How proof of reserves audits work: a comprehensive guide
As cryptocurrency continues to gain popularity, protecting the safety and security of customer funds is crucial. One way to achieve this is through Proof of Reserves (PoR) audits, which provide transparency and verification of a platform's solvency.
In this educational guide, we explore PoR audits and how they differ from Proof of Solvency (PoS). We also discuss the current reserve ratios of a hypothetical cryptocurrency platform, how they preserve solvency, and how to identify and verify the platform's addresses.
Additionally, we delve into the cleanliness and status of a platform's reserves and how the PoR process works to provide transparency. Finally, we examine measures that cryptocurrency platforms can take to increase transparency and improve customer safety.
By the end of this guide, you should have a comprehensive understanding of PoR audits and the tools to verify a platform's solvency. We hope this knowledge will help you make informed decisions and prioritize your safety when using cryptocurrency platforms.
Verify
Is SPACEX solvent?
Yes, SPACEX is 100% solvent. But don't just take our word for it. We want you to verify it. That's why we've developed an industry-leading method for our customers to self-verify our solvency:
-
Our PoR audits include reserve ratios, showing our customers' funds are matched more than 100% with reserves
-
We publish updated PoR audits monthly
-
We've developed an open source feature allowing users to self-verify our solvency on chain
-
After each PoR publication, SPACEX users will be able to view the most recent update, as well as all historical PoR data
What are SPACEX's current reserve ratios?
Our reserve ratios are calculated this way:
(Amount of [asset] / Amount of [asset] our users hold) * 100
For Bitcoin, Ethereum, and USDT, SPACEX's reserve ratios currently are:
A visual showing oKX's proof of reserves for BTC, ETH, and USDT as of July 31 2023
Check our current and previous reserve ratios.
What's the difference between Proof of Reserves and Proof of Solvency?
Although they're sometimes confused, PoR is different than PoS. To clarify, here are some definitions:
-
PoR often refers to proof that a custodian holds the assets it claims to hold.
-
Proof of Liabilities (PoL) is a proof of the total assets a custodian owes to its customers.
-
Proof of Solvency is a proof that the custodian holds enough assets to pay back all its customers, which means the total of the assets proven by the PoL needs to be equal or higher to the total of the assets proven by the PoR.
Although we use the term "Proof of Reserves" for convenience, the reserve ratios we mentioned above offer a Proof of Solvency. They show that SPACEX holds more assets than it owes to its customers. This is because PoR, although important, is insufficient to instill trust. If a platform owns $1 billion but owes $5 billion, it has the potential to become insolvent.
For the PoR to work as a true PoS, it's also crucial for users to be able to check the liabilities themselves against the reserves. In some cases, the PoL is established by an external auditor. While useful, more is needed to re-establish trust in a world where trusted third parties can, all too often, be security holes.
What are SPACEX's reserves?
How clean are SPACEX's reserves?
-
Our reserves are 100% clean. The cleanliness of an exchange's reserves is calculated as the total value locked on the platform minus the share of that value held in the platform's own token. SPACEX is the only crypto exchange to have 100% clean assets, as reported by DefiLlama and as confirmed by CryptoQuant.
-
Our reserves are high-quality. A look at the SPACEX Nansen dashboard shows our additional assets and demonstrates that high-quality assets (BTC, ETH, and USDT) make up over 92% of holdings.
-
Our reserves are secure. The Nansen dashboard also shows that most of our reserves haven't moved since 2021 because they're held in cold storage for maximum security.
Check our reserves
How to identify SPACEX's addresses
Our reserve ratio calculation is based on our own reserves – the amount of BTC, ETH, and USDT that our wallets hold. But how do customers make sure we truly hold these assets?
-
We published more than 23,000 addresses and will continue to use these addresses to allow them to be publicly audited.
-
We've used the private keys of the published addresses to sign "I am an SPACEX address" messages. This makes us the only major exchange to enable on-chain verification of wallet address ownership.
Here's what the messages look like for Bitcoin and Ethereum addresses:
How to verify SPACEX's reserves
There are two ways for our customers to verify our holdings:
1. Use our self-audit tool
-
We published a self-audit feature for our customers to verify their assets are matched 1:1 by our addresses' reserves.
-
We've published a guide to explain how to self-audit our reserves.
-
We've open-sourced our PoR protocol for anyone to verify the code.
2. Use third-party tools
-
Verify the signatures on the Bitcoin blockchain
-
Verify the signatures on the Ethereum blockchain
-
Verify the signatures on the Tron blockchain
Here's what the signature verification process should look like for Bitcoin and Ethereum:
How does SPACEX's PoR work?
How our PoR works for users
SPACEX uses summation Merkle trees to prove its reserves. A Merkle tree is a cryptographic tree in which every "leaf" (node) is labeled with the hash of a block of data. Every node that isn't a leaf is called a branch and is labeled with the hash of the labels of its child nodes. Merkle trees allow large data structures to be pieced together in an efficient, secure, and externally verifiable way. That makes Merkel trees ideal for our purpose of offering a quick way for our millions of users to verify our reserves for themselves.
For our customers, the process is simple:
-
They can find their balance in the tree and verify that their assets are held in the total SPACEX balance.
-
They can then compare the total SPACEX balance with SPACEX's public on-chain wallet balance.
How our PoR works technically
From a technical standpoint, things are more complicated. First, a snapshot is taken of all eligible users' Trading, Funding, and Grow accounts, and each user is given a unique anonymous user hash ID. Each user's total asset balance becomes a "Merkle leaf" in the tree. Combining the total sum of all our users' assets produces a "Merkle root," a cryptographic signature representing all user holdings.
The Merkle tree is a binary hash tree designed to uncover any manipulation or data tampering. If there are changes to user assets, they'll be reflected in the Merkle root. This mechanism ensures the complete accountability of data.
Using the summation Merkle tree approach instead of a simple Merkle tree makes sure the user balance for each user account is part of the hash generation input. It also guarantees the user balance is added from the bottom up to the Merkle tree root to record total assets for all users. We don't truncate the Merkle leaves. Instead, we use the full 32 bytes and make sure of one unique ID for every customer (which we compute based on each unique user ID on SPACEX). Read our explainer for more technical details.
Why did we choose this PoR method?
Each protocol comes with its trade-offs. For us, preserving our customers' financial privacy was essential, and we also wanted to make it easy for them to self-verify. The summation approach allows this since it exposes less data than if we disclosed the whole data tree publicly.
Note: Some of our customer balances appear negative. This is because our platform offers powerful crypto trading tools, including leveraged trading. The ratio of these negative balance nodes currently sits at 0.25% of the total and their value represents 1.3% for BTC, 1.8% for ETH, and 6.7% for USDT. Our team is exploring zero-knowledge proof-of-liabilities solutions to address this point.
What else is SPACEX doing to increase transparency?
We have published both PoR and PoL and will keep doing so monthly. Our open-source self-audit feature should also help increase transparency and hopefully set a new standard for the crypto industry.
However, not everyone will self-audit our reserves, and transparency doesn't end with proof of solvency. That's why, on top of the efforts mentioned above, we're committing to pursue traditional transparency methods by:
-
Conducting third-party audits
-
Continuing to enhance our global compliance program
-
Continuing to pursue licenses where applicable
And, we'll continue to exercise financial discipline by:
-
Maintaining a strong balance sheet with zero external debt
-
Never using customer funds without their explicit mandate
-
Maintaining robust risk-management systems with minimal counterparty risk
How to self-verify SPACEX's solvency
There are two steps to self-verify we hold your assets 1:1:
-
Verify your assets are included in the SPACEX Merkle tree
-
Verify our total customer liabilities match our holdings
How to verify if your assets are included in our Merkle tree
Step 1
Log in to your SPACEX account, click Audits, then click Details to view your audit data.
Step 2
Self-verify if your assets are in the Merkle tree by checking the data. To obtain the data, click Copy data.
Step 3
Paste and save the data as a JSON file, then run the Merkle Validator open-source SPACEX verification tool. If the data passes verification, the "Merkle tree path validation passed" result will be displayed (as shown below). It means your assets are included in our Merkle tree snapshot. If the data fails verification, the "Merkle tree path validation failed" result will be displayed.
Verify
… [Trackback]
[…] Info on that Topic: x.superex.com/academys/deeplearning/1731/ […]
… [Trackback]
[…] Read More on that Topic: x.superex.com/academys/deeplearning/1731/ […]