CEX matching engine + cold/hot wallet internal architecture

Confidence: Likely · Updated 2026-05-19 · Review by 2026-09-22 · Sources: 2 · Machine-translated · Original (JA)

Wiki route

This entry sits under the exchanges index. Read it against Domestic VASP Cold Storage 95% + Segregated Management Regime for peer / contrast context, and against FSA crypto-asset exchange registration system — number system / Local Finance Bureau jurisdiction / registration requirements for the broader system / regulatory boundary.

1. Matching engine overview

The core of a CEX is the matching engine (order-book matching engine). Design philosophies fall broadly into 3 categories:

  • CLOB (Central Limit Order Book) — industry standard. Matches buy and sell orders by price and time. Carried over from NYSE / NASDAQ to CEXs
  • RFQ (Request for Quote) — centered on institutional OTC. Request a bid/ask quote → individual fill
  • AMM-like — DEX family. AMMs are an alternative design to CEX matching (see amm-design-evolution)

CEXs (Binance / Coinbase / bitFlyer / all domestic firms) are CLOB-based. Large institutional trades are handled separately by an OTC desk via RFQ.

2. CLOB matching-engine design elements

| Element | Content |
|---|---|
| FIFO (First-In First-Out) | Orders at the same price fill in time priority |
| price-time priority | 2-stage matching: price priority first, then time priority |
| iceberg orders | Display a large order in slices to limit market impact |
| post-only / IOC / FOK | Order types (maker only / Immediate-or-Cancel / Fill-or-Kill) |
| co-location | Low-latency connectivity for institutional HFT (NYSE / Binance VIP) |

Representative implementations: NYSE / Binance / Coinbase / dYdX v4 (Cosmos appchain). dYdX v4 implements a CLOB on top of on-chain validators, attempting to fuse CEX performance with DEX transparency.
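
The price-time priority, FIFO and post-only / IOC / FOK rules listed in this section, as an added example (not code from any exchange or from the original page). The names `Order` and `Book`, the status strings, and integer tick prices are assumptions made for illustration; iceberg orders are not modelled.

```python
from collections import deque
from dataclasses import dataclass
from itertools import count
# Order, Book and the status strings are illustrative names (assumptions).
@dataclass
class Order:
    side: str          # "buy" or "sell"
    price: int         # limit price in integer ticks
    qty: int
    tif: str = "GTC"   # GTC, IOC, FOK or POST_ONLY
    oid: int = 0       # assigned by the book on arrival

class Book:
    def __init__(self):
        self.levels = {"buy": {}, "sell": {}}  # price -> FIFO deque of resting orders
        self._ids = count(1)

    def _crossing(self, o):  # opposite side + crossable price levels, best first
        opp = self.levels["sell" if o.side == "buy" else "buy"]
        ok = (lambda p: p <= o.price) if o.side == "buy" else (lambda p: p >= o.price)
        return opp, sorted(filter(ok, opp), reverse=(o.side == "sell"))

    def submit(self, o):
        """Return (fills, status); each fill is (maker_oid, price, qty)."""
        o.oid = next(self._ids)
        opp, prices = self._crossing(o)
        if o.tif == "POST_ONLY" and prices:
            return [], "rejected"            # would take liquidity, so never rests
        if o.tif == "FOK" and sum(m.qty for p in prices for m in opp[p]) < o.qty:
            return [], "killed"              # all-or-nothing: book untouched
        fills = []
        for p in prices:                     # price priority
            q = opp[p]
            while q and o.qty:               # time priority inside one level
                maker = q[0]
                traded = min(maker.qty, o.qty)
                maker.qty -= traded
                o.qty -= traded
                fills.append((maker.oid, p, traded))
                if maker.qty == 0:
                    q.popleft()
            if not q:
                del opp[p]                   # drop the emptied level
            if o.qty == 0:
                return fills, "filled"
        if o.tif == "IOC":
            return fills, "cancelled_remainder"
        self.levels[o.side].setdefault(o.price, deque()).append(o)
        return fills, "resting"
```

A GTC order that is only partly filled reports `resting` together with its fills; the unfilled quantity joins the back of the queue at its limit price.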

3. RFQ / OTC engine

Institutional OTC desks (Cumberland / B2C2 / FalconX / Genesis (bankrupt)) use an RFQ scheme rather than a CLOB:

  • A client requests a quote, e.g. “I want to buy 100 BTC”
  • The market maker presents a bid/ask
  • Individual fill (does not appear in the order book)
  • Controls slippage and conceals the price on large trades

Domestic OTC: bitFlyer / Coincheck provide similar functionality to retail customers under the “sales-counter (販売所)” label (see jp-cex-sales-vs-exchange-model-economics).

4. Cold/hot wallet internal architecture

The 3-tier structure based on domestic VASP obligations (jp-vasp-cold-storage-segregation-rules):

  • Hot wallet (≤ 5% domestic obligation) — directly connected to the matching engine · real-time deposit/withdrawal processing · maker/taker bot integration · signing via API
  • Warm wallet — semi-offline · staging for large withdrawals · replenished from cold multiple times per day
  • Cold wallet (≥ 95% domestic obligation) — air-gapped signing · multi-sig (at least 2-of-3) · HSM or MPC mandatory

The Coincheck 2018 NEM incident (58 billion yen) was the result of holdings being “effectively 100% hot” (coincheck-nem-hack-detailed-analysis). The regulatory tightening after that incident made 3-tier separation a domestic obligation.

5. Major technology stack

The 5 technologies of institutional custody (global-institutional-custody-five-pillars / jp-institutional-custody-three-pillars):

| Technology | Representative vendor | Role |
|---|---|---|
| multi-sig | Gnosis Safe (now Safe) | Standard 2-of-3 signing threshold · smart-contract based |
| HSM | Thales / Utimaco / Ledger Vault | Hardware cryptographic module · FIPS 140-2/3 certified |
| MPC | Fireblocks / Fordefi / Sepior | Key distribution · eliminates single point of failure |
| air-gap signing | Casa / Anchorage | Fully offline signing · no network connection |
| Shamir’s Secret Sharing | many | Threshold distribution of the private key (k-of-n) |

CEX implementation examples:

  • Coinbase Custody — mix of multi-sig + HSM
  • Anchorage Digital — MPC-centric (US OCC national bank charter)
  • Komainu — cold + air-gap (Nomura JV)
  • Fireblocks — MPC SaaS · adopted by domestic GMO Coin and others

The 2025 Bybit Lazarus hack (bybit-lazarus-hack-detailed-analysis) was a social-engineering attack that deceived multi-sig signers via Safe UI spoofing. The technology itself functioned, but a vulnerability in the UI layer was exposed, reaffirming the importance of air-gap + hardware confirmation. For detailed forensic methods, read bytecode forensic 3-tier verify and forensic identity anchor chain together. For a structural analysis of supply-chain attacks, see module path confusion supply chain attack.


Source: general industry knowledge + Binance / Coinbase tech blog + Gnosis Safe docs + Fireblocks whitepaper + Anchorage announcements.