The Cold Wallet Dilemma: Security vs. Customer Experience
What really happens when you hit “withdraw” on a crypto exchange, and why the engineering that keeps your funds safe is the same engineering that sometimes makes you wait.
Your crypto isn’t where you think it is
When you deposit Bitcoin into a crypto exchange, it doesn't sit in a wallet with your name on it. It lands in an exchange-controlled address that feeds the hot wallet, and from there the exchange sweeps it into something called a cold wallet: an offline vault whose signing keys live on machines with no connection to the internet, air-gapped from the outside world.
Think of it like a bank with two accounts:
The cold wallet is your savings account: large, secure, rarely touched, with keys split across multiple custodians so no single person can ever access the funds alone. Its keys never touch an online system.
The hot wallet is your checking account: smaller, always online, used for the day-to-day business of serving customer withdrawals.
At most well-run exchanges, more than 99.5% of customer funds sit in cold storage at any given moment. The small fraction in the hot wallet is what serves every single withdrawal on the platform.
The balancing act behind every withdrawal
Exchanges set a hot wallet limit: the maximum dollar value they are willing to hold online at any moment. This is a risk decision made at the company level. If a hot wallet is breached, those funds are gone. The limit is the ceiling of that loss.
That limit covers hundreds of assets simultaneously: Bitcoin, Ethereum, XRP, USDC, USDT, and more. The combined value of all of them cannot exceed the limit at any point in time.
Three things can push the hot wallet over that limit, each requiring a sweep back to cold storage:
Bitcoin rises 20% overnight. You haven't moved a single coin, but your hot wallet is suddenly worth more than the limit. Excess must be swept immediately.
Thousands of customers deposit funds simultaneously. Every deposit lands in the hot wallet first. As inflows accelerate, the hot wallet balance climbs toward and past the limit. Those funds must be swept to cold storage continuously.
Sometimes when pulling funds from a cold wallet address, that address holds more than you needed. On UTXO chains such as Bitcoin an unspent output has to be spent in full, so if you needed $20M but the address held $50M, the full $50M moves to the hot wallet unless the signing ceremony routes the change straight to a fresh cold address. The $30M excess must then be swept back to a different cold wallet address.
The reverse also happens. When withdrawals drain an asset below safe levels, funds must move from cold storage back into the hot wallet. This is called a restore. Two directions, constant motion, all while the exchange stays live and customers feel nothing.
The threshold problem nobody talks about
Here is the mistake people assume exchanges make: wait until the hot wallet is empty before restoring, or wait until it is full before sweeping.
That is already too late.
By the time a hot wallet hits its minimum, customer withdrawals are already queued and waiting. Cold-to-hot restores are not instant. They require coordination and orchestration across multiple parties before a single transaction can be signed and broadcast. That process takes time by design, because the security of the cold wallet depends on it.
The right design uses three reference points for each asset: a minimum, a target, and a maximum. One critical operating principle: act at the threshold, not at the boundary.
If your minimum is $200M and your maximum is $800M, you begin your restore process when the balance hits $400M, not $200M. The gap between threshold and boundary is sized to cover what withdrawals will burn during the time a restore actually takes, with margin. The funds arrive before the shortage is felt. The customer never waits.
This is the difference between proactive and reactive liquidity management. It is also the difference between a smooth experience and a platform that goes quiet during market volatility.
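The three reference points above, plus the two sweep triggers from the previous section (a price move and a surge of deposits) and the single company-level limit, fit in one small planner. The following is an added example written for this page, not the exchange's or the author's code: every policy band, price and balance in it is constructed, the $900M global limit is hypothetical, and the `restore_threshold` helper (threshold = boundary plus what you burn during the restore lead time, times a safety factor) is one reasonable way to pick the threshold, not a method the post prescribes.

```python
# Added illustration: a threshold-driven hot-wallet rebalancer. Not the exchange's
# code; every policy number, price and balance below is constructed.
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, List


@dataclass(frozen=True)
class AssetPolicy:
    """Reference points for one asset's hot-wallet allocation, all in USD."""
    minimum: Decimal     # boundary: at or below this, withdrawals are already stalling
    restore_at: Decimal  # threshold: start a cold-to-hot restore here, not at minimum
    target: Decimal      # balance a restore or sweep brings the asset back to
    sweep_at: Decimal    # threshold: start a hot-to-cold sweep here, not at maximum
    maximum: Decimal     # boundary: hard ceiling on this asset's online exposure


@dataclass(frozen=True)
class Action:
    asset: str
    direction: str        # "restore" (cold -> hot) or "sweep" (hot -> cold)
    amount_usd: Decimal
    amount_native: Decimal
    reason: str


def restore_threshold(minimum, peak_burn_usd_per_minute, restore_lead_minutes,
                      safety_factor=Decimal("1.5")):
    """Derive restore_at from drain rate and restore lead time (hypothetical rule):
    the threshold sits above the boundary by what you expect to burn while the
    multi-party signing and broadcast are still in flight, times a safety margin."""
    return minimum + peak_burn_usd_per_minute * restore_lead_minutes * safety_factor


def validate(policies: Dict[str, AssetPolicy], global_limit_usd) -> None:
    """Reject bands that act at the boundary or that can never fit under the ceiling."""
    for asset, p in policies.items():
        if not (p.minimum < p.restore_at < p.target < p.sweep_at < p.maximum):
            raise ValueError(f"{asset}: reference points must be strictly increasing")
    if sum(p.target for p in policies.values()) > global_limit_usd:
        raise ValueError("sum of per-asset targets exceeds the global hot-wallet limit")


def plan_rebalance(balances_native, prices_usd, policies, global_limit_usd) -> List[Action]:
    """Return the sweeps and restores needed right now, per asset and for the ceiling."""
    validate(policies, global_limit_usd)
    actions: List[Action] = []
    # Mark every asset to market: the same coin count crosses a USD threshold
    # when the price moves, with no transaction having happened.
    value = {a: balances_native[a] * prices_usd[a] for a in policies}

    # Pass 1: per-asset thresholds. Acting at restore_at / sweep_at instead of
    # minimum / maximum, and always returning to target, gives hysteresis so a
    # balance hovering near one line does not trigger a restore and a sweep in turn.
    for asset, p in policies.items():
        v = value[asset]
        if v <= p.restore_at:
            delta = p.target - v
            actions.append(Action(asset, "restore", delta, delta / prices_usd[asset],
                                  f"{asset} at {v} USD is at or below restore threshold {p.restore_at}"))
            value[asset] = p.target
        elif v >= p.sweep_at:
            delta = v - p.target
            actions.append(Action(asset, "sweep", delta, delta / prices_usd[asset],
                                  f"{asset} at {v} USD is at or above sweep threshold {p.sweep_at}"))
            value[asset] = p.target

    # Pass 2: the combined online value is the one loss the exchange has agreed to
    # absorb. Shave any excess from assets sitting above their target, largest
    # headroom first; validate() guaranteed that this headroom always suffices.
    excess = sum(value.values()) - global_limit_usd
    for asset in sorted(policies, key=lambda a: value[a] - policies[a].target, reverse=True):
        headroom = value[asset] - policies[asset].target
        if excess <= 0 or headroom <= 0:
            break
        take = min(headroom, excess)
        actions.append(Action(asset, "sweep", take, take / prices_usd[asset],
                              f"combined hot value exceeds global limit by {excess} USD"))
        value[asset] -= take
        excess -= take
    return actions


# Constructed policy: the post's $200M / $800M BTC band plus two smaller assets,
# under a hypothetical $900M global limit. Not real exchange numbers.
POLICIES = {
    "BTC": AssetPolicy(Decimal(200_000_000), Decimal(400_000_000), Decimal(550_000_000),
                       Decimal(700_000_000), Decimal(800_000_000)),
    "ETH": AssetPolicy(Decimal(50_000_000), Decimal(100_000_000), Decimal(150_000_000),
                       Decimal(200_000_000), Decimal(250_000_000)),
    "USDC": AssetPolicy(Decimal(20_000_000), Decimal(40_000_000), Decimal(60_000_000),
                        Decimal(80_000_000), Decimal(100_000_000)),
}
GLOBAL_LIMIT_USD = Decimal(900_000_000)
PRICES_USD = {"BTC": Decimal(100_000), "ETH": Decimal(3_000), "USDC": Decimal(1)}

if __name__ == "__main__":
    # Withdrawal wave: BTC falls to $390M, under the $400M threshold, so a restore
    # starts while $190M of runway still sits above the $200M minimum.
    wave = {"BTC": Decimal(3_900), "ETH": Decimal(60_000), "USDC": Decimal(70_000_000)}
    # Same coins, BTC +20%: nothing moved, yet the allocation is now past sweep_at.
    holdings = {"BTC": Decimal(6_500), "ETH": Decimal(65_000), "USDC": Decimal(75_000_000)}
    rally = dict(PRICES_USD, BTC=Decimal(120_000))
    for name, bal, px in (("wave", wave, PRICES_USD), ("rally", holdings, rally),
                          ("ceiling", holdings, PRICES_USD)):
        for act in plan_rebalance(bal, px, POLICIES, GLOBAL_LIMIT_USD):
            print(f"[{name}] {act.direction} {act.amount_native} {act.asset}: {act.reason}")
```

The three constructed scenarios show the three triggers: a withdrawal wave restores BTC to target while it is still $190M above the minimum; a 20% BTC rally with no coins moved pushes the BTC allocation over its sweep threshold; and a mix in which every asset is inside its own band still breaches the global limit, so the planner sweeps from the asset with the most headroom above target. Restores and sweeps always land on `target`, never on the line that triggered them, which is what keeps a balance from oscillating between the two.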
Why exchanges go silent during volatility
Here is what actually happens when market volatility triggers a wave of simultaneous withdrawals:
1. Large numbers of customers try to withdraw at the same time.
2. The hot wallet drains rapidly across multiple assets simultaneously.
3. The exchange triggers restores on several assets at once.
4. Restore transactions compete for block space alongside customer withdrawals.
5. Customers experience delays.
What the customer sees: “Why is my withdrawal taking so long? Are my funds safe?”
What is actually happening: a security-first restore process that exists precisely to protect those funds.
So how hard is this problem, really?
Think about your local bank branch. If you walk in and ask for $1,000, the teller handles it from the till immediately. If 1,000 customers each walk in and ask for $1,000, same thing. The branch holds enough cash for routine daily demand.
Now change one variable. Those same 1,000 customers each ask for $1,000,000.
The branch does not hold that kind of cash on the floor. Someone has to contact the central vault, verify the request, coordinate the release, and physically move the hard cash to the branch before a single customer can be served. That is a slow, deliberate, coordinated process. Every dollar is accounted for and completely safe. But it still takes time.
Now take that problem and move it into crypto. You are no longer dealing with one currency. You have hundreds of assets across multiple blockchain networks. Each asset has its own hot wallet allocation. Each allocation has its own threshold. And all of it sums to one risk ceiling the exchange has decided it can absorb.
Every asset, every network, every price movement, every customer withdrawal. All balanced against that single value simultaneously. In a traditional bank, this is already a hard problem. In a crypto exchange with hundreds of assets, multiple blockchains, and a live market moving beneath you every second, it is an engineering challenge of an entirely different order.
How would you even begin to design the algorithm that keeps all of this balanced, invisible, and real-time?
That is liquidity management at a major centralized exchange. The zero-sum balancing act at its core, how it works, how it is designed, and what it takes to make it invisible to the customer, is exactly what the next post in this series breaks down.
Next in the series: The zero-sum balancing act: how exchanges manage hundreds of assets against a single risk ceiling in real time, with diagrams showing the mechanics behind the algorithm that keeps your funds moving.
Engineering leader with 15 years leading engineering organizations across blockchain, digital health, and media platforms.
