Early this week, we joined a call with an institutional investor and the Investment Manager (IM). The investor wasn't asking about NAV calculations, reporting cycles, or portfolio performance.
Instead, they went straight to the heart of a question that every allocator should care about:
"How do you actually whitelist our wallet address securely?" That one question led to a whole series of excellent follow-ups:
- How do you verify an emailed instruction is genuine and not from a compromised inbox?
- How do you treat different wallet structures — CEX, self-custody, smart‑contract wallets, new protocols?
- How do you know whether a new wallet has ever interacted with high-risk or sanctioned addresses?
These questions weren't theoretical. They were practical, operational, and completely on point — exactly the kind of diligence institutional investors should be doing today.
So, here's what we shared.
1. Wallet Whitelisting: The Fund Admin's Perspective
To us, whitelisting a wallet is equivalent to setting up a new bank beneficiary. In digital assets, sending funds to the wrong address isn't reversible. So we treat wallet instructions with a zero‑error mindset, backed by institutional controls.
Here's how it works.
A. We always perform dual-channel verification
Email alone is never enough.
When an investor sends a new wallet instruction:
- We receive the instruction via their authorized email, and
- We verify the instruction through a second channel — typically a scheduled call or secure messaging with the authorized signatory and/or the fund operations team
If both don't match, the instruction is rejected.
This protects against the most common operational risk in digital assets today: email compromise without the investor even realizing it.
B. We verify the authority of the person giving the instruction
We cross-check against:
- Subscription documents
- Authorized signatory lists
- Operating documents
If an instruction comes from someone not listed, we cannot act on it — even if they appear connected to the investor or IM.
In operations, "almost authorized" is still not authorized.
C. Every wallet undergoes on-chain risk screening.
Before whitelisting a wallet, we run it through blockchain analytics platforms to check for:
- Sanctioned address exposure
- Proximity to mixers or tumblers
- Links to hacked contracts or stolen funds
- Interactions with high-risk jurisdictions
- Patterns that indicate phishing, mule activity, or scam association
Only after passing these checks can a wallet be whitelisted.
2. Different Wallet Types = Different Operational Approaches
The investor asked a great question:
"Do you process centralized exchange wallets differently from self-custody or smart‑contract wallets?"
Yes — absolutely.
A. Centralized Exchange (CEX) Wallets
Risk: Deposit addresses may be reused or controlled by the exchange.
Controls:
- Require an exchange-issued account statement
- Video verification covering the required key profile information
- Additional declaration from the fund
B. On-chain Wallets / Self-custody Wallets (e.g., Ledger, MetaMask)
Risk: Phishing or compromised seed phrases
Controls:
- Dual-channel human verification
- A cryptographically signed message from the wallet to prove control
- Additional declaration from the fund
3. How We Assess a Wallet's Risk Level Before Whitelisting
A wallet isn't just an address — it's a history.
We assess:
A. Counterparty exposure
Has this wallet ever touched:
- Sanctioned addresses
- Mixers
- High-risk entities
- Scam clusters
B. Behavioural patterns
We examine:
- Age of wallet
- Flow patterns
- Velocity of transactions
- Dormant‑wallet activation
- Unusual routing behaviour
C. Contract‑level risk (if applicable)
- Verified source code
- Audit status
- Admin key structure
- Upgradeability settings
If a wallet fails any category, it doesn't get whitelisted.
Why These Questions Matter — and Why We Welcome Them
Operational risk in digital assets is real, and institutional investors are right to scrutinize it.
These questions show a healthy, mature attitude toward fund operations:
- "How do you verify instructions?"
- "How do you protect us from fraud?"
- "How do you know a wallet is safe?"
As fund administrators, we're not here to talk investment strategy. We're here to protect investors, ensure operational integrity, and create trust in an industry that still has room to grow.
When an institutional investor asks tough operational questions, it's a sign of a future-proof partnership.