How to manage multiple crypto wallets: Our best practices

2. Use different crypto wallets for different purposes

Generating multiple wallet addresses linked to the same seed phrase and private key is akin to having multiple bank accounts with identical login details. But this is not ideal, especially regarding resilience against hacks and implementing access controls.

For improved clarity, dividing the company's assets into multiple crypto wallets with distinct seed phrases is advisable. Lumping it all together into one wallet can make seeing your organization’s crypto finances difficult. Instead, consider maintaining at least three crypto wallets: one for receiving payments, another for paying expenses, and a third wallet that acts like a savings account.

Maintaining different wallets for different purposes provides clarity in tracking your organization's crypto finances. It also enables you to implement proper financial controls and simplifies financial reporting for tax purposes and audits.

Security remains a paramount concern, considering billions of dollars in crypto have been lost to hacks over the years due to insecure crypto wallet management. In 2018 alone, hackers stole private keys controlling over a billion dollars worth of cryptocurrency from hot wallets. 

Someone may be hacking your device, communication software, or crypto exchange to obtain your wallet’s private keys. A person with your private keys can drain your company’s funds. If your seed phrase becomes somehow compromised, all the wallet addresses generated using that seed phrase are compromised.

Diversification is critical - both in managing your organization’s investment portfolio and in storing your company’s crypto inventory. Never put all your eggs in one basket. Limiting the amount of funds stored in any wallet limits the damage any hack can have on your company’s overall crypto inventory.

3. Use a mix of wallet types

Combining hot and cold wallets in your crypto wallet management strategy can greatly enhance your overall security and accessibility. 

Hot wallets are the crypto equivalent of carrying petty cash in your physical wallet - they are easily accessible and convenient for daily transactions. They are typically connected to the internet and allow for quick transfers and spending of funds.

On the other hand, cold wallets provide an additional layer of security and act as a safe vault for storing dormant funds. These wallets are offline and not directly connected to the internet, making them less susceptible to hacking or unauthorized access. Cold wallets are ideal for long-term storage of funds that are not frequently needed for transactions.

Given the trade-offs, cold and hot wallets are usually ideal. You can balance accessibility and security in your crypto wallet management and designate specific purposes for each wallet type based on your organization's needs. For example, you can use a hot wallet for daily transactions and receiving payments while keeping most of your funds in a cold wallet for long-term storage and security.

Consider experimenting with different wallet technologies to enhance your crypto wallet management further. For instance, multi-signature (multi-sig) wallets require multiple authorized signatures to initiate transactions, adding an extra layer of security and control. Secure multi-party computation (MPC) wallets leverage cryptographic techniques to distribute private key information among multiple parties, increasing security and mitigating the risk of a single point of failure.

Each type of crypto wallet has advantages and disadvantages, allowing them to play different roles and meet different needs in your crypto FinOps. Understanding different wallets can help you evaluate whether your organization's current crypto wallets are being used in a way that is fit-for-purpose. 

More importantly, the effectiveness of your crypto wallet choices is heavily dependent on the processes and controls you establish within your organization. 

4. Have a clear system for managing your organization’s crypto wallets

Setting up multiple crypto wallets can simplify financial reporting and enhance the security of your crypto assets. However, many large crypto companies often neglect important aspects, such as keeping records of all wallets, defining their purposes, identifying authorized signatories, and establishing a process for approving new wallets.

Consider maintaining a comprehensive document on your organization's knowledge management system (KMS), like a Notion page to address this. This living document should clearly outline the existence and purpose of each wallet, along with its corresponding wallet address. This is particularly important for larger organizations subject to audit requirements as it streamlines the financial reporting process.

Having a clear approval process for new wallets is equally vital. When reviewing requests, ensure they align with your organization's custody, security, and workflow requirements. Ask pertinent questions, such as the reason for the wallet's existence, who should have access to it, the expected flow of funds in and out of the wallet, and how crypto transactions from the wallet should be labeled in the organization's chart of accounts.

It’s crucial to map out risks associated with authorized signatories and their wallets, especially in web3 organizations. Implement solutions to mitigate conflicts of interest and key man risks, safeguarding community assets. Multisignature (multi-sig) or secure multi-party computation (MPC) wallets can reduce reliance on individual key holders. Collusion among interested or related parties remains a potential vulnerability. The more independent private key signatures required further protect the multi-sig wallet. 

Olympus DAO, for example, requires a four-of-eight multisig which requires “a quorum of 4 to authorize any transaction like engaging in DAO swaps.” Olympus identifies the public key of each signatory for additional transparency.

The treasury is the beating heart of any organization. Left in the hands of bad actors, all its funds could be drained with a few clicks - leaving it with serious going concern issues.

You can never be too safe when it comes to safeguarding your crypto treasury and having controls for on-chain payment authorizations.

A portfolio tracker can help monitor different crypto wallets, balances, and transaction flows across various blockchain networks. This ensures that all wallets are accounted for, and allows you to track the origin and destination of your crypto assets. Reliable portfolio trackers prevent frustrations for crypto accountants by providing comprehensive visibility and insights into your wallet balances.

5. Securely manage your wallets’ seed phrases

When managing multiple wallets, ensure you accurately record and preserve your seed recovery phrases' sequential order and spelling. Consider secure options such as splitting the phrases between multiple safe deposit boxes or using services like Cryptosteel for engraving.

Alternatively, writing down and storing copies of the recovery phrases in safe locations can be effective. You may also encrypt and store an encrypted version of the recovery phrase in the cloud or keep an offline copy.

The easiest way to manage multiple wallets is through browser profiles or browsers. You can simply install web wallets in different browsers or utilize separate browser profiles for each wallet. This allows for easier management and simultaneous access to multiple wallets.

To keep your computer and its contents as safe as possible from someone with physical access to your machine (e.g. for technical support), we recommend you enable full disk encryption such as FileVault on Mac or BitLocker on Windows, to protect your computer and its contents, including cryptocurrency keys.

6. Observe cyber hygiene

Remember that while crypto wallet companies can try as hard as they can to design robust security systems, your systems are only as safe as your people are.

To maintain cyber hygiene, avoid interacting with malware or risky smart contracts that have not been audited or tested over time. Additionally, implement essential data security practices such as regularly updating software, following security vulnerability patch protocols, and managing passwords and access controls effectively. Not doing so can run the risk of not only a lapse in data security but “mistakes” in the execution of the contract that can result in lost funds.

“Social engineering” attacks are often used to bypass sophisticated technical controls put in place. Instead of picking a well-designed lock, hackers can trick one of your organization’s members into handing over the keys. Millions of dollars have been stolen from tech giants like Facebook and Google, large global banks like the Oversea-Chinese Banking Corporation (OCBC), and even United States Government Agencies.

A common tactic is fraudulent invoices. Scammers pretend to be a vendor requesting payment for services performed for the company. Often, this type of attack will masquerade as one of an organization’s actual suppliers and use a realistic-looking invoice but with the scammer's bank account details or crypto wallet address.

The challenge with billing is that the team members who incur the bill, are typically not involved when the company’s finance team reviews and pays invoices. That makes it difficult for finance teams to verify if an invoice is legitimate or fraudulent, resulting in legitimate bills not being paid on time, or, worse - paying fraudulent invoices.

For instance, in October 2022, security researchers from Japanese cybersecurity vendor Trend Micro uncovered fraudulent invoice scams on PayPal impersonating well-known crypto companies like Stellar XLM, Bitcoin Exchange, Terra Luna Classic, Oasis Network and TrueUSD.

To protect enterprise users from invoice fraud, consider using tools like Request Finance’s crypto invoicing app, which allows you to require vendors to cc multiple people on invoices that you receive. That way, your finance team can check with other team members on cc to ensure a legitimate bill. This should both protect you from billing fraud while also ensuring your company’s bills are paid on time. If you've been receiving unsolicited invoices that appear fraudulent, you can also block the issuer of those invoices.

Staying vigilant against scammers and social engineering attacks is crucial. Be cautious when processing payments or sharing sensitive information, and always verify the authenticity of invoices or requests before taking action.

By following these practices, you can enhance the security and management of your wallets and protect your crypto assets from potential threats.

Remember! All the information in this article is for educational purposes only. You should not consider any such information as legal, tax, investment, trading, financial, or other advice. Always do your research!