With the traditional auditors out, where will the CEX reserve certificate go?
Author | Qin Xiaofeng
Editor | Hao Fangzhou
Produced | Odaily

With the collapse of FTX, the asset reserves of centralized platforms, especially CEXs, have attracted much attention. A number of trading platforms have announced their exchange wallet addresses one after another to show the status of their reserves. Odaily has previously written an analysis (recommended reading: "Analyzing the details of the asset reserves of the seven major exchanges, who exposed potential risks?").
However, disclosing reserves is only the first step toward transparency; on its own it cannot show an exchange's solvency. The exchange's liabilities (that is, the amount of user deposits) must also be considered, and a complete "reserve certificate" issued. For a CEX, "Proof of Reserves" is also an important step to reassure people and give users a better understanding of how the platform manages assets.
In the past few weeks, Binance, Crypto.com, Kucoin and others have announced "reserve certificates" issued by third-party auditors. However, as firms such as Mazars and Armanino have dropped their crypto audit business, crypto users have become suspicious, and trust in CEXs is once again under discussion.
In this article, we explore why traditional audit firms are shunning crypto proof-of-reserve audits. In the absence of traditional auditing, where does the road to CEX transparency lead? Can proof of reserves based on the Merkle tree become an effective way for the industry to save itself?
1. Why did the audit firms abandon crypto companies?
What is Proof of Reserve (PoR)? It is a way of verifying that a crypto platform holds 1:1 backing for the digital assets it keeps in custody on behalf of its clients. Put simply, if the reserves in the platform's wallet addresses are greater than or equal to users' deposits, this shows that the platform has sufficient funds and can honor redemptions in full.
Usually, crypto platforms engage a well-known third-party audit firm to conduct an audit and issue a reserve certificate. Earlier this month, Binance, Crypto.com, and Kucoin all hired Mazars Group to issue "proof of reserves". (Note: Mazars Group is a global auditing, accounting and consulting firm, established in 1945, serving more than 90 countries around the world.) However, Mazars Group's report attracted further controversy. The Wall Street Journal commented that Mazars' report was actually a five-page letter rather than a proper audit report because it did not address the effectiveness of internal financial reporting controls. In the end, Mazars Group, facing pressure from many parties, deleted the audit report from its official website, completely shut down Mazars Veritas, an audit tool used for cryptocurrency exchanges, and stated publicly that it would stop all work with cryptocurrency companies and no longer issue reserve certificate reports.
Coincidentally, Armanino, an accounting firm that provides audits for FTX's US platform (FTX.US), also plans to end its crypto audit business and stop providing financial statement audits and reserve certification reporting services to crypto companies. In addition, The Wall Street Journal reported that accounting firm BDO also plans to suspend auditing services for cryptocurrency clients. Currently, none of the Big Four accounting firms (Deloitte, Ernst & Young, KPMG, and PwC) have any plans to provide proof-of-reserve audits of private cryptocurrency companies.
Why are audit firms shunning crypto reserve certifications? The core reasons are as follows:
From the perspective of the audit firms themselves, crypto is still a brand-new field. Auditors are not familiar with on-chain business and lack the professional expertise, so they can only learn by doing. Binance founder Changpeng Zhao commented that most accounting firms do not know how to audit cryptocurrency exchanges. It is not difficult for crypto companies to deceive "novice" auditors in a field the companies themselves know well.
Moreover, when audit firms serve crypto companies, they can often only work to the specific requirements set by the company and lack autonomy; they audit only the reserve certificate and do not cover internal controls or financial condition, so the reliability of the final report must be discounted. For example, suppose a platform's users have deposited 8,000 BTC and there are 9,000 BTC in its wallet addresses. This does not mean that the exchange is 100% solvent, because 3,000 BTC may have been obtained by the platform from a third party without the audit firm knowing.
(Note: Audit firms usually audit internal controls and financial status only for listed companies, not for private companies. This is also a contradiction.)
Judging from actual outcomes, an audit firm can also end up in a lawsuit for auditing a crypto company (platform), and its reputation suffers greatly, which affects the development of its non-crypto business.
Recently, Armanino and Prager Metis CPAs LLC, two accounting firms that worked with FTX, were both sued by FTX users and accused of conspiracy to extort money. The Wall Street Journal commented that the two accounting firms were cheerleaders for FTX, not skeptical auditors. Other, non-crypto clients of these audit firms worry that the firms' reputational risk will cast doubt on their own audit reports, which puts pressure on the audit firms.
Finally, due to the FTX incident, the U.S. Securities and Exchange Commission (SEC) is stepping up its oversight of auditors, forcing them to abandon crypto clients.
2. Merkle tree reserve proof guarantees transparency

With third-party auditors absent, more crypto trading platforms are committing to produce their own proof of reserves, using more crypto-native methods to prove asset reserves.
Among them, the Merkle tree reserve certificate promoted by Binance has attracted much attention. OKX, Bitget and ByBit adopt broadly similar methods, with the specific details varying from exchange to exchange. In the past few weeks, many platforms, including OKX, have used this scheme for auditing and published the results on their official websites.
(OKX reserve announcement)
What is the principle of reserve proof based on the Merkle tree?
A Merkle tree is a cryptographic technique for compressing data. With a Merkle tree, many pieces of data can be combined into a single value that stores the result of aggregating a large data set, and it provides a means to prove that a given piece of data is included in that aggregated result. The leaves of the Merkle tree are the hash values of each item in the data set. The tree is built upward from the leaves by concatenating two adjacent hash values and hashing them again to generate the parent hash value. The hash value that finally reaches the top layer is called the Merkle root. The root hash reflects the hashes of all the data, so if the data at any node is tampered with, the root presents a completely different value.
In simple terms, a Merkle tree is a binary tree of hashes capable of spotting any manipulation or tampering of data. If a user's assets are changed, the change is reflected in the root of the tree, which presents a completely different value. This mechanism ensures that the data in the Merkle tree cannot be tampered with undetected.
For example, the exchange aggregates snapshots of all of a user's trading accounts into that user's total assets, and then assigns each user a unique and anonymous user hash ID. Each user's total assets are stored as a leaf node in the Merkle tree, and the assets of all users are aggregated into a Merkle tree root. As long as a user's asset information is included in a leaf node of the Merkle tree, it can be proved that their assets are included in total user assets. To help users verify this, each platform has also released its own open source verification tool, a "Merkle Validator"; users can enter their own hash value, user code and other information to verify whether their assets are included in the Merkle tree snapshot.
Of course, the reserve proof based on the Merkle tree also has some flaws.
One is that the reserve certificate is only a snapshot of users' assets at the time of the audit. Any asset transactions after the snapshot, and any assets not covered by the audit, are not included in the audit results. A platform could move funds in to pass the Merkle tree audit on the audit day and move them out again after the asset snapshot.
The solution is for trading platforms to publish audits more frequently (currently both OKX and Binance publish PoR reports monthly), going from once a month to once a week, and eventually to real-time proof. In addition, third-party monitoring agencies can keep an eye on the wallet addresses announced by the exchange to observe whether there are large inflows and outflows of funds around the audit day.
Second, like traditional auditing, Merkle tree-based reserve proofs struggle to reflect a company's internal financial status, such as liability relationships and related-party transactions, which reduces the reliability of an isolated reserve audit.
The third is the problem of front-end fraud. The Merkle tree data is stored on the exchange's own servers, and the front-end pages through which users interact with the exchange are controlled by the exchange. The exchange could return fake pages to deceive users, so front-end fraud is possible; and given user inertia, users are unlikely to verify for themselves with the platform's open source verification tools, or to do so often.
As a solution, third-party PoR services can be used to increase reporting reliability. For example, Chainlink Labs provides a set of out-of-the-box solutions. Specifically, the service uses Chainlink nodes connected to the exchange's API and its vault address; these nodes are then connected to a proof-of-reserve smart contract that any account on the network can query to determine whether the exchange's assets equal its liabilities.
Fourth, the reserve certificate only covers part of the assets and cannot fully reflect the status of the exchange's funds.
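The wallet monitoring suggested under the first flaw above, as an added example that is not taken from any monitoring service. The transfer records, wallet labels, reserve figures, two-day window and 10% threshold are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data: (time, published wallet label, signed BTC amount).
# Positive = funds entering the exchange wallet, negative = funds leaving it.
TRANSFERS = [
    (datetime(2022, 12, 10, 9), "hot-1", 120),
    (datetime(2022, 12, 20, 14), "cold-1", 2500),   # day before the snapshot
    (datetime(2022, 12, 20, 18), "hot-1", -80),
    (datetime(2022, 12, 22, 3), "cold-1", -2400),   # day after the snapshot
    (datetime(2023, 1, 20, 11), "hot-1", 150),
    (datetime(2023, 1, 22, 16), "hot-1", -130),
]
# Snapshot time -> reserve reported at that snapshot, in BTC (constructed).
SNAPSHOTS = {datetime(2022, 12, 21): 9000, datetime(2023, 1, 21): 9100}

def net_flow(transfers, start, end):
    """Net signed flow across all published wallets in [start, end)."""
    return sum(amount for ts, _wallet, amount in transfers if start <= ts < end)

def review_snapshots(transfers, snapshots,
                     window=timedelta(days=2), threshold=0.10):
    """Flag snapshots where a large net inflow just before the snapshot
    is followed by a large net outflow just after it."""
    findings = []
    for snap, reserve in sorted(snapshots.items()):
        inflow = net_flow(transfers, snap - window, snap)
        outflow = -net_flow(transfers, snap, snap + window)
        limit = threshold * reserve  # assumed: 10% of the reported reserve
        findings.append({
            "snapshot": snap,
            "net_in_before": inflow,
            "net_out_after": outflow,
            "flagged": inflow >= limit and outflow >= limit,
        })
    return findings

if __name__ == "__main__":
    for finding in review_snapshots(TRANSFERS, SNAPSHOTS):
        print(finding)
```

A flag here is a prompt for closer review of the addresses involved, since ordinary treasury movements can produce the same pattern.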
Although regulatory agencies such as the SEC are not optimistic about proof of reserves, in the absence of third-party audits, proof of reserves based on the Merkle tree is an effective attempt by the industry to save itself. The crypto market needs more open and transparent information, and crypto platforms are rebuilding user confidence through their own efforts. Of course, on-chain verification of reserves is new territory and still has a long way to go.


