November 11th, 2022 will forever be remembered as the day FTX, one of the world’s largest and most reputed cryptocurrency exchanges, filed for voluntary bankruptcy. The company’s shocking fall from grace has led to at least $1 billion of customer funds disappearing altogether.
The collapse of the crypto exchange FTX and its subsequent bankruptcy filing underscore the need for robust digital asset risk compliance. While the FTX fallout has accelerated pressure for increased regulatory scrutiny, it also offers stark lessons in risk management, disclosure, and oversight.
It is worth reviewing the timeline and cascading effects of this fallout and how it acted as a catalyst for the 4th biggest bitcoin capitulation, causing holders $10 billion in losses. The details available with the authorities suggest that:
To understand the full chain of events, here is a brief timeline leading up to the fallout:
The FTX downfall can be traced back to its close links with Alameda Research, a cryptocurrency hedge fund that Sam Bankman-Fried (SBF) founded. Concerns about FTX surfaced after CoinDesk published a piece disclosing that the majority of Alameda Research's holdings consisted of FTT, the native token of FTX.
Because FTT could not be converted to cash easily, the report highlighted worries about Alameda Research's capital reserves. In response to the report, Binance CEO Changpeng Zhao, known as CZ, stated that he would sell all of Binance’s holdings of FTT for $580 million.
This massive selloff by a crypto behemoth provoked a larger withdrawal, creating extra pressure on FTX to accommodate the escalating demand for client withdrawals. Due to a liquidity shortage, FTX suspended all customer withdrawals.
Binance, the cryptocurrency exchange whose CEO largely contributed to the selloff, had previously agreed to buy FTX. SBF was optimistic about the deal, saying that it is “a user-centered development that helps the entire industry.” He further added, “CZ has done and will continue to do an excellent job building the global crypto ecosystem and creating a more decentralized economic ecosystem… What is important is that the clients are protected.”
Unfortunately, Binance’s due diligence into FTX combined with recent press stories indicating abuse of customer assets and probable US government investigations caused the deal to fall apart, leaving FTX with no path forward.
The failed acquisition set in motion a chain of events which started with Sequoia Capital reducing its over $210 million holding in FTX to zero. Meanwhile, the SEC and the Justice Department launched investigations into the alleged mishandling of user funds by FTX, according to the Wall Street Journal.
In the aftermath of the collapse, the cryptocurrency ecosystem is yearning for a more robust disclosure mechanism to be adopted by centralized cryptocurrency exchanges - one that strengthens user security, ensures privacy protection, and provides transparency into how funds are managed and maintained.
To achieve the above-mentioned properties, one mechanism that is currently gaining interest is the concept of ‘Proof of Reserves’ or PoR. Proof of Reserve provides transparency into the total amount of funds and the allocation of funds held by an exchange. PoR is not limited to exchanges: any entity holding client funds can use this technique to assure its clients that their funds are in reserve and are truly backed 1:1. This in theory would help identify red flags, prevent misuse of clients’ funds, and help avoid Alameda and FTX-like events in the future.
What is Proof of Reserve?
Exchanges have always been vulnerable to hacks. As the value of cryptocurrencies rises and cryptocurrencies gain popularity, the stakes have also become higher. In 2014, Mt.Gox, once the largest Bitcoin exchange, filed for bankruptcy after losing 850,000 Bitcoins (worth about $450 million at that time). Since then, there have been numerous other exploits such as the Wormhole Protocol hack in February 2022 and the Ronin Network hack in March 2022, where the hackers stole $320 million in wETH (Wrapped ETH) and 620 million in ETH and USDC tokens, respectively.
Proof of Reserve (PoR) requires exchanges to confirm that digital assets like fiat-backed stablecoins and wrapped tokens are collateralized by the appropriate value of assets. It entails an impartial audit carried out by a third party auditor to verify that a custodian of digital assets genuinely owns the assets that it represents to its clients.
To prove that they have the reserves to cover all customer deposits, many exchanges such as Huobi, Binance, Crypto.com, Deribit, KuCoin, Okx, Kraken, and BitMEX are now using PoR. The idea is to demonstrate to depositors that the cryptocurrency held on deposit matches the user balances. PoR provides the transparency essential for cryptocurrency protocols, markets, users and regulators, ensuring a fair and authentic environment in the ecosystem.
PoR relies on a technique called a Merkle Tree (also known as a binary hash tree) to provide a cryptographically secure method of verifying assets in a reserve.
The Merkle Tree data structure is used to verify the integrity of the data by comparing a hash of the data to the hash of the root node. If the two hashes match, the data is considered to be valid.
Here is How PoR Works:
Furthermore, the Merkle Tree makes it easier for users to check whether their accurate account balance was included in the audit by comparing selective data within the Merkle Tree. They can verify this in two simple steps:
Gate.io sheds light on the steps that can be used to create a Merkle Tree including:
Figure: Pictorial representation of a Proof of Reserve Merkle Tree (image: github.com)
Proof of Reserve ensures transparency with the help of a Merkle Tree. It is a privacy-friendly data structure that assures quick and easy verification of large volumes of data, enhancing accountability, credibility and trust between protocols and their users.
Merkle Trees are also ideal for data integrity since user data is anonymized using a unique salt before being added to the Merkle Tree. Each user’s balance can only be viewed if one has access to this salt.
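The user-side check described above, as an added example (not Gate.io's or any exchange's code): a salted Merkle tree is built over a constructed ledger, and one user verifies an inclusion proof against the published root. SHA-256, the record encoding, and all function and variable names are assumptions made for illustration.

```python
import hashlib

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def leaf_hash(user_id: str, balance: str, salt: bytes) -> bytes:
    # 0x00 prefix separates leaves from inner nodes; the per-user salt stops
    # anyone who sees a leaf hash from brute-forcing the (user, balance) pair.
    uid = user_id.encode()
    return _h(b"\x00" + salt + len(uid).to_bytes(2, "big") + uid + balance.encode())

def node_hash(left: bytes, right: bytes) -> bytes:
    return _h(b"\x01" + left + right)

def build_levels(leaves):
    """Return every level of the tree, leaves first, root level last."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        # An unpaired last node is promoted unchanged instead of duplicated.
        levels.append([node_hash(cur[i], cur[i + 1]) if i + 1 < len(cur) else cur[i]
                       for i in range(0, len(cur), 2)])
    return levels

def inclusion_proof(levels, index):
    """Sibling hashes from leaf to root as (hash, sibling_is_left) pairs."""
    proof = []
    for level in levels[:-1]:
        sibling = index ^ 1
        if sibling < len(level):
            proof.append((level[sibling], sibling < index))
        index //= 2
    return proof

def verify(user_id, balance, salt, proof, published_root):
    """What a user runs: recompute the path from their own record to the root."""
    acc = leaf_hash(user_id, balance, salt)
    for sibling, sibling_is_left in proof:
        acc = node_hash(sibling, acc) if sibling_is_left else node_hash(acc, sibling)
    return acc == published_root

# Constructed sample ledger; real salts would be random and given only to the user.
LEDGER = [(f"user{i}", bal, bytes([i]) * 16)
          for i, bal in enumerate(["1.5", "0.25", "12", "3.75", "40"])]
LEVELS = build_levels([leaf_hash(*rec) for rec in LEDGER])
ROOT = LEVELS[-1][0]

if __name__ == "__main__":
    uid, bal, salt = LEDGER[4]
    proof = inclusion_proof(LEVELS, 4)
    print(verify(uid, bal, salt, proof, ROOT), verify(uid, "39", salt, proof, ROOT))
```

A passing check shows only that the record is included under the published root; it says nothing about omitted accounts or borrowed funds, which is why the audit and the liabilities side still matter.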
Proof of Reserve is one of the two variables in the Proof of Solvency equation. PoR only paints half of the picture, whereas disclosing an exchange’s liabilities gives a fair idea of the exchange’s status. Proof of Solvency in theory would be an optimal way for clients, partners, and third parties to verify the solvency of exchanges without compromising their users’ privacy.
Here, an exchange first needs to prove custody and ownership of the reserves. Next, it would publish the liabilities on its books. Once both of these are known it becomes fairly apparent if the exchange has enough reserves to cover its liabilities. This output is what we call “Proof of Solvency”, which can be used to build trust and transparency between the exchange, its clients, and regulators and prove that an exchange is backed by assets enough to meet all withdrawal requests at any given time.
Proof of Solvency = Proof of Reserve + Proof of Liabilities
Without the context of total liabilities, proof of reserve becomes almost irrelevant. Proof of liabilities requires careful review by an independent auditor, and perhaps multiple auditors, to ensure that all unique financial products such as staking, interest accounts, rehypothecation, collateralized loans, etc. are accounted for, providing full coverage and a high level of confidence in the total amount of liabilities.
Generally, the ratio between the reserves and liabilities provides the only health status indicator, wherein larger reserves and lower liabilities are considered “safer”. Unfortunately, this is also easier said than done.
A few of the primary challenges with this approach include:
One approach to solve this comes from Nic Carter: “This is why I recommend both a user-facing PoR protocol, allowing users to obtain ‘herd immunity’ by collectively verifying their individual balances, and an auditor-facing PoR protocol, to prove that the claimed liabilities are faithful to reality.”
The auditor is responsible for collecting data from financial institutions and exchanges and verifying whether or not it matches the user balances mentioned in the Merkle Tree.
To help enhance trust and transparency in the industry, Gate.io has made its Proof of Reserve auditing solution open-source. In 2020, Gate.io became the first exchange to provide a third-party certified, user-verifiable Proof of Reserve audit.
The company carries out audits with the help of a leading U.S. firm, Armanino LLP. Armanino LLP first conducts an audit and publishes the report on Gate.io’s reserve alongside user account balances that are compiled and encrypted using a Merkle Tree. Users can then independently verify whether their account balances are reflected correctly in the reserve report.
Unfortunately, yes. To cheat a PoR, exchanges may borrow funds to pass an audit and omit certain obligations. For this reason, it is recommended that a reputable, independent third-party auditor conduct the audit of a crypto exchange or project, to ensure maximum security for investors, traders and regulators.
While Proof of Reserve can offer transparency and enhance the credibility and trust between protocols and their users, it also has some limitations:
After the collapse of FTX, one of the largest cryptocurrency exchanges, Binance published its Proof of Reserve disclosing $69 billion in assets. As of November 10th, Binance held 475,000 BTC, 4.8 million Ether, 17.6 billion USDT, 601 million USDC, 58 million BNB, and approximately 21.7 billion in its own stablecoin, BUSD. The total reserves held by Binance as of November 10th were approximately $69 billion.
To enhance transparency, several exchanges like Crypto.com and Okx published a list of their hot and cold wallets.