A withdrawal whitelist (also called "withdrawal address book" or "address allowlist") is the exchange feature that restricts outbound transfers to a pre-approved set of destination addresses, with a mandatory waiting period before new addresses can be used. It is the single most cost-effective configuration change at any centralized exchange, and the one most US-resident holders skip.
The mechanism
Enabled at the account level. Once turned on:
You define a list of approved withdrawal addresses (your hardware wallet, your other exchange accounts, family member wallets). Each entry typically requires email and 2FA confirmation when added.
Withdrawals to any address not on the list either fail outright or trigger a multi-day waiting period (24-72 hours, exchange-dependent) plus an explicit confirmation flow.
Modifications to the list — adding a new address, removing an existing one — also trigger waiting periods and multi-factor confirmation. The list itself becomes a protected resource.
What this defends against
The threat model is straightforward: an attacker who has compromised your exchange account credentials but lacks physical access to your devices. Without a whitelist, the attacker logs in, generates a withdrawal to their own address, and exits the account. With a whitelist, the attacker can attempt to withdraw, but only to your pre-approved addresses (useless for them), and any attempt to modify the list itself takes days, during which you receive notifications and can revoke access.
This is the actual mechanism that has saved a substantial number of US holders during real attacks. The 2022 phishing wave that drained credentials from hundreds of Kraken users, the 2023 Coinbase support-impersonation campaign — in both cases, users with whitelist enabled lost nothing despite having credentials compromised.
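The hold-and-revoke behaviour described above, as a minimal Python model of the exchange-side check. This is an added example, not any exchange's code: the class and method names, the 48-hour hold, the placeholder addresses and the choice to deny unlisted destinations outright (rather than hold them) are assumptions.

```python
from dataclasses import dataclass, field

HOLD_SECONDS = 48 * 3600  # assumed hold; the page cites 24-72 hours, exchange-dependent

@dataclass
class Allowlist:
    """Toy model of a withdrawal allowlist (hypothetical names, not a real API)."""
    hold: int = HOLD_SECONDS
    active_at: dict = field(default_factory=dict)      # address -> time it becomes usable
    notifications: list = field(default_factory=list)  # alerts sent to the account owner

    def request_add(self, address, now, mfa_ok):
        # Adding an entry needs email/2FA confirmation AND starts the hold timer.
        if not mfa_ok:
            return "rejected: confirmation failed"
        self.active_at[address] = now + self.hold
        self.notifications.append((now, f"new address pending: {address}"))
        return "pending"

    def revoke(self, address):
        # The owner, alerted by the notification, cancels the entry during the hold.
        return self.active_at.pop(address, None) is not None

    def withdraw(self, address, now):
        ready = self.active_at.get(address)
        if ready is None:
            return "denied: address not on allowlist"
        if now < ready:
            return f"denied: address on hold for {ready - now}s"
        return "sent"

def simulate():
    """Constructed timeline: an unknown address is added, then revoked by the owner."""
    book = Allowlist()
    book.active_at["bc1-owner-hardware-wallet"] = 0    # constructed placeholder, long active
    t0 = 1_000_000
    results = [
        book.withdraw("bc1-unknown-destination", t0),           # not listed
        book.request_add("bc1-unknown-destination", t0, True),  # worst case: confirmation passed
        book.withdraw("bc1-unknown-destination", t0 + 3600),    # still inside the hold
        book.withdraw("bc1-owner-hardware-wallet", t0 + 3600),  # pre-approved path still works
    ]
    revoked = book.revoke("bc1-unknown-destination")            # owner reacts to the alert
    results.append(book.withdraw("bc1-unknown-destination", t0 + book.hold + 1))
    return results, revoked, len(book.notifications)

if __name__ == "__main__":
    for line in simulate()[0]:
        print(line)
```

The final withdrawal is denied even though the hold has elapsed, because the pending entry was revoked during the waiting period.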
How to set it up at the major US exchanges
Coinbase: Settings > Send & receive > Address Book. Enable Address Book. Add your hardware wallet address. Coinbase enforces a 48-hour waiting period before new addresses can be used.
Kraken: Funding > Withdrawal address book > Edit. New addresses require email confirmation plus a configurable waiting period (default 24 hours, can be extended).
Gemini: Settings > Withdrawal Address Whitelist. Mandatory feature for institutional accounts; opt-in for retail.
Binance.US: Profile > Security > Withdrawal Address Management. Configurable per-asset waiting period.
The friction trade-off
The whitelist adds 24-72 hours of latency the first time you withdraw to a new address. For a US-resident holder withdrawing primarily to a known hardware wallet, this friction is invisible after the initial setup. For a holder who frequently changes destination addresses (DeFi yield farming across many wallets), the friction is real but mitigated by adding all the addresses up front.
The single most common failure mode: the holder gets impatient, disables the whitelist temporarily to make a fast withdrawal, and forgets to re-enable it. Discipline rule: never disable the whitelist; if you need to add a new address, take the waiting period.
Further reading: CEX, Exchange evaluation handbook.