Spot settlement is how your crypto trade resolves after execution, and custody determines who can actually move the resulting funds. On a centralized exchange, trades settle instantly on an internal ledger while the exchange retains private-key control. When you withdraw to a self-custody wallet, the blockchain records a transfer and key control shifts to you. This guide covers the mechanics of both settlement layers, the real risks of each custody model, withdrawal timing, and how to decide where your holdings belong.
How Spot Settlement Works on an Exchange
Spot settlement on a centralized exchange is an internal database update, not a blockchain transaction. The exchange's matching engine pairs your buy order with a seller's order and instantly adjusts both account balances on its own ledger. No miners validate the trade. No block is produced.
This internal settlement model exists because public blockchains are too slow for active trading. Bitcoin processes roughly 7 transactions per second on its base layer (https://developer.bitcoin.org/devguide/transactions.html). Ethereum handles 15-30 TPS at Layer 1. Exchanges need thousands of order matches per second, so they maintain a private accounting system where trades resolve in milliseconds.
The blockchain becomes relevant at two specific moments: when you deposit crypto into the exchange (an on-chain transaction credits the exchange's wallet), and when you withdraw crypto out of the exchange (an on-chain transaction moves funds to your wallet). Everything between those two events happens off-chain on the exchange's internal infrastructure.
A practical sequence illustrates the split:
Deposit. You send BTC from your wallet to the exchange's deposit address. The Bitcoin network requires 3 confirmations (approximately 30 minutes) before the exchange credits your account.
Credit. The exchange updates your internal balance. Your BTC is now tradable.
Trade. You swap BTC for USDT. The exchange debits one balance and credits another internally. Zero blockchain activity.
Internal transfer. You move USDT from your spot sub-account to your funding sub-account. Still internal, still instant, still free.
Withdraw. You request an on-chain withdrawal. The exchange performs security checks, signs the transaction, and broadcasts it to the network. You wait for confirmations.
Steps 2 through 4 never touch the blockchain. The exchange's ledger is the sole record of those state changes. This is why you can execute dozens of trades per minute without paying network fees on each one.
Exchange Custody: What You Control and What You Do Not
Exchange custody means the platform holds the private keys that authorize on-chain movement of your funds. You access your holdings through a username, password, and two-factor authentication. Your balance is a claim against the exchange, not direct cryptographic control.
Across our platform, the most common custody-related support tickets come from users who expected instant settlement on a withdrawal but did not account for blockchain confirmation times during congested network periods.
When you hold crypto on an exchange, your operational rights include trading, internal transfers between sub-accounts, and requesting withdrawals. Your operational limitations include the inability to sign blockchain transactions yourself, dependence on the exchange remaining solvent, and acceptance that the platform can freeze, delay, or restrict access under its terms of service.
Most exchanges segment your holdings into separate sub-accounts for risk isolation:
Spot wallet for trading operations
Funding wallet for deposits and withdrawals
Futures wallet for margin-isolated derivatives positions
Earn wallet for yield products with potential lockup periods
Transfers between these sub-accounts are database updates. They cost nothing and settle instantly.
The core risk of exchange custody is counterparty exposure. You depend on the platform's security infrastructure, financial solvency, and operational continuity. The Bybit hack of February 2025 demonstrated this concretely: attackers compromised an external wallet interface and redirected approximately 401,000 ETH (roughly $1.5 billion) to wallets under their control (https://www.ic3.gov/psa/2025/psa250226). The FBI attributed the attack to North Korea's Lazarus Group. Bybit remained operational and covered losses through bridge loans, but the event showed that even major exchanges carry non-zero custodial risk regardless of their size.
I keep active trading capital on exchanges and move anything I am not trading within the next 48 hours to cold storage. That split means my exposure to any single platform failure stays limited to whatever I can afford to have frozen for weeks during an incident response.
Beyond hacks, exchange custody carries subtler operational risks: compliance holds that freeze accounts during verification, withdrawal cooldowns triggered by new device logins, batch-processing delays during network congestion, and the possibility of insolvency trapping funds in bankruptcy proceedings.
Self-Custody: Private Keys, Seed Phrases, and What Changes
Self-custody means you hold the private keys that authorize transactions on the blockchain. No intermediary can freeze, delay, or deny your access. No intermediary can recover your keys if you lose them.
A crypto wallet does not store your coins. It stores the private keys that prove to the blockchain you are authorized to move specific funds. The actual assets exist as records on the distributed ledger. Your wallet signs transactions with your private key, and the network validates that signature against the corresponding public address.
Hot wallets (software wallets on phones or computers) keep private keys on internet-connected devices. They offer convenience for regular transactions but expose keys to potential malware, phishing, or device compromise.
Cold wallets (hardware devices like Ledger or Trezor) store private keys on offline chips. Even when plugged into a compromised computer, the keys remain isolated inside the device. Transactions must be physically confirmed on the device itself.
Your seed phrase (12 or 24 words) is the master backup that can regenerate all private keys in your wallet. Losing it means permanent, irreversible loss of access. The minimum backup standard:
At least 3 copies on durable material (metal plates survive fire and water)
Stored in at least 2 separate geographic locations
Never stored digitally (no photos, no cloud drives, no text files)
Never shared with anyone, including anyone claiming to be "support"
The responsibility transfer is absolute. With exchange custody, you can contact support if locked out. With self-custody, there is no support. A lost seed phrase or a wrong-network send results in permanent loss with no recovery path.
Withdrawal Mechanics: Timing, Fees, and Confirmation Requirements
Withdrawing crypto from an exchange is the moment custody physically transfers from the platform to you. Understanding the delays prevents panic when your transaction does not arrive instantly.
A withdrawal passes through multiple stages, each adding potential delay:
Request submitted. Your withdrawal enters the exchange's processing queue.
Risk review. Automated systems check for unusual patterns: new device, new withdrawal address, amount exceeding your typical behavior. This stage can add minutes to hours depending on your account history and the exchange's thresholds.
Batch processing. Many exchanges group multiple user withdrawals into a single on-chain transaction to reduce aggregate network fees. Batching intervals vary, but 15-60 minutes is common during normal operations.
Transaction broadcast. The exchange signs and sends the transaction to the blockchain network.
Network confirmation. The blockchain processes and confirms the transaction. Required confirmations vary by network:
Bitcoin: 3-6 confirmations (30-60 minutes typical) (https://www.blockchain.com/charts/avg-confirmation-time)
Ethereum: 12-30 confirmations (3-7 minutes under normal conditions)
Solana, Avalanche, and similar high-throughput chains: seconds to low single-digit minutes
Fee structure. You pay two costs on withdrawal: the network fee (paid to validators/miners, determined by network congestion) and the exchange withdrawal fee (a fixed or percentage charge for the service). Internal transfers between your own sub-accounts cost nothing because they never touch the blockchain.
During high network congestion, Bitcoin fees can spike from under $2 to over $50. Checking current fee conditions before initiating a withdrawal prevents overpaying or experiencing excessive delays (https://mempool.space/).
Choosing Between Exchange and Self-Custody
The right custody choice depends on your situation, not a universal rule. Both options carry risk. They carry different kinds of risk.
Exchange custody fits when:
You trade frequently and need instant execution
Amounts are small relative to your financial situation
You need integrated features like limit orders, earn products, or fiat on-ramps
You prefer delegating key management to a platform with security infrastructure
Self-custody fits when:
Holdings are significant to your financial situation
Your time horizon is months or years
You can maintain seed phrase backups reliably
You want to eliminate counterparty risk entirely
You accept full responsibility for errors being irreversible
The practical hybrid approach. Most experienced users keep working capital on exchanges for active spot trading and withdraw profits or long-term holdings to self-custody. The exchange handles convenience and speed. The wallet handles security and sovereignty.
A natural progression for beginners:
Start with exchange custody while learning order types and market mechanics
Withdraw a small amount to a software wallet (hot wallet) for practice
Move significant long-term holdings to a hardware wallet (cold storage)
Consider advanced setups (multisig, multiple networks) as knowledge grows
Before any withdrawal to a new address, send a small test transaction first. Verify receipt in a blockchain explorer. Confirm the network selection matches on both sides. Only then move larger amounts.
Common Withdrawal Problems and How to Resolve Them
Beginners frequently encounter withdrawal states that look like errors but reflect normal exchange operations. Understanding what each means eliminates unnecessary panic.
"Pending" status for extended periods. Exchanges batch withdrawals at intervals. Your transaction may be queued behind others. Risk-review systems can also hold transactions for new addresses or amounts outside your usual pattern. Wait at least 30 minutes before investigating further.
Deposit not showing after sending. Check the transaction on a blockchain explorer using your TXID. If the explorer shows confirmations but the exchange has not credited you, the exchange likely requires more confirmations than have elapsed. If the explorer shows no confirmations, network congestion or a low fee may be delaying processing.
"Available" balance lower than "Total" balance. Funds committed to open limit orders, locked in earn products, or held for pending withdrawals move from "available" to other categories. Cancel open orders to free funds if needed.
Wrong network send. If you send tokens on one network (e.g., Ethereum) to an address on an incompatible network (e.g., BNB Chain), the funds are typically unrecoverable. Some exchanges can recover cross-chain deposits for supported networks, but this is not guaranteed and usually involves a fee. Always verify network selection before confirming.
Clipboard malware replacing addresses. Malware exists that monitors your clipboard and substitutes crypto addresses with attacker-controlled addresses (https://www.chainalysis.com/blog/bybit-exchange-hack-february-2025-crypto-security-dprk/). After pasting any address, verify at minimum the first 6 and last 6 characters match what you copied.
Security Practices for Each Custody Model
Exchange accounts and self-custody wallets face different threat types. Secure each according to its specific attack surface.
Exchange account security:
Enable authenticator-app 2FA (not SMS, which is vulnerable to SIM swapping)
Activate withdrawal address whitelist with a waiting period for new addresses
Set an anti-phishing code so you can identify legitimate exchange emails
Use a unique, strong password not shared with any other service
Review login history and connected devices regularly
Self-custody wallet security:
Download wallet software only from official sources; verify developer signatures
Seed phrase stored on durable material in multiple locations, never digitally
Test full recovery from seed phrase before storing significant value
Keep firmware updated on hardware wallets
Assume anyone asking for your seed phrase is an attacker, regardless of context
The highest single-impact action for exchange security: withdrawal whitelist. Even if an attacker gains full account access, they cannot withdraw to an unwhitelisted address without waiting through the cooldown period.
The highest single-impact action for self-custody: proper seed phrase backup. Every other security measure is secondary if the backup is lost, stolen, or stored on a hackable device.
Frequently Asked Questions
Does a blockchain transaction happen when I buy crypto on a spot exchange?
No. When you execute a spot trade on a centralized exchange, the matching engine updates the exchange's internal ledger. No on-chain transaction occurs. The blockchain is only involved when you deposit crypto into the exchange or withdraw crypto out to your own wallet. Internal trading, sub-account transfers, and balance updates all happen off-chain.
What does "not your keys, not your coins" actually mean in practice?
It means that if you do not control the private keys authorizing movement of funds on the blockchain, your access depends on a third party. On an exchange, your balance is a claim, not direct control. The exchange can freeze accounts, impose withdrawal delays, or become insolvent. Self-custody removes that intermediary, but transfers all responsibility for security and recovery to you.
How long does a typical exchange withdrawal take from request to confirmed receipt?
Total time depends on three stages: exchange processing (risk checks and batching, typically 5-60 minutes), transaction broadcast, and network confirmation. Bitcoin requires 3-6 confirmations taking 30-60 minutes. Ethereum needs 12-30 confirmations taking 3-7 minutes. High-throughput chains like Solana confirm in seconds. During heavy congestion, any stage can take longer.
Can an exchange freeze my funds even if I did nothing wrong?
Yes. Exchanges operate under regulatory obligations that can trigger compliance holds during routine verification processes. New device logins, large withdrawals, or geographic restrictions can also lock accounts temporarily. This is a normal, if inconvenient, aspect of exchange custody. It represents the trade-off between convenience and the counterparty risk inherent in delegating key control.
What happens if I send crypto to the wrong address or wrong network?
If you send to a valid address on the correct network that you do not control, recovery depends entirely on the recipient's cooperation. If you send on the wrong network (e.g., ERC-20 tokens to a BNB Chain address), funds may be permanently lost. Some exchanges can recover cross-chain deposits for supported networks, but this is not guaranteed. Blockchain transactions have no undo function. Always verify network and address before confirming any withdrawal.
---
Researched and written by the Blofin Academy editorial team with AI-assisted drafting. Primary sources include BloFin exchange documentation (deposit and withdrawal mechanics, sub-account structure); Investor.gov SEC bulletin on crypto custody basics for retail investors (2025); FBI IC3 public service announcement PSA250226 on Bybit exchange compromise; blockchain.com confirmation-time charts. All facts independently verified against cited documentation current as of April 2026.
This article is for informational purposes only and does not constitute financial advice. Cryptocurrency trading involves substantial risk of loss. Past performance does not guarantee future results. Always conduct your own research and consider your financial situation before trading. BloFin does not guarantee the accuracy of third-party data referenced herein.