Skip to main content

Best practices for structuring your Fireblocks Vault

  • Updated

In this article, we discuss how to choose the Vault structure that suits your business needs and requirements.

Think of the Fireblocks Vault as a safe room in a bank. The safe room contains many drawers, each with a different lock and key. As a Fireblocks customer, you control the Vault (safe room) and can organize the vault accounts (drawers) to your preference. Inside each vault account, you can create a wallet for each crypto asset. These wallets contain unique keys and addresses on the blockchain.

Vault structures

We recommend organizing your Vault using one of the following structures. While there are fundamental differences between them, both structures use the blockchain as a single source of truth ledger.

Segregated Vault structure

The segregated Vault structure consists of individual vault accounts for each end client. Funds are stored in and invested from these individual accounts.

In a segregated Vault structure:

  • Reconciliation is not needed since funds are invested directly from individual vault accounts and never transferred to other vault accounts within your Vault.
  • Tracking and auditing are simplified. Compliance is made easier since each transaction can be associated with the person who made it.
  • On-chain transaction fees are usually considered the cost of doing business.
  • Since funds are invested directly from the end client's vault accounts, funds are available immediately in order to respond to changes in the market.

Sweep-to-omnibus Vault structure

The sweep-to-omnibus Vault structure consists of a central vault account in addition to vault accounts for each end client. Funds are deposited into the individual vault accounts and then swept to the central vault account, where the funds can be invested. We recommend using the following vault accounts when implementing this Vault structure:

  • Intermediate vault accounts: These are the vault accounts assigned to each end client. Because you could have numerous end clients, you can use the Fireblocks API to automatically generate as many intermediate vault accounts as needed.
  • Omnibus Deposits: This is the central vault account where end-client funds are swept and stored.
  • Withdrawal Pool: This is the vault account containing funds allocated for end-client withdrawal requests. More than one Withdrawal Pool vault account may be required due to blockchain limitations.

In a sweep-to-omnibus Vault structure:

  • Reconciliation is completed during the on-chain sweeping transaction.
  • Account management is simplified by using a single vault account for treasury management and investing. You can apply the desired logic to an internal database.
  • End-client deposit addresses remain private and unexposed to third parties since outbound transactions are sent from the Omnibus Deposits vault account.
  • Since funds must be transferred twice (deposited then swept), you pay transfer fees on two occasions before you can invest the funds. To optimize the cost of transfer fees, we recommend sweeping funds once per day when fees are low. By doing so, you can deduct the expected fees from the originally deposited amount when crediting your end clients.
  • Funds are not immediately available to respond to market changes since they should be swept only when transfer fees can be optimized.

Sweep_to_omnibus_diagram.png

Use cases

You can structure vault accounts based on your specific business use case. The following example structures are taken from common business use cases on Fireblocks. However, you can customize your Vault structure as needed to match your best practices.

Crypto-trading business segment

For the crypto-trading business segment, we recommend a segregated Vault structure. In this structure, your company creates a vault account for each of your end clients or business use cases.

Recommended vault accounts

  • Proprietary assets
    • Treasury
    • Market making
    • OTC trading
  • Customer assets
    • Collateral (for lending)
    • Withdrawals
    • Deposits
    • DeFi
    • Vault accounts for each corporate client, family office, etc.

A segregated Vault structure allows you to easily track each transaction for auditing, compliance, and Know Your Customer (KYC) purposes. This structure also allows you to keep your company's assets separate from its end-clients' assets and oversee different branches, strategies, and operations in the same workspace.

Hedge funds

You can structure vault accounts per share class, product, strategy, or by portfolio manager.

Trading firms and brokers

You can structure vault accounts to segregate any proprietary assets from customer assets.

Retail business segment

For the retail business segment, we recommend the sweep-to-omnibus Vault structure since retail customers mostly use API to automate scaling their business.

On Fireblocks, you can use API keys to generate intermediate vault accounts, identify incoming transactions, and sweep funds to the Omnibus Deposits vault account.

The Fireblocks API can generate as many vault accounts as needed to receive direct deposits from your end clients. Then, using webhooks to monitor incoming transactions, the Fireblocks API triggers a sweep from the end-client vault account to the Omnibus Deposits vault account.

Exchanges, retail payments, lending desks, and Neo Banks

Typically, a sweep-to-omnibus Vault structure is suitable for retail businesses that serve a large number of end clients and manage a database of customer names and IDs.

UTXO-based assets logic

  • Structure
    • In the Omnibus Deposits vault account, you can assign each end client a deposit address (which is derived from the permanent wallet address of the UTXO asset).
    • When adding an address for an end client in the Omnibus Deposits vault account, use the Create a New Deposit Address of an Asset in a Vault Account API call and use the customerRefId parameter to associate the end client's ID. The customerRefId parameter is then propagated to every transaction to the end client in your system.
  • Process - Deposits
    • Funds are deposited using the following process:
      1. The retail platform shares the deposit address with the end client.
      2. The end client makes a deposit.
      3. The incoming deposit triggers a webhook notification.
      4. Your client-facing software automatically notifies the end client that the deposit was successfully received.
      5. The deposit appears on the Transaction History page.
      6. You can now invest funds from multiple end clients using one transaction from the Omnibus Deposits vault account. Due to the nature of UTXO-based blockchains, the transaction includes the source address for each end client, unlike account-based transactions which require an intermediary vault account.
  • Process - Withdrawals
    • Fireblocks recommends creating a dedicated vault account that holds funds allocated for end-client withdrawals and is detached from the Omnibus Deposits vault account.
    • Manually load funds as needed into the Withdrawal Pool or Treasury vault accounts. More than one Withdrawal Pool vault account may be required due to blockchain limitations.
    • Note: When investing using various financial products, such as DeFi or Staking, end clients' funds are not available in their respective vault accounts or addresses.

Account-based assets logic

  • Structure
    • The workspace should contain one or more intermediate vault accounts per end client in addition to a single Omnibus Deposits vault account.
    • When adding a vault account, we recommend using the Create a New Vault Account API call and using the customerRefId parameter propagates to every transaction associated with this address, allowing you to easily map deposits to the end client in your system.
    • When creating intermediate vault accounts, we recommend setting the hiddenOnUi parameter to true, which helps reduce visual clutter in the Fireblocks Console and improves loading time. We recommend implementing this setting so that only your Omnibus Deposits vault account and other operational vault accounts are visible in the Fireblocks Console.
    • Therefore, incoming transactions to intermediate vault accounts will not display in the Active Transfers panel. To track incoming transactions, you must use the List Transaction API call, the webhook, or the Transaction History page.
    • Transactions used for sweeping funds to the Omnibus Deposits vault account are displayed on the Active Transfers panel and the Transaction History page. They can also be viewed using the List Transaction API call or the webhook.
    • Due to the nature of account-based blockchains, transactions with account-based assets can only be transferred from one account-based address to another account-based address (unlike UTXO, where multiple addresses are included in a single transaction).
  • Process - Deposits
    • Funds are deposited using the following process:
      1. The end client receives a deposit address.
      2. The end client makes a deposit.
      3. The incoming deposit triggers a webhook notification.
      4. Your client-facing software automatically notifies the end client that the deposit was successfully received.
      5. The deposit is swept to the Omnibus Deposits vault account.
  • Process - Withdrawals
    • Fireblocks recommends creating a dedicated vault account that holds funds allocated for end-client withdrawals and is separate from the Omnibus Deposits vault account.
    • Manually load funds as needed into the Withdrawal Pool or Treasury vault accounts. More than one Withdrawal Pool vault account may be required due to blockchain limitations.
    • Note: When investing using various financial products, such as DeFi or Staking, end clients' funds are not available in their respective vault accounts or addresses.
  • Gas fee management
    • All transfers on Fireblocks, including those between vault accounts, take place on the blockchain. Therefore, you must pay gas fees when transferring funds from the intermediate vault accounts to the Omnibus Deposits vault account. You can enable the Fireblocks Gas Station to automatically transfer funds to the appropriate vault accounts to cover future fees for the sweeping process. To optimize the cost of transfer fees, we recommend sweeping funds once per day when fees are low.

TradFi business segment

For TradFi business segments, the recommended Vault structure varies per use case and license.

Commercial and investment banks

These banks can rehypothecate the funds in their custody and use the assets given to them as they see fit. Therefore, we recommend using the sweep-to-omnibus Vault structure to simplify investing.

Custodial banks

Because custodial banks offer custody services rather than investing funds, we recommend using the segregated Vault structure. With this structure, assets are stored in individual vault accounts until the end client requests to withdraw funds.

A separate Fireblocks workspace

When your business use case requires more than just vault account segregation, you can request to purchase additional workspaces. An additional workspace may be useful when your use case meets one or more of the following criteria:

  • You want to manage independent sets of clients and/or policies. For example, a corporate firm with independent sub-companies or departments may require each entity to have full ownership of a separate workspace.
  • You want to give your end clients and investors user access to their Fireblocks workspace. This can be accomplished by assigning a separate workspace to each customer.
  • You want to give your employees different viewing privileges on vault accounts.
  • You want to create different configurations. For example:
    • Different AML defaults (such as fail-on-unknown versus pass-on-unknown)
    • Different DeFi approval cap limit
    • Allowing the use of Raw Signing
Was this article helpful?
7 out of 7 found this helpful

Related Articles