As the crypto industry rallies around the transparency of Proof of Reserves (PoR) audits, Kraken is encouraged to see greater focus placed on proof, rather than promises.
However, as others rush to catch up, we have observed attempts by other platforms and exchanges to pass off diluted and misleading methodologies as a Proof of Reserves audit.
Aside from causing marketplace confusion, these incomplete practices being touted as Proof of Reserves audits will erode trust and undermine the shared mission of accelerating financial freedom and inclusion for all.
In order to deliver the level of transparency clients deserve, the crypto industry at large must adopt rigorous standards surrounding Proof of Reserves audits. Amid the chaos of the past month, the industry has failed to explain what Proof of Reserves audits should truly entail and convoluted the process in order to cash in on the hype.
Crypto stakeholders that do not understand the actual purpose and proper application of Proof of Reserves audits are at risk of being deceived. Clients are now presented with misleading and incomplete claims of Proof of Reserves, leaving them open to deception and therefore financial harm. Kraken voluntarily conducted the industry’s first Proof of Reserves audit and set a legitimate standard by accounting for not only our crypto balances, but also our client liabilities under the supervision of an independent auditor.
Kraken believes that Proof of Reserves audits must include the following five components. Failure to include one of these five means that, in Kraken’s view, there is room for manipulation of the results. At the most fundamental level, Proof of Reserves audits are a combination of Proof of Assets and Proof of Liabilities. The absence of one or the other fails to meet the gold standard and fails to be valuable to an exchange’s clients.
In short, Kraken believes that you deserve proof, not promises, when understanding the health of your crypto exchange.
What are the components of Proof of Reserves?
As a company that strives to lead the industry in transparency and trust, it is our responsibility to call out the shortcomings and vulnerabilities of less rigorous practices being labeled as Proof of Reserves audits.
While pioneering the practice of regular Proof of Reserves audits, Kraken established the framework for how to conduct the practice effectively. Despite our disagreement with others attempting to redefine what Proof of Reserves audits are, there is an opportunity to standardize the practice and deliver transparency in a decentralized way across the crypto industry.
Simply put, Kraken believes that Proof of Reserves audits should be a combination of Proof of Assets and Proof of Liabilities, with other features that add client reassurance. The absence of one of these components should mean that the process fails to meet the standard of a true Proof of Reserves audit.
Proof of Liabilities
Tl;dr: how much the exchange needs
At its core, Proof of Reserves is first and foremost a proof of client liabilities. Without a clear picture of the amount of a given asset that is required of the exchange to cover client deposits, the following components are incomplete.
In order to not just claim, but prove client liabilities, Kraken engages a third party auditor who upholds the validity of claimed client liabilities. The auditor also plays an important role in the Proof of Liabilities component by ensuring that no negative balances, which may have resulted from liquidated margin positions and therefore would potentially lead to inaccurate audit results, have been included in the Proof of Reserves audit. The role of the auditor, as well as the potential to offset the need for the auditor through full data availability, is discussed in further detail within the following sections.
Proof of Assets
Tl;dr: how much the exchange has
Once the amount of client liabilities the exchange is responsible for is established, the exchange must next prove its assets. Assets should be equal to or in excess of the client liabilities of the exchange, meaning that the exchange should hold, at a minimum, an amount of a given asset equal to its liabilities in that asset according to client deposits.
A bad actor could easily point to a random wallet stuffed full of crypto and say it’s theirs. Publishing wallet addresses without confirmation is the crypto equivalent of posing in front of a big stack of money: it’s there, but no one knows for sure who is the rightful owner of that stack of money.
To start, wallet addresses without corresponding signatures are meaningless, as there is no way to prove ownership over the wallet. Additionally, even wallets with proven ownership fall short unless it can be guaranteed that no accounts with negative balances were included in the Proof of Liabilities (a process that can be accomplished through an independent, third party auditor).
Merkle Tree
Tl;dr: assigning each client balance a unique identifier
Each balance under the exchange’s control must be assigned a unique identifier, known as a hash, which can be recreated by using the same inputs again. The hash is mathematically repeatable and verifiable (and statistically, virtually unique).
These unique identifiers, assigned to each client balance, are then systematically combined into pairs and then hashed together again to form a Merkle tree. The end result of this process, after the final two hash values are hashed together one last time, is known as a Merkle root. This value serves as the digital fingerprint for all client balances and enables clients to verify that their assets were included in the Proof of Reserves audit process through a client portal.
Independent Auditor
Tl;dr: Third party oversight and authentication
Without an auditor overseeing and verifying the rigorous standards of the Proof of Reserves audit process, bad actors can obscure or mislead their clients. For example, an auditor ensures that accounts with negative balances, which artificially reduce the total liabilities an exchange is responsible for, were not included in the audit. Involving an auditor is not a complete guarantee of accuracy, but acts as an additional increment of rigor.
It is worth emphasizing that other exchanges that are not using a reputable, independent auditor (or that fail to disclose all verifiably proven assets and liabilities to the public) are not completing Proof of Reserves audits.
Client Portal
Tl;dr: don’t trust, verify
After all is said and done, clients must be able to independently verify for themselves that their balances (the exchange’s liabilities) were included in the Proof of Reserves audit. Exchanges should provide access to a portal hosted by an independent third party for clients to authenticate that their balance was captured in the audit. Without a client portal, clients would need to trust, and would not be able to independently verify, that the exchange and the auditor included their balance in the audit.
We believe that a proper Proof of Reserves audit requires the data to be hosted at an independent and separate location. What is needed is the ability for the clients to verify that their balance was submitted to the auditor.
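The Merkle tree construction and the client-side check described above can be sketched as follows. This is an added example, not Kraken's or its auditor's code: the leaf encoding (account id, asset, balance), SHA-256, the `leaf:`/`node:` prefixes, the rule for an odd node count, and the sample ledger are all assumptions made for illustration.

```python
import hashlib

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def leaf_hash(account_id: str, asset: str, balance: int) -> bytes:
    if balance < 0:  # a negative balance would understate total liabilities
        raise ValueError(f"negative balance for {account_id}")
    # Assumed leaf encoding; the same inputs always recreate the same hash.
    return h(b"leaf:" + f"{account_id}|{asset}|{balance}".encode())

def build_levels(leaves):
    levels = [list(leaves)]  # level 0 holds the leaf hashes
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2:  # odd count: pair the last node with itself
            cur = cur + [cur[-1]]
        levels.append([h(b"node:" + cur[i] + cur[i + 1])
                       for i in range(0, len(cur), 2)])
    return levels  # the last level holds only the Merkle root

def inclusion_proof(levels, index):
    proof = []  # (sibling hash, sibling is on the left) for each level
    for level in levels[:-1]:
        if len(level) % 2:
            level = level + [level[-1]]
        sibling = index ^ 1
        proof.append((level[sibling], sibling < index))
        index //= 2
    return proof

def verify(leaf, proof, root):  # what a client runs against the published root
    node = leaf
    for sibling, sibling_is_left in proof:
        pair = sibling + node if sibling_is_left else node + sibling
        node = h(b"node:" + pair)
    return node == root

# Constructed sample ledger (balances in satoshis), not real data.
LEDGER = [("acct-001", "BTC", 150_000_000), ("acct-002", "BTC", 25_000_000),
          ("acct-003", "BTC", 0), ("acct-004", "BTC", 7_500_000),
          ("acct-005", "BTC", 310_000_000)]
LEAVES = [leaf_hash(*row) for row in LEDGER]
LEVELS = build_levels(LEAVES)
ROOT = LEVELS[-1][0]

if __name__ == "__main__":
    proof = inclusion_proof(LEVELS, 4)
    print("acct-005 included:", verify(LEAVES[4], proof, ROOT))
    print("altered balance:", verify(leaf_hash("acct-005", "BTC", 1), proof, ROOT))
```

The root commits to every individual balance, but a plain hash tree like this one does not by itself show what the balances sum to; on this page that total, and the exclusion of negative balances, is what the independent auditor attests to.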
Kraken believes that a Proof of Reserves audit should include cryptographic proof of client balances and wallet control. To be considered a true Proof of Reserves audit, exchanges should include:
- Proof of Liabilities
- Proof of Assets
- Merkle Tree
- Independent Auditor
- Client Portal
In order to deliver transparency and trust within the crypto industry, proof must remain a critical part of Proof of Reserves audits. Less rigorous standards will dilute the self-governing potential of Proof of Reserves audits and erode transparency across the crypto ecosystem.
For those looking for an exchange that continues to lead the way in transparency and trust, get started with Kraken today.
There are no formally accepted rules or procedures that define a proof of reserves audit. For ours, we engaged an independent accounting firm to perform an engagement under standards set forth by the American Institute for Certified Public Accountants and to issue an Independent Accountant’s Report on Agreed Upon Procedures. This report includes specific procedures performed by that firm as well as their findings.