
Lombard Security Model

Lombard secures bitcoin through a 14-member Security Consortium (OKX, Galaxy, Kraken, Wintermute, and 10 others) where every transaction requires a two-thirds majority to authorize. No single institution controls anything. This is backed by hardware-level key protection via CubeSigner, independent verification via Bascule Drawbridge, and 10 third-party audits. Zero incidents. Zero downtime since launch.

  • 14 Consortium Members
  • 10 of 14 Signing Threshold
  • 10 Completed Audits
  • $250K Bug Bounty Max


Security Consortium

The Security Consortium distributes trust across multiple independent digital asset institutions. These members possess public reputations, legal accountability, professional security teams, and geographic/organizational diversity.

Members include OKX, Galaxy, DCG, Wintermute, Amber Group, Figment, P2P, Kiln, Kraken, Antpool, and F2Pool. See the full Consortium roster and member roles.

Key operational requirements:

  • Two-thirds majority (10 of 14 members) must sign off on critical operations
  • A single compromised member, or even four, cannot authorize actions independently
  • Membership requires infrastructure deployment, KYB review, network voting, and smart contract updates

CubeSigner: Hardware-Level Protection

CubeSigner, built by Cubist, manages cryptographic operations through Hardware Security Modules. Private keys are generated inside HSMs and never leave secure hardware, ensuring keys remain inaccessible to Consortium members, Lombard, or Cubist.

Implementation mechanisms:

  • Fine-grained signing sessions with expiration and revocation capabilities
  • Transaction restrictions limiting key usage to specific transaction types
  • Multi-party authorization requirements for high-risk operations
  • Timelocks preventing immediate credential utilization
  • Anti-slashing cryptographic policies for Babylon validators

Bascule Drawbridge: Independent Verification

Operating as an independent verification layer, Bascule provides cross-checks preventing a compromised Consortium from minting unbacked LBTC. The system monitors Bitcoin independently, awaits six confirmations, and requires dual authorization from both the Consortium and Bascule.

For deposits: Before any mint, Bascule independently verifies that the BTC deposit exists on the Bitcoin network with 6 confirmations. Minting requires valid signatures from both the Consortium and Bascule.

For withdrawals (Reverse Bascule): Bascule monitors redemption events on supported chains. Before CubeSigner authorizes a BTC payout, the Reverse Bascule verifies that the corresponding LBTC was actually burned.
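
The 10-of-14 Consortium threshold and the Bascule deposit check described above combine into one mint decision. The sketch below is an added example, not Lombard's, Cubist's or Bascule's code: it models only the approval-counting policy, with approvals as plain member identifiers instead of verified signatures. The member names, transaction ids, data layout and the amount comparison are assumptions.

```python
from dataclasses import dataclass

CONSORTIUM_SIZE = 14     # members, per the page
THRESHOLD = 10           # two-thirds majority of 14, per the page
MIN_CONFIRMATIONS = 6    # Bascule waits for six confirmations, per the page

# Constructed member identifiers; real members sign with HSM-held keys.
MEMBERS = frozenset(f"member-{i:02d}" for i in range(1, CONSORTIUM_SIZE + 1))
ALL_MEMBERS = sorted(MEMBERS)


@dataclass(frozen=True)
class MintRequest:
    deposit_txid: str
    amount_sats: int


def consortium_approves(approvals):
    """Count distinct approvals from known members only."""
    return len(set(approvals) & MEMBERS) >= THRESHOLD


def bascule_approves(request, bitcoin_view):
    """Independent check against a separate view of the Bitcoin chain.
    Comparing the amount is an assumption of this sketch."""
    deposit = bitcoin_view.get(request.deposit_txid)
    if deposit is None:
        return False
    return (deposit["amount_sats"] == request.amount_sats
            and deposit["confirmations"] >= MIN_CONFIRMATIONS)


def authorize_mint(request, approvals, bitcoin_view):
    """Both layers must agree; returns (allowed, reasons_for_denial)."""
    reasons = []
    if not consortium_approves(approvals):
        reasons.append("consortium threshold not met")
    if not bascule_approves(request, bitcoin_view):
        reasons.append("bascule could not verify deposit")
    return (not reasons, reasons)


# Constructed sample data: one deposit at six confirmations, one at three.
BITCOIN_VIEW = {
    "tx-confirmed": {"amount_sats": 50_000, "confirmations": 6},
    "tx-shallow": {"amount_sats": 50_000, "confirmations": 3},
}

if __name__ == "__main__":
    # All 14 members approving a deposit Bascule cannot find is still denied.
    print(authorize_mint(MintRequest("tx-missing", 50_000), ALL_MEMBERS, BITCOIN_VIEW))
```
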


Smart Contract Security

Lombard contracts undergo rigorous third-party audits from six firms: OpenZeppelin, Halborn, Veridise, Sherlock, ABDK, and Cantina. The protocol maintains an Immunefi bug bounty program offering rewards up to $250,000 and employs Hexagate for real-time behavioral monitoring.

Safety mechanisms include:

  • Pausable critical functions
  • Two-step upgrades with timelocks
  • Rate limiting on unusual patterns

Operational Security

Infrastructure protection includes:

  • Documented incident response procedures
  • Formal key ceremonies with multiple witnesses
  • Regular penetration testing
  • Continuous ecosystem threat monitoring

Transparency Measures

Chainlink Proof of Reserve feeds verify Bitcoin backing every 10 minutes. On-chain audit trails, publicly available audit reports, and comprehensive documentation support user verification of security measures.


How LBTC Compares to Other Wrapped Bitcoin

LBTC, WBTC, and cbBTC all represent Bitcoin onchain at a 1:1 ratio, but they differ in how that Bitcoin is secured and whether it earns yield.

| Property | LBTC | WBTC | cbBTC |
|---|---|---|---|
| Type | Wrapped bitcoin | Wrapped bitcoin | Wrapped bitcoin |
| Native yield | Yes | No | No |
| Custody / trust model | Distributed (14-member consortium, HSM keys) | Custodial (BitGo 2-of-3 multisig) | Custodial (Coinbase) |
| Backing | 1:1 BTC | 1:1 BTC | 1:1 BTC |
| Reserve verification | Chainlink Proof of Reserve + Bascule Drawbridge | Chainlink Proof of Reserve | Chainlink Proof of Reserve |
| Redeemable for native BTC | Yes | Yes | Yes |
| Multi-chain | Yes | Yes | Yes |

The main differences are native yield and the custody model: LBTC pays yield and distributes signing across a 14-member consortium, while WBTC and cbBTC pay no yield and rely on a single custodian.


Known Risks

The protocol acknowledges inherent limitations:

  • Slashing risk: 0.1% exposure for Babylon-staked BTC
  • Smart contract vulnerabilities: Despite audits, no code is guaranteed bug-free
  • Bridge infrastructure dependencies: Cross-chain transfers rely on external validators
  • Permissioned Consortium coordination: Requires trust in institutional members
  • Regulatory uncertainties: Evolving legal landscape for crypto assets

Frequently Asked Questions

Every Lombard operation is authorized by a 14-member Security Consortium under a two-thirds supermajority (10 of 14), with private keys held in hardware security modules via CubeSigner and an independent Bascule layer that cross-checks every mint. No single party can move funds.
The consortium is made up of 14 independent institutions: OKX, Galaxy, Kraken, Wintermute, DCG, Amber, Antpool, F2Pool, Figment, Kiln, P2P, Cubist, Nansen, and Bitwise Onchain Solutions.
Yes. Lombard has completed 10 third-party audits with 6 leading firms (OpenZeppelin, Halborn, Veridise, Sherlock, ABDK, and Cantina) and runs an Immunefi bug bounty with rewards up to $250,000.
No, by design, not even Lombard or the consortium itself can. The 14 members are deliberately independent and diverse institutions, and moving funds needs a 10-of-14 supermajority, so the compromise or collusion of a few can never reach the threshold. The signing keys live inside hardware modules (CubeSigner) that no one, not Lombard, Cubist, or any member, can extract. The most a bad actor could do is stall operations, never steal funds.

Next Steps

  • Consortium Members: Full list of the 14 Security Consortium members
  • Audits: Complete audit history and security review details
  • Bug Bounty: Immunefi program details and reward tiers
  • Transparency: Proof of Reserve, oracles, and on-chain verification