Part 1 of Fund Custody: Risks and Boundaries – From CEX to On-Chain Custody

This article is part of the "Decentralized Exchanges" series.
This series aims to help readers systematically understand the fund custody structures of different exchanges.
From centralized to on-chain, from manual approval to procedural execution
Clarify asset control, trust boundaries, and potential risks.

Author: Sevclub, Seven Research

In the previous article, we discussed Hyperliquid —a hybrid exchange that structurally comes closest to "fully decentralized." It puts matching, clearing, and settlement all on-chain, using the system to replace trust.
However, we also see that its decentralization still has its limits: the structure is transparent, but power is not necessarily decentralized; assets are verifiable, but governance is still in the gray area of ​​centralization.

Taking this topic as an example, we hope to push the issue a step further—what dimensions should we use to judge the degree of decentralization of an exchange? Which factors are determined by the technical architecture, and which depend on the system and design? After all, when discussing whether an exchange is truly "decentralized," clarifying these dimensions not only helps to understand the nature of its operation, but also enables investors to make more rational and evidence-based analyses and decisions when facing different platforms.

Today, let's start with the most basic and intuitive dimension: Custody – where is your money stored?
Whether it's a DEX with an AMM model, an on-chain exchange using a cross-chain bridge mechanism, or a traditional centralized platform (CEX).
"Fund custody method" is always the first key for many novices to understand the risks and trust of these exchanges.

I. Centralized Hosting (CEX): The Conflict Between Efficiency and Trust

For many beginners, centralized exchanges are the first and easiest option to use. Traditional centralized exchanges have an advantage in that they have well-developed deposit and withdrawal channels, which DEXs currently cannot replace, at least in terms of user experience.

In traditional centralized exchanges (CEXs), users' assets are first transferred to the platform's internal account.
On the surface, account balances are updated in real time and transactions are smooth, but those are just numbers in the database and do not equate to the real-time ownership of assets on the blockchain .

The custody logic of CEXs is very similar to that of traditional securities or banking systems:
Users' funds are not stored directly on the blockchain, but are concentrated in several master accounts (wallet addresses) on the platform.
The exchange can complete matching and transaction records in milliseconds simply by performing "bookkeeping settlement" on its internal ledger .

It is this " in-account matching and centralized accounting " model that gives CEXs extremely high execution efficiency and liquidity:
It does not require waiting for block confirmation or paying gas fees, thus providing a far superior transaction experience compared to on-chain systems.

However, the price of its efficiency is that user funds must be completely held in escrow by the platform. The platform possesses all the private keys to these funds and can:

• Approval, delays, or even refusal of withdrawals;
• Misappropriation or pledging of user assets without disclosure;
• Funds were frozen under the guise of "compliance" or "risk control".

In practice, exchanges typically categorize assets into two types: **hot wallets** and **cold wallets**.

• The hot wallet handles daily matching and withdrawals, and is online and readily available.
• Cold wallets store most assets offline to reduce the risk of theft.

To mitigate the risks associated with single-point private keys, many platforms employ multisig or threshold signature (M-of-N) to distribute private key control, along with operational governance measures such as permission separation, audit logs, withdrawal approval processes, and signature threshold settings.

However, these technologies and processes can only reduce operational risks, not completely eliminate systemic risks caused by abuse of power by management, compliance policy pressure, or insider misconduct. Therefore, when "decentralization" is used as a marketing term, the primary question for raising the risk radar remains: where exactly is the money placed, who can access it, and what processes and externally verifiable mechanisms are required for its use?

From Mt. Gox to FTX, ten years of experience proves:
When trusteeship is concentrated in a single entity, the lack of transparency will eventually translate into systemic risk.

The "efficiency" of a CEX comes from its centralized ledger, but the "risk" also stems from this centralized structure.
What users see is a balance system maintained by the platform;
The real assets may have already been mixed in with the platform's total funds pool.

More importantly, the regulatory systems in most countries still do not fully cover the custody of crypto assets .
Traditional financial institutions are constrained by capital adequacy ratios, separate accounting regulations, and investor protection provisions.
Crypto exchage often operate in a gray area.
It is neither a bank nor a securities brokerage.

This means:

• Platforms typically lack mandatory disclosure regarding how they use customer assets;
• There is no unified legal framework for the order of asset liquidation during bankruptcy proceedings.
• Regulators are unable to track on-chain fund flows in real time.

Therefore, even with an "audit report" or "proof of reserves",
They often do not have equal legal effect.
Once trust is broken, whether users can recover their assets still depends on the ambiguous judgment of the jurisdiction in which they reside.

Centralized custody is essentially a form of "institutional trust".
It relies on the platform's reputation, auditing practices, and regulatory framework, rather than publicly verifiable blockchain rules.
Once a crisis of trust occurs, leading to a run on the exchange, its collapse, and users being unable to withdraw their funds, they will realize that what they own is not an on-chain asset, but rather a "paper claim" against the exchange.

This is a risk that everyone entering this industry must understand, whether you are a veteran or a novice.
Someone once said:

"Anyone who doesn't have a single penny on a centralized exchange is either a complete novice or a seasoned veteran who has seen through everything."

II. Authorized Self-Hosting: The Two Sides of Uniswap and the "Crypto Honeypot"

Uniswap represents a different logic— funds are not held in escrow by the platform, but reside directly in smart contracts .
Users do not "deposit" their assets; instead, they temporarily authorize the contract to call the transaction during the transaction. Once the transaction is completed, the assets are immediately returned to the wallet.

This is the AMM (Automated Market Maker) model we discussed in the previous episode, which forms the prototype of decentralized exchanges (DEXs).

The principle of AMM and the essence of "on-chain custody"

At its core, an AMM is a pool that holds two types of assets (such as ETH and USDC).
The pricing rule follows the constant product formula: x × y = k

Where x and y represent the reserves of the two assets in the pool, respectively, and k is a constant.
Regardless of the transaction amount, the product must remain unchanged (ignoring transaction fees).

This means:

• When a user buys ETH (paying USDC to the pool), the ETH reserves decrease and the USDC reserves increase.
• The system automatically adjusts prices to maintain a constant product relationship;
• The price is no longer determined by pending orders, but is automatically generated by the proportion of assets in the capital pool.

For example, "exchanging 1 ETH for USDC".

① Approve
The user first authorizes the Router contract to access a certain amount of assets. This authorization is not a "deposit".
Instead, the contract is invoked temporarily during the transaction.

② Submitting a Transaction <br>Users initiate a transaction on the front end, and the wallet confirms it with a signature. Transaction information includes parameters such as expected slippage, minimum amount to receive, and deadline.

③ Atomic execution (On-chain Swap)
The Router contract receives ETH and sends it to the Pool contract;
Pool calculates and distributes the corresponding amount of USDC according to the constant product formula ( x*y=k ).
Ultimately, the funds return directly to the user's wallet .

④ State Update <br>The reserves are updated, and the transaction event is recorded on-chain.
There were no human interventions or withdrawal requests throughout the entire process.

This is the managed logic of AMM:
The "custodian" of user funds is the contract itself, not a centralized institution.

The true meaning of liquidity providers (LPs) and "deposits".

The concepts of "deposit" and "withdrawal" only arise when a user becomes a liquidity provider (LP) .

• Add Liquidity : Deposit two assets into the pool proportionally and receive LP tokens;
• Remove Liquidity : Destroy LP tokens and retrieve both assets and a share of the transaction fees.

This may seem simple, but it hides the Impermanent Loss .
When market prices fluctuate, the pool automatically rebalances; if prices reverse,
The total assets at the time of withdrawal may be lower than the returns from simply holding the currency.

In other words, AMM replaces market makers with algorithms, but redistributes volatility risk to ordinary participants.

Self-management ≠ Risk-free: From authorization to "crypto honeypot)

The advantages of the AMM model are obvious:

• The platform cannot misappropriate funds; all rules are executed by code.
• All transactions are executed on-chain, making them verifiable and traceable;
• There is no "withdrawal request" step; users can operate independently at any time.

However, self-hosting does not equate to security.
The act of granting authorization itself can become a source of risk.

In the past few years, a large number of contract projects have emerged that are disguised as "high-yield mining" or "aggregated trading".
This tricks users into granting unlimited limits by calling the approve() function.

These contracts appear normal on the surface, but are actually a typical "Crypto honeypot" scheme .
The name comes from a mythical beast that only takes in money and never lets it out, implying that "once the money goes in, it can never come out."

Common features include:

• The contract can receive tokens, but it lacks withdrawal logic.
• Reserved administrator privileges, allowing authorized assets to be transferred at any time;
• They use phishing websites or airdrops as a cover to trick users into signing authorizations.

In these scams, the wallet remains in the user's hands.
However, ownership of the assets has been taken away by the contract.

This reveals the cost of the self-managed model:
It eliminates "platform risk" but amplifies "judgment risk".
Users must bear full responsibility for every authorization and every piece of code.

In a self-hosted system, the blame for errors doesn't fall on someone else, but on the line of code you signed off on.

The AMM model maximizes user control over their assets.
However, at the same time, it also puts all the responsibility for safety back on the individual.

In a centralized platform, you lose control but gain escrow protection in return;
In the world of self-hosting, you regain control, but you must also possess sufficient judgment.
To identify which contracts are trustworthy.

This is precisely the first contradiction in the DEX model:
Decentralization brings freedom to users, but also the responsibility of self-management.

In the next episode, we'll discuss two custody models for on-chain exchanges.

Disclaimer: As a blockchain information platform, the articles published on this site represent only the personal views of the authors and guests and do not reflect the position of Web3Caff. The information contained in the articles is for reference only and does not constitute any investment advice or offer. Please comply with the relevant laws and regulations of your country or region.