Old problems, new ideas
After the collapse of the FTX, uncertainty took hold in the market - how do we know that the exchanges are still holding the coins we deposited there? The Proof of Reserves is supposed to be the answer. A step in the right direction, though it's unclear if it's enough.
Proof of reserves became a topic thanks to the FTX bankruptcy, which shook the entire market. If one of the largest exchanges with a capitalization of tens of billions of dollars can collapse in a few days, what is certain? Many people have begun to seriously question whether investing in crypto is definitely a good idea. Lack of liquidity, mismanagement of funds and questionable practices not only led to the FTX crash, but also entailed the collapse of many other companies and a decline in the value of the entire market.
The problems are not new, but in fact, since the collapse of MtGox in 2014, not much has changed. The procedure used to be simple: deposit funds and hope you can pull them back out. Times are changing, however, and this practice needs to change so that the reliability of institutions can be objectively verified.
The optimal solution would be a full external audit, which unfortunately is expensive and takes months. And this is where the slightly less reliable, but definitely simpler to conduct Proof of Reserves comes in as an alternative.
Proof of Reserves (PoR) is a way to prove that a CeFi institution has the amount of cryptocurrency it claims to have. It is a cryptography-based method of verifying that 2+2 will definitely equal 4. It is meant to provide a guarantee of a company's solvency and liquidity, which is why some centralized exchanges already offer Proof of Reserves.
A question of terminology arises here. Proof of Reserves can be understood only as a check of assets held, but then it is not sufficient to prove that an exchange is safe and solvent. For that to be the case, it should be part of a larger examination that also checks the exchange's obligations to customers.
After all, the information that Company X controls $10 billion worth of BTC sounds great.... until we find out that its liabilities to customers are 20 billion.
The Proof of Reserves can theoretically be developed independently by the exchange in question, but it is far better if it hires a professional auditing firm to help.
Let's start with the basics - Proof of Reserves is not an audit! Unlike an audit, whose elements and procedures are strictly regulated, Proof of Reserves is performed differently by different companies. A well-executed, complete PoR audit is proof that the exchange has under its control funds equivalent to its liabilities. However, it is not exhaustive or equivalent to an audit.
Proof of Reserves will not show, for example, that:
* The company has no hidden liabilities beyond its balance sheet,
* Customers' funds are safe in case of insolvency,
* The assets at the surveyed addresses are owned by the company,
* The problem with the reserves will not arise in next week.
Proof of Reserves checks only the narrow scope of security, related to having enough resources at any given time. It is therefore a nice complement to an audit, but does not replace it.
Unfortunately, crypto exchanges have a lot to answer for when it comes to implementing Proof of Reserves. Not only do they call a self-performed PoR an audit, but they often only do half the job, publishing the status of assets but not liabilities.
To be clear: here, when writing about the Proof of Reserves, we will present a complete picture, including data on both assets and liabilities held.
As we mentioned, a full Proof of Reserves covers both the assets and liabilities of an exchange to confirm its solvency. Therefore, the procedure can be divided into 3 separate stages:
1. Checking liabilities. We add up the balances of all user accounts to calculate the sum of its total liabilities to customers.
2. Checking the reserves. We calculate the total assets by adding up the balances of the crypto addresses where the exchange holds funds. To make this possible, the exchange provides a public key and signs the transaction with a private key to prove that it holds the address in question.
3. Comparison of these values. The bottom line shows whether reserves exceed liabilities or vice versa.
For reliable data, a Merkle Tree is used, allowing for unambiguous verification that the processed data is true and complete. The data is merged into a tree, divided into branches and authenticated using hashes, which will be finally compared with the Merkle Root image. We described this process in an earlier article, so we will not repeat ourselves.
The very nature of the process of obtaining Proof of Reserves forces it to be up to date as of the date of the snapshot (recording the status of accounts at a given time). If something bad happens after the snapshot is taken, it will not be included in the report.
The U.S. Securities and Exchange Commission (SEC) believes that the Proof of Reserves does not provide enough information for investors to make the right decisions. "Such a report is not enough information for an investor to assess whether a company has sufficient assets to cover its liabilities," said Paul Munter of the SEC. He also warned audit firms to be cautious when accepting assignments from crypto companies.
US senators, including Elizabeth Warren, a prominent member of the Finance and Banking Committee, are of a similar opinion. They have expressed concerns about the independence and methodology of crypto accounting firms.
As a result of such actions, several large audit firms, such as Mazars Group, Marcum LLP and Armanino LLP, decided to reconsider their work for the crypto sector. It's not out of place to mention that Armanino was, among other things, the auditor of FTX US, which went bankrupt along with the rest of the group.
Proof of Reserves is a very trendy concept lately. Some exchanges boast about its implementation, others downplay its importance. This does not change the situation that in a while an exchange without PoR will look like a guy without a tie at an embassy party.
Crypto market data aggregators already publish a list of PoR for each exchange, and it flows into their security score. Coingecko has introduced an "Exchange reserve" item on each exchange's page, while CoinMarketCap refers to them as "Financial reserves." Interestingly, the data presented for the same exchanges differs. Evidently, the system needs refinement.
Those interested in the topic of Proof of Reserves and how they compare for different exchanges will find plenty of useful data on the Medium page of crypto fundamentals researcher Nic Carter.
If the cryptocurrency industry, and CeFi in particular, wants to continue to grow, it needs to reassure its customers. Adopting standards that confirm reserves and disclose potential risks would greatly increase the safety of investments. Less reliable companies may lose out, but in the long run, a safer ecosystem will attract more investors and capital.
It seems that the Proof of Reserves can be very useful - if it includes both assets and liabilities, and is updated often enough. A month seems like the maximum, but there are already exchanges updating it more frequently. Derbit publishes the PoR daily!
Clearly, if the crypto market wants to avoid potentially lethal SEC regulations, it should embrace itself - the sooner, the better. After all, if the situation in the fall of 2022 is repeated, it will be a great excuse to blow out the entire crypto industry once and for all.