Aug 15, 2022 - Economy & Business

Crypto audits are a practice in faith, less math

Illustration: Annelise Capossela/Axios

Crypto audits are coming back in style, but it's still a voluntary practice akin to paint-by-numbers — and without all the numbers. Call it a trust exercise.

Why it matters: This voluntary math goes through cycles of popularity (usually after things go wrong) and has become important again in the wake of a pair of large crypto lenders — Celsius Network and Voyager Digital — filing for bankruptcy reorganization. But it isn't perfect.

  • Proof of Reserves, or "PoR," is just one part of the equation for proof of solvency, Saravanan Vijayakumaran, an associate professor at the Indian Institute of Technology Bombay, tells Axios. "To answer your question about [the audits] being holistic — they are not holistic."

Details: Crypto audits ideally show that crypto held on deposit matches customer account balances, but to complete the equation for proof of solvency, one would need to run a proof of liabilities, in addition to custodians attesting to reserves held.

  • Calculating the total liabilities of a cryptocurrency exchange would require handing over private, internal customer databases.

Threat level: Voluntary audits also could mean hidden liabilities and imperfect implementations.

Driving the news: Exchange operator Kraken completed the second of its PoR audits last week. It also expanded the assets covered from just bitcoin and eth to include USDC, USDT, DOT, ADA and XRP.

  • The accounting procedure cryptographically verifies crypto holdings and account balances; an accounting firm, Armanino LLP, checks this.
  • Kraken's PoR audit also allows its customers to verify the results.

Details: Other firms that have conducted PoR audits within the last 24 months, according to Nic Carter, a general partner at Castle Island Ventures pushing the industry to do regular checks:

  • Crypto platform Nexo conducts attestations in real-time.
  • Coinfloor and BitMex have conducted self-assessments.
  • Ledn has a semi-annual, user-based validation approach.

What they're saying: "Our regular Proof of Reserves audits demonstrate Kraken’s ability to pioneer a higher standard for accountability and transparency — not just in crypto, but in the broader banking and financial space, too," Kraken said in a blog post Thursday.

Yes, but: Kraken's expanded voluntary audit still only covers 63% of the total assets held by the firm. A spokesperson tells Axios that the firm will add assets to future audits.

  • When asked about the decision to expand the assets audited, Kraken's spokesperson Edith Camargo said: "Kraken had always intended to expand the amount of assets covered beyond just Bitcoin and Ethereum. With these new assets, we are now able to verify seven out of the top 10 coins by market cap." (Solana is excluded)
  • The firm started cryptographic PoR audits earlier this year.

The big picture: "[The] industry does not seem to want it," Prof. Vijayakumaran says. "Eli Ben-Sasson, founder of StarkWare, says exchanges were not interested when StarkWare offered to build proof of solvency tech."

  • "The engineering complexity seemed to be a blocker," he adds. "When Kraken CEO Jesse Powell was informed about Provisions (proof of solvency from Stanford group), he punted on it." (This was all back in Feb. 2020)
  • Lack of support for all Bitcoin address types and engineering complexity were the reasons for the punt, Prof. Vijayakumaran says, but Kraken has since started PoR attestations with an independent auditor.

Flashback: Mt. Gox, the legendary exchange that once accounted for 70% of the world's bitcoin transactions, declared bankruptcy in February 2014.

  • The crypto industry says that PoR attestations could have exposed long-term insolvencies like that of Mt. Gox and others like it.
  • As part of a reassurance effort, a handful of leaders including the CEOs of Kraken, Bitstamp.net, BTC China, Blockchain.info and Circle signed a letter admonishing the exchange for not meeting the "essential requirements as a financial services provider."

The bottom line: "To those who reject PoR because it’s not perfectly trustless in its current implementation, I would respond that the perfect is the enemy of the good. At present, the industry standard is virtually no transparency," Castle Island Ventures' Carter wrote.
