
The four types of on-chain risk every custodian needs to monitor

Team Opsion, Opsion · March 31, 2026 · 6 min read
Tags: Custodians, Risk Management, AML, Security

Crypto custody has a maturity problem. The compliance frameworks borrowed from traditional finance (KYC at onboarding, periodic reviews, manual transaction monitoring) were designed for a world where assets move through centralised intermediaries at human speed. On-chain, assets move at block speed, 24 hours a day, across jurisdictions with no overnight settlement window.

The custodians building durable compliance programmes understand that monitoring is not a point-in-time activity. It is a continuous posture. Here are the four risk categories that deserve dedicated monitoring infrastructure.

Counterparty exposure

Every time a custodied wallet receives funds, those funds carry the history of every address they passed through. A deposit that originated three hops from a sanctioned entity may not be flagged by a simple screening tool, but it creates regulatory exposure for the custodian that received it.

Counterparty monitoring means watching the indirect exposure created by the funds' on-chain history, not just the direct sender. This requires a graph traversal model with configurable hop depth and risk-weighting. A simple address blacklist is not enough.

Outgoing transactions matter too. A customer sending funds to a high-risk counterparty may indicate a relationship that warrants enhanced due diligence or transaction blocking, depending on your jurisdiction.
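The graph traversal described above can be sketched as follows. This is an added example, not Opsion's code: the addresses, amounts, the 0.5 per-hop decay, the amount-weighted averaging and the 0.01 alert threshold are all constructed assumptions chosen to show why hop depth matters.

```python
from collections import defaultdict

def build_inbound(transfers):
    """Index (sender, receiver, amount) transfers by receiver."""
    inbound = defaultdict(lambda: defaultdict(float))
    for sender, receiver, amount in transfers:
        inbound[receiver][sender] += amount
    return inbound

def exposure(addr, inbound, flagged, max_hops, decay=0.5, _path=frozenset()):
    """Risk in [0, 1] that addr inherits from flagged sources within max_hops.

    A flagged address scores its own risk weight. Otherwise the score is the
    amount-weighted average of its funders' scores, multiplied by `decay`
    for each hop walked back (assumed weighting model).
    """
    if addr in flagged:
        return flagged[addr]
    if max_hops == 0 or addr in _path:      # depth limit reached, or a cycle
        return 0.0
    sources = inbound.get(addr, {})
    total = sum(sources.values())
    if total == 0:
        return 0.0
    path = _path | {addr}
    return decay * sum(
        (amt / total) * exposure(src, inbound, flagged, max_hops - 1, decay, path)
        for src, amt in sources.items()
    )

def screen(addr, inbound, flagged, max_hops=3, threshold=0.01):
    """Classify the sender of a deposit: blacklist hit, indirect exposure, or clear."""
    if addr in flagged:
        return "direct_hit"
    score = exposure(addr, inbound, flagged, max_hops)
    return "indirect_exposure" if score >= threshold else "clear"

# Constructed sample: the deposit's sender sits three hops from a flagged address.
FLAGGED = {"0xSANCTIONED": 1.0}
TRANSFERS = [
    ("0xSANCTIONED", "0xHOP1", 10.0),
    ("0xHOP1", "0xHOP2", 10.0),
    ("0xEXCHANGE", "0xHOP2", 30.0),   # clean funds mixed in at this hop
    ("0xHOP2", "0xSENDER", 40.0),
]
INBOUND = build_inbound(TRANSFERS)

if __name__ == "__main__":
    for hops in (1, 2, 3):
        print(hops, exposure("0xSENDER", INBOUND, FLAGGED, hops),
              screen("0xSENDER", INBOUND, FLAGGED, max_hops=hops))
```

With a depth of two the sender screens as clear; at three hops the same deposit is flagged, which is the gap a plain address blacklist leaves open.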

Smart contract interaction

As DeFi matures, custodians are increasingly asked to hold assets that interact with smart contracts: staking positions, liquidity pool deposits, structured product vaults. Each interaction creates a risk exposure that traditional custody frameworks have no model for.

Smart contract risk monitoring covers interactions with newly deployed or unaudited contracts, contract upgrades that change the risk profile of existing positions, large withdrawals from protocols where custodied assets are deposited, and known exploit patterns such as flash loan attacks and oracle manipulation.

The most costly custodial incidents in recent years have not been private key compromises. They have been unexpected smart contract behaviours that drained assets before any human noticed.

Opsion Security Review, Q1 2026

Velocity and behavioural anomalies

Behavioural baselines are powerful signals. A wallet that has moved between 0.1 ETH and 2 ETH per day for six months, then suddenly initiates a 150 ETH transfer, deserves scrutiny regardless of the destination.

Velocity monitoring requires historical context per address, per asset, and per time window. Useful rules include volume exceeding 5x the 30-day average, transactions at unusual hours for the account's jurisdiction, rapid consolidation of many small inputs, and sudden changes in the mix of counterparties.

This category is also the most likely to surface account compromise before the customer notices. An attacker with access to a private key will often probe with a small test transaction before moving larger amounts. Velocity monitoring can catch that pattern early.
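Two of the rules above, evaluated against a per-wallet history, as an added example that is not Opsion's code. The reading of "5x the 30-day average" as one day's outgoing volume against the average daily volume, the 0.05 ETH probe ceiling, the one-hour probe window and all sample transfers are constructed assumptions.

```python
from datetime import datetime, timedelta

def velocity_alerts(history, tx, multiplier=5.0, window_days=30,
                    probe_max=0.05, probe_window=timedelta(hours=1)):
    """Return the rule names that outgoing transfer `tx` triggers.

    history: earlier (timestamp, destination, amount) transfers from the wallet.
    tx:      the new (timestamp, destination, amount) being evaluated.
    """
    ts, dest, amount = tx
    alerts = []

    # Rule 1: today's outgoing volume against the trailing daily average.
    start = ts - timedelta(days=window_days)
    recent = [(t, d, a) for t, d, a in history if start <= t < ts]
    daily_avg = sum(a for _, _, a in recent) / window_days
    day_total = amount + sum(a for t, _, a in recent if t.date() == ts.date())
    if daily_avg > 0 and day_total > multiplier * daily_avg:
        alerts.append("volume_over_30d_average")

    # Rule 2: a larger transfer to a destination whose only prior contact
    # is a tiny transfer inside the probe window.
    known = {d for t, d, _ in history if t < ts - probe_window}
    probed = any(d == dest and a <= probe_max and ts - t <= probe_window
                 for t, d, a in history if t < ts)
    if dest not in known and probed and amount > probe_max:
        alerts.append("probe_then_transfer")
    return alerts

# Constructed sample: 30 days of 1 ETH/day to one counterparty, then a
# 0.01 ETH transfer to a new address followed 20 minutes later by 150 ETH.
BASE = datetime(2026, 3, 1, 9, 0)
HISTORY = [(BASE + timedelta(days=i), "0xPAYROLL", 1.0) for i in range(30)]
PROBE = (datetime(2026, 3, 31, 10, 0), "0xNEW", 0.01)
DRAIN = (datetime(2026, 3, 31, 10, 20), "0xNEW", 150.0)

if __name__ == "__main__":
    print(velocity_alerts(HISTORY, PROBE))            # probe alone is quiet
    print(velocity_alerts(HISTORY + [PROBE], DRAIN))  # both rules fire
```

A wallet with no history in the window has no baseline, so the volume rule stays silent for it; new wallets need a separate policy rather than an average of zero.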

Network-level and cross-chain exposure

This is the category most custodians are not yet monitoring: systemic risks at the protocol or network layer rather than the individual wallet layer.

  • Bridge exposure: if custodied assets are bridged across chains, the security of the bridge protocol is part of your risk surface. Monitoring bridge contract TVL drops and unusual withdrawal patterns is not optional for custodians with cross-chain positions.
  • Stablecoin depegs: custodied stablecoin positions can lose value rapidly. Monitoring peg deviation against on-chain oracle prices provides earlier warning than exchange prices.
  • Protocol concentration: if a significant portion of custodied assets are in a single DeFi protocol, a governance attack or exploit on that protocol is a custodial risk. Concentration limits and monitoring go together.
  • Validator and sequencer health: for custodied assets on PoS chains or L2 networks, validator set changes, sequencer downtime, and governance proposals that affect consensus are relevant risk signals.

Turning signals into action

Monitoring these four categories produces a stream of signals. The operational challenge is getting those signals to the right person quickly enough to act. A counterparty risk flag on an incoming deposit is useful if it arrives before settlement. Twelve hours later it is much less useful.

Sub-3-second detection latency is not a marketing claim. For regulated custodians, the window between detection and obligatory action, whether freezing, reporting, or blocking, depends entirely on how quickly your monitoring infrastructure fires.

Opsion monitors all four risk categories out of the box, with alert delivery to Slack, Telegram, Lark, email, and webhooks. If you are reviewing your custody risk programme, we are happy to walk through how these categories map to your specific asset mix and jurisdictional requirements.
