Transparency Needs to Extend Beyond Proof-of-Reserves

The events of the past weeks have drawn so much attention to the crypto space. The top crypto-related discussion has been on how to mitigate future FTX-like insolvencies and ensure users’ funds are safe on Centralized Exchanges (CEX). Major custodial crypto exchanges have promised to publish their independently audited asset base, showing the digital assets they hold and how these assets are allocated; the independent audit of the digital assets held by a CEX is known as a proof-of-reserves (PoR) audit.

How Proof-of-Reserves Work

The concept of Proof of Reserves goes beyond the mere publication of wallet addresses and claims to the balances on the wallet addresses. CEX users’ trades and assets are not always recorded directly on the blockchain; they are recorded on a centralized, proprietary database controlled by the CEX; CEX transactions are recorded on the blockchain only when an off-exchange transaction, which requires on-chain activity, is initiated. Before the FTX crash, which has since served as an eye-opener to the crypto community to demand access to full assets audits, crypto exchanges have, for the most part, kept their assets data private. When such data is kept private, it is difficult for users to verify claims made by crypto exchanges about the safety of users’ funds. The recent FTX collapse reveals just how a CEX could be insolvent within, but publicly bold-faced as though everything was fine.

In the concept of PoR, an independent, third-party auditing firm assesses the total amount of crypto held in the reserves of a CEX. The total amount of users' assets held by the CEX, recorded in its centralized database, is measured against the actual coin controlled by the exchange. In the audit, it is expected that the total number of coins controlled by the CEX on-chain must be equal to or higher than the total number of users’ assets recorded in its centralized database.

In PoR the audited data is made public and accessible to anyone via a Merkle-tree data structure. The Merkle tree data structure, also known as the Binary hash tree, is a mathematical data structure made up of blocks of hashes. It is a fundamental part of blockchain technology and is used to encrypt blockchain data more efficiently. In PoR, an auditor takes an anonymous snapshot of all users’ balances on the CEX and combines them into a Merkle tree.  Each user’s account hash value of assets is encoded in the leaf nodes of the Merkle tree. The auditor audits the assets in the leaf node. The auditor then publishes its independent findings along with the Merkle root. This way, the hash value of users’ total assets on a CEX is made accessible to the public; users would be able to compare and verify their balance data with the publicly accessible Merkle root data.

Are Proof of Reserves Enough?

While PoR is being touted by crypto exchanges as the mitigator of CEX implosion, many still doubt if it will be the lasting solution to the CEX and DeFi insolvency problems. One key question that comes to mind is, can third-party auditors be 100% trusted? The behind-the-scenes unknown relationship between an auditing firm and a CEX might not be known. There could still be a risk of collusion between an auditor and a CEX to publish inaccurate snapshots and data. A CEX could also publish its Proof of Reserves without disclosing liabilities, which potentially far outweigh the assets under its control.

CEXs could also “prepare” for a snapshot by leaving funds in reserves that would give an inflated PoR; these funds could then be moved after the snapshot. CEXs are currently under the lens of the crypto community. PoR isn’t yet a fully trusted concept as the cons and potential risks are apparent.

As recently witnessed, days after one of the major CEX, Crypto.com, made its cold storage information public, it was discovered that the exchange sent 320,000 ETH, worth $400 million, to another CEX Gate.io just before Gate.io provided its PoR audit. The CEO of Crypto.com, however, denied any wrongdoing and claimed that the funds were accidentally transferred to Gate.io.

Proof-of-reserves are a great first step, but they alone will not suffice in providing investors with adequate protections.  Even more transparency is needed to ensure potential liabilities, snapshot preparation, or even potential collusion is taken in to account, meaning that proof-of-reserves are only a piece of the puzzle.