As interest in digital assets continues to rise among institutional and retail investors, the options for custody have also grown. Different types of custody choices have emerged as the market evolves, and new providers are working to establish effective structures and controls for specific markets and offerings.
Users have various choices available to safeguard their cryptocurrencies, including self-custody, exchange wallets, and third-party custodians. Custodians in the digital assets industry function similarly to traditional financial markets by taking care of and protecting clients’ assets through holding the private key on their behalf to prevent unauthorized access.
However, events such as the collapse of FTX (a cryptocurrency exchange and crypto hedge fund) and the liquidation of Three Arrows Capital (a cryptocurrency hedge fund) have shaken the industry and raised questions about the reliability and integrity of crypto custodians.
To ensure the financial stability of custodians, a proof-of-reserves (PoR) audit is conducted to confirm that the company’s on-chain holdings match the client assets listed on the balance sheet. This reassures customers that the business is solvent and liquid enough to continue operations.
This article will delve into what a proof-of-reserves audit is, why it is important, how to access it, and how to verify it.
What is a proof-of-reserves?
In traditional finance, reserves are profits set aside for unforeseen circumstances. In the crypto space, a proof of reserves refers to an independent audit conducted by a third party to confirm that the audited entity has sufficient reserves to support its depositors’ balances.
For reputable digital asset service providers, undergoing a proof-of-reserves audit is a crucial step in the regulatory process. It assures customers and the public that the custodian is financially stable, solvent, and capable of facilitating fund withdrawals at any time. It also provides transparency regarding the availability of funds.
A proof-of-reserves audit also benefits crypto companies acting as custodians by instilling trust and retaining customers. It prevents centralized exchanges from investing depositors’ money in other companies, reducing the risk of mishandling consumer assets. Additionally, it helps prevent events similar to the great financial crisis of 2007-2008.
How does a proof-of-reserves audit work?
Before understanding how a proof of reserves works, it’s important to grasp the overall auditing process. Typically, the audit assesses an exchange’s solvency, determining whether its assets exceed its liabilities. However, in cases where fractional reserves need to be demonstrated, this binary result may not be sufficient.
In the case of fractional reserves, a portion of an exchange’s deposits is held in reserve and made instantly accessible for withdrawal, while the remaining balance is lent to borrowers.
The auditing process consists of three distinct steps:
1. Proof of liabilities: This evaluates the exchange’s outstanding cryptocurrency balances owed to its clients. The sum of all customer account balances is compared to the exchange’s total liabilities. The proof of liabilities component also calculates the hash of the fraction factor and the root of a Merkle tree.
2. Proof of reserves: This verifies the assets stored on the blockchain as reserves. The total assets are calculated by summing up the balances of crypto addresses for which the exchange possesses the private keys. The exchange proves ownership by providing the public key linked to a cryptocurrency’s address and signing it with the private key. The outputs of the proof of reserves are the sum and hash of the address balances.
3. Proof of solvency: This component combines the results of the audit and an attestation that confirms the software’s trustworthy execution. The final audit result is either true (reserves exceed liabilities) or false (reserves do not exceed liabilities). The attestation serves as a signature for the program’s hashes and platform measurements. Customers can verify the calculation by using the Merkle tree’s root.
How are PoR audits conducted?
Proof-of-reserves audits are typically conducted by third-party auditors to confirm that a crypto custodian’s balance sheet assets are sufficient to cover customers’ holdings. The process involves several steps:
1. The external auditor or auditing firm takes an anonymized snapshot of the institution’s balances. These balances are organized into a Merkle tree, which contains custodial data and branches authenticated using hash codes.
2. Individual user contributions are collected by utilizing their distinctive signatures.
3. The authenticity of customers’ assets being held on a full-reserve basis is verified by comparing digital signatures to the Merkle tree records.
After the PoR audit, users can independently verify their own transactions. For example, Binance users can find their Merkle leaf and Record ID by logging into the Binance website, accessing the “Wallet” section, and clicking on “Audit.” Users can then choose the audit date to confirm the audit type, assets covered, their Record ID, and their asset balances included in the auditor’s attestation report.
Benefits of proof-of-reserves audits
Proof-of-reserves audits offer several advantages. They verify that exchanges’ on-chain holdings of cryptocurrency match users’ balances, ensuring transparency and trust. They also enable decentralized finance applications to audit reserves, such as Wrapped Bitcoin, through Chainlink oracles that check the custodian’s BTC balance every 10 minutes.
These audits appeal to regulators as a self-regulating approach that aligns with their industry strategy. They address the lack of confidence caused by exchanges’ inability to cover consumer deposits adequately, thereby increasing product adoption.
Users can independently verify the transparency of proof-of-reserves audits using a Merkle tree hashing approach. Investors can acquire relevant data about specific institutions’ client asset management practices, reducing the risk of losing funds. Simultaneously, custodians gain trust from users, aiding in client retention.
Limitations of proof-of-reserves
Despite the advantages, proof-of-reserves audits have limitations. The correctness of the audit depends on the auditor’s competence, and fraudulent results can be produced if there is collaboration between the third-party auditor and the custodian.
Cryptocurrency exchanges may manipulate facts as the verified balances are only valid during the time of the audit. The loss of private keys or users’ funds can also impact the legitimacy of the proof-of-reserves audit. Additionally, a PoR audit cannot determine if the money was borrowed to pass the audit.