In light of the FTX collapse, cryptocurrency exchanges are implementing proof-of-reserves (PoR) as a form of on-chain accounting that shows their entire holdings and customers’ assets. For centralized entities, this is a big step towards a more transparent crypto ecosystem, but some argue it might not be enough to regain investor trust. In this article, we will explain how PoR works and why it matters.
What is Proof-of-Reserves (PoR)?
Proof-of-reserves (PoR) is a cryptographic method to verify that an exchange has enough assets to cover all customers’ deposits. In doing so, the exchange assures customers that it has sufficient liquidity on hand to process all withdrawals, should a bank run occur.
This came to light after FTX secretly used $10 billion of customer funds to prop up its sister company Alameda Research, which ultimately led to a liquidity crunch amidst mass withdrawals.
This has left the crypto community wondering what other crypto exchanges might be doing with customer assets. As a result, Binance CEO Changpeng Zhao (CZ) urged all crypto exchanges to do PoR, although Kraken was one of the first exchanges to prove its reserves, in February 2022.
How Does Proof-of-Reserves Work?
Proof-of-reserves essentially involves taking a snapshot of all balances held on the exchange, which are aggregated into a Merkle tree, a data structure that summarizes a large set of data under a single hash. These Merkle trees, also known as hash trees, function as a map of the exchanges’ assets and liabilities (customers’ tokens).
From there, a Merkle root is obtained, which is a cryptographic fingerprint that uniquely identifies the combination of these balances at the time when the snapshot was taken. Afterwards, digital signatures produced by the exchange are collected, which prove ownership over the on-chain addresses with publicly verifiable balances. To put it simply, the exchange discloses these addresses and provides proof that they have access to the associated private key.
Because Merkle trees are part of blockchain technology, anyone can compare and verify if these balances exceed or match the customers’ balances represented in the Merkle tree. In the case of crypto exchanges, this process is either self-attested by the exchange or carried out by an independent third-party audit. As of now, most crypto exchanges have been working with Nansen, a blockchain analytics platform, for their PoR audit.
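The liabilities side of the process described above, as an added example that is not code from any exchange or auditor: it goes one step beyond the plain Merkle tree in the text by using a Merkle sum tree, where every node also carries the subtotal of the balances beneath it, so a customer can check both inclusion and the published total. All names, the hash encoding and the sample figures are assumptions made for illustration; the ownership signatures over on-chain addresses are not shown.

```python
import hashlib

def leaf(user_id, balance):
    # 0x00 prefix separates leaf hashes from inner-node hashes.
    data = b"\x00" + user_id.encode() + b":" + str(balance).encode()
    return hashlib.sha256(data).digest(), balance

def parent(left, right):
    # An inner node commits to both child hashes and both child sums.
    data = (b"\x01" + left[0] + str(left[1]).encode()
            + b"|" + right[0] + str(right[1]).encode())
    return hashlib.sha256(data).digest(), left[1] + right[1]

def build(balances):
    # Returns every tree level, leaves first; the last level holds the root.
    nodes = [leaf(u, b) for u, b in sorted(balances.items())]
    while len(nodes) & (len(nodes) - 1):   # pad to a power of two
        nodes.append(leaf("", 0))          # zero-balance filler leaf
    levels = [nodes]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([parent(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels

def prove(levels, index):
    # Sibling (hash, sum) at each level, plus whether it sits on the left.
    proof = []
    for level in levels[:-1]:
        proof.append((level[index ^ 1], bool(index & 1)))
        index //= 2
    return proof

def verify(root, user_id, balance, proof):
    # Customer-side check: recompute the root from own balance and the proof.
    node = leaf(user_id, balance)
    for sibling, sibling_is_left in proof:
        if sibling[1] < 0 or node[1] < 0:  # negative subtotals would shrink liabilities
            return False
        node = parent(sibling, node) if sibling_is_left else parent(node, sibling)
    return node == root

# Constructed sample snapshot, balances in the asset's smallest unit.
SNAPSHOT = {"alice": 50, "bob": 120, "carol": 30}
LEVELS = build(SNAPSHOT)
ROOT = LEVELS[-1][0]            # (root hash, total customer liabilities)
ONCHAIN_RESERVES = 210          # constructed figure for the disclosed addresses

def reserves_cover_liabilities(reserves, root):
    return reserves >= root[1]
```

A customer only needs their own leaf, the proof and the published root; the check fails if the exchange altered their balance or offset the total with a negative entry on their path.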
Downsides of Proof-of-Reserves
Although proof-of-reserves is certainly a step in the right direction, there are still several improvements that could be made to enhance transparency and trust.
Proof-of-Reserves are Pointless without Proof of Liabilities
A proof-of-reserves audit without disclosure of total liabilities, not just customers’ tokens, does not paint a full picture of an exchange’s solvency. Total liabilities would include anything the exchange owes, such as debts and taxes. Kraken CEO Jesse Powell said that Binance’s PoR is pointless without liabilities, a remark that also applies to other platforms publishing their PoR without mentioning any liabilities. He added that accounts with negative balances must be included in the sum of total liabilities.
However, the problem is that these liabilities are NOT on-chain, which means an independent auditor has to step in. At that point, crypto exchanges will have to provide the same proof that all public and regulated companies provide: audited financial statements. Coinbase is one of the few exchanges to do this. Since they are a public company subject to U.S. regulations, they have already been proving their reserves using balance sheets audited by the SEC.
Therefore, the most reliable way to prove an exchange’s assets are more than its liabilities is via third-party auditors. In fact, CZ responded to Powell’s comments that Binance would involve third-party auditors to audit their PoR results.
Proof-of-Reserves Audits Can be Falsified
Although cryptographic proofs do not lie, they can be manipulated and framed to look healthy. There is the issue of crypto exchanges moving their funds right after the snapshot for the audit was taken. Recently, Crypto.com mistakenly transferred 280,000 ETH to a Gate.io address after it released its proof-of-reserves audit. Many speculated that exchanges were borrowing assets to show a healthy balance sheet, only to return them after the snapshot.
Moreover, a PoR audit is only as good as its verifier. There is also the issue of exchanges colluding with third-party auditors to produce false results. Unless the exchange is audited by a reputable source such as the Big Four accounting firms, we will just have to take their word for it.
Proof-of-Reserves Do Not Prevent Customer Fund Misappropriation
Even then, audits and attestations may not suffice. At their core, crypto exchanges are not the same as banks: crypto is not insured by government deposit insurance schemes. Even if all the steps are done correctly, customers can still lose their crypto if it is mishandled.
Merkle tree-based PoR would not prevent the misappropriation of customer funds completely. It only tracks the money, providing information. It does not provide customers with greater control over their funds. If the exchange is caught in the act, you would not be able to get your crypto back as it is likely to be tied up in litigation.
Not your keys, not your crypto. We strongly suggest keeping your crypto on hardware wallets such as Ledger Nano X, Ledger Nano S Plus, Ledger Nano S, Trezor One or Trezor Model T.
Why Proof-of-Reserves is Crucial
At the end of the day, proof-of-reserves is the first step towards a more transparent crypto ecosystem. In effect, it functions as a verification tool to filter out fraudulent crypto exchanges, albeit not completely.
By leveraging blockchain technology, PoR brings crypto exchanges closer to the treasuries of DeFi protocols, allowing anyone to trace funds on-chain at any time. However, there is much to improve in this aspect. But with on-demand, real-time tracking of exchange reserves, the industry is working towards a decentralized and trustless system, where customers do not need to trust the institution, only the math.