Onchain Fund Custody: MPC, Multisig, and Safeguards
MPC wallets, multisig, and role-based permissions for institutional onchain funds. Compare custody models, trade-offs, and how Lagoon integrates each.
Introduction
86% of institutional investors either hold digital assets or plan to allocate within the next two years, according to a 2025 EY survey. Yet when these institutions evaluate onchain fund structures, one question dominates every due diligence conversation: who controls the keys?
In traditional finance, custody is straightforward. A regulated third-party custodian (State Street, BNY, Northern Trust) holds the assets, maintains the books, and provides insurance coverage. The fund manager gives instructions; the custodian executes. The roles are distinct, the liability is clear, and the model has worked for decades.
Onchain funds work differently. There is no single custodian holding assets in an omnibus account. Instead, assets sit in a smart contract vault, and a designated curation wallet executes the investment strategy. That wallet can be an MPC wallet, a multisig, or a hybrid of both, and the choice directly affects the fund's security model, operational speed, and regulatory posture.
This article maps the three dominant custody models for onchain funds, explains their trade-offs in terms institutional managers already understand, and shows how Lagoon's infrastructure supports all three.
What Custody Means for Onchain Funds
In a traditional fund, custody means physical or legal control of assets by a regulated entity. The custodian is a separate counterparty from the fund manager, the administrator, and the transfer agent. This separation of duties is a cornerstone of institutional fund governance.
In an onchain fund built on the ERC-7540 standard, the vault smart contract handles deposits, net asset value (NAV) calculation, fee computation, and share token issuance. But the vault itself does not execute the investment strategy. That responsibility belongs to the curation wallet: the address authorized to deploy the vault's settled assets into protocols, lending markets, or other yield-generating positions.
The curation wallet is your custody layer
The curation wallet is the onchain equivalent of the custodian role. It controls where settled assets go and how they are deployed. Unlike a traditional custodian, the curation wallet is not a separate legal entity; it is a blockchain address, and the security model depends entirely on what kind of address it is.
This is where the custody decision matters. The curation wallet can be:
- An MPC wallet (Fireblocks, Fordefi), where key shards are distributed across multiple parties and no single person ever holds a complete private key.
- A multisig wallet (Safe), where N-of-M independent signers must approve every transaction onchain.
- A hybrid setup (Safe + Zodiac Roles Modifier), where a multisig provides the base security layer and a permissions module delegates scoped execution rights to specific addresses.
Non-custodial infrastructure
A critical distinction: Lagoon is non-custodial infrastructure. The protocol never holds private keys, never takes custody of assets, and never controls the curation wallet. Custody remains entirely with the fund and its chosen wallet provider. Lagoon provides the vault smart contracts (audited 7+ times by NethermindSec), the governance roles, and the settlement logic, but the custody model is the fund's decision.
Three Custody Models Compared
Each custody model represents a different set of trade-offs across security, operational speed, transparency, and regulatory alignment. The right choice depends on the fund's strategy, compliance requirements, and operational maturity.
MPC wallets: speed and flexibility
Multi-party computation (MPC) wallets distribute the private key into multiple cryptographic shards held by different parties. To sign a transaction, the parties participate in a distributed signing protocol without ever assembling the complete key. The result is a standard blockchain signature, indistinguishable from any other, with no onchain footprint of the multi-party process.
Providers like Fireblocks (protecting over $10 trillion in cumulative assets) and Fordefi (recently acquired by Paxos, safeguarding $120 billion in monthly transaction volume) have become the dominant MPC platforms for institutional digital asset management.
MPC wallets are chain-agnostic (they work on any EVM network without requiring chain-specific smart contracts), produce single-signature transactions (lower gas costs), and allow flexible signer rotation without onchain transactions. They also include built-in policy engines that can restrict transactions by protocol, amount, destination, and time of day.
The trade-off: MPC signing happens off-chain. The approval process is not publicly verifiable on the blockchain, and the fund depends on the MPC provider's infrastructure for availability and security. For institutions accustomed to relying on regulated custodians, this maps closely to the traditional model: you trust a service provider rather than a smart contract.
Multisig: transparency and decentralization
Multisig wallets, most commonly implemented through Safe (managing over $50 billion in assets), require multiple independent private keys to sign every transaction. A 3-of-5 Safe, for example, needs three out of five designated signers to approve before any assets can move.
Every approval is recorded onchain. Anyone can verify who signed, when, and what was executed. This makes multisig the most transparent custody model, and the most auditable. Regulators, investors, and compliance teams can independently verify every transaction without relying on provider reports.
The trade-off: higher gas costs (each signer's approval is an onchain transaction), slower execution (coordinating multiple signers takes time), and less flexibility for signer changes (adding or removing a signer requires an onchain transaction approved by the existing threshold).
Hybrid: multisig with scoped permissions
The hybrid model combines a multisig base layer (Safe) with a permissions module (Zodiac Roles Modifier) that delegates specific, scoped execution rights to designated addresses. This gives the fund the security of multi-party approval for high-risk operations while enabling faster execution for pre-approved, constrained actions.
The Zodiac Roles Modifier is an onchain permissions module that controls access at three levels: which smart contracts can be called, which functions within those contracts, and what argument values are acceptable. For example, a fund could allow its portfolio manager to execute swaps on Uniswap up to a specific dollar amount without requiring a full multisig vote, while still requiring multisig approval for any other action.
Organizations like ENS DAO, GnosisDAO, and Balancer already use this pattern for treasury management. Karpatkey's DeFi-Kit provides pre-built permission sets for common DeFi protocols, accelerating setup.
Side-by-side comparison
| Dimension | MPC Wallet | Multisig (Safe) | Hybrid (Safe + Zodiac) |
|---|---|---|---|
| Key management | Distributed shards, never assembled | Independent keys, onchain threshold | Multisig base + scoped delegation |
| Transparency | Off-chain signing | Fully onchain, publicly verifiable | Onchain approvals + scoped actions |
| Gas cost | Low (single signature) | Higher (N onchain signatures) | Variable (depends on action type) |
| Signer changes | Off-chain, no gas | Onchain tx required | Onchain tx for signers, off-chain for roles |
| Policy engine | Built-in (Fordefi, Fireblocks) | Via modules (Zodiac) | Native Zodiac permissions |
| Chain support | Any chain (chain-agnostic) | EVM chains (requires deployment) | EVM chains (Safe + module) |
| Vendor dependency | Yes (MPC provider) | No (open-source contracts) | Partial (open-source + optional tooling) |
| Best for | High-frequency, multi-chain | DAO treasury, audit-first | Institutional funds, delegated mgmt |
Role-Based Permissions: The Missing Layer
Choosing between MPC and multisig addresses only half of the custody question. The other half is permissions: what is the curation wallet allowed to do with the vault's assets?
In a traditional fund, the investment management agreement (IMA) defines what the portfolio manager can and cannot do: asset class restrictions, concentration limits, counterparty exposure caps. Violations are caught by the compliance team after the fact, through periodic reviews.
Onchain, these constraints can be enforced before the fact, at the smart contract level. The curation wallet does not just need to be secure; it needs to be constrained.
Three levels of onchain permissions
The Zodiac Roles Modifier enforces permissions at three levels:
- Contract-level: Which smart contracts can the role interact with? (e.g., only Aave, Compound, and Uniswap)
- Function-level: Which functions within those contracts? (e.g., supply and withdraw, but not borrow)
- Argument-level: What parameter values are acceptable? (e.g., maximum 50 ETH per swap, only USDC as collateral)
This creates an onchain equivalent of the investment management agreement. The rules are encoded in the smart contract, publicly verifiable, and enforced automatically: no compliance officer needed for real-time monitoring.
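The three permission levels above, together with the hybrid model's rule that anything outside the role's scope still needs multisig approval, can be modelled off-chain as a deny-by-default check over raw calldata. This is an added example, not Lagoon's or the Zodiac Roles Modifier's code; the addresses, function selectors, and the 50 USDC cap are constructed for illustration.

```python
from dataclasses import dataclass

# All addresses, selectors and limits are constructed for illustration.
POOL = "0x" + "aa" * 20   # hypothetical lending pool
USDC = "0x" + "cc" * 20   # hypothetical USDC token
WETH = "0x" + "ee" * 20   # hypothetical WETH token
SUPPLY, WITHDRAW, BORROW = "0x11111111", "0x22222222", "0x33333333"

@dataclass(frozen=True)
class Scope:
    assets: frozenset   # argument level: permitted values for arg 0 (asset)
    max_amount: int     # argument level: ceiling for arg 1 (amount)

USDC_ONLY = Scope(frozenset({USDC}), 50 * 10**6)  # 50 USDC at 6 decimals
# Contract level -> function level -> argument level.
POLICY = {POOL: {SUPPLY: USDC_ONLY, WITHDRAW: USDC_ONLY}}

def encode_call(selector, asset, amount):
    """Build calldata: 4-byte selector + ABI words for (address, uint256)."""
    return (bytes.fromhex(selector[2:]) + bytes(12)
            + bytes.fromhex(asset[2:]) + amount.to_bytes(32, "big"))

def check_call(policy, target, calldata):
    """Deny-by-default check. A denial means the role cannot execute the
    call, so it would need the full multisig threshold instead."""
    functions = policy.get(target.lower())
    if functions is None:
        return False, "contract not in role scope"
    if len(calldata) != 4 + 64:
        return False, "malformed calldata"
    scope = functions.get("0x" + calldata[:4].hex())
    if scope is None:
        return False, "function not in role scope"
    if calldata[4:16] != bytes(12):
        return False, "dirty address padding"  # upper 12 bytes must be zero
    asset = "0x" + calldata[16:36].hex()
    amount = int.from_bytes(calldata[36:68], "big")
    if asset not in scope.assets:
        return False, "asset not permitted"
    if amount > scope.max_amount:
        return False, "amount exceeds limit"
    return True, "within role scope"

if __name__ == "__main__":
    for sel, asset, amt in [(SUPPLY, USDC, 10 * 10**6), (BORROW, USDC, 1),
                            (SUPPLY, WETH, 1), (SUPPLY, USDC, 51 * 10**6)]:
        print(sel, check_call(POLICY, POOL, encode_call(sel, asset, amt)))
```
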
MPC policy engines
MPC providers offer their own permission systems. Fordefi's policy engine allows role-based approvals with thresholds based on protocol, action type, amount, and time windows. Fireblocks provides a transaction authorization policy (TAP) that can enforce approval workflows, whitelisted destinations, and spending limits.
These operate off-chain within the MPC provider's infrastructure, offering similar functional outcomes (constrained execution) but without onchain verifiability. For institutions that already trust their MPC provider for key management, this may be an acceptable trade-off. For those requiring full onchain auditability, the Zodiac approach provides a stronger transparency guarantee.
How Lagoon Integrates Custody
Lagoon's vault architecture separates custody from fund operations by design. The ERC-7540 vault contract handles all investor-facing logic (deposits, redemptions, NAV, fees, share minting), while the curation wallet handles strategy execution. This separation means the custody model is a configuration choice, not a protocol constraint.
Any address as curation wallet
During vault deployment via the Lagoon Vault Factory, the manager specifies a curation wallet address. This can be:
- A Fireblocks vault address (MPC, for high-frequency, multi-chain strategies)
- A Fordefi wallet address (MPC, with built-in DeFi policy controls)
- A Safe multisig address (for DAO treasuries and transparent governance)
- A Safe + Zodiac Roles Modifier address (for institutional funds requiring delegated management with constraints)
- Any other Ethereum-compatible address (including hardware wallets for simpler setups)
Governance separation enforced onchain
Regardless of the custody model, every Lagoon vault enforces role-based governance at the smart contract level. The vault administrator configures contract parameters. The valuation provider submits NAV updates. The curator (curation wallet) accepts valuations and executes strategy. The whitelist manager controls investor access. These roles cannot be bypassed; they are enforced by the ERC-7540 contract, not by the custody wallet.
This means the custody model protects how the strategy is executed, while the vault's governance roles protect what can happen within the fund's lifecycle. Together, they create a layered security model that maps to institutional internal controls.
For a step-by-step guide to deploying a vault with your chosen custody wallet, see How to Deploy a Permissionless Vault on Lagoon.
About Lagoon
Lagoon provides the complete stack for onchain asset management, combining proven ERC-7540 vault technology with institutional-grade fund administration tooling. It enables any digital asset strategy to become a tokenized product: scalable, composable, and accessible to LPs.