Crypto Exchange Launch Checklist: 47 Things Before You Go Live
Why You Need a Checklist (Not Just a Plan)
I’ve watched exchange founders spend months on business plans — beautiful documents with market projections, competitor analyses, five-year financial models — and then completely forget to set up withdrawal address whitelisting before going live. A plan tells you where you’re going. A checklist makes sure you don’t leave the house without your keys.
This checklist comes from helping hundreds of exchanges launch on Codono’s exchange platform. Every item on here exists because someone, somewhere, skipped it and paid for it. Some of these lessons were cheap. Others were very, very expensive.
I’ve organized everything into five categories: Legal and Compliance, Technical Infrastructure, Security, Trading and Operations, and Marketing and Growth. Within each category, items are marked as Must-Have (don’t launch without it), Should-Have (get it done within the first month), or Nice-to-Have (important but won’t kill you if it waits).
Print this out. Tape it to your wall. Check things off as you go. Seriously.
Part 1: Legal and Compliance
This is the part everyone wants to skip. Nobody started an exchange because they were passionate about regulatory frameworks. But the exchanges that get shut down almost always get shut down for compliance failures, not technical ones. Do this first.
1. Form your legal entity — Must-Have
You need a registered company in the jurisdiction where you plan to operate. This isn’t optional and it’s not something you can backdate later. The entity type matters: most exchange operators set up a limited liability company or equivalent. Talk to a lawyer in your target jurisdiction about the best structure. Get this done in week one.
2. Obtain the appropriate license or registration — Must-Have
The specific requirement varies wildly by jurisdiction. It might be a Money Services Business registration in the US or Canada, a Virtual Asset Service Provider license in the EU under MiCA, or a simpler registration in places like Seychelles or the Marshall Islands. Whatever it is, start the process immediately because it almost always takes longer than you expect. Even “fast” jurisdictions typically take 4-8 weeks.
3. Hire a crypto-specialized legal counsel — Must-Have
Not just any lawyer. Not your cousin who does real estate closings. You need someone who specifically handles crypto regulatory work in your target market. They’ll review everything from your terms of service to your token listing process. Budget $2,000-$5,000 per month for a retainer. It sounds expensive until you compare it to the cost of a regulatory enforcement action.
4. Draft your Terms of Service — Must-Have
Your ToS is a legal contract between you and every user on your platform. It needs to cover trading risks, liability limitations, dispute resolution, account termination conditions, and about forty other things. Your legal counsel should draft or at least review this. Do not copy another exchange’s ToS — they’re written for their jurisdiction and their specific business structure, not yours.
5. Draft your Privacy Policy — Must-Have
If you serve EU users, this means GDPR compliance. If you serve California users, CCPA. Most exchanges serve users globally, which means you need a comprehensive privacy policy that covers data collection, storage, processing, sharing with third parties (like your KYC provider), and user rights regarding their data. Again, lawyer territory.
6. Create your AML/CFT Policy — Must-Have
Every jurisdiction requires an Anti-Money Laundering and Counter-Financing of Terrorism policy. This document describes how you identify and verify users, monitor transactions for suspicious activity, report suspicious transactions to authorities, and maintain records. Regulators will ask for this document. Have it ready before you launch, not after someone asks.
7. Secure a banking partner — Must-Have
This is consistently one of the hardest parts of launching an exchange. Banks are skittish about crypto businesses. You’ll probably get rejected by several before finding one that works. Start this process early — ideally three months before your target launch date. Consider Electronic Money Institutions as alternatives to traditional banks, especially in Europe.
8. Set up SAR/STR reporting procedures — Should-Have
You need a clear internal process for filing Suspicious Activity Reports (or Suspicious Transaction Reports, depending on your jurisdiction). Who reviews flagged transactions? What thresholds trigger review? How quickly do you file? Who’s your designated compliance officer? Document all of this.
9. Establish a record retention policy — Should-Have
Most regulations require you to keep KYC documents and transaction records for five to seven years after a customer relationship ends. Set up your systems to handle this from day one. Retrofitting data retention into a live platform is painful.
10. Register for tax reporting obligations — Should-Have
Depending on your jurisdiction, you may need to report user transactions to tax authorities. The US has specific requirements around 1099 forms for crypto. The EU is rolling out DAC8. Understand your obligations before they become urgent.
Part 2: Technical Infrastructure
Your exchange infrastructure needs to handle real money and real trading volume without breaking. “It works on my laptop” is not an acceptable standard here. People will be trusting you with their funds.
11. Set up production servers with redundancy — Must-Have
At minimum, you need primary and failover servers in a reputable data center or cloud provider (AWS, Google Cloud, Hetzner, or OVH are popular choices). Never run a production exchange on a single server. When — not if — that server has issues, your entire exchange goes dark and your users panic.
12. Configure SSL/TLS certificates — Must-Have
Every connection to your exchange must be encrypted. This means SSL certificates on your web domains, your API endpoints, your WebSocket connections, your admin panels — everything. Use a certificate from a trusted authority and set up auto-renewal so you don’t have an embarrassing expiration incident.
13. Set up cold storage wallets — Must-Have
At least 90-95% of user funds should be in cold storage — wallets that are not connected to the internet. This is non-negotiable. Use hardware wallets or air-gapped computers for cold storage. Implement multi-signature requirements so no single person can move cold storage funds. This is the single most important thing you can do to prevent catastrophic theft.
14. Configure hot wallets with spending limits — Must-Have
Your hot wallets handle day-to-day withdrawals. They should hold only enough crypto to cover a normal day’s worth of withdrawal requests, typically 3-5% of total user deposits. Set hard spending limits that trigger alerts when exceeded. Automate the replenishment request from cold storage, but require manual approval before any funds actually move.
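Here is one way to express that hot wallet policy in code. This is an added example, not Codono's implementation: the class names, the 4% target and the daily limit are assumptions, and only the 3-5% band comes from the item above.

```python
from dataclasses import dataclass, field
from decimal import Decimal
from typing import List, Optional

# Assumed policy values: the 3-5% band is the checklist's figure, the 4%
# target and all names below are hypothetical.
HOT_FLOOR = Decimal("0.03")
HOT_CEILING = Decimal("0.05")
HOT_TARGET = Decimal("0.04")


@dataclass
class RefillRequest:
    """A proposed cold-to-hot transfer; it never executes on its own."""
    amount: Decimal
    approved_by: Optional[str] = None

    @property
    def executable(self) -> bool:
        return self.approved_by is not None


@dataclass
class HotWalletPolicy:
    daily_limit: Decimal                       # hard cap on daily outflow
    spent_today: Decimal = Decimal("0")
    alerts: List[str] = field(default_factory=list)

    def authorize_withdrawal(self, amount: Decimal) -> bool:
        """Refuse and alert when a payout would break the daily hard limit."""
        if amount <= 0:
            raise ValueError("amount must be positive")
        if self.spent_today + amount > self.daily_limit:
            left = self.daily_limit - self.spent_today
            self.alerts.append(f"hard limit hit: {amount} asked, {left} left")
            return False
        self.spent_today += amount
        return True

    def rebalance(self, hot: Decimal, total_deposits: Decimal):
        """Return ("sweep_to_cold", amount), a RefillRequest, or None."""
        if total_deposits <= 0:
            raise ValueError("total_deposits must be positive")
        share = hot / total_deposits
        target = total_deposits * HOT_TARGET
        if share > HOT_CEILING:
            self.alerts.append(f"hot share {share:.2%} above ceiling")
            return ("sweep_to_cold", hot - target)
        if share < HOT_FLOOR:
            self.alerts.append(f"hot share {share:.2%} below floor")
            # Proposed only: a named human must approve before funds move.
            return RefillRequest(amount=target - hot)
        return None
```

Amounts are `Decimal` on purpose: balances and limits should never pass through binary floating point.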
15. Implement automated backup systems — Must-Have
Database backups every hour, minimum. Full system snapshots daily. Store backups in a geographically separate location from your primary servers. Test your restore process regularly — a backup you’ve never tested is not a backup, it’s a hope.
16. Set up monitoring and alerting — Must-Have
You need real-time monitoring on server health, application errors, database performance, wallet balances, and abnormal trading patterns. Set up alerts that actually reach someone who can act on them — PagerDuty, Opsgenie, or even a dedicated Telegram group for critical alerts. If your matching engine goes down at 3 AM, you need to know about it at 3:01 AM.
17. Perform load testing — Must-Have
Before launch, simulate realistic trading loads — and then 10x those loads. How does your matching engine perform with 1,000 concurrent users? 10,000? What happens when 500 people try to withdraw at the same time? Find the breaking points before your users find them for you.
18. Set up a CDN and edge caching — Should-Have
A Content Delivery Network (Cloudflare is the default choice for most exchanges) reduces page load times for global users and provides a layer of DDoS protection as a bonus. Your trading interface needs to feel instant. A user in Singapore shouldn’t wait two seconds for your order book to load because your servers are in Frankfurt.
19. Configure a staging environment — Should-Have
Never test changes on your live production exchange. Set up an identical staging environment where you can deploy updates, test new features, and break things safely. Every code change goes through staging first.
20. Set up log aggregation and analysis — Should-Have
Centralize your logs (ELK stack, Grafana Loki, or a managed service). When something goes wrong — and something will go wrong — you need to be able to trace exactly what happened, when it happened, and why. Scattered logs across multiple servers are nearly useless during an incident.
Part 3: Security
Security for a crypto exchange isn’t a feature. It’s the foundation everything else sits on. A single breach can destroy your exchange overnight — not just financially, but reputationally. Users will forgive slow customer support. They will never forgive losing their funds.
21. Commission a third-party penetration test — Must-Have
Hire a reputable security firm to actively try to break into your exchange before you launch. Not after. Before. They’ll test your web application, your APIs, your infrastructure, and your wallet systems. Budget $5,000-$25,000 depending on scope. Fix every critical and high-severity finding before going live. Your security architecture is only as strong as its weakest point.
22. Enforce two-factor authentication — Must-Have
2FA should be mandatory for all withdrawals and strongly encouraged (or required) for login. Support TOTP apps like Google Authenticator at minimum. Hardware keys via WebAuthn/FIDO2 are even better. And make 2FA absolutely mandatory for all admin and staff accounts — no exceptions, no “I’ll set it up later.”
23. Implement rate limiting on all APIs — Must-Have
Without rate limiting, an attacker can hammer your login endpoint with brute force attempts, scrape your entire order book thousands of times per second, or flood your withdrawal system with requests. Set sensible rate limits on every public and private API endpoint. This also protects you from misbehaving trading bots eating your server resources.
24. Deploy DDoS protection — Must-Have
A Distributed Denial of Service attack can take your exchange offline for hours or days. Cloudflare, AWS Shield, or Akamai provide DDoS mitigation at the network edge. This isn’t optional for a financial platform. Some exchanges have been taken offline during critical market moments by competitors or extortionists using DDoS attacks. Don’t be an easy target.
25. Create an incident response plan — Must-Have
Write down exactly what happens when you detect a security breach. Who gets notified first? How do you pause withdrawals? How do you communicate with affected users? Who contacts law enforcement? What’s your public communication strategy? Practice this plan with a tabletop exercise before launch. The worst time to figure out your incident response process is during an actual incident.
26. Implement withdrawal address whitelisting — Should-Have
Allow users to whitelist specific withdrawal addresses and enforce a 24-48 hour delay when adding new addresses. This simple feature has prevented countless account takeovers from resulting in stolen funds. Even if an attacker gets into a user’s account, they can’t withdraw to their own wallet immediately.
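The whitelist-plus-delay rule is easy to get subtly wrong, so here is a minimal version of the check as an added example (not code from any exchange platform). The class and field names are hypothetical, the 24-hour value is the low end of the range above, and addresses are compared as exact strings.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

COOLING_OFF = timedelta(hours=24)   # the checklist suggests 24-48 hours

Key = Tuple[str, str, str]          # (user_id, asset, address)


@dataclass
class Decision:
    allowed: bool
    reason: str
    usable_from: Optional[datetime] = None


@dataclass
class WithdrawalWhitelist:
    added_at: Dict[Key, datetime] = field(default_factory=dict)
    audit_log: List[tuple] = field(default_factory=list)

    @staticmethod
    def _key(user: str, asset: str, address: str) -> Key:
        # Entries are per asset: a whitelisted BTC address says nothing
        # about the same string used for another asset.
        return (user, asset, address.strip())

    def add_address(self, user, asset, address, now: datetime) -> datetime:
        """Register an address and return the time it becomes usable."""
        key = self._key(user, asset, address)
        # Re-submitting a known address keeps its original timestamp.
        first_seen = self.added_at.setdefault(key, now)
        # Every change is logged so the user can be notified out of band.
        self.audit_log.append(("address_added", key, now))
        return first_seen + COOLING_OFF

    def remove_address(self, user, asset, address, now: datetime) -> None:
        key = self._key(user, asset, address)
        if self.added_at.pop(key, None) is not None:
            self.audit_log.append(("address_removed", key, now))

    def check_withdrawal(self, user, asset, address, now: datetime) -> Decision:
        """Allow only whitelisted addresses whose delay has fully elapsed."""
        first_seen = self.added_at.get(self._key(user, asset, address))
        if first_seen is None:
            return Decision(False, "address not whitelisted")
        usable_from = first_seen + COOLING_OFF
        if now < usable_from:
            return Decision(False, "cooling-off period active", usable_from)
        return Decision(True, "ok", usable_from)
```

Removing and re-adding an address restarts the delay, so an attacker inside the account cannot shortcut it by editing the list.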
27. Set up a Web Application Firewall — Should-Have
A WAF filters malicious traffic before it reaches your application. It protects against SQL injection, cross-site scripting, and other common web attacks. Most CDN providers include WAF functionality, so if you’re already using Cloudflare, you’re halfway there.
28. Establish a bug bounty program — Nice-to-Have
Invite security researchers to find vulnerabilities in exchange for rewards. You can start small — $100-$1,000 per valid finding — or use platforms like HackerOne or Immunefi. This gives you an army of external testers working for you continuously. Not critical for launch day, but set it up within your first few months.
Part 4: Trading and Operations
This is where your exchange becomes an actual exchange, not just a nice-looking website. Getting the operational details right is what separates exchanges that grow from exchanges that hemorrhage users after their first week.
29. Define your initial trading pairs — Must-Have
Don’t launch with 200 pairs. Start with 15-25 high-quality pairs that have real market demand. Always include the majors: BTC/USDT, ETH/USDT, BTC/USDC, ETH/BTC. Then add 10-15 popular altcoins based on your target market. You can always add more pairs later based on user demand. Every pair you list needs liquidity behind it — an empty order book does more harm than not listing the pair at all.
30. Set your fee structure — Must-Have
Research what your competitors charge and price accordingly. The standard maker/taker model with volume-based tiers is what most users expect. Starting at 0.1-0.2% for makers and 0.1-0.2% for takers is typical. Consider launching with reduced or zero fees to attract early users. Whatever you choose, make it transparent — publish your fee schedule publicly and make sure there are no hidden charges.
31. Implement your liquidity strategy — Must-Have
Empty order books will kill your exchange faster than anything else. Connect to a liquidity aggregation engine that mirrors order books from major exchanges. This gives your users tight spreads and sufficient depth from day one while you build organic volume. Supplement with a market maker on your highest-volume pairs.
32. Set up and test your KYC flow — Must-Have
Your Know Your Customer verification process needs to be fast, reliable, and compliant with your jurisdiction’s requirements. Integrate with a proven provider like Sumsub that can handle identity verification across multiple countries. Test the entire flow yourself — upload documents, wait for verification, see what happens when verification fails. A broken KYC flow means users can’t deposit and trade, which means you have no business.
33. Test every deposit and withdrawal path — Must-Have
Before launch, manually test deposits and withdrawals for every single cryptocurrency and fiat currency you support. Send real transactions (small amounts). Verify that balances update correctly, that confirmation thresholds work properly, that withdrawal processing completes without errors. Then test edge cases: what happens with a zero-confirmation transaction? What about a deposit below your minimum amount? What about a withdrawal that exceeds the hot wallet balance?
34. Set up a customer support system — Must-Have
You need a ticketing system (Zendesk, Freshdesk, or even a well-organized shared inbox to start), a live chat widget on your site, and at least one person dedicated to answering support tickets within a few hours. Prepare template responses for common questions: How long do deposits take? Why is my withdrawal pending? How do I complete KYC? Your support quality in the first few weeks will determine whether early users stick around or leave.
35. Configure your KYC/AML compliance system thresholds — Must-Have
Set appropriate thresholds for different verification levels. A common approach: allow basic trading with just email verification, require ID verification for withdrawals above a certain amount, and require enhanced due diligence for high-volume users. Your compliance counsel should help you set these thresholds based on your jurisdiction’s requirements.
36. Build your mobile trading app — Should-Have
More than 60% of crypto trading happens on mobile devices. If you don’t have a mobile app at launch, you’re leaving the majority of potential users without their preferred trading experience. At minimum, ensure your web platform is fully responsive on mobile browsers. A native app should follow as soon as possible.
37. Create an API documentation portal — Should-Have
Serious traders and market makers interact with exchanges through APIs, not through the web interface. Publish clear, complete API documentation with examples for REST and WebSocket endpoints. Include authentication guides, rate limit specifications, and error code references. Poor API documentation drives away the market makers you desperately need.
38. Set up an internal operations dashboard — Should-Have
Your admin team needs visibility into real-time metrics: active users, pending deposits/withdrawals, KYC queue length, support ticket volume, wallet balances, trading volume, and error rates. Build or configure this before launch so you’re not flying blind on day one.
Part 5: Marketing and Growth
You can build the best exchange in the world, but if nobody knows it exists, you have an expensive hobby, not a business. Marketing for a crypto exchange requires a different playbook than most tech products.
39. Launch your website and landing pages — Must-Have
Your exchange’s public website needs to clearly communicate what makes you different, who you’re for, and why someone should trust you with their money. Include your fee schedule, supported assets, security practices, and team information. This isn’t your trading platform — it’s your storefront. Make it professional and make it fast.
40. Establish social media presence — Must-Have
At minimum: Twitter/X (crypto’s town square), Telegram (your community hub), and Discord (your power user community). Create these accounts and start posting valuable content weeks before launch. Share market insights, development updates, and engage genuinely with the crypto community. A brand-new social media account with zero followers on launch day tells users you’re not serious.
41. Plan your initial user acquisition campaign — Must-Have
How are you getting your first 1,000 users? Have a specific, budgeted plan. Community contests, trading competitions, early adopter benefits, influencer partnerships in your target region — whatever it is, plan it in detail before launch. “We’ll figure out marketing later” is a death sentence for new exchanges.
42. Set up a referral and affiliate program — Should-Have
Word-of-mouth is the most cost-effective growth channel for exchanges. Offer generous referral commissions — 20-40% of trading fees from referred users is standard for competitive programs. Make sharing easy with personal referral links and real-time tracking. The exchanges that grow fastest almost always have strong referral programs driving that growth.
43. Develop a content strategy — Should-Have
Plan a publishing calendar for blog posts, market analysis, educational content, and exchange updates. Consistency matters more than volume — two quality posts per week beats daily filler content. Focus on topics your target audience actually searches for: how-to guides, market analysis, exchange comparison content. This drives organic search traffic that compounds over time.
44. Set up email marketing — Should-Have
Collect email addresses from sign-ups and build automated email sequences: welcome emails, KYC completion reminders, first deposit nudges, weekly market summaries, and new feature announcements. Email remains one of the highest-converting marketing channels, and it’s one you own — unlike social media platforms that can change their algorithms or ban crypto content overnight.
45. Prepare a press kit and PR strategy — Nice-to-Have
Create a press kit with your exchange’s story, team bios, brand assets, and key differentiators. Identify crypto media outlets and journalists in your target markets. A well-placed article in a regional crypto publication can drive significant awareness. Not essential for day one, but valuable within your first quarter.
Part 6: Day-One Priorities vs. What Can Wait
Not everything on this list needs to be perfect on launch day. Trying to nail all 47 items before opening your doors is a recipe for never launching at all. Here’s how to think about timing.
Launch day non-negotiables (items 1-7, 11-17, 21-25, 29-35, 39-41):
These 30 items are the foundation. Legal compliance, core infrastructure, essential security, working trading operations, and basic marketing presence. If any of these are missing or broken, delay your launch. No exceptions. An exchange that launches without proper cold storage or a working KYC flow isn’t brave — it’s reckless.
First 30 days (items 8-10, 18-20, 26-27, 36-38, 42-44):
These 12 items make your exchange competitive rather than just functional. Your staging environment, mobile app, referral program, WAF, content strategy — all important, but the exchange can operate safely without them for a few weeks while you prioritize based on user feedback and actual operational data.
First 90 days (items 28, 45):
Bug bounty programs and PR strategies are valuable but they build on a foundation that needs to exist first. Get the exchange running, get users trading, and then invest in these growth multipliers.
The honest truth: most exchanges launch with about 70-80% of this list completed and scramble to finish the rest in the first few months. That’s fine, as long as the 70-80% you launch with covers all the Must-Have items. Cutting corners on “Should-Have” items is manageable. Cutting corners on “Must-Have” items is how exchanges end up in the news for the wrong reasons.
One Last Thing
A checklist gives you structure, but it doesn’t give you judgment. Every exchange is different. Your target market, your regulatory environment, your budget, your team’s strengths — all of these should influence how you prioritize and execute.
If you’re building on Codono’s exchange platform, a significant chunk of the technical and security checklist items are handled out of the box — the matching engine, wallet infrastructure, trading interface, admin panel, and built-in compliance tools. That lets you focus your energy on the things the software can’t do for you: legal setup, liquidity strategy, community building, and customer support.
Take a look at the pricing options if you’re evaluating your technology stack, and reach out if you want to walk through this checklist with someone who’s seen it done hundreds of times. We’re not going to sell you anything you don’t need — we’d rather help you launch successfully than oversell you on features you won’t use in year one.
Now stop reading and start checking things off.