We’ve spent a lot of time thinking through our team’s financial opsec. It’s important that we’re able to securely store our assets without losing the ability for team members to access them when and where they’re needed.

And it’s not just money we need to store. Today we hold our company ENS (splits.eth) and recovery keys for our Farcaster account (@splits), and we believe that in the future there will be more non-financial assets our company owns.

In this article we’re going to outline how we secure our assets at a high level, and then zoom in and discuss each specific account’s security profile in detail.

Our system

As of writing, we have 5 shared accounts for our team. Each account is a multisig (i.e. multiple signatures/approvals are necessary for outgoing transactions, though notably most of our accounts only require 1 approval) that can be used on any EVM network at the same address.

All of these accounts are secured using passkeys. This allows us to retain full sovereignty over our assets without compromising on day-to-day usability. It also means that team members don’t need to manage their own seed phrase or install wallet extensions. Our opsec is no longer only as secure as the weakest link’s ability to secure a seed phrase.

Across our accounts, we hold about $800k in assets: a mix of stables, ETH, project tokens (donations from OP, UNI, etc.), and NFTs.

We currently have the following accounts: Treasury, Operating, Payroll, Eng Testing, and TWIF. Treasury is where the bulk of our assets are held. Operating is for day-to-day general expenses. Payroll is self-explanatory, and TWIF is a growth experiment we’re running.

At the root of all this is our “Recovery” account. This account is unique. It doesn’t hold assets and it’s not something we interact with day-to-day. It exists for the sole purpose of being able to regain access on the off chance we lose access to our Treasury. Recovery is a 2-of-3 that uses company-issued hardware wallets as the signers.

You can read more about why recovery matters, but the short of it: passkeys are tied to our domain (splits.org), which means if our domain goes down, passkeys become inoperable. So to mitigate this risk, we use traditional Ethereum signers as our escape hatch.
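The domain binding described above, sketched as an added example (not Splits' own code): a WebAuthn assertion signs over the SHA-256 hash of the relying-party ID, so a signature made for `splits.org` cannot be validated for, or requested from, any other domain. It assumes the standard authenticator data layout (32-byte rpIdHash, 1-byte flags, 4-byte counter) and a simplified browser rule; every hostname other than `splits.org` is constructed for illustration.

```python
import hashlib
import hmac
import struct

RP_ID = "splits.org"  # the domain named in the article

def rp_id_valid_for_host(rp_id: str, host: str) -> bool:
    """Browser-side rule (simplified): the rpId must be the page's host or a
    parent domain of it. Real browsers also consult the public suffix list."""
    host, rp_id = host.lower().rstrip("."), rp_id.lower().rstrip(".")
    return host == rp_id or host.endswith("." + rp_id)

def make_authenticator_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed sample: SHA-256(rpId) | flags byte | big-endian counter."""
    return hashlib.sha256(rp_id.encode()).digest() + struct.pack(">BI", flags, sign_count)

def parse_authenticator_data(data: bytes) -> dict:
    """Split the fixed 37-byte header that every assertion carries."""
    if len(data) < 37:
        raise ValueError("authenticator data must be at least 37 bytes")
    flags, sign_count = struct.unpack(">BI", data[32:37])
    return {
        "rp_id_hash": data[:32],
        "user_present": bool(flags & 0x01),   # UP bit
        "user_verified": bool(flags & 0x04),  # UV bit
        "sign_count": sign_count,
    }

def assertion_bound_to(data: bytes, expected_rp_id: str) -> bool:
    """Verifier-side check: the signed rpIdHash must match the expected domain."""
    parsed = parse_authenticator_data(data)
    expected = hashlib.sha256(expected_rp_id.encode()).digest()
    return hmac.compare_digest(parsed["rp_id_hash"], expected) and parsed["user_present"]

if __name__ == "__main__":
    sample = make_authenticator_data(RP_ID, flags=0x05, sign_count=7)  # constructed
    for host in ("splits.org", "app.splits.org", "splits-backup.example"):
        print(host, "may use the passkey:", rp_id_valid_for_host(RP_ID, host))
    for rp in (RP_ID, "splits-backup.example"):
        print(rp, "accepts the assertion:", assertion_bound_to(sample, rp))
```

A replacement domain fails both checks, which is why the escape hatch has to be a signer type that does not depend on the domain.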

In summary:

Our accounts

Now that you understand the general shape of the system, let’s look at each specific account, how it’s configured, and how it fits into the system.

Treasury