Five things we learned that were never in the original spec. All of them surfaced in the first three months of real operations.
1. Production starts at the worst hour, not the launch hour
Latency budgets, error pages, oncall escalation, status dashboards — all designed for business hours by default. Crypto liquidity doesn't keep business hours. Build for the 3 a.m. case from day one, or you'll rebuild for it after the first incident.
Our oncall rotation now starts the day a feature lands in staging, not the day it lands in production. That single change has caught two outages that would otherwise have been Telegram-message-driven debugging.
2. Hot-wallet thresholds are a product feature, not a config value
We started with a global rule: sweep to cold custody when hot balance exceeds X USDT. The trader wanted per-counterparty thresholds. Per-asset thresholds. Time-of-day thresholds. And the ability to override on a single specific deal because he had inside knowledge about a settlement at 4 a.m.
The day we stopped treating it like infrastructure and started treating it like a first-class UI surface, the platform got useful.
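A sketch of how layered sweep thresholds can resolve to one effective limit with an auditable reason. This is an added example, not the platform's code: the `Rule` and `Override` types, the precedence order (per-deal override, then counterparty, asset, time of day, global), and the approver and expiry fields on overrides are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time, timezone
from decimal import Decimal
from typing import Optional

@dataclass(frozen=True)
class Rule:
    name: str
    limit: Decimal                       # sweep to cold custody above this balance
    asset: Optional[str] = None          # None matches any asset
    counterparty: Optional[str] = None   # None matches any counterparty
    window: Optional[tuple] = None       # (start, end) UTC times; may wrap midnight

    def matches(self, asset, counterparty, now):
        if self.asset not in (None, asset) or self.counterparty not in (None, counterparty):
            return False
        if self.window is None:
            return True
        (start, end), t = self.window, now.time()
        return start <= t < end if start <= end else (t >= start or t < end)

    def specificity(self):
        # Assumed precedence: counterparty > asset > time-of-day.
        return 4 * (self.counterparty is not None) + 2 * (self.asset is not None) + (self.window is not None)

@dataclass(frozen=True)
class Override:
    deal_id: str
    limit: Decimal
    approved_by: str      # recorded so the audit trail names a person
    expires: datetime     # overrides lapse on their own; they never become policy

def effective_limit(global_limit, rules, asset, counterparty, now, deal_id=None, overrides=()):
    """Return (limit, reason); the reason string is what gets logged."""
    for o in overrides:
        if o.deal_id == deal_id and now < o.expires:
            return o.limit, f"override:{o.deal_id}:{o.approved_by}"
    hits = [r for r in rules if r.matches(asset, counterparty, now)]
    if not hits:
        return global_limit, "global"
    best = max(hits, key=Rule.specificity)
    return best.limit, f"rule:{best.name}"

# Constructed sample policy, for illustration only.
RULES = [
    Rule("usdt", Decimal("50000"), asset="USDT"),
    Rule("cp-a", Decimal("20000"), counterparty="cp-a"),
    Rule("night", Decimal("10000"), window=(time(22, 0), time(6, 0))),
]
```

Returning the reason alongside the limit means every sweep decision can be logged with the rule or approver that produced it.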
3. Escrow felt over-engineered until it didn't
A programmatic escrow with a multi-step release flow felt, in week one, like enterprise theatre. The trader knew his counterparties. Why all the ceremony?
Then a deal went sideways. Counterparty in dispute. Funds were locked in the escrow account. The dispute resolved cleanly in 36 hours because nobody had to trust anybody on the spot — the workflow did the work.
We never argued the case for "minimal viable trust" on a money platform again.
4. The chat module is the riskiest service on the platform
File attachments. Deal-term screenshots. PDF settlement docs. Pasted wallet addresses. Every message is a phishing vector, a compliance artifact, and a potential leak surface all at once.
We rebuilt that module twice in the first year. Once for attachment scanning, once for an audit trail strong enough to survive a regulator's questionnaire. Treat chat in a trading product like a custody system, not like Slack.
5. The reputation system runs the marketplace
We shipped reputation as a feature. We thought it was the cherry on top.
It turned out to be the whole product. Without a reputation score, every new counterparty is a first-time risk for the other side, and every deal needs a phone call before it can close. With it, repeat deals close in minutes — sometimes from a single Telegram message and a transaction hash.
When the trader asks for a "small tweak" to reputation scoring, drop everything else.
None of this was in the original spec
All of it was in the first three months of operations.
If you're building anything that handles money at unpredictable hours, assume the spec is incomplete. The traders will tell you what was missing. They will do it at 3 a.m. Be ready to listen.