How to stack STX to earn BTC on OKEx
How OKEx secures client assets with advanced wallet security systems
An overview of how OKEx cold and hot wallets operate for maximum security
Bitcoin recently hit a $1 trillion market capitalization and is naturally attracting new waves of retail investors. While the crypto space provides an unprecedented opportunity to benefit from decentralized finance, the security of crypto assets remains a critical topic, especially as new entrants are often unfamiliar with the dynamics of wallets and private keys.
To offer a seamless and secure trading experience for all users, OKEx prioritizes security in the design of its cold and hot wallets. In this article, we go over some of those mechanisms and provide an overview of how OKEx's cold and hot wallets operate to secure client assets.
OKEx cold wallet system
A typical cold wallet is a physical hardware device that enables offline storage of cryptocurrencies. While USB drives are the most common choices, they can be compromised by viruses and attacked when connected to a network.
Even when a cold wallet is entirely isolated from a network, it still relies on personnel and human interaction, presenting a single point of failure.
To circumvent the aforementioned issues, OKEx uses a sophisticated cold wallet design. The private keys of the OKEx cold wallet are stored in offline computers that have no interaction with the internet or removable drives. In addition, the paper versions of private keys are backed up by different authorized personnel located in geographically separate zones.
95% of funds on OKEx are stored in the cold wallet, which operates as follows.
OKEx cold wallet private key generation and backup
The OKEx cold wallet can generate up to 10,000 private keys and corresponding addresses (for multiple cryptocurrencies) stored in offline computers. The OKEx cold wallet private keys are encrypted with Advanced Encryption Standard, or AES — a type of algorithm that is commonly used by various government agencies and leading financial institutions.
The AES private keys are then encrypted with two master passwords. These master passwords are, in turn, managed by two separated groups of authorized company personnel, one based in Beijing and the other on the West Coast of the United States.
Additionally, the OKEx cold wallet's encrypted private key is stored in two secure bank vaults, one in China and the other on the East Coast of the United States. Each bank vault is only accessible by one authorized representative.
Finally, to mitigate the risk of losing access to private keys, the two AES master password holders and the two bank vault key holders do not travel together.
Fund deposits in the cold wallet
To receive deposits from the OKEx hot wallet, the QR code of the relevant cold wallet address is scanned by another computer. Each cold wallet address can be used only once, and after the fund transfer is complete, the key and its corresponding address are no longer valid for deposits.
For security reasons, each wallet address has a maximum balance of 1,000 BTC.
Fund withdrawals from the cold wallet
To withdraw funds from OKEx's cold wallet, the key holder of the bank vault retrieves the number of unused encrypted private keys. The QR codes of these unused keys are then scanned with an offline computer.
An AES master password holder then decrypts the private keys, which are then scanned and imported to another offline computer. These keys are used to sign off transactions on an offline computer and these transactions are then synchronized and broadcasted to the blockchain network.
OKEx hot wallet system
In contrast to a cold wallet, a typical hot wallet is connected to a network for faster transactions. However, OKEx's hot wallet leverages big data and adopts multiple technical solutions, ranging from online and semi-online risk management systems to semi-offline multi-signature services.
To enhance the security of funds stored in OKEx's hot wallet, multiple authorization mechanisms are in place for both deposits and withdrawals.
Only 5% of funds on OKEx are stored in the hot wallet. Below is an overview of OKEx's hot wallet system.
OKEx hot wallet private key generation and backup
Each OKEx hot wallet has three randomly generated master private keys that are encrypted through an algorithm. The ciphertext of the private keys is stored on a semi-offline signature device and held by three different private key holders.
To activate the master private key, at least two of the three private key holders are required to authorize the activation of the semi-offline signature device in a highly secure environment. Moreover, the private keys are stored in the RAM module of the security device and thus cannot be compromised even if the security device is stolen.
Finally, each master private key for the OKEx hot wallet has a backup private key in place, and these three backup keys are stored in bank vaults in the U.S., Japan and Singapore.
The conditions for the activation of backup keys are as follows:
- A backup key will be activated in 48 hours if the private key holder is found dead or affected by amnesia.
- If any of the private key holders are compromised, withdrawals are paused and a backup key is activated in 48 hours. Following this, a new private key holder is also appointed as a replacement to ensure the continued safety of funds.
- If any of the private key holders cannot perform their duties temporarily, a backup key is activated in 30 days.
Fund deposits in the hot wallet
OKEx's hot wallet tracks all transactions on the blockchain using OKEx's internal blockchain gateway service. Any transaction involving OKEx wallet addresses are recorded in a database and passed onto OKEx's online risk management system for further security checks, including:
- Whether the funds are sourced from a blacklisted address
- Whether the OKEx's wallet address is able to receive cryptocurrencies
- Whether the block height of the transaction matches with new blocks on the chain
- Whether the amount of deposit satisfies all risk management rules
If the online risk management system detects any anomalies in the transaction, OKEx's internal treasury service conducts a further audit, and the deposit will be delayed. If the transaction passes the security checks, the funds are credited to the corresponding user's receiving address.
Fund withdrawals from the hot wallet
When users initiate a currency withdrawal request, the online risk management system first scans for any anomalies pertaining to the user's sending address, such as withdrawal frequency, profits and account behavior.
When the withdrawal request passes this security check, it is sent to OKEx's vault system to automatically create an unsigned transaction. OKEx's in-house network communication protocol then sends the unsigned transaction to the semi-offline signature service.
Since the relevant private keys are stored offline with the semi-offline signature service, they cannot be compromised via online attacks. The semi-offline signature service signs the withdrawal transaction when it passes the security checks and OKEx's network communication protocol then broadcasts the signed transaction to the blockchain network.