
Cubist launches key management platform

Non-custodial, chain-agnostic solution for infrastructure keys

April 18, 2023
written by
Riad Wahby, Co-Founder & CEO
Ann Stefan, Co-Founder & COO
Fraser Brown, Co-Founder & CTO
Deian Stefan, Co-Founder & Chief Scientist
Aleksandar Milicevic, Founding Engineer
Andres Nötzli, Founding Engineer
John Renner, Founding Engineer
tags
Key management
Security
Staking
Product releases
Today we announced the launch of a non-custodial key management platform designed to help infrastructure engineering teams secure and programmatically manage their secret keys. The Cubist team is led by a former fintech Head of Fraud Operations and Computer Security professors from Carnegie Mellon University and University of California San Diego who have spent their careers developing and deploying technologies that make complex production systems more secure.

Since the beginning of 2022, [over $1.5B has been lost](https://defillama.com/hacks) due to secret key compromises and access control exploits in Web3. Without a streamlined key management solution, infrastructure teams have been forced to compromise on both security and convenience. Some teams opt for simplicity, storing their secret keys on the same server that runs their validator software. Others go through the enormous effort of piecing together commercially available vaults and signers, resulting in complex systems that offer little security in the best case—and cause disaster in the worst. Both arrangements expose direct access to raw secret keys, meaning a breach or insider threat could result in serious loss.

We are tackling this problem head on. Our non-custodial key manager allows staking-as-a-service providers, blockchains, and other validator operators to lock their secret keys in secure hardware and use short-lived revocable privileges—instead of the keys themselves—to programmatically sign transactions and validation messages. The key manager makes it easy to specify access control rules (e.g., validator clients generate attestations only for their assigned keys) and custom key usage policies (e.g., multi-factor authentication required to withdraw staked funds), and to take advantage of Cubist's anti-slashing protection, anomaly detection alerts, and audit trail out-of-the-box.

We designed and built the platform following a single principle: treat everything as untrusted. This gives organizations very strong security properties; even if an organization's systems are hacked, the key manager can prevent an attacker from signing malicious withdrawal transactions or validation messages. The policy engine at the heart of the key manager was designed to be automatically checked using formal verification, ensuring that policies are always correctly enforced. All cryptographic code runs inside secure hardware modules, meaning that no one—not even Cubist—can see, copy, or steal raw secret keys. This unique design combines our team's world-renowned academic research across systems security, verification, and cryptography to provide higher assurance than any existing key management solution.

"DeFi's long-term potential hinges on security. Stakers and validators must be confident that their funds are safe, but today's frequent key management failures and multi-million-dollar hacks totally undermine that confidence," said Riad Wahby, Co-Founder and Chief Executive Officer of Cubist. "We're confident that Cubist's infrastructure-focused key management dramatically reduces risk, making it much easier to run secure validators on Ethereum and other Proof-of-Stake chains."

Cubist's first publicly announced key management customer is [Ankr](https://www.ankr.com/), one of the world's leading Web3 infrastructure, developer tooling, and liquid staking providers. Cubist's key manager is securing Ankr's Ethereum validators, including the execution of safe withdrawals, which are now possible thanks to last week's Shanghai network upgrade.

"Ankr is thrilled to be working with Cubist to enable secure withdrawals of staked ETH for the first time on Ethereum Proof-of-Stake," said Stanley Wu, Co-Founder and Chief Technology Officer of Ankr. "Our priority is always protecting our customers' funds. We chose Cubist because their team includes preeminent experts in applied cryptography and systems security. They are uniquely qualified to secure Ankr's most critical workflows. We believe Cubist's involvement will make Ankr the most secure choice for Ethereum liquid staking."

Cubist's key manager is now available to teams running infrastructure on a variety of chains, including Ethereum following its Shanghai upgrade. Staking providers can use Cubist's solution to enable secure withdrawals of staked ETH for the first time, or to upgrade the security of their existing validators on Ethereum or other chains. We offer a safe and easy process for migrating secret keys from existing keystores to Cubist's hardware-backed storage and provide an interface for popular validator clients like Lighthouse and Prysm. Learn more at https://cubist.dev/keys.

**Press**

**[CoinDesk](https://www.coindesk.com/business/2023/04/18/cubist-launches-bank-grade-ethereum-key-management-service/)**

**[Blockworks](https://blockworks.co/news/cubist-web3-private-keys)**

**Contact**

Sam Cohen at Gasthalter & Co.

[(212) 257-4170](tel:2122574170)
