What Custody Actually Means
In traditional finance, custody is invisible. You open a bank account, money goes in, and you assume it is yours. Legally and practically, it is more complicated: you are an unsecured creditor of the bank. If the bank fails, you rely on deposit insurance up to a limit. If the bank freezes your account due to suspected fraud, regulatory pressure, or simple error, your access is suspended until they decide otherwise.
In DeFi, custody is explicit. You either hold your own private key, or someone else holds it for you. There is no middle ground. If you buy crypto on Coinbase and leave it there, Coinbase holds your private key. You have a claim on the asset, but you do not hold the asset. If Coinbase is hacked, goes bankrupt, or freezes withdrawals, your funds are at risk.
This is what the phrase "not your keys, not your coins" means. It is not a slogan. It is a description of how the technology actually works.
Custodial: A third party holds your private key. You access your funds through their platform. Examples: Coinbase, Binance, any centralized exchange.
Non-custodial: You hold your private key. You access your funds directly on-chain. No third party can block or freeze your access to the wallet itself (a token issuer can still freeze specific tokens at the contract level, as the stablecoin section below covers). Examples: Phantom, MetaMask, Ledger hardware wallet.
Private Keys, Public Keys, and Seed Phrases
Every wallet in DeFi is built on asymmetric cryptography. The system generates two related numbers: a private key and a public key. The public key, or the wallet address derived from it (on Ethereum a hash of the public key, on Solana the public key itself), can be shared with anyone. It is how others send you assets. The private key must never be shared. It is the proof of ownership, and whoever holds it controls everything in that wallet.
The private key itself is a very large number, typically 256 bits. Deriving the private key from the public key is computationally infeasible: it would require solving the discrete logarithm problem on the underlying elliptic curve, which no known attack does in any practical amount of time. This is the mathematical guarantee that makes self-custody possible.
Because a 256-bit number is impractical to write down or remember, modern wallets use a seed phrase: a sequence of 12 or 24 ordinary words drawn from a fixed list of 2048, which encodes the random entropy from which the wallet deterministically derives every private key it uses (the BIP-39 and BIP-32 standards). The seed phrase is everything. It can regenerate your wallet, and every account in it, on any compatible application. It can restore access after your device is lost or broken. And if someone else gets it, they have full and irrevocable access to your funds.
Write your seed phrase on paper. Store it somewhere physically secure, separate from your device. Never photograph it. Never store it digitally. Never share it with anyone, ever, for any reason. No legitimate service will ever ask for it.
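What a seed phrase actually encodes, as an added illustration (example code written for this article, not part of the original text and not any wallet's own implementation): the BIP-39 arithmetic in Python, checked against the standard's published reference vector. The two-entry word list is an assumption standing in for the full 2048-word English list; nothing else here is invented.

```python
import hashlib
import os
import unicodedata

# Assumption: a real wallet loads the full 2048-word BIP-39 English list. Only the
# two entries needed for the reference vector below are given here.
WORD_INDEX = {"abandon": 0, "about": 3}
INDEX_WORD = {v: k for k, v in WORD_INDEX.items()}


def entropy_to_indices(entropy: bytes) -> list:
    """Map 16-32 bytes of entropy to BIP-39 word-list indices.

    Checksum = first ENT/32 bits of SHA-256(entropy), appended to the entropy.
    The concatenation is cut into 11-bit groups; each group indexes one word.
    """
    ent_bits = len(entropy) * 8
    if ent_bits not in (128, 160, 192, 224, 256):
        raise ValueError("entropy must be 16, 20, 24, 28 or 32 bytes")
    cs_bits = ent_bits // 32
    checksum = int.from_bytes(hashlib.sha256(entropy).digest(), "big") >> (256 - cs_bits)
    bits = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    total = ent_bits + cs_bits
    return [(bits >> (total - 11 * (i + 1))) & 0x7FF for i in range(total // 11)]


def indices_to_entropy(indices: list) -> bytes:
    """Reverse of entropy_to_indices; raises if the embedded checksum is wrong.

    This is the only check a wallet can run on a restored phrase: it catches a
    mistyped or swapped word, not a phrase that belongs to someone else.
    """
    if len(indices) not in (12, 15, 18, 21, 24):
        raise ValueError("phrase must have 12, 15, 18, 21 or 24 words")
    total = len(indices) * 11
    ent_bits = total * 32 // 33
    cs_bits = total - ent_bits
    bits = 0
    for idx in indices:
        bits = (bits << 11) | idx
    entropy = (bits >> cs_bits).to_bytes(ent_bits // 8, "big")
    if entropy_to_indices(entropy) != list(indices):
        raise ValueError("checksum mismatch: a word is wrong or out of order")
    return entropy


def phrase_is_well_formed(indices: list) -> bool:
    """True when the checksum matches; False for a typo. Says nothing about ownership."""
    try:
        indices_to_entropy(indices)
        return True
    except ValueError:
        return False


def seed_from_mnemonic(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP-39 seed: PBKDF2-HMAC-SHA512, 2048 rounds, salt = "mnemonic" + passphrase.

    Deterministic: whoever holds these words (and the optional passphrase)
    derives the same 512-bit seed, and from it every key the wallet uses.
    """
    words = unicodedata.normalize("NFKD", " ".join(mnemonic.split())).encode("utf-8")
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", words, salt, 2048, dklen=64)


# Official BIP-39 test vector: 16 zero bytes -> "abandon" x11 + "about", passphrase "TREZOR".
REFERENCE_ENTROPY = bytes(16)
REFERENCE_MNEMONIC = " ".join(["abandon"] * 11 + ["about"])
REFERENCE_SEED_HEX = (
    "c55257c360c07c72029aebc1b53c05ed0362ada38ead3e3e9efa3708e5349553"
    "1f09a6987599d18264c1e1c92f2cf141630c7a3c4ab7c81b2f001698e7463b04"
)


def reference_vector_matches() -> bool:
    """Round-trip the published vector; True when the arithmetic above is correct."""
    indices = entropy_to_indices(REFERENCE_ENTROPY)
    words = " ".join(INDEX_WORD[i] for i in indices)
    seed = seed_from_mnemonic(words, "TREZOR")
    return words == REFERENCE_MNEMONIC and seed.hex() == REFERENCE_SEED_HEX


if __name__ == "__main__":
    print("reference vector ok:", reference_vector_matches())
    # A fresh 128-bit wallet: entropy from the OS CSPRNG, never from a password or a brain.
    print("fresh 12-word indices:", entropy_to_indices(os.urandom(16)))
    # The optional passphrase ("25th word") silently selects a different wallet from the same words.
    print("passphrase changes wallet:",
          seed_from_mnemonic(REFERENCE_MNEMONIC) != seed_from_mnemonic(REFERENCE_MNEMONIC, "TREZOR"))
```

Two things the code makes concrete. The checksum is the only validation a wallet can perform on a typed-in phrase, so a phrase that "restores fine" is not evidence it is yours. And the optional passphrase changes the seed completely: forget it, and the correct twelve words restore an empty wallet.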
Wallet Types: A Practical Breakdown
Not all wallets are equal. The right choice depends on how actively you use DeFi and how much you have at stake.
Hot Wallet
Software Wallet
Browser extension or mobile app. Always connected. Convenient for frequent DeFi use. Vulnerable to malware and phishing: the key lives on an internet-connected device, so malware on that device can read it and a malicious site can trick you into signing. Examples: MetaMask, Phantom.
Cold Wallet — Recommended
Hardware Wallet
Physical device, offline storage. Private key never touches the internet. Signs transactions locally. Best security for significant holdings, but only as good as what you confirm on the device screen: verify the destination address and amount there, not in the browser, and avoid blind-signing contract data the device cannot display. Examples: Ledger, Trezor.
Hybrid Approach
Hot + Cold
Hot wallet for small, active DeFi positions. Hardware wallet for larger, longer-term holdings. This is the most practical setup for serious DeFi participants.
Advanced
Multisig
Requires m of n signatures to authorize a transaction. Used by protocols and DAOs. Increasingly available to individuals. Removes the single-key point of failure, provided the signers are genuinely independent: a 2-of-3 whose three keys sit on one laptop gains nothing.
Use a separate wallet for DeFi interaction, never your main holdings wallet. Verify contract addresses independently before connecting. Revoke unused token approvals regularly: an approval lets a contract move your tokens without any further signature from you, and an unlimited approval to a compromised contract is an open drain. If a site asks you to sign a transaction or message you did not initiate, close the tab immediately.
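The approval hygiene above, as an added worked example (written for this article, not code from the original text or from any wallet): Python that builds the ERC-20 allowance query a wallet or explorer sends, decodes the answer, classifies it, decodes an approve call a site might ask you to sign, and builds the approve(spender, 0) transaction that revokes it. The selectors are the standard ERC-20 ones; the token and addresses are constructed placeholders.

```python
import json

ALLOWANCE_SELECTOR = bytes.fromhex("dd62ed3e")  # keccak256("allowance(address,address)")[:4]
APPROVE_SELECTOR = bytes.fromhex("095ea7b3")    # keccak256("approve(address,uint256)")[:4]
UINT256_MAX = (1 << 256) - 1


def _hex_to_bytes(h: str) -> bytes:
    return bytes.fromhex(h[2:] if h.startswith(("0x", "0X")) else h)


def _abi_address(addr: str) -> bytes:
    raw = _hex_to_bytes(addr)
    if len(raw) != 20:
        raise ValueError("address must be 20 bytes")
    return raw.rjust(32, b"\x00")  # ABI encoding: left-padded to a 32-byte word


def _abi_uint256(n: int) -> bytes:
    if not 0 <= n <= UINT256_MAX:
        raise ValueError("out of uint256 range")
    return n.to_bytes(32, "big")


def allowance_calldata(owner: str, spender: str) -> str:
    """Calldata for allowance(owner, spender): how much `spender` may move on your behalf."""
    return "0x" + (ALLOWANCE_SELECTOR + _abi_address(owner) + _abi_address(spender)).hex()


def revoke_calldata(spender: str) -> str:
    """approve(spender, 0): the call that revokes an allowance."""
    return "0x" + (APPROVE_SELECTOR + _abi_address(spender) + _abi_uint256(0)).hex()


def decode_uint256(result: str) -> int:
    raw = _hex_to_bytes(result)
    if len(raw) != 32:
        raise ValueError("expected one 32-byte ABI word")
    return int.from_bytes(raw, "big")


def classify_allowance(amount: int, decimals: int) -> str:
    if amount == 0:
        return "none"
    if amount == UINT256_MAX:
        return "unlimited"
    # Heuristic (an assumption for this example, not a standard): more than a billion
    # whole tokens is unlimited for practical purposes and should be treated the same way.
    if amount > 10 ** (decimals + 9):
        return "effectively unlimited"
    return "bounded"


def describe_approve(data: str, decimals: int) -> dict:
    """Decode an approve(address,uint256) call, i.e. read what a site is asking you to sign."""
    raw = _hex_to_bytes(data)
    if raw[:4] != APPROVE_SELECTOR or len(raw) != 4 + 64:
        raise ValueError("not an approve(address,uint256) call")
    spender = "0x" + raw[16:36].hex()          # last 20 bytes of the first argument word
    amount = int.from_bytes(raw[36:68], "big")  # second argument word
    return {"spender": spender, "amount": amount, "class": classify_allowance(amount, decimals)}


def allowance_request(token: str, owner: str, spender: str) -> dict:
    """JSON-RPC eth_call body that reads allowance(owner, spender) from `token`."""
    return {"jsonrpc": "2.0", "id": 1, "method": "eth_call",
            "params": [{"to": token, "data": allowance_calldata(owner, spender)}, "latest"]}


def revoke_transaction(token: str, spender: str) -> dict:
    """Unsigned transaction a wallet would sign to revoke. Note: value is 0, the target is the token."""
    return {"to": token, "value": "0x0", "data": revoke_calldata(spender)}


# Constructed sample values (not real addresses or chain data).
TOKEN = "0x" + "ab" * 20
OWNER = "0x" + "11" * 20
SPENDER = "0x" + "22" * 20
SAMPLE_ETH_CALL_RESULT = "0x" + "ff" * 32  # what an unlimited allowance looks like on the wire
SAMPLE_SIGN_REQUEST = "0x095ea7b3" + "00" * 12 + "22" * 20 + "ff" * 32  # approve(SPENDER, max)

if __name__ == "__main__":
    print("query:", json.dumps(allowance_request(TOKEN, OWNER, SPENDER)))
    amount = decode_uint256(SAMPLE_ETH_CALL_RESULT)
    print("allowance class:", classify_allowance(amount, decimals=6))
    print("what the site wants you to sign:", describe_approve(SAMPLE_SIGN_REQUEST, 6))
    print("revoke tx:", json.dumps(revoke_transaction(TOKEN, SPENDER)))
```

The revocation is itself an approve call, sent to the token contract, not to the spender, with value zero; a wallet that shows you a non-zero value or a different target for a "revoke" is showing you something else. Approvals granted via signed permit messages never appear as transactions in your history, which is why the on-chain allowance should be queried rather than inferred.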
Reading Smart Contracts Without Being a Developer
One of the most underrated skills in DeFi is the ability to verify what a protocol actually does, without writing a single line of code. Most DeFi participants connect their wallets to protocols they have not examined at all, trusting branding and community reputation instead.
On Solana, Solscan shows whether a program is upgradeable or has its upgrade authority revoked. On Ethereum, Etherscan shows whether a contract is verified (the published source code matches the deployed bytecode, which proves what the code is, not that it is safe), whether an owner or admin key exists, and whether the contract uses a proxy pattern that allows the logic to be replaced. These are not developer-level checks. They take minutes and require no technical knowledge beyond knowing where to look.
The key questions before connecting to any protocol: Is the contract verified on-chain? Has it been audited, and by whom? Does an admin key or upgrade authority exist? Who holds it? This is not advanced analysis. It is due diligence, and the information is publicly available for every legitimate protocol.
Before interacting with any new protocol, spend five minutes on the relevant block explorer. Verified contract, known audit, no admin key with unilateral power: these are the baseline checks. A protocol that cannot pass this basic review deserves a higher risk premium, not blind trust.
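The proxy and admin-key checks above, automated as an added example (written for this article; not the article's own tooling and not code from Etherscan or Solscan): a Python script that reads the EIP-1967 implementation and admin storage slots over Ethereum JSON-RPC and reports who can swap the logic. The slot constants are the ones the EIP defines; the sample chain state is constructed so the script runs offline, and a real node URL is an argument you supply.

```python
import json
import sys
import urllib.request

# EIP-1967 slots: keccak256("eip1967.proxy.implementation") - 1 and
# keccak256("eip1967.proxy.admin") - 1, hard-coded because the stdlib has no keccak.
IMPL_SLOT = "0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc"
ADMIN_SLOT = "0xb53127684a568b3173ae13b9f8a6016e243e63b6e8ee1178d6a717850b5d6103"


def json_rpc(url: str):
    """Return a call(method, params) function speaking JSON-RPC to an Ethereum node."""
    def call(method, params):
        body = json.dumps({"jsonrpc": "2.0", "id": 1, "method": method, "params": params}).encode()
        req = urllib.request.Request(url, body, {"Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=20) as resp:
            reply = json.load(resp)
        if "error" in reply:
            raise RuntimeError(reply["error"])
        return reply["result"]
    return call


def _has_code(call, address: str) -> bool:
    return call("eth_getCode", [address, "latest"]) not in (None, "0x", "0x0")


def _slot_to_address(word: str):
    """A storage word holding an address keeps it in the last 20 of 32 bytes; None if empty."""
    raw = bytes.fromhex(word[2:].rjust(64, "0"))
    addr = raw[-20:]
    return None if addr == bytes(20) else "0x" + addr.hex()


def assess_contract(call, address: str) -> dict:
    """Minimal pre-interaction check: is it a contract, is it a proxy, who can upgrade it."""
    report = {"address": address, "is_contract": _has_code(call, address), "upgradeable": False,
              "implementation": None, "admin": None, "admin_kind": None, "findings": []}
    if not report["is_contract"]:
        report["findings"].append("no code at address: an EOA or a wrong address, do not send funds")
        return report
    impl = _slot_to_address(call("eth_getStorageAt", [address, IMPL_SLOT, "latest"]))
    if impl is None:
        report["findings"].append("no EIP-1967 implementation slot: not an EIP-1967 proxy "
                                  "(other proxy styles and owner-only functions are still possible)")
        return report
    report["upgradeable"] = True
    report["implementation"] = impl
    admin = _slot_to_address(call("eth_getStorageAt", [address, ADMIN_SLOT, "latest"]))
    report["admin"] = admin
    if admin is None:
        report["findings"].append("proxy with empty admin slot: likely UUPS, so the upgrade right "
                                  "lives in the implementation's owner; check that instead")
    elif _has_code(call, admin):
        report["admin_kind"] = "contract"
        report["findings"].append("admin is a contract: possibly a multisig or timelock; verify "
                                  "which, with what threshold and what delay")
    else:
        report["admin_kind"] = "EOA"
        report["findings"].append("admin is a single externally owned key: one leaked key can "
                                  "replace the logic you are about to trust")
    return report


# Constructed sample chain state (not real addresses): a transparent proxy whose
# admin is a bare EOA, the single-key case the report should flag.
SAMPLE_PROXY = "0x" + "aa" * 20
SAMPLE_IMPL = "0x" + "bb" * 20
SAMPLE_ADMIN = "0x" + "cc" * 20
_SAMPLE_CODE = {SAMPLE_PROXY: "0x3660", SAMPLE_IMPL: "0x6080"}  # the admin has no code
_SAMPLE_STORAGE = {(SAMPLE_PROXY, IMPL_SLOT): "0x" + "00" * 12 + "bb" * 20,
                   (SAMPLE_PROXY, ADMIN_SLOT): "0x" + "00" * 12 + "cc" * 20}


def sample_call(method, params):
    """Stand-in for json_rpc(...) that answers from the constructed state above."""
    if method == "eth_getCode":
        return _SAMPLE_CODE.get(params[0], "0x")
    if method == "eth_getStorageAt":
        return _SAMPLE_STORAGE.get((params[0], params[1]), "0x" + "00" * 32)
    raise ValueError("unexpected method " + method)


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: python check_proxy.py <rpc-url> <contract-address>
        report = assess_contract(json_rpc(sys.argv[1]), sys.argv[2])
    else:
        report = assess_contract(sample_call, SAMPLE_PROXY)
    print(json.dumps(report, indent=2))
```

The script answers one question well, who can change the code behind this address, and deliberately does not claim more. A contract that is not an EIP-1967 proxy can still have an owner with a pause, a fee switch or a drain function, which is why the explorer's verified source and the audit remain part of the five-minute check.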
Stablecoins: The Bridge That Can Break
Stablecoins are the most used asset in DeFi. They allow participants to hold value, earn yield, and transact without exposure to the volatility of ETH or SOL. But "stable" describes the target, not the guarantee. Different stablecoin designs carry fundamentally different risk profiles.
| Type | Mechanism | Risk Level | Key Risk |
|---|---|---|---|
| Fiat-Backed | 1:1 backed by US dollars and short-term US Treasuries held with banks and custodians. Issuer redeems on demand. | Lower | Counterparty risk on the issuer (USDC: Circle, USDT: Tether), including the issuer's ability to freeze addresses at the contract level. Regulatory seizure possible. |
| Crypto-Backed | Overcollateralized with crypto assets. Smart contract manages liquidations. | Medium | Collateral value collapse in extreme markets can trigger cascading liquidations. DAI is the established example. |
| Algorithmic | Peg maintained by token supply adjustments and arbitrage incentives. No direct collateral. | Higher | Death spiral risk if confidence breaks. UST/LUNA collapsed in 2022, wiping $40bn in value in days. |
| Yield-Bearing | Wrapper around a stablecoin position that automatically accrues interest. | Medium | Inherits the risk of the underlying stablecoin plus the risk of the yield protocol. |
The practical takeaway: fiat-backed stablecoins (USDC, USDT) are the most stable in practice, but they reintroduce counterparty risk. The issuer can freeze specific addresses, and regulators can apply pressure. Crypto-backed stablecoins are more decentralized but less reliable in acute stress. Algorithmic stablecoins have a demonstrably poor track record at scale and should be approached with significant caution.
For most DeFi participants, USDC is the working stablecoin of choice: liquid, redeemable, and with regularly attested reserves. For those who prioritize decentralization, DAI is the established alternative. Algorithmic stablecoins without substantial collateral backing are speculative instruments, not stable stores of value.
What This Means in Practice
Self-custody is not complicated, but it is unforgiving. A traditional bank account can recover from a forgotten password, a stolen card, or a compromised login. A self-custodied wallet cannot. The private key is the final word, and no support team exists to appeal to.
This is not an argument against self-custody. It is an argument for taking it seriously. The participants who have lost funds in DeFi have overwhelmingly done so through one of three vectors: poor seed phrase security, connecting to malicious contracts, or using platforms that held custody on their behalf and then failed.
The next article in this series examines how DeFi actually generates yield: exchanges, lending, and liquidity provision. Understanding that layer requires the foundation covered here.
Go deeper
DeFi Foundations
This article covers wallets, keys, and stablecoins at a summary level. The full course dedicates three complete chapters to these topics, with step-by-step setup guides, practical security checklists, and a framework for evaluating any stablecoin you encounter.
Courses are updated periodically. During an active update cycle, direct purchase and download are paused. In that case, a waitlist spot is offered automatically — with a 50% price advantage and email notification the moment the course goes live.
Disclosure: This article is published for informational and educational purposes only. It does not constitute financial or investment advice. White & TT is an independent research desk. White & TT may hold positions in assets mentioned in its research. Any such positions are disclosed transparently in relevant research publications.
White & TT LLC · whitett.info · research@whitett.info