It's more the hot wallet I'm trying to understand. It is needed for the exchange to instantly process transactions directed by customers. So there'll always be a kind of command path going from website to wallet, no matter how far away you hide the hot wallet, and we'll have to trust that path we setup ourselves. A good hacker will find that path and command the bitcoind. So there's actually no need to trust our path if we can't trust our website.
Now, of course you can have the hot wallet pull for commands and transactions, but then.. how do you trust the content of those commands and transactions? Because, basically, that is that same public website with input from customers.
If we can't trust the website giving commands into the hot wallet, [edited:]how can we trust that same website to collect and offer the hot wallet valid and intended commands to pull?
The route I am going is to have the customers sign everything using their own private keys.
If a hacker uses their private keys unauthorised that will be totally outside my control and I will have no way even to distinguish between a hacker and the actual customer, since to me the private key
is the customer.
This seems nice and safe from my end as service, but admittedly is not going to be very nice for people who let hackers get hold of their private keys.
-MarkM-