In November 2022, crypto exchange FTX – the world’s fourth-largest crypto exchange by trade volume at the time – filed for Chapter 11 bankruptcy protection in the state of Delaware, USA. As the story unfolds, published documents cast significant doubt on whether the exchange had retained sufficient (customer) assets to honour its liabilities. While a series of factors contributed to this situation, we would like to comment on an increasingly popular response within the digital assets industry.
Several players have been quick to propose using the transparency of public blockchains to demonstrate the existence of customers’ assets in an organisation’s custody via a so-called «Proof of Reserves» (PoR) mechanism to reassure clients and investors that their funds are safe. While this might seem like a good solution at first glance, PoR’s limitations make it unsuitable for the intended purpose, with the result that it does not actually provide meaningful trust.
What is Proof of Reserves («PoR»)?
In essence, Proof of Reserves is the result of a set of procedures, usually conducted by an independent third party, to provide transparency on the digital assets held on addresses controlled by a custodian or exchange. It sometimes includes the possibility for customers to verify by themselves, through a feature offered by the custodian or exchange, that their own balances are indeed included in the Proof of Reserves totals.
To achieve this, the third party, with the support of the custodian, creates a snapshot of the organisation’s balances on the blockchain addresses it controls or claims to control. Those balances are then matched against customers’ balances as recorded in the custodian’s books. Using a cryptographic commitment, it is possible to aggregate the sum of all customers’ balances and compare it to the assets held without exposing specific client information in the process, while allowing each customer to check that their balance was included in the comparison.
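As an added illustration (not part of the original article, and not any specific custodian's implementation), the following constructs the liability side of such a comparison with a Merkle sum tree: each leaf commits to one customer's salted identifier and balance, every parent node commits to its children and their combined total, and a customer can check their own inclusion from a short proof without seeing anyone else's balance. The customer balances and the on-chain snapshot figure are constructed sample values.

```python
from __future__ import annotations
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Node:
    digest: bytes   # hash committing to the subtree contents and its total
    total: int      # sum of balances in this subtree (smallest unit, e.g. satoshi)

def _h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

def leaf(customer_id: str, salt: bytes, balance: int) -> Node:
    # A per-customer salt stops a published leaf digest from revealing the identifier.
    if balance < 0:
        raise ValueError("negative balance would understate the committed liabilities")
    return Node(_h(b"leaf", salt, customer_id.encode(), balance.to_bytes(8, "big")), balance)

def parent(left: Node, right: Node) -> Node:
    # The total is hashed into the node so it cannot be changed without changing the digest.
    total = left.total + right.total
    return Node(_h(b"node", left.digest, right.digest, total.to_bytes(8, "big")), total)

def _padded(level: list[Node]) -> list[Node]:
    return level + [Node(_h(b"empty"), 0)] if len(level) % 2 else level

def build_tree(leaves: list[Node]) -> tuple[Node, list[list[Node]]]:
    levels = [leaves]
    while len(levels[-1]) > 1:
        lvl = _padded(levels[-1])
        levels.append([parent(lvl[i], lvl[i + 1]) for i in range(0, len(lvl), 2)])
    return levels[-1][0], levels

def inclusion_proof(levels: list[list[Node]], index: int) -> list[tuple[Node, bool]]:
    # Sibling nodes from the leaf up to the root, with a flag saying whether each sits on the left.
    proof = []
    for lvl in levels[:-1]:
        sib = index ^ 1
        proof.append((_padded(lvl)[sib], sib < index))
        index //= 2
    return proof

def verify_inclusion(my_leaf: Node, proof: list[tuple[Node, bool]], root: Node) -> bool:
    node = my_leaf
    for sib, sib_is_left in proof:
        node = parent(sib, node) if sib_is_left else parent(node, sib)
    return node == root

def reserves_cover_liabilities(root: Node, onchain_snapshot: int) -> bool:
    # Published root total versus the balance observed on the custodian's addresses at the snapshot.
    return onchain_snapshot >= root.total

# Constructed sample: three customer balances from the custodian's books, in satoshi.
BOOKS = [("alice", b"\x01" * 16, 150_000), ("bob", b"\x02" * 16, 2_000_000), ("carol", b"\x03" * 16, 75_000)]
LEAVES = [leaf(cid, salt, bal) for cid, salt, bal in BOOKS]
ROOT, LEVELS = build_tree(LEAVES)
```

The comparison only shows that the snapshot balance was at least the committed liabilities at that moment; it says nothing about who else may have a claim on those addresses, which is why the article looks to internal-control attestations and full financial statement audits for the assurance PoR cannot give.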
PoR in its current form suffers from several irrecoverable flaws, the main ones being as follows:
More trust within the digital asset ecosystem is needed, especially when it involves groups or organisations that have custody of material amounts of customer assets. To achieve this, the industry needs to reach a level of transparency that can only be achieved through more rigorous risk management and transparency reporting than PoR in its current form can provide.
From a counterparty risk perspective, the existence of a robust internal control system at the custodian is essential. In addition to ensuring continued access to digital assets by the group or organisation, a solid control framework also provides comfort that private keys are under the safe and sole control of the custodian or exchange. SOC 1 and ISAE 3402 are well-known attestation standards that, when appropriately applied to digital asset operations, can provide assurance on the proper handling of digital assets by custodians. Such reports should start with controls over the initial setup of the custody solution (i.e. the ‘key ceremony’ or ‘initialisation’) and extend, over time, to key management and digital asset operations.
Furthermore, financial statement audits conducted by a reputable audit firm provide meaningful assurance on the financial position of a custodian or exchange as a whole, taking into account all assets and liabilities. In many cases, an audit of consolidated or combined financial statements, including entities affiliated with the group or organisation with which the custodian or exchange might frequently transact, would be necessary. The auditor will also be required to perform procedures to assess whether the custodian or exchange is able to continue as a going concern, which gives stakeholders some forward-looking reassurance.