Home/ All Articles/Security/How to Enable Binance Withdrawal Whitelist? How Long is the Cooling-Off Period

How to Enable Binance Withdrawal Whitelist? How Long is the Cooling-Off Period

Updated on 2026-04-13 · 20 minSecurity

Once the Binance withdrawal whitelist is enabled, you can only withdraw to pre-specified addresses, and adding a new address requires a 24-48 hour cooling-off period to take effect. This delay might seem inconvenient, but it is exactly what saves countless accounts—an attacker who gains access to your account cannot wait out the cooling-off period and will immediately give up. Enabling the whitelist + Anti-phishing code + 2FA forms the "standard defense triad" for Binance accounts. Before any account operation, verify your identity at the Binance Official Site, download the APK via the Binance Official App, and see the full-platform process in the Download Center.

What is the Withdrawal Whitelist?

The Binance withdrawal whitelist is a security mechanism:

  • Default state: You can withdraw to any address.
  • Once the whitelist is enabled: You can only withdraw to addresses in your address book.
  • Any withdrawal request to a non-whitelisted address will be directly rejected.

It acts similarly to a bank's "designated payee" feature.

How it Prevents Theft

Suppose an attacker gets hold of your account and your 2FA code:

Scenario Without the Whitelist

  1. The attacker logs into your account.
  2. Copies their own wallet address.
  3. Initiates a withdrawal and enters the amount.
  4. Inputs the 2FA code.
  5. The withdrawal succeeds, and your assets are gone.

The entire process completes in under 5 minutes, giving the account owner no time to react.

Scenario With the Whitelist Enabled

  1. The attacker logs into your account.
  2. Tries to add their address to the whitelist.
  3. Adding it → triggers the 24-48 hour cooling-off period.
  4. They cannot withdraw to this new address during the cooling-off period.
  5. You receive a "new address added" notification (Email + App push).
  6. You immediately change your password + force logout + remove the suspicious address.
  7. The attack fails.

The 24-hour cooling-off period = your reaction time window.

Steps to Enable

1. Go to Settings

  • App: "Wallets → Withdraw → Withdrawal Address Management → Address Book".
  • Web: Profile icon (top right) → Wallet → Withdraw → Address Management.

2. Turn on the Whitelist

Toggle the "Enable Whitelist" switch at the top of the page.

The system will require 2FA verification:

  • Email verification code.
  • Google Authenticator 6-digit code.
  • SMS verification code (if bound).

Once verified, the whitelist becomes active.

3. Add Frequently Used Addresses

After enabling the whitelist, add all your commonly used withdrawal addresses:

  • Your hardware wallet addresses.
  • Your Web3 wallet addresses.
  • Trusted receiving addresses of friends/family.
  • Your deposit addresses for other exchanges (e.g., OKX, Coinbase).

When adding each address, fill in:

  • Label (a custom name for easy identification).
  • Coin / Network (BSC / ETH / Tron, etc.).
  • The full address.

Once added, wait for the 24-48 hour cooling-off period to end for the address to become officially active.

4. Backup for Urgent Withdrawals

Some users worry: "What if I urgently need to withdraw to a new address?" Suggestions:

  • Estimate all potential addresses you might need and whitelist them in advance.
  • If you genuinely need a new address urgently, you must wait 24-48 hours.
  • Alternatively, route it through an already whitelisted address (e.g., Your hardware wallet → Temporary address).

Design Rationale Behind the 24-48 Hour Cooling-Off Period

Why 24-48 hours?

  • Too short (< 6 hours): Attackers can afford to wait.
  • Too long (> 72 hours): severely impacts normal user experience.
  • 24-48 hours: Gives legitimate users enough time to receive notifications and react, while attackers will not wait.

For some high-risk accounts (e.g., recent password changes, strange logins), this may be extended to 72 hours.

What You Can Do During the Cooling-Off Period

During the cooling-off period, the new address:

  • Cannot be used for withdrawals.
  • Shows a "Waiting for activation" status.
  • Displays a countdown timer indicating the remaining time.

During this period you can:

  • Cancel the addition (if you realize it was a mistake or an attack).
  • Edit the address label.
  • Add other addresses (each address has an independent timer).

Canceling during the cooling-off period is a critical security reaction window—if you notice an anomalous addition, cancel it immediately.

Withdrawing to Non-Whitelisted Addresses

If you attempt to withdraw to a non-whitelisted address while the whitelist is active:

  • The App displays "This address is not whitelisted."
  • The withdrawal request is rejected.
  • No fees are deducted.
  • No funds are transferred.

This is a strict design constraint; there is no way to bypass it.

Disabling the Whitelist

If you no longer wish to use the whitelist:

  1. Go to the Address Management page.
  2. Toggle the "Disable Whitelist" switch.
  3. The system requires 2FA verification.
  4. After disabling, you must wait 24 hours for it to fully take effect (to prevent attackers from turning it off and transferring funds instantly).

Once disabled, you can withdraw to any address, but your security is significantly reduced.

Limitations of the Whitelist

The whitelist only protects against "unknown addresses"; it does not protect against:

  • The whitelisted address itself being compromised: If the private key of your whitelisted wallet is stolen, an attacker can transfer assets from that address (but this is a wallet security issue, not a Binance security issue).
  • The whitelisted address being replaced: Attackers might try to modify your whitelisted addresses, which is why modifying an address also triggers a cooling-off period.
  • Internal App transfers: The whitelist only controls external withdrawals; transfers between Binance accounts are unaffected.

It must be used in conjunction with other security mechanisms:

  • Physical safekeeping of wallet private keys/mnemonics.
  • Anti-phishing codes to identify fake emails.
  • 2FA to prevent password leaks.

Key Best Practices

1. Enable Whitelist from the Start

Turn on the whitelist + add commonly used addresses within the first week of creating your account. Changing it when the account is "mature" can be more troublesome.

2. Use Clear Address Labels

Make sure the label (custom name) for each address is distinct:

  • "My Ledger BTC Address"
  • "My BSC Wallet"
  • "OKX USDT Deposit Address"
  • "Friend John's BTC Address"

Clear labels = No wrong selections during withdrawal.

3. Review Periodically

Review your whitelist every 1-3 months:

  • Are all addresses still needed?
  • Are there any outdated addresses (e.g., a friend changed wallets)?
  • Delete unused addresses.

A streamlined whitelist is a safer whitelist.

4. Test Withdrawal Amounts

When using a newly whitelisted address for the first time:

  • Withdraw a small amount (5-10 USDT) to test it first.
  • Confirm receipt before withdrawing the bulk.
  • This prevents address input errors.

5. Enable Notifications

Ensure you receive whitelist change notifications promptly:

  • Enable email notifications.
  • Enable App push notifications.
  • Set up an Anti-phishing code (so you can distinguish genuine notifications).

Frequently Asked Questions

Q: Is there a limit to the number of whitelisted addresses? A: Usually, there is no upper limit; you can add dozens. However, adding too many makes management difficult and is not recommended.

Q: Is there a cooling-off period for deleting a whitelisted address? A: No. Deletion is instantaneous. But re-adding that same address later will require another 24-48 hour cooling-off period.

Q: Are internal transfers (between Binance accounts) bound by the whitelist? A: Generally, no. Transfers between internal Binance users do not rely on external addresses.

Q: Can I make an address permanently whitelisted so it cannot be deleted? A: No. All whitelisted addresses can be deleted (after 2FA verification). This is actually a good thing—it prevents attackers from maliciously "locking" a whitelisted address that you cannot remove.

Q: Does enabling the whitelist affect trading? A: Not at all. The whitelist only restricts external withdrawals; trading, depositing, and internal transfers are unrestricted.

Q: If I lose my phone and my 2FA, can I temporarily disable the whitelist to move funds? A: No. Changing any security setting (including disabling the whitelist) requires 2FA. You must reset your 2FA (which takes 7-15 days to review) before you can proceed.

Summary

The Binance withdrawal whitelist is the last line of defense against assets being transferred out after an account is compromised. Once enabled, you can only withdraw to pre-specified addresses, and adding new ones triggers a 24-48 hour cooling-off period, giving the account owner ample time to react. It takes 1 minute to set up, and combined with 2FA + Anti-phishing code + Device management, it forms a complete protective shield. We strongly recommend all Binance users to enable the whitelist and add their frequent addresses in advance. Review your whitelist every 1-3 months to keep it streamlined.