
Cubist launches key management platform

Non-custodial, chain-agnostic solution for infrastructure keys

April 18, 2023
Written by:
Riad Wahby, Co-Founder & CEO
Ann Stefan, Co-Founder & COO
Fraser Brown, Co-Founder & CTO
Deian Stefan, Co-Founder & Chief Scientist
Aleksandar Milicevic, Founding Engineer
Andres Nötzli, Founding Engineer
John Renner, Founding Engineer
Today we announced the launch of a non-custodial key management platform designed to help infrastructure engineering teams secure and programmatically manage their secret keys. The Cubist team is led by a former fintech Head of Fraud Operations and Computer Security professors from Carnegie Mellon University and University of California San Diego who have spent their careers developing and deploying technologies that make complex production systems more secure.

Since the beginning of 2022, over $1.5B has been lost due to secret key compromises and access control exploits in Web3. Without a streamlined key management solution, infrastructure teams have been forced to compromise on both security and convenience. Some teams opt for simplicity, storing their secret keys on the same server that runs their validator software. Others go through the enormous effort of piecing together commercially available vaults and signers, resulting in complex systems that offer little security in the best case—and cause disaster in the worst. Both arrangements expose direct access to raw secret keys, meaning a breach or insider threat could result in serious loss.

We are tackling this problem head on. Our non-custodial key manager allows staking-as-a-service providers, blockchains, and other validator operators to lock their secret keys in secure hardware and use short-lived revocable privileges—instead of the keys themselves—to programmatically sign transactions and validation messages. The key manager makes it easy to specify access control rules (e.g., validator clients generate attestations only for their assigned keys) and custom key usage policies (e.g., multi-factor authentication required to withdraw staked funds), and to take advantage of Cubist's anti-slashing protection, anomaly detection alerts, and audit trail out-of-the-box.

We designed and built the platform following a single principle: treat everything as untrusted. This gives organizations very strong security properties; even if an organization's systems are hacked, the key manager can prevent an attacker from signing malicious withdrawal transactions or validation messages. The policy engine at the heart of the key manager was designed to be automatically checked using formal verification, ensuring that policies are always correctly enforced. All cryptographic code runs inside secure hardware modules, meaning that no one—not even Cubist—can see, copy, or steal raw secret keys. This unique design combines our team's world-renowned academic research across systems security, verification, and cryptography to provide higher assurance than any existing key management solution.

"DeFi's long-term potential hinges on security. Stakers and validators must be confident that their funds are safe, but today's frequent key management failures and multi-million-dollar hacks totally undermine that confidence," said Riad Wahby, Co-Founder and Chief Executive Officer of Cubist. "We're confident that Cubist's infrastructure-focused key management dramatically reduces risk, making it much easier to run secure validators on Ethereum and other Proof-of-Stake chains."

Cubist's first publicly announced key management customer is Ankr, one of the world's leading Web3 infrastructure, developer tooling, and liquid staking providers. Cubist's key manager is securing Ankr's Ethereum validators, including the execution of safe withdrawals, which are now possible thanks to last week's Shanghai network upgrade.

"Ankr is thrilled to be working with Cubist to enable secure withdrawals of staked ETH for the first time on Ethereum Proof-of-Stake," said Stanley Wu, Co-Founder and Chief Technology Officer of Ankr. "Our priority is always protecting our customers' funds. We chose Cubist because their team includes preeminent experts in applied cryptography and systems security. They are uniquely qualified to secure Ankr's most critical workflows. We believe Cubist's involvement will make Ankr the most secure choice for Ethereum liquid staking."

Cubist's key manager is now available to teams running infrastructure on a variety of chains, including Ethereum following its Shanghai upgrade. Staking providers can use Cubist's solution to enable secure withdrawals of staked ETH for the first time, or to upgrade the security of their existing validators on Ethereum or other chains. We offer a safe and easy process for migrating secret keys from existing keystores to Cubist's hardware-backed storage and provide an interface for popular validator clients like Lighthouse and Prysm. Learn more at

**Press**

**CoinDesk**

**Blockworks**

**Contact**

Sam Cohen at Gasthalter & Co.

[(212) 257-4170](tel:2122574170)
