During an interview at the Indonesia Fintech Summit in November, Binance CEO Changpeng Zhao (CZ) told audiences that his cryptocurrency exchange wasn’t audited because firms were “running scared” of it, since Binance wasn’t regulated.
“We also want to educate regulators about the list of things they should look for (while conducting audit checks),” he added and listed a bunch of practices that he said constituted “real time reconciliation of assets.”
But his company’s latest Proof of Reserves (PoR) report, prepared by accounting consultancy Mazars’ office in South Africa, falls well short of both goals. It doesn’t educate on crypto exchange audit processes, nor does it provide a comprehensive reconciliation of assets and liabilities at Binance.
An “Agreed Upon” PoR Report
There are several problems with Binance’s Proof of Reserves report. Here are some of them.
First, the report is not an audit but an Agreed Upon Procedures (AUP) report.
In an AUP request, the standards and procedures used to examine and conduct an attestation are designed by the party being audited and not by the firm conducting the audit. This means the client decides the auditing processes and assets to be audited. An AUP differs from the more comprehensive and independent Generally Accepted Accounting Principles (GAAP) practice followed at most auditing firms.
Second, Binance’s proof of reserves report is susceptible to manipulation. It is a snapshot of the company’s holdings at a specific moment in time, in this case Nov. 22, 2022, verified on public blockchains. There are already allegations on Twitter that Binance simply moved a billion dollars from one of its wallets to a smart contract to inflate its balance and prove that it has the required reserves.
The procedures outlined to generate the report are hardly comprehensive. One step simply consists of asking management to prove their ownership of private keys by moving small balances between two addresses. There is also no independent verification of self-custodied addresses.
One of the steps calls for computation of a Merkle root hash so that customers can validate account balances and transactions. Mazars’ notes about that step end at computation of the hash, meaning there was no independent customer verification of balances. Thus, the firm simply confirmed the existence of data supplied by the exchange by asking it to move balances between wallets controlled by it. Customers of the exchange were not asked to independently confirm their balances or transactions using the hash generated.
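To make the gap concrete, the following added example (not code from Binance, Mazars or the report) builds a generic SHA-256 Merkle tree over a liability list and shows the customer-side inclusion check that the root computation alone does not perform. The leaf encoding, function names and sample records are assumptions constructed for illustration.

```python
import hashlib

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def leaf(account_id: str, balance: int) -> bytes:
    # Assumed leaf encoding; the 0x00/0x01 prefixes keep leaves and inner nodes distinct.
    return h(b"\x00" + f"{account_id}:{balance}".encode())

def node(left: bytes, right: bytes) -> bytes:
    return h(b"\x01" + left + right)

def build_levels(leaves):
    # Bottom-up list of levels; an unpaired node is promoted unchanged.
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([node(cur[i], cur[i + 1]) if i + 1 < len(cur) else cur[i]
                       for i in range(0, len(cur), 2)])
    return levels

def prove(levels, index):
    # Sibling hashes from leaf to root, each tagged with whether it sits on the left.
    path = []
    for level in levels[:-1]:
        sibling = index ^ 1
        if sibling < len(level):
            path.append((level[sibling], sibling < index))
        index //= 2
    return path

def verify(account_id, balance, path, root):
    # What a customer runs: recompute the root from their own record and the proof.
    acc = leaf(account_id, balance)
    for sibling, sibling_is_left in path:
        acc = node(sibling, acc) if sibling_is_left else node(acc, sibling)
    return acc == root

# Constructed sample liability records (account id, balance).
LIABILITIES = [("alice", 150), ("bob", 75), ("carol", 300), ("dave", 20), ("erin", 5)]

def published_root(records):
    return build_levels([leaf(a, b) for a, b in records])[-1][0]

def customer_check(records, position, claimed_id, claimed_balance):
    # The exchange builds the tree from `records`; the customer checks their own claim.
    levels = build_levels([leaf(a, b) for a, b in records])
    return verify(claimed_id, claimed_balance, prove(levels, position), levels[-1][0])
```

A root computed over a list that omits or understates an account is still a well-formed hash; only the affected customer's failed check reveals the discrepancy.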
Finally, the parameters for the customer liability report, which should list customer deposits, were prepared by the exchange itself. The assets in scope for that report include wrapped bitcoin tokens that have illiquid markets and zero utility.
They include BTCB – a crypto-backed stablecoin – and BBTC, also known as Baby Bitcoin. From the latter’s website: “It (the token) works as a utility and contracting currency of the ‘Powabit’ ecosystem.” Importantly, the report clearly states that it does not distinguish between native BTC, BTCB and BBTC: “…therefore, they will be assessed interchangeably for the purpose of this engagement.”
In simple words, this means that the report does not distinguish between bitcoin and “shitcoins” that have no utility or value whatsoever. It would not have been difficult for Binance to stuff wallets with the latter and inflate their Bitcoin balance.
There are many more problems with the rudimentary report, but it would be a waste of time to write or discuss them. The biggest takeaway from this report is that a public blockchain is no guarantee that companies will not fudge their balances. Clearly, we need proof about Binance’s attempt at transparency.
The FTX and Binance Connection
As must be clear by now, almost every entity is linked to another one in crypto’s small ecosystem. Genesis seems to have lent funds to almost every bankrupt crypto company. Digital Currency Group – a granddaddy of sorts in crypto – has funded most major companies, including Coinbase, in the ecosystem.
But the most toxic connection seems to have been between Binance and FTX. The former company invested in the crypto exchange and was rewarded with worthless FTT tokens that it then sold off to instigate a run on them and crash FTX.
I came across another connection between them yesterday. FTX’s venture capital arm (yes, they had one apparently) is an investor in stablecoin company Paxos, an outfit that partners with Binance to issue its stablecoin BUSD.
BUSD produces attestations for its reserves. In content and format, they are similar to the ones that Tether produced, meaning they are not comprehensive audits and are snapshots of reserves held for BUSD at a specific date and time.
Based on its October report, there is no capital cushion for BUSD and its reserves are mostly backed by US Treasury bills, overnight repurchase agreements, and a little cash. BUSD is an integral component of Binance’s operations and among the only parts of its business that are overseen by regulators.