Skip to Content
Example SetupsCold Storage, Hot Wallet DeFi

Cold Storage, Hot Wallet DeFi

This example shows a high security Safe for cold storage, with a hot wallet that can run specific DeFi operations but cannot transfer funds or make unscoped calls.

Goal

Keep assets in a cold storage Safe while allowing a hot wallet to:

  • Execute only approved DeFi actions
  • Interact only with scoped protocols and parameters
  • Avoid any direct transfers or arbitrary contract calls

Useful for

  • Cold treasury + hot operator model: Keep custody in a cold Safe while an ops wallet executes only whitelisted DeFi flows.
  • DeFi position maintenance: Delegate routine actions (e.g., supply/withdraw/claim) with tight parameter scoping.
  • Minimizing hot-wallet blast radius: Block transfers and arbitrary calls while still allowing narrowly-scoped protocol interaction.

1. Create the policy

Open Policies and create a new policy (for example, “Cold Safe DeFi Ops”).

2. Select the vault

Choose the cold storage Safe as the vault the policy applies to.

3. Add the hot wallet member

Add the hot wallet address as a Member. This wallet will be the executor for DeFi operations.

4. Add DeFi actions only

In Actions, add one or more DeFi templates for the exact protocols you want to allow.

  • Scope the protocol and the exact operations (for example, supply or withdraw only)
  • Limit tokens and amounts if the template supports it

5. Exclude transfers and custom calls

Do not add Transfer actions and do not add Custom actions. This prevents the hot wallet from moving assets directly or calling arbitrary contracts.

6. Apply changes

Click Apply Changes to deploy the policy. The hot wallet can now execute scoped DeFi operations from the cold Safe without having broad transfer or unscoped call permissions.

Last updated on
Stablecoin StakingVault Curator Ops