Two Keys Are Better Than One: A Crypto Business Guide to Multi-Sig
- Multi-sig kills the single point of failure. No lone stolen key, lost seed, or rogue insider can move funds on its own.
- Three models worth knowing: on-chain scripts, threshold signatures, and MPC. The last two produce one ordinary-looking signature on-chain, which is cheaper and more private.
- It is not bulletproof. Bitfinex in 2016, the Parity bugs in 2017, the BitGo flaw in 2023, and the Bybit breach in 2025 all show the scheme is only as strong as its weakest link.
- Governance is the actual product. Who holds keys, how many must sign, and how transactions get verified out-of-band matter more than the cryptography brand.
- Regulators expect strong custody without naming a technology. FinCEN, MiCA, the UK’s incoming regime, and Singapore’s MAS all point toward multi-party key control as the baseline.
Shared custody through multi-signature wallets has gone from a nice-to-have to a basic requirement for any business holding crypto. The logic is straightforward. A single-key wallet has a single point of failure. Steal the key, phish the seed, or compromise one insider, and the money is gone. Multi-sig removes that by requiring multiple approvals before any transaction moves.
A multi-signature wallet needs more than one private key to authorize a transaction. Instead of one person controlling a balance with one key, control is distributed. A 2-of-3 multi-sig wallet means any two of three keyholders must co-sign. In traditional on-chain multi-sig, each required signer adds a separate valid signature, and the network or smart contract checks that enough signatures are present. In threshold and MPC systems, the parties coordinate off-chain to produce one final signature. The result is a valid transaction that moves funds on-chain, and no single compromised key can do that alone. Requiring two or more individuals to approve a transaction enhances security for corporate funds.
The cryptographic principle underneath is consistent. Any authorized subset, say any 2 of 3 signers, can reconstruct the key or use their key shares to sign, while a minority below the threshold cannot. That is typically achieved through secret-sharing, such as Shamir’s Secret Sharing, combined with secure protocols for signing or key management.
The three schemes
Modern multi-sig comes in three flavors, and the differences are practical.
On-chain multi-sig scripts require each signer’s full signature to be published on-chain. Bitcoin supports this natively through opcodes like OP_CHECKMULTISIG, so a P2SH address might require any 2 of 3 listed keys. On Ethereum and other chains, multisig is usually a smart contract, with Safe (formerly Gnosis Safe) requiring approval from M of N owners before a transaction executes. The approach is simple, transparent, and easy to audit because every signature and public key is explicit. The cost is that transaction size grows with each signature and public key, which raises fees, and the chain shows exactly how many signers were used.
Threshold or scriptless signatures use newer schemes like MuSig and FROST that let a group jointly produce one public key and one signature on-chain. Each signer still holds a key share internally, but the final transaction looks like an ordinary single-signer transaction. That cuts transaction data and improves privacy, since outsiders cannot see how many parties signed or even that multisig was used. Bitcoin’s MuSig2 and Taproot upgrades enable 2-of-3 Schnorr signatures that appear as one signature on-chain. The cost is coordination complexity: participants run an off-chain protocol to combine shares, and the scheme has to protect against malicious or faulty signers.
MPC, or multi-party computation, wallets use protocols so that no single private key ever exists. The key is split into shares on independent devices or servers, and to sign, the devices run an MPC protocol where each computes a partial result and they combine into a valid final signature. As Fireblocks describes it, MPC removes the concept of a single private key entirely, with each endpoint independently validating the transaction and contributing its share without any single endpoint ever holding the complete key. MPC is protocol-agnostic, so the same shares can sign on any chain, and key shares can be refreshed off-chain without changing addresses.
The advantage of threshold and MPC over naive on-chain multi-sig is that only one signature appears on-chain even when multiple parties signed. That makes transactions smaller and cheaper and hides the multi-party structure from observers. A 2-of-3 Bitcoin multi-sig, by contrast, spends space on two full signatures and three public keys. But scriptless schemes demand advanced cryptography, and the difficulty is not theoretical. As Lightspark explains, implementing threshold signatures involves complex protocols for key-sharing and signing, and mistakes can be critical. Fireblocks researchers found a flaw in BitGo’s threshold-ECDSA implementation that could leak entire private keys, traced to omitting required zero-knowledge proofs. Fireblocks sums up the trade-off: multi-sig’s risks sit in implementation quality and key management, since each key is a complete point of failure, while MPC eliminates any complete key and gives more uniform security across chains.
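To make the size and visibility cost of on-chain multi-sig concrete, this added example (not taken from any wallet named here) builds a 2-of-3 OP_CHECKMULTISIG script, reads the policy back out of it as a chain observer could, and counts the witness bytes a spend carries next to a single Schnorr signature. It uses the P2WSH form, placeholder keys that are not real curve points, and an assumed 72-byte ECDSA signature; the function names are illustrative.

```python
import hashlib

OP_0, OP_1, OP_CHECKMULTISIG = 0x00, 0x51, 0xAE
PUSH_33 = 0x21                      # push opcode for a 33-byte compressed key
# Witness of a single-signature Taproot key-path spend:
# item count + length prefix + one 64-byte Schnorr signature.
KEYPATH_WITNESS_BYTES = 1 + 1 + 64


def multisig_script(m, pubkeys):
    """Build OP_m <key>... OP_n OP_CHECKMULTISIG (n <= 16 so OP_1..OP_16 suffice)."""
    n = len(pubkeys)
    if not 1 <= m <= n <= 16:
        raise ValueError("need 1 <= m <= n <= 16")
    if any(len(pk) != 33 or pk[0] not in (2, 3) for pk in pubkeys):
        raise ValueError("expected 33-byte compressed public keys")
    # Sorted keys (the BIP67 convention) so every cosigner derives the same script.
    pushes = b"".join(bytes([PUSH_33]) + pk for pk in sorted(pubkeys))
    return bytes([OP_1 + m - 1]) + pushes + bytes([OP_1 + n - 1, OP_CHECKMULTISIG])


def p2wsh_script_pubkey(witness_script):
    """Output script committing to the policy: OP_0 <32-byte SHA-256 of the script>."""
    return bytes([OP_0, 32]) + hashlib.sha256(witness_script).digest()


def read_policy(script):
    """Recover (m, n, keys) from a revealed script, as any chain observer can."""
    if len(script) < 3 + 34 or script[-1] != OP_CHECKMULTISIG:
        raise ValueError("not a bare m-of-n multisig script")
    m, n = script[0] - OP_1 + 1, script[-2] - OP_1 + 1
    keys, pos = [], 1
    while pos + 34 <= len(script) - 2 and script[pos] == PUSH_33:
        keys.append(script[pos + 1:pos + 34])
        pos += 34
    if pos != len(script) - 2 or len(keys) != n or not 1 <= m <= n <= 16:
        raise ValueError("malformed multisig script")
    return m, n, keys


def prefix_len(length):
    """Bytes used by the compact-size length prefix (lengths here are < 65536)."""
    return 1 if length < 253 else 3


def multisig_witness_bytes(m, n, sig_len=72):
    """Serialized witness size for spending an m-of-n P2WSH output.
    sig_len=72 is an assumed typical DER ECDSA signature plus sighash byte."""
    script_len = 3 + 34 * n
    # Items: the empty dummy element CHECKMULTISIG consumes, m signatures, the script.
    items = [0] + [sig_len] * m + [script_len]
    return prefix_len(len(items)) + sum(prefix_len(i) + i for i in items)


if __name__ == "__main__":
    # Constructed placeholder keys (right length and prefix, not real curve points).
    keys = [bytes([2]) + bytes([i]) * 32 for i in (1, 2, 3)]
    script = multisig_script(2, keys)
    print("observer sees policy:", read_policy(script)[:2])
    print("scriptPubKey:", p2wsh_script_pubkey(script).hex())
    for m, n in [(2, 3), (3, 5), (11, 15)]:
        print(f"{m}-of-{n}: {multisig_witness_bytes(m, n)} witness bytes "
              f"vs {KEYPATH_WITNESS_BYTES} for one Schnorr signature")
```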
Hybrid models exist too. A custodial service might hold one key in an HSM and require a second user signature, which is technically a 2-of-2 on-chain but managed centrally. The common thread is that all of these are ways to achieve shared custody, multiple approvals over the key controlling assets.
Implementation patterns
Implementing multi-sig comes down to where keys are stored and how signing gets coordinated. For Bitcoin and compatible chains, native on-chain multisig uses built-in scripts: a wallet generates N public keys and creates a P2SH or P2WSH address requiring M-of-N signatures, with each signer holding a private key offline, often on a hardware wallet. Wallets like Electrum, or hardware combinations like Trezor plus Coldcard, implement these entirely on-chain. On Ethereum and EVM chains, smart-contract vaults are the usual route, with Safe the popular example: an on-chain smart wallet where owners and an approval threshold are set at deployment, supporting batching and DeFi integration but costing gas to deploy and execute.
Hybrid custodial multi-sig is the model some institutions adopt. BitGo pioneered a setup where the customer holds two key shares, one on a device and one in an encrypted file, and BitGo holds a third in an HSM; the customer signs, the platform co-signs, and the combined signature is broadcast. It is technically multi-sig but the keys are centrally managed, and FinCEN has noted that such providers may or may not count as money transmitters depending on whether they also hold assets. In MPC wallet deployments, each signer runs wallet software (cloud services, on-premise HSMs, or mobile apps) that generates key shares and jointly computes the public address, then exchanges messages through a secure hub to produce a normal signature. Fireblocks, Curv, and Qredo use MPC behind the scenes, often as a wallet-as-a-service model. Hardware wallet collaboration is another pattern: a Bitcoin 2-of-3 multisig can have each key on a separate Ledger or Trezor, with software like Electrum or Specter Desktop coordinating the signing, which physically enforces shared custody across devices in different vaults.
Threshold schemes like FROST or MuSig2 also need a distributed key generation step to create shares without ever exposing the full key. Shared custody can be split by role rather than just by key, so the board holds one key, the CEO another, the CFO a third. And some multi-sig contracts allow time-locks, where a transaction not signed by enough members within a set window triggers an alternative path.
The providers
The ecosystem is busy. On the software side, Electrum and Sparrow Wallet let users build their own Bitcoin multi-sig by connecting multiple hardware wallets, and Safe is the dominant Ethereum and EVM smart-contract multi-sig, used by DeFi projects and enterprises. Among custodial platforms, BitGo pioneered enterprise multi-sig wallets where customers hold two keys and BitGo holds the third, with custody insurance on top; Fireblocks provides an MPC-based wallet-as-a-service to institutions; Curv, now part of PayPal, and Qredo also use MPC; and traditional exchanges like Coinbase, Kraken, and Binance offer institutional custody using multi-party schemes internally. On the hardware side, Ledger and Trezor support multi-sig when paired with third-party software, and the Coinkite Coldcard focuses specifically on Bitcoin multisig. Native protocol support varies: Bitcoin fully supports multisig scripts, Ethereum relies on smart contracts, and newer chains like Algorand have built-in multisig.
Integration: custodial, non-custodial, hardware, smart-contract
Crypto businesses can integrate multi-sig in different ways depending on their trust model.
Non-custodial, or self-custody, means the organization holds all keys or key shares itself. For on-chain multi-sig, that means hardware wallets and backups for each signer, ideally in different locations. For MPC, it means running your own nodes or HSMs. Self-custody gives full control and avoids counterparty risk, but it requires strong internal security and procedures, and it often falls under non-custodial wallet definitions, which carry less regulatory burden.
Custodial third-party services like BitGo, Fireblocks, or Coinbase Custody hold one or more key shares in a secured environment while the business’s signers hold the others. That offloads hardware management and some security operations, and custodial providers often offer insurance and compliance support. The cost is third-party risk, though in an M-of-N scheme the custodian cannot sign alone if they hold only one share. Many custodial solutions use 2-of-2 or 2-of-3 schemes in practice.
Hardware wallets are recommended for key storage in any of these models. An exchange might require two approvals to move funds, one from a hardware vault in New York and one from a vault in Singapore. Smart-contract vaults are the route on chains with smart contracts: integration means interacting with the contract’s interface or sending signed messages to it, and a treasury system might let an administrator propose a transaction and route it through a Safe contract’s execTransaction only once enough co-signers have pre-signed off-chain.
The practical considerations are compatibility and user experience. On Bitcoin, only native script-based or PSBT multi-sig is possible. On Ethereum, you choose between contracts and threshold approaches. Some newer chains only support multisig via on-chain programs. Picking a provider often comes down to whether the business is comfortable extending any trust to a third party, and whether it needs full multi-chain support, which favors threshold or MPC. Many institutions run hybrid models: day-to-day liquidity in a self-custodied, easy-access multi-sig wallet, with the bulk of reserves in a custodial MPC vault.
The benefits, and the limits
The main benefit is eliminating single-point compromise. With a single-key wallet, any breach of that key means total loss. If an attacker gets one key share, they cannot sign alone. If one co-signer’s device is compromised, funds stay safe as long as the threshold is not reached. If a key is lost, backups or additional signers can still transact. Multi-sig also brings governance and audit advantages, since every transaction needs explicit approval from multiple roles, which aligns with how businesses already operate.
The limits are real. Coordination is the first one: more parties have to coordinate for every transaction, and if keyholders are in different time zones or need hardware to sign, latency goes up. Changing signers often means creating a new wallet address or updating a contract on-chain, which Fireblocks calls operationally inflexible. Implementation risk is the second, and the incident history is the evidence. The 2016 Bitfinex hack exploited a flaw in a 2-of-3 scheme. The 2017 Parity multisig library bugs froze or lost over $300 million. BitGo’s 2023 threshold-signature vulnerability showed a single exploit could expose all key shares. Usability is the third: multi-sig is harder for end users, creating and managing the wallets demands more technical setup, and for fast or low-value transfers it can be overkill, which is why some businesses use a tiered approach where only large transfers trigger multi-sig. There are smaller trade-offs too. On-chain multi-sig reveals that multiple parties control funds, which scriptless and MPC approaches avoid, and chain support is uneven, since threshold and MPC wallets are chain-agnostic while on-chain multi-sig needs chain-specific code.
The benefits, resilience against external hacks and insider errors alike, make multi-sig clearly worthwhile. But they only materialize if the scheme is well designed and run with discipline.
Operating it well, and governing it
To get the full value, organizations need strong operational controls. Keep as many keys offline as possible, on air-gapped hardware wallets, in cold storage, or in secure enclaves and HSMs for MPC. Separate signers by geography and by role, so one key sits in New York, another in London, a third in Singapore, split across departments like IT, finance, and legal. Choose the threshold carefully, since too low defeats the purpose and too high can block recovery; 2-of-3 or 3-of-5 is a common balance. Build a real transaction review process where finance leads verify the destination address offline before signing, never relying solely on a wallet UI’s on-screen prompt. Audit any custom code, keep wallet software and firmware updated, and use well-vetted libraries. Plan for key loss with Shamir backups or additional backup keys stored in geographically separated secure locations, and test recovery with simulated key-loss drills. Log all signing requests and key access, and use policy engines where available; Fireblocks, for instance, can enforce that a transaction over a threshold requires multiple approvals.
Multi-sig is governance built into the cryptography, and the schemes encode it directly. Role-based keys assign keys to specific people or roles, so a 3-of-5 wallet might have keys held by the CEO, CFO, COO, head of legal, and a board member. Weighted thresholds give some signers more voting power, though that needs custom scripting. Time-locked multisigs make a proposed transaction wait before execution, giving signers time to review. Emergency backups keep a key offline for use only if a signatory is incapacitated. And in DAOs, the multi-sig itself may be controlled by a token governance process. Whatever the scheme, it has to be documented in corporate policy, with all stakeholders agreeing on signing rules and dispute-resolution procedures, supplemented with legal frameworks like keyholder contracts.
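The role-based, weighted, tiered and time-locked rules described above can be written down as an explicit approval check. This is an added example, not any provider's policy engine; the signer roster, weights, tiers and time-lock length are assumed values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Signer:
    role: str
    weight: int = 1


@dataclass(frozen=True)
class Tier:
    max_amount: int       # tier covers amounts up to and including this value
    required_weight: int  # summed weight of distinct approvers needed
    min_roles: int        # distinct roles that must be represented
    timelock_s: int       # seconds a proposal must wait before execution


# Constructed roster and tiers (assumed values, not from any real policy).
SIGNERS = {
    "ceo": Signer("executive", 2), "cfo": Signer("finance", 2),
    "coo": Signer("operations"), "legal": Signer("legal"), "board": Signer("board"),
}
TIERS = [Tier(10_000, 1, 1, 0), Tier(5_000_000, 3, 2, 3600)]


def evaluate(amount, approvals, proposed_at, now, signers=SIGNERS, tiers=TIERS):
    """Return (allowed, reasons). Fails closed on anything unexpected."""
    if amount <= 0:
        return False, ["amount must be positive"]
    tier = next((t for t in sorted(tiers, key=lambda t: t.max_amount)
                 if amount <= t.max_amount), None)
    if tier is None:
        return False, ["amount is above every tier"]
    reasons = []
    unknown = sorted(set(approvals) - set(signers))
    if unknown:
        reasons.append("approval from unknown signer: " + ", ".join(unknown))
    approvers = set(approvals) & set(signers)  # a repeated approval counts once
    weight = sum(signers[a].weight for a in approvers)
    roles = {signers[a].role for a in approvers}
    if weight < tier.required_weight:
        reasons.append(f"weight {weight} is below the required {tier.required_weight}")
    if len(roles) < tier.min_roles:
        reasons.append(f"{len(roles)} role(s) approved, {tier.min_roles} required")
    if now - proposed_at < tier.timelock_s:
        reasons.append("time-lock has not elapsed")
    return not reasons, reasons


if __name__ == "__main__":
    print(evaluate(500, ["coo"], proposed_at=0, now=0))
    print(evaluate(1_000_000, ["ceo", "ceo"], proposed_at=0, now=7200))
    print(evaluate(1_000_000, ["ceo", "legal"], proposed_at=0, now=60))
    print(evaluate(1_000_000, ["ceo", "legal"], proposed_at=0, now=3600))
```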
What the big incidents taught
Four cases carry most of the lessons. In August 2016, Bitfinex used a 2-of-3 multisig scheme with BitGo for its cold wallets, and attackers tricked one BitGo keyholder into signing a fraudulent transaction, circumventing the signing process; roughly 119,000 BTC was stolen. The lesson is that implementation integrity is critical, because even with multiple required signatures, a tricked co-signer can authorize a malicious transaction. The 2017 Parity wallet hacks were bugs in Ethereum smart-contract multisig code, where one vulnerability let an attacker drain a large amount of ETH and another let a user accidentally freeze a very large sum. The lesson is that on-chain multisig logic has to be simple and audited. The 2023 Fireblocks-BitGo threshold-signature vulnerability was not an external hack at all; it exploited a mathematical omission that could extract the entire private key, and BitGo patched it while Fireblocks recommended customers generate new keys and migrate funds. The lesson is that cryptographic correctness has to be treated like critical software, with independent audits.
The 2025 Bybit breach, the largest crypto heist to date, is the sharpest warning. Attackers compromised a Safe developer’s AWS credentials and injected malicious JavaScript into the Safe wallet front-end. When Bybit initiated a real transaction, the compromised interface silently swapped the destination address for the attacker’s. Signers, seeing what looked like a normal transaction on their screens, co-signed it, producing a valid multi-sig transaction that drained the funds. Investigators confirmed the Safe smart contract itself was never broken; it was a supply-chain and front-end attack. The lesson is that multi-sig is only as secure as the entire workflow around it, and independent, out-of-band verification of the transaction hash or destination address might have caught it. Across all four cases, the common threads are the same: cryptographic wallets have to sit inside a secure environment, businesses need a migration plan to move assets to a fresh scheme when a key is suspected leaked, processes should be audited routinely, and every signer needs to understand phishing and social engineering, because a five-signer setup is only as secure as its least careful signer.
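One way a signer could perform the out-of-band check described above, as an added example rather than code from Safe, Bybit or any provider: decode what the raw payload would actually move and compare it with the request approved through a separate channel, ignoring what the wallet interface displays. It goes slightly beyond the text by also decoding ERC-20 transfer calldata, and it holds anything that is not a plain transfer for manual review; the record format, function names and addresses are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

ERC20_TRANSFER = bytes.fromhex("a9059cbb")  # selector of transfer(address,uint256)


@dataclass(frozen=True)
class ApprovedRequest:
    """Payment as approved in the treasury system, delivered to signers on a
    channel independent of the wallet front-end (hypothetical record format)."""
    recipient: str
    amount: int                  # base units (wei or token units)
    token: Optional[str] = None  # None = native coin, else token contract


def norm(addr):
    """Lower-case 40-hex-digit form so checksum casing does not matter."""
    a = addr.lower()
    a = a[2:] if a.startswith("0x") else a
    if len(a) != 40 or any(c not in "0123456789abcdef" for c in a):
        raise ValueError("malformed address: %r" % addr)
    return a


def effective_transfer(to, value, data):
    """Decode what the raw payload moves: (asset, recipient, amount)."""
    if not data:
        return None, norm(to), value
    if data[:4] == ERC20_TRANSFER and len(data) == 68 and value == 0:
        if data[4:16] != bytes(12):
            raise ValueError("address word has non-zero padding")
        return norm(to), data[16:36].hex(), int.from_bytes(data[36:], "big")
    raise ValueError("payload is not a plain transfer; hold for manual review")


def verify_payload(approved, to, value, data):
    """Return the list of mismatches; an empty list means the payload matches."""
    try:
        asset, recipient, amount = effective_transfer(to, value, data)
        want_asset = norm(approved.token) if approved.token else None
        want_recipient = norm(approved.recipient)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if asset != want_asset:
        problems.append("asset differs from approved request")
    if recipient != want_recipient:
        problems.append("recipient differs from approved request")
    if amount != approved.amount:
        problems.append("amount differs from approved request")
    return problems


if __name__ == "__main__":
    # Constructed sample: approved payee vs. a payload whose recipient was swapped.
    token, payee, other = "0x" + "11" * 20, "0x" + "aa" * 20, "0x" + "bb" * 20
    approved = ApprovedRequest(recipient=payee, amount=5_000_000, token=token)
    amount_word = (5_000_000).to_bytes(32, "big")
    for who in (payee, other):
        data = ERC20_TRANSFER + bytes(12) + bytes.fromhex(who[2:]) + amount_word
        print(who[:6], verify_payload(approved, token, 0, data) or "matches")
```

The check only helps if it runs on a machine and code path that do not share the wallet front-end's dependencies, and if the approved request reaches the signer through a different channel than the payload.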
Migration, recovery, and cost
Key management should assume that at some point keys or shares will be lost or compromised. Rotate keys periodically, which for on-chain multi-sig means deploying a new address and moving funds through co-signed transactions, while MPC can often regenerate shares off-chain against the same address. Keep an emergency path, a backup signer in cold storage or Shamir secret-sharing that splits a master key across vaults. Test migrations before you need them, at small scale, confirming version compatibility. Consider a failover custodian, splitting assets across two providers so one failure does not sink everything, and maintain insurance for custodial setups. Document everything: an up-to-date keyholder roster, the multi-sig config with addresses and thresholds, and recovery procedures. After the Fireblocks report, BitGo’s recommendation was to create new wallets and transfer funds, and firms should be able to do that on demand.
On cost and usability, every solution has trade-offs. On-chain multi-sig transactions are larger and cost more in fees, Ethereum Safe transactions incur gas plus multiple signatures, and threshold and MPC transactions yield a single signature that minimizes fee overhead. Coordinating signatures across dispersed signers slows operations, custom or on-premise custody needs IT resources, and more signers means more hardware to maintain. A small startup might run a 1-of-2 hardware setup offering minimal shared custody, while a large exchange will accept a 3-of-5 scheme to protect billions. The right move is a risk-cost analysis: heavy multi-sig or MPC for high-value treasury funds, lighter controls for smaller operational balances.
The regulatory picture
Crypto regulation increasingly addresses custody, though the rules vary. In the United States, FinCEN distinguishes custodial services from pure multi-sig facilitators: a service that only provides key-generation without transmitting funds is not a money transmitter, because the provider does not accept and transmit value, while a service that also holds assets or facilitates transfers qualifies as one. For most businesses, implementing shared custody where the business keeps majority control does not trigger money-transmitter status on its own. Beyond FinCEN, the SEC and CFTC expect state-of-the-art key controls, and the NYDFS BitLicense requires rigorous cybersecurity for custodians, effectively favoring multi-signature or multi-factor storage.
In the EU, MiCA requires crypto-asset custodians to be authorized and to segregate customer assets, keeping client assets isolated from the custodian’s own, and while it does not prescribe exact technology, regulators expect strong multi-key controls as part of safekeeping. In the UK, the proposed crypto custodial regime builds on existing CASS-like rules, with the FCA’s consultation work pointing toward detailed safeguarding rules for qualifying cryptoassets; explicit multi-sig mandates are not specified, but the direction is toward segregated, secure client wallets. In Singapore, MAS licenses digital payment token service providers, and any entity that controls user tokens needs a license; MAS guidance clarifies that control can include possession of private keys, so a 2-of-2 setup with the provider holding one key could still be viewed as the provider having control, while a more distributed MPC or 3-of-5 arrangement complicates that assessment.
Across these jurisdictions the pattern is the same. Most major regulators encourage or require strong custody practices without mandating one technology, and multi-signature and MPC fit the industry expectation naturally. The compliance point is that businesses holding crypto for others have to segregate assets, implement multi-party controls, and demonstrate that no rogue insider or hacker can withdraw funds alone.
Frequently Asked Questions (FAQ)
What is a multi-signature wallet?
A crypto wallet that requires multiple private keys, held by different parties, to approve a transaction. In a 2-of-3 wallet, at least two keys must sign any transfer, which enhances security because one compromised key alone cannot move money.
How do threshold and MPC wallets differ from traditional multi-sig?
They also require multiple parties to sign, but they produce a single on-chain signature, so the transaction looks like a normal one-signer spend, saving on fees and improving privacy. Traditional on-chain multi-sig publishes each signer’s separate signature.
What are the main security benefits of shared custody?
Eliminating the single point of failure. Funds can only move if multiple keyholders approve, which guards against external hacks and internal fraud, and if one key is stolen or lost, the others still protect the assets.
Can a multi-sig provider be considered a money transmitter?
In the US, FinCEN guidance says a provider that only helps create a joint wallet, without transmitting funds, is not a money transmitter. If the provider also holds custody or moves funds, regulatory obligations apply, and local laws like the New York BitLicense can add requirements.
What are the downsides of multi-sig wallets?
Complexity and cost. On-chain multi-sig means larger transactions and higher fees, coordination slows things down, and poor implementation can still be exploited, as Bitfinex and the BitGo flaw showed. There is also the risk of losing too many keys, so backups are essential.
How do I implement a multi-sig wallet?
Options run from self-custody to third-party services. You can set up your own with hardware wallets and software like Electrum or Safe, or use an institutional MPC custodial wallet from a provider like Fireblocks or Coinbase. On Ethereum, a Safe contract wallet is the common choice. Use hardware for keys, verify each transaction out-of-band, and start with at least 2-of-3 signers.
What regulatory requirements apply to crypto custody?
Licensed custodians generally must segregate client assets and often use multi-key controls. FinCEN has issued guidance on multi-sig providers, the EU’s MiCA and the incoming UK regime require authorization and strict safekeeping, and Singapore’s MAS expects DPT providers to maintain control of keys with institutional security measures.
What should I do if a key is lost or compromised?
Have a recovery strategy ready: encrypted backups or extra shares. If a key is suspected compromised, migrate to a new multi-sig address immediately by having your signers co-sign a transfer. After the BitGo incident, the recommendation was to create new wallets and move funds once the vulnerability was fixed.
