If you haven't seen my previous post about Binance and its child company CoinMarketCap misleading users about PoR, a quick tl;dr: Binance, indirectly through CoinMarketCap, was misleading users about having provided PoR when, in fact, it had only publicly disclosed wallets in its control.
Soon after my original post, Binance "released" its "Proof of Reserves" system. Unfortunately, once again, Binance is misleading users about having produced full proof of its reserves.
As a quick disclaimer, Binance has not provided full Proof of Reserves. My post here is meant to show the efforts Binance is taking to portray itself as having done so when, in fact, it has not. This is not a post claiming that Binance doesn't have reserves to match user liabilities. There's no way to know because Binance has not provided sound proof.
What is Proof of Reserves (PoR)?
Let's first establish what PoR is. There isn't one standard definition for PoR, but there is a right and wrong way. Nic Carter, a blockchain expert, has covered this topic in-depth for several years, so I'll reference info from his website:
Proof of Reserves is the idea that custodial businesses holding cryptocurrency should create public facing attestations as to their reserves, matched up with a proof of user balances (liabilities). The equation is simple (in theory):
Proof of Reserves + Proof of Liability = Proof of Solvency
So what is the recommended way to conduct PoR?
Proving liabilities is tricky, and generally requires an auditor to engage in a full assessment. For instance, exchanges can omit certain liabilities to ‘cheat’ a PoR attestation. This is why I recommend both a user-facing PoR protocol, allowing users to obtain ‘herd immunity’ by collectively verifying their individual balances, and an auditor-facing PoR protocol, to prove that the claimed liabilities are faithful to reality.
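To make the two halves of that recommendation concrete, here is an added example (not code from this post, Nic Carter, Binance or Kraken) of a user-facing Merkle sum tree check. The tree layout, hashing scheme, function names and account data are all assumptions constructed for illustration.

```python
import hashlib

# Added illustration: a Merkle *sum* tree over (account id, balance) pairs.
# Account names and balances below are constructed sample data.

def _sha(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def leaf(user_id: str, balance: int):
    # Node = (hash, balance); the id is hashed so raw ids never enter the tree.
    return (_sha(b"\x00" + _sha(user_id.encode()) + balance.to_bytes(8, "big")), balance)

def parent(left, right):
    # A parent commits to both child hashes and both child sums.
    data = b"\x01" + left[0] + left[1].to_bytes(8, "big") + right[0] + right[1].to_bytes(8, "big")
    return (_sha(data), left[1] + right[1])

PAD = leaf("", 0)  # zero-balance filler for odd-sized levels

def build(accounts):
    level = [leaf(u, b) for u, b in accounts]
    levels = [level]
    while len(level) > 1:
        if len(level) % 2:
            level = level + [PAD]
            levels[-1] = level
        level = [parent(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels  # levels[-1][0] is the published root: (hash, total liabilities)

def prove(levels, index):
    # Sibling nodes from leaf to root, each flagged if it sits on the left.
    path = []
    for level in levels[:-1]:
        sibling = index ^ 1
        path.append((level[sibling], sibling < index))
        index //= 2
    return path

def verify(user_id, balance, path, root):
    node = leaf(user_id, balance)
    for sibling, sibling_is_left in path:
        if sibling[1] < 0:  # a negative sibling sum would shrink the total
            return False
        node = parent(sibling, node) if sibling_is_left else parent(node, sibling)
    return node == root

BOOK = [("alice", 50), ("bob", 30), ("carol", 20), ("dave", 100)]
honest = build(BOOK)
omitted = build(BOOK[:3])  # same book with dave's balance left out
```

Both roots pass every included user's check, yet the `omitted` root commits to total liabilities of 100 instead of 200. Only dave can detect the gap, and only if he checks, which is why the inclusion proof needs an auditor's confirmation that the liability set is complete.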
Binance "releases" its "Proof of Reserves" system
So, yesterday, Binance announced the launch of a feature that allows users to "verify" that their deposited cryptocurrency has been included in an "audit." The problem is that there has been no public disclosure of a third-party audit of Binance's liabilities to users as of writing this post.
Binance is misleading users. Again.
The announcement directs users to Binance's Proof of Reserves landing page. This is where the misleading info really comes to light.
In order to show that Binance has all user assets 1:1, we have built and implemented the Merkle tree (shown below) to allow people to verify their assets within the platform...
This way people will be able to confirm that their funds are held 1:1 and they can have it verified by a third-party audit agency...
We use these properties of Merkle Trees during our Proof of Reserves assessments to verify individual user accounts are included within the liabilities report inspected by the auditor...
The Record ID enables you to independently verify that your account balance was included by the third-party auditor...
Snippet from the UI example on Binance PoR landing page
Where is the liabilities report inspected by an auditor? Who is the auditor? We don't know because Binance hasn't done any of this yet. Binance has announced plans for third-party audited reserves but has yet to produce anything from an external auditor. So yes, they may very well do this at some point, but they haven't yet. So why are they portraying that they have?
Well, at least, all the way at the bottom, below all the instructions and info about the new feature:
Snippet from the Binance PoR landing page
As it stands
Binance has not produced the very form of PoR that it is branding in the new feature, meaning they haven't disclosed any report or data from a third-party auditor that would prove that the claimed liabilities are faithful to reality.
At least this time, not all media ate it up...
While I was writing this post, CoinTelegraph.com dropped this article covering Jesse Powell's (Kraken co-founder) criticisms of Binance and its misleading PoR branding. Jesse calling out Binance is not surprising, considering Binance is also misleading users about the origin of "its" PoR implementation (which it hasn't even implemented yet).
Snippet from the Binance PoR landing page
For context, Gate.io (in 2020) followed by Kraken (in 2021) were the original exchanges to implement a PoR model that Binance is now claiming to have "built". Also, Binance didn't build anything other than a UI for this already open-source PoR method. Moreover, before any third-party auditors were available or capable of doing such audits, Kraken was doing PoR all the way back in 2014 (minus the third-party audit, opting for an attestation from Stefan Thomas).
Final note
Something I hadn't highlighted in my last post is that even Nic Carter called out CoinMarketCap, and indirectly, Binance, for this user-misleading behavior.
Recently, some exchanges have begun to post informal attestations as to their reserves, for instance by sharing a list of cold wallet addresses. CoinMarketCap has even taken to calling summary data on exchange holdings (see e.g. Binance) ‘Proofs of Reserve’, even though these are issued without any proof of ownership. These attestations do not satisfy either side of the conventional PoR procedure: there is no cryptographic proof of assets held (merely disclosing an address is insufficient, as it could belong to anyone), and there is no accompanying proof of liabilities outstanding. To call this a ‘Proof of Reserve’ is a blatant misuse of the term. Users should demand the highest standard and should be extremely wary of exchanges using PoR in marketing collateral without committing to the rigorous version of the practice (see the caveats in the PoR wall of fame above).
Submitted November 26, 2022 at 12:37AM by Uglarknog https://ift.tt/1R8tXpO https://ift.tt/MxNkPBL