Cryptographic Control as Fiduciary Power

Why key-holders, MPC committees, and exchange custody teams sit inside ordinary private law

Control is power, not ownership

Modern cryptoasset custody rarely leaves the economic owner with unilateral capacity to dispose of the asset. A gatekeeping layer sits in between: a custodian holds the signing capability, distributes it through multi-signature, fragments it through threshold signing and multi-party computation (MPC), or embeds it in administrative smart-contract controls. The practical outcome is the same across architectures. Someone other than the beneficial owner can release, delay, condition, or refuse a disposition. That is a legally meaningful power, whether or not the ledger treats the resulting signature as sufficient to move value.

The most persistent analytical error is to treat technical capacity as a proxy for title. English private law has never equated “ability to transfer” with beneficial ownership. Agents, trustees, nominees, mortgagees, and other holders of transfer mechanisms can possess decisive powers without owning beneficially. The reverse error is equally common: because an on-chain transfer is technically irreversible, the controller is treated as immune from legal constraint. Equity does not work by reversing transactions on a ledger. It regulates people and institutions through in personam orders, accounting, injunctions, constructive trusts, and structural relief. The question is not whether courts can “control the chain”. The question is whether the person who holds the gatekeeping power owes duties in its exercise.

A simple method: build a power map

Custody technology is often described as if each architecture demanded its own doctrine. A better approach is to convert the architecture into a power map. Who can do what to whose proprietary position? On what conditions? Who has a veto? Who can rotate keys, alter thresholds, change signers, pause a contract, or upgrade code? Who decides whether a withdrawal is “safe”, a user is “verified”, or a transaction is “compliant”? Who profits from delay? Who benefits from discretion?

Once the power map is clear, the legal analysis becomes ordinary. If a party holds a discretionary veto or release power over another’s asset position, and that power is assumed for another’s benefit or for a defined purpose, equity’s familiar machinery is triggered. Trust analysis becomes a question of objective intention and undertaking. Fiduciary analysis becomes a question of loyalty and conflicts in the face of dependence. Supervision becomes a question of proper purpose, rationality, relevant considerations, and constraints on discretionary use.

Single-key custody is the cleanest fiduciary problem

In single-key custody, the custodian holds the sole authorising capability, while the customer holds an internal account entitlement. Whatever the marketing language, the power map is stark: the custodian has an exclusive veto over disposition. The customer is dependent on operational processes (withdrawal queues, identity checks, recovery procedures) that are entirely controlled by the custodian.

That dependence is not a rhetorical point. It is the reason fiduciary questions arise. Where one party holds a gatekeeping power that the other cannot realistically monitor or replace, the structure is vulnerable to opportunism. The legal response is not sentimental. It is prophylactic: equity restricts conflicts, collateral use of power, and unauthorised profit.

Multi-signature and MPC shift the surface, not the substance
Multi-signature escrow and MPC governance are often presented as decentralising or neutralising custodial risk. Sometimes they do. Often they do not. A 2-of-3 scheme, for example, still creates decisive powers: which combinations can transfer without the customer; who has a veto; who can rotate keys; and who determines whether conditions are satisfied. A party may not be able to transfer unilaterally, yet still hold an effective veto, or a practical capacity to force outcomes through collusion.

MPC and threshold signing frequently make the power map harder to see, not less important. A threshold signature can look on-chain like a single key signed it, while the real governance is committee-based and discretionary. The legally relevant facts are internal: who holds shares; what approvals trigger signing; whether “compliance” teams have veto; who can reconstitute the threshold set; and whether emergency procedures permit bypassing ordinary rules. A technology that hides discretion increases the need for legal clarity about discretion, not the opposite.

Smart contracts add a meta-layer: admin power

Smart-contract escrow systems are often described as “code-enforced”. Many are, until they are not. Administrative controls—upgrade keys, pause powers, parameter changes, emergency withdrawals, oracle dependencies—create a meta-layer of control that sits above the visible contract logic. This meta-layer is where fiduciary issues concentrate. If a small group can alter the rules after users have locked assets, or can freeze and selectively release, then the system is not “rule-bound” in the way users are invited to assume. It is governed.

Again, the question is not whether governance is always wrong. The question is what duties constrain those who hold it. A pause power for genuine emergency protection is one thing. A pause power used to manage liquidity, protect insiders, or extract concessions is another.

Exchange custody: the hardest case, because the power is continuous
Exchange custody combines omnibus wallets, internal book-entry transfers, hot/cold partitioning, and discretionary withdrawal pipelines. Most customer “transfers” are internal ledger movements. On-chain wallets are pooled settlement infrastructure. That does not make customer interests unreal. It does make the power map more complex.

The legally load-bearing facts are operational: withdrawal queues; risk scoring; manual review; compliance holds; forced delays; selective processing; and the reality of account recovery and credential resets. Recovery authority often becomes functionally equivalent to dispositive authority. If an exchange can decide when you can access an asset, whether you are “verified”, whether your destination is “acceptable”, and whether your account is “safe”, then it holds a practical veto over your proprietary position. That veto is the nucleus of fiduciary analysis.

When custody becomes trust

Trust analysis should not be derailed by metaphysical debates about whether a private key is “property”. The orthodox inquiry is objective intention and undertaking. If a custodian or platform undertakes to hold assets for a customer, segregates or earmarks them, limits its own use, and places the disposition pathway under purpose-bound control, then the architecture can evidence an intention to hold for another rather than to owe an equivalent. Where the platform reserves broad rights to use assets as working capital—lending, rehypothecation, internal liquidity deployment—while promising only an equivalent balance on demand, the structure trends towards debt.