Does «Proof of Reserves» provide meaningful trust and transparency?

Bastian Stolzenberg
Director, Blockchain Assurance, PwC Switzerland

In November 2022, crypto exchange FTX – the world’s fourth largest crypto exchange in trade volume at the time – filed for Chapter 11 bankruptcy protection in the state of Delaware, USA. As the story unfolds, published documents cast significant doubts about the exchange having retained sufficient (customer) assets to honour its liabilities. While a series of factors have contributed to this situation, we would like to comment on an increasingly popular response within the digital assets industry.

Several players have been quick to propose using the transparency of public blockchains to demonstrate the existence of customers’ assets in an organisation’s custody via a so-called «Proof of Reserves» (PoR) mechanism to reassure clients and investors that their funds are safe. While this might seem like a good solution at first glance, PoR’s limitations make it unsuitable for the intended purpose, with the result that it does not actually provide meaningful trust.

What is Proof of Reserves («PoR»)?

In essence, Proof of Reserves is the result of a set of procedures, usually conducted by an independent third-party, to provide transparency on the digital assets held on addresses controlled by a custodian or exchange. It sometimes includes the possibility for customers to verify by themselves, through a feature offered by the custodian or exchange, that their assets are indeed included in the Proof of Reserves balances.

To achieve this, the third-party, with the support of the custodian, creates a snapshot of the organisation’s balances on the blockchain addresses it controls or claims to control. Those balances are then matched with customers’ balances as per the custodian’s books. Using cryptographic proof, it is possible to aggregate the sum of all customers’ balances and compare it to the assets held without exposing specific client information in the process, while demonstrating that all customers’ assets are included in the comparison.

The limitations of Proof of Reserves in its current form

PoR in its current form suffers from several irrecoverable flaws, the main ones being as follows:

The PoR relies on a snapshot of assets at a given date. This means that, even if properly executed, the picture drawn by PoR is only valid at a specific point in time; this ignores what might have happened before and after that point.
It is one thing to know that assets existed in the past, it is another to have assurance that those assets will still be in safe custody in the future. Therefore, the evaluation of the internal control system surrounding the handling of customers’ funds provides more information about the proper measures in place to limit the risks of misappropriation of assets. Interested parties should not be satisfied with anything less than an independent assessment of custodians’ processes and controls and a demonstration of the proper handling of clients’ assets over a period of time, if they are to feel comfortable about their deposited assets. Such assurances can only be obtained from dedicated SOC1 or ISAE 3402 Type 2 reports issued by a reputable auditor.

The PoR approach limits its scope to compare the clients’ assets recorded with information directly from the respective blockchains (“on-chain data”). This approach ignores the wider picture of the custodian or exchange as a group or organisation and provides no information on the actual liabilities beyond assets held for customers.
Therefore, PoR provides no information with regard to other liabilities or risks (e.g. operational risks) to which the group or organisation is exposed. Beyond that which can be observed on-chain, exchanges and custodians have multiple activities that entail specific risks, which must be addressed appropriately. Assets subjected to PoR might have been borrowed, for the purpose of the PoR or for other reasons, or might not even be (solely) controlled by the custodian or exchange. Other liabilities are expected, as it is common for any group or organisation to have rights and obligations that cannot be traced down to on-chain activities. Consequently, only a proper, full-scope (consolidated) financial statements audit of the entire group or organisation, undertaken by a reputable auditor under professionally recognised auditing standards, can provide stakeholders with the necessary understanding of the financial position of the custodian or exchange as a whole.
No professional audit standards for PoR currently exist.
In the absence of any professional audit standards it is up to the independent third-party to define how those PoR procedures are conducted and reported. This calls into question the quality of such procedures and prevents results from being comparable across the industry.

The next step for the industry

More trust within the digital asset ecosystem is needed, especially when it involves groups or organisations that have custody of material amounts of customer assets. To achieve this, the industry needs to reach a level of transparency that can only be achieved through more rigorous risk management and transparency reporting than PoR in its current form can provide.

From a counter-party risk perspective, the existence of a robust internal control system at the custodian is essential. In addition to ensuring continued access to digital assets by the group or organisation, a solid control framework also provides comfort with regard to private keys being under the safe and sole control of the custodian or exchange. SOC1 and ISAE 3402 are well-known attestation standards that, when appropriately applied to digital assets operations, can provide assurance on the proper handling of digital assets by custodians. Such reports should start with controls over the initial setup of the custody solution (i.e. the ‘key ceremony’ or ‘initialisation’) and extend, over time, to the key management and digital assets operations.

Furthermore, financial statements audits conducted by a reputable audit firm provide meaningful assurance on the financial position of a custodian or exchange as a whole, taking into account all assets and liabilities. In many cases, an audit of consolidated or combined financial statements, including entities affiliated with the group or organisation with which the custodian or exchange might be frequently transacting, would be necessary. The reputable auditor will also be required to perform procedures to ensure that the custodian or exchange is able to continue as a going concern; this will also provide a stakeholder with some forward-looking reassurance.

#social#