What Would a Transparent CEX Look Like in an Ideal Crypto World?

By Dyma Budorin, CEO of Hacken

I have a dream: transparent, secure and fair CEX.

Centralized cryptocurrency exchanges (CEXs) have seen huge progress in capabilities and safety measures since the early days of digital asset trading. However, uncertainty persists around core issues, including asset custody, assets listing, trading transparency, and security. 

CEXs that consider trading volume, liquidity, and the scalability of decentralized exchanges (DEXs) are some of the most powerful players in the industry. However, we’re at a crucial stage in Web3 history where traditional finance (TradFi) is attempting to overtake crypto’s leadership role via private blockchain, centralized stablecoins, and regulation.

For the last eight years, we as an industry have failed to establish self-regulation practices. As a result, those who built crypto and its foundations from the ground up are at risk of becoming obsolete in the new financial infrastructure. Until today, CEXs have not proposed a global agenda on transparency, security, and trading.

There have been attempts from CoinMarketCap (CMC), such as the DATA Alliance in 2018 that brought orderbook metrics and post-FTX Proof-of-Reserves (PoR) requirements — but alas, we didn’t make any progress. Similarly, CoinGecko introduced its TrustScore in an effort to provide a more transparent methodology, yet meaningful industry-wide traction remained elusive.

This article is an attempt to propose set changes that CEXs can implement to unite those crypto OGs that created the foundations we build upon today — before it’s too late. 

Financial Accountability

Establishing financial accountability is the first — and arguably the most critical — step toward building a truly transparent CEX. The ultimate goal here is to produce audited financial statements at a global platform level, something few exchanges have managed to achieve. 

Yet, for many CEXs, PoR remains an essential intermediary measure that offers a verifiable snapshot of total user balances against the platform’s actual holdings. Despite its importance, a concerning industry statistic indicates that only a minority of the biggest exchanges conduct routine PoR checks, and in the majority, not for all listed assets. Those that do not are effectively leaving their solvency open to question.

By regularly verifying 1:1 asset backing and publicizing key findings, CEXs can dispel doubts tied to past mismanaged funds events. However, PoR checks alone are not enough — they must be complemented by frequent third-party audits, internal controls, and complete liability disclosures. This includes exchange-owned tokens and outstanding debts.

Metrics we suggest:

1. Live Proof-of-Reserves (PoR): Clear figures for total user balances vs. total funds held in public crypto wallets.
2. Audit Logs: Summaries of the external auditors’ key findings, published with each audit cycle.
3. Liabilities Disclosure: Explanation of exchange-owned tokens and outstanding debts.

Distinguishing CEXs from Brokers

Unlike brokers, CEXs usually manage their own order books. However, some platforms source liquidity externally, effectively mirroring bigger exchanges, but not always disclosing this setup. The only cost-efficient setup to do that is to transfer user funds to bigger exchanges, which happens in many cases in our industry and is a common practice. Funds are sent without the user’s consent.

There’s nothing inherently wrong with acting as a broker, where orders are routed through external venues, provided that role is clearly disclosed. However, the word CEX should have a definition and those who are mirroring liquidity have to disclose this setup. If a platform mirrors the order books of large exchanges, it should explicitly communicate that setup so that users can be aware that their deposits effectively become liquidity for other markets.

Cooperation with top crypto aggregators and regulators is key to ensuring CEXs are held to this higher standard. Through standardized reporting and licensing, a CEX can instill confidence in the legitimacy of its operations, liquidity sourcing, and trade execution.

Metrics we suggest:

1. Internal vs. External Liquidity Ratio: Percentage of trades filled in-house vs. those matched on other platforms.
2. Settlement Details: Average time it takes to settle trades, especially those directed externally.
3. Collateralization Rates: The amount of user funds locked to facilitate external liquidity.

Market Manipulation Indicators

Traditional stock markets, such as the New York Stock Exchange (NYSE) and the National Association of Securities Dealers Automated Quotations (NASDAQ), enforce clear and meticulous transparency on trading volume, market depth, and regulatory compliance. 

CEXs could learn (and benefit) greatly from these examples by adopting a similar ethos to regularly publicize order book data, settlement times, and liquidity coverage to standardize industry comparisons and build long-term credibility. 

Specific disclosure of token wallet balances vs. daily trading volume and order book size can instill trust in users/investors, while order book depth ratios and spread stability further reinforce that transparency. Any deviations from benchmarks of order book size or volume can quickly reveal bad practices like wash trading.

In many cases, some CEXs have operated as modern-day boiler rooms — creating artificial hype, inflating volumes, and manipulating prices to attract unsuspecting retail traders. A few examples of manipulations are:

Manipulating Internal Prices:
The exchange may use non-transparent or manipulated price feeds, setting their own internal rates slightly different from global market prices. This lets them trigger stop-losses or liquidations unfairly, especially in thin or volatile markets.

Margin Liquidation Exploits:
With access to full user position data, the exchange can intentionally spike prices (or crash them) momentarily, just enough to liquidate large leveraged positions. This is often called a “stop-hunt.”

Front-Running User Orders:
The exchange might use insider knowledge to trade ahead of large user orders, profiting off short-term price changes — a conflict of interest that exploits users.

Artificial Volatility:
They may create fake volume or price swings (via bots or wash trading) to give the illusion of market movement, enticing users to take risky margin positions.

Enforcing public reporting of metrics like abnormal volume spikes, narrow spreads with low depth, and rapid price oscillations could significantly reduce fraudulent activities and secure CEX user trust. 

Exchanges that align their practices with TradFi rule norms will draw institutional investors, who are often otherwise cautious of murky crypto markets.

Metrics we suggest:

1. Order Book to Token Balance Ratio: Flags fake liquidity by comparing displayed depth with actual exchange-held assets.
2. Volume to Token Balance Ratio: Detects abnormal trading activity vs. held reserves, signaling possible wash trading.
3. Perpetuals vs. Spot Price Deviation: Highlights market manipulation or liquidity gaps through consistent rate divergences.

Digital Assets On-Chain Data Verification & Monitoring

Without transparent, verifiable data on who holds how many tokens and under what vesting schedule, retail participants are left to guess at the true market dynamics. This blind spot fuels suspicion and can trigger market manipulation. Conversely, making such information publicly accessible helps promote a fairer and more predictable trading environment.

There should be regular independent audits carried out on the circulation supply of the all tokens and that should be a mandate for CEX listing. With this data clearly laid out for the public to review panic and speculation is deterred, creating a stabilizing effect as knowledgeable traders can act on publicly available facts — not rumors.

CEXs should provide monitoring and analytics on key supply changes and all vesting unlocks and cliffs should also be made publicly available for all assets traded on the platform. All supply changes should be in accordance with the specifics laid out in the white paper. This is particularly relevant now since the EU’s MiCA regulations require MiCA-verified white papers that incur penalties for those who do not deliver the white paper’s promises. CEXs must monitor this.

Projects unwilling or unable to comply with periodic supply audits should face restrictions or potential delisting to ensure only verifiable tokens remain tradable, protecting user confidence and market integrity. Sharing data revealing only the top wallets is not enough and never was.

Metrics we suggest:

1. Live Allocation Updates: Pie charts or tabular reports showing tokens held by founders, teams, early investors, and the public.
2. Vesting Schedules: An interactive timeline of upcoming unlocks, their potential impact on the market and monitoring white paper supply vs. the actual supply.
3. Top 50 Wallet Distributions: This clear and insightful data highlights whether a handful of addresses hold a high percentage of the total supply, helping traders make better-informed decisions.
4. White paper third-party audits: Regular audits of token distribution in comparison with the white paper tokenomics. 

Digital Assets Investors’ Disclosure

In traditional stock markets, significant shareholders and insider transactions are subject to detailed disclosure requirements that ensure minority investors are well aware of who holds substantial stakes, and under what terms. 

Crypto could greatly benefit from a similar framework, mandating that each newly listed token provide independent verified reports about its presale investors—including initial entry prices and specific lockup terms. This would help investors mitigate the risk of becoming potential ‘exit liquidity’ for undisclosed insiders who got invested at rock bottom prices, support price stability, and promote long-term sustainability.

A third-party verified report for all new listings regarding presale investors and co-founders wallets should be publicly available and that data should be trackable in the future for retail investors to trace those wallets to exchanges. Equally, CEXs should publicly disclose those balances to ensure the transparency comes full circle, further ensuring user confidence and trust in their decisions.

Metrics we suggest:

1. Investor Report Disclosure: A file or dashboard showing presale participants, entry prices, token amounts, and key vesting milestones.
2. Presale Wallet Monitoring: Real-time tracking of founders and large investor wallets — especially as they move tokens onto exchanges.
3. Exit Tracking: Exchange data on how many tokens from presale wallets have been sold improves accountability and enables community oversight.

Verified User Metrics

It can be baffling to see how many exchanges with billions in reported volume remain silent about the true size or composition of their user base. Disclosing genuine user metrics dispels suspicions around inflated volumes or wash trading. 

Public verification of user counts, average trading frequencies, and the number of long-term holders can create real data and real trust, distinguishing legitimate exchanges from exchanges that falsify their user volume. When reliable user data is made available, CEXs can acquire better analytics and more accurate models by employing independent analysts and market watchers.

Basic metrics that should be made publicly available include: 

• Total holders
• Time tokens have been held
• Number of traders 
• Average distribution between big and small holders

Metrics we suggest:

1. Number of Active Monthly Traders: Clearly distinguish new and returning users.
2. Average Holdings per User: Clarify whether the platform hosts many small accounts or is home to whales too.
3. Token Holdings Distribution: Breakdown of token ownership between whales and retail users, revealing centralization risks and potential for price manipulation.

Formal Delisting & Annual Token Reports

All markets evolve, but none quite like digital asset markets. Over time, not all projects remain viable, and exchanges must outline clear pathways for delisting underperforming (or non-compliant) tokens. 

By establishing periodic reviews, CEXs can assess whether a token continues to meet the platform’s listing criteria and whether its market liquidity, development activity, or regulatory compliance standards. In tandem, encouraging or mandating projects to release annual reports on their technical, financial, and operational health can help inform CEXs whether tokens should remain available for trading or be delisted.

These annual reports—including product development annual reports—should be audited by third-party entities to ensure compliance and independent data and should include revenue, costs, and treasury data. These figures should be publicly available and strictly highlighted to ensure all token holders can make informed decisions. They are at the core of investor trust.

Metrics we suggest:

1. Annual Third-Party Audit Reports: Detailed public audits including financial data (like revenue, treasuries and expenses), development milestones, team updates, core technical changes, governance information, and compliance/regulatory updates. 
2. Token ‘Report Cards’: Summaries of each project’s key performance and development milestones, updated at least yearly so that users and investors can determine token health and the risk of delisting.
3. Delisting Criteria: Maintain a transparent and public checklist of the CEXs’ delisting criteria, such as failing liquidity thresholds, illegal activities, or unaddressed security flaws.

Reinforcing Security & Learning from Breaches

Security lapses happen, but the real difference in investor confidence — and the exchange’s long-term viability — often comes down to how transparently and effectively it responds. Rather than hiding behind PR spin, CEXs must communicate root causes, fix timelines, and share the steps taken to prevent future incidents. 

Take the recent Bybit hack, for example. After suffering a $1.4 billion attack, the platform responded by introducing stronger internal controls and real-time fund monitoring. This proactive, transparent model is what all CEXs should strive toward if they want to earn (and maintain) user trust.

We could also consider the Binance incident involving Dogecoin (DOGE). Due to the failure to promptly upgrade DOGE infrastructure after a protocol update, Binance inadvertently triggered a series of duplicate withdrawal transactions. The glitch results in disruptions, financial losses, and suspended withdrawals for over two weeks.

Operational & Supply Chain Security

Adopting recognized standards such as the CryptoCurrency Security Standard (CCSS), ISO 27001, or SOC 2 is essential for governing key management, fine-tuning internal controls, and keeping third-party dependencies in check. But let’s be clear: a single penetration test isn’t enough. 

True readiness requires year-round vulnerability scanning, close monitoring of vendor compliance, and routine red-team drills to ensure no gap slips through the cracks. Security will never be static and CEXs must build dynamic and adaptive defenses, especially for critical infrastructure and blockchain node software.

Blockchain Security

Traditional web security strategies simply don’t translate one-to-one to blockchain. Consensus mechanisms, node configurations, and the complexities of smart contracts demand specialized expertise well beyond what most Web3 CISOs have encountered. 

Independent third-party audits are vital for revealing hidden vulnerabilities, and that’s why we conducted a deep dive into the DOGE incident — where a small oversight led to unintended withdrawals on a massive scale. The lesson is clear: never roll out updates without extensive testing in a closed environment — and always maintain strong monitoring measures to catch any anomalies the moment they arise.

Metrics we suggest:

1. CCSS Compliance: Adherence to the Cryptocurrency Security Standard (CCSS), ensuring secure key management and infrastructure protocols.
2. Annual Supply Chain Security Audits: Public annual audits of third-party dependencies, aligned with frameworks like the EU’s DORA regulation.
3. Annual Operational Security (OpSec) Audits: Evaluations of internal processes, access controls, and organizational security hygiene.
4. Annual Penetration Tests: Independent assessments of security posture, including summaries of scope, findings, and mitigation timelines 
5. Annual Bug Bounties: Aggregated data on vulnerability submissions and security responsiveness.

Third-Party Audits of Internal IT Controls

“Trust takes years to build, seconds to break, and forever to repair.” In crypto, this is even more true. 

For CEXs, trust must be earned through constant exposure of internal systems to independent scrutiny, and it’s not just financial audits. Exchanges must undergo cybersecurity, operational risk, and internal control audits — specifically verifying that superadmin permissions cannot be used to unfairly alter user balances without detection.

The QuadrigaCX collapse is a prime example. The exchange’s founder had sole control over customer funds and was able to move assets off-platform without oversight; ultimately leading to a total loss for users after his death. Such failures are a clear example of why we need strong, verified internal IT controls — not just certifications like SOC 2 or ISO 27001.

A related issue is the handling of dormant accounts. Too many CEXs have wallets inactive for years and without clear policies, there’s a risk that these funds could be misused. Exchanges should introduce transparent dormant account policies like administrative fees after a specific inactivity period and publicly disclose the rules to prevent unauthorized appropriation.

Internal audits should also include Bucket Shop Testing conducted periodically and the results remaining public at all times. These tests verify that the exchange is not secretly trading against its users.1

Metrics we suggest:

1. Internal IT Controls Audits: Third-party audits that can verify superadmins and make sure no user’s balance was unfairly changed.
2. Dormant Account Policy Transparency: Clear, disclosed rules for unused funds.
3. Bucket Shop Test Results: Public reports confirming fair market practices.

Real-Time Blacklisting of Hacked Wallets

As someone who lives and breathes cybersecurity, I’ve witnessed firsthand the chaos that ensues when hacked wallets aren’t flagged and frozen immediately. At Hacken, we’ve dedicated ourselves to ensuring that bad actors have no place to hide.

Unfortunately, many major Know Your Transaction (KYT) providers face the threat of legal pushback, slowing the blacklisting process almost to a halt. Hackers exploit this lag by using techniques like address poisoning and sending small sums to multiple wallets to muddy the waters and then slip beneath the radar.

To truly protect investors and the ecosystem, decisive action is a must. Exchanges must collaborate with cybersecurity experts, law enforcement, and their stakeholders to shorten the gap between a hack and the suspect wallets being neutralized. Real-time blacklisting shouldn’t be an optional upgrade — it’s a necessity. When we fail to act quickly, stolen assets are laundered across countless accounts and made almost impossible to recover.

By knitting together timely data-sharing protocols and airtight risk-scoring mechanisms, we can drastically reduce a malicious hacker’s window of opportunity — and greatly boost chance of asset recovery. In an industry that is constantly changing, speed and precision can mean the difference between recovery and a total loss. Real-time blacklisting is one of the most urgent and impactful ways to curb these crypto crimes.

Metrics we suggest:

1. Hacked Wallet Notification Speed: Time to identify and flag wallets post-exploit should be faster.
2. Address Poisoning Countermeasures: Effectiveness of strategies and tools for parsing through “poison” transactions.
3. Exchange Reaction Time: The promptness with which exchanges freeze assets once suspicious activity is detected.
4. Public Dashboards: Exchanges should actively support real-time blocking of hacked wallets and show that data on a public dashboard. Those who fail to implement or act on real-time data should be publicly flagged as their inaction enables money laundering and asset losses.

A Glimpse into the Future (3, 5, and 10 Years)

As a final note, I think it’s critical to recognize that these reforms cannot and will not happen overnight. We need a transition period during which legacy oversights are addressed and, where appropriate, old sins are forgiven. If we fail to implement at least half of these steps within the next three years, the CEX sector may look significantly different. Major exchanges could collapse under regulatory pressure, and user mistrust would likely pave the way to TradFi dominance.

We must ask ourselves: do we really want that?