This is the second of four pieces exploring how Proof of Reserve works in practice. Our next post will dive into the limitations of Proof of Reserve.
The Technology Behind Proof of Reserve?
Proof of Reserve (PoR) is an attempt to provide public transparency to centralized cryptocurrency reserves through a verifiable auditing practice. It uses cryptographic proofs and public wallet address ownership verification in combination with periodic third-party audits to publicly attest that a centralized platform holds enough assets to match user deposits. This cryptographic approach makes it possible for individual users to verify that their account balance is included in the attestation.
PoR relies on a technique, the Merkle Tree (also known as a binary hash tree), to provide a cryptographically secure method of verifying assets in a reserve. The Merkle Tree data structure is used to verify the integrity of the data by comparing the hash of the data to the hash of the root node. If the two hashes match, the data is considered to be valid.
An example of a Merkle Tree, courtesy of Bitpanda
Gate.io sheds light on the steps that can be used to create a Merkle Tree, which includes:
Proof of Reserve ensures transparency with the help of a Merkle Tree. It is a privacy-friendly data structure that assures quick and easy verification of large volumes of data, enhancing accountability, credibility, and trust between protocols and their users.
Merkle Trees are also ideal for data integrity since user data is anonymized using a unique salt before being added to the Merkle Tree. Each user’s balance can only be viewed if one has access to this salt. Furthermore, the Merkle Tree makes it easier for users to check whether their accurate account balance was included in the audit by comparing selective data within the Merkle Tree. They can verify this in two simple steps:
Proof of Reserve, while underpinned by a single technique, is a complex process requiring trust in third-party auditors and the accounting practices valuing any off-chain assets. That process at a high level is as follows:
The auditor is an essential piece of the Proof of Reserve puzzle, responsible for collecting data from financial institutions and exchanges and verifying whether or not it matches the user balances mentioned in the Merkle Tree.
To help enhance trust and transparency in the industry, Gate.io has made its Proof of Reserve auditing solution open-source. In 2020, Gate.io became the first exchange to provide third-party certified, user-verifiable Proof of Reserve audit.
The company carries out audits with the help of a leading U.S. firm: Armanino LLP. Armanino LLP first conducts an audit and publishes the report on Gate.io’s reserve alongside user account balances that are compiled and encrypted using Merkle Tree. Users can then independently verify if their account balances are reflected in the reserve report correctly.
Thanks to Gate.io and other companies, many cryptocurrency exchanges are increasingly using Proof of Reserve audits.
According to disclosures, Coinbase Global Inc. reported customer crypto assets and liabilities totaled $95.11 billion for the September quarter, up from $88.45 billion in the previous quarter. To prove that they have the reserves to cover all customer deposits, many exchanges such as Huobi, Binance, Crypto.com, Deribit, KuCoin, OkxKraken, and BitMEX, are now using PoR.
Even though the audits have been conducted, there are many instances where due process has not been followed. For instance, Binance and HBTC submitted their PoR audit without the oversight of an auditor. Similarly, Luno, Revix, Bitbuy and Shakepay, in their audit filing have not adhered to user validation by the Merkle approach. Furthermore, many organizations took Informal asset attestations into account in which neither a cryptographic record of the assets is retained nor a disclosure of liabilities is offered- Bitfinex,Crypto.com, OKX, KuCoin, and Huobi being the primary ones.
Since the assets are not audited and don’t go through the standard cryptographic verification, these audits and the subsequent attestations lack the credibility of the standard PoR audit. When it comes to exchanges using PoR, it is blatantly used for industry reputation and marketing purposes therefore users need to exercise extreme diligence and, to a greater extent, exercise caution. It should be noted that the disclosure of proof of reserve provides only a partial picture of a crypto exchange's assets - investors should confirm that all liabilities are disclosed and accounted for before choosing a crypto exchange as well.
Proof of Reserve is one of the two variables in the Proof of Solvency equation. PoR only paints half of the picture, whereas disclosing an exchange’s liabilities gives a fair idea of the exchange’s status. Proof of Solvency in theory would be an optimal way for clients, partners, and third parties to verify the solvency of exchanges without compromising their users’ privacy.
Here, an exchange first needs to prove custody and ownership of the reserves. Next, it would publish the liabilities on its books. Once both of these are known it becomes fairly apparent if the exchange has enough reserves to cover its liabilities. This output is what we call “Proof of Solvency”, which can be used to build trust and transparency between the exchange, its clients, and regulators and prove that an exchange is backed by assets enough to meet all withdrawal requests at any given time.
Proof of Solvency = Proof of Reserve + Proof of Liabilities
Proof of Reserve is an incredibly fascinating process utilizing Merkle Trees, but may not fully address the problems posed by FTX’s downfall. To fully appreciate the limitations of Proof of Reserve, stay tuned for our next piece.