Proof of Reserves Methodology
Release: Version 3.1
Document
| Field | Description |
|---|---|
| Name | Proof of Reserves Methodology |
| Creators | Hacken OU |
| Subject | Proof of Reserves; proof of ownership; proof of solvency |
| Description | A comprehensive audit methodology to verify and validate cryptocurrency reserve holdings, combining cryptographic verification, liability assessment, and ownership confirmation to ensure transparency, solvency, and trustworthiness of digital asset organizations. |
| Author | Joaquin Girardi, Lead PoR Auditor, Hacken OU |
| Date | Oct 15th, 2025 |
| Rights | Hacken OU |
Intro: Building Trust Through Proof of Reserves
Proof of Reserves Goals and Objectives
In the dynamic and evolving world of cryptocurrency, building trust is crucial for organizations operating within this space. Hacken recognizes the unique challenges faced by organizations in the crypto industry and has developed an innovative Proof of Reserves solution, specifically tailored to address these needs.
By implementing Hacken's Proof of Reserves service, organizations can provide verifiable evidence of their reserve holdings, reassuring customers and stakeholders that their assets are securely held and fully backed. This transparency is essential in establishing trust and differentiating organizations within the crypto industry.
At Hacken we are focused on verifying an organization's liabilities, such as customer deposits or outstanding loans, to ensure that the liabilities are accurately represented and can be met by the organization's assets.
The purpose of conducting a Proof of Reserves audit is to provide transparency and assurance to stakeholders that the organization is operating in a trustworthy and responsible manner. The main objectives of a Proof of Reserves audit include confirming the existence and authenticity of cryptocurrency holdings and verifying that the amount of cryptocurrency held matches the amount claimed by the organization.
Trust Reinforcing: Proof of Liabilities
Confidential and Private Approach
At Hacken, we are committed to providing transparent and honest procedures as part of our Proof of Reserves audit methodology. We also prioritize the confidentiality and privacy of our valued customers' users.
Proof of Liabilities involves calculating all liabilities, which are the balances of in-scope assets held by your users, to form the Client Liability Report. As the Proof of Reserves auditor, we collect the minimum necessary data from users of your service to ensure their privacy is safeguarded. This may include a pair of public address/balance or UID/public address/balance, depending on the specific requirements.
Client Liability Report
When generating the Client Liability Report, Hacken takes great care to verify the accuracy of the information received. We follow a rigorous procedure to ensure the utmost precision. Here's an overview of the steps we take:
- Inspection of Tables and Scripts: We meticulously inspect the table and script structures used by our customers to extract user IDs and balance data from their underlying databases. This scrutiny ensures that the logic and parameters are designed to pull a complete and accurate listing of client liabilities, encompassing all in-scope assets.
- Observing Client Access: We closely observe client access to the production replica database, which is used to generate the Client Liability Report. By monitoring the execution of the aforementioned scripts, we validate the total balance of in-scope client liabilities and cross-verify the total number of records obtained from these scripts.
- Extraction of the Client Liability Report: We oversee the generation of the Client Liability Report from the production replica database, focusing on the report's output fields. We reconcile the total balance of in-scope client liabilities and the total number of records observed in the report extract, ensuring consistency with the figures obtained from the previous steps.
Hacken Merkle Tree & Verifier Tool
In addition to Proof of Liabilities, Hacken may also, upon request, perform crucial procedures for the subsequent aggregation of the Client Liability Report data within the Proof of Reserves. Here's a summary of those procedures:
- Utilizing the Merkle Tree Library: We use the Merkle Tree library to aggregate the client data obtained from the Client Liability Report during the assessment. This allows us to determine the Merkle Root Hash, which further enhances the integrity and security of the verification process.
- Random Sampling and Cryptographic Testing: To validate the accuracy and validity of the Proof of Reserves (PoR) IDs, we randomly select a sample of 10 PoR User IDs. For each selected sample, we employ the Verifier Tool in the PoR project to cryptographically test whether the PoR IDs were successfully generated and included in the Merkle Tree. Additionally, we perform cryptographic testing on a sample 'dummy' account to ensure that only valid PoR Record IDs are included within the Merkle Tree.
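The aggregation and sampling procedure above, as an added Python example (this is not Hacken's Merkle Tree library or Verifier Tool). SHA-256, the leaf encoding, the 0x00/0x01 prefixes, the odd-node promotion rule and the report rows are all assumptions made for illustration.

```python
import hashlib
import random

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def leaf_hash(por_id: str, balance: str) -> bytes:
    # Assumed leaf encoding; the 0x00/0x01 prefixes keep leaves and inner nodes distinct.
    return _h(b"\x00" + f"{por_id}|{balance}".encode())

def node_hash(left: bytes, right: bytes) -> bytes:
    return _h(b"\x01" + left + right)

def build_levels(leaves):
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        nxt = [node_hash(cur[i], cur[i + 1]) for i in range(0, len(cur) - 1, 2)]
        if len(cur) % 2:
            nxt.append(cur[-1])  # odd node is promoted unchanged, not duplicated
        levels.append(nxt)
    return levels

def prove(levels, index):
    proof = []  # list of (sibling hash, sibling sits on the left)
    for level in levels[:-1]:
        sibling = index ^ 1
        if sibling < len(level):
            proof.append((level[sibling], sibling < index))
        index //= 2
    return proof

def verify(root, por_id, balance, proof):
    acc = leaf_hash(por_id, balance)
    for sibling, sibling_is_left in proof:
        acc = node_hash(sibling, acc) if sibling_is_left else node_hash(acc, sibling)
    return acc == root

# Constructed Client Liability Report rows: (PoR ID, balance as a decimal string).
REPORT = [(f"por-{i:04d}", f"{i * 1.25:.8f}") for i in range(1, 14)]
LEVELS = build_levels([leaf_hash(p, b) for p, b in REPORT])
ROOT = LEVELS[-1][0]

def run_sample_test(sample_size=10, seed=0):
    picks = random.Random(seed).sample(range(len(REPORT)), sample_size)
    included = all(verify(ROOT, *REPORT[i], prove(LEVELS, i)) for i in picks)
    # Dummy account that is not in the report, tried against a genuine proof path.
    dummy_rejected = not verify(ROOT, "por-dummy", "1.00000000", prove(LEVELS, picks[0]))
    return included, dummy_rejected
```

Because the balance is part of the leaf, a record whose balance was altered after the root was published fails the same check as the dummy account.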
With our meticulous Proof of Liabilities and subsequent aggregation procedures, Hacken ensures that the Proof of Reserves audit is conducted with the utmost accuracy, privacy, and transparency. Our commitment to these principles allows us to instill confidence in our customers and provide them with reliable and trustworthy auditing services.
Unparalleled Transparency: Proof of Ownership
Proof of Ownership Value
In the world of Proof of Reserves, it's not enough to simply obtain and publish the funds reserved by an organization or disclose its liabilities. It's about conducting thorough analysis, making comparisons, and delivering transparent results that showcase the reliability of the service to its users. At Hacken, we firmly believe that before calculating the assets held in your crypto exchange reserves, it's essential to establish ownership of those reserves. As a trusted third-party Proof of Reserves Assessor, we ensure that the audit leaves no blind spots.
Establishing Ownership and Trust
With the evolving blockchain ecosystem, asset ownership verification is not limited to traditional addresses. Smart contracts and off-chain solutions have expanded the horizons and methods for verification. At Hacken, we stay abreast of these advancements and offer a wider range of tools and techniques to ensure asset ownership across different contexts. Here's how we verify ownership:
- Single Signature Addresses: For each of the "single signature" addresses received, we execute one of the following methods:
  a. On-Chain Verification
     i. "Send-to-Self" Transaction: As an alternative method, we provide the client with a specific amount of cryptocurrency to execute a "send-to-self" transaction. The client shares the corresponding transaction hash with us, and we inspect the transaction details on the blockchain. By matching the amount, timestamp, and "sending" address with the specific parameters communicated, we can confirm the ownership of the address.
  b. Off-Chain Verification
     i. Signed Messages: A user can sign a message using their private key. This signed message can be verified by anyone with the public address of the signer, ensuring the user has control over the address without necessitating any transactions. For example:

     ```javascript
     const { Web3 } = require("web3"); // web3.js 4.x
     const web3 = new Web3();
     const message = "I own this address";
     const { signature } = web3.eth.accounts.sign(message, privateKey); // privateKey stays with the signer
     ```

     To verify:

     ```javascript
     // Ownership is confirmed when recoveredAddress equals the claimed address
     const recoveredAddress = web3.eth.accounts.recover(message, signature);
     ```
- Multi-Signature Addresses: In more complex scenarios involving shared ownership, multisignature wallets or contracts can be employed. In such instances, validating ownership will also involve ensuring the requisite number of signatures have been gathered to authorize operations on the staked assets.
If the question arises whether off-chain solutions remain operative when assets are staked, the answer is a resounding "yes." Signed messages can still serve to affirm ownership of an address, irrespective of whether assets are staked. The principle behind signed messages is to demonstrate control over a private key, which by implication verifies ownership of any assets associated with the corresponding blockchain address. This remains true whether those assets are liquid, staked in a contract, or otherwise engaged on-chain.
By meticulously verifying ownership through these methods, Hacken ensures the trustworthiness and credibility of the Proof of Reserves audit. We leave no stone unturned to provide you with comprehensive assurance and transparency regarding the ownership of your reserve assets. Partner with us and build trust among your users with our reliable Proof of Ownership methodology.
Ensuring Stability: Proof of Reserves Assessment
In the final stage of our Proof of Reserve Audit methodology, the Ensuring Stability: Proof of Reserves Assessment, we provide you with a comprehensive analysis that guarantees the stability of your reserves. Through meticulous procedures, we assess the financial strength of your organization, enabling you to build trust and confidence among your users:
- Querying In-Kind Assets: Our expert team conducts a thorough examination of all in-kind spot and staked asset addresses or keys that fall within the assessment scope. We ensure that these assets are under your control, giving you a clear picture of the assets held by your organization.
- Comparing Liabilities and In-Kind Assets: We meticulously compare the total liabilities derived from the Client Liability Report, extracted directly from your production database, with the total assets controlled by your custodied addresses. Known as "In-Kind Assets," these represent the reserves held by your organization. By employing the In-Kind Asset-to-Client Liability mapping provided by you, we calculate the collateralization ratio.
To ensure an accurate and consistent comparison of all assets and liabilities, Hacken first assesses 1:1 solvency by matching assets directly against liabilities. If a strict 1:1 balance is not achieved, Hacken then applies an approach based on a standard currency, such as the US dollar, to aggregate and compare different types of assets and liabilities in terms of their fiat value.
- Precision in Calculations: Hacken is committed to ensuring the utmost precision in its calculations. Each asset and liability is processed using the maximum possible number of decimals, ensuring that each value accurately reflects its true magnitude and detail.
- Data Sources and Prices: Hacken utilizes APIs from industry-leading platforms such as Binance, Kraken, CoinGecko, CoinMarketCap, and KuCoin to obtain up-to-date and accurate prices.
- Average Price Calculation: Once prices are obtained from these sources, Hacken calculates the average price. This average is derived by summing the prices from all sources and dividing them by the total number of sources.
- Handling Anomalous Values: To ensure that extreme or anomalous values do not distort the average price, Hacken implements the statistical method of the Median Absolute Deviation (MAD). This method identifies and excludes values that significantly deviate from the median value, ensuring that the average price accurately and reliably reflects the market value.
- Calculating Collateral Ratios: As part of our commitment to providing you with a comprehensive assessment, we calculate the collateral ratio for each individual asset. These ratios give you valuable insights into the level of collateral backing your liabilities. Our detailed report includes the collateral ratios for each asset, ensuring transparency and allowing you to make informed decisions regarding your reserve management.
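The price and ratio steps above, carried through in an added Python example (not Hacken's tooling). The cut-off of 3 x MAD, the 50-digit precision, and every quote and balance are assumptions constructed for illustration.

```python
from decimal import Decimal, getcontext
from statistics import median

getcontext().prec = 50  # keep more digits than any asset's native decimals
D = Decimal

def mad_filtered_average(quotes, k=D(3)):
    """Mean of the quotes within k*MAD of the median (k is an assumed cut-off)."""
    med = median(quotes)
    mad = median(abs(q - med) for q in quotes)
    # When MAD is 0 most sources agree exactly, so only those quotes are kept.
    kept = [q for q in quotes if abs(q - med) <= k * mad]
    return sum(kept) / len(kept), kept

def assess(assets, liabilities, quotes):
    """Per-asset collateral ratios, plus the USD-aggregated ratio if 1:1 fails."""
    ratios = {s: assets.get(s, D(0)) / owed for s, owed in liabilities.items() if owed}
    if all(r >= 1 for r in ratios.values()):
        return ratios, None  # strict 1:1 solvency holds for every asset
    prices = {s: mad_filtered_average(q)[0] for s, q in quotes.items()}
    usd = lambda book: sum(qty * prices[s] for s, qty in book.items())
    return ratios, usd(assets) / usd(liabilities)

# Constructed quotes, one per price source; the last BTC quote is a deliberate anomaly.
QUOTES = {
    "BTC": [D("60000.10"), D("60001.20"), D("59999.80"), D("60000.50"), D("66000.00")],
    "USDT": [D("1.0000"), D("1.0002"), D("0.9998"), D("1.0001"), D("0.9999")],
}
ASSETS = {"BTC": D("105.5"), "USDT": D("900000")}
LIABILITIES = {"BTC": D("100"), "USDT": D("1000000")}
```

With these inputs the anomalous BTC quote is dropped before averaging, USDT is under-collateralized in kind, and the assessment falls back to the USD comparison.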
By conducting meticulous queries, comparisons, and calculations, we provide you and your users with a comprehensive analysis of your reserves' stability.
A one-time Proof of Reserves audit can be completed in 2-3 weeks.
Elevating Proof of Reserves: Real-time Proof of Reserves
Building Confidence
Hacken’s Proof of Reserves service provides point-in-time verification to strengthen transparency, trust, and security in the digital asset industry. This approach gives stakeholders an accurate snapshot of an organization’s reserves and liabilities at a specific moment. Our audits allow users to confirm the solvency of exchanges without compromising personal information, offering a reliable and secure way to validate financial health.
Hacken's Proof of Reserves Service
Hacken’s Proof of Reserves service provides organizations with a reliable way to demonstrate that their cryptocurrency holdings are fully backed and securely maintained. By verifying both assets and liabilities, such as customer deposits or outstanding loans, Hacken ensures that reserves are accurately represented and obligations can be met. This independent verification not only strengthens transparency but also builds trust with customers and stakeholders, helping organizations stand out in the competitive crypto industry.
Team Composition
| # | Team Member and Role | Components to review |
|---|---|---|
| 1 | Lead PoR Auditor | Audit Supervision, Interview conducting, Results and Recommendations |
| 2 | PoR Auditor | Development and maintenance of Hacken's Proof of Reserves and verification tools |
| 3 | Delivery Manager | Communication & Project Management |
Deliverables
The deliverable is the detailed Proof of Reserves audit report with audit findings and results.