Trustless Custodians: A Decentralized Approach to Cryptocurrency Custodianship

Introduction: A Platform of Decentralized Privacy Coins ▸

Shielding Cryptocurrencies: Turning Any Cryptocurrency Into a Privacy Coin ▸

A Decentralized Approach to Cryptocurrency Custodianship ▾

Custodians play a crucial role in the shielding mechanism that turns cryptocurrencies - like BTC, ETH and USDT - into privacy coins [Incognito, 2019a].

Existing custodian solutions like Bitgo and Coinbase Custody are centralized and expensive. Trusted third parties are security holes [Szabo, 2001]. In addition, the very nature of centralized custody necessitates the sharing of a user’s private information to third parties.

Incognito takes a decentralized approach to custodianship; there are multiple custodians instead of one centralized authority like Bitgo or Coinbase Custody. Anyone can become a custodian by simply supplying a bond.

We implemented a smart contract on Ethereum that controls bonds and runs exactly as programmed. Not only is the Bond smart contract trustless, it also provides real-time processing, as opposed to the multi-day manual process adopted by centralized custodian companies.

We initially implemented a fixed custodian fee structure for simplicity’s sake. This could be further improved by implementing a market-driven custodian fee structure where users are able to set their own fees and custodians are able to compete for user deposits.

Insured by collateral
Processing time Instant Days
Fees Low High

Table 1. A comparison between Incognito and centralized custodians like Bitgo and Coinbase Custody.

The Bond Smart Contract

The Bond smart contract glues together Incognito, custodians, and other cryptonetworks like Bitcoin and Binance Chain. There will be multiple implementations of the Bond smart contract on different cryptonetworks, including Incognito itself, using their respective cryptoassets as collateral.

The first implementation is programmed as an Ethereum smart contract [Wood, 2014]. We chose Ethereum because its smart contract platform is battle-tested and it has many liquid cryptoassets that are suitable collateral types.

Figure 1. The Bond smart contract is programmed to glue together custodians, Incognito, and other cryptonetworks like Bitcoin and Binance Chain.

The Bond smart contract is programmed to:

  • Escrow collateral, in ETH and liquid ERC20 tokens, bonded by custodians
  • Set the maximum total amount of user deposits that a custodian can accept based on the Collateral-to-Deposit ratio
  • Verify deposit proofs on other cryptonetworks and submit valid proofs to Incognito for minting privacy coins
  • Verify burn proofs of privacy coins on Incognito and instruct custodians to release public coins
  • Verify custodians’ release proofs on other cryptonetworks and free up their collateral; custodians can withdraw their collateral tokens or take new user deposits
  • Liquidate collateral when custodians misbehave or collateral amount drops below deposit amount

Over-Collateralized Bonds

Custodians must first bond some collateral into the Bond smart contract. Bonded collateral tokens are required as a recourse when custodians misbehave. The Bond smart contract only accepts ETH and liquid ERC20 tokens as collateral.

Because cryptocurrency prices are volatile, bond values are also volatile. It is necessary to ask custodians to overbond so that the total amount of user deposits to a single custodian does not exceed the total value of the collateral bonded by that custodian.

We introduce a parameter α, initially set as 200%. α is the Collateral-to-Deposit ratio, which makes sure that user deposits never exceed the amount of total custodian collateral even if there is a significant drop in collateral value.

For example, as a custodian, Alice needs to bond at least $2000 worth of ETH and ERC20 tokens in the Bond smart contract if she wants to take $1,000 worth of BTC user deposits.


Over-collateralization ensures that custodians do not misbehave.

During the unshielding process, if Alice doesn’t send the public coins back to Bob in full, Alice’s bonded collateral will be used to repay Bob. In this case, the public coins that Bob receives – Alice’s collateral to be precise – may be different from Bob’s original public coin, but their total value is the same or greater than the value of Bob’s original deposit.

Auto-liquidation also kicks in if the value of bonded collateral drops significantly. Custodians must add more collateral to avoid auto-liquidation. We introduce a parameter 𝛽, initially set as 120%. If α is the upper bound, 𝛽 is the lower bound or the liquidation threshold. 𝛽 is designed to make sure that total custodian collateral amounts do not drop below total user deposits.

A future improvement could be automatically liquidating collateral on a decentralized exchange like Kyber [Luu and Yaron, 2017], Uniswap [Adam, 2018], or Incognito pDEX [Incognito, 2019b].


First, custodians earn shielding fees and unshielding fees. The initial fee structure is simple – a fixed shielding fee of 0.01% and an unshielding fee of 0.01%.

Later, as part of a market-driven pricing structure, users could set their own fees and custodians could choose to process the transactions with the highest fees first. A more complex fee structure would take into account shielding, unshielding, and custodial times.

Second, custodians also earn PRV, the native coin of Incognito, through shield mining. In traditional cryptonetworks, mining rewards come solely from block mining, where miners earn rewards for producing new blocks. In Incognito, there is shield mining in addition to block mining, where custodians also mine PRV for shielding public coins. The more a custodian shields, the bigger the PRV rewards the custodian earns. The Incognito DAO funds shield mining rewards.

The shield mining reward ri for a custodian ci at block height k, is computed as follows, where Rk is the total shield mining reward for that block, n is the number of custodians, and bi is the bonded collateral value from custodian ci .

We have proposed a decentralized approach to custodianship. While this mechanism is designed for Incognito specifically, we hope that the community will find this design helpful and expand upon it to build more fully-decentralized systems of custodians.

Sending Cryptocurrencies Confidentially: Ring Signature, Homomorphic Commitment, and Zero-Knowledge Range Proofs ▸

Privacy at Scale with Sharding ▸

Consensus: A Combination of PoS, pBFT, and BLS ▸

Incognito Software Stack: Navigating the Incognito Source Code ▸

Incognito Performance ▸

Network Incentive: Privacy (PRV) ▸

User-Created Privacy Coins ▸

Use Cases: Privacy Stablecoins, Privacy DEX, Confidential Crypto Payroll, and more ▸

Future Work: Smart Contracts, Confidential Assets, Confidential IP, and more ▸

Conclusions, Acknowledgments, and References ▸


I’ll be publishing a video about this soon, focusing on the technical details of the mechanism. Let me know if there’s any specific issues/questions you’d like me to cover :pray:


thanks in advance @Grant. The video should be covering Portal’s mechanism and it’ll be better if we can include shielding & unshielding processes from this post (Shielding Cryptocurrencies: Turning Any Cryptocurrency Into a Privacy Coin) along with trustless custodians approach so that readers can have better understanding about the context.


@duc:wave: I want to become custodians!


appreciated @zes333. Custodian plays a crucial role in Incognito generally and Portal specifically so will need someone like you to make it operational. (MrRobot is one of my favorite shows btw :call_me_hand:)


What does the unbonding of collateral process look like? For example, I bond 10k$ worth of ETH and 3 years later want it back. How do I get it? What happens to the deposits?

1 Like

Is the goal in the future to compete with centralized custodians like BitGo? Are there numbers that represent what Incognito currently holds in custody?

Is anyone from the team working to reach out to current customers of centralized custodians such as BitGo, Fireblocks, Trustology, Prime Trust, Onchain Custodian or Kingdom Trust?

bitgo could be one among many trustless custodians on incognito. it is entirely permissionless. that’s actually a better business model for them and their customers.

1 Like

Ok so the customers would be the centralized custodians to offer them privacy, lower fees and processing times?

BitGo would be a whale of a catch…do you think it’s possible they would be interested in the perks Incognito has to offer? That would be :fire::fire:

Why would their customers not go straight to incognito themselves to avoid the BitGo fee…Maybe bc they couldn’t afford the collateral to deposit ratio?

customers don’t have to deposit collaterals. they deposit their cryptoassets to incognito’s trustless custodians the same way they deposit into centralized cuatodians custodians like bitgo.

the differences are lower fee, no single point of failure, and collateral backed. note that the collaterals are deposited by the custodians, not by the customers. in order to be a custodian, you must make a deposit to get the work permit. so if a custodian doesn’t do his job or run away, the collaterals will be automatically liquidated.

I think I’m beginning to see but I’m not understanding one piece. Let’s use an example. Let’s say binance was using BitGo to store their BTC. Why would they continue to use BitGo and not use incognito and become their own custodian? My understanding is that it’s an added layer of security to not take custody of your owns funds but if incognito is trustless then the third party custodian is not needed for security right? On top of that they would earn PRV for shielding.

1 Like

How are users (who deposit cryptocoins) and custodians matched?
Do custodians specify the cryptocoins they are willing to take into custody, e.g. a custodian may not want to take CrapCoins into custody?
And vice versa, do the users specify the collateral that they are willing to take (that will eventually be given to them in the case of a malicious custodian), e.g. I deposits BTC into pBTC, and be given back CrapCoins?
Is there any reputation system for custodians?
Which oracle that Incognito is currently using for the price of the exchanges?

hey @ncn, thanks for your questions. You can find answers to the questions below:

How are users (who deposit cryptocoins) and custodians matched?

Based on shielding amount requesting by a user and available collateral of custodians, the protocol matches automatically these two actors by a rule: value of the available collateral (in USD) should be greater than or at least equal to twice of value of the shielding amount (in USD also).

Do custodians specify the cryptocoins they are willing to take into custody, e.g. a custodian may not want to take CrapCoins into custody?
And vice versa, do the users specify the collateral that they are willing to take (that will eventually be given to them in the case of a malicious custodian), e.g. I deposits BTC into pBTC, and be given back CrapCoins?

Currently, the protocol only accepts PRV (Incognito native token) as collateral, we’ll be working on the next version that will accept ETH as well. And custodians may only take BTC and BNB into their custody.

Is there any reputation system for custodians?

Doesn’t have yet.

Which oracle that Incognito is currently using for the price of the exchanges?

The oracle price feed is still being run by the core team. As you can see, this is an extremely important component, but to design an oracle in a full decentralized fashion is not that easy. Especially incentivization for honest price feed. We’re still working on the design for this. For now, it’s still controlled by the core team and prices would be reported every 30 seconds.