
Exchange Custody: How CEX Wallets Actually Store Your Crypto in 2026

BloFin Academy, 06/22/2026

Exchange custody is the operator-side architecture every centralized crypto exchange runs to hold customer funds: a multi-tier wallet stack with the bulk of assets in geographically distributed cold storage, a smaller balance in a warm-tier signing layer, and the smallest fraction in hot wallets that process daily withdrawals. That architecture is what determines whether a balance sitting on an exchange is safe in practice.

This article walks through the CEX-custody framework as a counterpart to the trading-side companion piece on crypto spot settlement and custody, which covers settlement timing and trade matching (T+0 and T+1 settlement on a CEX, internal-versus-on-chain trade matching, market-maker custody flow, spot-versus-futures margin custody, copy-trading custody). The scope here is the wallet architecture itself: the cold-warm-hot tiers and the ratios operators target, chain-by-chain deposit-address derivation, the omnibus account model, the HSM and MPC infrastructure that signs cold-storage transfers, the withdrawal-queue and refilling cadence, the breaches that shaped today's defaults, and the framework a sophisticated user should apply to any CEX in 2026.


What is exchange custody, and how does a CEX actually store your funds?

Exchange custody is operator-side custody of digital assets by a centralized exchange that holds customer funds in a mix of cold, warm, and hot wallets, with per-customer balances tracked on an internal ledger and on-chain holdings reconciled against it on a defined cadence. The architecture is structurally different from retail self-custody on the comparing wallet security models synthesis grid: the user does not hold the keys, the exchange does, and the trust boundary sits on the operator's signing infrastructure.

The lay phrase "not your keys, not your crypto" is the user-side reading of this. From the operator side, the exchange runs a custody operation at scale with the same fiduciary obligations any custodian carries (segregation, signing-flow controls, audit cadence), but without the trust-charter wrapper a qualified custodian operates under per the institutional crypto custody framework. The balance on the trading screen is a number on the internal ledger, backed by on-chain holdings in addresses the exchange controls.

The architectural question is how the exchange protects those holdings against the threats that map to a custody operation at scale: external compromise (Mt. Gox 2014), commingling with operating capital (FTX November 2022), and signing-interface compromise even on cold infrastructure (Bybit February 21 2025). The cold-warm-hot tier stack is the primary defense; deposit-address derivation, the signing infrastructure, the withdrawal queue, and the audit and insurance posture are the layers around it.


What are the cold, warm, and hot wallet tiers, and what ratios do exchanges target?

Centralized exchanges hold customer assets in three operational tiers. Cold wallets hold the bulk of assets in offline signing infrastructure, with private-key material in hardware security modules or MPC key shares distributed across geographically separated parties. Warm wallets hold a working balance used to refill the hot tier on a defined cadence, with multi-party policy controls on every refill. Hot wallets hold the smallest fraction, sufficient to process daily withdrawal volume, with signing automated under policy controls and rate limits.

Named operators sit at the cold-heavy end. Coinbase discloses approximately 98 percent of customer crypto in offline cold storage, geographically distributed, with less than 2 percent in hot wallets, and carries a $320 million commercial-crime insurance policy on the hot-wallet pool. Coinbase's own behind-the-scenes custody-transfer disclosure defines truly cold storage as requiring multiple geographically separated humans to perform physical actions and review transaction details before signing. Kraken and Gemini operate similar ratios with their own cold-storage and Proof-of-Reserves disclosures. The cold-heavy posture is the institutional baseline in 2026; an operator materially below it is signalling a different risk profile.

The reserve-fund layer sits above the tiers as the residual-loss backstop. Binance maintains the Secure Asset Fund for Users (SAFU), with a value of approximately $1 billion that Binance converted entirely from stablecoin reserves into approximately 15,000 BTC in February 2026, with a stated floor commitment to replenish if the value falls below $800 million. The fund covers user losses once any insurance and in-tier recovery is exhausted; its size relative to customer balances is the rough measure of how much loss the operator absorbs on its own balance sheet. The Bybit February 21 2025 cold-wallet exploit at approximately $1.46 billion is the recent counter-example to the assumption that a cold-wallet label means unhackable; the exploit was at the signing-interface layer (covered in the breaches section below).

Cold / warm / hot ratio comparison across named exchanges. Disclosed wallet-tier ratios and Proof-of-Reserves cadence for the five most-cited CEX operators. Disclosures vary in granularity; the column notes flag where the operator publishes a precise number versus a qualitative posture.

| Exchange | Disclosed cold ratio | Warm / hot ratio | Proof-of-Reserves cadence | Reserve fund | Primary disclosure |
| --- | --- | --- | --- | --- | --- |
| Coinbase | ~98% cold storage (geographically distributed) | <2% hot wallet | Audited financial statements as public US company; SOC 1 + SOC 2 Type 2 | $320M crime insurance on hot-wallet pool | Coinbase custody disclosure |
| Kraken | ~95% cold storage per disclosure | ~5% combined warm + hot | Semi-annual (twice-yearly) PoR via Armanino LLP (TrustExplorer), Merkle-tree user verification | Self-insurance via parent balance sheet | Kraken Proof of Reserves |
| Gemini | Majority cold storage (specific ratio not publicly itemised) | Operational tier policy-controlled | SOC 2 Type 2 audited annually; PoR via Deloitte historically | NY DFS trust capital + commercial insurance | Gemini security page |
| Bybit | Cold-storage majority per disclosure (post-Feb 2025 incident) | Hot tier reduced after Feb 21 2025 exploit; refilling cadence tightened | Monthly Merkle-tree PoR | Reserve fund commitments per incident update | Bybit Proof of Reserves |
| Binance | Cold-storage majority per disclosure | Hot tier sized to daily withdrawal volume | Monthly Merkle-tree PoR with zk-SNARK extension (since Feb 2023) | SAFU ~$1B (15,000 BTC since Feb 2026), $800M floor commitment | Binance Proof of Reserves |

The matrix sorts roughly by disclosure granularity, with Coinbase's audited public-company filings at one end and Bybit's post-incident tightened-cadence at the other. The cold ratio alone is a weak signal without the disclosure layer; a 98% cold-storage claim without PoR cadence is operator promise rather than verifiable structure, and the Bybit precedent shows that even disclosed cold-storage architecture fails at the signing-interface layer if the cold-tier signing flow is compromised.
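What "Merkle-tree user verification" in the table means in practice, as an added example that is not any exchange's code: the operator commits every customer balance into a Merkle sum tree, publishes the root (hash plus summed liabilities), and hands each customer a private inclusion proof. The customer recomputes the path to the root from their own leaf; anyone can then compare the published liabilities against on-chain reserves. The hash layout, the domain-separation prefixes, the padding node for odd levels and the sample balances are assumptions chosen for this example, and the non-negative-leaf check is a known requirement of sum trees (a negative leaf would let an operator cancel out liabilities).

```python
"""Merkle sum-tree Proof-of-Reserves liability commitment (added example).
Each node carries (hash, summed balance); a proof reveals only the sibling
nodes on the path, not other customers' identities."""
import hashlib
from typing import Dict, List, Tuple

Node = Tuple[bytes, int]          # (hash, summed balance under this node)

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

# Padding node for odd levels: hashes to a fixed value and adds nothing to the sum.
# (Duplicating the last real node instead would double-count its balance.)
EMPTY: Node = (_h(b"\x02"), 0)

def leaf(user_id: str, balance_sats: int, salt: bytes) -> Node:
    # Leaf = H(0x00 || user_id || balance || per-user salt); the salt is handed
    # to the user privately so leaves cannot be brute-forced from the public tree.
    if balance_sats < 0:
        raise ValueError("negative leaves would let an operator hide liabilities")
    h = _h(b"\x00" + user_id.encode() + balance_sats.to_bytes(8, "big") + salt)
    return (h, balance_sats)

def parent(left: Node, right: Node) -> Node:
    # Internal node = H(0x01 || sum || left.hash || right.hash); the sum is inside
    # the hash, so a proof that verifies also verifies the liabilities total.
    total = left[1] + right[1]
    return (_h(b"\x01" + total.to_bytes(8, "big") + left[0] + right[0]), total)

def build_tree(leaves: List[Node]) -> List[List[Node]]:
    """All levels, leaves first, root last."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2:
            cur = cur + [EMPTY]
        levels.append([parent(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels

def inclusion_proof(levels: List[List[Node]], index: int) -> List[Tuple[Node, str]]:
    """Sibling nodes from the leaf up to the root, each tagged with its side."""
    proof = []
    for level in levels[:-1]:
        if len(level) % 2:
            level = level + [EMPTY]
        sib = index ^ 1
        proof.append((level[sib], "L" if sib < index else "R"))
        index //= 2
    return proof

def verify_inclusion(my_leaf: Node, proof: List[Tuple[Node, str]], root: Node) -> bool:
    """Customer-side check: recompute the root from my leaf and the proof."""
    cur = my_leaf
    for sib, side in proof:
        cur = parent(sib, cur) if side == "L" else parent(cur, sib)
    return cur == root            # compares both the hash and the liabilities total

def publish_attestation(balances: Dict[str, int], salts: Dict[str, bytes]):
    """Operator side: returns the public root and one private proof per customer."""
    users = sorted(balances)
    levels = build_tree([leaf(u, balances[u], salts[u]) for u in users])
    root = levels[-1][0]
    return root, {u: inclusion_proof(levels, i) for i, u in enumerate(users)}

def reserves_cover(onchain_sats: int, root: Node) -> bool:
    """Public check: on-chain holdings must cover the liabilities committed in the root."""
    return onchain_sats >= root[1]

# Constructed sample data for the example (not real customer balances).
SAMPLE_BALANCES = {"alice": 150_000_000, "bob": 3_000, "carol": 4_200_000_000}
SAMPLE_SALTS = {u: _h(b"constructed-salt:" + u.encode()) for u in SAMPLE_BALANCES}

if __name__ == "__main__":
    root, proofs = publish_attestation(SAMPLE_BALANCES, SAMPLE_SALTS)
    mine = leaf("alice", 150_000_000, SAMPLE_SALTS["alice"])
    print("alice included:", verify_inclusion(mine, proofs["alice"], root))
    print("liabilities committed:", root[1], "sats")
```

The root proves that a specific liabilities total was committed and that each customer who checks was counted in it; it says nothing about whether the operator actually holds the reserves, which is the separate on-chain comparison `reserves_cover` performs against addresses the operator has proven it controls. The zk-SNARK extension in the Binance row is a way to let customers verify the same inclusion and non-negativity properties without the tree itself being published.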


How do exchanges generate deposit addresses, and what is the omnibus-account model?

A CEX deposit address is the on-chain endpoint where the exchange receives a customer's deposit, derived under chain-specific patterns across its multi chain wallet security surface. The operator's choice determines whether each customer sees a fresh address or shares one with the customer base.

On Bitcoin, the standard pattern is BIP32 hierarchical-deterministic derivation: each customer is assigned a fresh address from a branch of the exchange's BIP32 tree (non-hardened children can be derived from the extended public key alone, so the server that issues addresses needs no private key), and funds at per-customer addresses are swept on a cadence to consolidated cold-storage destinations. On EVM chains (Ethereum, BNB Chain, Polygon, L2s), the pattern is one of three: per-customer EVM addresses with periodic sweeping (clean for users, gas-expensive at scale because every sweep is its own transaction), a single shared deposit address with an identifying memo or tag (operationally simpler, but the EVM has no native memo field and a deposit that arrives without the tag cannot be credited automatically), or an Account-Abstraction smart-contract deposit with per-customer routing enforced on-chain. On chains with native memo support (XRP, Stellar, Cosmos zones), the memo-based shared-address pattern dominates; without it, per-customer addresses with sweeping are more common.
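The Bitcoin pattern above, as an added example that is not any exchange's code: a watch-only deposit service holds only an account-level extended public key, derives a fresh child key per customer with BIP32 public child derivation (CKDpub, external chain 0 in the BIP44 layout), and maps an observed deposit back to its owner by the key it landed on. The secp256k1 arithmetic is a minimal pure-Python version written for this example, the "account key" is constructed from a fixed demo seed (a real operator's private material stays offline), and the compressed public key hex stands in for the chain-specific address encoding (P2WPKH/bech32), which is omitted; the `DepositKeyRegistry` class is hypothetical.

```python
"""Per-customer deposit-key derivation from a watch-only BIP32 account key
(added example). The issuing server never holds a private key."""
import hashlib
import hmac

# secp256k1 parameters
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(p, q):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p == q:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, p):
    """Double-and-add scalar multiplication (not constant-time; only public data here)."""
    r = None
    while k:
        if k & 1:
            r = ec_add(r, p)
        p = ec_add(p, p)
        k >>= 1
    return r

def on_curve(p) -> bool:
    x, y = p
    return (y * y - x * x * x - 7) % P == 0

def compress(p) -> bytes:
    x, y = p
    return (b"\x02" if y % 2 == 0 else b"\x03") + x.to_bytes(32, "big")

def decompress(sec: bytes):
    x = int.from_bytes(sec[1:], "big")
    y = pow((x * x * x + 7) % P, (P + 1) // 4, P)   # valid because P % 4 == 3
    if (y % 2 == 0) != (sec[0] == 2):
        y = P - y
    return (x, y)

def ckd_pub(parent_pub: bytes, chain_code: bytes, index: int):
    """BIP32 CKDpub: non-hardened child public key and chain code from the parent's."""
    if index >= 1 << 31:
        raise ValueError("hardened children cannot be derived from a public key")
    i = hmac.new(chain_code, parent_pub + index.to_bytes(4, "big"), hashlib.sha512).digest()
    il = int.from_bytes(i[:32], "big")
    if il >= N:
        raise ValueError("invalid child; BIP32 says skip to the next index")
    child = ec_add(ec_mul(il, G), decompress(parent_pub))
    if child is None:
        raise ValueError("invalid child; BIP32 says skip to the next index")
    return compress(child), i[32:]

class DepositKeyRegistry:
    """Online, watch-only: issues a fresh deposit key per customer and maps deposits back."""
    def __init__(self, account_pub: bytes, account_chain: bytes):
        # External (receiving) chain = child 0 of the account key, derived once.
        self.ext_pub, self.ext_chain = ckd_pub(account_pub, account_chain, 0)
        self.next_index = 0
        self.owner_by_key = {}

    def assign(self, customer_id: str) -> str:
        key, _ = ckd_pub(self.ext_pub, self.ext_chain, self.next_index)
        self.next_index += 1
        self.owner_by_key[key.hex()] = customer_id
        return key.hex()

    def credit(self, dest_key_hex: str, amount_sats: int):
        """Resolve an observed deposit to its owner for the ledger credit; unknown
        destinations are returned as None so they go to manual reconciliation."""
        owner = self.owner_by_key.get(dest_key_hex)
        return None if owner is None else (owner, amount_sats)

# Constructed demo account key (the private scalar exists here only to build the xpub).
_DEMO_PRIV = int.from_bytes(hashlib.sha256(b"constructed demo account seed").digest(), "big") % N
DEMO_ACCOUNT_PUB = compress(ec_mul(_DEMO_PRIV, G))
DEMO_ACCOUNT_CHAIN = hashlib.sha256(b"constructed demo chain code").digest()

if __name__ == "__main__":
    reg = DepositKeyRegistry(DEMO_ACCOUNT_PUB, DEMO_ACCOUNT_CHAIN)
    a = reg.assign("alice")
    print("alice deposit key:", a)
    print("credit:", reg.credit(a, 50_000))
```

Two properties matter operationally: derivation is deterministic, so a second service instance (or the offline signer) derives the same keys from the same xpub, and a deposit to a key the registry never issued is never auto-credited. The flip side of non-hardened derivation is that an xpub plus any one leaked child private key recovers the whole branch, which is why the account-level private key and the xpub itself are treated as sensitive even though the xpub cannot spend.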

The omnibus-account model is the operator-side structure that holds those deposits in a single pool of consolidated on-chain accounts, with per-customer balances tracked on the internal ledger rather than on-chain. When a customer trades, the trade settles as an internal-ledger update; on-chain holdings do not move per trade. When the customer withdraws, the ledger debits the balance and the on-chain holdings are reduced as the withdrawal is broadcast. The omnibus pattern lets the exchange process matching-engine volume at speeds the underlying chains cannot support; the trade-off is that the per-customer balance is only as good as the operator's internal-ledger integrity and the on-chain reconciliation cadence.
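The omnibus model as code, an added example that is not any exchange's code: an internal ledger keyed by customer, on-chain tallies keyed by tier, trades that touch only the ledger, withdrawals that debit both, tier movements (sweeps, refills) that touch only the chain, and a reconciliation that checks on-chain reserves still cover ledger liabilities. Tier names, the amounts and the reconciliation rule are assumptions for the example; `operator_transfer_out` is deliberately allowed by the code so that `reconcile()` is what exposes the commingling failure the FTX section below describes.

```python
"""Omnibus-account ledger with on-chain reconciliation (added example)."""
from collections import defaultdict

class OmnibusLedger:
    def __init__(self, onchain: dict):
        self.onchain = dict(onchain)         # per-tier on-chain tallies, e.g. {"cold": 0, "warm": 0, "hot": 0}
        self.balances = defaultdict(int)     # customer -> internal-ledger balance (sats)
        self.journal = []                    # append-only audit trail of every movement

    def deposit(self, customer: str, amount: int, tier: str = "hot") -> None:
        """A deposit raises the customer's ledger balance and the on-chain tally it landed in."""
        self.balances[customer] += amount
        self.onchain[tier] += amount
        self.journal.append(("deposit", customer, amount, tier))

    def trade(self, seller: str, buyer: str, amount: int) -> None:
        """Internal settlement: the ledger moves, the chain does not."""
        if self.balances[seller] < amount:
            raise ValueError("insufficient balance")
        self.balances[seller] -= amount
        self.balances[buyer] += amount
        self.journal.append(("trade", seller, buyer, amount))

    def sweep(self, src: str, dst: str, amount: int) -> None:
        """Tier movement (hot-to-cold sweep, warm-to-hot refill): chain moves, ledger does not."""
        if self.onchain[src] < amount:
            raise ValueError("tier underfunded")
        self.onchain[src] -= amount
        self.onchain[dst] += amount
        self.journal.append(("sweep", src, dst, amount))

    def can_withdraw_now(self, customer: str, amount: int) -> bool:
        return self.balances[customer] >= amount and self.onchain["hot"] >= amount

    def withdraw(self, customer: str, amount: int) -> None:
        """Ledger debit plus on-chain debit from the hot tier (the withdrawal broadcast)."""
        if self.balances[customer] < amount:
            raise ValueError("insufficient balance")
        if self.onchain["hot"] < amount:
            raise RuntimeError("hot tier below withdrawal amount; refill pending")
        self.balances[customer] -= amount
        self.onchain["hot"] -= amount
        self.journal.append(("withdraw", customer, amount))

    def operator_transfer_out(self, tier: str, amount: int, purpose: str) -> None:
        """Any on-chain outflow that is not a customer withdrawal (e.g. lending customer
        coins to an affiliate). Nothing here stops it; reconcile() is the control."""
        self.onchain[tier] -= amount
        self.journal.append(("operator_out", tier, amount, purpose))

    def liabilities(self) -> int:
        return sum(self.balances.values())

    def reserves(self) -> int:
        return sum(self.onchain.values())

    def reconcile(self):
        """(ok, shortfall): liabilities on the ledger must be covered by on-chain reserves."""
        shortfall = max(0, self.liabilities() - self.reserves())
        return shortfall == 0, shortfall

if __name__ == "__main__":
    # Constructed scenario: two deposits, a sweep to cold, an internal trade, a withdrawal.
    ledger = OmnibusLedger({"cold": 0, "warm": 0, "hot": 0})
    ledger.deposit("alice", 1_000_000)
    ledger.deposit("bob", 500_000)
    ledger.sweep("hot", "cold", 1_200_000)
    ledger.trade("alice", "bob", 300_000)
    ledger.withdraw("bob", 200_000)
    print("after normal operations:", ledger.reconcile())
    ledger.operator_transfer_out("cold", 400_000, "affiliate loan")
    print("after commingling:", ledger.reconcile())
```

The journal is what an auditor reconciles: every entry either moves the ledger, the chain, or both, and the sum of the two views must agree at each reconciliation point. An `operator_out` entry with no matching liability change is exactly the pattern a segregation control should refuse before it reaches the chain, rather than discover afterwards.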


What does HSM and MPC infrastructure actually do for an exchange?

Hardware Security Modules (HSMs) and multi-party computation (MPC) signing are the two institutional-tier signing primitives an exchange runs on its cold and warm wallets, and most operators in 2026 run a combination of both. HSMs hold private-key material in tamper-resistant hardware (typically devices validated to FIPS 140-2 Level 3 or Level 4, or the successor FIPS 140-3) and perform the signing operation inside the device, so the private key never leaves it in plaintext; the HSM is the institutional analogue, at custodian scale, to the retail device covered in the hardware wallet guide primer. MPC distributes the signing capability across multiple parties under a threshold-signature scheme, so no single party holds a complete key and no complete key is assembled even at signing time, per the MPC wallets explained chain-agnostic framework applied at operator tier.

Several exchanges run institutional MPC through Fireblocks, with the Fireblocks exchange-platform offering providing MPC-based signing across multiple HSM-backed parties as a managed service. Others run in-house HSM and MPC stacks with custom signing-policy engines layered above. The signing primitive itself is mature; the residual risk has moved up the stack to the human-interface layer (how the signing operation is presented to signers), the policy-engine layer (what authorizations initiate signing), and the operational layer (who has access).

The smart-contract surface on EVM chains adds a layer above the basic signing primitive. Some exchanges sign EVM transactions through HSM- or MPC-backed externally-owned accounts; others use Account-Abstraction smart-contract wallets at the operator level, with contract logic enforcing rate limits, withdrawal-destination allowlists, and multi-signer requirements. That surface carries the audit and code-quality concerns the retail smart contract wallet risks primer covers, at operator scale.


How do withdrawal queues and hot-wallet refilling cadences work?

A withdrawal from a centralized exchange is the operational moment the tier architecture becomes visible to the user. A small withdrawal settles in minutes because the hot wallet has sufficient balance to broadcast immediately; a large withdrawal can settle in hours because the hot wallet drains, the policy engine flags the queue for a warm-tier refill, the refill itself requires multi-party policy signing under the HSM or MPC stack, and only after the refill lands does the hot wallet process the queued withdrawal.

The withdrawal-queue model prevents a hot-wallet drain from converting into a hot-wallet compromise. If the hot wallet always carried enough to process the largest possible withdrawal, it would carry too much loss exposure; the queue keeps the hot wallet at a controlled level and triggers refills only when needed. The user sees "withdrawal pending"; the operator sees a refill-pending status with a defined signing cadence (often every four to six hours for high-volume operators, on-demand for smaller volumes).

The user-side reading is that a withdrawal delay on a large transfer is not "internal review" in the compliance sense, it is the architecture working as designed: the hot tier stays small because the operator is keeping loss exposure low, and the queue is the cost of that choice. A compliance-review state (a freeze for KYC, Source of Funds, or sanctions reasons) is a different status covered separately on the user-side incident-response framework.
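The queue-and-refill mechanics of this section, as an added example that is not any exchange's code: withdrawals that the hot tier covers broadcast at once, anything larger waits in a queue, and a refill from the warm tier is opened under a policy that requires approvals from a threshold of distinct authorised signers and caps each refill. The thresholds, the 2-of-3 policy, the refill cap and the amounts are assumptions for the example, and the approval step stands in for the HSM/MPC signing ceremony.

```python
"""Hot-wallet withdrawal queue with policy-gated warm-tier refills (added example)."""
from collections import deque

class HotWalletQueue:
    def __init__(self, hot: int, warm: int, target: int, floor: int,
                 refill_cap: int, approvers, threshold: int = 2):
        self.hot, self.warm = hot, warm            # sats held in each tier
        self.target, self.floor = target, floor    # refill back to target once hot drops below floor
        self.refill_cap = refill_cap               # largest single refill the policy allows
        self.approvers = set(approvers)            # identities holding refill-approval rights
        self.threshold = threshold                 # distinct approvals needed per refill
        self.queue = deque()                       # pending (withdrawal_id, amount), FIFO
        self.done = []                             # broadcast withdrawals
        self.pending_refill = None                 # (amount, set of approvers so far)

    def request_withdrawal(self, wid: str, amount: int) -> str:
        """'broadcast' if the hot tier covered it immediately, otherwise 'pending'."""
        self.queue.append((wid, amount))
        self._drain()
        return "broadcast" if any(w == wid for w, _ in self.done) else "pending"

    def _drain(self) -> None:
        # Process the queue head-first; never skip ahead to smaller withdrawals,
        # or a large one could be starved indefinitely.
        while self.queue and self.queue[0][1] <= self.hot:
            wid, amount = self.queue.popleft()
            self.hot -= amount
            self.done.append((wid, amount))
        if self.queue or self.hot < self.floor:
            self._open_refill()

    def _open_refill(self) -> None:
        if self.pending_refill is not None:
            return                                 # one refill ceremony at a time
        head_gap = self.queue[0][1] - self.hot if self.queue else 0
        need = min(max(self.target - self.hot, head_gap), self.refill_cap, self.warm)
        if need > 0:
            self.pending_refill = (need, set())

    def approve_refill(self, approver: str) -> bool:
        """One signer's approval. The refill lands only when `threshold` distinct
        authorised approvers have signed; returns True on the approval that lands it."""
        if self.pending_refill is None or approver not in self.approvers:
            return False
        amount, approvals = self.pending_refill
        approvals.add(approver)                    # a set: the same signer twice still counts once
        if len(approvals) < self.threshold:
            return False
        self.warm -= amount
        self.hot += amount
        self.pending_refill = None
        self._drain()                              # the queued withdrawal now goes out
        return True

if __name__ == "__main__":
    # Constructed scenario: a small withdrawal clears at once, a large one waits for a refill.
    q = HotWalletQueue(hot=1_000_000, warm=10_000_000, target=1_000_000, floor=300_000,
                       refill_cap=2_000_000, approvers={"ops-a", "ops-b", "ops-c"})
    print("w1:", q.request_withdrawal("w1", 200_000))
    print("w2:", q.request_withdrawal("w2", 2_500_000), "refill needed:", q.pending_refill)
    q.approve_refill("ops-a")
    print("w2 after refill:", q.approve_refill("ops-b"), q.done)
```

A withdrawal larger than one refill cap is served over successive refills, each its own signing ceremony, which is the operator-side shape of the "hours, not minutes" delay the text describes. Note that a refill is also opened when the hot tier simply falls below its floor with nothing queued, so the tier is topped up on a cadence rather than only under pressure.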


What major exchange custody breaches have shaped the architecture?

Three exchange custody incidents shaped the architecture every reputable CEX runs in 2026, and each is worth reading for the architectural lesson rather than as a news event. The first is the Mt. Gox bankruptcy filed February 28 2014, in which the Tokyo-based exchange reported approximately 850,000 BTC missing through years of cumulative compromise (approximately 200,000 BTC were later recovered). The lesson: hot-wallet exposure is the dominant attack surface at exchange scale, and the cold-heavy ratio every reputable operator targets today is the direct response. After Mt. Gox, the cold-heavy ratio became the institutional baseline.

The second is the FTX Chapter 11 filing of November 11 2022, with an estimated $8 billion customer-fund shortfall at filing (substantially recovered under the May 2024 plan). The lesson: the cold-warm-hot ratio is necessary but not sufficient; the structural failure was commingling of customer funds with operating capital and the use of customer assets to back margin and venture-capital positions. The fix is segregation, supported externally by proof of reserves explained attestations at the on-chain-transparency layer. FTX is the canonical reason institutional money has migrated toward qualified-custodian custody, and the reason retail readers ask about PoR cadence before placing material balances.

The third is the Bybit ETH cold-wallet incident of February 21 2025, with approximately $1.46 billion in ETH and stETH lost when an attacker manipulated the signing interface during a scheduled transfer out of the cold wallet: the signers saw a benign transfer on screen, while the transaction the devices actually signed replaced the multisig wallet's contract logic and handed the attacker control of the wallet (TRM Labs attributed the attack to Lazarus Group). The lesson: a cold-wallet label does not prevent loss when the signing interface is the attack surface, and a hardware device that signs whatever it is handed protects the key, not the intent. The institutional defense has since moved to multi-party signing-interface verification, with a second-signer interface independently decoding the payload and checking it against the first before any signature is produced.
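The independent-verification step that lesson calls for, as an added example that is not Bybit's, Safe's or any wallet vendor's code: before signing, each signer re-decodes the raw bytes the device will actually sign, compares them with what the interface displayed, and runs them against a signing policy (destination allowlist, no delegatecall, no calldata on a plain transfer, value cap). The byte layout, the operation codes and the sample addresses are assumptions for this example; a real multisig has its own encoding (for instance an EIP-712 typed hash), and the point is that the signer recomputes it from raw inputs rather than trusting the screen.

```python
"""Independent payload verification before a cold-wallet signing ceremony (added example)."""
import hashlib
from dataclasses import dataclass

CALL, DELEGATECALL = 0, 1      # assumed operation codes for the example layout

@dataclass(frozen=True)
class Intent:
    to: bytes            # 20-byte destination
    value_wei: int
    operation: int       # CALL or DELEGATECALL
    data: bytes          # calldata; empty for a plain transfer

def encode(intent: Intent) -> bytes:
    """Example wire layout: to(20) || value(32, big-endian) || operation(1) || data."""
    return intent.to + intent.value_wei.to_bytes(32, "big") + bytes([intent.operation]) + intent.data

def decode(raw: bytes) -> Intent:
    if len(raw) < 53:
        raise ValueError("truncated payload")
    return Intent(raw[:20], int.from_bytes(raw[20:52], "big"), raw[52], raw[53:])

def payload_digest(raw: bytes) -> str:
    """Short fingerprint each signer reads off the device and compares out-of-band."""
    return hashlib.sha256(raw).hexdigest()[:16]

@dataclass(frozen=True)
class Policy:
    allowlist: frozenset     # known destinations (hot wallet, warm wallet)
    max_value_wei: int

def check_before_signing(raw: bytes, shown: Intent, policy: Policy) -> list:
    """Return the reasons to refuse; an empty list means this signer may sign.
    `raw` is what the device will sign; `shown` is what the interface displayed."""
    actual = decode(raw)
    reasons = []
    if actual != shown:
        reasons.append("payload differs from what the interface displayed")
    if actual.operation != CALL:
        reasons.append("delegatecall can replace the wallet's own logic; never allowed in a transfer")
    if actual.to not in policy.allowlist:
        reasons.append("destination not on the allowlist")
    if actual.data:
        reasons.append("a plain transfer carries no calldata")
    if actual.value_wei > policy.max_value_wei:
        reasons.append("value exceeds the per-transfer cap")
    return reasons

# Constructed addresses for the example (not real contracts).
HOT_WALLET = bytes.fromhex("11" * 20)
ATTACKER = bytes.fromhex("ee" * 20)
POLICY = Policy(frozenset({HOT_WALLET}), 1000 * 10**18)

if __name__ == "__main__":
    shown = Intent(HOT_WALLET, 100 * 10**18, CALL, b"")          # what the UI says
    honest = encode(shown)
    tampered = encode(Intent(ATTACKER, 0, DELEGATECALL, b"\x00\x01"))  # what a compromised UI submits
    print("honest:", check_before_signing(honest, shown, POLICY), payload_digest(honest))
    print("tampered:", check_before_signing(tampered, shown, POLICY), payload_digest(tampered))
```

Two of the five checks would have caught the pattern described above on their own: a transfer never needs delegatecall, and the destination was not an allowlisted wallet. The comparison against `shown` is the "what you see is what you sign" check; the fingerprint comparison between independent signer devices is what makes a single compromised interface insufficient.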


How should you evaluate a CEX custody posture in 2026?

A sophisticated user evaluates a CEX custody posture in 2026 along seven dimensions: cold-storage ratio (and the operator's own definition of "cold"), deposit-address segregation model, HSM and MPC infrastructure (Fireblocks-tier vendor, in-house build, or combination), withdrawal-queue cadence, Proof-of-Reserves attestation cadence and methodology, insurance and reserve-fund structure (hot-wallet insurance per the crypto insurance coverage framework plus operator-funded reserves like SAFU), and incident track record. The dimensions are independent; a CEX that passes on six and fails on the seventh is not a complete custody operation.

The cold-storage ratio is the first-pass filter: the institutional baseline is approximately 95-98 percent, and an operator materially below it is signalling a different risk profile. Deposit-address segregation matters for chain-specific risk. HSM and MPC infrastructure matters for the institutional-tier signing posture. Withdrawal-queue cadence matters for how tightly the operator manages hot-tier exposure. PoR cadence and methodology matter for on-chain transparency. Insurance and reserve-fund structure matters for residual loss. Incident track record matters because the defense against any future incident is partly the operator's posture at the last one.

Once funds leave the exchange, the chain-agnostic discipline applies: the revoke token approvals practice, hardware-signed flows on non-trivial transfers, and the PoR cadence of any subsequent operator each carry the same evaluation weight. The CEX wallet stack is one tier in a layered framework; the user controls how much of any balance sits in it.

From Blofin's operational perspective, the multi-tier custody architecture every reputable CEX runs is the operator-side complement to the retail self-custody framework: the trust boundary moves off the operator's hot infrastructure either by user-controlled withdrawal or by qualified-custodian custody, with the CEX wallet architecture sitting between them. Blofin's own retail-user framework supports the equivalent move: withdrawals to user-selected self-custody, hardware-signed flows on non-trivial transfers, the Web3-wallet Passkey plus Account-Abstraction option for on-platform self-custody, and a withdrawal-suspension window of 24 hours after any reset of the security verification methods (48 hours when the reset goes through the security-method-recovery flow), all documented at the Blofin platform security features reference. Retail self-custody and exchange custody are paired tiers in a single framework the user composes across the whole of their holdings.


Frequently asked questions

Are funds on a centralized exchange ever really "yours"?

In the strict cryptographic sense, no: the exchange holds the private keys, and your balance on the trading screen is a number on the internal ledger backed by on-chain holdings the exchange controls. In the legal sense, the answer depends on the operator's segregation framework and the jurisdiction's bankruptcy treatment of customer assets. Funds on a CEX are operator-custodied assets with a contractual claim attached, structurally different from funds in a self-custody wallet.

Is a cold wallet always safer than a hot wallet?

A cold wallet is structurally safer against the most common attack categories (remote network compromise, key exfiltration, mass-withdrawal automation), because the private-key material is offline and signing requires a controlled human ceremony. But "cold" does not mean unhackable; the Bybit February 21 2025 incident at approximately $1.46 billion happened on a cold-wallet transfer where the attack surface was the signing interface, not the hardware-security layer. Cold storage reduces the attack surface, but an operator can still lose a cold-wallet transfer if the signing-flow controls are compromised.

Why does my large withdrawal take longer than my small one?

Because the hot wallet only holds enough to process typical withdrawal volume, and a large withdrawal can drain it and trigger a warm-tier refill. The refill requires multi-party policy signing on the HSM or MPC stack, often on a fixed schedule rather than on-demand, and only after the refill lands does the hot wallet process the queued withdrawal. The delay is the architecture working as designed, independent of any compliance-review state.

What happens to my funds if the exchange itself fails?

The answer depends on the operator's segregation framework, the jurisdiction's bankruptcy treatment of customer assets, and any insurance or operator-funded reserves (like SAFU). The FTX November 11 2022 Chapter 11 filing illustrated the worst case, where customer funds were commingled with operating capital; the May 2024 plan eventually recovered substantially all customer claims. The structural defense is segregation, supported externally by Proof-of-Reserves attestations demonstrating the operator holds the on-chain assets corresponding to internal-ledger liabilities at the attestation moment.

How should I split balances between an exchange and self-custody?

A useful default is to hold operationally-active balances on the exchange and longer-term holdings in self-custody under your own keys. The trade-off is operator-custodied operational liquidity versus user-controlled long-term holdings. The seven-dimension CEX-custody framework feeds the operator-side input; the wallet-security-model framework feeds the user-side input. No single tier should carry the full holdings.



Researched and written by the Blofin Academy editorial team with AI-assisted drafting. Primary sources include the Coinbase Help Center disclosure on the approximately 98 percent cold-storage ratio and the $320 million commercial-crime insurance policy, the Coinbase blog "behind-the-scenes" custody-transfer disclosure on the cold-storage signing-ceremony framing, the CoinDesk coverage of the Binance SAFU conversion to approximately 15,000 BTC in February 2026 with the $800 million stated floor commitment, the Binance Academy reference on the Secure Asset Fund for Users framework, the Bybit incident announcement on the February 21 2025 cold-wallet exploit and the CoinDesk coverage with the approximate $1.46 billion figure and the TRM Labs Lazarus-Group attribution, the Wikipedia Mt. Gox reference on the February 28 2014 bankruptcy filing and the approximately 850,000 BTC reported missing, the Wikipedia Bankruptcy of FTX reference on the November 11 2022 Chapter 11 filing and the approximately $8 billion customer-fund shortfall, and the Fireblocks exchange-platform documentation on the institutional MPC custody infrastructure for exchanges. All facts independently verified against cited documentation current as of May 2026.


This article is for informational purposes only and does not constitute financial advice, investment guidance, or a recommendation to buy, sell, or hold any digital asset. Cryptocurrency markets involve significant risk and you should conduct your own research and consult qualified professionals before making investment decisions. Blofin Academy content reflects the state of public information at time of publication; protocol parameters, fees, and platform data change frequently.