
Two recent developments, one a federal lawsuit in the United States and one an analysis by a leading DeFi infrastructure founder, converge on the same conclusion: in digital asset management, custody that relies on operator honesty is not custody. It is counterparty exposure.
Luxembourg, 13 May 2026
A recent legal case in the United States, in which a major crypto exchange alleged that a former custody partner had misappropriated client funds by commingling them with operating expenses, brought a structural question into sharp relief. No protocol was exploited. No system was breached. A custodian used legitimate access to act in ways its clients neither anticipated nor consented to.
The details of the case are less important than the structural observation they support: when custody relies on operator compliance rather than technical constraint, the protection it offers is conditional.
Code risk and control risk
Writing in May 2026, Merlin Egalite, co-founder of Morpho, offered a framework that captures what is at stake:
"Control risk also compounds in ways code risk does not, because teams change, keys get compromised, governance gets captured, and custodians can do things their clients never anticipated or consented to."
The distinction between code risk and control risk is now central to how serious practitioners evaluate digital asset infrastructure. Code risk, what audits are designed to address, has improved materially across the industry. Control risk is the next frontier. It concerns not what the code does, but who has the power to act on it, and whether that power is constrained by architecture or by trust.
The question applies at two levels: the off-chain custodian entrusted with holding assets, and the on-chain protocols on which those assets are deployed. At both layers, the standard is the same. Architecture must enforce what contracts can only promise.
What optimal custody looks like
An institutional custody framework for digital assets rests on four properties, each of which must be technically enforced rather than contractually assumed.
Separation of asset access from investment authority. No single party should hold both the ability to make investment decisions and the ability to move assets unilaterally. In practice, this means multi-party computation (MPC) architecture in which transaction initiation and transaction validation are held by independent parties.
Hardcoded destination controls. Authorised transaction destinations should be whitelisted at the infrastructure level. Any attempt to send funds to an unauthorised address should be blocked automatically, before it reaches human review.
Cryptographic dual control. The governance structure of custody infrastructure should make unauthorised actions mathematically impossible. Multi-signature quorum requirements, combined with strict separation of duties between operational teams, remove the possibility of unilateral override.
Regulatory-grade standards. Institutional custody infrastructure should meet recognised external benchmarks: MiCA compliance, SOC 2 Type II certification, independent cryptographic audits, and insurance coverage. These are not differentiators. They are the floor.
The protocol layer
At the on-chain level, Egalite identifies a set of properties that institutional managers should evaluate before deploying capital: immutable core code with no upgrade path that can be exploited, governance minimisation to reduce the attack surface of decision-making mechanisms, and timelocks that enforce a public delay before any parameter change takes effect.
As he writes: "Noncustodiality at the protocol level is one of the only properties that removes this risk entirely for DeFi infrastructure." The most durable infrastructure in decentralised finance shares one characteristic: trust that accumulates over time because no single actor can reset it. In Egalite's formulation, "trust compounds unconditionally over time rather than depending on the continued good faith of whoever holds the keys."
For institutional managers, this translates into a concrete due diligence question: at every layer of the custody stack, is access controlled by architecture or by intention?
The emerging standard
Regulatory frameworks are converging in the same direction. MiCA establishes specific requirements for crypto-asset service providers acting as custodians, requiring asset segregation, operational resilience, and defined liability frameworks. The CLARITY Act, currently advancing through the United States Senate, addresses custody frameworks with the aim of bringing them into alignment with existing financial regulation.
Both reflect the same principle: custody of digital assets must provide equivalent protections to custody in traditional finance, enforced by architecture rather than assumed from conduct.
The question institutional investors should be asking of any digital asset manager is not whether custody infrastructure exists, but whether it meets these standards at both layers. The answers should be grounded in technical design, not in policy or relationship.
Belem Capital operates exclusively on-chain, with assets held under multi-party computation infrastructure that makes unilateral fund movement cryptographically impossible. Transaction initiation and validation are held by separate, independent parties. All destination addresses are hardcoded at the infrastructure level. No individual holds full access. That architecture reflects a single conviction: in digital asset management, the only custody guarantee that counts is the one that does not depend on the continued good faith of any individual.
Quotations from Merlin Egalite are drawn from his analysis "Noncustodiality Is Not a Philosophical Question. It's a Security One.", published on 5 May 2026.
About Belem Capital
Belem Capital is a Luxembourg-based digital asset investment platform and solution partner for professional and institutional investors. The firm combines years of operating history managing digital-asset strategies at multi-billion-dollar scale with decades of senior expertise from traditional asset management and regulated financial institutions.
For media enquiries: press@belemcapital.com
For more information: investors@belemcapital.com
Belem Capital is a Special Limited Partnership based in the Grand Duchy of Luxembourg, under registration with the Register of Commerce and Corporations, with its head office located at 152 Boulevard de la Pétrusse, L-2330 Luxembourg.