In the crypto industry everything is done in its own way - sometimes because it is technically effective, sometimes just because there is no other choice. Proof-of-reserve reports aim to assure crypto exchange customers that the balances on their accounts are not just made up. Unlike conventional audits, they do not require year-long checks and costly verifications. The so-called Merkle tree method used in these reports allows customers to check their own account from the website of an audit firm, and to perform a check of the total balance in minutes.
The technology behind the method is simple: the verifier is given access to the crypto exchange database, where they can enter the address and the associated balance. If it matches, then everything is ok. To preserve privacy and security, instead of dealing with the absolute numbers, the verifier works with the hash of these two numbers combined. In a simplified form, instead of typing “User ID: 12345, Balance 1000” the user types 112030405, which is a transformation of these numbers that no one can reverse. Auditors check multiple accounts the same way - in that case, the hashes are prepared for groups of accounts, branches, etc.
The method has its limitations, and they are not only in the tech domain. As a very basic example, the verification of the balances adds little value if the exchange has borrowed these funds for a short time to pass the attestation. So only a full audit, one that verifies not only assets but also liabilities, can give some assurance in this case.
Anyway, large exchanges like Binance and Crypto.com have recently published their Merkle tree method proof-of-reserve reports. The results were encouraging: for every audited token, the exchanges had over 100% of reserve funds. The report was signed by the audit firm Mazars.
Mazars is a global audit firm that is ranked between 10th and 20th position in different charts in different years. We have observed audit firms in the same ranking range getting involved with crypto companies before - BDO performed an attestation of reserves for the Tether stablecoin. However, the Big4 companies (PwC, Deloitte, EY, KPMG) are distancing themselves from the risky industry. Even SEC-listed Coinbase could switch from Grant Thornton to Deloitte only in 2020. Unlike in other industries, in audit the Big4 are not just a revenue ranking. These firms are trusted by investors and shareholders of the largest companies, are under constant monitoring by regulatory bodies, and structure their client acceptance risks accordingly.
The fact that the engagement is not a full audit has some side risks for audit firms too. An audit performed according to international financial reporting standards requires a full set of financial statements, with multiple disclosures and standard procedures, which help not only investors to assess the company but also the auditor to form its opinion. There is also a risk that the public will be misled by the “partial” attestation, since not everyone goes deep enough to check the contents in detail.
Nevertheless, interest in crypto industry audits is high. Crypto companies are interested in publishing reliable information and are ready to pay for that. Even the partial audits of Binance and Crypto.com were important to the market and highly welcomed by crypto enthusiasts. Mazars was among the companies that undertook the risk of doing it. At the beginning of December, the firm handled both exchanges’ proof-of-reserve reports.
After just two weeks, however, Mazars Group withdrew the results of the validation and removed all information from their website. They also announced that they would cut ties with crypto companies globally because of “concerns regarding the way these reports are understood by the public.” The FUD around Binance and negative events in the crypto industry have obviously impacted their decision.
“Mazars is trying to reduce its risk profile. Its team probably discovered that they’re understaffed and not as knowledgeable about the crypto industry as they need to be to conduct a comprehensive audit.” – RA Wilson, chief technology officer of 1GCX.
We cannot rule out that there was something wrong with the Binance and Crypto.com reports as well. However, given the limitations and the very limited scope of the attestations, most probably things were fine.
What do you think? Will Binance be able to engage any of the Big4 auditors any time soon?