This post is the third in our series on digital assets and real-world safety. For those who haven’t read it yet, you can find part one here and part two here.
Coins, not accounts.
Chia is not account-based. It uses a coinset (UTXO‑like) model with programmable “puzzles” (via Chialisp) that define spending rules for each coin. This unlocks protocol‑level custody, which creates peer-to-peer transactions that cannot be censored by a third party or compromised by someone else’s mistakes. Because all coins exist as contracts, a given coin enforces its own spending policy; nothing else is required. Rules are code, evaluated peer‑to‑peer, validated by the network.
Chia custody contracts execute policy at the base layer, meaning that rules like M‑of‑N multi‑sig, time locks, spend limits, and veto paths are native coin conditions, not bolted onto an account. In addition, Chia’s BLS signatures aggregate cleanly on‑chain, which translates to efficient multi‑party approvals without complex contract gymnastics. (A future blog on why BLS matters is forthcoming!)
This all sounds great! But what does it actually mean?
Firstly, it means no standing approvals. There’s no concept of “infinite approval” to a third‑party spender. In any upgradable or custodial smart contract, spending coins into that contract’s custody gives the “owner” or “admin” keys unlimited approval over managing funds in that contract. Anything not explicitly allowed now can be put in later via an upgrade that the user has no say in or control over.
With Chia, each spend must satisfy the coin’s conditions at the moment of spend. It also means actual peer‑to‑peer execution. Offers and transfers are executed without custodial escrows; the network verifies the spend conditions directly.
This architecture drastically reduces third‑party control risk. Because coins are governed by code‑level policy, there’s no privileged admin to seize control, no upgrade key to compromise, and no background “approval state” to abuse. Offering all Chia smart contracts, including our new vaults and multi-signature vaults, has added a layer of legitimacy and security that really matters to the type of firms able to put large amounts of assets on chain.
Chia Signer + Policy‑Driven Multi‑Sig: Wrench‑Resistant by Design
The Chia Signer App is a smartphone application developed by Chia Network engineers that functions similarly to a Ledger, but more secure, with the added bonus that you don’t need to buy a new device. Just use the phone you already have. Our engineers analyzed the blockchain signature space and found a way to marry the usability and reliability of smartphones with the ironclad security of on-device secure key storage. This combination of old ideas with new technology and applications for that technology has created what we feel is an industry-leading “killer app” for crypto asset custody.
We built the Chia Signer App because you can’t eliminate physical coercion, but you can design tools so coercion doesn’t work. Distributed approvals (M‑of‑N) mean an attacker must coerce multiple parties, often in different locations, maybe even different countries, within a tight window. We feel this is a state-of-the-art, industry-leading solution because no other leading blockchain can do this as simply and at the base level. Account models fail at this in my opinion, and Bitcoin can’t really do it at all (without additional off-chain tools). Couple this with our industry-leading time‑based locks, which offer optional delays for large transfers, plus clawback keys, and forced, immediate theft becomes impractical.
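A simplified model of the delay-plus-clawback idea described above, added here as an illustration; it is not Chia's puzzle code or wallet API. The function names, the 10,000 limit, the one-day delay and the rule that clawback is allowed at any point before the claim are all assumptions of this model.

```python
from dataclasses import dataclass

DAY = 86_400  # seconds

@dataclass
class PendingTransfer:
    amount: int
    recipient: str
    clawback_key: str
    created_at: int
    delay: int
    state: str = "pending"

def open_transfer(amount, recipient, clawback_key, now, limit=10_000, delay=DAY):
    # Assumed policy: only transfers above `limit` are delayed.
    return PendingTransfer(amount, recipient, clawback_key, now,
                           delay if amount > limit else 0)

def claim(t, signer, now):
    """Recipient finalises the transfer once the time lock has expired."""
    if t.state != "pending":
        raise ValueError(f"transfer is {t.state}")
    if signer != t.recipient:
        raise ValueError("only the recipient can claim")
    if now < t.created_at + t.delay:
        raise ValueError("time lock still active")
    t.state = "claimed"

def claw_back(t, signer):
    """Clawback key cancels the transfer at any point before it is claimed."""
    if t.state != "pending":
        raise ValueError(f"transfer is {t.state}")
    if signer != t.clawback_key:
        raise ValueError("not the clawback key")
    t.state = "clawed_back"

def attempt(fn, *args):
    try:
        fn(*args)
        return "ok"
    except ValueError as exc:
        return str(exc)

def forced_transfer_timeline():
    # Constructed scenario: a large transfer made under duress at t=0.
    t = open_transfer(50_000, "coercer_addr", "clawback_holder", now=0)
    return [
        attempt(claim, t, "coercer_addr", 60),       # immediate claim is refused
        attempt(claw_back, t, "coercer_addr"),       # recipient cannot cancel
        attempt(claw_back, t, "clawback_holder"),    # separate key cancels
        attempt(claim, t, "coercer_addr", 2 * DAY),  # nothing left to claim
    ]
```
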
The biggest change this presents to our threat model for key holders is separation of duties. We are able to split custody by role and geography, and keep all of our custody keys offline (via HSM currently). It’s true: Chia supports air‑gapped or offline flows. In this pattern we plan for every transaction from our prefarm to have clear and deliberate intent; rushed “tap to confirm” is replaced by deliberate review.
These controls transform the economics of coercion. The simplest attack ceases to be viable. If a key is lost or compromised, recovery becomes routine maintenance, not a catastrophe. Keys will get lost, rotated, or retired (replacing a key when an employee leaves); that’s now expected and manageable.
In other blockchains, rekeying is either impossible or incredibly cumbersome. Losing any number of keys in other blockchain solutions would require us to spawn an incident internally at Chia, while it would be just a maintenance event for our current and future solutions. Finally, orgs can replace a signer without pausing business, by spending the coin under the old policy into an identical coin with an updated signer set. This is the biggest win our tooling provides for signature flows: continuity through quorum.
Our multi‑sig tooling ensures funds remain safe and operable even when one key is unavailable or compromised. It enables standard practices like rotating keys on a schedule and rehearsing recovery so teams are calm under pressure. This enhances our rekeying ability, moving key loss from existential risk into normal maintenance.
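A simplified model of the rekeying flow described above (spend the coin under the old policy into an identical coin with an updated signer set), added here as an illustration; it is not Chia's puzzle code or wallet API. The `Coin`, `CoinSet` and `rotate_signer` names are hypothetical, the policy hash stands in for a puzzle hash, and approvals are plain signer names rather than verified BLS signatures.

```python
import hashlib
import json
from dataclasses import dataclass

def policy_hash(policy):
    # Stand-in for a puzzle hash: the coin commits to its whole spending policy.
    return hashlib.sha256(json.dumps(policy, sort_keys=True).encode()).hexdigest()

@dataclass(frozen=True)
class Coin:
    parent: str
    puzzle_hash: str
    amount: int

    @property
    def coin_id(self):
        raw = f"{self.parent}:{self.puzzle_hash}:{self.amount}".encode()
        return hashlib.sha256(raw).hexdigest()

class CoinSet:
    def __init__(self):
        self.unspent = {}

    def add(self, coin):
        self.unspent[coin.coin_id] = coin
        return coin

    def spend(self, coin, policy, approvals, new_policy):
        """Check a spend against the coin's own policy, then create the child coin."""
        if coin.coin_id not in self.unspent:
            raise ValueError("coin unknown or already spent")
        if policy_hash(policy) != coin.puzzle_hash:
            raise ValueError("revealed policy does not match the coin")
        # Approvals are signer names; signature verification is abstracted away.
        valid = set(approvals) & set(policy["signers"])
        if len(valid) < policy["m"]:
            raise ValueError(f"quorum not met: {len(valid)} of {policy['m']}")
        del self.unspent[coin.coin_id]
        return self.add(Coin(coin.coin_id, policy_hash(new_policy), coin.amount))

def rotate_signer(policy, old, new):
    # Same threshold, one signer replaced.
    return {"m": policy["m"], "signers": sorted((set(policy["signers"]) - {old}) | {new})}

def demo():
    cs = CoinSet()
    old = {"m": 2, "signers": ["alice", "bob", "carol"]}  # constructed signer set
    vault = cs.add(Coin("genesis", policy_hash(old), 1000))
    new = rotate_signer(old, "carol", "dave")  # carol's key is lost or retired
    return cs, old, new, cs.spend(vault, old, {"alice", "bob"}, new)
```

After `demo()`, the retired key no longer counts toward quorum on the new coin, and the old policy can no longer be presented for it, because the new coin commits to the updated signer set.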
Why This Matters Now
Crypto adoption has grown, and with it targeted attacks on keyholders are rising. Good security assumes adversaries will aim for the path of least resistance: the human. Protocol‑enforced policy raises the bar in ways that technical exploits and social engineering cannot easily bypass. There is no longer a need for security via obscurity, which means less reliance on secrecy and more reliance on actual security tools. Exposure of one key is insufficient to move funds. This is not the case with the lurking custodial keys of other bolted-on smart contract platforms.
Another major win this tooling provides is auditable approvals. Multi‑party signatures and coin conditions create verifiable evidence and accountability for all coin spends. You know who authorized a spend, when, and how. The core concept of security that this all orbits around is called “Defense‑in‑depth”. We blend physical security, process controls, and cryptographic policy, without introducing a central admin key. This means you can get a very high level of operational excellence in these patterns without any added friction. Security only works if people can use it.
An additional layer of security is enabled by clear approvals. The Chia Signer App makes intent review explicit before signing. You are able to see exactly what you are signing and for whom, before being asked to do anything else. This means that you can also do things like role-based access, which will distribute the right approvals to the right people. This can eventually become an automatable policy engine, where you can treat custody and role-based permissions in your org like any other code change, with change control, logging, and reviews that fit standard ops practice (including SOC 2 Type II).
TL;DR?
We have created a wholly novel, protocol-native custody solution that includes features like multi‑sig and time locks, where policies are enforced by coins themselves, not by fragile account state or upgradeable contracts. You cannot be rug pulled later by some third party changing the rules of your contracted interaction. If your coins change state, it is because you chose a new rule set (puzzle) and signed a transaction to make it happen. You just have to change the custody config of the vault that controls them: it’s a matter of spending one coin (your vault singleton) to change the custodial arrangement of all of your coins.
Chia transactions are truly peer‑to‑peer executed. No standing approvals or custodial intermediaries are required to transact. We can provide human-aligned safety, including things like offline signing (via HSM and soon via Chia Signer App) and quorum‑based approvals to directly mitigate coercion and real‑world threats.
Additionally, these tools unlock resilient operations such that rekeying and rotation are first‑class interactions, making continuity and safety routine. They also enable practical patterns to adopt: use M‑of‑N for treasury and long‑term holdings, and lower thresholds with limits for daily ops.
This means you can distribute keys across people and places, and keep at least one key offline. These tools also unlock rehearsed recovery and rotation so the process is muscle memory, not theory. Finally, you can add time delays and clawback for high‑value moves.
Chia Signer and multi‑signature custody aren’t just features; they’re an architectural stance. In a world where attackers increasingly target people, Chia’s coin‑based, policy-first design makes the simplest attacks ineffective and keeps control where it belongs: with your organization, operating safely even under pressure.