A brief-ish history of crypto audits

In 2014, a former Bloomberg programmer called Changpeng “CZ” Zhao became chief technology officer at OKCoin, a start-up Chinese token exchange.

Being OKCoin’s community cheerleader was a big part of the role. Bitcoin’s price had crashed following the collapse of the Mt Gox exchange, Beijing’s hostility to crypto was strengthening and miners globally had been switching off.

OKCoin helped revive interest in crypto as a gambling chip by adding derivatives and staking, while CZ used his social media profile to bolster trust among the fervent believers. He could often be found on Reddit, such as in this now-deleted but archived post where he denies that OKCoin was using bots to spoof volume. And he was a regular on podcasts such as this one, where (at around 25 minutes) CZ explains that wash trades on the exchange were because Chinese traders had been trying to win a car.

CZ left OKCoin in February 2015 after just eight months.

At first all seemed amicable, with CZ saying the exit was “a difference of direction”. Then came a Reddit post (deleted but archived) where CZ lays out dozens of accusations against OKCoin and its founder Mingxing “Star” Xu, including around its alleged use of bots to inflate volumes.

OKCoin responded on Reddit to deny what it called CZ’s “lies and desperate nonsense”, as well as adding numerous accusations of its own.

It’s easy to dismiss the public mud-slinging as a relic from crypto’s frontier age. The trading of insults — which purportedly stemmed from a contract dispute between OKCoin and Roger Ver, an early evangelist known as Bitcoin Jesus — was fought in typical messageboard bluster using jargon that can often appear impenetrable by design. Yet the fight has some relevance today around the issue of audits.

In August 2014, a few months before CZ left, OKCoin published what it called the industry’s “first Proof-of-Reserves Audit”. The report was written by Stefan Thomas, who at the time was CTO of crypto payments group Ripple and was well known to the community. He concluded (with numerous caveats) that bitcoin balances appeared to cover user funds by more than 104 per cent.

Calling this an audit was unhelpful because it wasn’t. There are lots of good explainers on the mechanism employed; the very simple version is that Thomas ran integrity tests on databases supplied by OKCoin that listed its bitcoin assets and liabilities. These tests generated a kind of checksum of assets, known as the Merkle root, from which depositors could verify that their own holdings existed on the chain. It provided a bare minimum level of transparency, as Thomas warned:

Note that there are limitations to this type of audit. It does not verify an exchange’s fiat assets and liabilities or other aspects of their balance sheet. It is also difficult to prove definitively that the bitcoins in question are actually owned by the exchange versus being on loan for instance.
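To make the mechanism concrete, here is a short Python sketch, added to this piece rather than taken from Thomas’s report or any exchange’s code. It builds a summed Merkle tree over a constructed sample ledger (the customer names, balances and nonces are invented), lets a depositor verify their own leaf against the published root, and then shows the two limitations that matter for the rest of the story: a liability simply left out of the tree goes unnoticed by every depositor who checks, and a negative balance can be masked by a positive neighbour so that the root total is understated. The hash layout, field names and the negative-balance check are assumptions of the sketch, not the 2014 methodology.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Node:
    """A tree node: a hash commitment plus the balance total it commits to."""
    digest: bytes
    total: int


def _h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def leaf(user_id: str, balance: int, nonce: str) -> Node:
    # The leaf commits to the balance and a per-customer nonce, so the published
    # tree does not reveal who owns which balance. Field layout is illustrative.
    return Node(_h(b"leaf", f"{user_id}|{balance}|{nonce}".encode()), balance)


def combine(left: Node, right: Node) -> Node:
    # A parent commits to both children's digests and to the summed balance,
    # so the root's total is the exchange's claimed liability figure.
    total = left.total + right.total
    digest = _h(b"node", total.to_bytes(16, "big", signed=True), left.digest, right.digest)
    return Node(digest, total)


EMPTY = Node(_h(b"empty"), 0)  # padding node for levels with an odd count


def build_levels(leaves: List[Node]) -> List[List[Node]]:
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2:
            cur = cur + [EMPTY]
        levels.append([combine(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels


def root(levels: List[List[Node]]) -> Node:
    return levels[-1][0]


def inclusion_proof(levels: List[List[Node]], index: int) -> List[Tuple[str, Node]]:
    # The sibling nodes a depositor needs to rebuild the path from their leaf to the root.
    proof = []
    for level in levels[:-1]:
        sib = index ^ 1
        sibling = level[sib] if sib < len(level) else EMPTY
        proof.append(("left" if sib < index else "right", sibling))
        index //= 2
    return proof


def verify(my_leaf: Node, proof: List[Tuple[str, Node]], published_root: Node) -> bool:
    # A depositor's check: recompute the path and refuse any negative total seen on it.
    if my_leaf.total < 0:
        return False
    cur = my_leaf
    for side, sibling in proof:
        if sibling.total < 0:
            return False
        cur = combine(sibling, cur) if side == "left" else combine(cur, sibling)
    return cur == published_root


# Constructed sample ledger (user, bitcoin balance in whole units, nonce); not real data.
CUSTOMERS = [("alice", 50, "n1"), ("bob", 30, "n2"), ("carol", 20, "n3"), ("bot-7", 40, "n4")]


def demo_hidden_account() -> Tuple[int, int, bool]:
    """Leave the exchange's own 'bot' account out of the published tree.

    Returns (true total, published total, whether alice's proof still verifies)."""
    full = build_levels([leaf(*c) for c in CUSTOMERS])
    published = build_levels([leaf(*c) for c in CUSTOMERS if not c[0].startswith("bot")])
    alice_ok = verify(leaf(*CUSTOMERS[0]), inclusion_proof(published, 0), root(published))
    return root(full).total, root(published).total, alice_ok


def demo_negative_balance() -> Dict[str, object]:
    """Place a negative (lent-out) balance next to alice so its parent stays positive."""
    ledger = [("alice", 50, "n1"), ("margin", -20, "n5"), ("bob", 30, "n2"), ("carol", 20, "n3")]
    levels = build_levels([leaf(*c) for c in ledger])
    r = root(levels)
    return {
        "root_total": r.total,  # 80, although the honest balances sum to 100
        "alice_ok": verify(leaf(*ledger[0]), inclusion_proof(levels, 0), r),  # sees the -20 sibling
        "bob_ok": verify(leaf(*ledger[2]), inclusion_proof(levels, 2), r),    # sees only a +30 parent
    }
```

Every honest depositor in the trimmed tree still gets a valid proof, which is why an inclusion check says nothing about accounts the operator chose not to publish. The negative-total check only catches a negative value that happens to sit on a depositor’s own path; once it has been netted into a positive parent it is invisible, which is why later proof-of-liabilities designs attach a range proof to every leaf rather than relying on path inspection.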

In an interview with CoinTelegraph, CZ dismissed criticisms of the “audit” and denied suggestions that OKCoin might not have given Thomas all relevant data.

Then the story changed. CZ’s Reddit post labelled the audit “fake” and claimed OKCoin had understated liabilities by hiding its own bot accounts. “In essence, these bots trade on fractional (or fictional) reserves,” he said. “Thomas was lied to during the audit. This is an unfortunate limitation of the proof-of-reserves method.”

In response, OKCoin claimed that hiding the bots was to avoid double counting of loaned coins. CZ “does not even understand what an audit is”, it added.

Eight years later, CZ is keen to stress that he knows what an audit is:

Binance, now by far the world’s biggest crypto trading venue, has been pushed by the collapse of FTX into claiming transparency. Yet what it delivered last week can’t be considered an audit any more than OKCoin’s 2014 effort.

According to a letter from the South African affiliate of accounting group Mazars to “Binance Capital Management Co. Ltd” of the British Virgin Islands, Binance appeared on November 22 to be collateralised at an underlying level by 101 per cent. The letter does not use the term audit. Instead, Mazars says it ran an agreed-upon procedure (AUP), meaning its staff could give only factual findings within the parameters Binance had predefined. The accounting firm made no extra inquiries, formed no opinions, and offered no assurances — including around the validity of the whole exercise, as the introduction to its five-page letter tries to make clear:

The management of Binance acknowledge that the AUP are appropriate for the purpose of the engagement and are responsible for the subject matter on which the AUP are performed. [ . . . ] We make no representation regarding the appropriateness of the AUP.

This AUP engagement is not an assurance engagement. Accordingly, we do not express an opinion or an assurance conclusion. Had we performed additional procedures, other matters might have come to our attention that would have been reported.

There’s no information on which of Binance’s nomadic business units was being tested. It covers only the self-reported bitcoin assets and liabilities and, according to a Wall Street Journal article, excludes the US business. Improvements to the Merkle tree methodology, such as using dummy transfers to verify an unspecified number of wallets, are at most incremental.

And even then, Binance failed.

“We found that Binance was 97 per cent collateralised,” Mazars partner Wiehann Olivier writes. Pass-marks required “taking into account the Out-Of-Scope Assets pledged by customers as collateral for the In-Scope-Assets lent through the margin and loans service offering resulting in negative balances on the Customer Liability Report.” In other words, the headline figure of 101 per cent relied on excluding from the liability side bitcoin Binance said had been lent out.

This is a plausible excuse. Collateral held against bitcoin loans would be held in currency or tokens other than bitcoin, so would fall beyond the scope of Mazars’ report. Nevertheless, it’s hard to take much confidence from an audit framed around such narrow parameters that still can’t arrive at a good answer by means other than asking for more blind faith.

Binance says it will give information about tokens other than bitcoin in the coming weeks — the most important of which in balance sheet terms are its BNB native token and the Binance USD and tether stablecoins. Shortly after FTX imploded, Binance reported that as of November 10 it was holding approximately $69bn worth of coins and that those three tokens accounted for more than 70 per cent of reserves by value. Chart below by Mike Alfred:

FTX’s failure triggered a race among crypto exchanges to avoid “not your key, not your coins” becoming an existential threat. Star Xu’s OK Group, which includes the OKCoin and OKX exchanges, is among many to advertise transparent proof of multitoken reserves through auditor-assisted token validation, albeit built around the same basic method as its contested 2014 audit.

Yet even compared with the data provided by its smaller rivals, Binance’s efforts at transparency have left many commentators unconvinced. Research group Mysten Labs (which has been funded by Binance) last month published a report in which it identified “potentially exploitable vulnerabilities” that could mean even the bitcoin liabilities were understated.

The closest thing to a public measure of sentiment in Binance, its BNB native token, was under pressure on Monday following a Reuters report that the US Department of Justice may pursue money laundering charges as part of a long-running criminal investigation into the exchange. Binance has posted a lengthy response on its website and CZ has responded on social media in his signature style — with a dig at an adversary and appeal to the community.

But after nearly a decade of bluster from CZ, it looks like the community might be wanting some new material: