Appendix: Don't Trust, Verify—A Deep Dive into Proof of Reserves

Introduction

Proof of Reserves (PoR) has become a critical trust mechanism in cryptocurrency exchanges. This guide explores which exchanges implement verifiable PoR systems, analyzing their methodologies, strengths, and areas for improvement.

Verifiable Proof of Reserves: OKX and BitMEX Lead the Way

OKX: Transparent and Open-Source Verification

Key Features:

• Monthly Updates: Proofs are recomputed and published monthly.
• Multi-Asset Support: Includes BTC, ETH, USDT, and 20+ other cryptocurrencies.
• Open-Source Tools: Verification code available on GitHub.

How to Verify OKX’s Reserves

1. Reserves:

   • Download the 211MB CSV file from OKX’s PoR page.

   • Run the Go-based verifier:

     ./build/VerifyAddress --por_csv_filename okx_por_2024041301.csv

2. Liabilities:

   • Use the Python script zk_STARK_Validator.py to validate JSON proof files.

Limitations:

• Private keys sign a static message ("I am an OKX address"), which doesn’t prove current control.

👉 Learn how OKX ensures transparency

Recommendations:

• Sign time-stamped messages (e.g., blockhash) to prove active control.
• Improve CLI usability for liability verification.

BitMEX: Bitcoin-Focused but Robust

Key Features:

• Biweekly Updates: Proofs are generated every two weeks.
• BTC-Only: Currently supports only Bitcoin.
• Merkle Sum Proofs: Uses a modified Maxwell scheme for liabilities.

How to Verify BitMEX’s Reserves

1. Reserves:

   • Download YAML files from BitMEX’s PoR dashboard.
   • Validate via validate_reserves.py with a Bitcoin full node.

2. Liabilities:

   • Check inclusion in the Merkle tree using validate_liabilities.py.

Recommendations:

• Expand support to other cryptocurrencies.
• Enhance documentation for clarity.

Proof-of-Reserve Theater: Exchanges Falling Short

Kraken: Limited Verifiability

• Lack of Data: No full proof files or open-source code.
• User Interface: Only displays Merkle tree paths per account.
• Assets Supported: ADA, BTC, ETH, USDT, etc. (updated semi-annually).

Recommendations:

• Publish complete proof datasets.
• Release verification tools on GitHub.

👉 Why transparency matters in crypto exchanges

Deribit and Gate.io

• Deribit: No public code; relies on pseudocode explanations.
• Gate.io: Untested PoR system; GitHub repository available.

FAQs

Q: How often should exchanges update PoR?
A: For hot wallets, biweekly (like BitMEX). Cold wallets may require less frequent updates due to operational costs.

Q: Which exchanges truly support PoR?
A: OKX and BitMEX are verifiable. Kraken and Deribit lack transparency.

Q: What’s the biggest flaw in current PoR systems?
A: Static key signatures (OKX) and limited asset coverage (BitMEX).

Conclusion

While OKX and BitMEX set the standard with verifiable PoR, other exchanges must improve transparency. Users should prioritize platforms offering open-source tools and frequent audits.