The stunning collapse of crypto exchange FTX near the end of 2022 sent shockwaves through the crypto industry, rattling trust and pushing asset prices into freefall. The events ignited conversations about the security of users’ crypto, and widespread concern over whether they could trust their holdings in the hands of custodial wallets and exchanges. This crisis of confidence led to increased demand for greater transparency from custodial service providers, including implementing proof of reserves audits — independent, third-party verifications conducted regularly to confirm a firm has at least 100% of the funds required to cover its customers’ balances. But how does proof of reserves work? And why does it matter? We’ll explain ahead.
What is proof of reserves?
Proof of reserves (PoR) is a method for definitively proving a custodial crypto service provider has enough assets on hand to meet or exceed its users’ funds. Theoretically, at any given time, every single asset holder should be able to swap for fiat, spend or otherwise move their crypto funds out of a custodial wallet or exchange without delay. Through proof of reserves audits, custodial entities can prove they have the liquidity (assets) to provide users unfettered access to their funds (liabilities) at all times.
Proof of reserve audits are conducted on a recurring basis by third-party, independent auditors which cryptographically verify a firm’s stated holdings match its balance sheet. The results are made public and are viewable by customers at any time.
Why do they matter?
The primary benefit of proof of reserves is enhanced transparency and trust, which in light of recent events, may be critical to restore badly shaken consumer confidence in custodial wallets and exchanges. If users don’t have faith that their funds are secure and readily available, it’s difficult to imagine a future for these services.
Knowing their holdings will be routinely subject to proof of reserves audits makes it very difficult for firms to use deposited funds improperly. It also puts restrictions in place around practices like lending those funds out or using them to make investments.
For exchanges and wallet providers, engaging in proof of reserves is a signal of trustworthiness and demonstrates a commitment to transparency. For customers, proof of reserves audits provide peace of mind that their custodied funds are always secure and available. For the entire crypto ecosystem, proof of reserves presents an opportunity to move forward after the FTX disaster with a new paradigm of openness and visibility.
What is a proof of reserves audit and how is it performed?
In a proof of reserves audit, a custodian partners with a third-party crypto auditor to verify its assets on reserve match its deposits, and that customer funds are not being used improperly. The auditor compares the amount of funds held by the company against the combined balances of each and every customer to determine they do in fact possess the assets they claim. The auditing process is most often done via what is known as the Merkle tree technique.
The Merkle tree data structure allows auditors to view the combined balance of all customer accounts without exposing individual users’ holdings. First, a snapshot of each user ID and account balance is taken. The information is obscured through an irreversible process called “hashing”, where the numbers are encoded into a fixed-size output using cryptography. These “hashed” account balances form the bottom layer of the Merkle tree, known as leaf nodes or “leaves”, with each leaf corresponding to an individual account holder. These leaves are then paired together to form hashes, which are then further hashed until a single node remains, known as the “root”, which sits at the top of the Merkle tree structure. The root lets auditors quickly confirm that the rest of the information contained in each leaf and hash is accurate and has not been tampered with. If any account balances have been manipulated, the Merkle root would be different.
Using the Merkle tree technique, auditors are able to quickly and accurately pore over immense amounts of account holder data without compromising privacy or security. It also lets users hash their own user ID and account balances so they can find them in the tree, allowing individuals to verify for themselves that their funds are right where they’re supposed to be.
Moving forward
Conducting proof of reserves audits and publicly sharing reserves data can be a positive step to regaining consumers trust in custodial services, and crypto as a whole. Of course, for crypto users who are comfortable managing their private keys, bypassing centralized exchanges entirely remains the most secure manner of knowing your crypto is accessible.