Proof of Reserves for Policymakers

A refresher

Smaug jealously guarding funds held in reserve [Stable Diffusion]

Proof of Reserves (PoR) isn’t just a niche procedure debated by crypto bros and accountants any longer. It’s increasingly making its way into legislation and policy. The Texas legislature recently saw a bill introduced asking for segregated custody at exchanges alongside quarterly PoR attestations. Wyoming also mentions PoR in their 2021 Digital Asset Custody Framework. I expect others will follow, both at the state and federal level. At the same time, PoR is widely misunderstood and sometimes derided, both in the crypto space, and among policymakers.

Just recently, Sens. Warren and Wyden wrote a letter to the PCAOB calling PoRs “sham audits”. The senators asked the accounting regulators to dissuade CPA firms from engaging with PoRs. Bloomberg Tax calls PoRs “misleading reserve estimates”. Paul Vigna in the WSJ says PoR “isn’t all it appears to be”. Amidst the departure of PoR stalwarts Armanino and Mazars from the crypto space, conspiracies swirled about the potential falsity of the PoR procedures they oversaw. Critics saw their exit as confirmation that PoR was indeed a sham. Why else would audit firms overseeing the procedures quit abruptly?

While some of these criticisms are made in bad faith (as is surely the case with Sen. Warren), I also tend to think that a better understanding of PoR would help allay some of these concerns. Given the noise around the procedure today, a refresher is warranted.

Proof of Reserves is widely deployed in the crypto industry today

PoR isn’t hypothetical or a mere thought experiment promoted by crypto bros. It’s a widely deployed procedure that many exchanges follow today. By my count, eleven major crypto exchanges (major defined as holding a minimum of $500m in client assets) engaged in at least one PoR attestation since November of last year. In the aggregate, these most recent PoRs covered $33b worth of assets. On average, these PoRs covered 73% of total assets held by each exchange. Five of these exchanges are doing PoRs on a monthly frequency or better, with two producing attestations on a daily or bi-weekly basis. (All these figures available in my recent article.)

The procedure has been done by exchanges dating back to 2014 (I briefly cover the history here). It is fairly mature from a technical perspective, with lots of academic and practitioner debate, and has undergone significant refinement in its decade of life. Newer innovations such as ZK liability proofs have considerably enhanced the privacy of PoR (which was historically the biggest reason exchanges didn’t undertake it). Policymakers owe it to the industry to engage with the reality of this proactive, self-regulatory phenomenon.

Proof of Reserves does cover both sides of the equation

Probably the biggest misconception around PoR is that it represents “only half of the equation”. It’s commonly said that Proof of Reserves only pertains to assets, not liabilities. This confuses the issue. In the wake of FTX, some exchanges did informal asset attestations as a short term stopgap measure in which they shared coldwallets without corresponding liabilities. This indeed, was “only half the equation,” and hence not very useful. But this isn’t what Proof of Reserve is. PoR has always meant proving ownership of client assets and demonstrating outstanding liabilities owed to clients. That has been the meaning of PoR since it was first discussed in 2013 and that’s what it means today. If we were just talking about demonstrating some quantity of assets held, we would say Proof of Assets. “Reserves” implies something held in, well, reserve — something held on behalf of someone else. So a Proof of Reserve necessarily includes the liability side too.

Proof of Reserves is uniquely possible with digital assets

Proof of Reserves is only possible with cryptoassets, as these are the only type of digitally-stored value whose ownership can be proved to a third party on a purely peer to peer basis. In other words, I can prove unequivocally that I own some quantity of Bitcoin to you, without any third party or intermediary needing to be present or participate. This isn’t true of equities, dollars in a bank account, or any other financial asset. Even a commodity like gold fails this test. Verifying the integrity of gold requires physically assaying it — or relying on a third party like LBMA to attest to its authenticity. Digital assets are genuinely unique in this context, and policymakers should appreciate that by virtue of this quality, exchanges can be reformed and made more accountable than any other type of custodial institution before. This introduces a new model of custody: one in which the assets held on behalf of depositors can be proven and demonstrated to clients or any type of third party at any time. Traditional modes of oversight are upended by this. This is a novel and truly remarkable quality of the asset class.

Proof of Reserves is not a substitute for an audit, but a different thing entirely

I’ll admit, some exchanges haven’t covered themselves in glory here. Several exchanges have called PoR procedures “audits”, which has given conniptions to more than a few accountants. It’s important to understand the difference between the two. A PoR — done well — evidences that an exchange possesses assets under their control equivalent to client liabilities. It’s not exhaustive, and it’s not equivalent to an audit. For instance, it does not prove the following:

• The exchange exclusively controls those assets
• The exchange is practicing good key management
• The exchange maintains strong controls around key man risk, privileged information, etc
• The exchange is immune to hacks or key loss
• The exchange doesn’t have any large hidden liabilities
• Customers will be senior claimants in the case of insolvency
• The exchange cannot become insolvent in the future

And so on. PoR demonstrates something pretty narrow, but it’s nevertheless quite compelling. It’s a non-audit, non-institutional, technical way of demonstrating credibility around the most important part of the exchange business: the integrity of user assets. The other issues above must be addressed through legal and contractual structuring, proper controls, a sound custody setup, good governance, and yes, actual auditor oversight. PoR does one thing, and does it well, but it doesn’t give you universal assurances about exchange quality. I could see PoR eventually being incorporated into traditional audit approaches, but not replacing them. And if you consider what traditional audits actually cover, a financial statement audit covers information included in financials, which in some cases does not cover user assets.

In the case of a publicly traded company with quarterly audited financials and strong controls, depositors may not seek the additional assurances of a PoR. There’s already a strong institutional architecture which makes it hard for the exchange to lie about its financials. However, the set of exchanges that this caveat applies to is very few — in the U.S., only one, as far as I can tell. Generally, the status quo is for crypto exchanges and platforms to not be publicly traded. They also have trouble securing financial statement audits from Big Four firms. Additionally, a PCAOB financial statement audit doesn’t really focus on reserves. It may involve taking a sample of customer assets to test. But if digital assets are held off balance sheet (as is common), they wouldn’t necessarily be within the scope of a FS audit. A controls audit would focus on things like key management and internal controls. In many cases, management simply signs off on the effectiveness of those controls, rather than the auditor investigating them. A SOC II covers controls, but that doesn’t prove the money is actually there, just that the controls are reasonable and active over the coverage period. PoR is simply a different (and complementary) part of the stack, and a vital one, in my view.

As for the CPA firms that oversaw PoRs — as far as I am aware, a list that consists entirely of Armanino and Mazars — they did not represent PoRs as “audits”. CPA firms are notoriously careful with their language. In all cases, the CPA-supervised PoRs were described as “Agreed Upon Procedures” engagements (see here for an example). An AUP is nothing like a financial statement audit. The AICPA defines it as “an attestation engagement in which a practitioner performs specific procedures on subject matter and reports the findings without providing an opinion or conclusion. The subject matter may be financial or nonfinancial information. Because the needs of an engaging party may vary widely, the nature, timing, and extent of the procedures may vary, as well.” Effectively, it’s an engagement whereby a client describes some procedure and the audit firm reports on it. Typically, but not always, it’s done for the private benefit of some third party, rather than the general public. Generally, it’s a way of surfacing facts in a controlled manner and sharing them officially with a third party, who then draws their own conclusions. The auditor provides no assurance or opinion.

Both Mazars and Armanino in their AUPs were careful not to characterize them as audits. So the allegation that these PoRs were “sham audits,” at least from the perspective of the audit firms who oversaw them, is unfair. They were very clear about what they were doing. If there was misrepresentation, it was on the side of the exchanges — and admittedly, some of them used “audit” in a more colloquial sense to refer to their PoRs. When I talk about PoR, I describe it as a “procedure” or an “attestation.” For now, the major standards-setting bodies in the US have yet to cover exchange PoR, so we don’t have a rigorous way to talk about them in an accounting context. Calling them audits probably implies an unearned rigor, so I suggest moving away from that.

Proof of Reserves attestations are heterogeneous

There is as of yet no standard Proof of Reserve attestation. AICPA nor FASB have not issued any guidance as to what a PoR might consist of or how a CPA firm might go about doing on. And most audit firms simply have no experience overseeing a PoR. Those factors don’t help the issue. PoRs vary widely. Here’s a few of the axes along which they vary:

• Some PoRs are overseen by auditors (always AUPs), many are not. There are currently no active CPA firms overseeing PoRs
• Exchanges prove ownership of assets in different ways. Some do self-send txns, some sign messages with their keys, some publish partial transaction data
• Exchanges disclose user liabilities in different ways: some don’t share it at all, some share liability data with third parties, some use Merkle trees to let clients verify liability inclusion, some use Merkle sum trees, some disclose the entire liability set, and others use ZK proofs to disclose the presence (but not the contents) of the liability set
• Some PoRs are done on a daily basis, others every six months
• The number of assets covered varies widely, as does the share of client assets attested to (recent PoRs vary between 15% and 100% of client assets demonstrated)

In short, ‘PoR’ is not a singular concept, but the general idea of demonstrating the equivalence of assets held on deposit alongside outstanding liabilities. Today, due to this heterogeneity, PoR attestations must be evaluated individually. This is why I created a simple rubric to help users reason about their credibility.

Proof of Reserves would have helped prevent Mt Gox, Quadriga, or FTX

Imagine a parallel Earth identical to ours in every way, except for the fact that crypto exchanges had embraced PoR far earlier. In this world, only exchanges unable to carry out the procedure (on account of malfeasance poor controls or accounting) would have failed to produce one. These exchanges would have stuck out like sore thumbs (and indeed, each of Gox, Quadriga, and FTX was likely insolvent for years before collapse). Clients could have acted accordingly and steered clear, and regulators could have intensified their investigations into these platforms. On-chain analysts would have started to interrogate why these exchanges weren’t producing PoRs while all of their peers were. In the case of FTX for instance, sleuths looking at the blockchain after the Alameda balance sheet revelations were some of the first to confirm that something was amiss.

Proof of Reserves has drawbacks, but they aren’t dealbreakers

PoR skeptics like to say things like “PoR is worthless” or “PoR is easily gamed.” This isn’t really the case if you run through the objections. In fact, none of the objections appear to be dealbreakers. PoR works well and provides strong and distinct assurances which can’t be obtained through other methods. Here are the main issues people have with PoR and my responses:

“PoR leaks data, especially if exchanges are disclosing the full liability set”

If you consider one of the more advanced PoR attestations, like BitMEX’s implementation — which allows any third party to compare the entire liability set to the assets on chain — you will see that there are controls which preserve user privacy. Of course, no user PII is leaked, as everything is anonymized: users are assigned a string in their own client dashboard which uniquely identifies their account. User balances are split randomly into parts, so third parties cannot triangulate user behavior over time. What is leaked is the aggregate asset base on the exchange, and the distribution between assets. However, this information is published already by numerous chain analysis companies (including Coin Metrics, a data firm I cofounded), and there’s no way for exchanges to prevent these inferences. Additionally, newer zero-knowledge tools are coming to market which allow exchanges to perform their liability attestations while keeping all balance and distribution data private. As far as I’m concerned, the fact that these ZK-PoR tools exist now obviates the privacy objection, which was historically one of the biggest issues people had with PoR.

“PoR is unnecessary because you could simply regulate exchanges through some other mechanism”

Right now, exchanges in the U.S. are lightly regulated. Mainly they are regulated on a patchwork, state-by-state basis as money transmitters. This approach isn’t really fit for custodial institutions holding billions of dollars of client assets. In this context, PoR legislation (and all the accompanying features, such as requirements that client assets to be segregated from operating capital, or held in a separate trust which is insulated from bankruptcy) definitely ameliorates this. Some may think that a unifying federal framework for exchanges might simply require better custodial practices, making something like a PoR irrelevant. However, we aren’t there yet, and such legislation could take years.

Additionally, PoR measures are being actively undertaken by numerous exchanges throughout the industry, so PoR legislation simply codifies an existing process that exchanges have embraced. PoR is a crypto-native solution which, in my view, surpasses the level of assurance you get from traditional audits in a reserve context. Other types of custodial oversight are purely regulatory. If you were reinventing bank oversight from scratch, but this time it was possible to prove to depositors (rather than just state or federal supervisors) that banks literally had sufficient liquidity, wouldn’t you prioritize that? After all, all of this regulation is meant to be for the benefit of end users and depositors.

Lastly, many exchanges are offshore and completely unregulated. We can debate the morality of this, but if you take a harm reduction approach, supporting PoR is an unalloyed positive. While no proof of reserve legislation could compel offshore exchanges to undertake the procedure, if all onshore exchanges were doing it, that would put pressure on their offshore peers to do the same. Additionally, a regulatory compulsion to use PoR domestically would create a market for more and better technical tools and CPA firms to oversee the attestations, making it more convenient for offshore exchanges to engage in PoR. PoR is most useful for exchanges where traditional assurances don’t exist. There are many of these, so standardizing PoR and encouraging CPA firms to cover them would improve the overall credibility of these exchanges, even if offshore.

“PoR can be cheated by borrowing funds (“window dressing”)”

This is a very common objection by folks in the industry who believe (mostly erroneously) that exchanges have already cheated PoR by borrowing funds. In fact, the recent Gate/Crypto.com transfer was not actually a case of window dressing to cheat a PoR (although it was weird and puzzling). The fact is that proving asset ownership means disclosing wallet addresses. If you wanted to cheat a quarterly PoR by borrowing huge amounts, this would be obviously visible on-chain. Would you really risk committing fraud if anyone with an internet connection could trivially expose you? Additionally, higher frequency PoR is immune to this issue. Deribit does PoR on a daily basis, and BitMEX on a biweekly basis. In this case, window dressing is also out of the question, because it would make no sense to borrow and return funds daily. Frequency solves the window dressing issue — which is another way in which PoR vastly outperforms traditional audits (which are done yearly, or at best, quarterly).

“PoR can be cheated by hiding liabilities”

First of all, for modern PoR like the ones done by Derebit of BitMEX, the entire liability set is released, so there’s no real uncertainty around the completeness of liabilities. Any standard PoR is also user-verifiable, so presumably any user could blow the whistle if they found that their liability entry was understated. Today, most PoRs are done with the Merkle proof method where liabilities are only disclosed on a per-client basis, which creates more possibilities for liability hiding. But this is solved with next generation PoRs which rely on ZK proofs, making disclosure of the full liability set possible without privacy drawbacks. Newer cryptographic technologies have largely made this objection obsolete.

“Exchanges could have massive out of scope liabilities”

Yes, PoR doesn’t fix this kind of issue (no one has ever claimed it is a panacea). Exchanges could have some massive hidden liability. This is just a general problem though, not a PoR problem. This is more the domain of legal and contractual structuring. The way to fix this is to ask exchanges to hold assets in a segregated trust held for the benefit of clients, which is insulated from other liabilities. In the case of liquidation or insolvency, depositors are whole. Any PoR legislation should include this stipulation. To their credit, NYDFS have already laid out how this would work. Problem solved.

“PoR doesn’t fix poor key management, key loss, or fraud”

Yes, but it makes it impossible to run at a fractional reserve for any sustained period of time. In the case of prior exchange collapses like FTX, Quadriga, or Gox, these exchanges were insolvent for months and years. They never had sufficient reserves to honor all possible client withdrawals. The moment an exchange was even under-reserved, the PoR would have been impossible to pass. So PoR makes it virtually impossible to behave badly for any meaningful period of time. If any exchange did PoR and became insolvent, they would stop doing PoRs. This would be a massive red flag.

“Forget PoR, just do an audit”

Imagine if there was a type of audit that allowed a custodial institution to prove with no uncertainty, on a daily or weekly basis, to their customers, the government, or the public, that they had all the assets they said they had. This simply doesn’t exist in traditional audit land. Financial statement (FS) audits are slow, expensive, infrequent, and very broad in scope, covering far more than just reserve management. To the extent they cover client reserves, they generally involve sampling — rather than investigating all client assets. Certain major exchanges that did have FS audits did not include customer assets in their scope prior to 2022.

Practically speaking, audits are expensive and cumbersome, and CPA firms are very averse to working with crypto companies. This isn’t helped by folks like Sen Warren trying to bully audit firms into further spurning crypto. Given this reality, Proof of Reserve is a highly complementary solution. It is frequent, narrow in scope (but covers the specific thing that clients care about), and relatively cheap. It doesn’t even strictly require an audit firm — BitMEX’s and Deribit’s PoRs, two of the best in my opinion, don’t have audit oversight. Think about PoR as a targeted tool to give depositors confidence over one domain of an exchange’s practice — their custody — which can, and probably should, be supplemented with traditional assurances such as audit and contractual depository assurances. A PoR isn’t sufficient on its own, but it’s a vital piece of the puzzle.

Proof of Reserves introduces a whole new design space for assurance

Ultimately, PoR is far broader than exchanges proving the existence of coins to their clients or to regulators. The key technologies that make PoR possible are generalizable to all sorts of financial trust-provision. I could see interlocking or recursive Proofs of Reserve allowing an ecology of custodians, exchanges, prime brokers, trading firms, and lenders to transact with each other with confidence. These proofs could allow counterparties to demonstrate the existence and nature of assets on their balance sheet (or facts about the assets, without actually revealing sensitive info — a perfect use case for ZK proofs). Imagine lenders able to demonstrate the solvency of their portfolio by pulling through balance sheet data provided by their borrowers. Borrowers could also demonstrate the exclusivity of pledged collateral to their lenders (eliminating Archegos or Three Arrows type problems). The design space is enormously large, and has barely been explored yet. ZK-proofs are particularly well suited here, as they allow for the provision of metadata without revealing the underlying data. Exchange solvency is just the most pressing need, so that’s where this tech is being applied first.

Takeaways for policymakers

As you start to investigate PoR and consider incorporating it into policy, keep a few things in mind. Post FTX, exchanges are doing their best to demonstrate their credibility and solvency to clients, regulators, and the general public. If they have gaps in their PoR implementations, that’s most likely because the procedure is still fairly new and still not standardized. Ultimately, a fraudulent or insolvent exchange will likely not go to the trouble of creating a PoR and hiding liabilities or engaging in other high-risk fakery. They would simply not do a PoR and hope they could avoid the pressure to do one. If an exchange is voluntarily incurring the costs associated with doing a PoR, they are demonstrating their willingness to come to the table and prove their credibility.

PoR is still evolving technologically, so don’t fixate on one specific implementation over another. Any guidance should be technology-neutral. Today, most PoRs rely on the Merkle tree method to prove inclusion in the liability set, but in the future, I expect ZK proofs to largely take over, because of their superior privacy guarantees.

If you do consider creating legislation on the topic, the objective should be to create a framework which actually helps enhance exchange credibility, while still being mindful of the cost of compliance (so as to not create gigantic fixed costs which erode the ability of small exchanges to compete).

There’s a couple things which could make PoR requirements prohibitively expensive:

• Insisting that an exchange cover 100% of assets by AUM with a PoR. Because many exchanges have a long tail of smaller assets, and a PoR requires a new treatment (requiring a fixed cost) for each blockchain (or L2), implementing a PoR universally would be very expensive. For this reason, most exchanges that have done PoRs have not covered 100% of assets (in fact, there’s only one exchange that was able to achieve universal coverage in the most recent round of PoRs). I would suggest a high, but doable threshold, like 75% or 90%.
• Insisting that PoRs be supervised by audit firms is also potentially exclusionary. Today, there are no active CPA firms that supervise PoRs. I do expect this to change in the future, but this will take time. So asking an exchange to get coverage from a CPA firm would require them to pay a significant amount of money and coax an audit company to enter the business. This disfavors smaller exchanges. Also, getting an audit is at best a quarterly undertaking. However, PoRs provide the best assurances when they are done weekly or monthly (to avoid the potential issue of borrowing funds on a short term basis to match the liabilities). Thus, insisting on a slower cadence, as would be required by audit firm oversight, would actually stand to inhibit some of the guarantees that PoR provides. Thus, I would ask for something like a frequent PoR (maybe at a monthly cadence) with more periodic audit oversight. Additionally, a sunrise period might be warranted, to give audit firms time to reenter the market.

Audit firms will be leery of Proof of Reserve as long as accounting standards don’t exist. I would consider asking their regulators and trade organizations to start to build a body of knowledge around PoR and eventually release standards around them, so CPA firms can take these engagements without incurring excessive risk.

To get a sense of the state of the art in PoR, I would investigate various PoRs. There is no need to reason from the armchair. I maintain a dossier of all major PoR procedures on my website, alongside related attestations like stablecoins. BitMEX’s and Deribit’s are of particular interest, because any third party can verify them without being a client of the exchange in the first place. There is also a vibrant academic and practitioner literature on PoR. An accessible and thorough introduction is the Digital Chamber’s Proof of Reserves: The Practitioner’s Guide.

And lastly, because PoR is only one piece of the puzzle, it should be paired with other requirements that give end users strong guarantees around custody. These include segregating client and operating capital and protecting depositor capital from bankruptcy. Proof of Reserve is an increasingly important part of the toolkit, but not sufficient on its own.

Thanks to Jeremy Nau for his feedback and contributions.