A cold wallet for a crypto exchange isn't paranoia — it's a basic safeguard that most operators delay until something goes wrong. Most small services keep nearly all their reserves in hot wallets: funds need to be on hand while a client waits for a payout. But if the server is compromised, everything goes. Here's how to split funds intelligently between hot and cold storage without sacrificing transaction speed.
Why a Hot Wallet Is a Constant Risk
A hot wallet is connected to the internet around the clock. The script sends payouts automatically without your involvement — convenient, sure. But there's a trade-off: private keys live on the server. Anyone who gains access to it — through a software vulnerability, a leaked password, or a compromised hosting provider — walks away with the keys and all the funds.
This isn't a theoretical scenario. Most hacks of crypto exchanges and exchangers come down to exactly this: hot storage was reached. A cold wallet — physically isolated from the network — makes that attack pointless. There's simply no key within reach.
How Much to Keep Hot, How Much Cold
There's no universal percentage — it depends on your average payout volume over 6–12 hours, plus a reasonable buffer. The logic is simple: the hot wallet should cover peak load without manual intervention, but not a coin more.
A solid starting point for a small exchanger: 10–15% of reserves in hot storage, the rest cold. If your service pays out at most 2 BTC per day, keeping 20 BTC in the hot wallet is unnecessary risk with zero upside. As volume grows, set up a threshold alert and top up the hot wallet manually from cold storage in small tranches — it takes 5–10 minutes and happens once a day or less.
Which Cold Wallet to Choose for Your Exchange Business
Three approaches that work — each with its own trade-offs.
- Hardware wallet (Ledger, Trezor). Reliable and straightforward, with open-source firmware. The downside: cumbersome when handling many coin types, since every top-up requires a manual operation with the device.
- Air-gapped computer. A laptop fully disconnected from the network with a wallet installed. Cheaper than hardware, more flexible across supported networks. Requires strict discipline: no unverified USB drives, no Wi-Fi — ever, under any circumstances.
- Multisig. A transaction requires sign-off from multiple keys stored in different locations. Ideal for a team where no single person should have unilateral control over reserves.
For a small solo exchange, a hardware wallet or air-gapped machine provides sufficient protection. Multisig makes sense when there are multiple co-owners or when daily volume runs into six figures.
How Hot Wallet Top-Ups Work in Practice
The process looks like this: the hot wallet balance drops to its threshold → the operator gets a notification → manually creates a top-up transaction → signs it on the isolated device → broadcasts it to the network. The whole thing takes 5–10 minutes.
Automating the signing itself is a bad idea. The moment a private key becomes accessible to a program, it effectively becomes a hot key — with all the risk that implies. Manual signing isn't old-fashioned; it's your last line of defence.
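A sketch of the sizing rule and threshold alert described above, added here as an example and not code from the article's author or any wallet product. The 12-hour window, 25% buffer, alert at half the target, 1 BTC tranche cap and the sample payouts are assumptions constructed for illustration. The code only tells the operator when to top up and by how much; it never touches a key, and signing stays manual on the isolated device.

```python
from datetime import datetime, timedelta
from decimal import Decimal

# Tuning values are assumptions for illustration, except HOT_CAP, which is
# the upper end of the article's 10-15% starting point.
WINDOW = timedelta(hours=12)      # upper end of the 6-12 hour range
BUFFER = Decimal("0.25")          # headroom on top of the peak window
ALERT_FRACTION = Decimal("0.5")   # notify when balance falls to half the target
MAX_TRANCHE = Decimal("1.0")      # largest single top-up from cold storage, in BTC
HOT_CAP = Decimal("0.15")         # hot wallet share of total reserves

def peak_window_volume(payouts, window=WINDOW):
    """Largest total paid out inside any sliding window of the given length."""
    payouts = sorted(payouts)
    best = total = Decimal(0)
    start = 0
    for ts, amount in payouts:
        total += amount
        # Drop payouts that are a full window (or more) older than this one.
        while ts - payouts[start][0] >= window:
            total -= payouts[start][1]
            start += 1
        best = max(best, total)
    return best

def hot_wallet_plan(payouts, hot_balance, total_reserves):
    """Return the target balance, alert state and suggested manual top-up."""
    target = peak_window_volume(payouts) * (1 + BUFFER)
    threshold = target * ALERT_FRACTION
    alert = hot_balance <= threshold
    top_up = min(target - hot_balance, MAX_TRANCHE) if alert else Decimal(0)
    return {
        "target": target, "threshold": threshold, "alert": alert,
        "top_up": top_up, "over_cap": target > total_reserves * HOT_CAP,
    }

# Constructed payout history: (timestamp, amount in BTC).
T0 = datetime(2024, 1, 1)
SAMPLE_PAYOUTS = [(T0 + timedelta(hours=h), Decimal(a)) for h, a in
                  [(1, "0.30"), (5, "0.50"), (9, "0.40"), (14, "0.60"), (20, "0.20")]]

if __name__ == "__main__":
    plan = hot_wallet_plan(SAMPLE_PAYOUTS, Decimal("0.80"), Decimal("20"))
    if plan["alert"]:
        print(f"Hot wallet low: prepare a {plan['top_up']} BTC top-up "
              f"and sign it on the isolated device (target {plan['target']} BTC)")
    if plan["over_cap"]:
        print("Target exceeds the hot wallet share of reserves; review the split")
```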
Multisig: When It Helps, When It Just Adds Complexity
Multisig is a setup where a transfer requires agreement from multiple keys — say, 2 out of 3. It sounds like the perfect solution, but there's a catch: if one key is lost without a backup, the funds are frozen permanently. Setting up multisig correctly across multiple coins is harder than it looks.
Multisig is genuinely necessary in two situations: multiple co-owners who each need real authority over funds, or a jurisdiction requiring separate controls under AML/compliance rules. In most other cases, a well-configured air-gapped wallet with solid backups is just as secure and far less complicated.
Three Mistakes That Come Up Most Often
- Seed phrase stored next to the device. If the wallet and the phrase are seized together, all your protection collapses instantly.
- Only one backup copy. Fire, flood, theft — any of these events destroys access to funds permanently. Keep at least two copies in separate physical locations.
- The backup was never tested. Before moving real funds to cold storage, verify that you can restore access from the seed phrase on a clean device. An untested backup is an illusion of security.
Conclusion
Splitting funds between hot and cold storage feels optional — right up until the first incident. The rule is simple: keep in the hot wallet exactly what's needed for smooth operations, and isolate everything else.
If you're building an exchange from scratch or want to reduce dependence on third-party wallets and their fees, take a look at iEXWallet — a dedicated wallet built for exchange businesses, with no middleman fees.



