LEDGER TRADELINK API Driven Custodian Setup Best-Practices

Ledger Tradelink (“TRADELINK”) is a technology solution that leverages Ledger Enterprise’s governance technology to help support the creation create of customizable trading and settlement networks. While the collateral management and settlement conditions are fully customizable by users, Ledger recommends Custodians implement the following best practices.

Collateral accounts management

The Custodian is responsible for creating and managing the segregated wallet(s) used to store the Client’s collateral.

Ledger recommends creating new dedicated accounts for managing the collateral to ensure the accounts do not contain governance rules that may not align with the settlement management conditions.

For EVM-based collateral accounts, all advanced features, including Smart Contract Interaction, Contract Deployment & Message Signature should be disabled from the beginning on the collateral parent account.

In the case where a previously created account is being repurposed into a TRADELINK collateral account, the Custodian should confirm that no token spending approvals or other on-chain authorizations are currently active which could compromise the security of the collateral. The Custodian can use tools such as https://revoke.cash/ to detect and revoke unnecessary token spending approvals.


The Custodian should implement two separate policies to manage withdrawals on one hand and settlement requests on the other hand. The Custodian should ensure that no other policy unrelated to TRADELINK is implemented which could allow unauthorized transfers of the collateral.

Dedicated withdrawal and settlement whitelists should be added to the two policies to ensure that withdrawal and settlement transactions can only be executed within the set of authorized and trusted addresses.

General governance recommendations are as follows:

For withdrawals:

  • Withdrawal requests can be initiated by the Client through either a PSD or an API account.
  • Withdrawal requests must be pre-approved by the Exchange so that it can verify the withdrawal request matches pre-defined conditions. It also gives the opportunity for the Exchange to update the mirrored collateral before the collateral leaves the account.
  • Finally, the Custodian provides the final approval for the transaction to be signed and broadcasted.

For settlement:

  • Settlement requests can be initiated by the Exchange.
  • The settlement request must be pre-approved by the Client so that they can verify that the settlement amount matches what is expected from their recent trades.
  • Finally, the Custodian provides the final approval when they check that all predefined settlement conditions are met.
  • The number of approvals on the Client and the Custodian to approve the settlement should adhere to the risk controls agreed to by all parties in the settlement agreement.

These transaction policies ensure that no operation can be executed without the agreement of all three parties.

Once transaction policies have been agreed to by all parties and implemented by the Custodian, no edits to the governance rules should be made unless it is requested and accepted by the other parties.

The different parties can set up real-time monitoring of the governance rules to ensure that no unauthorized changes are made by the Custodian.

API access

The Custodian is responsible for creating API user accounts and providing the corresponding credentials to the different TRADELINK participants, especially to the Exchange.

The Custodian should define a process with the other participants to securely transmit API credentials and it is the responsibility of the Exchange to secure API credentials when in use.

Settlement execution

The exchange should implement mechanisms to update the mirrored collateral in real-time and especially to include changes produced by potential withdrawals.

When a withdrawal request is being processed, the exchange should ensure they update the available collateral before approving the request to avoid a time window during which the collateral available on the exchange could be higher than the available collateral held by the custodian.

Data accuracy

Given the decentralized nature of blockchain technology, Ledger does not guarantee that the data provided on the Ledger Vault platform is 100% accurate and perfectly synchronized with the latest state of the blockchain.

Ledger provides functionalities to synchronize account balances with the latest state of the blockchain, but the data should always be verified with external data sources to be validated.

The custodian and exchange should implement verification mechanisms to ensure that the data they use to mirror collateral and execute settlements is correct.

An example of verification would be:

  • Synchronize account using the GET /account/{id}/sync endpoint.
  • Fetch account balance using GET /account/{id}
  • Confirm balance value from other data sources (i.e. blockchain explorers) to detect any discrepancies.


TRADELINK is a technology solution, and not a financial service. Ledger provides TRADELINK with no warranty or guarantee that it will be error-free, accurate or that it will meet your expectations or requirements. Ledger is not responsible for any data provided through TRADELINK and does not express any opinion regarding it. Such data is provided for informational purposes only and without any liability whatsoever to Ledger.

Copyright © Ledger Enterprise Platform 2023. All right reserved.