Author | Qin Xiaofeng

Editor | Hao Fangzhou

Produced by | Odaily Planet Daily

With the collapse of FTX, the asset reserve issues of centralized platforms, especially CEX, have attracted much attention. Multiple trading platforms have also successively announced the exchange account addresses to show the status of each exchange's reserves. Odaily Planet Daily has previously written an article for analysis (recommended reading: "Analyzing the asset reserve details of the seven major exchanges, who exposed potential risks?").

However, the reserve fund is only the first step to improve transparency and cannot truly demonstrate the solvency of the exchange. The exchange’s liabilities (i.e. user deposits) should also be considered and a complete “reserve certificate” should be issued. For CEX, the “reserve certificate” is also an important step to reassure people and let users better understand how the platform manages assets.

In the past few weeks, Binance, Crypto.com, Kucoin and others have announced "proof of reserves" issued by third-party auditing agencies. However, as Mazars, Armanino and other institutions have cancelled their crypto auditing business, crypto users are full of doubts, and the trustworthiness of CEX has once again sparked discussion.

In this article, we will explore why traditional auditing agencies avoid auditing crypto reserve proofs? In the absence of traditional audits, where will the transparency of CEX go? Can reserve proofs based on Merkle trees become an effective way for the industry to save itself?

1. Why do audit firms abandon crypto companies?

What is Proof of Reserve (PoR)? It is a method of verifying that a crypto platform does provide 1:1 backing for the digital assets it holds on behalf of its customers. In simple terms, if the reserve in the crypto platform wallet address is greater than or equal to the user's deposit, it can be proved that the platform has sufficient funds and can make rigid redemption.

Usually, crypto platforms seek third-party well-known auditing companies to conduct audits and issue proof of reserves. Earlier this month, Binance, Crypto.com, and Kucoin all hired Mazars Group to issue "proof of reserves" (Note: Mazars Group is a global auditing, accounting and consulting company founded in 1945, serving more than 90 countries around the world).

However, the Mazars Group report also attracted more controversy. The Wall Street Journal commented that the Mazars report was actually a five-page letter, not a proper audit report, because it did not address the effectiveness of internal financial reporting controls. In the end, facing pressure from multiple parties, the Mazars Group deleted the audit report from its official website, completely stopped using Mazars Veritas, an audit tool for cryptocurrency exchanges, and announced that it would stop any work with cryptocurrency companies and no longer issue reserve proof reports.

Coincidentally, accounting firm Armanino, which audits FTX US (FTX.US), also plans to end its crypto audit business and stop providing financial statement audits and reserve proof reporting services to crypto companies. In addition, the Wall Street Journal reported that accounting firm BDO also plans to suspend audit services for cryptocurrency clients. Currently, none of the Big Four accounting firms (Deloitte, Ernst & Young, KPMG, and PricewaterhouseCoopers) have plans to provide reserve proof audit services to private cryptocurrency companies.

Why do audit companies avoid the proof of reserve business of crypto companies? The core reasons are as follows:

From the auditing company’s perspective, crypto is still a brand new field. Auditors are not familiar enough with on-chain businesses and their professional capabilities are not up to standard. They can only learn by doing. Binance founder Zhao Changpeng commented that most accounting firms do not know how to audit cryptocurrency exchanges. It is not difficult for crypto companies to deceive “novice” auditors in their familiar fields.

Moreover, when auditing companies serve crypto companies, they can only carry out their work according to the specific requirements of the companies, and lack autonomy; if they only audit proof of reserves without involving internal control audits and financial status, the reliability of the final report will also be discounted. For example, a user of a platform deposits 8,000 BTC, and there are 9,000 BTC in the wallet address, but this does not mean that the exchange has 100% solvency, because 3,000 BTC may be obtained by the platform from a third party, and the audit company is not aware of it. (Note: Audit companies usually only audit the internal control and financial status of listed companies, but not private companies, which is also the contradiction.)

Judging from the actual results, auditing companies will also get into lawsuits for auditing (or standing for) crypto companies, which will greatly reduce their reputation and affect the development of non-crypto businesses. Recently, two accounting firms that cooperated with FTX, Armanino and Prager Metis CPAs LLC, were both sued by FTX users and accused of conspiracy to extort. The Wall Street Journal commented that the two accounting firms are cheerleaders for FTX, not skeptical auditors. Other non-crypto industry clients of these auditing firms are worried that the reputation risk of the firm will cause their audit reports to be questioned, and then put pressure on the auditing firms.

Finally, due to the FTX incident, the U.S. Securities and Exchange Commission (SEC) is increasing its supervision of auditors and forcing them to abandon crypto clients. A senior SEC official said that the regulator is increasing its scrutiny of the work done by auditors for cryptocurrency companies, fearing that investors may get a false sense of comfort from the reports of these companies.

2. Merkle Tree Reserve Proof Ensures Transparency

Due to the absence of third-party auditing agencies, more crypto trading platforms are committed to having their own reserve proofs, using more crypto-native methods to prove asset reserves.

Among them, the Merkle Tree reserve proof promoted by Binance has attracted much attention. OKX, Bitget and ByBit also basically adopt similar methods, and the specific details vary from exchange to exchange. In the past few weeks, many platforms, including Binance, have used this solution for auditing and announced it on their official websites.

(Binance reserve disclosure)

What is the principle of reserve proof based on Merkle tree?

Merkle tree is a cryptographic technology that can compress data. By using Merkle tree, multiple data can be merged into one data, and the large-scale data summary results can be stored; at the same time, cryptographic means can be used to prove that the corresponding data is compressed in the summary results. The leaf part of the Merkle tree is composed of the hash value of each data in the data set. Specifically, the structure of the leaf part is to connect two adjacent hash values, package them together and hash them again to generate a parent hash value. The hash value finally packaged to the top layer is called the Merkle Root. The hash value of the Merkle root contains the hash characteristics of all data. If the data on any node is tampered with, it will present a completely different value.

Simply put, the Merkle tree is a hash binary tree that can detect any manipulation or data tampering. If the user's assets are changed, it will be reflected in the root data of the tree, and a completely different value will be presented. This mechanism ensures that the data of the Merkle tree is tamper-proof.

For example, the exchange takes a snapshot of all the user's trading account assets and aggregates them into each user's total assets. At this time, each user is assigned a unique and anonymous user hash ID; each user's total assets are saved as leaf node information in the Merkle tree, and all users' assets are aggregated into a Merkle tree root; as long as each user's asset information is included in the leaf node of the Merkle tree, it can be proved that their assets are included in the total user assets. In order to help users verify, each platform has also released its own open source verification tool "Merkle Validator", where users can enter their own hash value and user code information to verify whether their assets are included in the Merkle tree snapshot.

Of course, Merkle tree-based reserve proofs also have some flaws.

First, the proof of reserve is only a snapshot of the user's assets at the time of the audit. Any asset transactions after the snapshot and assets not covered during the audit will not be included in the audit results. The platform can transfer funds on the audit date to pass the Merkle tree audit and transfer funds out after the asset snapshot. The solution is that the trading platform can increase the frequency of audit disclosure (currently OKX and Binance both publish PoR reports monthly) from once a month to once a week, or even develop to real-time proof in the future. In addition, third-party monitoring agencies can also keep a close eye on the wallet addresses published by the exchange to observe whether there are large amounts of funds flowing in and out around the audit date.

Second, like traditional audits, reserve proofs based on Merkle trees are also difficult to reflect the company's internal financial status, such as debt relationships and related transactions, which reduces the reliability of isolated reserve audits.

The third is the problem of front-end fraud. The Merkle tree data is stored on the exchange's own server, and the front-end page where users interact with the exchange is controlled by the exchange. The exchange is entirely possible to return a fake page to deceive users, which creates the possibility of front-end fraud. Considering user laziness, the possibility and frequency of users self-verifying through the platform's open source verification tools are relatively small.

The solution is to use a third-party PoR service to increase the reliability of reporting. For example, Chainlink Labs provides a solution that provides out-of-the-box support. Specifically, the service uses Chainlink nodes that connect to the exchange API and its vault address; these nodes are then connected to the reserve proof smart contract, which can be queried by any account on the network to determine whether the exchange's assets are equal to its liabilities.

Fourth, the proof of reserves only covers some assets and cannot fully reflect the status of the exchange's funds. Taking Binance as an example, its first phase of proof of reserves only involves BTC assets, and the second phase of proof extends to BTC, ETH, BNB, LTC, USDC, USDT, XRP, BUSD and LINK, a total of 9 assets. The current reports of OKX and Bitget only involve the three assets of BTC, ETH and USDT. Nansen data shows that the three assets currently account for 92.63% and 63.2% of OKX and Bitget reserves respectively; and the Bybit proof of reserves report involves BTC, ETH, USDT and TRX, accounting for 81.13% of its wallet reserves, without involving USDC (6.16%) and BIT (5.96%). Therefore, the trading platform needs to work hard to expand more currency verification in the next step, otherwise the so-called 1:1 reserve will become an empty talk.

Conclusion

"The proof of reserves is neither a comprehensive accounting of the company's assets and liabilities nor meets the customer funds isolation requirements required by securities laws." U.S. SEC Chairman Gary Gensler said that regulators will continue to focus on the financial records of crypto companies, "crypto companies should do this by complying with time-tested custody, customer funds isolation rules and accounting rules."

Although regulatory agencies such as the SEC are not optimistic about proof of reserves, in the absence of third-party audits, proof of reserves based on Merkle trees is an effective attempt to save the industry. The crypto market needs more open and transparent information, and crypto platforms are rebuilding user confidence through their own efforts. Of course, on-chain verification of reserves is a brand new field, and there is still a long way to go.