A single private key is a single point of failure. One phishing attack, one malware infection, one stolen device, and your balance is gone. Multi-Party Computation (MPC) solves this by distributing key material across multiple parties so that the complete key never exists in any single location, not even during signing.
By 2026, MPC is the dominant security architecture for retail crypto cards. Bybit Card uses it. Ledger CL Card uses it. Dozens of white-label providers run on Fireblocks MPC under the hood. This article covers the technical mechanics, compares MPC to alternatives, examines real security incidents, and evaluates how major card providers implement it.
What Is MPC?
MPC is a cryptographic protocol that lets multiple parties jointly compute a function (like generating a digital signature) over their private inputs without revealing those inputs to each other.
Applied to crypto wallets: instead of one private key signing transactions, MPC distributes key material across 2-3 parties. Each party holds a "key share" that is useless alone. Together, they can sign transactions through distributed computation without ever reconstructing the full private key.
A traditional wallet stores a 256-bit secret on one device. Steal the device, steal the funds. An MPC wallet (2-of-2) splits the key into two shares: one on your phone, one on the issuer's server. Signing requires both parties to compute partial signatures independently, which are then combined into a valid transaction. The full key never materializes anywhere.
The Three MPC Architectures
2-of-2 MPC
Both the user's device (Share 1) and the issuer's server (Share 2) must participate in every signing. This is the highest security option because the issuer cannot unilaterally move funds. The tradeoff: if you lose your device and the issuer goes offline, your funds are permanently locked. No recovery mechanism exists. Early MPC implementations (2020-2022) used this model, but most have moved away from it.
2-of-3 MPC
The most common architecture for retail cards. Shares are split across three parties: user device, issuer server, and a recovery service or backup. Any two of the three can sign. Under normal operation, you and the issuer sign together. If you lose your device, the issuer and recovery service can restore access. If the issuer disappears, you and the recovery service can move your funds.
The risk is that the issuer and recovery service could theoretically collude, though this is mitigated by legal agreements, insurance, and audit trails. Bybit Card, Ledger CL Card, and most white-label providers use 2-of-3.
3-of-5 MPC
Used by institutional clients with $1M+ balances. Five shares across user device, issuer server, hardware wallet, and two independent recovery services. Any three can sign. This provides extreme redundancy (survives two compromises) and geographic distribution of shares, but signing is slower because three parties must coordinate. Fireblocks enterprise clients and BitGo custody use this model.
How MPC Signing Works
During setup, each party independently generates their random share. A cryptographic protocol ensures the shares collectively represent a valid private key, but neither party learns the other's share or the complete key. The public key is derived normally and used for receiving funds.
When you tap your card to pay $100, the MPC signing protocol runs:
- Your device creates the unsigned transaction
- Your device computes a partial signature using Share 1
- The issuer's server computes a partial signature using Share 2
- The partial signatures are combined mathematically into a complete ECDSA signature
- The signed transaction is broadcast to the blockchain
The combination happens through homomorphic operations. Shares never leave their respective secure environments. The result is indistinguishable from a standard single-key signature on the blockchain.
In a 2-of-3 system, an adversary who controls one share cannot sign anything. Malware on your phone steals Share 1, but without Share 2 or 3 it is useless. A breach of the issuer's database exposes Share 2, but without Share 1 or 3 it is equally useless. A man-in-the-middle can see transaction details but cannot forge signatures without the shares.
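Added example (not from any card provider's code): a 2-of-3 setup and signing round over secp256k1 in which any two shares produce a signature that verifies against one ordinary public key, while the private key is never assembled. It uses a Schnorr-style signature in place of ECDSA because Schnorr partial signatures add linearly, whereas threshold ECDSA needs an extra multiplication sub-protocol. It also omits the share verification and nonce commitments a deployed protocol requires, and all function names are illustrative.

```python
import hashlib, secrets
from functools import reduce
from math import prod

P = 2**256 - 2**32 - 977             # secp256k1 field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(A, B):                       # affine point addition, None = infinity
    if A is None or B is None:
        return A or B
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    m = (3 * x1 * x1 * pow(2 * y1, -1, P) if A == B
         else (y2 - y1) * pow((x2 - x1) % P, -1, P)) % P
    x3 = (m * m - x1 - x2) % P
    return x3, (m * (x1 - x3) - y1) % P

def mul(k, A):                       # double-and-add; teaching code, not constant time
    R = None
    while k:
        R, A, k = (add(R, A) if k & 1 else R), add(A, A), k >> 1
    return R

def dkg(ids=(1, 2, 3)):              # 2-of-3 setup, simulated in one process
    # Party i deals a random line f_i and publishes f_i(0)*G; party j keeps
    # only x_j = sum_i f_i(j). The joint key sum_i f_i(0) is never formed.
    polys = [(secrets.randbelow(N), secrets.randbelow(N)) for _ in ids]
    shares = {j: sum(a0 + a1 * j for a0, a1 in polys) % N for j in ids}
    return shares, reduce(add, (mul(a0, G) for a0, _ in polys))

def lagrange(i, signers):            # weight of share i for this signer set
    others = [j for j in signers if j != i]
    return prod(others) * pow(prod(j - i for j in others) % N, -1, N) % N

def challenge(R, pub, msg):
    data = b"".join(v.to_bytes(32, "big") for v in (*R, *pub)) + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def sign(msg, shares, pub, signers):
    nonces = {i: secrets.randbelow(N - 1) + 1 for i in signers}
    R = reduce(add, (mul(k, G) for k in nonces.values()))   # only k_i*G is exchanged
    e = challenge(R, pub, msg)
    parts = [(nonces[i] + e * lagrange(i, signers) * shares[i]) % N for i in signers]
    return R, sum(parts) % N         # partial signatures are simply added

def verify(msg, sig, pub):           # the check a single-key Schnorr verifier runs
    return mul(sig[1], G) == add(sig[0], mul(challenge(sig[0], pub, msg), pub))
```

Calling sign with a single party id yields a signature that fails verify, which is the property the paragraph above describes for an attacker holding one share.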
MPC vs. Alternatives
| Feature | Single Key | Multisig | MPC (2-of-3) | Hardware Wallet |
|---|---|---|---|---|
| Key Storage | One location | Multiple full keys | Distributed shares | Secure element chip |
| Single Point of Failure | Yes | No | No | Yes (if lost) |
| Transaction Cost | Standard fee | 3-5x higher (multiple sigs) | Standard fee | Standard fee |
| Blockchain Visibility | Standard wallet | Multisig contract visible | Standard wallet (private) | Standard wallet |
| Recovery | Seed phrase | Backup signers | Third share backup | Seed phrase |
| UX | Simple | Complex (coordinate signers) | Simple (transparent to user) | Requires physical device |
| Chain Compatibility | All chains | Requires smart contract support | All chains (native ECDSA) | All chains |
| Best Use Case | Small amounts | On-chain DAOs | Crypto cards | Cold storage |
MPC wins for cards because users do not notice it is happening (the experience feels like a normal wallet), transaction costs are standard (unlike multisig which requires 3-5x gas), it works on every chain without smart contract support, and recovery is built in through the third share rather than a seed phrase that can be lost.
Which Cards Use MPC
| Card | MPC Provider | Architecture | Share Locations | Recovery Method |
|---|---|---|---|---|
| Bybit Card | Fireblocks | 2-of-3 | Device, Bybit HSM, Recovery HSM | Email + 2FA |
| Xplace | MultiversX native | 2-of-3 | Device, Xplace, Guardian service | Guardian approval |
| Ledger CL Card | Ledger Recover | 2-of-3 | Ledger device, Ledger server, Coincover | ID verification |
| White-label (Striga) | Fireblocks/Copper | 2-of-2 or 2-of-3 | Varies by issuer | Varies |
Most major cards use Fireblocks (B2B MPC provider) or Web3Auth (developer framework) rather than building MPC from scratch. Building secure MPC requires deep cryptography expertise, and licensing a proven implementation is standard practice.
Security Incidents: Where MPC Has Failed
MPC is not invulnerable. Three incidents show where things can still go wrong.
In August 2022, Slope (a Solana wallet) used client-side MPC but logged private key shares in plaintext to their Sentry error tracking service. An attacker accessed the logs, reconstructed keys from the shares, and stole $6M from 9,000 wallets. The MPC math was fine. The implementation leaked the inputs.
In August 2023, researchers found a theoretical attack on Fireblocks' MPC signing protocol. If an attacker both controlled the user's device and could intercept traffic to the Fireblocks server, they could extract the key. No funds were stolen (the disclosure was responsible and patched promptly), but it showed that MPC implementation details matter as much as the cryptographic theory.
In 2024, an attacker used social engineering to convince a recovery service to release Share 3, combined it with Share 1 (phished from user devices), and stole $250k from 12 users. The issuer's Share 2 was bypassed entirely. Recovery share custody is an attack vector that requires strong identity verification.
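Added example (not code from Slope, Sentry, or any wallet vendor): a standard-library logging filter that masks share-shaped values before a record reaches the handler that ships events off the device, the control that was missing in the Slope incident above. The field-name list, size thresholds, logger name and sample share are assumptions made for the illustration.

```python
import logging, re

SENSITIVE_KEY = re.compile(r"share|secret|seed|mnemonic|priv", re.I)
LONG_HEX = re.compile(r"\b(?:0x)?[0-9a-fA-F]{64,}\b")
MASK = "[REDACTED]"

def scrub(value):
    """Recursively mask anything shaped like key material."""
    if isinstance(value, dict):
        return {k: MASK if SENSITIVE_KEY.search(str(k)) else scrub(v)
                for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return type(value)(scrub(v) for v in value)
    if isinstance(value, (bytes, bytearray)) and len(value) >= 32:
        return MASK                              # raw 256-bit scalars
    if isinstance(value, int) and value.bit_length() > 128:
        return MASK                              # shares held as big integers
    if isinstance(value, str):
        return LONG_HEX.sub(MASK, value)
    return value

class ShareRedactor(logging.Filter):
    """Attach to the handler that sends events to the error tracker."""
    def filter(self, record):
        msg, args = str(scrub(record.msg)), scrub(record.args)
        try:
            text = msg % args if args else msg
        except (TypeError, ValueError, KeyError):  # e.g. "%x" applied to a masked value
            text = f"{msg} {args}"
        record.msg, record.args = scrub(text), None
        return True

class Capture(logging.Handler):                  # stand-in for the error-tracker transport
    def __init__(self):
        super().__init__()
        self.lines = []
    def emit(self, record):
        self.lines.append(record.getMessage())

def demo():
    share = int("ab" * 32, 16)                   # constructed sample share, not a real key
    handler = Capture()
    handler.addFilter(ShareRedactor())
    log = logging.getLogger("wallet.demo")
    log.addHandler(handler)
    log.error("sign failed ctx=%s", {"user": "u1", "key_share": share})
    log.error("sign failed share=%x", share)     # masked by type before formatting
    log.error("sign failed share=" + format(share, "x"))  # masked by hex pattern
    return handler.lines
```

Pattern-based scrubbing is a backstop; the primary control is never passing share material to a logging call in the first place.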
Attack Vectors That Remain
Even with MPC, four attack paths exist. Device compromise combined with social engineering of the recovery service bypasses the issuer entirely. A rogue employee with access to both the issuer's share and the recovery share can drain funds (mitigated by multi-sig governance and audit logs). Supply chain attacks on MPC libraries can inject backdoors during the build process. And eventually, quantum computing could break ECDSA signatures regardless of how key material is distributed, though post-quantum MPC research is underway.
MPC Provider Comparison
| Provider | Target Market | Architecture | Audits | Notable Clients |
|---|---|---|---|---|
| Fireblocks | Institutions, Exchanges | 2-of-3, HSM-backed | Trail of Bits, NCC Group | Bybit, Revolut, BNY Mellon |
| Web3Auth | Consumer apps, Cards | 2-of-3, OAuth-based recovery | OpenZeppelin, Halborn | Skyweaver, Uniswap Wallet |
| ZenGo | Retail wallets | 2-of-2, biometric recovery | Kudelski Security | ZenGo Wallet (self-operated) |
| Sepior | Enterprise custody | 3-of-5 custom | Academic peer review | Tier-1 banks (NDAs) |
Fireblocks charges $0.02-0.10 per transaction. Web3Auth is free under 10,000 monthly active users, then $0.01/user/month.
MPC vs. Hardware Wallet for Daily Spending
| Feature | Hardware Wallet (e.g., Ledger) | MPC Wallet (e.g., Bybit) |
|---|---|---|
| Signing Speed | Manual (slow) | Automatic/Biometric (fast) |
| Key Theft Risk | Physical access required | Must compromise multiple parties |
| Recovery | Seed phrase (high loss risk) | Social/identity recovery |
| Best For | Cold storage | Daily spending |
For a spending balance of $5,000, MPC eliminates the two most common loss vectors: seed phrase theft and single-device compromise. A hardware wallet is still better for long-term cold storage of larger amounts where you want to remove the issuer from the trust equation entirely.
Common Misconceptions
The most persistent myth is that MPC lets the issuer steal your funds. In a 2-of-3 setup, the issuer holds one share and needs your share (or the recovery share) to sign. Without collusion with the recovery service, the issuer cannot move your funds unilaterally.
Another confusion: MPC is not multisig. Multisig requires multiple separate on-chain signatures (expensive gas, visible contract), while MPC produces a single standard-looking signature at normal transaction cost. On the blockchain, an MPC transaction is indistinguishable from a regular single-key transaction.
Overview
MPC splits private key material across multiple parties so that no single compromise can drain your funds. The 2-of-3 architecture used by most crypto cards (Bybit, Ledger CL, white-label providers) balances security with recoverability: any two of three shares can sign, so losing your device or the issuer going offline does not mean losing your funds. MPC produces standard on-chain transactions at normal gas costs, works on every chain, and feels invisible to the user. The tradeoff is trust in the issuer, who holds one share. For daily spending balances, that tradeoff is reasonable. For cold storage of large amounts, hardware wallets remain the better option. Three real-world incidents (Slope, Fireblocks white-hat, social engineering) show that MPC's strength depends entirely on implementation quality.








