How OKX secures client assets with advanced wallet security systems

An overview of how OKX cold and hot wallets operate for maximum security

Bitcoin recently hit a $1 trillion market capitalization and is naturally attracting new waves of retail investors. While the crypto space provides an unprecedented opportunity to benefit from decentralized finance, the security of crypto assets remains a critical topic, especially as new entrants are often unfamiliar with the dynamics of wallets and private keys.

To offer a seamless and secure trading experience for all users, OKX prioritizes security in the design of its cold and hot wallets. In this article, we go over some of those mechanisms and provide an overview of how OKX’s cold and hot wallets operate to secure client assets.

OKX cold wallet system

A typical cold wallet is a physical hardware device that enables offline storage of cryptocurrencies. While USB drives are the most common choices, they can be compromised by viruses and attacked when connected to a network.

Even when a cold wallet is entirely isolated from a network, it still relies on personnel and human interaction, presenting a single point of failure. 

To circumvent the aforementioned issues, OKX uses a sophisticated cold wallet design. The private keys of the OKX cold wallet are stored in offline computers that have no interaction with the internet or removable drives. In addition, the paper versions of private keys are backed up by different authorized personnel located in geographically separate zones. 

95% of funds on OKX are stored in the cold wallet, which operates as follows.

OKX cold wallet private key generation and backup

The OKX cold wallet can generate up to 10,000 private keys and corresponding addresses (for multiple cryptocurrencies) stored in offline computers. The OKX cold wallet private keys are encrypted with Advanced Encryption Standard, or AES — a type of algorithm that is commonly used by various government agencies and leading financial institutions.

The AES private keys are then encrypted with two master passwords. These master passwords are, in turn, managed by two separated groups of authorized company personnel, one based in Beijing and the other on the West Coast of the United States.

Additionally, the OKX cold wallet’s encrypted private key is stored in two secure bank vaults, one in China and the other on the East Coast of the United States. Each bank vault is only accessible by one authorized representative.

Finally, to mitigate the risk of losing access to private keys, the two AES master password holders and the two bank vault key holders do not travel together.

Fund deposits in the cold wallet

To receive deposits from the OKX hot wallet, the QR code of the relevant cold wallet address is scanned by another computer. Each cold wallet address can be used only once, and after the fund transfer is complete, the key and its corresponding address are no longer valid for deposits.

For security reasons, each wallet address has a maximum balance of 1,000 BTC.

Fund withdrawals from the cold wallet 

To withdraw funds from OKX’s cold wallet, the key holder of the bank vault retrieves the number of unused encrypted private keys. The QR codes of these unused keys are then scanned with an offline computer. 

An AES master password holder then decrypts the private keys, which are then scanned and imported to another offline computer. These keys are used to sign off transactions on an offline computer and these transactions are then synchronized and broadcasted to the blockchain network.

OKX hot wallet system

In contrast to a cold wallet, a typical hot wallet is connected to a network for faster transactions. However, OKX’s hot wallet leverages big data and adopts multiple technical solutions, ranging from online and semi-online risk management systems to semi-offline multi-signature services.

To enhance the security of funds stored in OKX’s hot wallet, multiple authorization mechanisms are in place for both deposits and withdrawals. 

Only 5% of funds on OKX are stored in the hot wallet. Below is an overview of OKX’s hot wallet system. 

OKX hot wallet private key generation and backup

Each OKX hot wallet has three randomly generated master private keys that are encrypted through an algorithm. The ciphertext of the private keys is stored on a semi-offline signature device and held by three different private key holders.

To activate the master private key, at least two of the three private key holders are required to authorize the activation of the semi-offline signature device in a highly secure environment. Moreover, the private keys are stored in the RAM module of the security device and thus cannot be compromised even if the security device is stolen.

Finally, each master private key for the OKX hot wallet has a backup private key in place, and these three backup keys are stored in bank vaults in the U.S., Japan and Singapore.

The conditions for the activation of backup keys are as follows:

1. A backup key will be activated in 48 hours if the private key holder is found dead or affected by amnesia.
2. If any of the private key holders are compromised, withdrawals are paused and a backup key is activated in 48 hours. Following this, a new private key holder is also appointed as a replacement to ensure the continued safety of funds.
3. If any of the private key holders cannot perform their duties temporarily, a backup key is activated in 30 days.

Fund deposits in the hot wallet

OKX’s hot wallet tracks all transactions on the blockchain using OKX’s internal blockchain gateway service. Any transaction involving OKX wallet addresses are recorded in a database and passed onto OKX’s online risk management system for further security checks, including:

• Whether the funds are sourced from a blacklisted address
• Whether the OKX’s wallet address is able to receive cryptocurrencies
• Whether the block height of the transaction matches with new blocks on the chain
• Whether the amount of deposit satisfies all risk management rules

If the online risk management system detects any anomalies in the transaction, OKX’s internal treasury service conducts a further audit, and the deposit will be delayed. If the transaction passes the security checks, the funds are credited to the corresponding user’s receiving address.

Fund withdrawals from the hot wallet

When users initiate a currency withdrawal request, the online risk management system first scans for any anomalies pertaining to the user’s sending address, such as withdrawal frequency, profits and account behavior.

When the withdrawal request passes this security check, it is sent to OKX’s vault system to automatically create an unsigned transaction. OKX’s in-house network communication protocol then sends the unsigned transaction to the semi-offline signature service. 

Since the relevant private keys are stored offline with the semi-offline signature service, they cannot be compromised via online attacks. The semi-offline signature service signs the withdrawal transaction when it passes the security checks and OKX’s network communication protocol then broadcasts the signed transaction to the blockchain network.

Follow OKX

Twitter: https://twitter.com/OKX
Facebook: https://www.facebook.com/okexofficial/
LinkedIn: https://www.linkedin.com/company/okex/
Telegram: https://t.me/OKXOfficial_English
Reddit: https://www.reddit.com/r/OKX/
Instagram: https://www.instagram.com/okex_exchange