Proof of Reserve Is Not Enough

Binance, Coinbase, and Kraken are among the major exchanges that have announced the submission of proof of funds in custody.

In Short

  • Proofs of reserves would be complete if they included a list of liabilities.

  • These proofs of reserves also require that users be able to verify their balances.

After the FTX collapse, major bitcoin and cryptocurrency exchanges published so-called Proofs of Reserves (PoRs) to disclose the funds they hold in custody. The exchanges aim to demonstrate that the funds in their possession equal or exceed the total funds of their users, which implies that they can fulfill any withdrawal request.

In the case of FTX, after the exchange's liquidity crisis became evident, its CEO and co-founder, Sam Bankman-Fried, told investors that he needed emergency funds. He revealed the existence of a deficit of $8,000 million due to the balance withdrawals requested by its users. FTX did not carry out proofs of reserves that would have shown transparency in the management of its funds.

According to the Bitcoin Policy Institute, Proof of Reserves is "a method that uses cryptographic verification techniques to publicly demonstrate that you hold enough digital assets to cover obligations or liabilities." So, if a Proof of Reserves is limited to showing an inventory of funds under custody without detailing liabilities, it offers an incomplete picture.

It is also necessary for an external audit to obtain proof of the reserves through a random check of the users' balances while preserving the users' anonymity. For this, a hash of each account and its balance is generated, and these hashes form a Merkle tree. Each user could then verify their own balance in that tree.
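The user-side check described above, as an added example that is not taken from the article or from any exchange's implementation. The leaf encoding, the per-user salt, the duplicate-last-hash padding and the sample ledger are assumptions constructed for illustration.

```python
import hashlib

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def leaf(account_id: str, balance: int, salt: bytes) -> bytes:
    # Assumed encoding: salted account hash (keeps the user anonymous)
    # followed by the balance; 0x00 marks a leaf, 0x01 an inner node.
    account_hash = h(salt + account_id.encode())
    return h(b"\x00" + account_hash + balance.to_bytes(8, "big"))

def node(left: bytes, right: bytes) -> bytes:
    return h(b"\x01" + left + right)

def pad(level):
    # An odd-sized level is completed by repeating its last hash.
    return level + [level[-1]] if len(level) % 2 else level

def build_levels(leaves):
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = pad(levels[-1])
        levels.append([node(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels

def prove(levels, index):
    # Sibling hashes from leaf to root: all the exchange hands to one user.
    path = []
    for level in levels[:-1]:
        sibling = index ^ 1
        path.append((pad(level)[sibling], sibling < index))
        index //= 2
    return path

def verify(account_id, balance, salt, path, root):
    # Run by the user: recompute the root from their own record.
    acc = leaf(account_id, balance, salt)
    for sibling, sibling_is_left in path:
        acc = node(sibling, acc) if sibling_is_left else node(acc, sibling)
    return acc == root

# Constructed sample ledger: (account id, balance in smallest unit, salt).
LEDGER = [("alice", 150, b"s1"), ("bob", 20, b"s2"), ("carol", 730, b"s3")]
LEVELS = build_levels([leaf(*row) for row in LEDGER])
ROOT = LEVELS[-1][0]          # the value the exchange or auditor publishes
CAROL_PATH = prove(LEVELS, 2)

print(verify("carol", 730, b"s3", CAROL_PATH, ROOT))  # honest record
print(verify("carol", 700, b"s3", CAROL_PATH, ROOT))  # understated balance
```

A passing check shows only that this balance is counted under the published root; it says nothing about whether the reserves cover the total of all balances.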

Proofs of reserves must include a list of liabilities

The leading exchanges in the world, Binance, Coinbase, and Kraken, were the first to present their respective PoR. But, in the case of Binance, the proof of reserves only gives details of some addresses and their funds. In the report, however, there is no mention of possible liabilities. On the other hand, the exchange notes that it "is working on a Merkle tree that we will share with the community in the coming weeks."

Reviewing recent PoR disclosures, Coin Metrics co-founder Nic Carter says in his analysis that Kraken conducted an auditor-assisted Proof of Reserves, which includes user validation using a Merkle tree. On the other hand, Carter points out that although the PoR conducted by BitMex does not have external auditors, it provides for user validation.

An attestation of funds delivered through an address list does not fully guarantee that those funds belong to the party declaring them, Carter says. "Proving that you control certain on-chain funds may seem trivial, but those funds could come from a short-term loan."

The market requires more than an address as proof of funds

With a "simple" proof of reserves, where an exchange only provides a list of addresses with funds, the list may reference one or more addresses holding funds that the filer does not own.

A malicious actor could pick any address on the network and claim to be in control of the funds by just querying an open blockchain. The most dangerous thing about this method is that, even if the valid owner of the funds later proves the attribution of those funds false, an aura of "trust" would already have been created by the wide dissemination of the information.

In this sense, the exchanges must demonstrate that they have access to the relevant addresses and that the money deposited there does not come from a loan taken out to simulate liquidity they do not have.

Trusted third parties should intervene in proof of reserves

One characteristic of proofs of reserves could be that the exchanges themselves emphasize the need to trust third parties, as is the case with proofs validated by auditing firms such as KPMG, Deloitte, and others.

The need to resort to audit firms has been justified, specifically concerning the accurate assessment of obligations and liabilities.

"The liability side of the equation is tricky, and to give users confidence that the accounting is complete, it pays to engage a trusted auditor willing to contribute their professional reputation to a liability assessment," says Nic Carter.

This reliance on third-party validation is contrary to the purpose of Bitcoin technology, which posits that users should not have to trust others but should instead be able to verify for themselves.

