CCSS V8.1 Update

Background

In April 2023, the CCSS steering committee was presented with questions from a CCSS Auditor (CCSSA) regarding the Proof of Reserves Aspect (PoR) of the CryptoCurrency Security Standard (CCSS). The questions posed came to light in the context of scoping and preparing for the CCSS audit of a large exchange. After consideration, the CCSS Steering Committee decided that the questions about the nature, scope, testing requirements, and sufficiency of proof when testing for the Proof of Reserves Aspect warranted a PoR sub-group that would work to make recommendations.

Consensus of the Working Group

The working group on the PoR Aspect concluded that: (1) it would be appropriate at this time, and beneficial to the Standard to remove the PoR Aspect; and (2) after much consideration, it would not be appropriate at this time to add a replacement or supplement to the PoR Aspect. 

Rather, the Working Group determined that, “Key Control” would be an appropriate Aspect to add to the Standard and that the best course of action would be to: 

  1. Outline testing of key control (generally signing of messages or movement of assets for some or all of the private keys in scope) a matter of CCSSA judgment and add notes to the Auditor Guide that would allow a CCSSA to perform testing procedures that are tailored to the tested environment as well as their own risk tolerance and perception of audit risk. 
  2. In series, and after sufficient time for CCSSAs and the market to give feedback on Key Control testing, work to add Key Control as a formal Aspect in the Standard and provide notice to CCSSAs, management, and prospective CCSS Certified companies that the Aspect would be included and effective for audits after a certain date. 

 

Summary of Analysis 

 

Proof of Reserves

  1. While technical in nature, PoR is most commonly understood as a measure of financial assurance. This inherent need for the CCSSA to either measure outstanding liabilities or rely on evidence (potentially widely variant evidence) produced by another party or management itself that the system controls sufficient assets to meet customer liabilities. 
  2. Proof of Reserves attestations quickly become technical and could, in practice, expand the scope, timing, and cost of CCSS audits to prohibitive levels. 
  3. Most current CCSSAs, as cybersecurity and cryptocurrency experts, are likely not confident in testing the PoR Aspect or performing an independent PoR to test the Aspect. 
  4. Many CCSSAs may be concerned with potential liabilities created by signing off on the PoR Aspect when it is understood to mean that potentially millions of customer accounts are sufficiently reserved with billions of USD worth of crypto assets. 

 

Key Control 

  1. The working group narrowed in on Key Control as the more narrowly focused version on Proof of Reserves. Here again, Key Control is not about assets, but rather about whether control of the private key material can be exercised during the time of the audit. 
  2. The working group dug into what types of evidence would be sufficient to meet a prospective Key Control Aspect, if it was generally considered to mean that management would perform digital signatures and/or movement of assets to demonstrate that key material was usable. The group quickly realized that the “complexities” that arise in a proof of reserve attest engagement (where 100% of wallets are tested), would also arise in testing a Key Control Aspect.  Specifically, tested wallets can quickly reach thousands or hundreds of thousands in total, and tooling for the task is problematic. Auditors lack access to robust bulk signature verification tools and management would almost certainly have to write custom scripts for HSM, MPCs, and other systems in order to make bulk signing feasible.
  3. Together the large scope and lack of tooling would present impediments to adoption of the standard and to reasonable completion of audits for those companies that did take on the task. 
  4. Lastly, the group considered whether Key Control was even needed; whether the other Aspect and controls actually adequately covered the core considerations of Key Control. The group generally agreed that Key Control would not be a redundant Aspect but did present sufficient operational hurdles such that inclusion in the standard was impractical at this time.

 

CCSS Committee Decision

The CCSS committee was presented with the above information regarding the Working Group findings and during a committee call voted unanimously (1) to remove the PoR Aspect from the Standard; and (2) not add a replacement or supplement to the PoR Aspect at this current time. 

Date of CCSS update: May 22, 2023

The Committee acknowledges the importance of Proof of Reserve within the cryptocurrency ecosystem and suggested that a PoR working group reconvene in the future to continue to address this subject.

Note: the Committee will discuss and implement a formal change control cycle for the Standard.

CCSS Level 1 Training Course now available!