Cobo Global: Defects and Improvement Ideas of Merkle Tree Reserve Proof
Author: Jiang Changhao, Co-founder and CTO of Cobo
With the collapse of FTX and the ensuing loss of trust in centralized institutions, CZ called on exchanges on Twitter to adopt the Merkle Tree reserve proof method to demonstrate that they have not misappropriated user assets. Subsequently, several exchanges began to respond and actively prepare reserve proofs to assure customers that their funds are safe. However, the Merkle Tree reserve proof method has some fundamental flaws. Specifically, centralized institutions can easily bypass the non-misappropriation checks that this reserve proof method aims to achieve through various means.
In the following text, I will outline two fundamental flaws of the existing Merkle Tree reserve proof method and propose some ideas for improvement.
How Existing Reserve Proof Methods Work
To alleviate the information asymmetry between users and centralized institutions, existing reserve proofs typically use traditional auditing methods, where a trusted third-party auditing firm issues an audit report to verify that the amount of assets held on-chain by the centralized institution (reserve proof) matches the total balance of user assets (liability proof).
For the liability proof, the centralized institution generates a Merkle Tree containing user account information and asset balances. The Merkle Tree is, in effect, an anonymized and tamper-evident snapshot of user account balances: only hashes are published, and any change to a balance changes the root. Each user can independently recompute the hash of their own account and check whether it is included in the Merkle Tree.
For the reserve proof, the centralized institution needs to disclose its on-chain addresses so that they can be verified and audited. A common practice is to require the centralized institution to produce a digital signature with each address's key to prove ownership of that address.
Once the snapshot of the Merkle Tree and the confirmation of on-chain address ownership are completed, the auditing agency verifies the total asset amounts on both the liability and reserve sides to determine whether the centralized institution has misappropriated user funds.
Flaws in Existing Reserve Proof Methods
1. Possibility of Using Borrowed Funds to Pass Audits
One issue with the reserve proof method is that audits are based on a specific point in time and are typically conducted every few months or even years. This means that a centralized exchange can still misappropriate user funds between audits and, when an audit arrives, easily fill the gap with borrowed funds.
2. Possibility of Collusion with External Funders to Pass Audits
Providing relevant digital signatures does not equate to ownership of the assets on the corresponding addresses. Centralized institutions can collude with external funders to provide proof of on-chain assets. External funders can even use the same funds to provide asset proof for multiple institutions simultaneously. Current auditing methods find it difficult to identify such fraudulent activities.
Some Ideas for Improving Proof Methods
An ideal reserve proof system should provide auditors and end-users with the ability to conduct real-time checks on liabilities and reserves. However, this would also come with high costs and/or the risk of leaking user account information. With sufficient data, third-party auditing firms could even infer users' position information based on anonymized data.
To prevent the possibility of reserve proofs being fabricated during audits without compromising user information, I propose the following two main ideas:
1. Randomized Spot Audits
Conducting random audits at unpredictable intervals would make it difficult for centralized institutions to manipulate account balances and on-chain assets. This method could also deter misconduct through the fear of being randomly audited.
How to Implement: Audit requests can be sent to centralized institutions at random times by trusted third-party auditing firms. Upon receiving a request, the centralized institution must generate a Merkle Tree of user account balances (liability proof) tied to a specific point in time, identified by block height.
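As an added illustration of the liability-proof snapshot described earlier and of the block-height-tagged tree a random audit would request (example code written for this discussion, not Cobo's own implementation), the block below builds a salted Merkle Tree over constructed sample balances, tags the snapshot with a block height, and lets a user check that their own balance is included under the published root. The function names, the sample users and the master secret are assumptions.

```python
import hashlib
import hmac
import json

# Constructed sample snapshot (hypothetical users and balances, not real data).
SAMPLE_BALANCES = {"user-001": {"BTC": "0.5", "ETH": "12.0"},
                   "user-002": {"BTC": "1.25", "ETH": "0.0"},
                   "user-003": {"BTC": "0.0", "ETH": "40.5"}}
MASTER_SECRET = b"constructed-demo-secret"  # in practice a key held only by the institution

def leaf_hash(user_id, balances, salt):
    # Salted leaf (0x00 = leaf domain tag): only the user who is told the salt can link it to an account.
    payload = json.dumps({"user": user_id, "balances": balances}, sort_keys=True).encode()
    return hashlib.sha256(b"\x00" + salt + payload).digest()

def build_tree(leaves):
    # Returns all levels, leaves first (0x01 = inner-node tag); an unpaired node is carried up as is.
    levels = [leaves]
    while len(levels[-1]) > 1:
        cur, nxt = levels[-1], []
        for i in range(0, len(cur), 2):
            nxt.append(hashlib.sha256(b"\x01" + cur[i] + cur[i + 1]).digest() if i + 1 < len(cur) else cur[i])
        levels.append(nxt)
    return levels

def inclusion_proof(levels, index):
    proof = []  # list of (sibling hash, sibling is on the left)
    for level in levels[:-1]:
        sibling = index ^ 1
        if sibling < len(level):
            proof.append((level[sibling], sibling < index))
        index //= 2
    return proof

def verify_inclusion(leaf, proof, root):
    node = leaf
    for sibling, sibling_is_left in proof:
        node = hashlib.sha256(b"\x01" + (sibling + node if sibling_is_left else node + sibling)).digest()
    return node == root

def snapshot(block_height, balances):
    # Liability snapshot tied to a block height; per-user salts are derived from MASTER_SECRET
    # so the institution can re-issue any user's salt on request without storing them all.
    user_ids = sorted(balances)
    salts = {u: hmac.new(MASTER_SECRET, f"{block_height}:{u}".encode(), hashlib.sha256).digest() for u in user_ids}
    levels = build_tree([leaf_hash(u, balances[u], salts[u]) for u in user_ids])
    return {"block_height": block_height, "root": levels[-1][0].hex(), "levels": levels,
            "user_ids": user_ids, "salts": salts}

def user_verifies(root_hex, user_id, own_balances, salt, proof):
    # The user recomputes the leaf from the balance they believe they hold and walks the sibling path.
    return verify_inclusion(leaf_hash(user_id, own_balances, salt), proof, bytes.fromhex(root_hex))
```

A valid inclusion proof tells the user only that their balance is in the snapshot; it says nothing about whether the reserve side is genuinely owned rather than borrowed, which is exactly the gap the flaws above describe.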
2. Accelerating Reserve Proofs with MPC-TSS Solutions
During random audits, centralized institutions need to provide reserve proofs within a very short time frame. This poses a significant challenge for centralized institutions (such as exchanges) that manage a large number of on-chain addresses for users. Even if a centralized institution keeps most of its assets in a few fixed addresses (such as hot wallets or cold wallets), the total amount of funds spread across its many other on-chain addresses remains substantial. Consolidating funds from all these addresses into a few public addresses during the audit is a very time-consuming task. Such delays also leave an institution that has misappropriated funds enough room to seek borrowing or financial assistance to fill the gap.
Is it possible for centralized institutions to prove reserves directly at the addresses where they truly hold assets, without consolidating on-chain assets into a few addresses? One possible approach is to utilize MPC threshold signature scheme (MPC-TSS) technology.
In brief, MPC-TSS is an advanced cryptographic technique that splits a private key into two or more private key shares, which are held in encrypted form by multiple parties. The holders of these private key shares can collaboratively sign transactions without ever exchanging or merging their respective shares. This MPC-TSS custody technology is also a product recently launched by Cobo.
Under this solution, a third-party auditing agency (which can be a law firm, auditing firm, custodian, trustee, or even a regulator itself) holds one private key share, while the centralized institution holds the remaining private key shares. As long as the "threshold" is set to a number greater than one, the auditor's single share cannot sign on its own, so all assets remain under the control of the centralized institution. It should also be noted that, to allow centralized institutions to generate a large number of addresses co-managed by auditors, the MPC-TSS co-management scheme needs to support BIP32 hierarchical key derivation. By holding one private key share, the auditing agency can determine the centralized institution's set of on-chain addresses and calculate the scale of its assets at the specified block height.
Acknowledgments
Thanks to Cobo colleagues including Discus Fish, Lily King, Jeanette, Tavia, Linfeng, and Ellaine for all the valuable discussions and constructive suggestions during the writing of this article.
If you are interested in Cobo MPC WaaS (a self-managed/co-managed solution based on multi-party secure computing threshold signature technology), please feel free to contact our customer success department. We are very happy to discuss solutions for Web3 asset custody and security layout in DeFi with you.
Contact Cobo
Cobo is a leading global digital asset custody and blockchain technology provider headquartered in Singapore. As an innovation-driven technology company, Cobo focuses on building scalable infrastructure to promote the development of the Web 3.0 space.
Since its establishment in 2017, Cobo has been committed to creating a professional, one-stop secure digital financial technology service platform, serving over 500 global institutional clients (including well-known family offices, listed companies, top hedge funds, exchanges, etc.), earning their continued trust. Currently, Cobo's product services include: Cobo MPC WaaS (a co-management solution based on multi-party secure computing threshold signature technology), Cobo Argus (a multi-signature solution for teams conducting DeFi on-chain smart contracts), and Cobo Custody (a centralized secure custody solution). Additionally, Cobo has launched WaaS (Wallet Service) and NaaS (NFT Custody Service) for specific institutions and sectors to meet the comprehensive asset custody needs of institutions.
In terms of compliance, Cobo has obtained SOC 2 Type I certification, a principle approval letter from the Dubai Virtual Assets Regulatory Authority (VARA), and holds licenses in the United States, Hong Kong, and Lithuania.