Proof of Reserve

How Can Organizations Prove They Have the Crypto They Claim to Have?

The CryptoCurrency Security Standard (CCSS) is a free and open set of industry guidelines and best practices for securing cryptocurrency and related systems. The CCSS recommends that organizations implement a variety of security controls to protect their cryptocurrency holdings, such as creating cryptographic keys and seeds on a system with sufficient entropy, using secure communication channels, and conducting regular security audits. However, these security controls only take us so far, and proof that an organization actually holds the assets it claims to hold remains vital. This is why systems that control assets must prove that they are solvent in order to be CCSS certified.

What is Proof of Reserve (PoR)?

Proof of Reserve (PoR) is a method that an organization can use to prove that it has the funds or assets that it claims to have. PoR is important in the context of cryptocurrency exchanges and other organizations that hold cryptocurrency on behalf of customers. In these cases, PoR can help to provide assurance to customers that their cryptocurrency is safe and that the organization has the assets it claims to have.

There have been instances where exchanges or other organizations have failed to maintain sufficient reserves of cryptocurrency, leading to financial losses for customers. A recent example of this is the FTX meltdown, in which more than $8 billion worth of customer funds have been lost, and FTX could owe money to more than one million people and businesses. FTX lent its affiliate, Alameda Research, billions of dollars, which led to FTX’s customers being unable to access their assets. The bottom line is that real people with bills, mortgages, and families, who thought their assets were being safely held, have been deeply impacted by the loss of their funds.

Why do we need CryptoCurrency Security Standard’s PoR Control?

The CCSS PoR control means that the organization holding customer funds either publishes enough information to prove, for example, 1:1 bitcoin backing, or that one can look at the blockchain itself to see whether the organization is operating a fully solvent system or an insolvent one.

The CCSS and PoR can provide assurance that customer deposits are safe and that the institution has the funds available to meet its obligations. This can be especially important in cases where an institution is not federally insured, there is concern about the financial stability of the institution, or customers are requesting proof of assets.

CCSS audits are conducted by an external third-party auditor and a peer reviewer. As with all standards, no controls are perfect silver bullets, but it is better to have something than nothing. The CCSS certification requires a PoR audit, completed and published online, that proves full control of all funds held by the information system. The PoR audit must be signed by an independent party that attests to the accuracy of the audit at the time it was performed. Therefore, if FTX had undergone a CCSS audit, the lack of funds would have been identified, and customers would have known by the lack of certification that something was amiss. If we as an industry demand that we won’t use custodians that aren’t CCSS certified, then people will be able to make more educated decisions and lower the risk of losing their assets.

As of the date of this publication, the only system that has completed a CCSS audit and been certified by C4 is Fireblocks Limited; however, there are additional systems being audited. You can keep an eye on the growing list of security-conscious CCSS certified organizations on our website.

PoR helps to build trust and confidence in financial institutions and other organizations, and it helps to ensure the stability and integrity of the financial system as a whole. Knowing that a standard, created by cybersecurity and cryptocurrency experts, exists and is open to use, we must ask ourselves: why might custodians holding others’ money NOT want to prove solvency? If the reserves are as promised, why would a company not want to provide that assurance to customers?

You can find more information about PoR in this blog post written by CCSS Auditor Marc Krisjanous.

Disclaimer

The information presented in this article is for educational and informational purposes only. It does not constitute financial advice, investment recommendations, or any form of endorsement. 

The views and opinions expressed by individuals in this article are solely those of the speakers and do not necessarily represent those of C4 or any other organizations with which they are affiliated.

The mention or inclusion of any individuals, companies, or specific cryptocurrency projects in this video should not be considered as an endorsement or promotion.

Regulations and legal frameworks around cryptocurrencies may vary in different jurisdictions. It is your responsibility to comply with the applicable laws and regulations of your country or region. 

The CryptoCurrency Security Standard (CCSS) has been updated to version 9.0. See the updated CCSS here.

Systems certified under 8.1 are still valid.