After Sam Bankman-Fried’s FTX cryptocurrency exchange dramatically collapsed last November, the pressure increased on other exchanges to be transparent and prove that they hold the digital assets they claim to have on behalf of their users.
To ensure they are transparent and safe, major exchanges started to provide their current state capital’s proof of reserves (PoR). However, nearly a year after one of the biggest scandals in crypto history, the question arises: how transparent are these PoR audits, and should we trust them?
Top Exchanges Keep Proof of Reserve Audits Flexible
Financial institutions, publicly traded companies, and large private companies are normally obliged to conduct independent financial audits frequently.
Sponsored
Audits verify the existence of assets and liabilities (like loans) to ensure that they are accurately reflected in financial statements. They are necessary to evaluate a company’s financial health, whether it is solvent, properly managed, or resistant to risks.
Audits are regularly conducted by independent third parties, such as accountancy firms or auditors, to ensure objectivity, unbiased assessment, and the integrity of financial reporting. The frequency varies by jurisdiction, but companies generally must disclose their auditing firms.
In the crypto space, they do not. The financial audits of the top 10 major crypto exchanges in recent years show flexibility both in the frequency of audits and in disclosing the names of their auditors.
Sponsored
Binance, the largest crypto exchange with more than $50.9 billion in total value locked (TVL) as of the day of publishing, has been disclosing its Proof of Reserves (PoR) data every month since November 2022, when the audit firm Mazars last time verified its reserves. Starting in January, all of its monthly PoR audits have been self-verified. All of them show an overcollateralized reserve ratio.
“We have two ways to produce verification reports. The first is the self-verification method (combined with zk-SNARKS technical solutions), and the second is third-party audits providing audit reports,” the exchange says but does not disclose the name of the third-party auditor.
Coinbase, a publicly listed company, claims it is subject to quarterly external auditor review—the exchange files annual audited financial statements with the SEC in February.
Kraken, the third largest exchange, says that “trusted auditors” conduct its Proof of Reserves (PoR) audit twice yearly. However, the only available PoR reports are dated June 2022 and December 2021. The same audit firm, Armanino LLP, conducted both.
Since last summer, at least on its website, San Francisco-based Kraken has not provided information about PoR audits. It has not responded to DailyCoin’s request for comment either.
Bybit, the biggest crypto derivatives trading platform, ranks fourth among the top crypto exchanges, with $3.55B TVL as of writing. The exchange says it has a 1:1 reserve on all user assets on the platform and conducts regular Merkle Tree PoR audits every two months starting with December 2022.
“Accounting firms thoroughly examine reserves, confirming asset-liability alignment through rigorous reconciliation and balance verification,” Bybit’s website states, but nowhere mentions the name of an independent external auditor.
Seychelles-based OKX, another top-five crypto exchange, also claims it has a 1:1 reserve of all user funds on its platform and uses a zero-knowledge proof algorithm, zk-STARK, to prove and verify the authenticity of its cryptocurrency holdings. The exchange has published its self-verified PoR audit reports every month since February 2022.
Bitstamp, Europe’s largest crypto exchange, has been audited annually by an undisclosed Big 4 (Deloitte, Ernst & Young, KPMG, and PwC) accountancy firm since 2016. At least one of its financial audits was conducted by Ernst & Young. Bitstamp does not disclose its financial reports.
KuCoin, another Seychelles-based crypto exchange, reports that an independent third-party institution certifies that it has 1:1 user assets backed by on-chain reserved. It does not specify either the name or the frequency of such audits.
The last time an undisclosed external institution verified KuCoin’s assets was November 26, 2022. The exchange has been associated with the Mazars audit group in the past.
Singapore-headquartered Crypto.com was also named as a client of Mazars until December 2022. This is when Mazars issued the latest known Proof of Reserves (PoR) verification report for Crypto.com. The crypto exchange does not specify how regularly its Proof of Reserves (PoR) audit reports are issued.
HTX, formerly Huobi, currently operates a $2.437B value locked on its platform. With Tron’s Justin Sun in a board advisory role since October 2022, HTX vocalized its determination to be transparent and reveal its reserves. It published a list of wallets holding $3.5B worth of assets in mid-December 2022 yet has never disclosed its auditor nor the frequency of audit reports.
Gate.io, a crypto exchange headquartered in the Cayman Islands, collaborated with accountancy firm Armanino LLP for its first PoR audit in May 2020. The same company also verified Gate.io’s second PoR audit 29 months later, in October 2022. Since then, no new audit report has been published. Gate.io does not specify how regularly it performs its proof of reserve audits and issues external party reports.
Independent Auditors Have Skeletons in Their Closets
As we can see from the provided data, six out of the top ten crypto exchanges have been collaborating with disclosed independent external auditors, at least since the last month of 2022.
When the FTX exchange collapsed and the pressure on crypto exchanges increased, auditing firms like Mazars and Armanino LLP, both popular among crypto clients, ceased providing crypto audit services.
Interestingly, both audit companies do have colorful reputations themselves. In 2020 and 2021, Armanino LLP, the 19th-biggest public accountancy firm by revenue in the US, audited the US branch of the now-bankrupt FTX.
California-based audit firm issued a clean bill of health for the exchange, which collapsed just a year later because of a lack of liquidity and poor management.
Armanino LLP also issued a PoR report for the crypto lender Nexo in 2021, affirming its liabilities were fully backed. Shortly thereafter, law enforcement initiated an investigation, suspecting Nexo’s involvement in organized crime related to money laundering and tax fraud.
Another accountancy firm of Binance, Crypto.com, and KuCoin, Paris-located Mazars, also terminated its services for the digital asset industry clients last December following the FTX crash.
However, earlier the same year, the UK’s accounting regulator raised questions about the declining quality of Mazars’ audits due to the company’s rapid growth and tendency to take on higher-risk clients.
Yet since the beginning of 2023, the situation with external crypto exchanges’ PoR audits has changed, as only two cryptocurrency exchanges, Coinbase and Bitstamp, acknowledge that major audit firms audit them.
Most of the top ten exchanges conduct proof of reserves audits without verification from an openly named third party.
PoR Audits Are Not Comprehensive Enough
In traditional finance, a company audit conducted without an independent third party typically raises concerns about objectivity, the reliability of the audit results, and potential conflicts of interest in assessing financial statements and controls.
The trust model here is only institutional, as traditional companies do not have other options, like cryptographical proof of asset ownership to a third party. With the crypto space, it is a bit different.
Merkle Tree, or a type of data structure in computer science, enables the verification of large datasets, and the growing number of crypto exchanges use them to prove to their clients that they have assets in custody equal to their customers’ deposits. Because of ZK rollups, the customer can do it without revealing individual account details.
While Merkle Tree PoR verification proponents believe they can replace financial audits, this is not entirely true. Merkle Tree PoR audits do not yet provide the same comprehensive verification practices as a traditional audit.
This means they can prove that there are enough assets in the reserves at a given moment but say nothing about the general financial health, internal control, and compliance with the accountancy standards of the platform.
A debated aspect is whether a Merkle Tree PoR should include an exchange’s liabilities, such as debts and other obligations, which are essential for assessing solvency and ability to fulfill customer withdrawals and financial commitments.
While it is not difficult to prove the existence of assets on the blockchain, the real challenge lies in verifying the liabilities of the platform, which is more complex to assess without a comprehensive and independent financial audit.
In auditing, there is a well-known term called “window dressing.” It refers to cosmetic changes or manipulation aimed to mislead and temporarily alter the accounts to make them look better for a specific period.
Although such behavior is traceable and observable, it does not mean that it cannot be utilized.
Merkle Tree PoR verification and external audits of cryptocurrency exchanges conducted by independent and publicly disclosed accountancy firms should become the new market standard to enhance transparency and trust in crypto.
Find out more about the SEC’s stance towards crypto auditors:
SEC Going After Crypto Auditors? Commissioner Peirce Dissents
Check out what’s ahead for stablecoins in 2023:
Stablecoin Dominance Wanes: Will MiCA End Them?
