We’ve spent a lot of time thinking through our team’s financial opsec. It’s important that we’re able to securely store our assets without losing the ability for team members to access them when and where they’re needed.
And it’s not just money we need to store. Today we hold our company ENS (splits.eth) and recovery keys for our Farcaster account (@splits), and we believe that in the future there will be more non-financial assets our company owns.
In this article we’re going to outline how we secure our assets at a high level, and then zoom in and discuss each specific account’s security profile in detail.
As of writing, we have 4 shared accounts for our team. Each account is a multisig (i.e., multiple approvals are necessary for outgoing transactions, though notably most of our accounts only require 1 approval) that can be used on any EVM network at the same address.
All of these accounts are secured using passkeys. This allows us to retain full sovereignty over our assets without compromising on day-to-day usability. It also means that team members don’t need to manage their own seed phrase or install wallet extensions.
Across our accounts, we hold about $500k in assets—a mix of stables, ETH, project tokens (donations from OP, UNI, etc), and NFTs. We currently have the following accounts: Primary, Operating, TWIF, and Onboardings. Primary is where the bulk of our assets are held. Operating is for day-to-day general expenses. And TWIF and Onboardings exist for very specific purposes and thus maintain low balances.
At the root of all this is our “recovery account”. This account is unique. It doesn’t hold assets and it’s not something we interact with day-to-day. It exists for the sole purpose of being able to regain access in the off chance we lose access to our Primary account. This recovery account is a 2-of-3 that uses company-issued hardware wallets (Ledger) as the signers.
You can read more about why recovery matters, but the short of it: passkeys are tied to our domain (splits.org), which means if our domain goes down our passkeys become inoperable. So to mitigate this risk, we use recovery signers (traditional Ethereum wallets) as our escape hatch.
In summary:
Now that you understand the general shape of the system, let’s look at each specific account, how it’s configured, and how it fits into the system.
This is where we keep the bulk (90%) of our team’s assets. These assets are held across 3 networks (Ethereum, Optimism, and Base) in a number of tokens (ETH, OP, UNI, etc). It also holds our ENS (splits.eth), which resolves to this address, making it the primary revenue-receiving account we have. Funds coming into this account, from any external account, are accounted for as revenue.