The implosion of centralized exchange FTX due to fraud has re-ignited discussion in the crypto industry about the importance of proof of reserve (PoR). If FTX had been required to offer proof it was still in possession of all its clients’ crypto, its shortfall might have been uncovered much sooner. The collapse has also led to calls for users to store their own crypto, but the convenience of using exchanges for storage will always appeal to some.
If you’re storing coins on an exchange, how can you make sure that exchange has the resources to let you withdraw them when you want to? To understand the challenge of ensuring crypto stored on an exchange is safe, you need to know what proof of reserve (PoR) is, how it’s calculated–and why PoR may not be a guarantee that your assets are secure.
What is Proof of Reserve?
Proof of reserve is a demonstration that an organization possesses enough assets to cover all the crypto stored by its users. For an exchange with adequate reserves, a “run”–in which many users demand their assets back at once–wouldn’t be a problem. If it has full reserves, the exchange’s users could all withdraw their holdings simultaneously.
How can an exchange offer proof of reserve? So far, exchanges are using various methods, partly dependent on whether they are centralized or decentralized in their structure. Some methods are more trustworthy than others–we’ll discuss the options below.
As you’ll see, proof of reserve is just one measure of an organization’s financial health. To really understand whether your coins are safe, you need to know not just the assets on hand, but also all that organization’s outstanding debts, also known as liabilities.
Without knowing the total of what an organization owes, you can’t tell whether your crypto is really covered. To find out, you’ll need a broader calculation known as Proof of Solvency (PoS).
What is Proof of Solvency?
An organization is solvent when it has enough assets to cover all liabilities. It has the resources to continue operating under the worst withdrawal scenario. PoS provides a more complete picture of an exchange’s health, as this formula shows:
Proof of reserve (PoR) + proof of liabilities (PoL) = proof of solvency (PoS)
Organizations often incur debts. They may borrow money they must repay, leverage existing assets by pledging them as collateral in a deal, or lend money to others, to name just a few ways assets might be committed elsewhere, often off-chain. These liabilities can be harder to track, and may not be included in a PoR calculation.
Without verifiable proof of solvency, you have no real assurance that you could withdraw all your assets from an exchange upon demand. The exchange could well be overleveraged.
So far, there is no agreed-upon standard for trustworthy verification–it’s up to the user to research what their exchange discloses for PoR and decide whether it’s satisfactory.
Now that you understand the importance of proof of reserve and of solvency, let’s look at the different ways exchanges are offering proof of reserve.
Public companies have audited financials
Coinbase is a publicly traded U.S.-based crypto exchange. As such, the company contends that its proof of reserve is evident in its publicly available, audited quarterly financial statements, which include a balance sheet that states the company’s assets and liabilities.
This doesn’t satisfy all users, some of whom would like to be able to personally verify their own crypto is covered in the PoR calculation. But so far, Coinbase has refused to offer users or the public on-chain verification tools.
Your attestation quality may vary
In 2022, ten exchanges that are not public companies offered some form of proof of reserve, as tracked by Coin Metrics cofounder Nic Carter. The simplest method of offering PoR is for owners or project organizers to sign a statement attesting that they have reserves equivalent to the value of their users’ stored crypto. For instance, Binance made a PoR statement in November 2022 that for each coin a user buys, Binance buys a coin to back it, storing it in a separate account from its corporate holdings.
Without access to an organization’s back-end, it’s difficult to verify the company’s claims about PoR. This problem was demonstrated in January 2023, when it came to light that Binance had mistakenly stored some of its PoR coin purchases in a wallet that also held some customer assets, raising questions about whether the company truly had adequate reserves. Binance said it was fixing the issue.
As the Binance glitch demonstrated, unless an attestation is backed with some hard evidence, it lacks credibility. That’s why some exchanges, including Binance and Crypto.com, have taken the step of giving their users the addresses of all the wallets on their exchange. Using Merkle trees, users are able to track down and verify their accounts are included in the PoR calculation.
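The Merkle-tree check described above, as an added example that is not from the original article or from any exchange's code. It goes slightly beyond the text by using a Merkle sum tree, so the published root also commits to the total of user balances; the hashing layout, account names and balances are assumptions constructed for illustration.

```python
import hashlib

def leaf(account_id, balance):
    """Leaf = (hash of account id and balance, balance)."""
    data = f"leaf|{account_id}|{balance}".encode()
    return (hashlib.sha256(data).digest(), balance)

def parent(left, right):
    """Parent commits to both child hashes and to the sum of their balances."""
    total = left[1] + right[1]
    data = b"node|" + left[0] + right[0] + str(total).encode()
    return (hashlib.sha256(data).digest(), total)

PAD = leaf("", 0)  # zero-balance filler so padding never inflates the total

def build(leaves):
    """Exchange side: return every level of the tree, leaves first, root last."""
    levels, cur = [], list(leaves)
    while True:
        if len(cur) > 1 and len(cur) % 2:
            cur.append(PAD)
        levels.append(cur)
        if len(cur) == 1:
            return levels
        cur = [parent(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)]

def prove(levels, index):
    """Exchange side: sibling nodes from leaf `index` up to the root."""
    path = []
    for level in levels[:-1]:
        sibling = index ^ 1
        path.append((level[sibling], sibling < index))
        index //= 2
    return path

def verify(account_id, balance, path, root):
    """User side: recompute the root from one's own balance and the path."""
    node = leaf(account_id, balance)
    for sibling, sibling_is_left in path:
        if sibling[1] < 0:  # a negative subtotal would understate the total
            return False
        node = parent(sibling, node) if sibling_is_left else parent(node, sibling)
    return node == root

# Constructed sample data, not real accounts.
ACCOUNTS = [("alice", 50), ("bob", 30), ("carol", 20)]
LEVELS = build([leaf(a, b) for a, b in ACCOUNTS])
ROOT = LEVELS[-1][0]  # published root: (hash, total user balances = 100)
```

A user who receives `prove(LEVELS, 2)` from the exchange runs `verify("carol", 20, path, ROOT)`; a changed balance or an omitted account makes the recomputed root differ from the published one.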
Client-only is the most common level of disclosure, at this point, meaning the public remains in the dark. To date, only BitMEX and Deribit have released wallet addresses to the public, Carter found. But at least most crypto users can personally check the amount of crypto stored on their exchange, verifying that their holdings haven’t mysteriously disappeared and are still present on the blockchain.
Another verification approach that preserves more user privacy is to use cryptographic methods that allow the exchange’s crypto total to be disclosed without revealing the holdings of individual wallets. Again, remember that any off-chain liabilities may be missing from this calculation.
There’s one more problem with PoR as it’s currently being disclosed. People rapidly trade crypto, and most PoR attestations occur only infrequently.
Obviously, the amount of crypto present on any given exchange may change by the minute. When the market is in flux, trading volumes can be huge.
Carter reported that the most frequent attestations come from Deribit, which is releasing daily figures. BitMEX releases PoR attestations twice a week. Thus far, Kraken only releases PoR numbers twice a year. Several other exchanges that issued at least one PoR attestation in 2022 haven’t committed to any regular schedule.
The infrequent PoR data means most exchange users must rely on outdated information. If the exchange is growing rapidly, the reserve could be quickly outstripped.
Worse, this PoR reporting may not take off-chain liabilities into account. Until there is real-time PoR reporting at all exchanges that includes any off-chain debts, aging PoR figures quickly become a guesstimate.
What’s more, in most cases these figures are self-reported by the organization, without verification by a disinterested, trusted third party. That’s a big problem–and it recently got bigger.
When you’re an exchange that’s storing crypto worth hundreds of millions or even billions of dollars, it would reassure users if you had a qualified auditor verify your PoR figures. And until recently, some exchanges were doing just that.
Two major accounting firms had carved out a specialty in crypto audits: Mazars and Armanino. Six of those ten exchanges that currently release PoR attestations were using one firm or the other, including Kraken and KuCoin.
Unfortunately, both accounting firms have recently gotten out of the crypto business.
Armanino was FTX’s auditor. It fled the space after FTX declared bankruptcy and the exchange’s many off-book liabilities and back-room deals with sister company Alameda Research came to light. Mazars followed suit shortly afterwards, closing its website that published PoR work for crypto exchanges.
This leaves the sector without experienced accountants who can provide an outsider’s perspective on an exchange’s balance sheet. Until another firm steps into the breach, users have to take exchanges’ word for the accuracy of their PoR attestation. If more users decide to store their own crypto on hardware wallets they control, it won’t be a surprise.
Will regulators demand PoS?
While verifying PoR and PoS is a free-for-all of different approaches right now, regulators may change that. Multiple proposals for regulating crypto are floating around Capitol Hill, with exchanges particularly in the crosshairs. We may well see new regulations soon that standardize expectations around audits and/or timing for providing PoR, or for disclosing off-chain liabilities.
For its part, Coinbase has proposed rigorous annual audits for centralized exchanges. This would be a positive step for unaudited exchanges, but wouldn’t address the need for more real-time PoR data.
PoR needs the human touch
Until we have more reliable PoR and PoS data, users need to weigh the pros and cons of safety vs convenience when considering whether to have an exchange hold their crypto. Taking a good look at the leaders of the company or organization and their track record isn’t a bad idea. Right now, you have little else to rely on but their reputation and their honesty when they attest to having adequate reserves.
In the future, it would be ideal to have fully automated techniques for calculating and publishing proof of solvency. Until we get there, it will take human investigation to make sure all liabilities are fully disclosed.
At Dragonscale, we’re building a community that will make the crypto space safer through human collaboration to spot and avert attempts at fraud. Join us.