Secure cold wallet design

Cryptocurrencies are innovative digital assets, forming the backbone of the next generation of financial ecosystems. However, cryptocurrencies still face major challenges in the areas of asset security and private key security.



Cryptocurrencies leverages extensively tested and widely accepted cryptographic standards (SHA-256 hash and ECDSA encryption). Therefore, the main challenge lies in how to securely store and protect private keys. Currently, exchanges use cold wallets (offline wallets) to address this concern. By keeping private keys offline and never exposing them to the internet, the safety of funds can be effectively ensured.

OKX TR ensures the secure operation of cold wallets not just through promises, but through action.

We learn from the cryptocurrency industry and build our platform from experience. To be transparent, we are sharing the details of our wallet architecture with the public. We welcome community builders and security experts to provide valuable suggestions.

Our security design philosophy

Anything connected to the internet is inherently vulnerable. That's why we keep the majority of all funds in our offline, cold wallet system.

Security-hardened storage media are employed to prevent virus implantation.

Access to our cold wallet system requires confirmation from multiple authorized personnel.

Unexpected and unforeseeable events may happen. Our architecture offers multiple offsite backups to reduce risk.

We use secure vaults requiring in-person access for custody.

Specifics of cold wallet security measures

• Cold wallet addresses with private keys are generated on an offline device.

• All private keys are encrypted on offline devices using Advanced Encryption Standard (AES).

• After all private keys are encrypted, all cleartext versions of the private keys are securely deleted.

• The AES keys are held by OKX TR employees in separate locations.

• The encrypted private keys on offline devices are only accessible via a secure mechanism.

• The encrypted private key is stored inside secure vaults, which requires in-person access.

• Additional private key backups are created and stored in vaults in separate locations.

• Limited authorized employees are granted access to vaults.

• Segregation of duties is in place to strengthen our security against unauthorized access.

• Limits are in place for the amount of assets that can be transferred to each cold wallet address.

• An AES key custodian performs decryption on encrypted private keys.

• Transactions are signed on offline devices, then transferred to the online devices via a secure mechanism, and then broadcast.

Core features of our security protocol

The assets held in cold wallets are distributed across multiple addresses.

All private keys are stored on an offline device.

Our private keys never directly interact with the internet.

Our private key backups are stored in secure vaults in geographically different locations.

Access to decryption passwords and key backups is divided among multiple authorized employees.

Employees who have access to passwords and backups are in different locations.

Benefits of our protocol

All assets in cold storage are spread across multiple addresses, avoiding a single point of failure.

Access to cold wallets requires multiple authorized employees.

Backups are stored in geographically different locations, providing additional security against natural disasters.