What Are Proof of Reserves Audits

Since point-in-time attestations can be easily manipulated and simple cash flow analysis fails to cover everything (like unaccounted liabilities), the PoR becomes all the more critical in providing an accurate picture of held balances and helps crypto exchanges, for instance, gain the trust of users. Proof of Reserves not only helps improve quality and transparency but also acts as a vital safeguard against different security risks that are commonly encountered in the crypto industry. 

Proof of Reserves audits benefit both users as well as custodians. Consumers gain a powerful tool to audit digital asset reserves while the custodians gain the trust of their users and this helps in user retention. 

Another advantage worth mentioning is that PoR is also an appealing prospect for regulators as this self-regulating measure is in line with their overarching vision for the industry. In essence, 

Proof of Reserves is a win-win situation for all parties involved: the users, the industry, and the government.   

Named after Ralph Merkle, the Merkle tree or binary hash tree is a data structure that holds immense significance in the domain of cryptography. Each leaf node of a Merkle tree is a hash of a block of data while a non-leaf node is a hash of its children. The use of hashes instead of the full file makes the Merkle tree an efficient means of data verification.  

During Proof of Reserves, the third-party auditor takes an anonymous snapshot of the balances and a Merkle root is obtained after passing the data through the Merkle tree. The Merkle root is used to establish the combination of the balances in the form of a cryptographic fingerprint. In cryptographic terms, the root serves as a ‘commitment scheme’, meaning that the root of the tree is a commitment that reveals the leaf nodes to be part of the original commitment. 

During Proof of Reserves (PoR), the auditors use this to verify the balances. A few selections of data are compared to the Merkle root. Even a small change to data affects the Merkle root and thus auditors are able to identify any tampering with the data.       

Exchanges that currently make use of Proof of Reserves include Kraken, Coinfloor, Gate.io, BitMex, HBTC, and Ledn. Meanwhile, Bitbuy and Shakepay use a forensic firm-assisted partial validation. Both of them are not using user validation or point in time. Kraken and Gate.io use auditor-assisted, user validation with the Merkle approach. On the other hand, Coinfloor, HBTC, and BitMex use self-assessment and user validation with the Merkle approach.

The use of Proof of Reserves (PoR) enables these crypto exchanges to offer more security to their customers and help gain their trust. For example, Kraken enables users to verify that their balances are backed by real assets directly on the platform with just a few clicks.

Although Proof of Reserves does have a lot of advantages, it also comes with some inherent drawbacks. PoR is unable to prove the possession of the private key, as it requires to prove control of on-chain funds at a certain point in time of the audit. This is relevant because attackers may have duplicated the key. 

Secondly, PoR is also unable to prove whether the funds in question have been borrowed in order to pass the audit. It is entirely possible that the keys were lost or that funds were stolen after the last audit was done. Lastly, other important factors to consider are the skills and credibility of the PoR auditor in question.

Even though some shortcomings do exist, Proof of Reserves continues to pave the way in offering a semblance of standardization in the crypto industry. It is also important in promoting transparency and ensuring the security of the digital assets of users. If you want to learn more about how blockchain organizations can secure their assets, connect with our blockchain security experts at halborn@protonmail.com.