CEX matching engine + cold/hot wallet internal architecture

Confidence: Likely
Updated: 2026-05-19
Review by: 2026-09-22
Sources: 2
Machine-translated · Original (JA)
Tags: #exchanges #matching-engine #cold-storage #architecture #technical
Wiki route

This entry sits under exchanges index. Read it against Domestic VASP Cold Storage 95% + Segregated Management Regime for peer / contrast context and FSA crypto-asset exchange registration system — number system / Local Finance Bureau jurisdiction / registration requirements for the broader system / regulatory boundary.

1. Matching engine overview

The core of a CEX is the matching engine (order-book matching engine). Design philosophies broadly fall into 3 categories:

  • CLOB (Central Limit Order Book) — industry standard. Matches buy and sell orders by price and time. Carried over from NYSE / NASDAQ to CEXs
  • RFQ (Request for Quote) — centered on institutional OTC. Request a bid/ask quote → individual fill
  • AMM-like — DEX family. AMMs are an alternative design to CEX matching (see amm-design-evolution)

CEXs (Binance / Coinbase / bitFlyer / all domestic firms) are CLOB-based. Large institutional trades are handled separately by an OTC desk via RFQ.

2. CLOB matching-engine design elements

| Element | Content |
|---|---|
| FIFO (First-In First-Out) | Same price fills by time priority |
| price-time priority | 2-stage matching of price priority + time priority |
| iceberg orders | Display large orders in splits to suppress market impact |
| post-only / IOC / FOK | Order types (maker only / Immediate-or-Cancel / Fill-or-Kill) |
| co-location | Low-latency connectivity for institutional HFT (NYSE / Binance VIP) |

Representative implementations: NYSE / Binance / Coinbase / dYdX v4 (Cosmos appchain). dYdX v4 implements a CLOB on top of on-chain validators, attempting to fuse CEX performance with DEX transparency.
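The following is an added example, not code from any exchange named on this page: a minimal in-memory CLOB showing price-time priority (best price first, FIFO within a price level) together with post-only, IOC and FOK handling. The class name, status strings and the "GTC" default are assumptions for illustration; iceberg orders are not modeled.

```python
from collections import deque

class OrderBook:
    """Toy CLOB (illustrative): price-time priority with POST_ONLY / IOC / FOK."""
    def __init__(self):
        self.bids = {}  # price -> deque of [order_id, remaining_qty], FIFO per level
        self.asks = {}

    def _levels(self, side, price):
        """Opposite-side book and the price levels this order may trade at, best first."""
        book = self.asks if side == "buy" else self.bids
        ordered = sorted(book, reverse=(side == "sell"))  # lowest ask / highest bid first
        ok = (lambda p: p <= price) if side == "buy" else (lambda p: p >= price)
        return book, [p for p in ordered if ok(p)]

    def submit(self, oid, side, price, qty, tif="GTC"):
        """Return (fills, status); each fill is (maker_id, maker_price, qty)."""
        book, levels = self._levels(side, price)
        if tif == "POST_ONLY" and levels:
            return [], "rejected"  # would take liquidity, so a maker-only order is refused
        if tif == "FOK" and sum(q for p in levels for _, q in book[p]) < qty:
            return [], "killed"    # cannot fill in full, so nothing trades
        fills = []
        for p in levels:           # stage 1: price priority
            queue = book[p]
            while queue and qty > 0:
                maker = queue[0]   # stage 2: time priority (oldest order first)
                traded = min(qty, maker[1])
                fills.append((maker[0], p, traded))
                maker[1] -= traded
                qty -= traded
                if maker[1] == 0:
                    queue.popleft()
            if not queue:
                del book[p]
            if qty == 0:
                break
        if qty == 0:
            return fills, "filled"
        if tif in ("GTC", "POST_ONLY"):  # remainder rests on the book as a maker order
            own = self.bids if side == "buy" else self.asks
            own.setdefault(price, deque()).append([oid, qty])
            return fills, "resting"
        return fills, "cancelled_remainder"  # IOC: unfilled part is dropped

if __name__ == "__main__":
    ob = OrderBook()
    ob.submit("a1", "sell", 100, 3)  # constructed sample orders
    print(ob.submit("b1", "buy", 100, 5, "IOC"))
```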

3. RFQ / OTC engine

Institutional OTC (Cumberland / B2C2 / FalconX / Genesis (bankrupt)) adopts an RFQ scheme rather than a CLOB:

  • A client requests a quote, e.g. “I want to buy 100 BTC”
  • The market maker presents a bid/ask
  • Individual fill (does not appear in the order book)
  • Controls slippage + conceals price on large trades

Domestic OTC: bitFlyer / Coincheck provide similar functionality to retail customers under the “sales-counter (販売所)” label (see jp-cex-sales-vs-exchange-model-economics).

4. Cold/hot wallet internal architecture

The 3-tier structure based on domestic VASP obligations (jp-vasp-cold-storage-segregation-rules):

  • Hot wallet (≤ 5% domestic obligation) — directly connected to the matching engine · real-time deposit/withdrawal processing · maker/taker bot integration · signing via API
  • Warm wallet — semi-offline · staging for large withdrawals · replenished from cold multiple times per day
  • Cold wallet (≥ 95% domestic obligation) — air-gapped signing · multi-sig (at least 2-of-3) · HSM or MPC mandatory

The Coincheck 2018 NEM incident (58 billion yen) was the result of “effectively hot 100%” (coincheck-nem-hack-detailed-analysis). The regulatory tightening after that incident made 3-tier separation a domestic obligation.

5. Major technology stack

The 5 technologies of institutional custody (global-institutional-custody-five-pillars / jp-institutional-custody-three-pillars):

| Technology | Representative vendor | Role |
|---|---|---|
| multi-sig | Gnosis Safe (now Safe) | Standard 2-of-3 signing threshold · smart-contract based |
| HSM | Thales / Utimaco / Ledger Vault | Hardware cryptographic module · FIPS 140-2/3 certified |
| MPC | Fireblocks / Fordefi / Sepior | Key distribution · eliminates single point of failure |
| air-gap signing | Casa / Anchorage | Fully offline signing · no network connection |
| Shamir’s Secret Sharing | many | Threshold distribution of the private key (k-of-n) |

CEX implementation examples:

  • Coinbase Custody — mix of multi-sig + HSM
  • Anchorage Digital — MPC-centric (US OCC national bank charter)
  • Komainu — cold + air-gap (Nomura JV)
  • Fireblocks — MPC SaaS · adopted by domestic GMO Coin and others

The 2025 Bybit Lazarus hack (bybit-lazarus-hack-detailed-analysis) was a social-engineering attack that deceived multi-sig signers via Safe UI spoofing. The technology itself functioned, but a vulnerability in the UI layer was exposed, reaffirming the importance of air-gap + hardware confirmation. For detailed forensic methods, read bytecode forensic 3-tier verify and forensic identity anchor chain together. For a structural analysis of supply-chain attacks, see module path confusion supply chain attack.


Source: general industry knowledge + Binance / Coinbase tech blog + Gnosis Safe docs + Fireblocks whitepaper + Anchorage announcements.