Custody 301 — Multisig, recovery, and the annual drill · Lesson 5 of 5

The annual recovery drill

5 min read

Custody isn't a setup. It's a maintenance discipline. Every long-term self-custody failure I've seen falls into the same shape: the user had a perfectly good setup at year zero, then never touched it for three years, and by year three something had decayed — corroded metal, lost shard, dead device firmware, forgotten passphrase modifier, dead trusted human. The annual drill is the routine that catches these before they're fatal.

Block out half a day. Same date every year — pick something memorable, your birthday or January 2nd. Don't move the date. Drill in calendar form, not "when I get to it."

The drill — six steps

1. Inventory check (30 minutes)

Open a notebook (paper, not a synced doc) and write down:

  • Every wallet you hold material balance in. Address, network, approximate balance.
  • The signer list (every signer and its weight) for any multisig wallets.
  • The location of every seed-phrase backup, every Shamir shard, every hardware wallet.
  • The recovery contacts (attorney, shard holders) and their current contact info.

If anything has changed since last year — moved house, changed attorney, replaced a hardware wallet — flag it. Most year-over-year losses come from someone moving the seed to a "better" hiding place and then losing track of which version is authoritative.

2. Physical-condition check (30 minutes)

Visit each off-site backup location. For metal-stamped seed phrases: check the plate for corrosion, especially around the edges. For paper backups (you shouldn't be using these for >€10k, but if you are): check for fading, water damage, mold.

For hardware wallets in storage: turn them on, verify they boot, verify they show the right wallet address. Do not enter the passphrase from your active environment — bring the HW home if you need to verify deeper, then put it back.

3. Recovery rehearsal (60 minutes — the most important step)

Pick one wallet — ideally one with a small dust balance, not your main holding. Wipe its hardware wallet. Restore from your written backup. Verify the restored device produces the same addresses you recorded in step 1.

This step is what catches:

  • Seed phrases written wrong years ago and only checked once.
  • Hardware wallets that have been silently bricked by storage conditions (humidity, temperature).
  • Passphrase modifiers whose exact spelling you've forgotten (uppercase first letter? trailing space?).
  • Derivation-path mismatches between the original setup and a newer firmware.

If the restore fails, you've found the problem before it mattered. Fix it on the spot — re-write the seed, replace the device, re-stamp the plate. Do not leave the day without a confirmed-working recovery.
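The passphrase-modifier failure above is worth seeing in numbers. The following is an added example, not part of the lesson: it implements BIP39 seed derivation (PBKDF2-HMAC-SHA512, 2048 rounds, salt `"mnemonic" + passphrase`, NFKD-normalised inputs) with only the Python standard library, then shows that "Hunter2", "hunter2" and "hunter2 " each yield an unrelated seed. It assumes your hardware wallet follows BIP39 for the seed and passphrase, which is what most do. Because deriving an actual ledger address from the seed needs secp256k1 and base58 code, the example records a short non-secret fingerprint of the seed as the stand-in for "the address I wrote down in step 1". The mnemonic used is the public BIP39 reference mnemonic, not a real wallet.

```python
import hashlib
import hmac
import unicodedata

# Constructed input: the public BIP39 reference mnemonic (all-zero entropy).
# It controls no funds; never paste a real mnemonic into a general-purpose machine.
MNEMONIC = "abandon " * 11 + "about"


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 seed derivation exactly as the spec defines it.

    Both strings are NFKD-normalised first, so a composed and a decomposed
    accented character give the same seed, but case and whitespace do NOT."""
    words = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", words, salt, 2048, dklen=64)


def seed_fingerprint(seed: bytes) -> str:
    """Short identifier of a seed that is safe to write in the custody binder.

    Domain-separated HMAC over the seed: it lets you tell two seeds apart but
    gives no way back to the seed itself. 8 hex chars is plenty to spot a mismatch."""
    return hmac.new(b"custody-drill-fingerprint", seed, "sha256").hexdigest()[:8]


def passphrase_variants(passphrase: str) -> dict:
    """Fingerprints for the 'how exactly did I type it?' variants from step 3.

    Every variant is a completely different wallet; the device will not warn you."""
    variants = {
        "as written": passphrase,
        "capitalised": passphrase[:1].upper() + passphrase[1:],
        "trailing space": passphrase + " ",
        "no passphrase": "",
    }
    return {name: seed_fingerprint(bip39_seed(MNEMONIC, p)) for name, p in variants.items()}


def check_restore(recorded_fingerprint: str, mnemonic: str, passphrase: str) -> bool:
    """Step 3 in one line: does the restored seed match what step 1 recorded?"""
    return seed_fingerprint(bip39_seed(mnemonic, passphrase)) == recorded_fingerprint


if __name__ == "__main__":
    # Record the fingerprint once at setup; compare against it every drill.
    recorded = seed_fingerprint(bip39_seed(MNEMONIC, "hunter2"))
    for name, fp in passphrase_variants("hunter2").items():
        print(f"{name:15s} {fp}  {'OK' if fp == recorded else 'MISMATCH'}")
```

Run it only with the reference mnemonic shown; the point is to internalise that the four rows print four different fingerprints, so a remembered passphrase that is off by one character restores a valid-looking but empty wallet. That is exactly the silent failure the rehearsal exists to catch, and why the recorded fingerprint (or address) from step 1 is the only reliable check.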

4. Signer-set rotation (45 minutes — biennially is fine)

For multisig wallets, rotate one signer every other year:

  1. Generate a new key on a fresh HW.
  2. Submit a SignerListSet transaction that replaces the oldest signer with the new one.
  3. The replaced signer's HW gets wiped and recycled.

This bounds the age of any single signer key to ~10 years (5 signers × 2 years). It also exercises the multisig signing flow itself, which is the second-most-common source of "I can't move my funds when I need to" — people forget how to multisign because they only do it once every few years.
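To make the rotation mechanical rather than something you reconstruct from memory every other year, here is an added example (not code from the lesson) that builds the SignerListSet transaction for "replace the oldest signer". It enforces the XRP Ledger's own signer-list rules, which are protocol facts rather than the lesson's: 1 to 32 entries, no duplicate signers, the account may not sit in its own signer list, every weight at least 1, and the quorum must be reachable by the sum of weights. The signer addresses are labelled placeholders, not real accounts; the constructed sample has five signers created two years apart, so the oldest key is exactly 10 years old at the 2028 drill.

```python
from dataclasses import dataclass

# Protocol constraint, not from the lesson: the ExpandedSignerList amendment
# raised the maximum from 8 to 32 entries.
MAX_SIGNERS = 32


@dataclass(frozen=True)
class Signer:
    account: str        # r-address of the signer (placeholders below)
    weight: int         # SignerWeight, >= 1
    created_year: int   # when this key was generated, for the age bound


# Constructed sample: five signers, one generated every two years.
SAMPLE_SIGNERS = [
    Signer("rSIGNER_2018_PLACEHOLDER", 1, 2018),
    Signer("rSIGNER_2020_PLACEHOLDER", 1, 2020),
    Signer("rSIGNER_2022_PLACEHOLDER", 1, 2022),
    Signer("rSIGNER_2024_PLACEHOLDER", 1, 2024),
    Signer("rSIGNER_2026_PLACEHOLDER", 1, 2026),
]


def validate(account: str, signers: list, quorum: int) -> None:
    """Raise ValueError for a list the ledger would reject anyway."""
    if not 1 <= len(signers) <= MAX_SIGNERS:
        raise ValueError(f"signer list must have 1..{MAX_SIGNERS} entries")
    accounts = [s.account for s in signers]
    if len(set(accounts)) != len(accounts):
        raise ValueError("duplicate signer")
    if account in accounts:
        raise ValueError("an account cannot be in its own signer list")
    if any(s.weight < 1 for s in signers):
        raise ValueError("every SignerWeight must be at least 1")
    if not 1 <= quorum <= sum(s.weight for s in signers):
        raise ValueError("quorum must be reachable by the signers' total weight")


def is_valid(account: str, signers: list, quorum: int) -> bool:
    try:
        validate(account, signers, quorum)
        return True
    except ValueError:
        return False


def oldest_key_age(signers: list, now_year: int) -> int:
    """Age in years of the oldest signer key; this is what rotation bounds."""
    return now_year - min(s.created_year for s in signers)


def rotate_oldest(account: str, signers: list, quorum: int, new_signer: Signer) -> dict:
    """Build the SignerListSet that swaps the oldest signer for new_signer.

    Quorum and the other signers' weights are kept as they are; the whole list
    is resubmitted because SignerListSet always replaces the entire list."""
    oldest = min(signers, key=lambda s: s.created_year)
    rotated = [new_signer if s is oldest else s for s in signers]
    validate(account, rotated, quorum)
    return {
        "TransactionType": "SignerListSet",
        "Account": account,
        "SignerQuorum": quorum,
        "SignerEntries": [
            {"SignerEntry": {"Account": s.account, "SignerWeight": s.weight}}
            for s in rotated
        ],
    }


if __name__ == "__main__":
    import json
    print("oldest key age before rotation:", oldest_key_age(SAMPLE_SIGNERS, 2028))
    tx = rotate_oldest("rOWNER_PLACEHOLDER", SAMPLE_SIGNERS, 3,
                       Signer("rSIGNER_2028_PLACEHOLDER", 1, 2028))
    print(json.dumps(tx, indent=2))
```

The transaction still has to be signed by a quorum of the existing signers and submitted, which is the part of the flow the lesson says people forget; keeping the builder in the custody binder next to the drill note means the only thing you have to remember is which signer is oldest.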

5. Shard-holder check-in (15 minutes)

Call each shard-holder. Confirm they still have the shard. Confirm they remember the protocol. Update their contact info if it's changed. Reaffirm that they should NOT act on a request from anyone who isn't in your written list of triggers.

If someone has moved, changed jobs, become hard to reach, or fundamentally seems uninterested — replace them. This is a 60-minute exercise to set up a new shard-holder; doing it during the drill is dramatically easier than doing it during a real recovery.

6. Document the drill (15 minutes)

Date and sign a one-paragraph note in your custody binder:

"Annual drill conducted 2027-01-02. Inventory verified. All three off-site backups in good condition. Test recovery of wallet rXXXX… succeeded. Signer 2 rotated (old key wiped, new key now active). Shard holder Maria confirmed her shard is in place. Next drill: 2028-01-02."

This note is the single best piece of evidence that a custody setup is being actively maintained. Insurance underwriters, tax authorities, and (if you ever need them) your own heirs will all benefit from it.

What this protects against, and the math

A retail trader who runs this drill yearly is, in effect, doing for their custody what a fire department does for hydrants: confirming that the thing you'll rely on in a crisis still works before the crisis.

Most six-figure self-custody losses I've seen retrospectively trace back to a single failure mode that would have been caught by step 3 of this drill. The cost is half a day a year. The expected value of running it on a €100,000 long-term holding is, conservatively, in the thousands of euros per year.

If you remember nothing else from Custody 301: annual drill, half a day, same date every year, step 3 is the one that matters. The Sealmaster doesn't lose to clever attacks. He loses to people who showed up once a year and actually checked.