Can reserve audits avoid another FTX-like moment?

Related articles

In the wake of the FTX collapse that came about as a result of the now-bankrupt cryptocurrency exchange funneling user funds to mitigate its own risks, crypto exchanges came up with a transparency solution called proof-of-reserves. 

A practice, which was recently endorsed by Binance CEO Changpeng Zhao, offers a way for exchanges to show provide transparency to users in the absence of clear regulations.

Proof of reserves (PoR) is an independent audit conducted by a third party that seeks to ensure that a custodian holds the assets it claims to own on behalf of its clients. 

This auditor takes an anonymized snapshot of all balances held and aggregates them into a Merkle tree.

A Merkle is a cryptographic commitment scheme in which each “leaf,” or node, is labeled with a data block’s cryptographic hash. Their chief use to is to verify data that has been handled, sent or stored between computers. While invented in 1979, the concept has found extensive use in blockchain peer-to-peer networks.

After taking the snapshot, the auditor obtains a Merkle root: a cryptographic fingerprint that uniquely identifies the combination of these balances at the time when the snapshot was created.

The auditor then collects digital signatures produced by the crypto exchange, which prove ownership over the on-chain addresses with publicly verifiable balances. Lastly, the auditor compares and verifies that these balances exceed or match the client balances represented in the Merkle tree so that the client assets are held on a full-reserve basis.

A total of five centralized exchanges (CEXs) including Kraken, Bitmex, Coinfloor, Gate.io and HBTC have completed their proof-of-reserve audits while the likes of Binance, OKX, KuCoin, Huobi, Poloniex, Crypto.com, Deribit and Bitfinex have announced their plans to do the same.

Recent: Banks still show interest in digital assets and DeFi amid market chaos

The PoR practice made sense and was lauded by many in the crypto community as it seemed like a step toward a more transparent crypto ecosystem. Centralized exchanges can note the liabilities of each account on a public ledger with specific assets held. They would have to publish with a tag that only account owners can know, thereby retaining public anonymity. 

Hassan Sheikh, co-founder at decentralized venture capital firm DAO Maker, told Cointelegraph that PoR provides a clear summation of due liabilities that can be matched against assets. He added that good PoR practice could make it very difficult for exchanges to fake liabilities, explaining:

“If liabilities are ever faked, users can publicly raise a red flag. Even if 1% of users ever bother to verify, it’d be impossible for any CEX to which users would fall in that cautious 1%. The larger accounts would almost always verify, and the CEX could at best get away with skipping only a small fraction of small accounts before being detected.”

He added that with publicly released liabilities that retail investors can easily verify, “the asset disclosures which exchanges are making would finally make sense,” adding that the balances presented in these audits only “hold weight under the assumption liabilities are properly presented.”

Ben Sharon, the co-founder at digital asset management firm Illumishare SRG, told Cointelegraph that scammers will try to fake any audit, no matter how reliable proof of reserves are. He added that a proof-of-reserves audit is still a viable step to keep a check on crypto exchanges, but it’s not enough and suggested other measures, such as:

“Having a separate cash reserve, an asset-backed token, or better yet, having both, in addition to a proof-of-reserves certificate would offer investors a far better solution. At the end of the day, the only solution is complete transparency. When a crypto exchange is fully transparent, users should not be afraid to trust it with their assets.”

Showing proof of reserves without the liabilities means nothing

While the practice of PoR is becoming accepted by centralized exchanges with many starting to release PoR audit data, there is still the issue of crypto platforms moving their funds right after the snapshot for the audit was taken. 

Crypto.com recently transferred 280,000 Ether (ETH) to Gate.io address after it released its PoR audit, fueling rumors about crypto exchanges potentially faking their reserve audits. Many in the crypto community claimed exchanges were borrowing assets to show a healthy financial book, only to return them back right after the snapshot.

Crypto.com CEO Kris Marszalek came out to clarify that the $400 million ETH transfer was a mistake and was meant to be sent to another cold wallet, raising even more suspicion.

And, while some exchanges give detailed breakdowns of their reserves during a PoR, other firms simply provide quick responses claiming they are in the black. Nexo has simply come up with a one-page snapshot that says they have more assets than customer deposits of around $3.2 billion.

Looking at some of the reserves audits published by exchanges, Philipp Zimmerer, core contributor at decentralized finance protocol Spool.fi, told Cointelegraph that the main issue is that there are no formal rules for what exactly constitutes a proper PoR audit. This means that the procedure will differ between exchanges. He explained:

“Even if implemented in the most good-faith interpretation, a proof of reserves still cannot prove exclusive ownership of private keys or detect any funds that were borrowed to manipulate the outcome of the audit. Generally, the practice is only as trustworthy as the exchange and the auditors were to begin with, and will never constitute 100% proof of anything.”

He further noted that showing assets without showing liabilities is worth nothing. Only ones that can be “trusted to a degree are fully regulated, on-shore banking license holders that undergo regular, complete audits from known and independent firms.” He cited the example of Coinbase, which, as a publicly traded firm, makes its assets and liabilities public information. 

Zimmerer also noted Kraken, another exchange registered in the United States, that does regular audits, the results of which it publishes and disseminates to the public.

Stefan Rust, CEO of data infrastructure provider Truflation, told Cointelegraph that looking at early implementation of PoR, it seems it is a good first step forward but in order to gain more trust and better transparency, a wiser approach will be to look at the overall balance sheet and monitor the liabilities while having transparency around capital reserves. It’s not just the reserves but also the exposure that the company has.

In the case of FTX, they had over 130 companies where they had divested the liabilities and the income. The same happened with WeWork and a number of other blowups in corporate land. Rust said:

“Proof of reserve is the first step. Proof of liabilities would be great, and in light of FTX, a must-have edition. Lastly, some sort of proof of incorporation or consolidation across related companies. We need to educate the market and the community on not only how to use these tools, but also the benefits of these tools. It’s important for users to understand why decentralization is really an essential part of not only the crypto ecosystem but the future financial and Web3.”

When asked the most reliable way to keep tabs on crypto exchanges, Don Guillaume, head of PR and communications at Gate.io, told Cointelegraph, “Regulation. Over the last few years we’ve seen positive steps across the world by regulators to ensure crypto exchanges, and really any company operating in the crypto industry, are regulated and following the rules of the law.”

Recent: Could Hong Kong really become China’s proxy in crypto?

Overall, the fallout from the collapse of FTX has led to calls for greater regulatory oversight of the crypto market. While key market players continue to offer some form of transparency in order to regain public trust, experts believe proof of reserves alone cannot solely be relied upon.