in

What are proof-of-reserves audits, and how do they work?


With the rising interest in digital assets from institutional and retail investors, custody options have also experienced parallel growth. As a result, different kinds of custody choices have evolved as the market changes, and new providers are working to establish the structures and controls that are most effective for particular markets and offerings.

Self-custody, exchange wallets and third-party custodians are the various choices available for users to safeguard their cryptocurrencies. Custodians in the world of digital assets function similarly to traditional financial markets in that their primary duty is to take care of and protect their clients’ assets by holding the private key on behalf of the asset holder, preventing unauthorized access. 

However, despite such efforts, events such as the collapse of FTX (a cryptocurrency exchange and crypto hedge fund) and the liquidation of Three Arrows Capital (a cryptocurrency hedge fund) shocked the cryptocurrency industry. They made people question the reliability and integrity of crypto custodians.

To ensure the financial soundness of custodians, a proof-of-reserves (PoR) audit confirms that the company’s on-chain holdings are identical to the client assets listed on the balance sheet, reassuring customers that the business is solvent and liquid enough to continue business with them.

This article will discuss what is a proof-of-reserves audit, why proofs of reserves are important, how to access the proof of reserves, and how to verify proofs of reserves.

What is a proof-of-reserves?

In traditional finance, reserves are a company’s profits kept aside to utilize in unforeseen circumstances. In contrast, in the crypto space, a proof of reserves refers to an independent audit conducted by a third party to confirm that the entity being audited has sufficient reserves to support all of its depositors’ balances.

For trustworthy and experienced digital asset service providers, undergoing a proof-of-reserves audit is a critical step in the regulatory process. The PoR audit ensures customers and the public that the custodian is sufficiently liquid and solvent, and they can withdraw funds anytime, providing transparency on the availability of their funds. 

A proof-of-reserves audit also benefits crypto companies acting as custodians, as by ensuring absolute asset backing, they can retain customers and enhance trust in their operations. Moreover, through PoR, centralized exchanges are prohibited from investing depositors’ money in other companies, minimizing the risk that businesses will maximize the returns from their consumer assets. Additionally, such an audit also helps prevent the likelihood of events such as the great financial crisis of 2007–2008.

How does a proof-of-reserves audit work?

Before understanding how a proof of reserves works, let’s get familiarized with the overall auditing process. In general, the audit should assess an exchange’s solvency, which produces only two outcomes: either the exchange is solvent if its assets exceed its obligations or liabilities or insolvent in all other cases. However, it is conceivable that there are instances where this binary result is insufficient, such as when an exchange has to demonstrate fractional reserves.

In the case of fractional reserves, a portion of an exchange’s deposits is maintained in reserve and made instantly accessible for withdrawal (as cash and other highly liquid assets), with the remaining balance of the funds being lent to borrowers.

The auditing procedure can be divided into three distinct steps:

Proof of liabilities

The exchange’s liabilities are the outstanding cryptocurrency balances due to its clients. The sum of all customer account balances is used to compute the exchange’s total liabilities. To determine solvency, the computed amount is later contrasted with the total reserves. The proof of liabilities component also calculates the hash of the fraction factor and the root of a Merkle tree.

The user account information is used to construct a Merkle tree using the cryptographic hash of the customer’s identity, and the amount owing to the customer would be used to generate a leaf of the tree. The nodes in the following tier of the tree are created by pairing the leaves together and hashing them; to build the tree’s root, nodes are merged and hashed.

Proof of reserves

The assets that the exchange has stored on the blockchain as cryptocurrencies are called reserves. The total assets are computed by summing up the balances of crypto addresses if the exchange possesses the private keys of those addresses. 

By providing the public key linked to a cryptocurrency’s address and signing it with the private key, the exchange may prove that they are the rightful owner of the crypto address. For additional security, the exchange should also sign a nonce (such as the hash of the most recent block that was added to the blockchain), a value that may be used to validate the signature. The outputs of the proof of reserves are the sum and the hash of the address balances.

The audit program does not have to parse the entire blockchain to determine which balances should be added up; instead, it uses a preprocessor, a deterministic aggregate of data readily accessible to the public.

If given identical input values, a deterministic function will always produce the same results. This is a fundamental criterion for any blockchain since it is difficult to achieve consensus if transactions do not result in the same outcome each time they are executed, regardless of who initiates them and where they occurred.

Proof of solvency

The outputs of the audit and an attestation that may be used to confirm that the auditing software was run in a trustworthy environment are the two components of the proof of the solvency of a cryptocurrency exchange. 

The final audit result is either true or false (a binary number). It will be true if reserves exceed liabilities and false otherwise. The attestation serves as a signature for the hashes of the executed program and the platform measurements. The consumer can verify that the calculation considers its account balance into account by using the Merkle tree’s root.

How are PoR audits conducted?

The proof-of-reserves auditing process is often carried out by a third-party auditor to confirm that the assets on a crypto custodian’s balance sheet are sufficient to balance its customers’ holdings. The following steps are involved in the process:

  • The external auditor or the auditing firm initially takes an anonymized snapshot of the institution’s balances. An auditor organizes these balances into a Merkle tree, which contains custodial data and has several branches that are authenticated using hash codes.
  • The auditor then collects individual user contributions by utilizing the distinctive signatures of each account holder.
  • The next step involves authenticating whether customers’ assets are held on a full-reserve basis — i.e., the individual contributors’ reported balances are at least equal to those obtained from the Merkle tree. It is done by comparing the digital signatures to the Merkle tree records.

After the PoR audit, users can verify their own transactions. For instance, if anyone has held their crypto assets on Binance, they can find their Merkle leaf and Record ID by logging in to the Binance website, clicking on “Wallet” and clicking on “Audit.”

The next step is to choose the audit date to confirm the audit type, the assets that were covered, your Record ID, and your asset balances included in an auditor’s attestation report concerning Binance’s proof of reserves audit.

Benefits of proof-of-reserves audits

The PoR audit has several advantages, as it reveals that exchanges’ on-chain holding of cryptocurrency corresponds with users’ balances. For instance, through proof-of-reserves audit, it can be verified if tokens like Wrapped Bitcoin (wBTC) are actually backed by Bitcoin (BTC). Decentralized finance applications receive the information they need to audit the Wrapped Bitcoin reserves from a network of Chainlink oracles that check the custodian’s BTC balance on the Bitcoin blockchain every 10 minutes. 

In addition, proofs of reserves appeal to regulators as a self-regulating approach that fits with their broad industry strategy. Furthermore, addressing the lack of confidence brought on by exchanges’ inability to cover consumer deposits with sufficient assets also increases product adoption. 

Moreover, users can independently verify the transparency of the proof-of-reserves audit using a Merkle tree hashing approach. Similarly, investors will have a due diligence tool to acquire relevant data about specific institutions’ client asset management practices, decreasing the likelihood of losing funds. At the same time, users start to trust custodians, which helps the latter with client retention.

Limitations of a proof-of-reserves

Despite the above advantages, proof-of-reserves audit has some disadvantages that cannot be overlooked. The critical issue with a PoR audit is that its correctness depends upon the auditor’s competence. Also, a fraudulent audit result may be produced by a third-party auditor in collaboration with the custodian under consideration.

In addition, a cryptocurrency exchange may manipulate the facts, as the correctness of verified balances is only valid during the time of audit. The legitimacy of the proof-of-reserves audit can also be impacted by the loss of private keys or users’ funds. Moreover, a PoR audit cannot determine if the money was borrowed to pass the audit.