Proof of Reserves
Nic’s PoR ✨ Wall of Fame ✨
Summary of recent major PoRs (note: snapshot as of Jan 2023 – some data is out of date)
Entities which have conducted a recent PoR attestation (updated 05/02/23):
‘Gold standard’ PoR (includes full liabilities disclosure OR done with auditor oversight)
- BitMEX (self-assessment, user validation with merkle approach, full liability release, BTC, bi-weekly) (01/2023)
- Kraken (auditor-assisted, user validation with merkle approach, semi-annual, many assets) (Armanino AUP report) (06/2022)
- Deribit (self-assessment, user validation with merkle approach, full liability release, BTC, ETH, ETHW, SOL, USDC, daily) (01/2023)
- OKX (self-assessment, user validation with zk proofs, full liability, 21 assets, monthly) (05/2023)
- [Non-active] Coinfloor (self-assessment, user validation with merkle approach, full liability release, monthly) (08/2021)
Good quality PoRs
- Kucoin (auditor-assisted, user validation with merkle approach, BTC, ETH, USDC, USDT ) (Mazars AUP report) (11/2022)
- Gate.io (auditor-assisted, user validation with merkle approach, point in time, BTC & ETH) (Armanino AUP report) (10/2022)
- Bybit (self-assessment, user validation with merkle, BTC, ETH, USDC, USDT, snapshot) (12/2022)
- Bitget (self-assessment, user validation with merkle, BTC, ETH, USDT, monthly) (12/2022)
- Binance (self-assessment, user validation with zk proofs, 24 assets) (02/2023)
- SwissBorg (self-assessment, user validation with merkle, unknown number of assets, unknown frequency) (04/2023)
Other PoR attestations (no auditor oversight, user verifiability, or other drawbacks)
- Binance prior assessment (later revised) (self-assessment, user validation with merkle, BTC only) (11/2022) (Mysten Labs security report, archived Mazars dec. 7 AUP report, later deleted)
- Crypto.com (auditor-overseen, user validation with merkle, many (but not all) assets) (Mazars AUP report) (12/2022)
- Luno (audit firm assisted, no user validation, many assets, quarterly/ongoing) (Mazars AUP report) (12/2022)
- HBTC (self-assessment, user validation with merkle approach, point in time) (05/2021)
- Revix (audit firm assisted, no user validation, point in time) (Q3 2022)
- Bitbuy (forensics firm assisted, no user validation, point in time)
- Shakepay (forensics firm assisted, no user validation, point in time)
- Huobi, Poloniex, Bitfinex
Informal asset attestations (no cryptographic proof of assets held, and no corresponding liabilities provided)
- Binance (Binance, Nansen)
- Bitfinex (Bitfinex, Nansen)
- Crypto.com (Nansen)
- OKX (Nansen)
- Kucoin (Nansen)
- Deribit (Nansen)
- Huobi (Nansen)
- CoinDXC (Nansen)
Other related attestations
Lenders (note: these are still opaque and I don’t consider these ‘true’ PoR):
- CakeDeFi (quarterly attestations with proof of assets) (11/2022)
- Nexo (auditor-assisted, ongoing) (daily attestation)
- Ledn (user validation with merkle approach, ongoing [semi-annually]) (08/2021)
Stablecoins/ETP issuers (I don’t describe this as PoR but they still produce strong assurances)
- TrustToken True Currency stablecoins (auditor assisted, daily attestation)
- Paxos BUSD stablecoin (auditor assisted, monthly attest, CUSIPs listed)
- Circle USDC stablecoin (auditor assisted, monthly attest, CUSIPs listed)
- CoinShares XBT Provider ETP Real-Time Attest with Armanino
Note: I am presenting these claims ‘as is’ with no endorsement or guarantee of their correctness
Proof of Reserve introduction
If there’s a single thing I could do to better this industry, it would be to convince every custodial service provider in the cryptocurrency space to adopt a routine Proof of Reserve program.
Proof of Reserves is the idea that custodial businesses holding cryptocurrency should create public facing attestations as to their reserves, matched up with a proof of user balances (liabilities). The equation is simple (in theory):
Proof of Reserves + Proof of Liability = Proof of Solvency
The idea is to prove to the general public, and in particular your depositors, that your cryptocurrency held on deposit matches up with user balances. Of course, in practice, this isn’t quite so simple. Proving that you control some funds on chain is trivial, but you could always borrow those funds on a short term basis. This is why point-in-time attestations mean relatively little. And additionally, exchanges can have hidden liabilities or have creditors claim seniority to depositors, especially if they don’t legally segregate client assets on the platform. This is why policy like Wyoming’s SPDI law clarifying the legal status of depositors relative to custodial institutions is so important.
Proving liabilities is tricky, and generally requires an auditor to engage in a full assessment. For instance, exchanges can omit certain liabilities to ‘cheat’ a PoR attestation. This is why I recommend both a user-facing PoR protocol, allowing users to obtain ‘herd immunity’ by collectively verifying their individual balances, and an auditor-facing PoR protocol, to prove that the claimed liabilities are faithful to reality.
Another issue is that exchanges could have unaccounted-for liabilities that a mere cash flow analysis might not capture. For instance, given that many exchanges exist under muddy regulatory regimes and legal contexts, it’s not guaranteed that depositors would be senior to creditors in the case of bankruptcy. This means that it’s possible that large debts could consist of a hidden liability that would weaken depositor claims on reserves in a worst case scenario. This is why I recommend including an auditor in a PoR process, so these more complex liabilities (and an assessment of the seniority of depositors) can be understood. More generally, exchanges should adopt a legal policy in which depositors are absolutely privileged and senior to all creditors.
So a Proof of Reserve program isn’t entirely trustless. However, it’s still worth doing, for several reasons:
- It’s good housekeeping. A periodic PoR attestation demonstrates to your end users that you have your house in order, and that you are being vigilant with regards to solvency
- It’s a strong self-regulatory measure. If exchanges collectively adopted PoR, regulators might be more inclined to adopt a light touch approach. Much better to operate in relative freedom with voluntary self-regulatory measures rather than suffering onerous regulatory impositions later on
- It helps safeguard against toxic operators by making fractional reserves virtually impossible to hide. These exchange failures reflect badly on the whole industry, so it’s in everyone’s interest to avoid them
To those who reject PoR because it’s not perfectly trustless in its current implementation, I would respond that the perfect is the enemy of the good. At present, the industry standard is virtually no transparency. Those exchanges that are more stringently regulated, under the NY Trust License for instance, can credibly claim to be fair stewards of user funds. Some exchanges conduct financial statement audits to obtain bank partners, or as part of the normal course of business as public companies. But these audits are generally not consumer facing, and many exchanges are loosely regulated. A far more potent trust signal would entail allowing depositors to individually verify that their deposits genuinely exist under the control of the exchange. If we let a commitment to perfection stall the adoption of processes like PoR, we will likely end up with a much worse situation where onerous, top-down regulation is imposed on exchanges. I always prefer proactive industry-driven self-regulation to state regulation, and I think you should, too.
A brief note on nomenclature
In my view, ‘Proof of Reserve’ refers to a specific procedure in which a custodian transparently attests to the existence of on-chain reserves, and then provides an equivalent proof (typically with the help of an auditor) that the liabilities outstanding do not exceed those reserves.
I am aware that the term is used generally to refer to related procedures. For instance, stablecoin attestations are sometimes referred to as PoR. But in the case of stablecoins, it is the liabilities which are on chain and the reserves which are in the banking system. Additionally, the term is sometimes used to refer to a setting in which a wrapped token is compared to equivalent tokens on a different blockchain. This would more accurately be described as a proof of on chain equivalence, or something related. There is no proof of underlying reserves in that situation. I would discourage the usage of PoR for these alternative uses to avoid muddying the meaning of the term. In my view, proving reserves specifically refers to the procedure whereby an entity demonstrates the existence of on-chain crypto reserves matching some off-chain liabilities that they have issued.
Proof of Reserve Resources
Quick start here:
- Nic Carter on Medium, Proof of Reserve for Policymakers
- Nic Carter on Medium, The Status of Proof of Reserve as of Year End 2022
- Nic Carter in Coindesk, Let’s Actually Commit to Proofs of Reserve This Time, Okay?
- Nic Carter on Medium, Proof of Reserve for Policymakers
- Nic Carter on Medium, The Status of Proof of Reserve as of Year End 2022
- Coinbase, How crypto exchanges can provide Proof of Reserves
- Nic Carter in Coindesk, Let’s Actually Commit to Proofs of Reserve This Time, Okay?
- Nic Carter in Coindesk, How to Stop the Next Quadriga: Make Exchanges Prove Their Reserves
- Karim Helmy in The Block, Exchange Proofs of Reserves & Solvency: a mechanical explanation
- Vitalik Buterin, Having a safe CEX: proof of solvency and beyond
- Nic Carter on Medium, How to scale Bitcoin (without changing a thing)
- Mauricio Di Bartolomeo in Bitcoin Magazine, Why Proof of Reserves is Important to Bitcoin
- Matt B on Medium, Proof-of-Reserves: A Standard for Enhanced Transparency
- Jason Tyra, Proof of Reserves is Not and Audit; Agreed Upon Procedures As Proof of Reserves; and Bitcoin Proof of Reserves as Part of an Audit
- Ledn’s Proof of Reserve FAQ
- BitMEX Research, Addressing the Privacy Gap in Proof of Liability Protocols
- BitMEX Research, Proof of Reserves & Liabilities – BitMEX Demonstration
- Jump Crypto, Statistical Attacks on Proof of Solvency
- On The Brink, A New Model for Proof of Reserve, with Luuk Strijers of Deribit
- On The Brink, Contemporary Proofs of Reserve, with Jeremy Welch of Kraken
- On The Brink, The auditor view of Proof of Reserves, with Noah Buxton and Jeremy Nau of Armanino LLP
- On The Brink, The Proof of Reserve Restoration, with Noah Buxton and Jeremy Nau of Armanino LLP
- Galaxy Digital’s Galaxy Brains, Proof of Reserves, with Nic Carter
Papers (🔥 = must read):
- Proof of Assets: A Summary Analysis, Bitcoin Policy Institute (2022)
- Chalkias, Chatzigiannis, and Ji, Broken Proofs of Solvency in Blockchain Custodial Wallets and Exchanges (2022) 🔥
- Ji and Chalkias, Generalized Proof of Liabilities (2021) 🔥
- Proof of Reserves: The Practitioner’s Guide (2021) 🔥
- Chalkias, Lewi, Mohassel, and Nikolaenko, Distributed Auditing Proofs of Liabilities (2020)
- Designated-verifier proof of assets for bitcoin exchange using elliptic curve cryptography (2020)
- Systemizing the Challenges of Auditing Blockchain-Based Assets (2019)
- Revelio: A MimbleWimble Proof of Reserves Protocol (2019)
- Breaking the binding: Attacks on the Merkle approach to prove liabilities and its applications (2019)
- MProve: A Proof of Reserves Protocol for Monero Exchanges (2019)
- Confidential and efficient asset proof for bitcoin exchanges (2018)
- Making Bitcoin Exchanges Transparent (2015)
- Provisions: Privacy-preserving Proofs of Solvency for Bitcoin Exchanges (2015) 🔥
- Beware the Middleman: Empirical Analysis of Bitcoin-Exchange Risk (2013)
- Blockstream, Standardizing Proof of Reserves (2019)
- Zak Wilcox, Proving Your Bitcoin Reserves (2014). This is Zak’s (since-deleted) description of the Maxwell/Todd ‘merkle approach’ to proving liabilities
- Olalonde’s Proof of Liabilities code on Github (2015)
- Bitfinex’s Proof of Solvency Proposal (2018)
- BitMex’s Tool Suite for Generating and Validating Proofs of Reserves(PoR) and Liabilities(PoL) (2021)
- Nansen, Exchange holdings dashboards (live updated)
- OKLink CeX Rankings
- Coinbase, 2023 PoRL developer grant program
Exchange commentary on PoR:
- Kraken, Proof of Reserves or Proof of Nothing: There is no in between
- Coinbase, How crypto companies can provide proof of reserves
- Gemini, Gemini Is Built on Trust, Safety, and Compliance: Ask For Permission, Not For Forgiveness
Why ‘Proof of Reserve’ if you really mean ‘Proof of Solvency’?
Proof of Reserve sounds better, and Solvency is a much higher bar to clear. Ideally a PoR would be paired with a full accounting of liabilities, known and hidden, and stronger solvency assurances would be obtained.
Is PoR “one sided” – does it avoid liabilities?
No. PoR is a term of art that refers to the attestation whereby both the assets held on deposit and the user liabilities are compared. Under standard PoR, liability holders have the ability to determine that they were included in the liability set (that’s what the merkle tree is for). The “hard part” is the liabilities – proof of assets on chain is normally trivial. So PoR is not “underpowered” or “incomplete”. A proper PoR really does give you assurances that the exchange is solvent at least in the narrow context of on-platform balances.
What about exchange/user privacy?
As long as exchanges are ok with people knowing how the total value of assets on deposit, they don’t have to divulge any additional information. In practice, it’s trivial to determine how many coins an exchange has, and many third party providers actively publish this data. So trying to hide the number of coins on deposit is a lost cause anyway. Through the proof of liability tool, user information is anonymized and hashed. This allows only users with a knowledge of their account ID and their balance to verify that they are included in the merkle proof without spying on other users.
What about DEXes?
The growth of DEXes is exciting and great for the industry. However, cryptocurrency users have a revealed preference for custodial ownership, at least for a portion of their coins. Self-custody is hard and it isn’t for everyone. Approximately 20-25% of BTC and ETH is held in a custodial setting. By encouraging custodial exchanges to adopt PoR, I am hoping that user assurances at custodial exchanges can be bettered. However, it goes without saying – not your keys, not your coins. You are ALWAYS vulnerable if you choose to use a custodial exchange.
Do you need an auditor?
In BitMEX’ case, I believe users are getting sufficient assurances without the input of a 3rd party auditor. Effectively, by running the process, users can determine that BitMEX controlled a specific number of BTC, and that their account balance is included in the final merkle tree of balances, such that if enough users ran the analysis, you’d have sound assurances that BitMEX was not selectively excluding any liabilities, thus overstating their solvency. In this case it’s only BTC being attested to in a relatively simple full-reserve setup. However in more complex setups where it may be a fractional reserve model or more bank-like context, or with multiple assets and even non-blockchain assets and potentially fiat, you will want to incorporate an auditor.
I want to adopt PoR. What do you recommend?
1. I recommend updating your legal ToS to clarify a) the segregation of client deposits and operating capital, b) the seniority of client deposits in liquidation, and c) the responsibilities you have towards depositors under your regulatory regime, if any.
2. As for adopting a PoR strategy, I suggest following the rubric laid out above. Top-scoring PoRs are frequent (monthly or better), involve either a full disclosure of liabilities (like BitMEX or Deribit) or auditor oversight, cover most or all platform assets, and allow users to verify inclusion in the liability set. The current state of the art is the Merkle method, but ZK-liability solutions are emerging and should be considered.
Why do I need an auditor or external third party assistance?
The liabilities side of the equation is tricky, and for users to have confidence that the accounting is complete, it’s worth considering engaging a trusted auditor willing to contribute their professional reputation to an assessment of liabilities. Historically, these have consisted of more limited ‘agreed upon procedures’.
Can you cheat a PoR by borrowing funds from other exchanges?
You could, yes. But it would also be the most obvious thing ever (as evidenced by the immediate outrage over Crypto.com and Gate’s questionable transaction). As I’ve said before, a point in time attestation proves very little. Even a quarterly cadence isn’t optimal. Higher frequency assessments – paired with either audit firm oversight or simply the on-chain transparency that comes with a periodic asset attestation – means that it is much harder or impossible to cheat a PoR. For instance, window dressing wouldn’t help with a daily or biweekly PoR attest, as is done by certain exchanges.
Either way, if you are publicly revealing your addresses, it would be come very clear very quickly if you were borrowing large amounts of funds every month to ‘pass’ a PoR and then sending them back. It’s not like this is an unknown, dastardly new concept. It’s known in the accounting space as “window dressing” – manipulating accounts on a short term basis to make them look better for a specific filing period, say at the end of the quarter. Audit firms are quite familiar with the concept and know how to look for it. The fact that blockchains are innately transparent helps too – anyone can be on the lookout for this kind of misbehavior.
Doesn’t PoR leak data, especially if exchanges are disclosing the full liability set?
If you consider one of the more advanced PoR attestations, like BitMEX’s implementation — which allows any third party to compare the entire liability set to the assets on chain — you will see that there are controls which preserve user privacy. Of course, no user PII is leaked, as everything is anonymized: users are assigned a string in their own client dashboard which uniquely identifies their account. User balances are split randomly into parts, so third parties cannot triangulate user behavior over time. What is leaked is the aggregate asset base on the exchange, and the distribution between assets. However, this information is published already by numerous chain analysis companies (including Coin Metrics, a data firm I cofounded), and there’s no way for exchanges to prevent these inferences. Additionally, newer zero-knowledge tools are coming to market which allow exchanges to perform their liability attestations while keeping all balance and distribution data private. As far as I’m concerned, the fact that these ZK-PoR tools exist now obviates the privacy objection, which was historically one of the biggest issues people had with PoR.
Isn’t PoR unnecessary because you could simply regulate exchanges through some other mechanism?
Right now, exchanges in the U.S. are lightly regulated. Mainly they are regulated on a patchwork, state-by-state basis as money transmitters. This approach isn’t really fit for custodial institutions holding billions of dollars of client assets. In this context, PoR legislation (and all the accompanying features, such as requirements that client assets to be segregated from operating capital, or held in a separate trust which is insulated from bankruptcy) definitely ameliorates this. Some may think that a unifying federal framework for exchanges might simply require better custodial practices, making something like a PoR irrelevant. However, we aren’t there yet, and such legislation could take years.
Additionally, PoR measures are being actively undertaken by numerous exchanges throughout the industry, so PoR legislation simply codifies an existing process that exchanges have embraced. PoR is a crypto-native solution which, in my view, surpasses the level of assurance you get from traditional audits in a reserve context. Other types of custodial oversight are purely regulatory. If you were reinventing bank oversight from scratch, but this time it was possible to prove to depositors (rather than just state or federal supervisors) that banks literally had sufficient liquidity, wouldn’t you prioritize that? After all, all of this regulation is meant to be for the benefit of end users and depositors.
Lastly, many exchanges are offshore and completely unregulated. We can debate the morality of this, but if you take a harm reduction approach, supporting PoR is an unalloyed positive. While no proof of reserve legislation could compel offshore exchanges to undertake the procedure, if all onshore exchanges were doing it, that would put pressure on their offshore peers to do the same. Additionally, a regulatory compulsion to use PoR domestically would create a market for more and better technical tools and CPA firms to oversee the attestations, making it more convenient for offshore exchanges to engage in PoR. PoR is most useful for exchanges where traditional assurances don’t exist. There are many of these, so standardizing PoR and encouraging CPA firms to cover them would improve the overall credibility of these exchanges, even if offshore.
Can PoR can be cheated by hiding liabilities?
For modern PoR like the ones done by Derebit of BitMEX, the entire liability set is released, so there’s no real uncertainty around the completeness of liabilities. Any standard PoR is also user-verifiable, so presumably any user could blow the whistle if they found that their liability entry was understated. Today, most PoRs are done with the Merkle proof method where liabilities are only disclosed on a per-client basis, which creates more possibilities for liability hiding. But this is solved with next generation PoRs which rely on ZK proofs, making disclosure of the full liability set possible without privacy drawbacks. Newer cryptographic technologies have largely made this objection obsolete.
Couldn’t exchanges could have massive out of scope liabilities, invalidating a PoR?
Yes, PoR doesn’t fix this kind of issue (no one has ever claimed it is a panacea). Exchanges could have some massive hidden liability. This is just a general problem though, not a PoR problem. This is more the domain of legal and contractual structuring. The way to fix this is to ask exchanges to hold assets in a segregated trust held for the benefit of clients, which is insulated from other liabilities. In the case of liquidation or insolvency, depositors are whole. Any PoR legislation should include this stipulation. To their credit, NYDFS have already laid out how this would work. Problem solved.
PoR doesn’t fix poor key management, key loss, or fraud, right?
Yes, but it makes it impossible to run at a fractional reserve for any sustained period of time. In the case of prior exchange collapses like FTX, Quadriga, or Gox, these exchanges were insolvent for months and years. They never had sufficient reserves to honor all possible client withdrawals. The moment an exchange was even under-reserved, the PoR would have been impossible to pass. So PoR makes it virtually impossible to behave badly for any meaningful period of time. If any exchange did PoR and became insolvent, they would stop doing PoRs. This would be a massive red flag.
Why can’t exchanges just do an audit instead?
Imagine if there was a type of audit that allowed a custodial institution to prove with no uncertainty, on a daily or weekly basis, to their customers, the government, or the public, that they had all the assets they said they had. This simply doesn’t exist in traditional audit land. Financial statement (FS) audits are slow, expensive, infrequent, and very broad in scope, covering far more than just reserve management. To the extent they cover client reserves, they generally involve sampling — rather than investigating all client assets. Certain major exchanges that did have FS audits did not include customer assets in their scope prior to 2022.
Practically speaking, audits are expensive and cumbersome, and CPA firms are very averse to working with crypto companies. This isn’t helped by folks like Sen Warren trying to bully audit firms into further spurning crypto. Given this reality, Proof of Reserve is a highly complementary solution. It is frequent, narrow in scope (but covers the specific thing that clients care about), and relatively cheap. It doesn’t even strictly require an audit firm — BitMEX’s and Deribit’s PoRs, two of the best in my opinion, don’t have audit oversight. Think about PoR as a targeted tool to give depositors confidence over one domain of an exchange’s practice — their custody — which can, and probably should, be supplemented with traditional assurances such as audit and contractual depository assurances. A PoR isn’t sufficient on its own, but it’s a vital piece of the puzzle.
What’s the deal with exchanges attesting to their reserves, eg on CoinMarketCap, Nansen, or on Twitter? Are these ‘real’ Proofs of Reserve?
Recently, some exchanges have begun to post informal attestations as to their reserves, for instance by sharing a list of cold wallet addresses. CoinMarketCap has even taken to calling summary data on exchange holdings (see e.g. Binance) ‘Proofs of Reserve’, even though these are issued without any proof of ownership. These attestations do not satisfy either side of the conventional PoR procedure: there is no cryptographic proof of assets held (merely disclosing an address is insufficient, as it could belong to anyone), and there is no accompanying proof of liabilities outstanding. To call this a ‘Proof of Reserve’ is a blatant misuse of the term. Users should demand the highest standard and should be extremely wary of exchanges using PoR in marketing collateral without committing to the rigorous version of the practice (see the caveats in the PoR wall of fame above).
Which CPA firms are active in the PoR / real time attest space?
Armanino has the most historical experience overseeing the procedure but curtailed their activity in the wake of post-FTX criticism. Mazars also used to do the procedure but also stepped back.
Cohen & Co and Withum, and Grant Thornton are all active in facilitating attestations in the stablecoin space, though none have overseen an exchange PoR as far as I know. All of the big four as well as RSM, in my esteem, have the technical competency to undertake a PoR but have thus far appear to have been unwilling to on a perceived risk basis.
What’s up with these audit firms helping with PoR? Are these ‘real audits’?
So far, every PoR that has been done with the assistance of an audit firm – Armanino, Mazars, etc – has been an “Agreed Upon Procedures” engagement. An AUP is a process whereby a firm asks an auditor to verify that it has followed a specific procedure within narrow boundaries, in this case, a faithful extraction of liabilities and a proof of assets held. AICPA defines an AUP as “an attestation engagement in which a practitioner performs specific procedures on subject matter and reports the findings without providing an opinion or conclusion.” So an AUP isn’t a “financial statement audit” (there are many types of audits, that is just one) that public companies undertake in which an audit firm reaches a view regarding the totality of a firm’s financial statements and disclosures. Specifically audit firms stake their reputation on their oversight in a financial statement audit – they are actively determining whether the financials surveyed appropriately reflect the firm’s financial position. An AUP doesn’t grant these same assurances – but that doesn’t mean that a PoR with an AUP is worthless. It’s just that consumers of the PoR are placing their trust more in cryptography rather than the reputation of an audit firm. Undeniably, an audit firm supervising a PoR helps provide assurances that the liabilities were extracted faithfully – but it isn’t the be all end all.
Have a suggestion? Get in touch at nic [at] niccarter [dot] info