The purpose of this document is to describe the custody agreements and arrangements between Deribit and its clients.
1. Business model
1.1 Execution model
1.1.1 Price-time priority
Deribit operates a central limit order book in which orders from customers will be matched according to the price-time priority principle, meaning that orders with the highest bid and lowest offer at a certain point in time will be placed at the top of the order book. Orders with the same bid and offer prices will be prioritised according to the time that they were entered in the order book.
1.1.2 Posting of margin
Margin to enter into or maintain a position in a derivative product on the trading platform needs to be maintained in the currency of the underlying contract, e.g. Bitcoin.
The firm currently does not accept any fiat currency on its trading platform. This means that, in order to post initial or variation margin, customers must buy the relevant cryptocurrency on an external cryptocurrency exchange such as Binance and then transfer the acquired cryptocurrency to their digital wallet maintained with Deribit. It is also possible to use the Deribit platform to buy cryptocurrency from a third party (e.g. Banxa or Legend Trading), which is then transferred to the Deribit account.
1.2 Settlement
All contracts are cash-settled in the underlying cryptocurrency: all settlement obligations are payable in the underlying cryptocurrency, with the amount payable depending on the value of the underlying cryptocurrency at the time of settlement.
For example, if a customer were to enter into a futures contract to buy 1 bitcoin in three months at $50,000 per bitcoin, but the bitcoin were to rise to $60,000 at the expiry date of the contract, then Deribit would settle and pay $10,000 worth of bitcoin to the customer.
1.3 Clearing
Although Deribit has no clearing house or clearing members connected to it, it does offer quasi-clearing services in the form of an insurance fund. Deribit acts as a settlement agent between the trading counterparties. In case a trading counterparty defaults on its obligation, the insurance fund will ensure that the financial obligations of the defaulted trading member are met vis-a-vis its trading counterparties. The moment the insurance fund is depleted, the financial obligations of the defaulting trading member are, as per our Exchange Terms, borne by other 'winning' trading participants on the platform during that trading day via a system of 'socialised losses'.
1.4 Custody
Customers are required to deposit underlying cryptocurrencies as initial and variation margin when they enter into derivative contracts on Deribit's trading platform. These cryptocurrencies must be held in a digital wallet that is held with Deribit.
The detailed custody arrangements are described in more detail below.
2. Detailed custody arrangements
Customers are required to deposit underlying cryptocurrencies as initial and variation margin when they enter into derivative contracts on Deribit's trading platform.
2.1 Asset storage
To trade in the products (options, futures) offered by Deribit, clients need to fund their account. Clients can deposit either BTC, ETH, USDC or USDT. Although it is not possible to transfer fiat currency into their account, it is possible to exchange one virtual asset for another (spot trading).
Client deposits will be received in the hot wallet of Deribit. The hot and warm wallets are managed by Fireblocks.
Deribit offers clients three types of custody solutions:
- via Deribit;
- via a third-party custodian; or
- self-custody.
2.1.1 Custody by Deribit
Deribit maintains three types of wallets to hold client funds:
- hot wallet;
- warm wallet; and
- cold wallet.
For security reasons, the hot and warm wallets are maintained by Fireblocks, a specialist third-party solution provider.
To lessen the risk of theft, fraud, hacking and misappropriation:
- Approximately 1-2% of user deposits are held in a hot wallet; these funds are primarily used to provide daily liquidity and support efficient withdrawal handling;
- Up to approximately 30% of user deposits are held in a warm wallet;
- The remainder of user deposits are held on-chain, but offline, in a ‘cold’ wallet. The private keys enabling access to these on-chain assets are held in secure bank vaults.
The hot wallet upper thresholds are defined on the basis of 1-2% of the platform assets, calculated per currency. The actual variable upper limit (the maximum allowed size of the hot wallet) ranges within these percentages and is expressed in absolute terms. The limits are defined per digital asset, not in USD values. Deribit bases this on historical data, past business experience and current market conditions. The upper and lower limits are constantly being fine-tuned and are highly dependent on daily deposits, withdrawals and overall market conditions. Since Deribit wants to limit the risk of theft, fraud and misappropriation, the hot wallet limit is kept at the minimum that still allows the platform to operate comfortably.
If the hot wallet exceeds the upper limit the over limit balance will automatically be sent to the warm wallet, which is called an “overflow”. An overflow transaction can only be sent to a predefined and whitelisted address. The lower limit defines the minimum size the hot wallet should have after an overflow transaction has been executed.
The specific limits for the warm wallet are the following:
- Warm wallet minimum balance: 5x a refill of the hot wallet;
- Warm wallet mid balance: 10x a refill of the hot wallet;
- Warm wallet maximum balance: 15x a refill of the hot wallet.
A refill is based on the midpoint of the lower and upper limit of the hot wallet. In normal market conditions we expect to see a warm wallet balance of approximately 7.5x a refill of the asset.
If the warm wallet balance exceeds 15x a refill, the excess is sent to cold storage, leaving 10x a refill.
The warm wallet can only be accessed manually by a selected number of employees of which a few can initiate transactions. These transactions always have to be approved by multiple employees. With these warm wallet limits we are able to maintain a low hot wallet balance, enough balance to perform hot wallet refills and ensure we do not need to access the cold wallet often.
2.1.1.1 Hot wallet
The hot wallet is used to facilitate deposits and withdrawals from clients. The determination of the maximum amount of virtual assets that is held within the hot wallet is based on market conditions as described in section 4.1.1. In case the amount of virtual assets exceeds the threshold as defined by Deribit, this “overflow” is transferred to the warm wallet.
Deposits
The following process is followed in relation to deposits:
- Clients can deposit crypto assets after they have been KYC’d.
- Once verified, a client can request a deposit address (an on-chain address) to which they can send funds. These addresses are linked to client accounts held with Deribit. These unique addresses are automatically created and managed from within the Fireblocks system.
- When those funds arrive at the unique client-specific deposit address, Deribit will credit the customer’s account held at Deribit with the funds received. After the deposit has been received, Deribit will redirect the received assets to our central hot wallet address.
- Clients do not hold the public or private key associated with the addresses.
Withdrawals
The following process is followed in relation to withdrawals:
- withdrawals are automatically submitted by clients through an API or the website to whitelisted withdrawal addresses;
- upon receipt by the Deribit system, a confirmation email is sent to the client requesting the withdrawal (optional);
- the withdrawal request is automatically reviewed by the system:
  a. request is deemed OK (the account to which the funds are directed is a known address): the withdrawal request is manually confirmed and sent to Fireblocks (see step 4);
  b. request is deemed not OK (the account to which the funds are directed is an unknown address or was only recently added):
     i. call back to the client to confirm the withdrawal request; if confirmed, the request is manually confirmed and sent to Fireblocks to electronically sign it (see step 4).
- Fireblocks signs the withdrawal request;
- An assigned person within Deribit also signs the withdrawal request using a confirmation in a mobile phone application. The size of the withdrawal determines who is entitled to approve it within the Fireblocks application;
- The withdrawal request is processed by Fireblocks and the assets are sent on-chain to the destination specified by the client.
2.1.1.2 Warm wallet
The warm wallet is used to replenish the hot wallet if withdrawal requests exceed reserves. The determination of the maximum amount of virtual assets that is held within the warm wallet is based on market conditions as described in section 4.1.1. In case the amount of virtual assets exceeds the threshold as defined by Deribit, this “overflow” is transferred to the cold wallet.
A limited number of people within Deribit are authorised to replenish the hot wallet from the warm wallet.
The warm wallet is subject to the following security protocols:
- Transfer requests from the warm wallet can only go to whitelisted accounts;
- These are the hot wallet addresses as well as some whitelisted destinations such as our third-party custodians.
The following process is followed in relation to transfer requests:
- Automated check against the above security protocols;
- Fireblocks electronically signs the transfer request;
- Assigned person 1 from Deribit electronically signs the transfer request;
- Assigned person 2 from Deribit electronically signs the transfer request;
- The transfer request is processed.
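The withdrawal process in 2.1.1.1 and the warm wallet transfer process above share the same shape: an automated destination check (known, unknown or recently whitelisted address), a client call-back where the check fails, and a signature quorum in which Fireblocks and one or two assigned persons must all sign before anything moves. The following Python is an added example written for this page, not Deribit's or Fireblocks' code; the data model, the 24-hour "recently added" window, the per-asset size tiers that decide who must approve, and all addresses and amounts are constructed assumptions.

```python
"""Transfer authorisation checks modelled on the client-withdrawal and
warm-wallet transfer processes described in this policy.

Added example, not Deribit's code.  Assumptions: the data model, the 24-hour
"recently added" window and the per-asset size tiers for senior sign-off."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

RECENT_WINDOW = timedelta(hours=24)             # assumed: whitelist entry younger than this is "recently added"
LARGE_WITHDRAWAL = {"BTC": 10.0, "ETH": 100.0}  # assumed: size above which a senior approver must sign


@dataclass
class WhitelistEntry:
    address: str
    added_at: datetime


@dataclass
class TransferRequest:
    source: str        # "hot" = client withdrawal, "warm" = internal transfer
    destination: str
    asset: str
    amount: float
    signatures: set = field(default_factory=set)   # roles that have signed so far


def automated_review(req, whitelist, now):
    """Automated review step.  Returns 'confirm' (known destination), 'callback'
    (withdrawal to an unknown or recently added address: client call-back needed)
    or 'reject' (a warm-wallet transfer may only go to a whitelisted destination)."""
    entry = whitelist.get(req.destination)
    if req.source == "warm":
        return "confirm" if entry is not None else "reject"
    if entry is None or now - entry.added_at < RECENT_WINDOW:
        return "callback"
    return "confirm"


def required_signers(req):
    """Signature quorum: Fireblocks always signs; a warm-wallet transfer needs two
    assigned persons; a withdrawal needs one approver, senior above the size tier."""
    signers = {"fireblocks"}
    if req.source == "warm":
        signers |= {"assigned_person_1", "assigned_person_2"}
    elif req.amount >= LARGE_WITHDRAWAL.get(req.asset, float("inf")):
        signers.add("senior_approver")
    else:
        signers.add("approver")
    return signers


def can_process(req, whitelist, now, callback_confirmed=False):
    """Release the request only if the review passed (or the client confirmed on
    call-back) and every required signature is present."""
    outcome = automated_review(req, whitelist, now)
    if outcome == "reject" or (outcome == "callback" and not callback_confirmed):
        return False
    return required_signers(req) <= req.signatures


# Constructed sample data for a stand-alone run (addresses are placeholders, not real)
NOW = datetime(2024, 1, 15, 12, 0)
WHITELIST = {
    "addr-client-known": WhitelistEntry("addr-client-known", NOW - timedelta(days=30)),
    "addr-client-new": WhitelistEntry("addr-client-new", NOW - timedelta(hours=2)),
    "addr-hot-wallet": WhitelistEntry("addr-hot-wallet", NOW - timedelta(days=365)),
}


def demo():
    """Run the five cases a reviewer would want to see and return the outcomes."""
    cases = {
        "known": TransferRequest("hot", "addr-client-known", "BTC", 0.5, {"fireblocks", "approver"}),
        "recent": TransferRequest("hot", "addr-client-new", "BTC", 0.5, {"fireblocks", "approver"}),
        "large": TransferRequest("hot", "addr-client-known", "BTC", 25.0, {"fireblocks", "approver"}),
        "refill": TransferRequest("warm", "addr-hot-wallet", "BTC", 40.0, {"fireblocks", "assigned_person_1"}),
        "stray": TransferRequest("warm", "addr-unlisted", "BTC", 1.0,
                                 {"fireblocks", "assigned_person_1", "assigned_person_2"}),
    }
    results = {}
    for name, req in cases.items():
        results[name] = (automated_review(req, WHITELIST, NOW),
                         can_process(req, WHITELIST, NOW),
                         can_process(req, WHITELIST, NOW, callback_confirmed=True))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:7s} review={outcome[0]:9s} release={outcome[1]} release_after_callback={outcome[2]}")
```

The "stray" case is the one that matters for the warm wallet: a transfer to a non-whitelisted destination is rejected before any signature is counted, so a full quorum of signers cannot override the whitelist. The "large" case shows why the size tier has to be evaluated from the request itself rather than from who happened to sign.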
Furthermore, the warm wallet is used as the overflow destination of the hot wallet setup. Per asset the system has a maximum, and if the hot wallet exceeds this maximum, a withdrawal from hot to warm is initiated automatically. For example, if this maximum is 200 BTC and, due to a large deposit, the actual balance is 300 BTC, the system triggers an overflow withdrawal of e.g. 150 BTC (bringing the hot wallet back to its minimum balance), which is sent to Fireblocks for processing.
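The tiering rules in 2.1.1 (hot limits of 1-2% of platform assets per currency, a refill defined from the midpoint of the hot limits, warm limits of 5x/10x/15x a refill, and overflow from warm to cold leaving 10x) and the overflow example above can be expressed as one small rebalancing routine. The following Python is an added example for this page, not Deribit's code; the platform total, the warm and cold balances, the choice to pass the hot limits in basis points, and the interpretation of a refill as topping the hot wallet up to the midpoint of its limits are all assumptions.

```python
"""Hot / warm / cold tiering arithmetic as described in this policy (the 1-2% hot
limits, the 5x / 10x / 15x warm limits, and the overflow rules).

Added example, not Deribit's code.  Assumptions: limits are passed in basis points,
a refill tops the hot wallet up to the midpoint of its limits, and all balances are
constructed sample values."""
from dataclasses import dataclass


@dataclass
class TierLimits:
    hot_lower: float   # minimum hot balance after an overflow
    hot_upper: float   # maximum allowed hot balance
    refill: float      # midpoint of the hot limits; one "refill"
    warm_min: float    # 5x a refill
    warm_mid: float    # 10x a refill; target after a sweep to cold
    warm_max: float    # 15x a refill


def derive_limits(platform_total, lower_bps=100, upper_bps=200):
    """Limits are per asset and in absolute units of that asset.  The hot limits sit
    between 1% and 2% of platform assets; the warm limits are multiples of a refill."""
    hot_lower = platform_total * lower_bps / 10000
    hot_upper = platform_total * upper_bps / 10000
    refill = (hot_lower + hot_upper) / 2
    return TierLimits(hot_lower, hot_upper, refill, 5 * refill, 10 * refill, 15 * refill)


def rebalance(hot, warm, cold, limits):
    """Apply the tier rules once and return (new balances, transfers).

    hot  > hot_upper : automatic overflow to the whitelisted warm address, down to hot_lower
    hot  < hot_lower : manual, multi-approved refill from warm up to the midpoint (assumed)
    warm > warm_max  : manual, multi-approved sweep to cold, leaving warm_mid"""
    transfers = []
    if hot > limits.hot_upper:
        amount = hot - limits.hot_lower
        hot, warm = hot - amount, warm + amount
        transfers.append(("hot->warm", amount, "automatic overflow"))
    elif hot < limits.hot_lower:
        amount = min(limits.refill - hot, warm)
        hot, warm = hot + amount, warm - amount
        transfers.append(("warm->hot", amount, "manual refill, multi-approval"))
    if warm > limits.warm_max:
        amount = warm - limits.warm_mid
        warm, cold = warm - amount, cold + amount
        transfers.append(("warm->cold", amount, "manual sweep, multi-approval"))
    return (hot, warm, cold), transfers


def policy_example():
    """The case given in the policy text: maximum 200 BTC, a deposit pushes the hot
    wallet to 300 BTC, and an overflow of 150 BTC returns it to the minimum balance
    (so the minimum is 150 BTC).  Warm and cold balances are constructed."""
    limits = TierLimits(hot_lower=150.0, hot_upper=200.0, refill=175.0,
                        warm_min=875.0, warm_mid=1750.0, warm_max=2625.0)
    return rebalance(300.0, 1000.0, 8000.0, limits)


if __name__ == "__main__":
    limits = derive_limits(10000.0)   # constructed: 10,000 units of one asset on the platform
    print(limits)
    print(rebalance(250.0, 2200.0, 7550.0, limits))   # overflow, then a sweep to cold
    print(rebalance(80.0, 1000.0, 9000.0, limits))    # hot below its floor: refill
    print(policy_example())
```

Note that only the hot-to-warm leg is automatic; the refill and the sweep to cold are returned as transfers that still need the manual multi-approval described for the warm wallet, and an overflow is only ever addressed to the predefined warm address.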
2.1.1.3 Cold wallet
The cold wallet is used to keep the majority of customer funds safe from unauthorised users.
Deribit uses a multi-signature, split private key system to ensure that a signature quorum is required to gain access to the cold storage funds. This means that no single party alone can have access to the cold wallet. This decreases the risk of theft, targeted attacks or loss of funds due to lost access to the key. Additionally, Deribit has developed a strict multi-layer asset access protocol, which governs the signing process of the transactions.
Two different people have access to the cold wallet. Private keys are dispersed over multiple physical vaults.
2.1.2 Third-party custodian
Deribit offers the following third-party custody solutions for its clients:
- Copper Clearloop
- Cobo Loop
2.1.2.1 Copper Clearloop
Deribit has fully integrated Copper Clearloop into its infrastructure. Clearloop is an off-chain solution, which means that settlement will take place outside the blockchain protocol.
Both Deribit and the client open an account with Copper in which funds are deposited. This means that assets never leave the Copper environment. Any credits and debits are processed by Copper between the accounts of Deribit and the client. Clearloop ensures that both the client and Deribit have enough assets allocated to cover any position submitted by the client before it is opened. Deribit always makes sure that the aggregate of client equity is covered in the Deribit trading balance at Copper Clearloop. Client equity reflects all trades, settlements and P&L, and for that reason is the sole value of importance. Clients can deposit and withdraw by transferring funds between their custody balance within Deribit and their Deribit trading balance. Funds in the so-called Deribit trading balance cannot be moved to the custody balance without a check by Deribit (available balance check). Once the funds are in the custody account they can be withdrawn to Copper (undelegated).
Copper ensures that all clients' assets are segregated and protected with multi-party computation (“MPC”). Additionally, clients are also protected by Copper's crypto crime insurance policy (up to $500 million).
2.1.2.2 Cobo Loop
The Deribit implementation of Cobo Loop is slightly different, as in this case it is a hybrid model offering both off-chain and on-chain withdrawal ability. The off-chain solution is similar to that of Copper Clearloop (see above) and includes instant off-chain settlement, immediate collateral transfer and security.
Additionally, Deribit allows Cobo clients to withdraw funds from their Deribit account for on-chain settlement as well (e.g. from Deribit to Bitmex or any platform not connected to Cobo Loop).
2.1.3 Self-custody with Fireblocks
Fireblocks offers an on-chain custody solution. Clients can hold an account, a CVA (“Collateral Vault Account”), in their own name, effectively becoming their own custody provider. They are in control of their workspaces, vaults and wallets, including Multi-Party Computation (MPC) keys. They also have the flexibility to tailor their own Transaction Authorization Policy (TAP) and establish their unique recovery kits.
A unique vault is designated to Deribit. Assets deposited into this specialised Deribit vault are used for trading activities on the platform. This particular vault, belonging to a client, is interconnected with Deribit through an API. Furthermore, Deribit needs to notify Fireblocks to establish a connection with this particular client's vault. Therefore, all three parties - the Client, Deribit, and Fireblocks - need to consent to this arrangement. The process of creating this connection is manual and cannot be initiated automatically for a Deribit client.
When a client deposits assets into their designated Deribit vault, the funds are updated, and Deribit is informed via the API. This enables Deribit to credit the client's wallets with the assets.
The usual Deribit procedures handle trading, margins, withdrawals, settlements, fees, etc. Clients can only withdraw assets once the Deribit API approves, which naturally follows standard procedures such as checking funds, margins, and open positions to ensure sufficient funds are available.
In instances where Deribit fails to respond or handle funds appropriately, clients can file a complaint with Fireblocks. Fireblocks has the capacity to investigate whether Deribit adhered to the agreed procedures as per the legal contract. There are four potential scenarios that a client might face:
- Deribit responds efficiently;
- Deribit ceases operations;
- Deribit issues unusual responses or requests;
- Other unforeseen situations.
Fireblocks has rigorous procedures to scrutinise all these different circumstances. Ultimately, this offers market makers the highest level of confidence, particularly following incidents like the one involving FTX. The solution is beneficial for Deribit to provide and equally advantageous for clients from a risk management perspective.
2.1.3.1 Third-party custodian terms of service
2.1.3.1.1 Copper ClearLoop
Both clients and Deribit enter into agreements with Copper which are governed by English law. Where Copper acts as settlor this is done according to the detailed documentation as summarised above. Where Copper acts as custodian of the funds it does so as trustee under English law and therefore has a fiduciary duty. Customer funds are segregated from Copper’s own funds by this trust construction, thereby reducing risk in case of bankruptcy of Copper.
2.1.3.2 Self-Custody terms of Service
2.1.3.2.1 Fireblocks “Off-Exchange”
Fireblocks “Off-Exchange” is described as “software as a service” or “infrastructure as a service”. Both clients and Deribit contract for a connection to this service (or infrastructure), but they will have to work out the terms and conditions that apply between themselves (hence: “self-custody”). Fireblocks explicitly is not a party to their agreement and only provides the access. In principle Fireblocks also does not accept liability in case anything goes wrong with this construction.
Deribit will have separate terms and conditions in place with the client under which clients will use the “Off-Exchange” solution of Fireblocks. Since it will always be the client who wishes to use this solution, in principle the client will remain liable if anything goes wrong with the use of this solution, such as where the CVA is not designated to Deribit where it should be, or in any other way does not offer recourse for Deribit to cover any trading losses of the client.
2.1.3.3 No exemption from socialised losses
Third party custody setups are not exempt from socialised losses.
3. Audit and ongoing review
3.1 Ongoing review
The CISO will regularly assess the security of Deribit’s information technology systems and software integration with external parties and ensure that appropriate safeguards are implemented in order to mitigate risks.
The CISO’s ongoing review must ensure that Deribit is safeguarding access to Virtual Assets in accordance with industry best practices and, in particular, to ensure that there is no single point of failure in Deribit’s access to, or knowledge of, Virtual Assets held by Deribit.
Any safeguards implemented will be reported to the Board and the Internal Auditor and shall be reviewed by the third-party auditor as part of the annual audit.
4. Wallet generation and storage of keys and seed phrases
4.1 Hot/Warm wallets
The hot and warm wallets are created and managed by Fireblocks. All clients have deposit addresses that are generated within the hot wallet. The seed phrases to restore the public and private keys of all wallets are in possession of Deribit. These storage devices are stored within bank vaults on multiple geographically chosen locations.
4.2 Cold wallets
Deribit cold wallets are high-security offline storage that makes use of a multi-signature, split private key system. In order to achieve full risk decentralisation, keys are stored in multiple geographically distributed military-grade offline vaults, in bank safe-deposit boxes.
The seed phrases to restore the public and private keys of the cold wallets are stored on military-grade, PIN-code protected USB devices. A limited number of people have access to the devices on which the recovery seed phrases are stored.
4.3 Access revocation
Private keys and seed phrases are stored in secure vaults. If any individual with access to the vaults leaves Deribit, steps will be taken to ensure that the individual’s access is revoked immediately, and no later than 24 hours after the individual’s notice of resignation. In addition, Deribit must ensure that its key generation processes guarantee that revoked signatories have neither access to the backup seed phrase nor knowledge of the seed phrase used in the key’s creation.
An audit of access permissions will be performed on a quarterly basis.
Deribit will continuously monitor which individuals have used their access and any such use will be promptly reported to the Compliance Officer. If the Compliance Officer reasonably suspects that an individual has had improper access, such access will be immediately revoked.
4.4 Access Control Register
Deribit will maintain an appropriate Access Control Register in order to keep track of individuals:
- that have been onboarded and offboarded; and
- that have access to seed phrases or private keys, and when this access was granted and revoked.
The Compliance Officer is responsible for keeping the Access Control Register up to date.
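The register described in 4.3 and 4.4 is only useful if it is actually checked against the policy's two testable requirements: revocation within 24 hours of notice, and no single point of failure in access to, or knowledge of, key material (sections 3.1 and 6). The following Python is an added example for this page, not Deribit's code; the register layout, the names, dates and key names, and the quorum assumed for the split cold key are all constructed.

```python
"""Checks over an Access Control Register of the kind described in sections 4.3
and 4.4: revocation within 24 hours of notice, and no single point of failure in
access to or knowledge of key material.

Added example, not Deribit's code.  Assumptions: the register layout, the
constructed names and dates, and the per-key quorum."""
from collections import defaultdict
from datetime import datetime, timedelta

REVOCATION_SLA = timedelta(hours=24)   # policy: access revoked no later than 24 hours after notice
QUORUM = {"cold-btc": 2}               # assumed: shares needed to sign from this cold key

# Constructed register rows: one row per grant of a secret to a person.
# Secrets named "key:share-n" are shares of a split key; others are single secrets.
REGISTER = [
    {"person": "alice", "secret": "cold-btc:share-1", "granted": "2023-01-10T09:00", "revoked": None},
    {"person": "alice", "secret": "cold-btc:share-2", "granted": "2023-06-01T09:00", "revoked": None},
    {"person": "bob",   "secret": "cold-btc:share-2", "granted": "2023-01-10T09:00", "revoked": "2024-03-03T09:00"},
    {"person": "carol", "secret": "cold-btc:share-3", "granted": "2023-01-10T09:00", "revoked": None},
    {"person": "dave",  "secret": "cold-btc:share-3", "granted": "2023-01-10T09:00", "revoked": None},
    {"person": "bob",   "secret": "warm-seed",        "granted": "2023-01-10T09:00", "revoked": "2024-03-01T17:00"},
    {"person": "dave",  "secret": "warm-seed",        "granted": "2023-01-10T09:00", "revoked": None},
    {"person": "erin",  "secret": "warm-seed",        "granted": "2023-01-10T09:00", "revoked": None},
]
NOTICES = {"bob": "2024-03-01T09:00"}   # constructed notice-of-resignation timestamps
NOW = datetime(2024, 4, 1, 9, 0)


def _ts(value):
    return datetime.fromisoformat(value) if value else None


def late_revocations(register=REGISTER, notices=NOTICES, now=NOW):
    """Grants of a departing individual that were revoked more than 24 hours after
    notice, or that are still active past the deadline."""
    findings = []
    for row in register:
        notice = notices.get(row["person"])
        if notice is None:
            continue
        deadline = _ts(notice) + REVOCATION_SLA
        revoked = _ts(row["revoked"])
        if revoked is None and now > deadline:
            findings.append((row["person"], row["secret"], "still active"))
        elif revoked is not None and revoked > deadline:
            findings.append((row["person"], row["secret"], "revoked late"))
    return findings


def active_holders(register=REGISTER, now=NOW):
    """Map each secret to the people whose grant is active at `now`."""
    holders = defaultdict(set)
    for row in register:
        revoked = _ts(row["revoked"])
        if _ts(row["granted"]) <= now and (revoked is None or revoked > now):
            holders[row["secret"]].add(row["person"])
    return holders


def single_points_of_failure(register=REGISTER, quorum=QUORUM, now=NOW):
    """Flag secrets known by fewer than two active people (loss of access if one
    person is unavailable) and any one person who alone holds enough shares of a
    split key to reach its quorum (single-party access)."""
    holders = active_holders(register, now)
    findings = [(secret, "fewer than two active holders")
                for secret, people in sorted(holders.items()) if len(people) < 2]
    shares_by_person = defaultdict(lambda: defaultdict(set))   # key -> person -> shares
    for secret, people in holders.items():
        key, _, share = secret.partition(":")
        if share:
            for person in people:
                shares_by_person[key][person].add(share)
    for key, needed in quorum.items():
        for person, shares in sorted(shares_by_person[key].items()):
            if len(shares) >= needed:
                findings.append((key, f"{person} alone holds {len(shares)} of {needed} shares needed"))
    return findings


if __name__ == "__main__":
    print("late revocations:", late_revocations())
    print("single points of failure:", single_points_of_failure())
```

In the constructed data the quarterly review would surface three things: one share of the cold key revoked two days after notice instead of within 24 hours, two shares known by only one person each, and one person who, by being granted a second share, can alone reach the cold key's quorum. The first is a breach of 4.3; the other two are the "single point of failure" conditions that 3.1 and 6 require the review to exclude.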
5. Segregation of client assets
All client funds are held in Deribit’s hot, warm and cold wallets, which also include third party custody wallets. Deribit’s hot wallet has deposit addresses for all clients. Those addresses are linked to the accounts that clients hold with Deribit.
Deribit has a real time ledger on which all transactions are recorded (the transactions can, of course, at all times also be viewed via on-chain block explorers). This information is held in two data centres across two separate locations: the United Kingdom and Switzerland. So at any point in time Deribit knows exactly which and how much of an asset belongs to its clients.
6. Periodic independent review
The custody mechanisms described in this policy shall be subject to an audit by an independent third-party auditor on an annual basis. The terms of reference for the audit must include ensuring that the custody mechanisms are in line with industry best practice and that there is no single point of failure in Deribit’s access to, or knowledge of, Virtual Assets held by Deribit.