As interest in digital assets continues to grow among institutional and retail investors, the options for custody services have also expanded. Different types of custody choices have emerged to cater to the evolving market, with new providers working to establish effective structures and controls for specific markets and offerings.
Users have various options available to safeguard their cryptocurrencies, including self-custody, exchange wallets, and third-party custodians. In the world of digital assets, custodians function similarly to traditional financial markets, as their primary responsibility is to protect and take care of their clients’ assets by holding the private key on their behalf, thus preventing unauthorized access.
However, recent events like the collapse of FTX, a cryptocurrency exchange and crypto hedge fund, and the liquidation of Three Arrows Capital, a cryptocurrency hedge fund, have shaken the cryptocurrency industry. These incidents have raised concerns about the reliability and integrity of crypto custodians.
To ensure the financial stability of custodians, a proof-of-reserves (PoR) audit is conducted to confirm that the company’s on-chain holdings match the client assets listed on the balance sheet. This audit reassures customers that the business is solvent and liquid enough to continue operations.
This article will delve into the concept of a proof-of-reserves audit, its importance, how to access it, and how to verify it.
What is a proof-of-reserves audit?
In traditional finance, reserves refer to a company’s profits set aside for unforeseen circumstances. In the crypto space, a proof of reserves is an independent audit conducted by a third party to verify that the entity being audited has sufficient reserves to support all its depositors’ balances.
For reputable digital asset service providers, undergoing a proof-of-reserves audit is a crucial step in the regulatory process. This audit assures customers and the public that the custodian is financially sound and solvent, allowing them to withdraw funds at any time. It also provides transparency regarding the availability of funds.
A proof-of-reserves audit also benefits crypto companies acting as custodians. By ensuring full asset backing, they can retain customers and build trust in their operations. Additionally, it prevents centralized exchanges from investing depositors’ money in other ventures, reducing the risk of maximizing returns from consumer assets. Such audits also help prevent events like the great financial crisis of 2007-2008.
How does a proof-of-reserves audit work?
Before understanding how a proof of reserves works, let’s first familiarize ourselves with the general auditing process. Typically, the audit assesses an exchange’s solvency, resulting in either solvency if assets exceed liabilities or insolvency in all other cases. However, there are instances where this binary result is insufficient, such as when an exchange needs to demonstrate fractional reserves.
In the case of fractional reserves, a portion of an exchange’s deposits is held in reserve and made instantly accessible for withdrawal, while the remaining funds are lent to borrowers.
The proof-of-reserves audit consists of three distinct steps:
1. Proof of liabilities: This involves calculating the exchange’s total liabilities by summing up the outstanding cryptocurrency balances due to its clients. The proof of liabilities component also generates a hash of the fraction factor and the root of a Merkle tree. The Merkle tree is constructed using the cryptographic hash of the customer’s identity and the amount owed to the customer.
2. Proof of reserves: The assets stored on the blockchain by the exchange as cryptocurrencies are referred to as reserves. The total assets are computed by summing up the balances of crypto addresses for which the exchange holds the private keys. The exchange proves ownership of the crypto addresses by providing the public key linked to the address and signing it with the private key. The proof of reserves also includes the sum and hash of the address balances.
3. Proof of solvency: The proof of solvency consists of the audit outputs and an attestation that confirms the trustworthy execution of the auditing software. The final audit result is either true or false, indicating whether the reserves exceed the liabilities or not. The attestation serves as a signature for the executed program and platform measurements. Users can verify their account balance by using the Merkle tree’s root.
How are PoR audits conducted?
Proof-of-reserves audits are typically conducted by third-party auditors to ensure that a crypto custodian’s balance sheet contains sufficient assets to cover its customers’ holdings. The following steps are involved in the process:
1. The external auditor or auditing firm takes an anonymized snapshot of the institution’s balances. These balances are organized into a Merkle tree, which includes custodial data and branches authenticated using hash codes.
2. The auditor collects individual user contributions using their unique signatures.
3. The auditor verifies whether the customers’ assets are held on a full-reserve basis by comparing the digital signatures to the Merkle tree records.
After the PoR audit, users can independently verify their own transactions. For example, Binance users can find their Merkle leaf and Record ID by logging into the Binance website and accessing the “Wallet” and “Audit” sections. Users can select the audit date, confirm the audit type, the assets covered, their Record ID, and their asset balances included in the auditor’s attestation report on Binance’s proof of reserves audit.
Benefits of proof-of-reserves audits
Proof-of-reserves audits offer several advantages. They provide transparency by ensuring that exchanges’ on-chain holdings of cryptocurrencies match users’ balances. For instance, through a proof-of-reserves audit, it can be verified if tokens like Wrapped Bitcoin (wBTC) are genuinely backed by Bitcoin (BTC). Decentralized finance applications receive the necessary information to audit Wrapped Bitcoin reserves from Chainlink oracles that check the custodian’s BTC balance on the Bitcoin blockchain every 10 minutes.
These audits also appeal to regulators as a self-regulating approach that aligns with their broader industry strategy. Furthermore, addressing the lack of confidence caused by exchanges’ insufficient asset coverage for consumer deposits increases product adoption.
Users can independently verify the transparency of proof-of-reserves audits using a Merkle tree hashing approach. Investors also have a due diligence tool to acquire relevant data about specific institutions’ client asset management practices, reducing the risk of fund loss. Building trust with custodians through these audits helps with client retention.
Limitations of proof-of-reserves audits
Despite their advantages, proof-of-reserves audits have some limitations that should not be overlooked. The correctness of a PoR audit depends on the competence of the auditor, and there is a risk of fraudulent audit results if a third-party auditor colludes with the custodian.
Cryptocurrency exchanges can manipulate facts since the correctness of verified balances is only valid during the time of the audit. The loss of private keys or users’ funds can also impact the legitimacy of a proof-of-reserves audit. Additionally, a PoR audit cannot determine if money was borrowed to pass the audit.
In conclusion, proof-of-reserves audits play a crucial role in ensuring the financial stability and transparency of custodians in the cryptocurrency industry. While they have their limitations, these audits provide users and regulators with confidence in the integrity of custodial services and contribute to the overall trustworthiness of the digital asset ecosystem.