Cubist Inc., a security-focused Web3 tools provider, today announced the launch of a non-custodial key management platform designed to help infrastructure engineering teams secure and programmatically manage their secret keys. Cubist’s team is led by a former fintech Head of Fraud Operations and Computer Security professors from Carnegie Mellon University and University of California San Diego who have spent their careers developing and deploying technologies that make complex production systems more secure.
Since the beginning of 2022, over $1.5B has been lost due to secret key compromises and access control exploits in Web3. Without a streamlined key management solution, infrastructure teams have been forced to compromise on both security and convenience. Some teams opt for simplicity, storing their secret keys on the same server that runs their validator software. Others go through the enormous effort of piecing together commercially available vaults and signers, resulting in complex systems that offer little security in the best case—and cause disaster in the worst. Both arrangements expose direct access to raw secret keys, meaning a breach or insider threat could result in serious loss.
Cubist is tackling this problem head-on. Cubist’s non-custodial key manager allows staking-as-a-service providers, blockchains, and other validator operators to lock their secret keys in secure hardware and use short-lived revocable privileges—instead of the keys themselves—to programmatically sign transactions and validation messages. The key manager makes it easy to specify access control rules (e.g., validator clients generate attestations only for their assigned keys) and custom key usage policies (e.g., multi-factor authentication required to withdraw staked funds), and to take advantage of Cubist’s anti-slashing protection, anomaly detection alerts, and audit trail out of the box.
The team designed and built the platform following a single principle: treat everything as untrusted. This gives organizations very strong security properties; even if an organization’s systems are hacked, Cubist’s key manager can prevent an attacker from signing malicious withdrawal transactions or validation messages. The policy engine at the heart of the key manager was designed to be automatically checked using formal verification, ensuring that policies are always correctly enforced. All cryptographic code runs inside secure hardware modules, meaning that no one—not even Cubist—can see, copy, or steal raw secret keys. This unique design combines the team’s world-renowned academic research across systems security, verification, and cryptography to provide higher assurance than any existing key management solution.
“DeFi’s long-term potential hinges on security. Stakers and validators must be confident that their funds are safe, but today’s frequent key management failures and multi-million-dollar hacks totally undermine that confidence,” said Riad Wahby, Co-Founder and Chief Executive Officer of Cubist. “We’re confident that Cubist’s infrastructure-focused key management dramatically reduces risk, making it much easier to run secure validators on Ethereum and other Proof-of-Stake chains.”
Cubist’s first publicly announced key management customer is Ankr, one of the world’s leading Web3 infrastructure, developer tooling, and liquid staking providers. Cubist’s key manager is securing Ankr’s Ethereum validators, including the execution of safe withdrawals, which are now possible thanks to last week’s Shanghai network upgrade.
“Ankr is thrilled to be working with Cubist to enable secure withdrawals of staked ETH for the first time on Ethereum Proof-of-Stake,” said Stanley Wu, Co-Founder and Chief Technology Officer of Ankr. “Our priority is always protecting our customers’ funds. We chose Cubist because their team includes preeminent experts in applied cryptography and systems security. They are uniquely qualified to secure Ankr’s most critical workflows. We believe Cubist’s involvement will make Ankr the most secure choice for Ethereum liquid staking.”
Cubist’s key manager is now available to teams running infrastructure on a variety of chains, including Ethereum following its Shanghai upgrade. Staking providers can use Cubist’s solution to enable secure withdrawals of staked ETH for the first time, or to upgrade the security of their existing validators on Ethereum or other chains. Cubist offers a safe and easy process for migrating secret keys from existing keystores to Cubist’s hardware-backed storage and provides an interface for popular validator clients like Lighthouse and Prysm.