Crypto Exchange Security Architecture: What Actually Keeps Exchanges Safe
Codono Team

$3.8 Billion Stolen in 2022 Alone. Most of It Was Preventable.

Let’s talk about something that should keep every exchange operator awake at night: the sheer predictability of crypto exchange hacks.

When Ronin Network lost $625 million in March 2022, the root cause wasn’t some brilliant zero-day exploit. It was compromised validator private keys — five out of nine validators were controlled by a single entity, and attackers social-engineered their way to enough keys to drain the bridge. When Mt. Gox collapsed back in 2014 with 850,000 Bitcoin missing, the underlying problems included hot wallet mismanagement, zero multi-sig controls, and almost no internal audit trail. And when FTX imploded? That wasn’t even really a hack. It was an insider with unrestricted access to customer funds and absolutely no operational controls to stop them.

The pattern is painfully obvious once you’ve seen it enough times. And we have seen it — after helping more than 500 exchanges build and secure their platforms, the failure modes are almost always the same. It’s not the sophisticated nation-state attacks that take exchanges down. It’s the boring stuff. Poor key management. Single points of failure. Admin accounts with god-mode access. Hot wallets stuffed with way more crypto than they should hold because someone couldn’t be bothered to run a sweep.

Here’s what actually works. Not the marketing-speak version with “military-grade encryption” and “AI-powered threat detection.” The real version. The one where I tell you that good security architecture is deeply unsexy and that’s exactly what makes it effective.

The Cold/Hot/Warm Wallet Architecture (a.k.a. The 95/5 Rule)

If you only implement one security measure for your exchange, make it this: keep 95% or more of all customer funds in cold storage at all times.

Cold storage means the private keys never touch an internet-connected device. Ever. They’re generated offline, stored on hardware security modules or air-gapped computers, and transactions are signed in a physically isolated environment. The moment a private key exists on a machine with a network connection, it becomes a target. Cold storage eliminates that entire attack surface.

But you can’t run an exchange on cold storage alone. Users expect to deposit and withdraw crypto within minutes, not hours. That’s where the hot and warm wallet tiers come in.

Hot wallets are your front line. They’re connected to the internet, integrated with your exchange’s withdrawal system, and hold just enough crypto to handle normal withdrawal volume — typically 2-5% of total funds. Think of them as the cash register at a retail store. You keep enough bills to make change, but you don’t keep the full day’s revenue sitting in the drawer.

Warm wallets sit between hot and cold. They’re semi-connected — perhaps on a system that comes online only at scheduled intervals to top up the hot wallets. Warm wallets might hold 5-10% of funds and act as a buffer so you don’t need to access cold storage for routine operations.

Cold wallets hold everything else. The vast majority. The 85-95%.

How Sweeping Works

The flow goes like this: deposits arrive into deposit addresses, which are essentially temporary hot wallets. A sweeping process periodically collects deposits from these addresses and consolidates them. Small amounts get moved to the hot wallet to maintain its operating balance. Everything else gets swept to cold storage.

On the withdrawal side, when a user requests a withdrawal, it comes from the hot wallet. If the hot wallet balance drops below a threshold, someone (ideally two someones, but we’ll get to that) authorizes a transfer from the warm wallet to replenish it. Cold storage only gets touched for large, planned movements — and those should require multiple approvals, physical presence, and a documented process.

The practical numbers vary by exchange size. A small exchange doing $1M in daily volume might keep $50K in hot wallets. A mid-tier exchange doing $50M daily might hold $500K-$1M hot. The key metric is: can your hot wallet cover 4-8 hours of normal withdrawal demand? If yes, you’re probably sized right. If you’re holding more than that, you’re taking unnecessary risk.

A solid crypto wallet infrastructure handles all of this — the sweeping schedules, the threshold monitoring, the automated rebalancing between tiers. But even the best software is only as good as the policies wrapped around it. Which brings us to multi-sig.
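As an added illustration (not Codono's wallet code), the sweep and refill policy described above as a small Python planner. The 6-hour hot target, the 50% refill trigger and the 5%/85% share checks are assumptions taken from the ranges in this section.

```python
from dataclasses import dataclass, field

# Policy figures are assumptions drawn from the article's ranges, not Codono
# defaults: the hot wallet is sized for 6 hours of average withdrawal demand and
# refilled from warm once it falls below half its target; hot must stay <= 5% of
# custody and cold >= 85%.
HOT_COVER_HOURS = 6.0
HOT_REFILL_FRACTION = 0.5
MAX_HOT_SHARE = 0.05
MIN_COLD_SHARE = 0.85


@dataclass
class Tiers:
    hot: float
    warm: float
    cold: float
    deposits: dict = field(default_factory=dict)  # deposit address -> balance

    @property
    def total(self) -> float:
        return self.hot + self.warm + self.cold + sum(self.deposits.values())


def hot_target(avg_withdrawal_per_hour: float) -> float:
    return HOT_COVER_HOURS * avg_withdrawal_per_hour


def plan_sweep(t: Tiers, avg_withdrawal_per_hour: float):
    """Consolidate deposit addresses: top the hot wallet up to its target and
    sweep everything else straight to cold. Returns the moves as
    (source, destination, amount) tuples and applies them to the tiers."""
    moves = []
    target = hot_target(avg_withdrawal_per_hour)
    for addr in sorted(t.deposits):
        bal = t.deposits[addr]
        if bal <= 0:
            continue
        to_hot = min(bal, max(0.0, target - t.hot))
        if to_hot > 0:
            moves.append((addr, "hot", to_hot))
            t.hot += to_hot
        to_cold = bal - to_hot
        if to_cold > 0:
            moves.append((addr, "cold", to_cold))
            t.cold += to_cold
        t.deposits[addr] = 0.0
    return moves


def plan_refill(t: Tiers, avg_withdrawal_per_hour: float):
    """Warm -> hot top-up, returned as a request that needs two approvals.
    Nothing moves here: the transfer is deliberately not an automated action."""
    target = hot_target(avg_withdrawal_per_hour)
    if t.hot >= HOT_REFILL_FRACTION * target:
        return None
    amount = min(target - t.hot, t.warm)
    return {"src": "warm", "dst": "hot", "amount": amount, "approvals_required": 2}


def check_exposure(t: Tiers, avg_withdrawal_per_hour: float) -> dict:
    """Checklist-style sizing checks for the tiers as they currently stand."""
    hours = t.hot / avg_withdrawal_per_hour if avg_withdrawal_per_hour else float("inf")
    return {
        "hot_share_ok": t.hot / t.total <= MAX_HOT_SHARE,
        "cold_share_ok": t.cold / t.total >= MIN_COLD_SHARE,
        "hot_hours": hours,
        "hot_hours_ok": 4.0 <= hours <= 8.0,
    }


if __name__ == "__main__":
    # Constructed balances in one asset unit (e.g. BTC); average demand 10/hour.
    tiers = Tiers(hot=30.0, warm=80.0, cold=2000.0, deposits={"dep_a": 25.0, "dep_b": 40.0})
    print(plan_sweep(tiers, 10.0))
    print(check_exposure(tiers, 10.0))
```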

Multi-Signature Security: Eliminating the Single Point of Failure

Multi-signature (multi-sig) wallets require more than one private key to authorize a transaction. Simple concept, massive security implications.

Without multi-sig, a single compromised key means total loss. One phished employee, one stolen hardware wallet, one rogue insider — and the funds are gone. Multi-sig changes the math entirely. An attacker now needs to compromise multiple independent keys, ideally held by different people in different locations using different security practices.

Common Multi-Sig Configurations

2-of-3: Three keys exist, any two can authorize a transaction. This is the minimum viable multi-sig for exchange operations. Typically you’d have one key held by the CEO/founder, one by the CTO or head of security, and one stored in a secure vault as a backup. It protects against a single key being compromised while still allowing operations if one keyholder is unavailable.

3-of-5: Five keys, three required. This is what we recommend for cold storage wallets holding significant value. Distribute keys across the executive team, board members, or even external custodians. Geographic distribution matters too — keys should be in different physical locations, ideally different cities or countries. If three of your five keyholders work in the same office, a single physical security incident could compromise your entire setup.

4-of-7: For large exchanges holding hundreds of millions. The more signatures required, the harder the attack, but the more operationally complex every transaction becomes. At this level, you’re probably also implementing time-locks (transactions don’t execute for 24-48 hours after signing, giving you a window to detect and cancel fraudulent transactions) and hardware security modules for key generation and storage.

When Each Setup Makes Sense

Starting out with less than $1M in total custody? 2-of-3 is fine. It gives you meaningful protection without creating an operational nightmare. As you grow past $10M in custody, move to 3-of-5 for cold storage while keeping 2-of-3 for warm wallets. Above $100M, you should be looking at 4-of-7 with geographic distribution, time-locks, and probably some form of institutional custody partnership.

The critical rule: no single person should ever be able to unilaterally move funds from cold storage. Period. If your exchange has a setup where the CEO can single-handedly drain the cold wallet, you don’t have a security architecture. You have a hope-the-CEO-stays-honest architecture. That’s what FTX had, and we all saw how that ended.
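An added model of the approval policy, not an on-chain multi-sig implementation: a real setup verifies per-keyholder public-key signatures in the chain's script or contract, while this stand-in uses HMAC with verifier-held secrets so it runs offline. It shows M-of-N with distinct signers plus the time-lock window in which a single keyholder can cancel; the 24-hour figure and the keyholder names are assumptions.

```python
import hashlib
import hmac
import json

# Assumed time-lock of 24 hours (the low end of the article's 24-48h window).
TIMELOCK_SECONDS = 24 * 3600


def canonical(tx: dict) -> bytes:
    """Stable encoding so every keyholder signs exactly the same bytes."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


def keyholder_sign(secret: bytes, tx: dict) -> str:
    # Stand-in for a hardware-backed signature: an HMAC over the canonical tx.
    return hmac.new(secret, canonical(tx), hashlib.sha256).hexdigest()


class ThresholdWallet:
    """M-of-N approval with a time-lock window in which any keyholder can cancel."""

    def __init__(self, threshold: int, keyholders: dict):
        self.m = threshold
        self.keyholders = keyholders  # name -> secret (constructed; verifier-held in this model)
        self.pending = {}

    def valid_signers(self, tx: dict, sigs: dict) -> set:
        ok = set()
        for name, sig in sigs.items():
            secret = self.keyholders.get(name)
            if secret is not None and hmac.compare_digest(keyholder_sign(secret, tx), sig):
                ok.add(name)
        return ok  # a set: the same key presented twice still counts once

    def submit(self, tx: dict, sigs: dict, now: int):
        """Queue a transaction once the threshold of distinct valid signers is met."""
        signers = self.valid_signers(tx, sigs)
        if len(signers) < self.m:
            return None, "rejected: %d valid signatures, %d required" % (len(signers), self.m)
        txid = hashlib.sha256(canonical(tx)).hexdigest()[:16]
        self.pending[txid] = {"tx": tx, "signers": sorted(signers),
                              "unlock_at": now + TIMELOCK_SECONDS, "cancelled": False}
        return txid, "queued until %d" % (now + TIMELOCK_SECONDS)

    def cancel(self, txid: str, keyholder: str) -> bool:
        # One legitimate keyholder is enough to stop a transaction inside the window.
        p = self.pending.get(txid)
        if p is None or keyholder not in self.keyholders:
            return False
        p["cancelled"] = True
        return True

    def execute(self, txid: str, now: int) -> str:
        p = self.pending.get(txid)
        if p is None:
            return "unknown"
        if p["cancelled"]:
            return "cancelled"
        if now < p["unlock_at"]:
            return "locked"
        del self.pending[txid]
        return "executed"
```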

API Security: The Front Door Most Exchanges Leave Wide Open

Your exchange’s API is how the world interacts with your platform. Trading bots, market makers, institutional clients, mobile apps — they all hit your API. It’s also the most attacked surface area on any exchange, handling thousands of requests per second, many of them from automated systems that probe for weaknesses around the clock.

Rate Limiting: Your First Line of Defense

Rate limiting isn’t just about preventing abuse. It’s about making sure a single compromised API key can’t drain an account in seconds.

Smart rate limiting works on multiple levels:

  • Per-IP limits: Cap the number of requests from any single IP address. 1,200 requests per minute is a reasonable default for general endpoints. Tighter for sensitive operations.
  • Per-account limits: Even authenticated requests should be capped. A legitimate trading bot might make 10 orders per second. If an API key suddenly starts making 1,000 withdrawal requests per second, that’s not a bot — that’s an attack.
  • Per-endpoint limits: Withdrawal endpoints should have dramatically lower rate limits than market data endpoints. Nobody legitimately needs to submit 50 withdrawal requests in a minute.
  • Graduated responses: First offense gets a gentle slowdown. Repeated violations get temporary bans. Sustained abuse gets permanent blocks plus a security review of the account.
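The four levels above combined in one sliding-window limiter, added here as an example rather than Codono's implementation. The 1,200/min per-IP figure is the article's; the per-account, per-endpoint and ban-duration values are assumptions.

```python
from collections import defaultdict, deque

# Limits are requests per 60 s window. The 1,200/min per-IP figure comes from the
# article; the account and per-endpoint figures are assumptions.
WINDOW_SECONDS = 60.0
LIMITS = {
    "ip": 1200,
    "account": 600,
    "endpoint:market": 1200,
    "endpoint:order": 600,
    "endpoint:withdraw": 10,
}
TEMP_BAN_SECONDS = 600.0  # assumed length of a temporary ban


class RateLimiter:
    """Sliding-window limits on three scopes with graduated responses."""

    def __init__(self):
        self.hits = defaultdict(deque)      # (scope, key) -> request timestamps
        self.violations = defaultdict(int)  # account -> violation count
        self.banned_until = {}
        self.blocked = set()
        self.review_queue = []

    def _count(self, bucket, now):
        q = self.hits[bucket]
        while q and q[0] <= now - WINDOW_SECONDS:
            q.popleft()
        return len(q)

    def check(self, ip, account, endpoint, now):
        """Returns (decision, detail). Decisions: allow, slow_down, banned, blocked."""
        if account in self.blocked:
            return "blocked", "permanent"
        if self.banned_until.get(account, 0.0) > now:
            return "banned", self.banned_until[account] - now
        ep_scope = "endpoint:" + endpoint
        buckets = [
            ("ip", ip, LIMITS["ip"]),
            ("account", account, LIMITS["account"]),
            (ep_scope, account, LIMITS.get(ep_scope, LIMITS["account"])),
        ]
        for scope, key, limit in buckets:
            if self._count((scope, key), now) >= limit:
                return self._escalate(account, scope, now)
        for scope, key, _ in buckets:
            self.hits[(scope, key)].append(now)
        return "allow", None

    def _escalate(self, account, scope, now):
        # First offense: a gentle slowdown. Second and third: temporary ban.
        # Beyond that: permanent block plus a security review of the account.
        self.violations[account] += 1
        n = self.violations[account]
        if n == 1:
            return "slow_down", "%s limit hit, add a 1s delay" % scope
        if n <= 3:
            self.banned_until[account] = now + TEMP_BAN_SECONDS
            return "banned", TEMP_BAN_SECONDS
        self.blocked.add(account)
        self.review_queue.append(account)
        return "blocked", "%s: escalated to security review" % scope
```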

HMAC Signature Authentication

Every API request that involves account actions — placing orders, making withdrawals, checking balances — should be authenticated with HMAC (Hash-based Message Authentication Code) signatures.

Here’s how it works in practice: the user has an API key (public identifier) and a secret key (never sent over the wire). When making a request, the client creates a signature by hashing the request parameters plus a timestamp using the secret key. The server receives the request, recreates the signature using its copy of the secret key, and verifies they match. If the timestamp is more than 30 seconds old, reject it — this prevents replay attacks where someone intercepts a signed request and tries to reuse it.

This is table stakes. If your exchange API doesn’t require HMAC signatures for authenticated endpoints, you have a serious problem.

IP Whitelisting

Allow users to restrict their API keys to specific IP addresses. A market maker running bots from three known servers should be able to lock their API key to those three IPs. If someone steals the API key and tries to use it from a different IP, the request gets rejected.

This single feature prevents the majority of API key theft from actually resulting in fund loss. Make it available, make it prominent, and consider making it mandatory for API keys with withdrawal permissions.

The admin dashboard should give your security team real-time visibility into API usage patterns — sudden spikes, unusual geographic origins, keys being used from new IPs. Detection is almost as important as prevention.
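An added server-side check that covers HMAC signing, the 30-second timestamp window and per-key IP whitelisting from the subsections above (example code, not Codono's API). The header names, key store and nonce cache are assumptions; the nonce is included because a timestamp window alone still accepts an identical replay inside those 30 seconds.

```python
import hashlib
import hmac
import time

MAX_SKEW_SECONDS = 30  # the article's freshness window
NONCE_TTL_SECONDS = 2 * MAX_SKEW_SECONDS

# Constructed key store: key id -> secret, optional IP allowlist, permissions.
API_KEYS = {
    "ak_demo_0001": {
        "secret": b"demo-secret-not-for-production",
        "allowed_ips": {"203.0.113.10", "203.0.113.11"},
        "withdraw": True,
    },
}
_seen_nonces = {}  # (key_id, nonce) -> expiry; would be a shared cache in production


def canonical_string(method, path, timestamp, nonce, body):
    """Exactly what the client signs: method, path, timestamp, nonce, raw body."""
    return "\n".join([method.upper(), path, str(timestamp), nonce, body]).encode()


def client_sign(secret, method, path, timestamp, nonce, body):
    return hmac.new(secret, canonical_string(method, path, timestamp, nonce, body),
                    hashlib.sha256).hexdigest()


def verify_request(headers, method, path, body, source_ip, now=None):
    """Server side. Returns (ok, reason). The signature is checked before the
    nonce is recorded, so unauthenticated traffic cannot poison the nonce cache."""
    now = time.time() if now is None else now
    key_id = headers.get("X-API-KEY", "")
    rec = API_KEYS.get(key_id)
    if rec is None:
        return False, "unknown key"
    try:
        ts = int(headers.get("X-TIMESTAMP", ""))
    except ValueError:
        return False, "bad timestamp"
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "stale timestamp"
    if rec["allowed_ips"] and source_ip not in rec["allowed_ips"]:
        return False, "ip not whitelisted"
    nonce = headers.get("X-NONCE", "")
    expected = client_sign(rec["secret"], method, path, ts, nonce, body)
    if not hmac.compare_digest(expected, headers.get("X-SIGNATURE", "")):
        return False, "bad signature"
    # The timestamp window alone still permits replay inside 30 s; the nonce closes it.
    for k in [k for k, exp in _seen_nonces.items() if exp <= now]:
        del _seen_nonces[k]
    if not nonce or (key_id, nonce) in _seen_nonces:
        return False, "replayed nonce"
    _seen_nonces[(key_id, nonce)] = now + NONCE_TTL_SECONDS
    if path.startswith("/v1/withdraw") and not rec["withdraw"]:
        return False, "key lacks withdraw permission"
    return True, key_id


def signed_headers(key_id, secret, method, path, body, timestamp, nonce):
    """Client helper: builds the headers a trading bot would send."""
    return {
        "X-API-KEY": key_id,
        "X-TIMESTAMP": str(timestamp),
        "X-NONCE": nonce,
        "X-SIGNATURE": client_sign(secret, method, path, timestamp, nonce, body),
    }
```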

DDoS Protection: When They Can’t Steal, They Try to Destroy

Distributed Denial of Service attacks against crypto exchanges are constant. Not occasional — constant. During volatile market periods (exactly when your exchange needs to be up), attack volume can spike 10-20x. Attackers range from competitors trying to push your users to their platform, to short sellers who profit when an exchange goes offline and the market panics, to plain old extortionists demanding Bitcoin ransoms.

Layer 3/4 Protection (Network Level)

This is volumetric attack mitigation — absorbing massive floods of junk traffic before it reaches your servers. You need a CDN/DDoS mitigation provider like Cloudflare, Akamai, or AWS Shield. Don’t try to handle this yourself. A serious DDoS attack can push 500 Gbps or more of traffic. Unless you own your own data center with massive upstream bandwidth, you need a provider whose entire business is absorbing this kind of flood.

Cloudflare’s free tier won’t cut it for an exchange. You need their Business or Enterprise plan, which includes advanced DDoS protection, WAF rules customized for API traffic patterns, and 24/7 support from their security team. Budget $200-$500/month minimum. It’s cheap insurance.

Layer 7 Protection (Application Level)

These are the sneaky attacks. They don’t flood you with raw bandwidth — they send carefully crafted requests that look legitimate but are designed to overwhelm your application. Think thousands of complex order book queries, mass login attempts, or API requests that trigger expensive database operations.

Layer 7 protection means:

  • Web Application Firewall (WAF) rules that detect and block malicious request patterns
  • Challenge pages for suspicious traffic (CAPTCHAs, JavaScript challenges)
  • Geographic filtering — if you don’t serve users in certain regions, you can block or challenge traffic from those regions during an attack
  • Behavioral analysis that distinguishes human users from bots based on request patterns, mouse movements, and browsing behavior

The Trading Engine Isolation Pattern

Here’s something most smaller exchanges miss: your trading engine should be isolated from your public-facing web servers. If a DDoS attack takes down your website, that’s bad. If it also takes down your matching engine and users can’t execute trades or withdrawals — that’s catastrophic.

Run your matching engine on separate infrastructure that’s not directly exposed to the internet. The web servers talk to the matching engine through an internal message queue. Even if the web frontend goes down, the matching engine keeps running, and you can bring the frontend back up without any impact on pending orders or trades.

Internal Security Controls: Your Biggest Threat Wears a Company Badge

I realize this sounds paranoid. It’s not. The data is clear: insider threats account for a disproportionate share of exchange security incidents. Not because most employees are malicious — the vast majority aren’t — but because a single bad actor with elevated access can do more damage than a thousand external attackers.

Role-Based Access Control (RBAC)

Not every admin needs access to everything. In fact, no admin should have access to everything. Build your access control around the principle of least privilege:

  • Customer support agents can view account details and transaction history. They cannot modify balances, override KYC status, or process withdrawals.
  • Compliance officers can review KYC documents and flag accounts. They cannot access wallet infrastructure or trading system configuration.
  • Finance team can view aggregate reports and treasury balances. They cannot initiate individual transactions.
  • System administrators can manage infrastructure. They don’t have access to private keys.
  • C-level executives have broader access but still require a second person for sensitive operations.

The Codono admin dashboard is built around this principle — every role has specific permissions, and expanding those permissions requires explicit authorization and creates an audit trail.

The Two-Person Rule

For any action that could result in financial loss, require two authorized individuals. This includes:

  • Withdrawals above a certain threshold (say, $10,000)
  • Changes to wallet configurations
  • Modification of trading pair settings
  • Disabling security features
  • Overriding KYC/AML flags
  • Adding new admin accounts

One person initiates. A different person approves. Both actions are logged with timestamps, IP addresses, and device fingerprints. This doesn’t just prevent malicious insiders — it also protects against compromised admin accounts. Even if an attacker gets one admin’s credentials, they still need a second admin to approve the dangerous stuff.

Audit Trails That Actually Mean Something

Every action on your exchange — every trade, every withdrawal, every admin login, every configuration change — should produce an immutable audit log. “Immutable” is the key word. The logs should be written to a system that even your senior developers can’t modify or delete. Ship them to an external logging service, write them to append-only storage, or use a blockchain-based audit trail.

These logs are your forensic lifeline. When (not if) something goes wrong, you need to reconstruct exactly what happened, when, and by whom. Without comprehensive audit trails, incident investigation is guesswork, regulator inquiries are nightmares, and legal liability goes through the roof.
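The permission matrix, the two-person rule and an immutable audit trail together, as an added Python example that is not Codono's admin code. The role-to-permission mapping is an assumption read from the role descriptions above, and hash chaining stands in for the append-only external store the text recommends.

```python
import hashlib
import json
import time

# Permission matrix is an assumption drawn from the article's role descriptions.
ROLES = {
    "support":    {"view_account", "view_history"},
    "compliance": {"view_kyc", "flag_account", "override_kyc"},
    "finance":    {"view_reports", "view_treasury"},
    "sysadmin":   {"manage_infra"},
    "executive":  {"view_account", "view_reports", "process_withdrawal",
                   "change_wallet_config", "add_admin", "override_kyc"},
}
# Actions under the two-person rule; withdrawals only above the threshold.
TWO_PERSON = {"process_withdrawal", "change_wallet_config", "add_admin",
              "override_kyc", "disable_security"}
WITHDRAWAL_THRESHOLD = 10_000  # the article's example figure


class AuditLog:
    """Append-only, hash-chained entries: editing or deleting one breaks verify()."""

    def __init__(self):
        self.entries = []

    def append(self, **event):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        entry = dict(event, ts=time.time(), prev=prev)
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.entries.append(entry)

    def verify(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if e["prev"] != prev or digest != e["hash"]:
                return False
            prev = e["hash"]
        return True


class Authz:
    def __init__(self, users: dict, log: AuditLog):
        self.users = users  # user -> role
        self.log = log
        self.pending = {}
        self._seq = 0

    def can(self, user, action):
        return action in ROLES.get(self.users.get(user, ""), set())

    def request(self, user, action, params, ctx):
        # ctx carries the caller's ip and device fingerprint; every outcome is logged.
        if not self.can(user, action):
            self.log.append(event="denied", user=user, action=action, **ctx)
            return "denied", None
        needs_two = action in TWO_PERSON and (
            action != "process_withdrawal" or params.get("amount", 0) > WITHDRAWAL_THRESHOLD)
        if not needs_two:
            self.log.append(event="executed", user=user, action=action, params=params, **ctx)
            return "executed", None
        self._seq += 1
        req_id = "req-%d" % self._seq
        self.pending[req_id] = {"initiator": user, "action": action, "params": params}
        self.log.append(event="initiated", req=req_id, user=user, action=action, params=params, **ctx)
        return "pending", req_id

    def approve(self, approver, req_id, ctx):
        # The approver must be a different person who also holds the permission.
        p = self.pending.get(req_id)
        if p is None or approver == p["initiator"] or not self.can(approver, p["action"]):
            self.log.append(event="approval_rejected", req=req_id, user=approver, **ctx)
            return "rejected"
        del self.pending[req_id]
        self.log.append(event="approved", req=req_id, user=approver, action=p["action"], **ctx)
        return "executed"
```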

KYC/AML as a Security Layer

There’s a tendency to think of KYC/AML systems as purely a compliance requirement — something you grudgingly implement because regulators demand it. That’s a mistake. Good KYC/AML is also a security layer.

Identity verification prevents attackers from creating armies of fake accounts to exploit your platform. Transaction monitoring flags unusual patterns that could indicate account takeover, money laundering, or insider manipulation. Sanctions screening prevents your exchange from being used as a conduit for sanctioned entities — which, apart from the legal consequences, tends to attract the kind of attention from law enforcement that no exchange wants.

Integrate with a reputable KYC provider like Sumsub that handles verification across multiple jurisdictions and document types. The technology for this is mature now — real-time ID verification with liveness checks takes under two minutes for most users. There’s no longer any excuse for skipping it or half-implementing it.

Incident Response: The Plan You Hope You Never Need

Every exchange will face a security incident eventually. Not might — will. The question is whether you respond in five minutes or five hours, and that difference often determines whether the incident is a manageable event or an existential crisis.

Your Incident Response Plan Should Cover:

Detection: How do you know something is wrong? Automated monitoring should cover unusual withdrawal patterns, login anomalies, API abuse, server resource spikes, and wallet balance deviations. Set alert thresholds that err on the side of too sensitive rather than not sensitive enough. Investigating false alarms is annoying. Missing a real breach is fatal.

Containment: What happens in the first five minutes? Your team should be able to pause all withdrawals within 60 seconds of a confirmed breach. Not “call a meeting to discuss whether we should pause withdrawals.” Not “try to reach the CEO for approval.” Immediate, automatic, documented. The person on call should have the authority and the technical ability to halt withdrawals instantly.

Assessment: Once contained, figure out the scope. Which systems were compromised? Which accounts were affected? How much was taken? What’s the attack vector? This is where your audit trails earn their keep.

Communication: Tell your users what happened. Quickly and honestly. The exchanges that survive security incidents are transparent about them. The ones that try to cover things up or go silent for days get destroyed by the rumor mill. Issue a public statement within hours, not days. Be specific about what you know and honest about what you don’t know yet.

Recovery: Fix the vulnerability, restore services, and make affected users whole if possible. Then publish a post-mortem. The crypto community respects exchanges that handle incidents professionally and transparently.

Improvement: Every incident is a learning opportunity. Update your security architecture based on what you learned. Run tabletop exercises simulating similar attacks. Make sure the same vector can’t be exploited again.

Run Tabletop Exercises Quarterly

Gather your team. Present a scenario: “It’s 3 AM on Saturday. Your monitoring system alerts that 500 BTC have been transferred from the hot wallet to an unknown address in the last 15 minutes. What do you do?” Walk through the response step by step. Find the gaps in your plan before a real attacker does.
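An added detection routine for the tabletop scenario above (example code, not Codono's monitoring): it parses constructed withdrawal log lines, applies a rolling 15-minute outflow rule and a single-large-external-transfer rule, and calls a pause hook on the first hit. The log format, the 100 BTC and 50 BTC limits and the internal wallet names are assumptions.

```python
import re
from collections import deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)
# Assumed per-asset limits: rolling 15-minute hot-wallet outflow, and the largest
# single external transfer expected without the two-person rule being involved.
OUTFLOW_LIMIT = {"BTC": 100.0}
SINGLE_TX_LIMIT = {"BTC": 50.0}
EXCHANGE_WALLETS = {"warm_main", "cold_vault_1"}  # constructed internal destinations

LINE = re.compile(r"^(\S+) WITHDRAW wallet=(\w+) asset=(\w+) amount=([\d.]+) to=(\S+)$")


def parse_line(line):
    m = LINE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ"),
            "wallet": m.group(2), "asset": m.group(3),
            "amount": float(m.group(4)), "to": m.group(5)}


class WithdrawalMonitor:
    """Runs hot-wallet withdrawal events through two rules and pauses withdrawals on
    the first hit; pause_fn is the hook that flips the platform's kill switch."""

    def __init__(self, pause_fn):
        self.recent = deque()
        self.alerts = []
        self.paused = False
        self.pause_fn = pause_fn

    def ingest(self, line):
        ev = parse_line(line)
        if ev is None or ev["wallet"] != "hot" or ev["asset"] not in OUTFLOW_LIMIT:
            return []
        self.recent.append(ev)
        while self.recent and ev["ts"] - self.recent[0]["ts"] > WINDOW:
            self.recent.popleft()
        total = sum(e["amount"] for e in self.recent if e["asset"] == ev["asset"])
        reasons = []
        if total > OUTFLOW_LIMIT[ev["asset"]]:
            reasons.append("15m outflow %.1f %s exceeds %.1f" % (total, ev["asset"], OUTFLOW_LIMIT[ev["asset"]]))
        if ev["amount"] > SINGLE_TX_LIMIT[ev["asset"]] and ev["to"] not in EXCHANGE_WALLETS:
            reasons.append("single transfer %.1f %s to external %s" % (ev["amount"], ev["asset"], ev["to"]))
        if reasons:
            self.alerts.append({"ts": ev["ts"].isoformat(), "reasons": reasons})
            if not self.paused:
                self.paused = True
                self.pause_fn()  # containment first; humans investigate afterwards
        return reasons


# Constructed log lines mirroring the tabletop scenario (500 BTC in 15 minutes).
SAMPLE_LOG = """\
2025-03-01T03:00:05Z WITHDRAW wallet=hot asset=BTC amount=30.0 to=cust_addr_a
2025-03-01T03:04:10Z WITHDRAW wallet=hot asset=BTC amount=40.0 to=cust_addr_b
2025-03-01T03:06:00Z WITHDRAW wallet=warm asset=BTC amount=200.0 to=hot_main
2025-03-01T03:09:30Z WITHDRAW wallet=hot asset=BTC amount=120.0 to=unknown_addr_9
2025-03-01T03:12:00Z WITHDRAW wallet=hot asset=BTC amount=310.0 to=unknown_addr_9
"""


def run_sample():
    calls = []
    mon = WithdrawalMonitor(lambda: calls.append("PAUSE_WITHDRAWALS"))
    for line in SAMPLE_LOG.splitlines():
        mon.ingest(line)
    return mon, calls
```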

Security Audit Checklist for Exchange Operators

Before you launch — and quarterly after that — work through this checklist. It’s not exhaustive, but it covers the fundamentals that we see exchanges miss most often:

Wallet Security

  • Cold storage holds 95%+ of all customer funds
  • Multi-sig is enabled on all wallets (minimum 2-of-3)
  • Key generation happens on air-gapped devices
  • Backup keys exist and are stored in geographically separate secure locations
  • Sweeping runs on automated schedules with balance thresholds
  • Hot wallet balances are monitored with real-time alerts

Access Controls

  • Role-based permissions are enforced for all admin accounts
  • Two-person rule is active for all sensitive operations
  • All admin accounts require hardware 2FA (not SMS)
  • Admin sessions expire after 15 minutes of inactivity
  • Departing employee access is revoked within one hour of termination
  • Quarterly access reviews confirm all permissions are still appropriate

API Security

  • HMAC signature authentication on all authenticated endpoints
  • Rate limiting on all endpoints with stricter limits on sensitive ones
  • IP whitelisting available (and encouraged) for API keys
  • API keys with withdrawal permissions require additional verification
  • All API traffic uses TLS 1.2 or higher
  • Request timestamp validation prevents replay attacks

Infrastructure

  • DDoS protection through a reputable provider (Cloudflare, Akamai, AWS Shield)
  • Trading engine is isolated from public-facing web servers
  • Database encryption at rest and in transit
  • Regular automated backups with tested restoration procedures
  • Server access via SSH keys only (no password auth)
  • All dependencies are monitored for known vulnerabilities

Monitoring and Response

  • Real-time alerting for unusual withdrawal patterns
  • Login anomaly detection (new device, new location, impossible travel)
  • Immutable audit logs shipped to external storage
  • Incident response plan documented and tested quarterly
  • On-call rotation with the authority to pause withdrawals immediately
  • Communication templates ready for security incidents

Compliance

  • KYC/AML verification for all users above threshold
  • Transaction monitoring for suspicious patterns
  • Sanctions screening against current OFAC and EU lists
  • Regular compliance training for all staff
  • Regulatory reporting procedures documented

How Codono Handles Security

We’ve been building crypto exchange software since 2018, and security has been at the core of the architecture from the beginning — not bolted on as an afterthought.

The Codono platform implements everything discussed in this article out of the box. The wallet system supports full cold/hot/warm wallet architecture with automated sweeping, configurable balance thresholds, and multi-sig support. The admin panel enforces role-based access control with the two-person rule for sensitive operations and comprehensive audit logging.

KYC/AML is built in with native support for providers like Sumsub, including real-time identity verification, transaction monitoring, and sanctions screening. The admin dashboard gives your security team visibility into everything happening on your exchange — API usage patterns, login anomalies, withdrawal trends, and system health metrics.

But I want to be honest about something: no software is a substitute for good security practices. Codono gives you the tools. You still need to use them correctly. You still need to implement proper key management. You still need to train your team. You still need to get a third-party security audit. You still need an incident response plan.

The exchanges that get hacked in 2025 won’t be the ones running bad software (though some will). They’ll be the ones running good software with bad operational security. The tool is only as good as the hands holding it.

The Security Mindset

If there’s one thing I’d want you to take away from this, it’s that security isn’t a feature you implement and check off a list. It’s an ongoing discipline. The threat landscape evolves. Attackers get more sophisticated. New vulnerabilities emerge. The exchange that was secure last month might not be secure this month if nobody’s paying attention.

Build security into every decision. Every new feature gets a security review. Every new employee gets security training. Every quarter brings a security audit. Every incident generates a post-mortem and improvements.

The exchanges that thrive long-term are the ones where security is baked into the culture, not just the technology stack. It’s the exchanges where the junior developer feels empowered to flag a potential vulnerability, where the CEO participates in tabletop exercises, and where “we’ll fix that security thing later” is never an acceptable answer.

The cost of doing security right is measured in thousands of dollars and hours of planning. The cost of getting it wrong is measured in millions of dollars, criminal liability, and the end of your business. The math isn’t complicated.

Do the boring stuff. Do it consistently. And sleep a little better at night knowing that when — not if — someone comes for your exchange, you’ve done everything reasonable to stop them.
