What is the Fireblocks Vault?
Think of the Fireblocks Vault as a safe room in a bank. The safe room contains many drawers, each with a different lock and key. As a Fireblocks customer, you control the Vault (safe room) and can organize the vault accounts (drawers) to your preference. Each vault account supports a single asset wallet for each asset type. These wallets contain unique deposit addresses and keys on the blockchain.
We recommend organizing your Vault using a segregated structure or a sweep-to-omnibus structure. While there are fundamental practical differences, both structures use the blockchain as a single source of truth ledger.
Learn about all the possibilities for structuring your Fireblocks Vault.
Managing your assets
For managing your organization’s assets, we recommend setting up a "Treasury" vault account to safely store your assets. This account should have the most restrictive Policy rules.
If you manage various operations with teams that need different access to funds, we recommend creating a vault account per team or operation.
Learn more about the segregated Vault structure.
Managing your end-client funds
Grouped funds
If you don't need to separate your organization’s funds from your clients’ funds, we recommend depositing assets to the “Treasury” vault account mentioned above.
Separated funds
If you need to separate your clients’ funds from one another for regulatory reasons or accounting purposes, we recommend creating one vault account per customer to track and manage deposits.
If you want to manage customer deposits from a single account, we recommend creating a central Omnibus vault account where deposits can be swept.
For UTXO-based assets and blockchains that support multiple addresses:
- You can assign each client a unique deposit address within the Omnibus vault account. These addresses are derived from the permanent wallet address of the UTXO asset.
- Clients can deposit funds directly to their assigned address in the Omnibus vault account.
- You can invest funds from multiple end-client deposits with unified transactions from the Omnibus Deposits vault account.
- This also applies to blockchains that support multiple addresses using optional memos, notes, or tags. Learn more about using other deposit addresses.
For account-based assets:
- You must create individual vault accounts for each client to have their own unique address. Ethereum and other EVM-compatible blockchains can't have more than one address per vault account.
- These intermediary vault accounts receive customer deposits, and you can sweep the funds periodically to the Omnibus vault account.
Learn more about the sweep-to-omnibus structure.
Segregated vs. Sweep-to-omnibus
The segregated Vault structure consists of individual vault accounts for each end client. Funds are stored in and invested from these individual accounts.
This structure can also be used for segregating your own funds and marking them for different purposes. For example, if you have multiple funds using a single workspace or if you store funds from separate business lines, creating separate vault accounts can help you organize your assets.
In a segregated Vault structure:
- Reconciliation is usually not needed since funds are invested directly from designated vault accounts.
- Tracking and auditing are simplified. Compliance is made easier since each transaction can be associated with the person who made it.
- On-chain transaction fees are usually considered the cost of doing business.
- Since funds are invested directly from the end client's vault accounts, funds are available immediately in order to respond to changes in the market.
The segregated Vault structure is preferred by Over-the-Counter (OTC) desks, institutional lending desks, prime brokers, hedge fund managers, and other businesses that want to maintain clear and verifiable demarcation between assets dedicated to separate end clients or business units.
The sweep-to-omnibus Vault structure consists of a central vault account and additional vault accounts for each end client. Funds are deposited into the individual vault accounts, each containing its own deposit address, and then swept to the central vault account, where the funds can be invested.
We recommend using the following vault accounts when implementing this Vault structure:
- Intermediate vault accounts: These are the vault accounts assigned to each end client. Because you could have numerous end clients, you can use the Fireblocks API to automatically generate as many intermediate vault accounts as needed.
- Omnibus Deposits: This is the central vault account where end-client funds are swept and stored.
- Withdrawal Pool: This is the vault account containing funds allocated for end-client withdrawal requests. More than one Withdrawal Pool vault account may be required due to blockchain limitations.
In a sweep-to-omnibus Vault structure:
- Reconciliation is completed during the on-chain sweeping transaction.
- Account management is simplified by using a single vault account for treasury management and investing. You can apply the desired logic to an internal database.
- End-client deposit addresses remain private and unexposed to third parties since outbound transactions are sent from the Omnibus Deposits vault account.
- Since funds must be transferred twice (deposited then swept), you pay transfer fees on two occasions before you can invest the funds. To optimize the cost of transfer fees, we recommend sweeping funds once per day when fees are low. By doing so, you can deduct the expected fees from the originally deposited amount when crediting your end clients.
- Funds are not immediately available to respond to market changes since they should be swept only when transfer fees can be optimized.
The sweep-to-omnibus Vault structure is preferred by retail-facing businesses, such as fintechs, brokers, lenders, and exchanges.
Recommended Vault structure per use case
| Use Case | Vault structure | |
| Treasury Management | Self Custody | Segregated |
| Liquidity Management | Segregated | |
| Trading & Yield | Both | |
| Building Retail Service (WaaS) | Financial (B2C) | Sweep-to-Omnibus |
| Financial (B2B) | Both | |
| Non-financial | Sweep-to-Omnibus | |
| Token Lifecycle Management | Financial assets | Segregated |
| Non-financial assets | Segregated | |
| Clearing & Settlement Services | N/A | |
| Payments | Merchant settlement | Segregated |
| Cross-border payments | Segregated | |
| Payouts | Segregated | |
| Payins | Both | |
Other considerations
Web3
We recommend using a segregated Vault structure for Web3 or Decentralized Finance (DeFi) operations when your wallets are:
- Separated based on decentralized app (dApp)
- Used by distinct users or teams
Otherwise, you can use the sweep-to-omnibus Vault structure for your Web3 operation.
Smart contracts
A segregated Vault structure is typically preferred for managing smart contracts. Rather than simply using your wallets as an address for moving funds, each wallet’s address is associated with elevated privileges, such as minting, burning, or other operations, within the smart contract.
We recommend creating vault accounts for these operations: Mint, Burn, Pause, Deploy, Upgrade, and other privileged contract calls. Each user role in the smart contract will have a designated vault account, and Policy rules allow only the relevant personnel to use those vault accounts.
For high-value tokenization projects (>$10M), additional controls and segregation of the key backups may be required. In these scenarios, we recommend using multiple workspaces:
- An Administrative workspace used mainly for:
- Deploying smart contracts
- Upgrading smart contracts
- Role allocation
- An Operational workspace used mainly for minting and burning.
- A Custodial workspace used for your custody or your customer’s custody.
For non-financial or lower-value financial use cases, the overhead of maintaining three workspaces may be excessive for the risk profile. In this case, it may be suitable to utilize only two workspaces by consolidating the administrative and operational functionality into a single workspace.
When using your own smart contracts, you can seek advice from Fireblocks Professional services.
Offline storage
Suppose some of your funds should be stored offline to comply with local regulations. In that case, we recommend purchasing a Fireblocks Cold Wallet workspace and rebalancing it with your hot workspace to manage your liquidity.
Automation
If you're scaling for hundreds and thousands of customers, we recommend using an API Co-Signer to automatically sweep funds according to your organization's logic and fee prices.
When sweeping funds, you pay a fee in the base asset of the deposited token's blockchain. To ensure you always have enough funds for the sweeping transaction, we introduced the Fireblocks Gas Station feature that automatically identifies incoming transactions to your pre-defined vault accounts and deposits enough of the base asset to cover fees for sweeping funds to your main treasury.
When would you need a separate Fireblocks workspace?
A single workspace can hold both segregated and sweep-to-omnibus structures!
When your business use case requires more than vault account segregation, you can request to purchase additional workspaces. This is applicable when:
- You want to manage independent sets of clients, policies, or both. For example, a corporate firm with independent sub-companies or departments may require each entity to own a separate workspace.
- You want to give your end clients and investors user access to their Fireblocks workspace. This can be accomplished by assigning a separate workspace to each customer.
- You want to give your employees different viewing privileges on vault accounts.
- You want to create different configurations. For example:
- Different AML defaults (such as fail-on-unknown versus pass-on-unknown)
- Different DeFi approval cap limit
- Allowing the use of Raw Signing
- Your customer requires the workspace to be run in a separate geographical location. In that case, it would be necessary for them to have a separate workspace.
How do I restrict the visibility of Vault accounts?
By default, all users in the workspace have visibility to all of the Vault accounts in the workspace. To restrict visibility to end users:
- Reach out to your Customer Success Manager to request a new workspace and limit the users on the new workspace to those you want to have overall visibility.
- Limit visibility at the API level by creating a custom application or user interface that integrates with Fireblocks via an API user. Your custom app/UI would include logic to limit end-users' visibility to only their assigned Vault account.