Cold Storage, Hot Wallet DeFi

This pattern keeps assets in a cold Safe while allowing a hot wallet to execute narrowly-scoped DeFi actions.

Goal

Keep assets in a cold storage Safe while allowing a hot wallet to:

• Execute only approved DeFi actions
• Interact only with scoped protocols and parameters
• Avoid direct transfers or arbitrary contract calls

Useful for

• Cold treasury + hot operator model: Keep custody in a cold Safe while an ops wallet executes only whitelisted DeFi flows.
• DeFi position maintenance: Delegate routine actions (e.g., supply, withdraw, claim) with tight parameter scoping.
• Minimizing hot-wallet blast radius: Block transfers and arbitrary calls while still allowing narrowly-scoped protocol interaction.

Setup steps

1. Open Policies and create a new policy (for example, “Cold Safe DeFi Ops”).
2. Choose the cold storage Safe as the vault the policy applies to.
3. Add the hot wallet address as a Member. This wallet will be the executor for DeFi operations.
4. In Actions, add one or more DeFi templates for the exact protocols you want to allow.
5. Scope the protocol and the exact operations (for example, supply or withdraw only). Limit tokens and amounts if the template supports it.
6. Do not add Transfer actions and do not add Custom actions. This prevents the hot wallet from moving assets directly or calling arbitrary contracts.
7. Click Apply Changes to deploy the policy.

The hot wallet can now execute scoped DeFi operations from the cold Safe without having broad transfer or unscoped call permissions.