Following recent discussions with Crypto.com and signing an NDA, LlamaRisk provides additional information about cdcETH. This update clarifies previous concerns and offers a more comprehensive view of security measures and operational procedures.
Custody solution
We’ve reviewed an audit by a reputable firm (undisclosed due to NDA) confirming Crypto.com’s robust custody solutions, which are compliant with SOC 2 (Service Organization Control) Type 2, a year-long process that identifies:
- Security controls against unauthorized access, mitigating system abuse, theft, fraud, data removal, software misuse, and information alteration
- Quick detection of anomalies and incidents by monitoring staff
- Established frameworks for responding to security breaches
The SOC 2 Type 2 framework’s security controls and processes have been effectively designed and implemented to protect the custody solution. Security is the core of SOC 2 compliance requirements.
Public repository
Crypto.com has made its cdcETH GitHub repository public. Key points:
- Uses Circle’s Wrapped Token OS ERC20 format (like cbETH, USDC)
- Identifies contract access controls and owner-changeable variables
- Includes detailed contract architecture diagrams
- Primary contract (FiatTokenProxy.sol) is functionally identical to other Wrapped Token OS tokens, with minor informational differences
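Because the token follows the Wrapped Token OS proxy pattern, the "owner-changeable variables" a reviewer cares about reduce to three addresses: the proxy admin (who can swap the implementation), the implementation itself, and the token owner. The following script is an added example (not code from Crypto.com's repository or from LlamaRisk) showing how to read those three control points over JSON-RPC and diff them against the addresses documented in the repo. The storage-slot constants are assumed to be those of the ZeppelinOS AdminUpgradeabilityProxy that Circle's FiatTokenProxy.sol derives from; the `owner()` selector is the standard Ownable getter; the proxy address, the expected addresses, and the `constructed_rpc` responses are all constructed so the script runs offline.

```python
"""Verify the control points of a FiatTokenProxy-style token (added example)."""
import json
import urllib.request
from typing import Callable, Dict, List

# Assumed slot constants from the ZeppelinOS AdminUpgradeabilityProxy lineage
# of FiatTokenProxy.sol. Confirm them against the published repository.
IMPLEMENTATION_SLOT = "0x7050c9e0f4ca769c69bd3a8ef740bc37934f8e2c036e5a723fd8ee048ed3f8c3"  # keccak256("org.zeppelinos.proxy.implementation")
ADMIN_SLOT = "0x10d6a54a4754c8869d6886b5f5d7fbfa5b4522237ea5c60d11bc4e7a1ff9390b"  # keccak256("org.zeppelinos.proxy.admin")
OWNER_SELECTOR = "0x8da5cb5b"  # first 4 bytes of keccak256("owner()"), standard Ownable getter
ZERO_ADDRESS = "0x" + "00" * 20

# An RpcCall takes (method, params) and returns the hex "result" string.
RpcCall = Callable[[str, list], str]


def word_to_address(word: str) -> str:
    """Take the right-most 20 bytes of a 32-byte storage/ABI word as lowercase hex."""
    body = word[2:].rjust(64, "0")
    return "0x" + body[-40:].lower()


def read_control_points(proxy: str, rpc: RpcCall) -> Dict[str, str]:
    """Read implementation and admin from the proxy's reserved slots, and
    owner() through the proxy's fallback (served by the implementation)."""
    impl = word_to_address(rpc("eth_getStorageAt", [proxy, IMPLEMENTATION_SLOT, "latest"]))
    admin = word_to_address(rpc("eth_getStorageAt", [proxy, ADMIN_SLOT, "latest"]))
    owner = word_to_address(rpc("eth_call", [{"to": proxy, "data": OWNER_SELECTOR}, "latest"]))
    return {"implementation": impl, "admin": admin, "owner": owner}


def evaluate(control: Dict[str, str], expected: Dict[str, str]) -> List[str]:
    """Compare live control points with the addresses the repository documents.
    Returns a list of findings; an empty list means everything matched."""
    findings: List[str] = []
    for role, addr in control.items():
        if addr == ZERO_ADDRESS:
            findings.append(f"{role} is the zero address")
        elif role in expected and addr != expected[role].lower():
            findings.append(f"{role} is {addr}, expected {expected[role].lower()}")
    # Transparent-proxy caveat: calls from the admin never reach the token logic,
    # so an admin that is also the owner could not exercise owner functions.
    if control["admin"] == control["owner"] and control["admin"] != ZERO_ADDRESS:
        findings.append("proxy admin and token owner are the same address (transparent-proxy misconfiguration)")
    return findings


def http_rpc(url: str) -> RpcCall:
    """Build an RpcCall that POSTs JSON-RPC to a real node (not used offline)."""
    def call(method: str, params: list) -> str:
        payload = json.dumps({"jsonrpc": "2.0", "id": 1, "method": method, "params": params}).encode()
        req = urllib.request.Request(url, data=payload, headers={"Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)["result"]
    return call


# Constructed sample state so the example runs without a node.
CONSTRUCTED = {
    "implementation": "0x" + "11" * 20,
    "admin": "0x" + "22" * 20,
    "owner": "0x" + "33" * 20,
}


def constructed_rpc(method: str, params: list) -> str:
    """Fake node answering with the constructed state above as 32-byte words."""
    if method == "eth_getStorageAt":
        slot = params[1]
        addr = CONSTRUCTED["implementation"] if slot == IMPLEMENTATION_SLOT else CONSTRUCTED["admin"]
    elif method == "eth_call":
        addr = CONSTRUCTED["owner"]
    else:
        raise ValueError(f"unsupported method {method}")
    return "0x" + addr[2:].rjust(64, "0")


if __name__ == "__main__":
    proxy = "0x" + "aa" * 20  # constructed placeholder, not the real cdcETH address
    control = read_control_points(proxy, constructed_rpc)
    print(json.dumps(control, indent=2))
    print(evaluate(control, {"admin": CONSTRUCTED["admin"], "owner": CONSTRUCTED["owner"]}))
```

Against a live node, swap `constructed_rpc` for `http_rpc("https://<your-rpc-endpoint>")` and fill `expected` from the access-control section of the repository; a non-empty findings list is the signal to re-read the repo's documentation before trusting the deployment.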
MPC Address Custody Solution
Crypto.com uses a multistage contract interaction process, which, for security reasons, cannot be detailed. LlamaRisk reviewed the operational flow, which provides checks and balances to prevent unauthorized transactions. However, ownership of the Multi-Party Computation signer keys and adherence to these procedures cannot be independently verified. While an onchain Safe solution would be preferable, the reported efforts suggest good operational procedures.