Proof of Reserves

The warning was issued after crypto exchanges jumped on the trend of providing proof-of-reserves reports to ease concerns after the FTX collapse.

The Public Company Accounting Oversight Board (PCAOB) — a watchdog that oversees audits of public companies in the United States — recently issued an advisory that warned investors about proof-of-reserves (PoR) reports issued by auditing firms.

Crypto entities may engage a service provider to issue “proof of reserve” reports. A new Investor Advisory from the PCAOB’s Office of the Investor Advocate urges investors to exercise caution with these reports. https://t.co/aAykzlc7k1 #PCAOBresources pic.twitter.com/7S6jLCC2np

— PCAOB_News (@PCAOB_News) March 8, 2023

The PCAOB, backed by the U.S. Securities and Exchange Commission (SEC), pointed out that investors should not “place undue reliance” on PoR reports, which are not within the board’s oversight authority. The advisory wrote: 

“Importantly, investors should note that PoR engagements are not audits and, consequently, the related reports do not provide any meaningful assurance to investors or the public.”

In addition, the board also argued that PoR reports don’t provide assurances on the state of the assets after issuing the report. According to the PCAOB, PoRs don’t reflect if the assets were used, lent or became unavailable to customers after the report’s publication. The board also said that PoR reports do not assure the effectiveness of the crypto entity’s internal controls or governance.

The board noted that PoR reports are not conducted in accordance with the PCAOB auditing standards. Furthermore, the board highlighted a lack of uniformity among service providers of PoR reports.

“Proof of reserve reports are inherently limited, and customers should exercise extreme caution when relying on them to conclude that there are sufficient assets to meet customer liabilities,” the advisory added.

Related: Nic Carter dives into proof-of-reserves, ranks exchange attestations

The warning came after many crypto exchanges jumped on the trend of providing PoR reports in an attempt to assure investors of their financial safety after the FTX debacle. On Jan. 19, crypto exchange OKX declared $7.5 billion in liquid assets in its PoR report. On Feb. 23, exchange MEXC Global released its PoR after 45 days of testing.

More recently, crypto exchange Binance added 11 tokens to its PoR report, claiming $63 billion in reserves on March 7.

Crypto trading platforms Kraken and BitMEX topped the proof-of-reserves score list, while Binance received a low score for being incomplete.

Bitcoin advocate Nic Carter has released an in-depth analysis of centralized exchange proof-of-reserves and ranked the attestations provided by some of the most prominent crypto trading platforms in the space. 

Carter published a detailed examination of the quality of several exchanges’ proof-of-reserves (PoR). The crypto executive used parameters such as attestation to assets held and a disclosure of liabilities, incorporating a third-party auditor, demonstrating credibility by taking a PoR for all assets and committing to an ongoing procedure to determine which PoRs are of the best quality. 

Crypto trading platforms Kraken and BitMEX topped the list. According to Carter, Kraken, which employed Armanino for its proof-of-reserves, gives clients a "good level of confidence" that there are no hidden liabilities. Carter also praised the trading platform’s commitment to doing PoRs every six months. 

On the other hand, BitMEX, which also received praise, did not rely on an auditor but opted to go for a very transparent model. On the asset front, the exchange listed all BTC balances held by the exchange and proof that they are spendable by the BitMEX multisig. With its liabilities, the firm published the full Merkle tree of user balances. “This means that there are no issues with excluded or negative balances since anyone can vet the liability set in full," Carter wrote.

Related: CryptoQuant verifies Binance's reserves, reports no ‘FTX-like’ behavior

While some received high marks in terms of PoR score, crypto exchange Binance’s PoR did not do well on the rankings. According to Carter, the exchange’s low PoR score is because the PoR is incomplete. The crypto analyst believes that despite Binance CEO Changpeng Zhao (CZ) highlighting the importance of PoRs after the FTX collapse, the executive “hasn’t yet risen to his own challenge.” He wrote:

“Binance’s first PoR doesn’t grant strong assurances. It only covers Bitcoin, which only represents 16.5% of their client assets.”

While the PoR allows individual users to verify that they are included in the liability set, Carter said that the PoR does not show the entire liability list. This makes it difficult for a third party to verify the procedure according to the analyst.

Crypto custodians generate public attestations about their cryptocurrency holdings through proof-of-reserves audits to demonstrate their solvency to depositors.

With the rising interest in digital assets from institutional and retail investors, custody options have also experienced parallel growth. As a result, different kinds of custody choices have evolved as the market changes, and new providers are working to establish the structures and controls that are most effective for particular markets and offerings.

Self-custody, exchange wallets and third-party custodians are the various choices available for users to safeguard their cryptocurrencies. Custodians in the world of digital assets function similarly to traditional financial markets in that their primary duty is to take care of and protect their clients’ assets by holding the private key on behalf of the asset holder, preventing unauthorized access. 

However, despite such efforts, events such as the collapse of FTX (a cryptocurrency exchange and crypto hedge fund) and the liquidation of Three Arrows Capital (a cryptocurrency hedge fund) shocked the cryptocurrency industry. They made people question the reliability and integrity of crypto custodians.

To ensure the financial soundness of custodians, a proof-of-reserves (PoR) audit confirms that the company’s on-chain holdings are identical to the client assets listed on the balance sheet, reassuring customers that the business is solvent and liquid enough to continue business with them.

This article will discuss what is a proof-of-reserves audit, why proofs of reserves are important, how to access the proof of reserves, and how to verify proofs of reserves.

What is a proof-of-reserves?

In traditional finance, reserves are a company’s profits kept aside to utilize in unforeseen circumstances. In contrast, in the crypto space, a proof of reserves refers to an independent audit conducted by a third party to confirm that the entity being audited has sufficient reserves to support all of its depositors’ balances.

For trustworthy and experienced digital asset service providers, undergoing a proof-of-reserves audit is a critical step in the regulatory process. The PoR audit ensures customers and the public that the custodian is sufficiently liquid and solvent, and they can withdraw funds anytime, providing transparency on the availability of their funds. 

A proof-of-reserves audit also benefits crypto companies acting as custodians, as by ensuring absolute asset backing, they can retain customers and enhance trust in their operations. Moreover, through PoR, centralized exchanges are prohibited from investing depositors’ money in other companies, minimizing the risk that businesses will maximize the returns from their consumer assets. Additionally, such an audit also helps prevent the likelihood of events such as the great financial crisis of 2007–2008.

How does a proof-of-reserves audit work?

Before understanding how a proof of reserves works, let’s get familiarized with the overall auditing process. In general, the audit should assess an exchange’s solvency, which produces only two outcomes: either the exchange is solvent if its assets exceed its obligations or liabilities or insolvent in all other cases. However, it is conceivable that there are instances where this binary result is insufficient, such as when an exchange has to demonstrate fractional reserves.

In the case of fractional reserves, a portion of an exchange’s deposits is maintained in reserve and made instantly accessible for withdrawal (as cash and other highly liquid assets), with the remaining balance of the funds being lent to borrowers.

The auditing procedure can be divided into three distinct steps:

Proof of liabilities

The exchange’s liabilities are the outstanding cryptocurrency balances due to its clients. The sum of all customer account balances is used to compute the exchange’s total liabilities. To determine solvency, the computed amount is later contrasted with the total reserves. The proof of liabilities component also calculates the hash of the fraction factor and the root of a Merkle tree.

The user account information is used to construct a Merkle tree using the cryptographic hash of the customer’s identity, and the amount owing to the customer would be used to generate a leaf of the tree. The nodes in the following tier of the tree are created by pairing the leaves together and hashing them; to build the tree’s root, nodes are merged and hashed.

Proof of reserves

The assets that the exchange has stored on the blockchain as cryptocurrencies are called reserves. The total assets are computed by summing up the balances of crypto addresses if the exchange possesses the private keys of those addresses. 

By providing the public key linked to a cryptocurrency’s address and signing it with the private key, the exchange may prove that they are the rightful owner of the crypto address. For additional security, the exchange should also sign a nonce (such as the hash of the most recent block that was added to the blockchain), a value that may be used to validate the signature. The outputs of the proof of reserves are the sum and the hash of the address balances.

The audit program does not have to parse the entire blockchain to determine which balances should be added up; instead, it uses a preprocessor, a deterministic aggregate of data readily accessible to the public.

If given identical input values, a deterministic function will always produce the same results. This is a fundamental criterion for any blockchain since it is difficult to achieve consensus if transactions do not result in the same outcome each time they are executed, regardless of who initiates them and where they occurred.

Proof of solvency

The outputs of the audit and an attestation that may be used to confirm that the auditing software was run in a trustworthy environment are the two components of the proof of the solvency of a cryptocurrency exchange. 

The final audit result is either true or false (a binary number). It will be true if reserves exceed liabilities and false otherwise. The attestation serves as a signature for the hashes of the executed program and the platform measurements. The consumer can verify that the calculation considers its account balance into account by using the Merkle tree’s root.

How are PoR audits conducted?

The proof-of-reserves auditing process is often carried out by a third-party auditor to confirm that the assets on a crypto custodian’s balance sheet are sufficient to balance its customers’ holdings. The following steps are involved in the process:

• The external auditor or the auditing firm initially takes an anonymized snapshot of the institution’s balances. An auditor organizes these balances into a Merkle tree, which contains custodial data and has several branches that are authenticated using hash codes.
• The auditor then collects individual user contributions by utilizing the distinctive signatures of each account holder.
• The next step involves authenticating whether customers’ assets are held on a full-reserve basis — i.e., the individual contributors’ reported balances are at least equal to those obtained from the Merkle tree. It is done by comparing the digital signatures to the Merkle tree records.

After the PoR audit, users can verify their own transactions. For instance, if anyone has held their crypto assets on Binance, they can find their Merkle leaf and Record ID by logging in to the Binance website, clicking on “Wallet” and clicking on “Audit.”

The next step is to choose the audit date to confirm the audit type, the assets that were covered, your Record ID, and your asset balances included in an auditor’s attestation report concerning Binance’s proof of reserves audit.

Benefits of proof-of-reserves audits

The PoR audit has several advantages, as it reveals that exchanges’ on-chain holding of cryptocurrency corresponds with users’ balances. For instance, through proof-of-reserves audit, it can be verified if tokens like Wrapped Bitcoin (wBTC) are actually backed by Bitcoin (BTC). Decentralized finance applications receive the information they need to audit the Wrapped Bitcoin reserves from a network of Chainlink oracles that check the custodian’s BTC balance on the Bitcoin blockchain every 10 minutes. 

In addition, proofs of reserves appeal to regulators as a self-regulating approach that fits with their broad industry strategy. Furthermore, addressing the lack of confidence brought on by exchanges’ inability to cover consumer deposits with sufficient assets also increases product adoption. 

Moreover, users can independently verify the transparency of the proof-of-reserves audit using a Merkle tree hashing approach. Similarly, investors will have a due diligence tool to acquire relevant data about specific institutions’ client asset management practices, decreasing the likelihood of losing funds. At the same time, users start to trust custodians, which helps the latter with client retention.

Limitations of a proof-of-reserves

Despite the above advantages, proof-of-reserves audit has some disadvantages that cannot be overlooked. The critical issue with a PoR audit is that its correctness depends upon the auditor’s competence. Also, a fraudulent audit result may be produced by a third-party auditor in collaboration with the custodian under consideration.

In addition, a cryptocurrency exchange may manipulate the facts, as the correctness of verified balances is only valid during the time of audit. The legitimacy of the proof-of-reserves audit can also be impacted by the loss of private keys or users’ funds. Moreover, a PoR audit cannot determine if the money was borrowed to pass the audit.