M (single approver)
Policy-->>FBE: decision=require_approval, approvers=[CFO]
FBE->>Approvers: notify CFO
Approvers->>FBE: CFO approves
else 金额 > $5M (multi-sig committee)
Policy-->>FBE: decision=require_approval, approvers=[CFO, CRO, CEO]
FBE->>Approvers: notify all
Approvers->>FBE: 3-of-3 approve (within 24h)
else 金额 > $50M
Policy-->>FBE: decision=deny, reason="exceeds vault limit"
FBE-->>App: Tx rejected
end
Note over FBE,MPC: T+approval_time: MPC签名
FBE->>MPC: initiateSign(txHash)
MPC->>MPC: 客户MPC node 1 contributes
MPC->>MPC: 客户MPC node 2 contributes
MPC->>MPC: Fireblocks MPC node contributes
MPC->>MPC: Combine partial signatures
MPC-->>FBE: Final signature
Note over FBE,Chain: T+签名后: 链上提交
FBE->>Chain: submit signed tx
Chain-->>FBE: Tx hash
FBE-->>App: Tx submitted, hash=0x...
4.5 序列图3:紧急冻结流程
sequenceDiagram
participant Officer as Compliance Officer
participant FBC as Fireblocks Console
participant FBE as Fireblocks Engine
participant Registry as On-chain Registry
participant MPC as MPC Network
Note over Officer,Registry: Trigger: 收到OFAC制裁名单更新
Officer->>FBC: 紧急冻结 Sub-account "Trader-X"
FBC->>FBE: emergencyFreeze(subAccountId)
Note over FBE,Registry: 1. 链上层标记
FBE->>Registry: deactivateAccount(address)
Registry-->>FBE: ✓ marked inactive
Note over FBE,MPC: 2. MPC层禁用
FBE->>MPC: disableSigning(vaultId, subAccountId)
MPC-->>FBE: ✓ signing disabled
Note over FBE: 3. 内部状态更新
FBE->>FBE: 状态: subAccount.active = false
FBE->>FBE: 拒绝所有待处理交易
FBE->>FBE: emit EmergencyFreezeEvent
Note over Officer,FBC: 通知
FBE->>Officer: Audit log + alert
FBE->>FBC: 显示Frozen状态
Note over Officer: 后续: 合规调查 / 解冻流程
五、设计决策与权衡
5.1 自建 vs 外包托管
| 维度 | 自建Custody | 用Fireblocks/Anchorage |
|---|---|---|
| 初期成本 | $5-10M+(HSM, MPC team) | $50-200K (license fee) |
| 持续成本 | $2-5M/year | $200-500K/year |
| 时间到上线 | 12-18 months | 2-4 weeks |
| 控制度 | 完全可控 | 依赖供应商 |
| 监管 | 需要自己拿Trust Charter | 借助供应商许可 |
| 适用规模 | $5B+ AUM | <$5B AUM |
结论:除了Tier-1银行(如JPM自建Onyx Custody),其他机构都应该外包。
5.2 为什么选MPC而不是Multi-Sig?
MPC优势:
- 链上不可见:从链上看是普通EOA,提高隐私
- 跨链通用:不需要每条链都部署多签合约
- 签名成本低:与EOA相同的Gas
- 策略灵活:threshold可调整无需链上变更
Multi-Sig优势:
- 审计简单:策略在链上可见,审计员熟悉
- 成熟生态:Safe (Gnosis)有大量工具
- 去中心化:不依赖MPC运营方
机构选择:90%选MPC,10%选Safe(特别是DAO Treasury)。
5.3 Sub-account隔离的粒度
太粗(一个Vault走天下):
- 一个事件影响所有资产
- 难以做策略分账核算
- Audit Trail混乱
太细(每笔交易一个Sub-account):
- 管理负担大
- Policy配置爆炸
- Performance下降
最佳实践:按"业务功能"分(Trading vs Treasury vs DeFi),每个Vault下5-15个Sub-account。
5.4 Policy Engine设计原则
1. Whitelist-by-default,不是Blacklist
- 默认拒绝,明确允许
- 防止"漏配置"导致的资金损失
2. 多层防御
- Sub-account层(最基础)
- Vault层(中等)
- Org层(最高)
- 任一层拒绝就拒绝
3. 时间窗口限额
- 不只是单笔限额($1M/transaction)
- 还要累计限额($10M/24h)
- 防止"切片攻击"(多笔小额绕过限额)
4. 速度控制
- 紧急情况可Pause(admin权限)
- 大额交易有Cooling Off Period(48h之后才生效)
六、风险与攻击面
6.1 内部威胁:员工恶意操作
威胁场景:机构内某Trader获得签名权限,转移$10M到外部地址。
缓解措施:
- 多人审批:>$1M必须2人审批,>$10M必须3人+CRO审批
- 时间锁:>$5M有24h冷却期(异常时可cancel)
- 行为分析:Detect异常模式(如周末转账、新地址转账)
- 背景调查:所有签名人定期FBI/Interpol查询
6.2 外部威胁:MPC Node被攻击
威胁场景:客户的某个MPC Node被攻击,攻击者获取一个share。
缓解措施:
- Threshold设计:3-of-5 threshold,攻击者需要3个share才能签名
- Node隔离:3个Node在不同物理位置、不同OS、不同云供应商
- HSM保护:每个Node的share在HSM中(如AWS CloudHSM)
- 行为监控:异常签名请求触发alert
6.3 协议层威胁:DeFi合约漏洞
威胁场景:客户托管资产被allowance到一个DeFi协议,协议被攻击导致资产丢失。
缓解措施:
- Approve限额:永远不要infinite approve,每次approve精确金额
- DeFi白名单:只允许已审计协议(Aave, Compound, Uniswap等)
- Approve超时:approve有过期时间(如30天)
- Real-time监控:approve使用情况持续监控,异常立即revoke
6.4 合规层威胁:制裁名单更新延迟
威胁场景:OFAC新增某地址到SDN List,但客户仍在与之交易。
缓解措施:
- 实时更新:从Chainalysis/Elliptic每5分钟同步
- 预交易检查:每笔交易check发送方和接收方
- 历史交易扫描:发现新制裁后扫描过去90天交易
- 紧急冻结:发现违规立即冻结相关Sub-account
6.5 操作威胁:私钥/Recovery Key丢失
威胁场景:客户的MPC Recovery Key保管不当,丢失。
缓解措施:
- 多Recovery Key:3-of-5 Recovery Threshold
- 地理分散:Recovery Key存放在3个不同司法
- Custodian备份:Fireblocks有Cold Recovery服务(紧急时辅助恢复)
- 保险:Lloyd's of London policy覆盖密钥丢失风险
七、TradFi对照表
| 链上托管层模块 | TradFi对应 | 关键差异 | Adaptation |
|---|---|---|---|
| Vault Account | Master Account at Custodian (e.g., State Street) | 链上MPC keys vs 物理证书+银行账户 | 链上T+0访问 |
| Sub-account | Sub-account at Prime Broker | 类似但链上更细粒度 | 自动化Policy |
| MPC Threshold Signing | Multi-signature Authorization (Wire Transfers) | 算法 vs 人工签字 | 加密学保证 |
| Policy Engine | Authorization Matrix (内部规章) | 代码自动执行 vs 流程文件 | 实时enforce |
| Approval Workflow | Wire Transfer Approval Process (Phone confirm) | 链上audit log vs 录音 | Immutable trail |
| Address Whitelist | Beneficiary Whitelist (Wire) | 链上Smart Contract vs 银行系统列表 | 自动检查 |
| Audit Log | SWIFT MT940 + Internal Logs | 不可篡改 vs 可篡改但有备份 | 法定证据级 |
| Emergency Freeze | Account Hold Order (KYC team) | Smart Contract Pause vs Bank IT手动 | <1 minute响应 |
| DeFi Connect | Order Routing to Brokers | API集成 vs FIX协议 | 直接链上交互 |
| Recovery | 法律recovery process (court order) | 链上Recovery Mechanism vs 法律 | 加密学+法律双保障 |
八、关键速查
主要机构托管方对比(2024-2025)
| 托管方 | AUC (Assets Under Custody) | 客户数 | 核心技术 | 监管许可 |
|---|---|---|---|---|
| Fireblocks | $5T+ | 1800+ | MPC | NYDFS BitLicense |
| Anchorage Digital | $50B+ | 200+ | MPC + HSM | OCC Charter (Bank) |
| Coinbase Custody | $130B+ | 500+ | Cold Storage + MPC | NY Trust Co |
| BitGo | $100B+ | 1500+ | Multi-sig + MPC | SD Trust Co |
| Copper | $40B+ | 500+ | MPC (ClearLoop) | UK FCA |
| Komainu | $10B+ | 200+ | MPC | Jersey FSC |
Policy Engine参数模板
| 维度 | Trading | Treasury | Settlement |
|---|---|---|---|
| 单笔上限 | $5M | $1M | $50M |
| 日累计上限 | $50M | $5M | $500M |
| 自动批准阈值 | $500K | $100K | $5M |
| 单人批准阈值 | $1-5M (CFO) | - | $5-25M (CRO) |
| 多人批准阈值 | $5M+ (3-of-5) | $1M+ (2-of-3) | $25M+ (4-of-5) |
| Cooling Off Period | $5M+ → 4h | $1M+ → 8h | $25M+ → 24h |
| 地址限制 | 仅交易所+DeFi白名单 | 仅Vault间转账 | 仅清算对手白名单 |
MPC Threshold推荐配置
| 机构规模 | Vault Threshold | Recovery Threshold |
|---|---|---|
| <$10M AUM | 2-of-3 | 2-of-3 |
| $10-100M AUM | 3-of-5 | 3-of-5 |
| $100M-1B AUM | 3-of-5 | 4-of-7 |
| >$1B AUM | 4-of-7 | 5-of-9 |
九、面试题(资深级)
Q1: 设计一个对冲基金的托管架构,AUM $500M,每天50笔交易
深度回答: Vault结构(10个Vault):
- Operations (USDC for ops)
- BTC Trading
- ETH Trading
- Stablecoin Trading
- DeFi-Lending
- DeFi-Restaking
- Long-term Treasury
- Cold Storage Backup
- Insurance Reserve
- Settlement Hub
MPC配置:
- Each Vault: 3-of-5 MPC
- Signers: 2 Internal (CFO + CRO) + 2 Custodian + 1 Recovery Service
- Recovery: 4-of-7 (additional 2 external lawyers)
Policy Engine:
- Trading Vault: $5M/tx, $50M/day
- Treasury: 24h cooling for >$1M
- DeFi: 仅Aave/Compound/EigenLayer白名单
- Settlement: 仅T+0 atomic结算
整合:
- Fireblocks作为主托管
- DefiLlama API用于Real-time监控
- Internal OMS via Fireblocks API
- Audit log → Splunk for SOC
Q2: 如果客户的MPC Recovery Key全部丢失,能恢复资产吗?
深度回答: Recovery机制设计:
- Setup时除Operating Threshold (e.g., 3-of-5),另设Recovery Threshold (e.g., 5-of-9)
- Recovery参与者:Operating signers + 额外Recovery-only signers (lawyer, family, escrow service)
- Recovery process需要法律文件(如Death Certificate, Court Order)
- 时间锁:Recovery需要30-90天等待期(防止恶意Recovery攻击)
如果Recovery Threshold也丢失:
- 无法链上恢复
- 法律层面:可向Custodian索赔(如Fireblocks的Cold Recovery service,但需要SOC1合规审批)
- 保险层面:Lloyd's policy可能覆盖(视具体条款)
最佳实践:
- 至少3地理位置存储Recovery Key shares
- 至少2 trusted third parties (lawyer, accountant)
- 测试Recovery process每年至少一次
- Backup of Backup(meta-recovery)
Q3: 评价"链上托管 = 自托管"这个常见误解
深度回答: 误解来源:Crypto Native文化推崇"Not Your Keys, Not Your Coins",认为外包托管=非自托管。
机构视角的真相:
- "自托管"对个人意味着自己拿私钥
- "自托管"对机构意味着机构内部Treasury team控制密钥,不必非要每个员工都拿私钥
- Fireblocks等"托管方"实际是Software Provider,密钥在客户机房(at least majority shares)
- 真正的Custodial(如Coinbase Trust)是Coinbase持有,不同概念
机构架构层级:
- Custodial:客户根本不持有任何key(Coinbase Trust)
- Co-Custody:客户和Custodian各持一半(早期Fireblocks)
- Self-Custody with Software Help:客户持有所有key shares,软件辅助签名(现代Fireblocks)
- Pure Self-Custody:客户自建所有Infra(JPM Onyx)
机构通常选3,不选4(自建成本太高),不选1(监管要求和信任问题)。
Q4: 如何处理"链上"和"链下"的对账(Reconciliation)?
深度回答: 对账维度:
- 链上余额 vs 托管系统余额
- 托管系统余额 vs OMS Position
- OMS Position vs Fund Admin Books
对账频率:
- T+0 (实时):链上 vs Fireblocks
- T+0 (end of day):Fireblocks vs OMS
- T+1 (overnight):OMS vs Fund Admin
链上链下不一致的原因:
- 链上交易未确认(pending)
- 链下记录延迟同步
- Forks(Reorg)导致链上回滚
- Token Migration(如某项目升级合约)
- Airdrop(链上多了但链下没记录)
应对:
- Tolerance Threshold (±$10K acceptable)
- 大于threshold人工调查
- Daily Reconciliation Report自动生成
- 触发Alert给CFO + Auditor
Q5: Fireblocks 2022 Profanity Vulnerability事件给机构的教训?
深度回答: 事件背景:2022年9月,Profanity (Vanity Address Generator)被发现有漏洞,可以通过brute force恢复部分私钥。Fireblocks发现客户使用Profanity-generated地址,紧急通知。
关键教训:
- 依赖第三方工具的风险:客户用了Profanity做"漂亮地址",这成为攻击向量
- Fireblocks响应快:发现后24h内通知所有客户、辅助迁移
- Custodian的边界:Fireblocks不为"客户外部生成地址"负责,但需要做合理建议
- 机构应对:
- 不使用第三方Address Generator
- 所有地址必须来自Custody System
- 定期审查地址生成历史
- Trust Boundary:机构需要明确Custodian覆盖什么、不覆盖什么
影响:让机构更重视"端到端"托管(不只是签名,而是从地址生成到交易执行的全流程)。
十、明日预告
Day 51: 桥接系统设计 #2 — 合规层 (Compliance Layer)。基于今天的托管层身份信号,设计KYC Oracle、链上Allowlist、Travel Rule集成。这是另一个700+行深度设计文档,将与Day 50的托管层无缝衔接。