Operational Due Diligence
The last mile of diligence on digital asset operations. We name what your existing audits cover, what they miss, and what to fix.
Operational due diligence is the last mile of diligence. A package leaves Shanghai, makes it to a shipping facility in New York, and still has to get on a truck for the last mile to someone’s door. Other assurances (SOC 2, smart contract audits, prior CCSS work) get the risk assessment to the neighborhood. ODD is the truck.
Over the last two years, operational and custody failures account for approximately $4.6 billion in digital asset losses, compared to roughly $1.17 billion from smart-contract vulnerabilities and $594 million from fraud and market manipulation (sources: de.fi, web3isgoinggreat.com, DigOpp analysis as of May 2026). The industry assumes code vulnerabilities drive crypto loss. The data shows otherwise. Every operation that lost money was being audited under one framework or another at the time the loss happened; the failures were not in the audits’ scope.
What ODD actually covers
We map every assurance the target already has (SOC 2 reports, ISO 27001 certificates, smart contract audit outputs, prior CCSS work, penetration test results) and identify exactly what each one does and does not cover. The Standards Board for Alternative Investments (SBAI) operational due diligence framework for digital assets is the closest thing the industry has to a shared standard for this work; we apply it alongside ILPA’s general ODD principles as a baseline. Then we assess the digital-asset-specific operational surface that none of those frameworks were designed for:
- Custody and wallet architecture. Key and wallet generation, storage, ceremonies, recovery, and the full lifecycle of how assets are held. The biggest source of losses in this asset class. Deep CCSS-level work lives in our CCSS practice; ODD covers it at the assurance-coverage level.
- Policy and quorum design. Multi-actor signing thresholds, transaction whitelisting, rule engines, time-locks, amount-locks, and smart contract interaction policies. We test whether the documented quorum matches the quorum actually used.
- Smart contract and DeFi exposure. Protocol audit history, smart contract upgrade authority, admin key controls, and underlying DeFi integrations. Where the operation depends on counterparty smart contracts, we assess the governance and operational design around them, not the code itself.
- On-chain treasury operations. Reconciliation between on-chain state and internal books, stablecoin mint and burn workflows, tokenized asset movements, and prime broker wallet exposure. Where the on-chain reality and the documented procedure diverge, we name the gap.
- Governance controls. Administrator key controls, key-person risk, decision authority, succession planning, and incident history, together with HR practices and access controls as they relate to key material and operational authority.
- Financial health. Traditional audited financials (current ratio, debt-to-equity, ARR, burn rate, cash runway). Where applicable, on-chain Proof of Reserves and stablecoin reserve backing verification. Banking and credit relationships, including any account closures since inception.
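As an added illustration of the quorum and on-chain reconciliation checks described above (example code written for this page, not DigOpp's tooling), the script below compares a documented signing policy (threshold, signer set, whitelist, amount-lock, time-lock; all values constructed) against a constructed export of executed transactions and lists, per transaction, every documented control the evidence shows was not followed.

```python
# Constructed example: the wallet policy as an ODD reviewer would record it from
# the target's procedure manual (hypothetical values, not from any real custodian).
DOCUMENTED_POLICY = {
    "threshold": 3,                              # 3-of-5 signing quorum
    "signers": {"alice", "bob", "carol", "dave", "erin"},
    "whitelist": {"0xTREASURY", "0xPRIMEBROKER"},  # permitted destinations
    "amount_lock": 1_000_000,                    # per-transaction cap, asset units
    "timelock_seconds": 3600,                    # minimum proposal-to-execution delay
}

# Constructed transaction export as a signing platform might produce it (hypothetical).
TX_LOG = [
    {"id": "tx1", "signers": ["alice", "bob", "carol"], "to": "0xTREASURY",
     "amount": 250_000, "proposed_at": 1000, "executed_at": 5000},
    {"id": "tx2", "signers": ["alice", "bob"], "to": "0xTREASURY",
     "amount": 10_000, "proposed_at": 1000, "executed_at": 5000},
    {"id": "tx3", "signers": ["alice", "bob", "frank"], "to": "0xPRIMEBROKER",
     "amount": 10_000, "proposed_at": 1000, "executed_at": 5000},
    {"id": "tx4", "signers": ["alice", "bob", "carol", "dave"], "to": "0xUNKNOWN",
     "amount": 2_000_000, "proposed_at": 1000, "executed_at": 1200},
]


def check_transaction(tx, policy):
    """Return the documented controls this transaction violated (empty list if none)."""
    findings = []
    signers = set(tx["signers"])
    unknown = signers - policy["signers"]
    if unknown:
        findings.append(f"signer not in documented set: {sorted(unknown)}")
    # Only documented signers count toward the quorum: an unknown key must not
    # help a transaction reach the threshold.
    documented_count = len(signers & policy["signers"])
    if documented_count < policy["threshold"]:
        findings.append(f"quorum {documented_count} below threshold {policy['threshold']}")
    if tx["to"] not in policy["whitelist"]:
        findings.append(f"destination {tx['to']} not whitelisted")
    if tx["amount"] > policy["amount_lock"]:
        findings.append(f"amount {tx['amount']} exceeds amount-lock {policy['amount_lock']}")
    if tx["executed_at"] - tx["proposed_at"] < policy["timelock_seconds"]:
        findings.append("executed before time-lock elapsed")
    return findings


def reconcile(tx_log, policy):
    """Map transaction id to findings; transactions with no gap are omitted."""
    return {tx["id"]: f for tx in tx_log if (f := check_transaction(tx, policy))}


if __name__ == "__main__":
    for tx_id, findings in reconcile(TX_LOG, DOCUMENTED_POLICY).items():
        print(tx_id, findings)
```

The same structure applies to any exported signing log: the documented policy is the claim, the export is the evidence, and each non-empty entry in the result is a gap to name in the report.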
Business continuity and disaster recovery are tested against actual digital asset failure modes (chain congestion, oracle halts, custodian outages), not just generic IT-DR scenarios. Incident response procedures are reviewed alongside the evidence they have been exercised.
What you get
A report structured around assurance coverage: what is covered, by what, to what standard, and a clean list of what is not. The report opens with a summary, an Impact-Likelihood Heat Map, and a risk table grading each finding from Informational to Critical. Subsequent sections cover the operational surface (custody technology, products and offerings, trading and execution where applicable), financial health, regulation and compliance (licenses, audits, policies, AML/KYC/KYB, investigations, cybersecurity), and insurance.
The report is written to be handed to an LP, a board, a regulator, or a counterparty. No filler.
Typical turnaround
Six to ten weeks from kickoff, depending on the scope and the responsiveness of the target. Updates run faster: two to four weeks once the baseline report exists.
Why ODD is often the entry point
Most new clients come to us for ODD. A service provider wants to publish a diligence report to its trust center. A fund’s board has started asking questions the internal team can’t answer. An LP has asked for evidence before committing. In every case, the question is the same: what does what we already have actually cover, and what’s left?
The pattern we see repeatedly: providers hand over a procedure manual that looks comprehensive on paper. When we ask for evidence to show those procedures were actually followed (signed ceremony runbooks, reviewed access logs, attested quorum, reconciliation outputs from specific dates), it often doesn’t exist. The standard expects evidence, not just documentation. ODD finds where that gap is before someone else does.
When to engage
- A counterparty, LP, or regulator has asked for operational diligence and the existing assurances do not answer the question.
- You are launching a new product (custody, stablecoin, tokenized fund, on-chain credit) and want the operational design pressure-tested before it goes live. For product-specific deep dives, see Stablecoin Operations, RWA Tokenization Audit, On-Chain Credit, and Cross-Chain Bridge Audit.
- You want to publish an ODD report as part of a trust center or buyer-enablement package.
- Your board or risk committee has started asking questions the team can’t answer with current documentation.
- You need to narrow the field of providers before selecting a target for ODD. See Vendor Research & Benchmarking for the field-level work that precedes a target-level engagement.
Frequently asked questions
How much of digital asset losses are operational vs. code-based?
Over the last two years, operational and custody failures account for approximately $4.6 billion in digital asset losses, compared to roughly $1.17 billion from smart-contract vulnerabilities and $594 million from fraud and market manipulation (sources: de.fi, web3isgoinggreat.com, DigOpp analysis as of May 2026). The industry assumption that code vulnerabilities drive losses does not match the data. Operational controls, key management, and counterparty risk drive the majority.
What does operational due diligence on a crypto operation actually cover?
Crypto ODD maps every assurance the target already has (SOC 2, ISO 27001, smart contract audits, CCSS, penetration tests) and identifies what each one does and does not cover. It then assesses the digital-asset-specific operational surface: custody and wallet architecture, policy and quorum design, smart contract and DeFi exposure, on-chain treasury operations, governance controls, and financial health (including audited financials, on-chain Proof of Reserves, and reserve backing where applicable). The deliverable is a report structured around assurance coverage and gaps.
How long does crypto ODD take?
Six to ten weeks from kickoff, depending on scope and the responsiveness of the target. Updates run faster: two to four weeks once a baseline report exists.
Do I need different ODD scopes for a service provider versus a fund or manager?
Yes. Service-provider ODD (a custody tech provider, prime broker, exchange) assesses the operational integrity of the platform itself: key generation, signing infrastructure, policy management, disaster recovery, the controls around the people who run it. Fund and manager ODD assesses the operational design of the fund: valuation policy, custody selection, trade reconciliation, NAV calculation, third-party provider management, key-person risk. The two reports share methodology but answer different questions. We deliver both shapes.
What did Genesis, Celsius, and BlockFi miss operationally?
Undisclosed counterparty exposure, rehypothecation that did not match what was disclosed, treasury reconciliation failures, custody arrangements at odds with documented procedures, and inadequate liquidation procedures. Three Arrows Capital (June 2022), Celsius (July 2022), Voyager Digital (July 2022), BlockFi (November 2022), FTX and Alameda (November 2022), and Genesis (January 2023) each failed on one or more of these. More recent failures (Bybit $1.5B in February 2025 from a custody supply-chain breach, BlockTower $1.7B in May 2024 from private-key compromise, Infini $50M in February 2025 from compromised admin keys) confirm the pattern.
Do I need ODD if my fund holds spot crypto only?
In most cases, yes. Spot custody still depends on a custodian's operational practices around key management, segregation, withdrawal authorization, and ceremony integrity. Prime Trust (June 2023, ~$80 million lost to improper private-key backup setup) was a regulated custodian holding spot assets. Operational risk does not require complex products to materialize.
Who is asking for crypto ODD right now?
LPs running diligence on funds with digital asset exposure. Banks and corporate treasuries running diligence on stablecoin issuers, custody platforms, and tokenization partners. Boards and risk committees responding to regulator questions. The Standards Board for Alternative Investments (SBAI) published a dedicated digital asset ODD guide in 2023; institutional demand has tracked the framework's release.
Can the ODD report be published to a trust center?
Yes. Service providers commission ODD specifically to publish alongside SOC 2 reports and other assurances on a customer-facing trust center. We structure deliverables for this use case when requested. ILPA's institutional ODD framework provides a baseline for what such reports should contain.
Scope an ODD engagement
Every engagement starts with a scoping call about what you're trying to assure and who you need to assure it to.