Inside the Money Flow in Centralized Exchanges: MPC + TEE at Work

Anh Phan

Have you ever wondered:
- Where do my tokens go when I deposit them to a CEX?
- Why do I always receive tokens from a Binance Hot Wallet instead of the one I deposited to?
- What exactly are hot, warm, and cold wallets?
Let’s unwrap the secret flow of money inside centralized exchanges. You’ll also learn how technologies like MPC (Multi-Party Computation) and TEE (Trusted Execution Environment) silently power these systems behind the scenes.
References:
- Institutional Custody in Crypto - Binance Research
- Hot vs. cold vs. warm wallets: Which crypto wallet is right for me?
- Binance's 8 Wallet "error" was there for all to see
- Hack Brief: Hackers Stole $40 Million from Binance Cryptocurrency Exchange
What are hot, warm and cold wallets?
Hot, warm, and cold wallets describe how exposed your keys are to the internet. Hot wallets are always online, fast and automated, but riskier. Cold wallets are fully offline, ultra-secure but slow. Warm wallets sit in between: connected, but require human approvals before signing. A serious setup uses all three, hot for withdrawals, warm for ops, cold for long-term reserves.
In short:
- The colder the wallet, the safer the funds.
- The hotter the wallet, the more exposed its keys are to the internet (and the faster it can move funds).

Feature | Hot Wallet | Warm Wallet | Cold Wallet |
---|---|---|---|
Accessibility | Fully online | Online/semi-online | Fully offline |
Speed | Real-time | Delayed | Manual (hours-days) |
Security | Medium (MPC) | High (MPC/Multisig) | Max (air-gapped) |
Transaction Volume | High | Medium | Very low |
Balance Size | Small | Medium-large | Very large (reserves) |
Automation Level | Full auto | Semi-auto | Manual |
MPC Use | ✅ Yes | ✅ Yes / Some | ❌ No |
When it comes to handling billions in customer funds, major centralized exchanges don’t rely on a single wallet type. Instead, they deploy a tiered wallet system: hot, warm, and cold, each serving a distinct role in balancing speed, security, and operational control. Hot wallets power real-time deposits and withdrawals. Warm wallets act as secure liquidity buffers. And cold wallets serve as deep storage vaults, often air-gapped and heavily restricted.
But tiering alone isn’t enough. Today’s top-tier CEXs layer in Multi-Party Computation (MPC) to split key control across distributed nodes, so that no single machine or person ever holds a complete private key, and Trusted Execution Environments (TEE) to perform signing inside isolated memory that the host operating system cannot read. This combination allows exchanges to automate flows like deposit crediting or hot wallet refills while maintaining strong safeguards against internal compromise, external exploits, or key leakage.
Major exchanges such as Binance and Gate are migrating warm wallet operations from multisig to MPC for better automation, privacy (an MPC-produced signature looks like an ordinary single-key signature on chain, so the signing policy is not visible publicly), and cross-chain compatibility.
However, multisig is still retained where it must support older token standards or chains that lack MPC tooling.
https://www.binance.com/en/square/post/5480667030770
https://www.gate.com/learn/articles/a-complete-guide-to-the-differences-between-mpc-wallets-and-multisig-wallets/7124
Now let’s walk through how funds actually move through this system from the second a deposit hits the chain to how withdrawals are routed securely.
Deposit Flow

The process works as follows:
- Users deposit tokens onchain to a User Deposit Wallet, an HD (Hierarchical Deterministic) wallet address derived from a single master seed stored in CloudHSM. One seed yields a distinct address per user (the last path index is the user's slot), so the CEX can manage millions of deposit addresses without storing millions of private keys. In BIP44 path notation:
  user1DepositAddress = hdWallet.derivePath("m/44'/60'/0'/0/0")
- Sweep Engine monitors the blockchain in real time to detect a deposit transaction to that specific User Deposit Wallet, then prepares a transaction that sweeps the full balance to the Hot Wallet. Nothing is signed yet.
- Sweep Engine validates the proposed sweep against multiple Decision Engines, including:
- Rule Engine: Enforces business logic and platform configuration — e.g., token paused status, minimum sweep size, whitelisted destination addresses, and deposit wallet-to-user mapping.
- Risk Engine: Identifies fraud or abuse patterns — e.g., flagged wallets (via Chainalysis/TRM), high-frequency or high-value deposits, interactions with mixers, or connections to known exploiters.
- Compliance / Sanctions Engine: Ensures compliance with global regulations — e.g., blocking OFAC-listed addresses, embargoed jurisdictions, or triggering AML thresholds.
- Balance Reconciliation Engine: Verifies state consistency — e.g., deposit properly recorded in internal DB, current hot wallet balance aligns with expectations, and prevents duplicate sweeps.
- Fee Estimator / Gas Oracle: Optimizes transaction fees — e.g., evaluating current base fee, fee spike protection, checking native token balance for gas sufficiency.
- Capacity & Health Engine: Ensures operational readiness — e.g., confirming the hot wallet is not overloaded, no stuck or pending transactions, and all underlying blockchain nodes are healthy.
- Once every check passes, the Sweep Engine sends a request to the Signer: “Hey Signer, I have a transaction from wallet 0x4eaf...g14d and it passed all validations. Please help me sign it.”
- Signer runs in a Trusted Execution Environment (TEE), loads the private key material (via CloudHSM), and performs the signing operation inside the isolated enclave, so the key is never exposed to the host OS or to the Sweep Engine.
- The signed transaction is returned to the Sweep Engine, which then broadcasts it to the blockchain network.
- Funds are now swept into the Hot Wallet, whose key exists only as MPC shares spread across separate nodes. This wallet is wired into critical services, but because no single node ever holds the whole key, compromising one host does not compromise the wallet.
- If the Hot Wallet balance exceeds a defined threshold, the system automatically triggers a transfer to the Warm Wallet. The Warm Wallet uses MPC as well, but includes human approval gates, typically signers like the CEO, CTO, and CFO.
- Once all designated human signers approve the transfer, funds are moved on from the Warm Wallet to the Cold Wallet (e.g., a Ledger hardware wallet), which remains completely offline and air-gapped.
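Step 1 above (one master seed, one derived address per user) as an added example; this is not code from the original post or from Fystack. It implements BIP32 derivation in pure Python to show the split a practitioner would want: the address-assignment service only needs the account-level extended public key (m/44'/60'/0' here, an assumed path matching the post's snippet) and derives m/44'/60'/0'/0/<user index> by public derivation, while only the Signer, which holds the seed, can derive the matching private key. The function names (account_xpub, deposit_pubkey, signer_privkey) and the demo seed are assumptions for the example.

```python
# Added example, not code from the original post: BIP32 derivation split between
# an address service holding only the account xpub and a signer holding the seed.
# Standard library only; secp256k1 arithmetic is written out so it runs offline.
import hashlib
import hmac

# secp256k1 domain parameters
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
HARDENED = 0x80000000
# Assumed account path m/44'/60'/0' (BIP44, Ethereum coin type), as in the post.
ACCOUNT_PATH = [44 | HARDENED, 60 | HARDENED, 0 | HARDENED]


def ec_add(p1, p2):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, point):
    """Double-and-add scalar multiplication."""
    result = None
    while k:
        if k & 1:
            result = ec_add(result, point)
        point = ec_add(point, point)
        k >>= 1
    return result


def ser_point(point):
    """33-byte compressed SEC1 encoding (BIP32 serP)."""
    x, y = point
    return (b"\x02" if y % 2 == 0 else b"\x03") + x.to_bytes(32, "big")


def master_from_seed(seed):
    """BIP32 master node as (private key, chain code)."""
    i = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return int.from_bytes(i[:32], "big"), i[32:]


def ckd_priv(node, index):
    """Private child derivation (CKDpriv); hardened and normal indices."""
    k, chain = node
    if index >= HARDENED:
        data = b"\x00" + k.to_bytes(32, "big") + index.to_bytes(4, "big")
    else:
        data = ser_point(ec_mul(k, G)) + index.to_bytes(4, "big")
    i = hmac.new(chain, data, hashlib.sha512).digest()
    return (int.from_bytes(i[:32], "big") + k) % N, i[32:]


def ckd_pub(node, index):
    """Public child derivation (CKDpub): no private material, normal indices only."""
    if index >= HARDENED:
        raise ValueError("hardened children cannot be derived from an xpub")
    point, chain = node
    data = ser_point(point) + index.to_bytes(4, "big")
    i = hmac.new(chain, data, hashlib.sha512).digest()
    return ec_add(ec_mul(int.from_bytes(i[:32], "big"), G), point), i[32:]


def account_xpub(seed):
    """Signer side, done once: walk the hardened prefix, export (pubkey, chain code)."""
    node = master_from_seed(seed)
    for index in ACCOUNT_PATH:
        node = ckd_priv(node, index)
    return ec_mul(node[0], G), node[1]


def deposit_pubkey(xpub, user_index):
    """Address service: key for m/44'/60'/0'/0/<user_index> from the xpub alone.
    The on-chain address is a hash of this key (Keccak-256 for Ethereum)."""
    external_chain = ckd_pub(xpub, 0)
    return ser_point(ckd_pub(external_chain, user_index)[0])


def signer_privkey(seed, user_index):
    """Signer side, inside the HSM/TEE boundary: the matching private key."""
    node = master_from_seed(seed)
    for index in ACCOUNT_PATH + [0, user_index]:
        node = ckd_priv(node, index)
    return node[0]


if __name__ == "__main__":
    # Constructed demo seed; a real seed lives in the HSM and never leaves it.
    seed = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
    xpub = account_xpub(seed)
    for user_index in (0, 1, 2):
        pub = deposit_pubkey(xpub, user_index)
        assert ser_point(ec_mul(signer_privkey(seed, user_index), G)) == pub
        print(f"user {user_index}: {pub.hex()}")
```

The check at the bottom confirms both sides land on the same key for every user index. Two consequences worth keeping in mind: the service that hands out deposit addresses never needs HSM access, and a leaked xpub reveals every deposit address (a privacy loss) but no keys. The standard BIP32 caveat still applies: an xpub combined with any one non-hardened child private key exposes the whole account, so the per-user private keys derived inside the Signer must never leave it either.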
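The validation and signing hand-off steps above as an added example, not the post's or Fystack's code: each Decision Engine is a function that returns None or a rejection reason, every engine runs on every deposit, and the request to the Signer is built only when the list of reasons is empty, so adding an engine or an engine failing can only add holds, never approvals. Engine names follow the post; the thresholds, addresses, hashes and the SweepState fields are constructed for the demo.

```python
# Added example, not code from the original post: a deny-by-default version of
# the sweep decision pipeline. All thresholds, addresses and hashes are constructed.
from dataclasses import dataclass


@dataclass
class Deposit:
    tx_hash: str
    token: str
    address: str    # user deposit address the funds landed on
    amount: int     # in the token's smallest unit
    sender: str     # on-chain counterparty


@dataclass
class SweepState:
    address_to_user: dict          # deposit address -> user id
    paused_tokens: set
    min_sweep: dict                # token -> minimum amount worth sweeping
    whitelisted_destinations: set  # only the hot wallet may receive sweeps
    flagged: set                   # risk-screening hits (mixers, exploiters, ...)
    sanctioned: set                # sanctions-listed addresses
    recorded_deposits: set         # tx hashes already credited in the internal DB
    swept: set                     # tx hashes already swept (idempotency)
    gas_balance: int               # native token available to pay for the sweep
    base_fee: int
    max_base_fee: int              # fee-spike ceiling
    pending_txs: int
    max_pending: int
    nodes_healthy: bool


def rule_engine(d, s, dest):
    if d.token in s.paused_tokens:
        return "token paused"
    if d.address not in s.address_to_user:
        return "deposit address not mapped to a user"
    if dest not in s.whitelisted_destinations:
        return "destination not whitelisted"
    if d.amount < s.min_sweep.get(d.token, 0):
        return "below minimum sweep size"
    return None


def risk_engine(d, s, dest):
    return "sender flagged by risk screening" if d.sender in s.flagged else None


def compliance_engine(d, s, dest):
    if d.sender in s.sanctioned or d.address in s.sanctioned:
        return "sanctioned address"
    return None


def reconciliation_engine(d, s, dest):
    if d.tx_hash not in s.recorded_deposits:
        return "deposit not recorded in internal DB"
    if d.tx_hash in s.swept:
        return "duplicate sweep"
    return None


def fee_engine(d, s, dest, gas_limit=21_000):
    if s.base_fee > s.max_base_fee:
        return "fee spike protection"
    if s.gas_balance < s.base_fee * gas_limit:
        return "insufficient native balance for gas"
    return None


def health_engine(d, s, dest):
    if not s.nodes_healthy:
        return "blockchain nodes unhealthy"
    if s.pending_txs >= s.max_pending:
        return "hot wallet has too many pending transactions"
    return None


ENGINES = [rule_engine, risk_engine, compliance_engine,
           reconciliation_engine, fee_engine, health_engine]


@dataclass
class SignRequest:
    tx_hash: str
    user_id: str
    from_addr: str
    to_addr: str
    token: str
    amount: int


def evaluate_sweep(d, s, dest):
    """Run every engine and collect every failure; sign only when none failed."""
    reasons = [r for r in (engine(d, s, dest) for engine in ENGINES) if r]
    if reasons:
        return None, reasons
    s.swept.add(d.tx_hash)  # reserve the hash before signing so a retry cannot sweep twice
    return SignRequest(d.tx_hash, s.address_to_user[d.address],
                       d.address, dest, d.token, d.amount), []


def demo_state():
    """Constructed state for the demo."""
    return SweepState(
        address_to_user={"0xdep01": "user-1", "0xdep02": "user-2"},
        paused_tokens=set(), min_sweep={"USDT": 5_000_000},
        whitelisted_destinations={"0xhot"},
        flagged={"0xmixer"}, sanctioned={"0xsanctioned"},
        recorded_deposits={"0xtx1", "0xtx2", "0xtx3"}, swept=set(),
        gas_balance=10**18, base_fee=30 * 10**9, max_base_fee=200 * 10**9,
        pending_txs=3, max_pending=50, nodes_healthy=True)


if __name__ == "__main__":
    s = demo_state()
    for d in [Deposit("0xtx1", "USDT", "0xdep01", 50_000_000, "0xalice"),       # clean
              Deposit("0xtx2", "USDT", "0xdep02", 50_000_000, "0xsanctioned"),  # blocked
              Deposit("0xtx1", "USDT", "0xdep01", 50_000_000, "0xalice")]:      # replay
        req, reasons = evaluate_sweep(d, s, "0xhot")
        print(d.tx_hash, "SIGN" if req else "HOLD", reasons)
```

Because the Signer signs whatever it is handed, this pipeline is the real policy boundary: reserving the tx hash before signing is what stops a retry from sweeping the same deposit twice, and the destination whitelist is what stops a compromised Sweep Engine from redirecting funds. A production Signer should at minimum re-check that whitelist itself rather than trusting the caller's "it passed all validations".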
Withdrawal Flow

User Request Flow
- The user kicks off a withdrawal request from the frontend.
- That request hits the CEX Backend, which immediately validates against Decision Engines (risk checks, velocity rules, balance logic, etc.).
- If everything passes, the transaction goes into a TX queue, where it is batched with other withdrawals to save gas.
- Once ready, the batch is submitted to the Hot Wallet (MPC).
- The Hot Wallet signs and sends funds straight to the user’s Destination Wallet.
Hot Wallet Refill Flow
- Behind the scenes, a balance watcher keeps an eye on hot wallet liquidity.
- If the balance dips too low, the system automatically triggers a refill.
- The Signer Group gets notified.
- They review and sign the refill request.
- Funds flow in from the Warm Wallet (MPC with human approvals) to top up the hot wallet.
Warm Wallet Refill Flow
- Meanwhile, a separate process keeps monitoring the Warm Wallet’s balance.
- When it gets low, an automated refill request is raised to the Operator Group.
- This step is highly manual by design. A multi-person operation on a secure workstation approves the refill using hardware wallets.
- Once cleared, the funds move from the Cold Wallet (Ledger) into the Warm Wallet.
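The three rebalancing flows (hot to warm overflow from the deposit section, warm to hot refill, cold to warm refill) as one added example; it is not code from the post or from Fystack. A single balance watcher raises at most one open transfer per route, and each route carries its own approval gate: automatic for hot to warm, a quorum of named executives for warm to hot, and every operator for cold to warm. Wallet names, thresholds, the 2-of-3 and 3-of-3 quorums and the member names are assumptions for the demo.

```python
# Added example, not code from the original post: liquidity tiers with a balance
# watcher and per-route approval gates. All names and numbers are constructed.
from dataclasses import dataclass, field


@dataclass
class TierPolicy:
    low: int      # request a refill when the balance drops below this
    high: int     # push the excess one tier colder when it rises above this
    target: int   # balance to restore to


@dataclass
class Gate:
    group: frozenset   # who may approve transfers on this route
    quorum: int        # distinct approvals required; 0 means fully automatic


@dataclass
class Transfer:
    src: str
    dst: str
    amount: int
    approvals: set = field(default_factory=set)
    status: str = "pending"


class Treasury:
    def __init__(self, balances, tiers, gates):
        self.balances = dict(balances)   # wallet -> balance
        self.tiers = tiers               # wallet -> TierPolicy
        self.gates = gates               # (src, dst) -> Gate
        self.transfers = []

    def _open(self, src, dst):
        """True if a transfer on this route is still awaiting approval."""
        return any(t.src == src and t.dst == dst and t.status == "pending"
                   for t in self.transfers)

    def _raise(self, src, dst, amount):
        t = Transfer(src, dst, amount)
        self.transfers.append(t)
        if self.gates[(src, dst)].quorum == 0:   # automatic route, no humans
            self._execute(t)
        return t

    def _execute(self, t):
        if self.balances[t.src] < t.amount:
            t.status = "failed"
            return
        self.balances[t.src] -= t.amount
        self.balances[t.dst] += t.amount
        t.status = "done"

    def watch(self):
        """One pass of the balance watchers; returns the transfers raised."""
        raised = []
        hot, warm = self.tiers["hot"], self.tiers["warm"]
        h, w = self.balances["hot"], self.balances["warm"]
        if h > hot.high and not self._open("hot", "warm"):
            raised.append(self._raise("hot", "warm", h - hot.target))
        if h < hot.low and not self._open("warm", "hot"):
            raised.append(self._raise("warm", "hot", hot.target - h))
        if w < warm.low and not self._open("cold", "warm"):
            raised.append(self._raise("cold", "warm", warm.target - w))
        return raised

    def approve(self, t, approver):
        """Record one approval; execute once the route's quorum is met."""
        gate = self.gates[(t.src, t.dst)]
        if approver not in gate.group:
            raise PermissionError(f"{approver} may not approve {t.src}->{t.dst}")
        if t.status != "pending":
            return t.status
        t.approvals.add(approver)      # a set: one person cannot count twice
        if len(t.approvals) >= gate.quorum:
            self._execute(t)
        return t.status


def demo_treasury():
    """Constructed tiers: hot wallet already below its low watermark."""
    return Treasury(
        balances={"hot": 40, "warm": 300, "cold": 5000},
        tiers={"hot": TierPolicy(low=50, high=200, target=100),
               "warm": TierPolicy(low=250, high=1000, target=500)},
        gates={("hot", "warm"): Gate(frozenset(), 0),
               ("warm", "hot"): Gate(frozenset({"ceo", "cto", "cfo"}), 2),
               ("cold", "warm"): Gate(frozenset({"ops-1", "ops-2", "ops-3"}), 3)})


if __name__ == "__main__":
    tr = demo_treasury()
    refill = tr.watch()[0]                 # warm -> hot, needs 2 of 3 executives
    tr.approve(refill, "ceo")
    tr.approve(refill, "ceo")              # same person twice still counts once
    print(refill.status, sorted(refill.approvals))
    print(tr.approve(refill, "cto"), tr.balances)
    for t in tr.watch():                   # warm is now short: cold -> warm raised
        print("raised", t.src, "->", t.dst, t.amount, "needs", tr.gates[(t.src, t.dst)].quorum)
```

The second watch pass shows the knock-on effect the post describes: topping up the hot wallet drains the warm wallet below its own watermark, which raises the manual cold-to-warm request. Deduplicating by route, not by amount, keeps a slow approval from spawning a second identical request on the next watcher tick.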
Major exchanges rely on a multi-tier wallet setup (hot, warm, and cold) to balance speed and security. At the heart of this system, MPC ensures no single party ever holds the full private key, while TEE keeps signing operations inside hardware-isolated memory. Together, they protect billions in assets against both internal threats and external attacks.
At Fystack, we provide a self-hosted MPC infrastructure designed for teams building secure, scalable Centralized Exchanges (CEXs) and stablecoin infrastructure. Plug it into your existing stack and stay in control, no vendor lock-in, no compromises.
👉 Contact us at fystack.io for self-hosted MPC wallet infrastructure or try Fystack for free now!