Self-custody for market makers: when the math actually pays off

    CrypDefi team · June 2026

    For most of crypto's history, the custody debate has been about security. Hot wallet vs. cold storage, your keys vs. someone else's, which counterparty you're willing to trust. Given how much has been lost to exchange failures and hacks, it's an understandable framing, but, for a market maker, it misses the point.

    A market maker's inventory is working capital. It exists to be quoted against and filled thousands of times a day, turned over continuously, and the way it is held either supports that or quietly taxes it. So the useful question isn't whether self-custody is safer, but what holding your own keys costs to run, what it saves you from paying, and, once those numbers are on the table, whether running that infrastructure is a business you want to be in at all.

    On a centralised exchange, the choice barely exists

    Most market makers still route the bulk of their flow through CEX venues, so start there. To make markets on Binance, your inventory has to sit on Binance. The exchange matches internally and you cannot quote without funds on the platform, so there is no real self-custody option to weigh in the first place.

    There are ways to soften the exposure. Off-exchange settlement products, like Fireblocks Off Exchange, Copper ClearLoop, Ceffu's MirrorX, BitGo's Go Network, let you keep assets in independent custody, mirror collateral to the venue, and settle periodically rather than pre-funding the exchange in full. These have become standard infrastructure for serious market makers, and they do real work. But they are settlement products, with their own lockups and their own counterparty assumptions, and they should not be mistaken for self-custody.

    So on CEX, custody is mostly a treasury and counterparty management question: how much inventory are you willing to leave exposed to a given venue, and at what risk premium? October 10, 2025 showed what that exposure looks like when it stops being theoretical. A tariff headline hit a market sitting at record open interest, and more than $19 billion in leveraged positions were liquidated in less than a day – the largest deleveraging event in crypto's history, with roughly 1.6 million traders caught in it. Exchange infrastructure strained under the load: APIs failed, deposits lagged, and traders watched positions get auto-deleveraged while the collateral that might have saved them sat out of reach. The venues survived. The point stands anyway: an account balance on an exchange is an unsecured claim, and in the moment it matters most, you may not be able to act on it.

    And if we are being honest, the question matters less every quarter, because the market isn't staying on CEX.

    The flow is moving on-chain

    Trading has migrated on-chain steadily enough that it is hard to write off as a passing phase. DEX's share of spot trading volume has roughly doubled in two years, from about 7% in January 2024 to around 14% by January 2026 and has held above 10% since early 2025 (CoinGecko). Over the past 30 days, decentralised venues cleared roughly $184 billion in spot volume, about $6.5 billion a day (DefiLlama, June 2026).

    Derivatives make the point more sharply. Perp-DEX volume more than quadrupled in a year, from $1.5 trillion in 2024 to $6.4 trillion in 2025 (CoinGecko), and the pace has held: roughly $670 billion in the past 30 days, with Hyperliquid alone clearing $227 billion of it (DefiLlama, June 2026) – the only on-chain venue ranked among the global top ten perpetual exchanges, centralised or not.

    The trend is not perfectly linear. Centralised exchanges still handle the large majority of flow, and perp-DEX share dipped in early 2026 before recovering. Over a multi-year horizon, though, the direction is clear: a growing share of trading is moving to venues where you hold your own keys by default. Self-custody stops being a constraint to engineer around and becomes the ordinary way the market works.

    The risk moves from custody to execution

    It would be too convenient to present that as a free upgrade. What disappears on-chain is the counterparty claim: no balance parked on an exchange, no exposure to a venue's balance sheet. What replaces it is execution-layer risk. Smart contracts can be exploited, still the dominant attack vector for on-chain venues (CoinGecko). Oracles can misprice. Transactions can fail, land late, or get sandwiched. And key management becomes entirely your problem, with no support desk behind it.

    That is also the honest answer to why every market maker hasn't moved: risk appetite. Trading on-chain means accepting that whether you get your funds back depends on code and infrastructure, not on a counterparty's creditworthiness. You are not removing risk; you are shifting it from custody to execution. Whether that trade makes sense depends almost entirely on how good your execution stack is, which is precisely why the quality of that stack has become the real question.

    The cost of being slow on-chain

    The first generation of on-chain market making meant providing liquidity to AMMs, and it carried a structural cost with a name: loss-versus-rebalancing, or LVR, the gap between holding a pool position and simply rebalancing the same portfolio at market prices. It grows with the square of volatility: at 5% daily volatility, a constant-product pool bleeds roughly 3 basis points a day to arbitrageurs, on the order of 11% a year before fees (Milionis, Moallemi, Roughgarden & Zhang, 2022). That is not a latency problem. It is the arithmetic of quoting passively on volatile assets, and it is a large part of why professional liquidity stayed away.

    The market's answer was to bring the order book on-chain, and Hyperliquid's rise is the proof of how much demand there was for it. But an order book has no passive comfort: your edge depends on refreshing quotes as fast as the market moves.

    Being slow now costs you twice. First, stale quotes get picked off: the market moves, your order doesn't, and someone trades against your price before you can pull it. Market makers call this adverse selection, and it is the main tax on being slow. Second, every requote and every rebalance has to be signed before it exists. On general purpose chains each one pays gas as well – one reason continuous rebalancing gets rationed – and even on venues like Hyperliquid, where order updates are gasless, every order still waits on your signature. However fast the venue is, you are never faster than your own signing.

    A market maker with slow or expensive signing quotes wider, refreshes less, and carries more staleness, conceding basis points on volatile pairs day after day. The arithmetic is simple enough to run on your own book: every basis point of adverse selection costs $100,000 per $1 billion of volume traded. Those losses scale with the volume you trade; the cost of fast signing infrastructure does not. Once a book reaches even moderate size, what staleness costs per year is a multiple of what the infrastructure that prevents it would cost.

    Custody built for static money

    Here is the structural reason the signing path is slow, and it is not carelessness. Institutional crypto custody inherited its design from traditional finance, where the custodian's job is to keep assets safe while they sit still. Security means putting layers between the key and the outside world: MPC ceremonies across multiple parties, policy lookups, approval round-trips. For money that is static, that paradigm is right.

    On-chain trading money is the opposite of static. It moves constantly – quoted, filled, rebalanced, settled – and a custody stack built to slow things down cannot serve a workflow whose entire economics depend on speed. The constraint is architectural: an MPC signature is negotiation between machines over a network, several round-trips per signature, and no amount of optimisation gets that loop anywhere near the sub-millisecond signing that an active on-chain book demands. Closing the gap takes a different design point: keys held in dedicated, hardware-isolated signing infrastructure, with the path around them engineered for speed rather than for ceremony. That is a deliberate trade, and worth stating plainly: MPC remains the right answer for assets that rarely move. For keys that have to sign against a live order book, hardware isolation is the safest architecture that can also keep up.

    That is the gap CrypDefi was built to close: HSM-based signing at sub-1ms latency, so the keys stay under your control while you quote at speeds the market actually moves at.

    So when does the math pay off?

    The real question underneath all of this is one trading firms rarely ask out loud: should custody be your core business? You could build all of this yourself. Some of the largest firms have. But be clear about what that means: standing up a low-latency security operation inside a trading firm – hardware management, key ceremonies, monitoring, audits, around the clock operations – a massive upfront investment and a permanent engineering tax that produces no alpha. Every hour spent maintaining signing infrastructure is an hour not spent on trading strategy.

    That is the 'when' in the title. The math pays off under two conditions: your flow is on-chain, where holding your own keys is simply how the market works, and you treat the signing infrastructure as something you buy rather than something you build. Owning the keys does not require owning the machinery around them, and for most market makers building that machinery is a distraction, not a moat. Security was always the entry requirement. The part that shows up in the P&L is speed, and whose payroll it sits on.

    For informational purposes only; not investment, trading, or legal advice. Product and company names are trademarks of their respective owners; reference does not imply affiliation or endorsement. Latency figures are production measurements under specific conditions.

    Sources

    Related

    How the signing engine worksAdd low-latency signing to FireblocksRequest sandbox access