Doing “Proof-of-Reserves” the Right Way

Post FTX: How can you trust a CEX?

Fishy On-Chain
Web3 Insights
13 min read · Nov 24, 2022

Web3.com Ventures Original Research Analysis

0xFishylosopher

Introduction

The past few weeks have been a mess in the world of crypto. With FTX’s collapse, there has been an industry-wide reckoning, calling for centralized exchanges to prove that they hold user funds — a so-called “Proof-of-Reserves.” In this essay, I will first outline a rationale for why crypto exchanges need to have “Proof-of-Reserves,” before diving into an analysis of its implementation using technologies such as Merkle Trees and zk-SNARKs.

Rationale for “Proof-Of-Reserves”

Why do we need Centralized Exchanges?

FTX’s collapse was as sudden as it was dramatic. It’s not an overstatement to compare the centralized exchange’s recent bankruptcy to “crypto’s Lehman moment” [1]. In January 2022, FTX had a $32 billion valuation and was one of crypto’s largest centralized exchanges by volume. Yet, at the beginning of November, after people started casting doubt on the true value of FTX’s assets (mostly denominated in FTT, its own crypto token), the exchange faced a liquidity crisis. The price of FTT tanked over 90% seemingly overnight, creditors rushed to withdraw funds, and when the dust settled, FTX filed for Chapter 11 bankruptcy [2].

Unsurprisingly, all of this shattered confidence in the crypto market, particularly in centralized exchanges (CEXs). Indeed, CEXs occupy an awkward position in the crypto world as centralized, trust-based entities in an industry that ideologically prizes trustlessness through decentralization. While there are a great many decentralized exchanges (DEXs) that can rival if not surpass centralized exchanges’ liquidity and variety, there is a persistent need for centralized exchanges to exist, even in the face of all their obvious shortcomings and risks.

Fundamentally, centralized exchanges are one of the main gateways for people to onboard into the crypto industry. Consider all the moving pieces and technical know-how needed for a user to make a $5 ETH-for-(wrapped)-BTC trade on a DEX like Uniswap v3. First, the user needs to know about and install a wallet, say MetaMask. With its 12-word seed phrase, account management across different chains, different tokens, etc., this alone is enough to keep the average user out. The user then needs to use a third-party vendor (say, MoonPay) to move credit card money into their wallet. This also involves registering, KYC-ing, etc. with this third-party vendor, as well as knowing their 64-bit wallet address — another hassle. The user also needs to understand gas fees, wrapped coins, concentrated liquidity, etc. for all of this. Very beginner-unfriendly. Now contrast this with a CEX purchase: the user completes registration and KYC in a familiar process, swipes their credit card, chooses the “ETH/BTC” pair and clicks “buy.” Very beginner-friendly.

Furthermore, centralized exchanges don’t only serve individual users — institutional clients, such as traditional financial firms and corporations, also rely on centralized exchanges to invest their holdings. In addition to simplicity of use, these institutional clients also want centralized accountability and support — someone to turn to in case of need, and someone to sue in case of extra greed. None of this is something that DEXs can match in any meaningful capacity; for Web 3 to become mainstream, it requires the support of traditional institutions and must have an easy onboarding mechanism accessible to the masses. Thus, we cannot substitute decentralized exchanges for centralized ones. In fact, even the FTX fiasco has not dramatically changed the amount of crypto supposedly “fleeing” CEXs. As Chainalysis points out, the largest destination for funds leaving CEXs is actually other CEXs [3].

All this should point to one cold-hard fact: despite all the potential fraud and risk that may come with centralized exchanges, ditching CEXs is just not an option.

Why Should CEXs Have Full-Reserve Backing?

Thus far, we have established that we need CEXs, even in the aftermath of disasters such as the FTX collapse. But why do exchanges need to have full-reserve backing? Why shouldn’t CEXs run on fractional reserves, in the same way that banks do?

Simply put, a crypto exchange does not operate in the same way that a bank does. Consider first the role that a bank plays in the economy. Fundamentally, the bank is a platform that brings together borrowers and lenders. Suppose that Alice deposits $1000 with Bob the Banker (at a 5% savings interest rate) and that the Reserve Ratio is 20%. While Bob promises Alice that she can get her money whenever she wants, Bob actually keeps only $200 (the Reserve Ratio of 20%) on hand in case Alice wants to withdraw some money to pay the bills, and takes the bet that Alice will not want all of her money back at once. The other $800 Bob loans to an entrepreneur, Carol, at an interest rate of 10%. Suppose that Carol builds a new shoe factory and sells enough shoes to return the $800 principal and the $80 interest. Upon receiving this $80 interest, Bob accrues $50 to Alice’s account and keeps $30 for himself.

Fractional Reserve Banking Example. Source: Original Content

In the best-case scenario, everyone wins: Alice gains $50, Bob gains $30, and Carol gets her new shoe factory. More importantly, the economy wins: Carol produces more shoes from her factory, something she could not have done had Alice kept her $1000 underneath the mattress. It is in this sense that economists say “banks create money” — through lending and borrowing, banks create the new capital necessary to help entrepreneurs like Carol create more economic output. The specific amount of money that banks create is equivalent to DepositAmount * (1/ReserveRatio), with 1/ReserveRatio also known as the “money multiplier”. The lower the reserve ratio, the more economic output the bank creates, but the greater the risk that the bank will not have enough cash on hand to meet withdrawal demands. On the other hand, if you required Bob to keep a 100% reserve ratio, then Carol would not get her shoe factory, the economy would stagnate, and Bob would have to pay Alice’s deposit interest out of pocket. Everyone loses. Thus, the bottom line here is that because economic activity is largely financed by borrowing, banks are crucial in keeping a healthy economy afloat and growing [4].

Banks employ fractional reserves to “create money” and spur economic growth. But there is no analogous mechanism for crypto exchanges. A centralized exchange, like Binance, Coinbase or FTX, does not create new value for the economy. The users (usually) do not gain any interest, and crypto exchanges usually don’t engage in lending and borrowing in the same way that traditional banks do. Rather than a bank, it behaves more like a stock exchange — it simply connects people with cash to people with crypto. These centralized exchanges keep your funds for you (as a custodian) just as a side bonus, because keeping track of your own crypto can be a hassle (especially if you are trading frequently) and technically challenging. This is only somewhat true for banks with fiat money — it is not that difficult to get a safe and lock up your cash.

A CEX is no bank: the most important role of a CEX is to facilitate the trading and withdrawal of funds, not the borrowing and lending of them in order to stimulate economic production. More importantly, running a fractionalized reserve model does not really benefit traders on the CEX in the same way that fractionalized reserves benefit depositors in traditional banking. Thus, while banks may need to have fractional reserves to fully realize their economic importance, crypto exchanges do not need fractionalized reserves in the same way. Given this, for a centralized crypto exchange the trust and safety that full-reserve backing brings by far outweighs any advantages that a fractional-reserve model may bring. Therefore, centralized crypto exchanges should employ a full-reserve model.

Implementation of Proof-of-Reserves

So far, we’ve established a clear rationale for why centralized crypto exchanges should employ a full-reserve model. Now, we need to look at how exactly we implement it, especially in a Web 3 native way; in other words, using native Web 3 technologies rather than a traditional auditor model to achieve this. A full “Proof-of-Reserves” comprises two components: a proof of liabilities and a proof of assets. Together they show that the assets of the CEX are equal to (or greater than) its liabilities, such that if every user decided to withdraw all their funds from the exchange, the exchange would not face a solvency issue.

Proof of Liabilities

First, let’s look at a proof of liabilities, or proving that users’ deposits are actually recorded correctly in the exchange. After all, I don’t want to deposit 1 ETH to Binance and have them come back and tell me that I can’t withdraw it because it wasn’t recorded in the system.

The simplest way to provide a full proof of liabilities would be to simply release an (account, value) pairing of everyone’s assets. But this creates a privacy issue: everyone can see how much money everyone else has. A marginal improvement on this is to release a randomized hash of each user’s account along with the user’s balance. But the leaking of all these balances is still a privacy concern. Moreover, every change to these balances (essentially all the transactions of this exchange) would be leaked to an attacker.

In an actual proof of liabilities, we want to assure everyone that their balance is kept on the exchange, but at the same time not reveal the balances of any other user or any transaction information to any given user. How do we do this? Enter the Merkle tree, one of the most important data structures in Web 3.

A Merkle tree (also known as a binary hash tree) provides a succinct way of proving that an element exists in a list while revealing minimal information about all the other elements. It does this by first placing the hashes of all the data as leaf nodes of a binary tree, with each parent node storing the hash of its two child nodes (in the proof-of-liabilities variant, together with the sum of the balances beneath it). At the top of the tree is a root node that is publicly shown to everyone [5]. To prove that a given leaf node (say my account) is kept in a list (say Binance’s account list), Binance provides me with a short proof (of size O(log(n))) called the Merkle proof, consisting of certain key nodes in the tree that allow me to reconstruct and verify the root of the tree.

Merkle Tree Proof of Liabilities. Source: https://vitalik.ca/general/2022/11/19/proof_of_solvency.html

In the following example, we have 8 users with differing amounts of ETH. Say that I am Charlie, and I hold my balances on Binance, which uses a Merkle proof implementation of “proof of liabilities.” Binance would give me a Merkle proof consisting of the hash values of the three blue nodes. I can then use the Merkle tree formula (parentValue = hash(leftValue, rightValue)) to hash my own value, combine it successively with each proof node, and retrace my way up the Merkle tree, ultimately arriving at the root node. If the root value that I compute is the same as the published value, then Binance indeed has my balance accounted for.
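The following Python script is an added example (not code from the original post or from any exchange) of the scheme in the diagram: a Merkle sum tree in which each node carries a hash plus the total balance beneath it, the exchange hands a user the sibling nodes along their path, and the user recomputes the root. It goes slightly beyond the text in that the verifier also rejects negative balances on the path, which is what stops an exchange from cancelling real liabilities with a fake leaf. The account names, balances and the use of the raw account name in the leaf hash are constructed assumptions; a real deployment would hash a per-user secret salt instead.

```python
import hashlib
from typing import List, Tuple

Node = Tuple[bytes, int]  # (hash, sum of balances beneath this node)

# Constructed sample ledger: 8 users with ETH balances (hypothetical values).
LEDGER = [("alice", 10), ("bob", 3), ("charlie", 7), ("dave", 1),
          ("eve", 22), ("frank", 4), ("grace", 9), ("heidi", 2)]

def make_leaf(account: str, balance: int) -> Node:
    """Leaf = (H(account || balance), balance). A real deployment hashes a
    per-user secret salt instead of the raw account name (assumption here)."""
    if balance < 0:
        raise ValueError("negative balances could cancel out other users' liabilities")
    return (hashlib.sha256(f"{account}:{balance}".encode()).digest(), balance)

def combine(left: Node, right: Node) -> Node:
    """parent = (H(left.hash || left.sum || right.hash || right.sum), left.sum + right.sum)."""
    data = left[0] + left[1].to_bytes(16, "big") + right[0] + right[1].to_bytes(16, "big")
    return (hashlib.sha256(data).digest(), left[1] + right[1])

def build_tree(ledger: List[Tuple[str, int]]) -> List[List[Node]]:
    """Return every level of the tree, leaves first; the last level is [root]."""
    level = [make_leaf(a, b) for a, b in ledger]
    levels = []
    while True:
        if len(level) > 1 and len(level) % 2:      # pad odd levels with an empty leaf
            level.append(make_leaf("", 0))
        levels.append(level)
        if len(level) == 1:
            return levels
        level = [combine(level[i], level[i + 1]) for i in range(0, len(level), 2)]

def merkle_proof(levels: List[List[Node]], index: int) -> List[Tuple[Node, bool]]:
    """The O(log n) proof: the sibling at each level, tagged with whether it is on the left."""
    path = []
    for level in levels[:-1]:
        sibling = index ^ 1
        path.append((level[sibling], sibling < index))
        index //= 2
    return path

def verify_proof(root: Node, leaf: Node, path: List[Tuple[Node, bool]]) -> bool:
    """Recompute the root from my own leaf plus the proof nodes, as Charlie does in
    the text; reject any negative sibling sum, which would let liabilities be hidden."""
    node = leaf
    for sibling, sibling_is_left in path:
        if sibling[1] < 0:
            return False
        node = combine(sibling, node) if sibling_is_left else combine(node, sibling)
    return node == root

def total_liabilities(levels: List[List[Node]]) -> int:
    """The root's sum is the exchange's total liability, to compare against proof of assets."""
    return levels[-1][0][1]
```

The published root (hash and sum) is all a user needs alongside their own leaf and proof; the total in the root is the figure the proof of assets must then cover.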

In practice, the Merkle tree implementation for proof of liabilities is essentially “old but gold.” Though it’s been around for a long time, most of the recent calls for “proof of reserves” have been virtually interchangeable with calling for exchanges to use Merkle trees to prove deposits [6]. As Vitalik notes, “the Merkle tree technique is basically as good as a proof-of-liabilities scheme can be” [7]. Beyond Merkle trees, Zero Knowledge Proofs (ZKPs) in the form of zk-SNARKs can also be leveraged for a more powerful proof of liabilities. The fundamental utility of zk-SNARKs is to provide a succinct proof that something exists without revealing any details of what that “something” is. In the case of a proof of liabilities, this “something” is essentially the set of account balances. Thus, using ZKPs, we can prove that an exchange has my account balance without compromising privacy.

Proof of Assets

Proof of liabilities is only one side of the equation. In order to show that a centralized exchange is fully reserve-backed, we need to show that the assets on this exchange are greater than or equal to these liabilities. So how do you show that you have the money? In the case of fiat, the simplest answer is basically just “bring a briefcase of cash to me.” The crypto equivalent of this is sending your exchange funds to a publicly agreed-upon wallet, so that everyone can see that the money is there. As Vitalik points out, if you don’t want to pay fees moving this cash on-chain, you can send an off-chain signed message [7].

But of course, reality is not that simple. The main problem with this method of proof of assets is that much of an exchange’s balance is stored in off-chain, air-gapped cold storage wallets [7]. These “cold storage” wallets are primarily used to guarantee the security of funds: it is much harder to steal the private key from a computer that is never connected to the Internet. Cold storage wallets generate and sign a transaction offline, and this signed transaction is usually transmitted to the network through a QR code. So submitting a transaction (or rather, any information) from even a single cold wallet is a very cumbersome process. Combine this with the fact that exchanges usually need a large number of cold wallets, one set for each token and for each chain. Thus, sending a proof-of-ownership message every time a user wants a proof of the exchange’s assets becomes a very expensive and unsustainable task.

Furthermore, while exchanges can publicly show everyone which addresses they control and how much is held in these addresses, this method of proof of assets doesn’t show where these funds are coming from. Suppose that on my balance sheet I only have 80 ETH, but my depositors have deposited 100 ETH. When the time comes and I need to do a proof of reserves, I could easily just borrow 20 ETH (from a friend or from a bank) to make 100 ETH, send this to the agreed-upon wallet, and brag about how responsible an exchange I am. After the publicity stunt is done, I quietly return that 20 ETH (perhaps gradually, disguised as user withdrawals), and go back to having fractional reserves. This is particularly worrisome in the case of one-use wallets that are designated as proof-of-reserve wallets.

The easiest way around both these problems, as Vitalik points out, is to use a few long-term addresses that you permanently use to store all of your funds [7]. You only need to prove ownership once, and the rest of the time people only need to monitor the transactions in and out of these addresses to track the movement of your funds, and check whether these match up to the purported liabilities in your proof-of-liabilities Merkle tree. But do you, as an exchange holding billions of dollars of user funds, want to store all of that in just a few never-changing addresses? Undoubtedly this brings security issues, and such addresses are juicy targets for any attacker wanting to milk your funds.

Thus, proof of assets is really not as simple as it seems at first sight. Though you can use some technical measures, such as publicizing addresses, or even zero-knowledge proofs over these addresses, there always seem to be ways (such as the borrowed-money example) for the exchange to cut corners and cheat its customers. In other words, at least for the proof of assets, purely technical measures can only go so far. You ultimately still need a traditional auditor to truly verify that the funds come from legitimate sources.

Conclusion

Centralized exchanges are necessary, but for them to thrive, they need to gain trust and guarantee that catastrophes such as FTX’s collapse will not happen again [8]. One important step toward this is to operate on a full-reserve backing. As Binance CEO CZ states, “banks run on fractional reserves, but crypto exchanges should not” [9].

Binance CEO Changpeng Zhao (CZ) stating that crypto needs proof-of-reserves. Source: https://twitter.com/cz_binance/status/1590055819416330240

Ever since the FTX collapse, many people have suggested, either explicitly or implicitly, that centralized crypto exchanges can have a purely technical “Proof-of-Reserves” through measures such as Merkle trees, and thus that auditors are an institution of the past. Even the name “Proof-of-Reserves” implicitly reinforces this, calling to mind the purely mechanical processes of “Proof-of-Work” and “Proof-of-Stake.” But in this case, reality is much more complex.

Purely objective algorithms, such as the use of Merkle proofs, certainly help generate some assurances about the state of an exchange’s solvency (such as showing that it has all of its users’ deposits on record). But this is oftentimes not enough. As our exploration of “proof of assets” has shown, a smart (and evil) exchange can often easily outmaneuver the very algorithms that supposedly guarantee its solvency. After all, a solvent exchange needs to prove both its assets and its liabilities. So simply stressing that Merkle trees solve everything is at best misguided and at worst intentionally deceiving. The key takeaway here is that even in the technocratic world of Web 3, there still needs to be a human in the loop to police wrongdoing. There still needs to be an auditor, even if the auditor’s role is less crucial than in traditional financial audits.

And so, long live the accountant.

🐦 @0xfishylosopher

📅 20 November 2022

References

[1] https://www.coindesk.com/podcasts/coindesk-podcast-network/2022/11/18/e05bbfac-7bd7-476a-a0ad-2eea415533237e79b70a-4973-4696-b4c1-e150d351859f/

[2] A summary of what happened: https://www.nbcnews.com/tech/crypto/crypto-giant-ftx-file-bankruptcy-ceo-sam-bankman-fried-steps-rcna56749

[3] https://coinmarketcap.com/alexandria/article/is-crypto-really-fleeing-centralized-exchanges-chainalysis-begs-to-differ

[4] https://www.investopedia.com/terms/f/fractionalreservebanking.asp

[5] https://www.blockchain-council.org/blockchain/what-is-a-merkle-tree/

[6] https://www.cnbctv18.com/cryptocurrency/binance-proof-of-reserves-fund-and-its-advantages-15129461.htm

[7] For more detail on the technical implementation: https://vitalik.ca/general/2022/11/19/proof_of_solvency.html

[8] https://www.coindesk.com/layer2/2022/11/14/after-ftx-rebuilding-trust-in-cryptos-founding-mission/

[9] https://twitter.com/cz_binance/status/1590055819416330240


President of Stanford Blockchain Club. CS + Phil-Lit at Stanford University. Twitter: @0xfishylosopher