Why Bitcoin Exchange Audits Don't Go Far Enough

Several exchanges have already instigated inspections to reassure customers – but more thorough auditing is needed, argue experts.

AccessTimeIconMay 6, 2014 at 3:03 p.m. UTC
Updated Mar 6, 2023 at 3:22 p.m. UTC
10 Years of Decentralizing the Future
May 29-31, 2024 - Austin, TexasThe biggest and most established global hub for everything crypto, blockchain and Web3.Register Now

Bitcoin exchanges have further to go to prove their good standing to customers, say the experts that inspected them – but solutions are just around the corner.

, CoinDesk explored bitcoin exchange Kraken, and showed you how the company did its best to prove it possessed the bitcoins it claimed.

Bitcoin luminary Stefan Thomas used cryptographic proofs to confirm that the US exchange wouldn’t be caught short if there was a run on its bitcoins, and that it wouldn’t suddenly be embarrassed, Mt. Gox-style, to find that a hacker had secretly been stealing its coins.

Kraken passed the inspection with flying colours, as have others. But did the inspections go far enough? How in-depth should an audit be, and what else should it cover?

Why improvements are needed

The audit that Thomas conducted focused on how many bitcoins the exchange possessed, and how many it owed to customers. In a legitimate exchange environment, the former should be greater then the latter.

The Kraken audit followed a flurry of activity in the wake of the Mt Gox debacle, in which exchanges rallied to reassure customers that they had the bitcoins they claimed.

"It’s a reaction to Mt Gox," says Thomas. The company, which suspended withdrawals and then said that it had lost hundreds of thousands of bitcoins, left angry users in its wake.

Things used to be even worse, Thomas told CoinDesk, stating:

"I remember when these services were run anonymously and the MyBitcoin.com calamity happened, and then almost no one would use an anonymously run service anymore."

This was a reference to the anonymously operated wallet that claimed to have lost just over half its users’ bitcoins.

He added: "In future, people won’t use exchanges that don't allow any form of audit."

These inspections were a best-effort attempt to deliver something tangible in a short timeframe, but they are unlikely to be the ultimate solution.

When is an audit not an audit?

Jesse Powell, CEO of Kraken, says that he’s already planning a follow-up to his exchange's initial audit in the near future.

[post-quote]

A spokesperson from Coinbase, which also carried out a third-party inspection of its bitcoin reserves, added that it, too, is conducting more comprehensive follow-up inspections.

What should such inspections cover, and what was omitted the first time? We can learn a lot from Andreas Antonopoulos, Chief Security Officer at Blockchain, who was called in to inspect Coinbase’s bitcoin reserves back in February.

‘Audit’ isn’t a throwaway word, said Antonopoulos, who specifically didn’t refer to his inspection as an audit the first time around.

He prefers to call it a spot check, adding: "I purposefully used less strong language, because in my mind an audit is far more comprehensive and rigorous. If you see an audit that takes less than three or four weeks, it isn't an audit."

"[In an audit] they take visits to the sites, and they have teams to create a comprehensive report, and to sign off on that."

Implementing comprehensive audits

A proper audit wouldn’t focus solely on the bitcoin reserves, continued Antonopoulos, arguing that there are three broad areas a satisfactory bitcoin exchange audit would require:

  • Bitcoin reserves

Auditing the bitcoin reserves proves that the exchange has the bitcoins it claims to.

  • Fiat operations

An unscrupulous exchange without enough bitcoins to cover its customers' accounts could simply buy more of them with dollars or another currency, and hiding any gaps in its accounts by simply moving money from fiat currencies to bitcoin and back again. Auditors of a bitcoin exchange would ideally nose through the company’s fiat accounts to spot if this is happening.

  • Security

Checking the firm’s current cybersecurity systems would confirm that nothing had been visibly hacked.

However, these points alone do not satisfy Antonopoulos’ criteria for a true audit.

Companies don’t stand still, and a proper audit would include an element of future proofing. So, he divides each of these three areas into a further two areas: immediate checks, and forward governance.

That gives us a structure like this one (pictured), which, he said, any truly comprehensive bitcoin audit would have:

 (Click to enlarge)
(Click to enlarge)

There are challenges in both the spot check and the governance areas. For a start, a truly comprehensive bitcoin audit would span multiple disciplines.

There are a lot of very good bitcoin technologists in the world, and there are a lot of good accountants, but there isn’t much of an overlap.

"It is a business that could generate a lot of revenue and create a useful service to the industry," said Antonopoulos. "It would be a business combining CPAs and financial auditors, security auditors for infosecurity and knowledge of cryptographic currencies, and it would be able to do specialised audits for these kinds of businesses."

Right now, this is something that exchanges must cobble together for themselves, however.

Jesse Powell, who said that he is working on audits covering the fiat side of his operation, elaborated on Antonopoulos' ideas:

"The firm would need to independently have a strong grasp of bitcoin, crypto, the ability to review code or write their own, be aware of opportunities for either party to compromise the audit and have the ability to prevent those compromises. Traditionally, this skill set is not what accounting firms are known for.”

Kraken’s future audit will take these issues into account. The firm is working towards a fiat-based audit, he said, explaining:

"The next one will be comprehensive, including all cryptos, and fiat. Following that would be other types of audits on the company as a whole, [including the] management team, security, etc."

Coinbase has also confirmed that it’s focusing on both fiat and cryptocurrency checks for its next audit.

This challenge is daunting enough for exchanges trying to grow their business and deal with a plethora of regulatory and technical hurdles. And, this is just one snapshot in time. Audits are supposed to happen repeatedly to ensure that businesses remain compliant.

Why exchanges need repeat audits

As it stands, Kraken and Coinbase’s proof of reserves are ageing: they’re snapshots taken in the past. The older those snapshots become, the less relevant they are. Repeat audits keep validating the exchange, which assures customers their funds are safe.

However, there’s another reason why audits should be repeated, says Thomas: having subsequent audits handled by different parties reduces the need to place trust in one expert, such as himself.

“The way you get trust in these audits is that they're repeated by different people. It seems to be less likely that the exchange will lie, or bribe the auditor.”

To this end, he has resolved not to carry out any follow-up audits for Bitfinex or Kraken, because he wants to encourage the firms to use other third-party auditors. Although he has none planned at present, he is happy to conduct audits for other exchanges, though.

There are ways to increase the ongoing impact of an audit, by ensuring good governance, and this can be done across several of the audit areas highlighted here.

On the cybersecurity side, white-hat programs are certainly laudable ways to find software bugs, but it’s also important to check that companies have sufficient controls in place to avoid getting hacked in the future. There are well-established standards for this, such as the ISO 27000 series, and COBIT.

On the bitcoin reserves side, it should be possible to conduct regular automated spot checks that are automatically updated each day, suggested Antonopoulos.

An exchange could automatically hash the Merkle root for its cold storage, to create a proof of its assets – the bitcoins it has in hand.

It could also hash the balance of user accounts to create a Merkle root for the bitcoins held in its customers’ accounts, which would be a proof of liability.

These two Merkle roots could then be compared together.

How would the users automatically check that their balances were included in the proof of liabilities, though? They could use the same feature implemented during the Kraken audit, whereby users can personally check that their address was included in the tree that created the Merkle root.

Automating the process

The problem is that currently, an exchange’s users have to be technically adept to carry out these checks, meaning that many of them won’t. Instead, this check could be done for them using independently verified software, Antonopoulos said:

“One of the things we might want to see in the industry is essentially a much more user-friendly widget. Let's imagine that you have a third-party JavaScript widget that pops up inside the page from a third-party service, that runs the crypto check for you. You get a green check mark with the balance.”

The bitcoin community doesn’t stand still for long and at least one such system already exists. This proof of solvency system can be plugged into exchanges to offer both proof of liability and proof of solvency, says its creator.

And, yes, there is a browser-based widget designed to automatically check that a user’s balance has been included in a hash representing an exchange’s liabilities.

Bitcoin exchanges that have made an effort to reassure customers in this way are headed down the right track, but conducting a financial audit is a daunting task when you're a new organisation dealing with an entirely new asset class that many accountants don't even understand.

Hopefully, more exchanges will soon step up to prove not only their bitcoin reserves, but also their good governance in other areas. Like the bitcoin network and business ecosystem itself, exchanges’ ability to prove their good standing to customers remains a work in progress.

Tools image via Shutterstock

Disclosure

Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by Block.one; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.


Learn more about Consensus 2024, CoinDesk's longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to consensus.coindesk.com to register and buy your pass now.