
Crypto loans often advertise similar rates and LTVs. The real difference is custody. Who safeguards the keys, how wallets are structured, and what controls sit around transfers determine whether pledged assets are genuinely protected or only marketed as such. In the institutional world, that security standard typically means qualified custodians with audited controls, segregated storage, and explicit policies on rehypothecation and incident response. In DeFi, it means open-source contracts that escrow collateral in code and remove human discretion from day-to-day custody. Understanding the tradeoffs is the key due diligence step before you pledge a single satoshi or wei.
The custody baseline in CeFi lending
Most institutional lenders route collateral to a regulated trust-company custodian that offers segregated, cold-storage vaults and independent audits. Coinbase Custody Trust Company is a New York Department of Financial Services-chartered limited-purpose trust and describes itself as a qualified custodian with SOC 1 Type II and SOC 2 Type II examinations by Deloitte. NYDFS publicly confirms Coinbase’s limited-purpose trust charter in its press release and listings of virtual currency businesses.
BitGo operates as a regulated qualified custodian and details SOC reporting and an insurance framework with up to $250 million in coverage for assets held in qualified custody, subject to scope and exclusions.
Why this matters for borrowers: qualified custodians are subject to banking-style oversight in New York and similar regimes, and their controls are examined against AICPA SOC criteria that focus on security, availability, processing integrity, confidentiality, and privacy. See Coinbase’s custody overview for cold-storage and control design.
Milo’s program mirrors that institutional pattern. After approval, collateral is transferred to a loan-specific vault with Coinbase Custody or BitGo and remains off-exchange in cold storage. Wallets are segregated, not pooled, and Milo states that client collateral is not rehypothecated. Those choices align with what large custodians publicly position as the institutional baseline for crypto custody, as reflected in Coinbase’s custody disclosures and BitGo’s qualified-custody materials.
What “good” looks like in custodial setups
- Segregation and persistence: loan-specific, non-reused addresses that can be observed and reconciled.
- Cold storage by default: keys generated and stored offline with layered physical and logical controls. See Coinbase’s cold-storage description.
- Independent assurance: current SOC 1 and SOC 2 Type II report letters or coverage letters from the custodian. Coinbase discloses SOC audits on its custody page.
- Insurance clarity: named policies, caps, deductibles, covered perils, and exclusions in writing. BitGo’s insurance summary is a helpful benchmark.
- No rehypothecation: collateral is not reused, pledged, or lent out by the lender or custodian.
The non-custodial alternative in DeFi
DeFi lending removes the company-level custodian and escrows collateral in smart contracts. Borrowers keep control of their external wallets, but once assets are pledged, the protocol holds them in contract until obligations are met. Practically, that means you cannot spend or move pledged collateral while the loan is open. Aave states this plainly in its product docs: supplied collateral cannot be transferred or withdrawn until the borrow position is repaid.
How to evaluate DeFi custody posture in practice:
- Contract custody, not platform custody: assets sit in audited, upgrade-governed contracts, not with a company’s ops team.
- Transparency by default: addresses and contract states are visible on-chain, which enables third-party monitoring tools and public verification.
- Operational risk looks different: key management and cold storage are replaced by governance processes, contract audits, and change controls. Technical guardrails, not organizational ones, become the primary line of defense.
- Oracle and upgrade hygiene matter: while outside the scope of liquidation mechanics, borrowers should still review how market data reaches the protocol and how contract upgrades are controlled, since both affect custody behavior over time. Aave’s and Maker’s official docs are the starting point for this diligence.
The borrower’s security checklist
Use this list with any platform, Milo included. Focus on custody, controls, and clarity.
1. Custodian and status: Name the custodian. Ask for evidence of trust-company or equivalent authorization and whether it is treated as a qualified custodian. NYDFS maintains public materials and registries for New York entities.
2. Segregation and address policy: Confirm that collateral sits in loan-specific addresses that are not commingled and that addresses remain persistent for auditability.
3. Assurance reports: Request current SOC 1 and SOC 2 Type II report letters or summaries applicable to the custody entity.
4. Cold storage and key management: Verify offline key generation and storage, geographic key separation, and operational approval flows.
5. Insurance scope: Get the policy overview in writing, including caps, deductibles, and exclusions. Insurance does not cover market movements.
6. Movement and incident policies: If collateral can be moved between vaults or custodians to mitigate a verified risk, ask for the triggers, approvals, and notification timelines. Expect a complete audit trail.
7. Transparency and monitoring: Confirm how you can independently verify balances and how the platform surfaces status in-app. Milo, for example, provides a dashboard view of pledged balances while the custodian holds assets offline, consistent with institutional custody norms.
Bottom line: If you want named accountability, audited controls, and explicit insurance frameworks, evaluate lenders that use qualified custodians and segregated cold storage. If you prefer open-source rules and public state visibility, evaluate DeFi protocols where collateral is escrowed by contract rather than by a company. Either way, the custody model, not the headline APR, is what protects your collateral.
The opinions expressed in the Blog are for general informational purposes only and are not intended to provide specific advice or recommendations for any individual or on any specific security or investment product.