Exchanges run PoR audits to reassure users, but is that enough?

After the collapse of FTX and the allegation that the exchange had misused customer assets worth $10 billion, several exchanges including some in India are going for proof-of-reserve (POR) audits to become more transparent and assure crypto investors that their assets held by the exchanges have not been misused or misplaced. 

PoR is an independent audit conducted by a third party on behalf of a crypto exchange to find out if the customer’s assets are missing from the reserves. The auditor looks into the assets in the book held by the exchange on behalf of its customers and matches them with the actual reserves. For this, they can use techniques like Merkle Tree, a mathematical data structure that encrypts blockchain data securely. 

Binance published its PoR last week, which shows that the world’s largest exchange has assets worth more than $69 billion. Indian crypto exchange Giottus said early this week that it will publish its proof of reserves after an external audit. Earlier today, CoinSwitch announced that an independent third-party audit by consulting firm INMACS has confirmed that the total INR and virtual digital assets (VDA) holdings held by CoinSwitch is greater than the VDA and INR held by CoinSwitch on behalf of the users of its platform.

“INMACS’ independent report is a testament to our commitment and proactive approach to risk and compliance measures.  We will continue to evaluate other ways of establishing trust and transparency as we help India participate meaningfully in the global crypto revolution,” said Ashish Singhal, co-founder, and chief executive of CoinSwitch.

Industry experts have welcomed the move, but also warned that a PoR audit is not foolproof. 

“Before the proof of reserve audits take place, exchanges can shuffle funds between themselves to show that the audits are fine. There are loopholes because they are the ones who are setting up the audits,” warned Sidharth Sogani, founder and chief executive of CREBACO, a crypto rating, and intelligence firm. 

In fact, Sumit Gupta, co-founder of Indian exchange CoinDCX, also said that PoR only showcases one side by providing standalone asset value. "There’s no visibility of liabilities. PoR without Proof of Liabilities is only half the picture," he said, adding that the exchange is working on publishing the risk-to-liability ratio periodically, along with audit certificates.

“Though they are using blockchains Merkle tree for audits, it doesn’t mean that it is foolproof. Certain internal transactions don't get hashed on the blockchain. Moving from account 1 to account 2 in the same exchange may not be visible on the blockchain,” added Sogani. 

For instance, early this week Singapore-based crypto exchange Crypto.com accidentally transferred 80% of its ETH token holdings to a whitelisted address that belonged to its corporate account on another exchange Gate.io. Though Crypto.com was able to recover the transferred assets, the incident sparked withdrawals of assets by many customers. Some experts suspect that the transfer of funds can also be done to tamper with proof of reserve audits. 

“The same auditors behind FTX also approved the "proof-of-reserve" snapshots that are coming under scrutiny at Gate and Huobi!! These snapshots look to have been fluffed up by wash transactions from http://crypto.com, which claims that this was a mistake. Hard to believe,” Mario Nawfal, founder and chief executive of IBC Group, which invests in blockchain projects, said in a Twitter post. 

Sogani feels that what has happened with FTX is an eye-opener and will make people realize the importance of holding their own keys.  “It is important that you own your keys in self-custody wallets. The scams and misuse of funds are happening because users are trusting a  third party to take care of their funds. As long as users continue to do that, we will see such scams,” said Sogani. 

He noted that self-custody wallets will gain more importance going forward.