One of the few bright spots after the FTX fraud is the renewed interest from customers in clarity about the assets held by crypto exchanges. Ever since that fateful FTX week in November 2022, crypto exchanges and brokers have been bombarded with demands from their clients: prove to us that you actually hold our assets. How would this so-called proof of reserves work?
In the days after the FTX collapse, one exchange after another published the amount of assets they held, backed by the public keys. And while it was nice to hear that, for example, Binance held 69 billion dollars worth of crypto assets, it raised the question: what are their liabilities? Binance was the first to admit that their publication was only a first step. Only the combination of proven reserves and liabilities paints the complete picture. We could call that a proof of solvency.
Two Ways of Proof of Reserves
Roughly speaking, there are two main ways in which a crypto exchange can prove it has sufficient assets to match its liabilities (claims from its customers). There is the classic one, by traditional accounting firms. And then there are audits that involve on-chain cryptographic proof of balances.
1. Traditional Accounting for Proof of Reserves
Don’t write off good old audits by accounting firms for establishing proof of reserves on a crypto company’s balance sheet. Publicly traded companies like Coinbase must comply with Sarbanes-Oxley rules (SOX). SOX, from 2002, puts strict rules in place for accountants and auditors. And that’s why Coinbase can reassuringly state in its quarterly earnings statement:
‘Investors can now calculate Assets on Platform based on line items on our balance sheet. Please add our “customer crypto liabilities” and “customer custodial cash liabilities” together to calculate total Assets on Platform.’
But can accountants apply these requirements to crypto assets? Sure enough, dealing with crypto wallets and private key storage has posed some challenges to this profession. But they are learning fast.
SEC Created Guidelines for Accountants
And, to be fair to the American financial watchdog SEC, despite their reputation of being hostile towards crypto, they have recently published guidelines in their Staff Accounting Bulletin (SAB). This summarizes the SEC’s views of how Generally Accepted Accounting Principles (GAAP) are to be applied to crypto companies. For example, the SEC answers some burning questions accountants might have:
- How should Entity A account for its obligations to safeguard crypto-assets held for platform users?
- What disclosures would the staff expect Entity A to provide regarding its safeguarding obligations for crypto-assets held for its platform users?
Pros and Cons of the Traditional Approach
The problem with the traditional way of proving your balance sheet, of course, is a practical one: most crypto exchanges are not publicly listed companies. Coinbase is the only publicly listed crypto exchange in the United States. From Coinbase’s quarterly earnings reports, you can gather a great deal about the health of their organization. Even if these are, admittedly, reports on a past state of affairs.
Also, for crypto purists, an audit plus signature from an accountant will feel laughable, old-fashioned and inadequate. They will want cryptographic proof. Fair enough. But still. If an accountant signs off on a publicly published balance sheet, you can be quite sure they are confident things are in order. There is a lot on the line for accountants (even jail time), so they don’t take their accounting job lightly.
To sum up, the traditional way of proof of reserves won’t be 100% fool-proof. But it would mean a giant leap forward if all crypto exchanges would be audited in this way.
2. Cryptographic Proof-of-Reserves
As mentioned, knowing the assets of a company is the easy part. The tricky part is the liabilities side of the balance sheet. How to show, backed by on-chain data, the amount of customers’ funds? After all, you don’t want to dox your clients.
Fortunately, there are cryptographic tools to accomplish this. Still, an auditor would be needed.
- For the liabilities side of the story, a third-party auditor takes an anonymized snapshot of user balances. This works by hashing a user’s account balance with their unique ID. The auditor aggregates these into a cryptographic Merkle sum tree that produces a Merkle root — a cryptographic hash that uniquely represents a combination of all user balances.
- With the Merkle tree, it is possible to verify the accuracy of all balances by only comparing a few anonymous balances with the verified ones.
- For the assets side of the balance sheet, the auditor asks for the digital signatures from the custodian/exchange, which prove that they control the on-chain addresses holding the assets.
Merkle sum tree of hashed account balances. Source: Kraken
Applying Zero-Knowledge Proofs to Eliminate Negative Balances
In a recent post, Vitalik Buterin shares some thoughts about making such a Merkle tree fool-proof. In what way could such a tree be vulnerable? Well, an insolvent exchange could sneak in fake accounts with negative balances, thus under-reporting the sum of their liabilities. A ZK-SNARK (a form of zero-knowledge proof) would need to be brought in to prove that there are no negative balances in the tree. With zero-knowledge proofs, this is possible without compromising the privacy of all the accounts.
Don’t Trust, Verify Your Proof of Reserves
This type of auditing is a nice blend of crypto tools and traditional auditing. We at least imagine someone showing up in a suit, while at the same time, the mantra ‘don’t trust, verify’ does apply.
Why? Because we don’t have to rely on the auditor alone. With this method, any user can verify whether their account balance was included in the tree. They hash their account balance and unique ID and look up their Merkle leaf in the Merkle tree. Their coin balances at the time of the audit will show up, if everything went right.
But does every client have to do this to get a definitive proof of reserves? Not really: a sample of people taking the trouble and getting reassurance will be enough for the exchange to be publicly perceived as safe. Still, it would in theory be possible for all clients to come together and recreate the Merkle tree.
Challenges with Cryptographic – But Infrequently Audited – Proof of Reserves
This cryptographic proof-of-reserves isn’t completely fool-proof. For example, an exchange could borrow funds right before the audit takes place. Also, proving you own the private keys doesn’t exclude the possibility that an attacker also has them. To help mitigate the first risk, the audit could be executed more often than once every year or even every quarter. Or at random, unannounced times.
Bleeding Edge: Automated, On-Chain Proof of Reserves by Chainlink
To address the incompleteness of the snapshots taken by infrequently audited proof of reserves, automated, on-chain proofs can be used. Chainlink has a PoR protocol that verifies reserves every 30 seconds. This system is, for example, used by the issuer of the stablecoin TUSD: they can prove that a mint of new stablecoins is backed by sufficient funds in the escrow banks.
Conclusion: A Massive Opportunity for the Industry
Not only will regulators probably start to demand proof of reserves, customers will too. Sure, in a bull market, exchanges compete on other things than credibility. But in bear markets, when there is fear, trust becomes a unique selling point. Especially after FTX.
Both the classical and cryptographically backed audits can be useful to regain users’ and regulators’ confidence. The upside of the cryptographic approach is that there’s a publicly verifiable component to it. And even though neither approach is completely fool-proof, instituting these kinds of audits would be a massive improvement compared to the current state of affairs. It’s pretty safe to say that a drama like FTX wouldn’t have happened.
Erik started as a freelance writer around the time Satoshi was brewing on the whitepaper.
As a crypto investor, he is class of 2020. More of a holder than a trader, but never shy to experiment with new protocols.