Tokenized Asset Custody: Who Holds the Keys? | Elacity
Wall Street is tokenizing Treasuries and equities in public. The custody layer underneath never decentralized: a short list of operators still holds the keys that move the asset.
Tokenized Asset Custody: The Ledger Is Public. The Keys Are Not.
You are about to be told you own a Treasury bill on a blockchain. What you will hold is an entry that clears in public and a key that someone else keeps in a vault. The ledger is the part everyone can see. Custody is the part that decides whether the asset is actually yours, and that part did not go on-chain with the rest.
On May 4, 2026 the DTCC said it will run its first live tokenized trades in July and open the full service in October, putting Russell 1000 equities, major ETFs, and U.S. Treasuries onto a shared blockchain rail alongside BlackRock, Goldman Sachs, JPMorgan, Circle, and Ondo. The tokenized market already runs into the tens of billions of dollars, and by one recent account about half of it never trades. Wall Street is tokenizing itself in the open. It is worth asking where the keys went.
The Missing Half of Blockchains
A blockchain decentralizes one thing precisely: agreement about who owns what. No single party writes the ledger, and thousands re-check it. That is consensus, and it is genuinely hard to corrupt. Tokenization borrows that settlement layer for stocks and bonds, and the settlement part works.
Custody is a different question, and it did not decentralize. Someone still has to hold the private key that can move the token. In the institutional build-out, that someone is a qualified custodian: a regulated bank, trust company, or broker-dealer that meets the SEC bar. The holder of the key effectively holds the asset. Consensus went to the crowd. The keys went to a short list.
Tokenization has a deeper argument to answer as well, that it often tokenizes the wrong wealth while your own data sits unowned. Set that aside for a moment. Even the assets it does put on-chain inherit a custody layer that never moved with them.
The Honeypot Comes Back
Concentrated custody is efficient, and it is a target. A handful of operators holding the keys for a large share of tokenized value is the same shape as every breach of the last decade: one place worth attacking, one operator worth compelling, one failure with market-wide blast radius. The chain removed the central ledger. The custody layer quietly rebuilt the central vault beside it. It is the same gap that appears the moment AI agents are handed payment rails, only here it holds Treasuries.
The standard mitigation is multi-party computation. Firms split a key into shares across several machines so it never sits whole in one place, and every move needs a quorum, say two of three. This genuinely removes the single stolen laptop as a failure mode. It does not change who the quorum belongs to. The shares are the custodian's. The nodes are the custodian's. You are still trusting the custodian, only now it is a better-run one.
Where the Trust Boundary Should Sit
The design question that matters is not how many machines share a key. It is whose rights those machines check before they act. This is the line Elacity draws differently, and it is worth being precise about what is built and what is not.
In Elacity's model the key that unlocks an asset is split across an owned two-of-three quorum, and before any share is released, each node independently re-checks your rights on-chain. The quorum does not serve the operator. It answers to whatever the ledger says you are entitled to. The asset stays encrypted everywhere except a single sealed moment of use, and the secret exists in the clear only for the split second it signs or decrypts for you, welded to that one action, then wiped. The key is used. It is never owned, not by an app, not by Elacity, not by an attacker who breaches a server. It is the same key-quorum mechanism that lets a creator sell work no device gets to keep.
That is the difference from a custodian's multi-party setup. A custodian splits a key it controls and checks its own internal policy. Elacity splits a key no operator holds and checks the chain, so the thing that authorizes a move is your on-chain right, not a vendor's approval. Your machine is the source of truth. The chain and the key network sit beneath it as replaceable guests, not as masters.
The Honest Edge
Here is what this is not. It is not trustless. The quorum today is an owned, operator-run set of nodes, and a quorum that colluded could in principle reconstruct a key. That is a real limit, stated plainly: the design is trust-minimized, not trust-free, and the permissionless, staked node markets that would widen the trust further are being built, not shipped. The claim is narrower than trustless and more durable for it. No single operator can move your asset alone. No key sits whole in one place to be stolen. Every release answers to the ledger rather than to a company's discretion.
That narrower claim is the one that counts once tokenized Treasuries settle at scale. Decentralizing the record of ownership is solved. Decentralizing the power to act on that ownership is the part still up for grabs, and it decides whether tokenization hands control to holders or just gives the old custodians a faster ledger.
Wall Street will tokenize the asset. The question worth tracking is who ends up holding the key that moves it. Follow that thread, and follow the work. Follow Elacity on X.