Proof of reserves has been the talk of the town in the wake of the FTX collapse, with the investor community demanding exchanges provide attestations of their crypto holdings.
But what exactly are they, and why do they matter?
Proof of reserves (PoR) refers to a method of verifying that a trading platform or crypto firm does indeed have 1:1 backing across the digital assets it holds in custody on behalf of its customers.
Firms will often turn to a third-party organization to conduct the attestation. They publish the results, with some caveats (which will be unpacked below) to help investors understand a centralized exchange’s state of finances and whether they have enough funds to match customer deposits.
Since the trend has emerged, tons of different kinds of attestations have been executed, with some instilling more confidence in a firm than others.
Merkle Tree-based Proof of Reserves
One way to execute an attestation is via a PoR protocol that uses a Merkle Tree proof to integrate large amounts of data into a single hash and verify the integrity of the data set.
Using cryptographic proofs, the PoR protocol verifies the validity of user balances and transactions.
Crypto exchanges may publish Merkle Tree-based PoR attestations at regular intervals, including on a weekly, monthly, or quarterly basis, in the form of snapshots. Alternatively, firms might provide real-time attestations available on their website.
While snapshots may be sufficient to prove a crypto firm’s solvency at a set point in time, real-time attestations are considered to be superior when verifying an exchange’s reserves as they allow anyone at anytime to ensure that funds are indeed by an exchange.
Chainlink launches proof-of-reserves protocol
Chainlink Labs, the company behind the popular decentralized oracle network, is offering its own version of a proof-of-reserves system, which, it said, is “designed to help projects across Web2 and Web3 prove asset reserves through automated verification.”
Launched in 2020, with the first user being the TrueUSD stablecoin, the system connects Chainlink nodes to an exchange’s API, its vault addresses, as well as a proof-of-reserve smart contract that can be queried by any other account on the network to determine whether the exchange’s crypto reserves are equal to its liabilities.
Its blockchain-agnostic system provides data on how much is deposited, borrowed, and staked at a particular protocol at any point in time.
Exchanges can also use Chainlink’s system to provide security around the guarantees that they cannot issue more tokens than assets stored in reserves.
Which exchanges have proof of reserves?
Some exchanges and crypto lending platforms, including Kraken, Nexo, BitMEX, and Gate.io, moved to launch their proof of reserves before the implosion of FTX.
Events in November 2022, however, saw more trading platforms work towards having their own proof of reserves, which, depending on the exchange, varied in detail.
These included Binance, the world’s largest crypto exchange by trading volume, which released a Merkle Tree-based system for Bitcoin and Ethereum, with OKX, Crypto.com, and ByBit taking a similar approach.
Coinbase, on the other hand, said that as a publicly listed company, it already proves its reserves via audited SEC filings.
On November 25, the San Francisco-based crypto exchange, however, noted that “on-chain accounting is the future” and that it is exploring “various novel ways to prove reserves using more crypto native methods.”
Part of the effort is Coinbase’s newly launched $500,000 developer grant program.
These grants are meant to support individuals or teams “who are advancing the state of the art in on-chain accounting, privacy-preserving techniques related to proof of assets or liabilities (including the application of zero-knowledge techniques) and or closely related technologies.”
What are the concerns?
While proof of reserves is clearly a step in the right direction, theoretically helping to ensure that customer funds are safe and cryptographically proving that the company has sufficient liquidity, it can also give users a false sense of security.
The reason for this is that by simply providing a snapshot, exchanges give an overview of assets held on the platform’s associated addresses; however, they—with few exceptions—do not disclose the company’s liabilities to customers, meaning users are required to trust the auditor’s attestation about the assets in question.
This may potentially lead to a scenario where an exchange uses its proof of reserves to appear transparent without disclosing its true solvency risk.
This is what Kraken CEO Jesse Powel recently highlighted, saying that attestations must have three components: A sum of client liabilities (auditor must exclude negative balances), user-verifiable cryptographic proof that each account was included in the sum, and signatures proving that the custodian has control of the wallets.
Powell was especially critical of Binance’s November attestation, describing it as “either ignorance or intentional misrepresentation” and saying that “the statement of assets is pointless without liabilities.”
More controversy around Binance
Binance moved to quell concerns over its state of finances by drafting the South African arm of the international audit, tax, and advisory firm Mazars to prepare an additional proof of reserve report.
Released last week, it said that at the time of assessment, Binance controlled in-scope assets in excess of 100% of their total platform liabilities.
Yet, the report drew more controversy, with experts stressing that the Mazars report means little without any information about the quality of Binance’s internal controls, such as its systems for keeping accurate books and records.
Moreover, as highlighted in a recent WSJ report, the Mazars report was, in fact, a five-page letter rather than a proper audit report. It did not address the effectiveness of Binance’s internal financial-reporting controls, stressing that Mazars did “not express an opinion or an assurance conclusion,” meaning it wasn’t vouching for the numbers.
Mazars said it performed its work using “agreed-upon procedures” requested by Binance and that Mazars made “no representation regarding the appropriateness” of the procedures.
On top of that, the figures in the letter essentially state Binance’s Bitcoin is only 97% collateralized, with a Binance spokesperson explaining “the 3% ‘gap’ is due to BTC loaned to customers, through the margin or loan programs, who may have used tokens out of the report’s scope as collateral.”
Shortly after, Mazars, which had executed similar attestations for Crypto.com and Kucoin, announced that it would halt any work with crypto firms moving forward.