Coinbase serves 100+ million users trading cryptocurrencies with $200+ billion in custodied assets. Designing a crypto exchange tests your understanding of: blockchain integration (transaction monitoring, wallet management), hot/cold wallet security architecture, order matching, regulatory compliance (KYC/AML specific to crypto), and the unique challenges of a platform where user assets are cryptographically controlled keys. This guide covers the architecture for fintech system design interviews.
Wallet and Custody Architecture
Users deposit cryptocurrency into the exchange, and the exchange must securely custody these assets.

Wallet types:
(1) Hot wallet — connected to the internet. Used for immediate withdrawals and trading. Contains a small percentage of total assets (2-5%). Risk: vulnerable to hacking (internet-connected keys can be stolen). Mitigation: multi-signature (requires 3-of-5 keys to authorize a transaction), withdrawal limits ($10K per transaction from the hot wallet), and rate limiting.
(2) Cold wallet — offline, air-gapped. Used for long-term storage of the majority of assets (95-98%). Keys are stored on hardware security modules (HSMs) in geographically distributed vaults. Accessing cold storage requires physical presence at the vault, multiple authorized personnel (no single person can access it), and a multi-day process. Risk: extremely low (no internet connection means no remote attack).
(3) Warm wallet — semi-connected. Transactions are pre-signed offline and broadcast online. A middle ground for medium-sized transfers.

Deposit flow:
(1) The user requests a deposit address (a unique blockchain address generated for this user).
(2) The user sends crypto from their external wallet to this address.
(3) The exchange monitors the blockchain for incoming transactions to this address.
(4) After N confirmations (varies by blockchain: 3 for Bitcoin, 12 for Ethereum), credit the user's internal balance.

The deposit address belongs to the exchange (the exchange holds the private key). The user's internal balance is a database record, not an on-chain asset.
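The deposit flow is the part of the custody pipeline that most often goes wrong in practice: crediting before enough confirmations, crediting the same transaction twice, or not unwinding a deposit that a chain reorganisation removed. The Python below is an added example written for this guide, not Coinbase's code. The address values and transaction ids are constructed, the confirmation counts are the guide's, and the tracker assumes the block scanner calls observe_tx, on_reorg and on_new_block as it walks the chain.

```python
from dataclasses import dataclass

# Confirmations required before a deposit is credited, per chain (values from the guide).
CONFIRMATIONS_REQUIRED = {"BTC": 3, "ETH": 12}


@dataclass
class Deposit:
    chain: str
    txid: str
    address: str
    amount: int          # smallest unit (satoshi, wei); never floats for money
    block_height: int    # height of the block that included the transaction
    credited: bool = False


class DepositTracker:
    """Watches exchange-controlled deposit addresses and credits the user's
    internal (database) balance only once the deposit has N confirmations."""

    def __init__(self, address_owner):
        self.address_owner = address_owner   # deposit address -> user id
        self.balances = {}                   # (user, chain) -> smallest units
        self.pending = {}                    # txid -> Deposit

    def observe_tx(self, chain, txid, address, amount, block_height):
        """Called by the block scanner for every output paying one of our addresses."""
        if address not in self.address_owner or amount <= 0:
            return False                     # not ours (or malformed): ignore
        if txid in self.pending:
            return False                     # already seen: rescans must be idempotent
        self.pending[txid] = Deposit(chain, txid, address, amount, block_height)
        return True

    def on_reorg(self, chain, txid, new_height):
        """A transaction was moved to another block (new_height) or dropped (None)."""
        d = self.pending.get(txid)
        if d is None or d.chain != chain:
            return
        if d.credited:
            # Credited deposits are final from the user's point of view; a reorg deeper
            # than N confirmations is an incident to escalate, not something to reverse silently.
            raise RuntimeError(f"reorg past finality for credited deposit {txid}")
        if new_height is None:
            del self.pending[txid]
        else:
            d.block_height = new_height

    def on_new_block(self, chain, tip_height):
        """Re-evaluate confirmations for this chain and credit anything deep enough."""
        credited = []
        for d in self.pending.values():
            if d.chain != chain or d.credited:
                continue
            confirmations = tip_height - d.block_height + 1   # the including block counts as 1
            if confirmations >= CONFIRMATIONS_REQUIRED[chain]:
                user = self.address_owner[d.address]
                key = (user, chain)
                self.balances[key] = self.balances.get(key, 0) + d.amount
                d.credited = True
                credited.append(d.txid)
        return credited

    def balance(self, user, chain):
        return self.balances.get((user, chain), 0)


if __name__ == "__main__":
    # Constructed sample: one BTC deposit address owned by user "alice".
    t = DepositTracker({"bc1q-constructed-alice": "alice"})
    t.observe_tx("BTC", "tx-constructed-1", "bc1q-constructed-alice", 50_000, 100)
    for tip in (100, 101, 102):
        print(tip, t.on_new_block("BTC", tip), t.balance("alice", "BTC"))
```

The balance is only touched inside on_new_block, and a transaction id is accepted once, so replaying blocks after a crash cannot double-credit. Dropped transactions are removed while still pending; a reorg that reaches an already credited deposit is raised rather than handled, because at that point the exchange has already extended credit it may not be able to recover.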
Trading Engine
The trading engine matches buy and sell orders for cryptocurrency pairs (BTC/USD, ETH/BTC). The architecture is the same as traditional trading (covered in our Electronic Trading guide), with crypto-specific differences:
(1) Order book per trading pair — BTC/USD, ETH/USD, SOL/USD, etc. Price-time priority matching. Market orders, limit orders, stop orders.
(2) 24/7 operation — unlike stock exchanges (market hours), crypto exchanges operate continuously. No opening/closing auctions, no market holidays.
(3) High volatility — crypto prices can move 10%+ in hours. Circuit breakers: if the price moves more than 10% in 5 minutes, temporarily halt the pair.
(4) Internal settlement — trades settle internally (database update: debit buyer USD, credit buyer BTC, debit seller BTC, credit seller USD). No blockchain transaction is needed for internal trades (both parties are exchange users). On-chain settlement only occurs on deposits and withdrawals.
(5) Fees — maker/taker fee model. Makers (limit orders that add liquidity to the book): 0.1-0.4%. Takers (market orders that remove liquidity): 0.2-0.6%. Volume-based tiers: high-volume traders get lower fees.

Latency: crypto exchange matching engines target single-digit millisecond latency (not microseconds like traditional exchanges — crypto traders are less latency-sensitive than HFT firms).
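An added example of items (1), (4) and (5), written for this guide and not taken from Coinbase or any exchange: a single-pair order book with price-time priority matching, settlement as the four balance updates listed above in an internal ledger, and a maker/taker fee taken in the quote currency. The fee rates are the low end of the guide's ranges; the user names and balances are constructed. Fund reservation at order entry and the circuit breaker are not modelled.

```python
import itertools
from dataclasses import dataclass
from decimal import Decimal

MAKER_FEE = Decimal("0.001")   # 0.1%: resting limit orders that add liquidity
TAKER_FEE = Decimal("0.002")   # 0.2%: orders that remove liquidity


@dataclass
class Order:
    id: int
    user: str
    side: str        # "buy" or "sell"
    price: Decimal   # quote per base (USD per BTC)
    qty: Decimal     # base units still unfilled


class Ledger:
    """Internal settlement: balances are database rows, not on-chain assets."""

    def __init__(self):
        self.bal = {}

    def get(self, user, asset):
        return self.bal.get((user, asset), Decimal(0))

    def credit(self, user, asset, amt):
        self.bal[(user, asset)] = self.get(user, asset) + amt

    def debit(self, user, asset, amt):
        if self.get(user, asset) < amt:
            raise ValueError(f"insufficient {asset} for {user}")
        self.bal[(user, asset)] -= amt


class OrderBook:
    """One book per trading pair; price priority, then time priority within a price level."""

    def __init__(self, ledger, base="BTC", quote="USD"):
        self.ledger, self.base, self.quote = ledger, base, quote
        self.bids = []     # highest price first, FIFO within a level
        self.asks = []     # lowest price first, FIFO within a level
        self.fills = []    # (price, qty, buyer, seller)
        self._ids = itertools.count(1)

    def submit(self, user, side, price, qty):
        order = Order(next(self._ids), user, side, Decimal(price), Decimal(qty))
        opposite = self.asks if side == "buy" else self.bids
        while order.qty > 0 and opposite:
            resting = opposite[0]
            crosses = order.price >= resting.price if side == "buy" else order.price <= resting.price
            if not crosses:
                break
            fill_qty = min(order.qty, resting.qty)
            self._settle(taker=order, maker=resting, price=resting.price, qty=fill_qty)
            order.qty -= fill_qty
            resting.qty -= fill_qty
            if resting.qty == 0:
                opposite.pop(0)
        if order.qty > 0:       # unfilled remainder rests on the book
            self._rest(order)
        return order

    def _rest(self, order):
        """Insert behind every order with an equal or better price (time priority)."""
        book = self.bids if order.side == "buy" else self.asks
        rank = (lambda o: -o.price) if order.side == "buy" else (lambda o: o.price)
        idx = len(book)
        for i, o in enumerate(book):
            if rank(o) > rank(order):
                idx = i
                break
        book.insert(idx, order)

    def _settle(self, taker, maker, price, qty):
        """Trade executes at the maker's price; settlement is four ledger updates plus fees."""
        buyer, seller = (taker, maker) if taker.side == "buy" else (maker, taker)
        notional = price * qty
        buyer_fee = notional * (TAKER_FEE if buyer is taker else MAKER_FEE)
        seller_fee = notional * (TAKER_FEE if seller is taker else MAKER_FEE)
        # A production engine reserves funds at order entry; here they are debited at fill time.
        self.ledger.debit(buyer.user, self.quote, notional + buyer_fee)      # debit buyer USD
        self.ledger.credit(buyer.user, self.base, qty)                       # credit buyer BTC
        self.ledger.debit(seller.user, self.base, qty)                       # debit seller BTC
        self.ledger.credit(seller.user, self.quote, notional - seller_fee)   # credit seller USD
        self.fills.append((price, qty, buyer.user, seller.user))


if __name__ == "__main__":
    ledger = Ledger()
    ledger.credit("alice", "USD", Decimal("200000"))   # constructed balances
    ledger.credit("bob", "BTC", Decimal("2"))
    book = OrderBook(ledger)
    book.submit("bob", "sell", "50000", "1")
    book.submit("alice", "buy", "50100", "1.5")         # fills 1 BTC at 50000, rests 0.5
    print(book.fills, ledger.bal, [o.qty for o in book.bids])
```

All amounts are Decimal rather than float so that fee and notional arithmetic is exact; the ledger refuses to go negative, which is the invariant internal settlement exists to protect.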
Blockchain Integration
The exchange interacts with multiple blockchains (Bitcoin, Ethereum, Solana, etc.). For each supported blockchain:
(1) Node infrastructure — run full nodes for each blockchain. The node syncs the full chain and provides transaction monitoring (detect incoming deposits), transaction broadcasting (send withdrawals), and balance queries. Redundancy: multiple nodes per blockchain (failover if one falls behind or crashes).
(2) Transaction monitoring — continuously scan new blocks for transactions to exchange-controlled addresses. When one is found: verify the transaction (correct amount, correct address), wait for N confirmations, and credit the user's balance.
(3) Withdrawal processing — when a user requests a withdrawal: validate (sufficient balance, correct address format, not sanctioned), debit the user's internal balance, construct the blockchain transaction (from the hot wallet to the user's external address), sign with the hot wallet key (multi-sig: requires multiple approvals for large amounts), broadcast to the blockchain network, and monitor for confirmation.
(4) Token support — ERC-20 tokens on Ethereum, SPL tokens on Solana. Each token uses the same blockchain infrastructure but requires specific contract interaction (approve + transferFrom for ERC-20), decimal handling (USDC has 6 decimals, ETH has 18), and separate balance tracking per token.

Gas/fee management: the exchange pays transaction fees (gas) on behalf of users. Maintain a fee reserve in the hot wallet. Optimize gas by batching multiple withdrawals into one transaction when possible.
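An added example of the withdrawal path from item (3), the decimal handling from item (4) and the batching point, written for this guide rather than taken from Coinbase: amounts are converted to integer base units using the token's decimals (rejecting precision the token cannot represent), a request is validated against address format, a screening list and the internal balance, debited before it is queued, gated on an approval count that rises for large amounts, and then grouped with other approved transfers of the same token into one batch paid for from the fee reserve. The approval thresholds, batch size, sanctioned address and sample balances are assumptions; a real sanctions list comes from a screening provider, and the broadcast step is not shown.

```python
import re
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation

DECIMALS = {"ETH": 18, "USDC": 6}                 # from the guide
EVM_ADDRESS = re.compile(r"^0x[0-9a-fA-F]{40}$")  # both assets here live on Ethereum
# Assumed policy: withdrawals at or above these base-unit amounts need 3 approvals, else 1.
LARGE_THRESHOLD = {"ETH": 5 * 10**18, "USDC": 10_000 * 10**6}
LARGE_APPROVALS = 3
MAX_BATCH = 20                                    # assumed transfers per batched transaction


def to_base_units(asset, amount_str):
    """User-entered decimal string -> integer base units (wei, micro-USDC).
    Rejects more fractional digits than the token supports instead of silently rounding."""
    try:
        amount = Decimal(amount_str)
    except InvalidOperation:
        raise ValueError("not a number") from None
    if not amount.is_finite() or amount <= 0:
        raise ValueError("amount must be a positive number")
    scaled = amount.scaleb(DECIMALS[asset])
    if scaled != scaled.to_integral_value():
        raise ValueError(f"{asset} supports at most {DECIMALS[asset]} decimals")
    return int(scaled)


@dataclass(eq=False)
class Withdrawal:
    user: str
    asset: str
    to_address: str
    amount: int                                   # base units
    approvals: set = field(default_factory=set)

    @property
    def approvals_required(self):
        return LARGE_APPROVALS if self.amount >= LARGE_THRESHOLD[self.asset] else 1

    @property
    def approved(self):
        return len(self.approvals) >= self.approvals_required


class WithdrawalService:
    def __init__(self, balances, sanctioned, fee_reserve_wei):
        self.balances = balances            # (user, asset) -> base units: the internal ledger
        self.sanctioned = sanctioned        # lower-cased addresses from a screening provider
        self.fee_reserve = fee_reserve_wei  # ETH held in the hot wallet to pay gas
        self.queue = []                     # validated and debited, awaiting approval/batching

    def request(self, user, asset, to_address, amount_str):
        amount = to_base_units(asset, amount_str)
        if not EVM_ADDRESS.match(to_address):
            raise ValueError("malformed destination address")
        if to_address.lower() in self.sanctioned:
            raise ValueError("destination address is sanctioned")
        key = (user, asset)
        if self.balances.get(key, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[key] -= amount        # debit before queueing so a retry cannot double-spend
        w = Withdrawal(user, asset, to_address, amount)
        self.queue.append(w)
        return w

    def approve(self, w, approver):
        """Record one distinct approver; True once the required count is reached."""
        w.approvals.add(approver)
        return w.approved

    def build_batch(self, asset, gas_cost_wei):
        """Group approved withdrawals of one token into a single transaction paid from the fee reserve."""
        ready = [w for w in self.queue if w.asset == asset and w.approved][:MAX_BATCH]
        if not ready:
            return None
        if self.fee_reserve < gas_cost_wei:
            raise RuntimeError("fee reserve exhausted: top up the hot wallet before broadcasting")
        self.fee_reserve -= gas_cost_wei
        for w in ready:
            self.queue.remove(w)
        return {"asset": asset, "gas_wei": gas_cost_wei,
                "transfers": [(w.to_address, w.amount) for w in ready]}
```

Two choices matter for security here: balances are debited before the request enters the queue, so a crash or retry between validation and signing cannot spend the same balance twice, and approvals are a set of distinct approver ids, so one operator repeating an approval cannot reach the large-withdrawal quorum alone.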
Security
Crypto exchanges are prime hacking targets (Mt. Gox lost $460M, FTX lost $600M). Security layers:
(1) Key management — the private keys are the assets. If keys are compromised, funds are irreversibly stolen (there is no chargeback on a blockchain). HSMs (Hardware Security Modules) store keys in tamper-resistant hardware. Multi-signature: transactions require M-of-N keys (distributed across people and locations). No single person or system has all keys.
(2) Defense in depth — network segmentation (hot wallet systems isolated from public-facing services), intrusion detection, a 24/7 security operations center, and regular penetration testing.
(3) Withdrawal security — address whitelisting (new addresses require a 48-hour wait before the first withdrawal), 2FA required for all withdrawals, velocity limits (maximum withdrawal amount per 24 hours), and anomaly detection (unusual amount, unusual time, unusual IP -> hold for manual review).
(4) Smart contract security — for DeFi integration or token operations: formal verification of smart contract code, multiple independent audits, and bug bounty programs ($1M+ rewards for critical vulnerabilities).
(5) Insurance — custody insurance (Coinbase has $320M in crime insurance) protects against employee theft, security breaches, and third-party hacks. It does not cover individual account compromise (phishing) or market losses.
(6) Proof of Reserves — cryptographically prove that the exchange holds sufficient assets to cover all user balances: a Merkle tree of user balances plus on-chain verification of exchange wallet balances. Published periodically for transparency.
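Item (6) is worth seeing concretely. The Python below is an added example written for this guide, not Coinbase's implementation: it builds a Merkle sum tree over user balances, so the root commits to every balance and to the total liability, produces an inclusion proof a user can check against the published root, and compares the root's total with an on-chain reserve figure. The account tags and balances are constructed; a real deployment would salt and hash the account ids before they become leaf tags, and the reserve figure would be the sum of the exchange's wallet balances verified against the chain.

```python
import hashlib


def sha256(data):
    return hashlib.sha256(data).digest()


# Padding node for odd-sized levels: a domain-tagged hash with zero balance, so padding
# never adds liabilities.
PAD = (sha256(b"\x02pad"), 0)


def leaf(user_tag, balance):
    """Leaf = (hash, balance). user_tag is assumed to be a salted, hashed account id
    that the exchange gives to the user so the tree does not reveal identities."""
    if balance < 0:
        raise ValueError("negative balances would understate total liabilities")
    return (sha256(b"\x00" + user_tag.encode() + balance.to_bytes(16, "big")), balance)


def parent(left, right):
    """Internal node commits to both children's hashes and sums (Merkle sum tree).
    Fixed-width encoding and distinct domain tags rule out leaf/node confusion."""
    lh, ls = left
    rh, rs = right
    h = sha256(b"\x01" + lh + ls.to_bytes(16, "big") + rh + rs.to_bytes(16, "big"))
    return (h, ls + rs)


def build_tree(balances):
    """balances: list of (user_tag, balance). Returns all levels, leaves first,
    each level already padded to even length."""
    level = [leaf(u, b) for u, b in balances]
    levels = []
    while True:
        if len(level) > 1 and len(level) % 2:
            level = level + [PAD]
        levels.append(level)
        if len(level) == 1:
            break
        level = [parent(level[i], level[i + 1]) for i in range(0, len(level), 2)]
    return levels


def root(levels):
    """(root_hash, total_liabilities): the pair the exchange publishes."""
    return levels[-1][0]


def inclusion_proof(levels, index):
    """Per level, leaf to root: (sibling_hash, sibling_sum, sibling_is_left)."""
    proof = []
    for level in levels[:-1]:
        sib = index ^ 1
        proof.append((level[sib][0], level[sib][1], sib < index))
        index //= 2
    return proof


def verify(leaf_node, proof, expected_root):
    """A user recomputes the root from their own leaf and the published proof."""
    node = leaf_node
    for sib_hash, sib_sum, sib_is_left in proof:
        sib = (sib_hash, sib_sum)
        node = parent(sib, node) if sib_is_left else parent(node, sib)
    return node == expected_root


def reserves_cover_liabilities(levels, onchain_balance):
    """Liabilities are the root sum; reserves are the exchange wallet balances verified on-chain."""
    return onchain_balance >= root(levels)[1]


if __name__ == "__main__":
    constructed = [("acct-1", 100), ("acct-2", 250), ("acct-3", 50)]   # constructed balances
    levels = build_tree(constructed)
    print(root(levels)[0].hex(), root(levels)[1])
    print(verify(leaf("acct-2", 250), inclusion_proof(levels, 1), root(levels)))
```

Carrying the sum in every node is what turns a plain Merkle tree into a reserves proof: a user who verifies their leaf also verifies that their balance contributed to the published total, and the negative-balance check matters because a single negative leaf would let the total be understated.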
Compliance: KYC/AML for Crypto
Crypto-specific compliance requirements:
(1) KYC (Know Your Customer) — verify identity before allowing trading/withdrawal. Levels: basic (email + phone -> limited trading), intermediate (government ID + selfie verification -> full trading), advanced (proof of address + source of funds -> high limits). Automated verification: compare the selfie to the ID photo using facial recognition. Cross-reference against sanctions lists (OFAC, EU).
(2) AML (Anti-Money Laundering) — blockchain analytics. Unlike traditional finance (opaque bank transfers), blockchain transactions are public. Use tools (Chainalysis, Elliptic) to trace the origin of deposited funds (was it from a sanctioned address, a dark market, a mixer?), assign risk scores to transactions, and flag high-risk deposits for review.
(3) Travel Rule — for transfers > $3000, the exchange must share sender/receiver identity information with the counterparty exchange. Implemented via protocols like TRISA or OpenVASP.
(4) SAR filing — Suspicious Activity Reports are filed with FinCEN for large transactions (> $10K aggregated daily), structured transactions (splitting to avoid thresholds), and transactions involving sanctioned entities or high-risk jurisdictions.
(5) Tax reporting — issue 1099 forms for US users. Track cost basis and realized gains per transaction. Provide annual tax statements.

These requirements add significant complexity — crypto exchanges are as heavily regulated as traditional brokerages.
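An added example covering items (2), (3) and (4) of the list above, written for this guide and not Coinbase's monitoring logic: a transaction-review pass that flags transfers above the Travel Rule amount, daily aggregates above the reporting threshold, same-day splitting that keeps every transfer under the threshold while the total exceeds it, and deposits whose origin the analytics provider tagged as high risk. The two dollar thresholds are the guide's; the risk weights, review cut-off and sample transactions are constructed assumptions, and the origin tag stands in for what a tool like Chainalysis or Elliptic would return.

```python
from collections import defaultdict
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional

TRAVEL_RULE_USD = Decimal("3000")        # from the guide: share counterparty identity above this
REPORT_THRESHOLD_USD = Decimal("10000")  # from the guide: large transactions, aggregated daily
# Assumed risk weights for the origin category an analytics provider attaches to a deposit.
ORIGIN_RISK = {"sanctioned": 100, "darknet": 90, "mixer": 80, "unknown": 40, "exchange": 10}
REVIEW_RISK = 70                         # assumed: hold deposits scoring at or above this


@dataclass(frozen=True)
class Tx:
    user: str
    day: str                       # YYYY-MM-DD, the aggregation window
    usd: Decimal
    kind: str                      # "deposit" or "withdrawal"
    origin: Optional[str] = None   # analytics tag for deposits, None for withdrawals


def travel_rule_required(tx):
    return tx.usd > TRAVEL_RULE_USD


def origin_risk(tx):
    if tx.kind != "deposit":
        return 0
    return ORIGIN_RISK.get(tx.origin, ORIGIN_RISK["unknown"])   # untagged origin is not trusted


def review(txs):
    """Return sorted (alert_type, user, day) tuples; one alert per user/day per type."""
    alerts = set()
    by_user_day = defaultdict(list)
    for tx in txs:
        by_user_day[(tx.user, tx.day)].append(tx)
        if travel_rule_required(tx):
            alerts.add(("travel_rule", tx.user, tx.day))
        if origin_risk(tx) >= REVIEW_RISK:
            alerts.add(("high_risk_origin", tx.user, tx.day))
    for (user, day), group in by_user_day.items():
        total = sum(t.usd for t in group)
        largest = max(t.usd for t in group)
        if total > REPORT_THRESHOLD_USD:
            alerts.add(("large_daily_aggregate", user, day))
            # Several same-day transfers that each stay under the threshold but together
            # exceed it is the structuring pattern the guide describes.
            if largest < REPORT_THRESHOLD_USD and len(group) >= 2:
                alerts.add(("possible_structuring", user, day))
    return sorted(alerts)


# Constructed sample transactions (not real data).
SAMPLE_TXS = [
    Tx("u1", "2024-03-01", Decimal("9500"), "withdrawal"),
    Tx("u1", "2024-03-01", Decimal("9800"), "withdrawal"),            # two sub-threshold transfers
    Tx("u2", "2024-03-01", Decimal("12000"), "deposit", "exchange"),  # one large, low-risk deposit
    Tx("u3", "2024-03-02", Decimal("2500"), "deposit", "mixer"),      # small but high-risk origin
    Tx("u4", "2024-03-02", Decimal("800"), "withdrawal"),             # nothing to flag
]

if __name__ == "__main__":
    for alert in review(SAMPLE_TXS):
        print(alert)
```

The aggregation is keyed on a calendar day because that is how the guide states the threshold; a production system would also look across rolling windows and across linked accounts, since splitting across days or identities is the obvious way around a per-day check.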