When the centralized crypto exchange (CEX) FTX crashed in 2022, it wiped out $8.9 billion in funds and tarnished the trustworthiness of crypto trading websites. It also left traders wondering, if such a prominent exchange didn't have the funds to meet clients' withdrawal requests, could other exchanges be equally risky?
And it's not just centralized crypto platforms traders expressed concerns over. They also worried whether there were tests to prove protocols in decentralized finance (DeFi) take proper precautions with their users' assets.
In response, some of the world's top crypto exchanges stepped forward with a solution to rebuild trust with traders called "proof of reserves" (PoR). Although PoR is a relatively new metric, it has become a significant consideration when evaluating the trustworthiness of centralized crypto exchanges.
Here, we’ll explain PoR, how it's measured, and how traders use it to find a safer trading platform.
What is PoR in Crypto?
Proof of reserves is an audit that analyzes a crypto platform's finances to ensure it has enough funds to meet the demands of its customers. Auditors gather data on an exchange's current holdings (aka assets) and obligations (aka liabilities) to see if they have the crypto on hand in case every trader requests their money simultaneously. A healthy (or “solvent”) PoR shows an exchange maintains at least a 1:1 ratio of assets-to-liabilities.
Although PoR reports are closely associated with tracking the solvency of CEXs, they are used on blockchain-native protocols such as decentralized finance (DeFi) programs or wrapped token issuers. For example, the crypto custodian BitGo releases PoRs on its current Bitcoin (BTC) holdings relative to the Wrapped Bitcoin (wBTC) tokens it issues. wBTC is a synthetic version of BTC compatible with the Ethereum blockchain, and each wBTC in circulation must have one BTC in reserve.
How Does a Proof of Reserves Crypto Audit Work?
PoRs typically use a cryptographic verification technology called "Merkle trees" to collect data on an exchange's liabilities without compromising customer privacy. Also called "hash trees," Merkle trees organize balance data from each user into smaller units moving from "branches" to individual "leaves," all of which link to a unique and verifiable "Merkle root" hash function. The Merkle root contains the total value of liabilities on an exchange and specific details on each account’s crypto without revealing traders' personal information. Auditors take a snapshot of an exchange's liabilities, or they use real-time tracking software to provide constant updates on trading balances.
Since Merkle trees are tamper-proof and compatible with decentralized blockchains, they are easy for crypto analytics firms to incorporate into a liabilities screening, and they've become the standard in PoR reporting due to their accessibility and transparency.
After determining an exchange's liabilities, auditors focus on the assets a crypto exchange holds in reserve. Typically, CEXs provide the public key addresses for their crypto wallets, and auditors scan the virtual currencies in these CEX accounts. If a CEX has non-crypto assets like fiat currency, precious metals, or cash equivalents, they add them to their PoR report.
With this information, auditors compare a CEX's current assets to their liabilities and rate each exchange's safety based on this balance. The more assets a CEX holds compared to its current obligations, the higher its safety score.
Limitations to Proof of Reserves Reports
PoR seems like a foolproof solution to verifying the trustworthiness of crypto exchanges and stablecoin issuers, but there are weaknesses to this strategy. Although PoRs often reveal valuable info to traders, these reports don't always tell the whole story.
Relies on an auditor's trustworthiness: Exchanges and crypto protocols hire third-party auditing firms to remove bias from their PoR reporting procedures. In theory, PoR auditors have an incentive to be truthful to maintain their reputation, but not all auditing companies are created equal. Traders must trust the integrity and competency of the auditor who carried out a PoR.
Lack of clear regulatory rules: Since cryptocurrency is a new industry, the "standard" procedures for completing a PoR are still in flux. Although some technologies like Merkle trees have become widely adopted, there aren't official rules or regulations to confirm a PoR ticks all of the official boxes for a "valid" test.
Snapshots capture limited data: It's easier to conceal information on a snapshot versus real-time tracking technologies. For example, bad actors might use borrowed funds to hide a hole in their balance sheet or two exchanges transfer cryptocurrencies to each other for a snapshot and send the funds back after the test is complete. To gain credibility on a PoR, snapshots must be frequent and taken at random intervals.
Difficult to trace off-chain assets and liabilities: There's no way for exchanges to hide on-chain data once they create Merkel trees and share public key addresses, but it's challenging to see non-blockchain transactions in real time. Traders need to trust the info exchanges provide about their off-chain accounts, including cash funds in a bank and investment activities.
How to Find Proof of Reserve Crypto Audits
As the push for PoR picks up steam in the crypto market, it's getting easier for traders to find reports from multiple exchanges and DeFi protocols. Taking the time to scan online sources helps traders decide which exchange they feel comfortable entrusting with their assets.
Exchange websites: More cryptocurrency exchanges voluntarily publish their PoRs, and some advertise these reports as a key selling point for the trustworthiness of their platform. If users can't find a tab for a PoR report on an exchange's homepage, check the "Security" or "About" sections for more information. Some traders also request these details from a CEX by contacting a customer service representative.
Crypto price aggregator sites: Crypto price aggregators like CoinMarketCap and CoinGecko specialize in showing real-time price feeds for virtual currencies, but they also keep track of PoRs. To find a list of these crypto audits, click the "Exchanges" icon on CoinMarketCap or CoinGecko and review the reserve data on file. For more specific details on each company's reports, select an exchange and find the "Reserves" button to look through more information.
Blockchain explorers: For open-source cryptocurrency networks like Bitcoin and Ethereum, traders use search engines called blockchain explorers to monitor the assets different projects have in their wallets. As long as people know the public wallet for a CEX or crypto protocol, it's possible to paste this blockchain address into an explorer and see what's in their holdings. Sometimes, exchanges or big crypto projects list their name with a specific wallet address on blockchain explorers like Etherscan for greater transparency.
Public earnings calls: If a cryptocurrency exchange is a publicly traded company, it needs to hold earnings calls every quarter to share its latest profits or losses with stockholders. For example, the American CEX Coinbase offers equity on the U.S. stock market, so it is legally responsible for releasing annual earnings reports. If the CEX a trader uses offers shares on a stock market, review the most recent earnings reports to verify the assets and liabilities on an exchange's balance sheet.
Eligible Traders Enjoy Perpetual Swaps on dYdX
At dYdX, we take extreme care to provide eligible traders a safe derivatives trading experience in DeFi. Since our launch in 2018, dYdX has never lost or put users' funds at risk, and we consistently publish open-source third-party code audits with the firms PeckShield and Zeppelin Solutions. Furthermore, there's no need to solely rely on proof of reserves because you can audit the dYdX smart contract in real time by visiting Etherscan. This allows you to see exactly how much and where all funds are on dYdX in real time. For more details on dYdX's latest features and security measures, visit our blog. Also, remember to check out dYdX Academy for more helpful tips on Web3 safety, including how to use a hardware wallet, how to transfer cryptocurrencies, and the common warning signs of scams.
Eligible traders can start trading on dYdX today!
The content of this article (the “Article”) is provided for general informational purposes only. Reference to any specific strategy, technique, product, service, or entity does not constitute an endorsement or recommendation by dYdX Trading Inc., or any affiliate, agent, or representative thereof (“dYdX”). Use of strategies, techniques, products or services referenced in this Article may involve material risks, including the risk of financial losses arising from the volatility, operational loss, or nonconsensual liquidation of digital assets. The content of this Article does not constitute, and should not be considered, construed, or relied upon as, financial advice, legal advice, tax advice, investment advice, or advice of any other nature; and the content of this Article is not an offer, solicitation or call to action to make any investment, or purchase any crypto asset, of any kind. dYdX makes no representation, assurance or guarantee as to the accuracy, completeness, timeliness, suitability, or validity of any information in this Article or any third-party website that may be linked to it. You are solely responsible for conducting independent research, performing due diligence, and/or seeking advice from a professional advisor prior to taking any financial, tax, legal, or investment action.
Any applicable sponsorship in connection with this Article will be disclosed, and any reference to a sponsor in this Article is for disclosure purposes, or informational in nature, and in any event is not a call to action to make an investment, acquire a service or product, or purchase crypto assets. This Article does not offer the purchase or sale of any financial instruments or related services.
By accessing this Article and taking any action in connection with the information contained in this Article, you agree that dYdX is not responsible, directly or indirectly, for any errors, omissions, or delays related to this Article, or any damage, injury, or loss incurred in connection with use of or reliance on the content of this Article, including any specific strategy, technique, product, service, or entity that may be referenced in the Article.