What are proof of reserves audits and how do they work?

With the growing interest of institutional and retail investors in digital assets, custodial options have also seen parallel growth. As a result, different types of custody choices have evolved as the market changes, and new providers strive to establish the most effective structures and controls for particular markets and offerings.

Self-custody, exchange wallets, and third-party custodians are the various choices available to users to protect their cryptocurrencies. Custodians in the world of digital assets operate similarly to traditional financial markets in that their primary duty is to care for and protect their clients’ assets by holding the private key on behalf of the asset holder. , preventing unauthorized access.

However, despite these efforts, events such as the collapse of FTX (a cryptocurrency exchange and crypto hedge fund) and the Liquidation of Three Arrows Capital (a cryptocurrency hedge fund) shocked the cryptocurrency industry. They have caused people to question the reliability and integrity of crypto custodians.

To ensure the financial strength of custodians, a Proof of Reserves (PoR) audit confirms that the company’s on-chain holdings are identical to client assets on the balance sheet, reassuring clients that the company is sufficiently solvent and liquid to continue business with them.

This article explains what a proof of reservation audit is, why proof of reservations is important, how to access proof of reservations and how to verify proof of reservations.

What is a proof of reservations?

In traditional finance, reserves are a company’s profits set aside for use in unforeseen circumstances. In contrast, in the crypto space, proof of reserves refers to an independent audit performed by a third party to confirm that the audited entity has sufficient reserves to support all of its depositor balances.

For trusted and experienced digital asset service providers, conducting a proof of reserves audit is a critical step in the regulatory process. The PoR audit assures customers and the public that the custodian is sufficiently liquid and solvent, and that they can withdraw funds at any time, providing transparency on the availability of their funds.

A proof of reserves audit also benefits crypto companies acting as custodians, because by ensuring absolute backing of assets, they can build customer loyalty and confidence in their operations. Moreover, thanks to the PoR, centralized exchanges Investing depositors’ money in other companies is prohibited, minimizing the risk of companies maximizing returns on their consumer assets. In addition, such an audit also helps to avoid the likelihood of events such as the great financial crisis of 2007-2008.

How does a proof of reserve audit work?

Before understanding how a proof of reserves works, let’s familiarize ourselves with the overall audit process. In general, the audit must assess the solvency of an exchange, which produces only two results: either the exchange is solvent if its assets exceed its obligations or liabilities, or insolvent in all other cases. However, it is conceivable that there are cases where this binary result is insufficient, such as when an exchange must demonstrate fractional reserves.

In the case of fractional reserves, a portion of an exchange’s deposits are held in reserve and made instantly accessible for withdrawal (in the form of cash and other highly liquid assets), with the remaining balance of funds being loaned to borrowers.

The audit process can be divided into three distinct steps:

Proof of Passive

The liabilities of the exchange are the unpaid cryptocurrency balances owed to its customers. The sum of all client account balances is used to calculate the total liabilities of the exchange. To determine solvency, the calculated amount is then contrasted with the total reserves. The liability proof component also calculates the hash of the fraction factor and the root of a merkle tree.

User account information is used to build a Merkle tree using the cryptographic hash of the customer’s identity, and the amount owed to the customer would be used to generate a leaf of the tree. The nodes of the next level of the tree are created by joining the leaves and chopping them; to build the root of the tree, the nodes are merged and hashed.

Evidence of reserves

The assets that the exchange has stored on the blockchain because cryptocurrencies are called reserves. Total assets are calculated by adding the balances of crypto addresses if the exchange owns the private keys of these addresses.

By providing the public key tied to a cryptocurrency address and signing it with the private key, the exchange can prove that it is the rightful owner of the crypto address. For added security, the exchange must also sign a nuncio (like the hash of the most recent block that was added to the blockchain), a value that can be used to validate the signature. The outputs of the proof of reserves are the sum and hash of the address balances.

The auditing program does not have to scan the entire blockchain to determine which balances should be added up; instead, it uses a preprocessor, a deterministic aggregate of data readily available to the public.

If identical input values ​​are given, a deterministic function will always produce the same results. This is a fundamental criterion for any blockchain because it is difficult to reach a consensus if the transactions do not lead to the same result each time they are executed, regardless of their initiator and their location.

proof of solvency

Audit results and an attestation that can be used to confirm that the audit software was run in a trustworthy environment are the two pieces of proof of a cryptocurrency exchange’s creditworthiness.

The final result of the audit is either true or false (a binary number). It will be true if the reserves exceed the liabilities and false otherwise. The attestation serves as a signature for the executed program hashes and platform metrics. The consumer can verify that the calculation takes into account the balance of his account by using the root of the Merkle tree.

How are PoR audits conducted?

The proof of reserves audit process is often performed by a third-party auditor to confirm that the assets on a crypto custodian’s balance sheet are sufficient to balance the holdings of its clients. The following steps are involved in the process:

• The external auditor or audit firm first takes an anonymized snapshot of the institution’s balances. An auditor organizes these balances into a Merkle tree, which contains custodial data and has multiple branches authenticated using hash codes.
• The auditor then collects individual user contributions using the distinctive signatures of each account holder.
• The next step is to authenticate whether client assets are held on a full reserve basis – i.e. the balances reported by individual contributors are at least equal to those obtained from the Merkle tree . This is done by comparing digital signatures to records in the Merkle tree.

After the PoR audit, users can verify their own transactions. For example, if someone has held their crypto assets on Binance, they can find their Merkle sheet and registration ID by logging into the Binance website, clicking on “Wallet” and clicking on “Audit”.

The next step is to choose the audit date to confirm the type of audit, the assets covered, your record ID and the balances of your assets included in an auditor’s attestation report regarding the audit proof of Binance reserves.

Benefits of Proof of Reserve Audits

The PoR audit has several advantages, as it reveals that the holding of cryptocurrency on the exchange chain corresponds to the balances of the users. For example, through a proof of reserves audit, it can be verified whether tokens like Wrapped bitcoin (wBTC) are actually backed by Bitcoin (BTC). Decentralized finance apps receive the information they need to audit Wrapped Bitcoin reserves from a network of Chainlink oracles which check the custodian’s BTC balance on the Bitcoin blockchain every 10 minutes.

Furthermore, evidence of reserves appeals to regulators as a self-regulatory approach that fits their overall industry strategy. In addition, addressing the lack of confidence caused by exchanges’ inability to cover consumer deposits with sufficient assets also increases product adoption.

Additionally, users can independently verify the transparency of the proof of reserves audit using a Merkle tree hashing approach. Likewise, investors will have a due diligence tool to acquire relevant data on the asset management practices of clients of specific institutions, decrease the likelihood of losing funds. At the same time, users are beginning to trust custodians, which helps custodians build customer loyalty.

Limits of proof of reservations

Despite the above advantages, proof of reserves auditing has some disadvantages that cannot be overlooked. The critical problem with a PoR audit is that its accuracy depends on the competence of the auditor. In addition, a fraudulent audit result may be produced by a third-party auditor in conjunction with the relevant custodian.

Additionally, a cryptocurrency exchange can manipulate facts, as the accuracy of verified balances is only valid for the duration of the audit. The legitimacy of the proof of reserves audit can also be affected by the loss of private keys or user funds. Also, a PoR audit cannot determine if the money was borrowed to pass the audit.