Crypto Deposit and Withdrawal System Development

We design and develop full-cycle blockchain solutions: from smart contract architecture to launching DeFi protocols, NFT marketplaces and crypto exchanges. Security audits, tokenomics, integration with existing infrastructure.
Showing 1 of 1All 1305 services
Crypto Deposit and Withdrawal System Development
Complex
~1-2 weeks
Frequently Asked Questions

Blockchain Development Services

Blockchain Development Stages

Latest works

  • image_website-b2b-advance_0.webp
    B2B ADVANCE company website development
    1349
  • image_web-applications_feedme_466_0.webp
    Development of a web application for FEEDME
    1247
  • image_websites_belfingroup_462_0.webp
    Website development for BELFINGROUP
    949
  • image_ecommerce_furnoro_435_0.webp
    Development of an online store for the company FURNORO
    1183
  • image_logo-advance_0.webp
    B2B Advance company logo design
    642
  • image_crm_enviok_479_0.webp
    Development of a web application for Enviok
    921

One of the most common scenarios of losing funds on an exchange is an error in processing a blockchain reorg: a transaction is considered confirmed, but the block is rolled back, and the money disappears. Another pain point is gas wars: when withdrawing ETH, the gas price spikes, the transaction gets stuck, and users panic. We build a deposit and withdrawal system that is resilient to such situations. The architecture is based on proven patterns: multi-sig, HSM, automatic reorg-handling, adaptive gas management.

Our team has 5+ years of experience in blockchain development and has implemented over 50 projects for crypto exchanges and DeFi protocols. We guarantee that your deposit and withdrawal system will comply with the best industry practices. Contact us to discuss your exchange architecture — we will evaluate the project and offer the optimal solution.

How are deposit addresses generated?

Each user receives a unique deposit address for each network. There are two approaches.

HD Wallet (Hierarchical Deterministic). A deterministic key tree is generated from a single master seed according to BIP-32 and BIP-44. For Bitcoin: m/44'/0'/0'/0/{user_index}. For Ethereum: m/44'/60'/0'/0/{user_index}.

import { HDNodeWallet } from "ethers";

const masterNode = HDNodeWallet.fromMnemonic(Mnemonic.fromPhrase(MASTER_MNEMONIC));

function getDepositAddress(userId: number, coinIndex: number): string {
  // m/44'/coinIndex'/0'/0/userId
  const child = masterNode
    .deriveChild(44 + 0x80000000)  // purpose
    .deriveChild(coinIndex + 0x80000000)  // coin type
    .deriveChild(0 + 0x80000000)  // account
    .deriveChild(0)               // external
    .deriveChild(userId);
  return child.address;
}

The master seed is stored in an HSM or in an encrypted vault (HashiCorp Vault). Public keys for address generation are in the database, private keys for signing are only in the HSM.

Shared address + memo — one address for the entire exchange, the user specifies a memo/tag. Used for Ripple (XRP), Stellar (XLM), Cosmos. Cheaper to maintain, but a memo error leads to loss of funds.

Monitoring incoming transactions

The monitoring service subscribes to blockchain events:

  • EVM chains: eth_subscribe("logs", { address: [depositAddresses], topics: [ERC20_TRANSFER_TOPIC] }) via WebSocket to the node + polling eth_getBlockByNumber as fallback
  • Bitcoin: zmqpubrawtx from Bitcoin Core + periodic address scanning via scantxoutset
  • TRON: TronGrid WebSocket or polling TronScan API
type DepositMonitor struct {
    node         EthClient
    db           *DB
    confirmations int // minimum confirmations
}

func (m *DepositMonitor) ProcessBlock(blockNum uint64) {
    receipts := m.node.GetBlockReceipts(blockNum)
    
    for _, receipt := range receipts {
        for _, log := range receipt.Logs {
            if !isERC20Transfer(log) {
                continue
            }
            
            to := common.HexToAddress(log.Topics[2].Hex())
            if !m.db.IsDepositAddress(to) {
                continue
            }
            
            m.recordPendingDeposit(Deposit{
                TxHash:      receipt.TxHash,
                BlockNum:    blockNum,
                UserAddress: to,
                Token:       log.Address,
                Amount:      new(big.Int).SetBytes(log.Data),
            })
        }
    }
}

Confirmations and finality

The number of required confirmations depends on the network and amount:

Network Minimum Confirmations Reason
Bitcoin 3–6 Reorg probability
Ethereum 12–20 (or finalized) Post-merge finality
Polygon PoS 100–256 Checkpoint finality
BSC 15–20 PoSA, more centralized
TRON 19 Solid consensus
Solana 32 (finalized) Tower BFT

After reaching the confirmation threshold, the deposit is credited to the user's balance. Until then, it is in pending status. We display pending deposits with a progress indicator.

Reorg handling: store block_hash along with block_number. When a reorg is detected (block hash changed), mark affected transactions as reorged and restart monitoring.

How is fund consolidation (sweeping) done?

Deposit addresses number in the thousands or millions. Storing ETH on each address is expensive and insecure. Automatic consolidation to a master hot wallet is needed:

func (s *Sweeper) SweepAddress(depositAddr Address) error {
    balance, _ := s.node.GetBalance(depositAddr)
    
    if balance.Cmp(s.minSweepAmount) < 0 {
        return nil // not worth the gas
    }
    
    // For ERC20: first need to send ETH for gas
    if s.token != ETH {
        gasCost := estimateGas(depositAddr, HOT_WALLET, token)
        s.fundGas(depositAddr, gasCost)
    }
    
    // Sign via HSM — private key of depositAddr never leaves HSM
    tx := s.buildTransfer(depositAddr, HOT_WALLET, balance)
    signed := s.hsm.Sign(depositAddr, tx)
    return s.node.SendRawTransaction(signed)
}

For ERC20 tokens, the task is complicated: ETH for gas is needed on the deposit address. Solutions:

  1. Gas station: send ETH before sweep, then sweep tokens
  2. Gasless sweep via EIP-2612/permit: if the token supports permit, the exchange pays gas itself
  3. Batch sweep via multicall: one call collects funds from multiple addresses

Savings on gas when using batch sweep can reach $40,000 per month at high volumes.

Withdrawal architecture

A withdrawal goes through several stages:

REQUESTED → VALIDATED → APPROVED → SIGNING → BROADCASTING → PENDING → CONFIRMED

VALIDATED: check balance, limits, AML/KYC. If passed — reserve funds (deduct from available balance).

APPROVED: for large amounts — manual review by exchange operator or multi-signature (M-of-N approval from several operators). For small amounts — automatic approval.

SIGNING: sign the transaction in HSM or cold wallet system. Never sign on the server where approval logic is stored — separation of duties.

BROADCASTING: send the transaction to the network. After that, the transaction cannot be canceled.

Gas management

The exchange must pay gas for withdrawals. A gas management system is needed:

  • Monitoring eth_gasPrice / EIP-1559 baseFee + maxPriorityFee
  • Gas budget: account for gas cost in withdrawal cost or fee
  • RBF (Replace By Fee) for stuck Bitcoin transactions
  • EIP-1559 bump: when an Ethereum transaction gets stuck — resend with same nonce and increased maxFeePerGas

Notifications and statuses

The user must see the withdrawal status in real time. Integration:

  • WebSocket push on each status change
  • Email/Telegram notifications at key stages (approval, sending, confirmation)
  • Transaction hash with a link to the explorer immediately after broadcasting

How is security ensured?

Critical checks:

  • Address whitelist: require adding a new address 24-48 hours before withdrawal to it. When adding — email confirmation + 2FA.
  • Anti-phishing: display an anti-phishing code in emails and UI (the user sets it). If it's missing — suspicious.
  • Withdrawal limits: daily limits by KYC levels. If exceeded — manual review.
  • Velocity checks: multiple withdrawals in a short time → temporary block and notification.

Hot/Warm/Cold wallet segregation

  • Hot wallet: small operational reserve (10-20% of daily withdrawal volume), always online, automatic withdrawals
  • Warm wallet: multi-sig (2-of-3 or 3-of-5 hardware keys), replenishes the hot wallet once a day
  • Cold wallet: offline storage, only for large reserves, manual access procedure

Distribution: 5-10% hot, 15-20% warm, 70-80% cold. Specific numbers depend on volumes and the exchange's risk model.

Infrastructure and reliability

Node vs API provider: a full node gives reliability and independence. API providers (Alchemy, QuickNode, Infura) — convenience but dependency on a third party. For a production exchange: several providers + own node, automatic failover.

Idempotency: each withdrawal request has a unique withdrawal_id. Repeated processing of the same ID does not create a duplicate transaction. Critical for recovery after failures.

Transaction monitoring: after broadcasting — periodic check of transaction status. If after N minutes it's not in mempool — consider it dropped, resend with correct nonce.

What's included in the work

  • Architecture documentation: description of cold/warm/hot wallet scheme, confirmation logic, signing scheme, and disaster recovery.
  • Source code with integration of HSM, multi-sig, gas management, and AML checks.
  • Deployment and setup: node configuration, load balancers, monitoring (Prometheus/Grafana).
  • API documentation for frontend and admin panel.
  • Team training: workshop on system operation and incident response.
  • 3-month warranty on identified bugs and free consultations on modifications.

Estimated timelines

Component Duration
Ethereum + ERC20 deposits/withdrawals 4-6 weeks
Bitcoin 3-4 weeks
TRON 2-3 weeks
Each additional EVM network 1-2 weeks
Multi-currency hot wallet management 3-4 weeks
Admin dashboard for monitoring 2-3 weeks

Full system for 5-7 networks with HSM integration, AML checks, and admin interface — 3-5 months. Cost is calculated individually after auditing your project.

Order the development of a deposit and withdrawal system — get a ready-made solution with warranty and support. We value transparency: all stages, timelines, and costs are fixed in the contract. Get a consultation — we will answer questions and propose the optimal architecture for your project. Contact us for an estimate — within two days we will analyze your infrastructure and send a commercial proposal.

Why exchange development requires deep domain expertise

We develop exchanges — not 'chart sites,' but matching engines that process thousands of orders per second without delay, route liquidity between pools, and guarantee that no user gains access to others' funds. Teams that start with the UI and postpone the engine 'for later' end up rewriting everything in six months in 90% of cases.

Order Book vs AMM: where most projects break

Centralized exchanges (CEX) are built around an order book + matching engine. Decentralized exchanges (DEX) either also use an order book (dYdX on StarkEx, Serum/OpenBook on Solana) or an AMM with concentrated liquidity (Uniswap v3/v4, Curve, Balancer). A classic mistake when developing a CEX is implementing the matching engine on top of a relational database with transactions for each match. PostgreSQL handles ~500 RPS without special effort, but at peak loads of 5,000–10,000 orders per second, it turns into a deadlock nightmare. The correct architecture: in-memory order book (Redis Sorted Sets or custom C++/Rust structure), asynchronous writing of matches to PostgreSQL via a queue (Kafka/RabbitMQ), and a separate settlement service that finally updates balances.

For DEX, the most painful problem is sandwich attacks and MEV. A pool with a plain xy=k AMM without slippage protection becomes a target for MEV bots within hours of launch. Uniswap v2 lost hundreds of millions of dollars in user liquidity. Solutions: integration with Flashbots Protect, a commit-reveal scheme for orders, or switching to TWAMM (Time-Weighted AMM) for large trades.

Concentrated liquidity and impermanent loss

Uniswap v3 introduced concentrated liquidity – LPs choose a price range in which to provide liquidity. Capital efficiency increased 4,000x compared to v2 for stable pairs. But implementing this mechanism correctly is non-trivial. The Uniswap v3 liquidity contract uses tick-based accounting: the price space is divided into discrete ticks (tick = log₁.0001(price)), each tick stores accumulated fee growth and liquidity delta. When creating a position, the lower and upper ticks are computed, and the contract recalculates all active positions at each swap. Storage layout is critical here – incorrect variable packing in slots easily adds 40–60% to swap gas cost.

We implemented a Uniswap v3 fork for a client on Polygon with a custom fee tier system. The initial version consumed 180k gas for a swap across 2 ticks. After slot packing of variables in Tick.Info and inlining several internal calls, it dropped to 112k gas. This reduced gas costs by 38% and saved the client substantial costs on fees monthly. The techniques applied are described in the Uniswap v3 Whitepaper and confirmed by our audit experience.

How a matching engine delivers performance

A production-ready matching engine is built according to the following scheme:

  • Order ingestion layer – WebSocket gateway (Go or Rust), accepts orders, validates signature, checks balance via Redis, queues them. Latency at this level must be <1ms.
  • Matching core – single-threaded event loop (eliminates race conditions without mutexes). In memory, we hold two Sorted Sets for each trading instrument: bids and asks. FIFO matching for limit orders, immediate-or-cancel for market orders. Throughput with a proper Rust implementation – 500k–1M matches per second on a single core.
  • Settlement service – reads matches from Kafka, atomically updates balances in PostgreSQL (UPDATE accounts SET balance = balance - $1 WHERE id = $2 AND balance >= $1). Optimistic locking via row versioning.
  • Withdrawal pipeline – separate service with cold/hot wallet architecture. The hot wallet holds 5–10% of total deposits, the rest is cold storage with multi-sig (Gnosis Safe or custom HSM). Automatic withdrawals only from hot wallet, large amounts require manual authorization.
Component Technology Latency / Throughput
Order gateway Go + WebSocket <1ms p99
Matching engine Rust (in-memory) 500k+ orders/sec
Balance store Redis (write-through) <0.5ms
Settlement DB PostgreSQL 14+ ~50k TPS with partitioning
Event streaming Apache Kafka 1M+ events/sec
Blockchain node Geth / Solana validator depends on chain

How our exchange development process ensures reliability

Smart contracts and gas optimization

For EVM-based DEX (Ethereum, Arbitrum, Optimism, Polygon), the entire critical path lives in Solidity. Main contracts: Pool, Factory, Router, PositionManager (for v3-like), and Quoter for off-chain calculations. Typical mistakes we see in audits:

Reentrancy via callback. Uniswap v3 uses flash swap with a callback (uniswapV3SwapCallback). If your router lacks a nonReentrant guard and you don't check msg.sender == pool, the contract gets drained via a nested call. This is not hypothetical – several v3 forks lost funds this way.

Oracle manipulation in AMM. If your contract uses the spot price from the pool for collateral calculation, it is front-runnable. Correct: TWAP over 30+ minutes (Uniswap v3 OracleLib) or an external oracle (Chainlink).

Unbounded loops in liquidity range. If a swap crosses many ticks in a row (price impact 80%+), gas may exceed the block limit. Need MAX_TICKS_CROSSED with partial fill and returning the remainder.

For Solana DEX (Anchor framework, Rust), the architecture is fundamentally different: account-based model, Program Derived Addresses (PDA) instead of storage, Cross-Program Invocations instead of internal calls. Solana's throughput (~3,000–4,000 TPS vs 15–30 on Ethereum mainnet) allows building on-chain order books – exactly what Phoenix DEX does.

Liquidity bootstrapping and aggregator integration

Launching a pool is not enough – you need to ensure liquidity at launch. Practical mechanisms:

  • Liquidity Bootstrapping Pool (LBP) – initial price is high, asset weights dynamically shift, creating selling pressure and even token distribution. Implemented in Balancer v2.
  • Initial Liquidity Offering via Uniswap v3 – adding liquidity in a narrow range around the initial price, then gradually expanding as volume grows. Requires active liquidity management or integration with Arrakis/Gamma.
  • Integration with 1inch, Paraswap, Li.Fi – aggregators bring traffic but require standard compliance: the pool must have correct getAmountsOut, support ERC-20 approval/permit, and not have custom transfer hooks that break the aggregator's routing.

Development process and deliverables

Analytics and design begin with choosing the architectural model: CEX with custodial storage, non-custodial DEX, or hybrid (off-chain order book + on-chain settlement, like dYdX v3). This decision determines everything – regulatory load, tech stack, team.

Development proceeds in layers: first smart contracts with full Foundry coverage (fuzzing, invariant testing), then backend services, then integration layer, and finally frontend. Testing includes fork testing on mainnet via Foundry – we reproduce real liquidity conditions, not synthetic ones.

Audit is mandatory before mainnet deployment. For DEX contracts, minimally one firm with manual review (Trail of Bits, Spearbit, Code4rena contest). For CEX custody, audit of key storage processes. We guarantee all contracts undergo formal verification and fuzzing testing (Echidna, Foundry invariant).

Estimated timelines

Exchange type Timeframe
DEX (AMM, xy=k) 3 to 5 months
DEX with concentrated liquidity (v3-like) 6 to 10 months
CEX (matching engine + custody + trading UI) 8 to 14 months
Integration with existing protocol 4 to 8 weeks

Cost is calculated individually after a technical briefing: chain selection, throughput requirements, custodial model. Our certified engineers with 10+ years of experience will help you choose the optimal architecture and avoid common pitfalls. Contact our team for a detailed proposal.

Pitfalls to avoid at launch

  • Forgetting the price oracle in AMM. Spot price can be manipulated with a flash loan in one transaction. If your lending protocol uses the spot price from its own pool, that's a bug.
  • Hot wallet without limits. A CEX without daily limits on automatic withdrawals is an invitation for attackers. Compromising one key should lose at most 10% of total funds.
  • Absence of circuit breaker. A 40% price drop in 5 minutes should halt automatic liquidations or withdrawals until manual review. Without this, a cascading liquidation spiral destroys all TVL.
  • Incorrect decimal handling. USDC uses 6 decimals, WBTC – 8, most tokens – 18. Mixing without normalization leads to either precision loss or overflow. Solidity has no float; we work with fixed-point using FullMath (mulDiv with overflow protection).

Want to avoid these problems? Get a consultation — we will select the architecture for your project and provide exact timelines. Order exchange development with quality guarantee and ongoing support.