Nic’s Orb
0xE45e••bB35
#6

Can you comment on the latest Binance proof of reserves (https://www.binance.com/en/proof-of-reserves), and give an analysis on whether their methodology is sound? Can you also do the same for OKX (https://www.okx.com/proof-of-reserves) and Bybit (https://www.bybit.com/app/user/proof-of-reserve)? As a side note, I’m also interested in your opinion about this onchain analysis of exchange risk: https://www.youtube.com/watch?v=B2aWvbiwOTo. Motivated by the above and your own reasoning, can you provide your own analysis of exchange risk for Binance, OKX and Bybit? Please provide links to external resources as much as possible. To illustrate with concrete numbers, can you come up with a probability score from 0 to 100% of how likely each exchange is to keep all depositors’ funds over the next 4 years? Let’s define failure as the following: the exchange is found to be insolvent and depositors recover less than 90% of their deposits. So I’m asking about the probability of this not happening.

Nic's Response

Thank you for asking me a question where I am uniquely qualified (most likely top 10 worldwide) to answer. So last year I developed my PoR evaluation framework (see here: https://medium.com/@nic__carter/the-status-of-proof-of-reserve-as-of-year-end-2022-48120159377c). It evaluates PoRs on the basis of credibility. It consists of six criteria:

  • Cryptographic asset verification
  • Asset coverage
  • Frequent ongoing PoRs
  • User verification of liabilities
  • Liabilities credibly accounted for
  • Auditor oversight

These criteria cover the narrow PoR procedure. As I mention in this article (https://medium.com/@nic__carter/proof-of-reserves-for-policymakers-ae59c4b1f917), PoR doesn’t cover a lot of things, like segregated client and operating capital, the existence of any large superseding liabilities, the official bankruptcy remoteness of client deposits, and operating in a jurisdiction with strong property rights and a functional legal system. These are accounting, contractual, and legal concepts which cannot be satisfied by a technical procedure like PoR. So I will add another three prongs to the above analysis:

  • Bankruptcy remoteness
  • Segregated client and operating capital
  • Stable and functional regulatory domicile

Now running through the various PoRs, starting with Binance:

Binance PoR

  • Cryptographic asset verification: It’s not clear that Binance is signing these addresses. It looks like they are just publishing a list of addresses. 0/1
  • Asset coverage: their coverage is comprehensive. Well done 1/1
  • Frequent ongoing coverage: they are doing PoRs on a monthly basis, which gives them full marks. 1/1
  • User verification of liabilities: they are using the ZK method, having moved on from the merkle method. This means users can verify their inclusion in the liability set without leaking data. This is the state of the art, although it’s more black box-y. 1/1
  • Liabilities credibly accounted for: this means being clear about how they are accounting for things like loans against the business and margin accounts on exchange (which have to be treated with negative values for the PoR ordinarily). Binance is not clear about these. 0/1
  • Auditor oversight: The website claims ‘third party audit’ but there doesn’t appear to be an audit report, and certainly no Big 4 auditor would engage with them. It isn’t clear who they are using and it’s not easy to find any kind of audit report, whether from a CPA firm or a security company. 0/1
  • Bankruptcy remoteness: Binance is unclear about the treatment of client funds, most likely clients are unsecured (aka junior) creditors of the exchange. 0/1
  • Segregated client and operating capital: Binance is notoriously sketchy about this; there is no question they have commingled in the past and likely do today. 0/1
  • Stable and functional regulatory domiciles: it is unclear where they are regulated. 0/1

Overall, while Binance has come a long way since their early efforts at PoRs and should be lauded for that, they still score poorly on my rubric, getting a score of 3/9.

The main problems are the obvious lack of a regulatory jurisdiction, the apparent commingling of exchange and client funds, and the apparent lack of an audit. Some of these issues are easy to solve, like cryptographic attestations to the assets and being more clear about how they are dealing with different types of liabilities. Regarding the commingling, I will say that Binance does appear to have a meaningful amount of assets which are growing stably. You can see this on Nansen (https://portfolio.nansen.ai/dashboard/binance) or Cryptoquant (https://cryptoquant.com/asset/btc/chart/exchange-flows/exchange-reserve?exchange=binance&window=DAY&sma=0&ema=0&priceScale=log&metricScale=linear&chartStyle=line). In fact, they’re almost at an ATH in terms of their BTC reserves. So it’s far-fetched to think this is all operating capital and not client capital. The concern is simply that they may not be segregating the two in an accounting or custodial sense. The probability I give them of maintaining client funds on a 1:1 basis over the next 4 years is 70% (this is based on the strength of their balance sheet and likely ability to fill a possible hole; however, the level of regulatory scrutiny they are under is hampering their operations).

OKX PoR

I happen to know OKX leadership personally, so consider that a disclaimer. (Granted, I’ve also interacted with Rana at Binance who was on a panel I hosted, and I think highly of her).

  • Cryptographic asset verification: OKX signs all the wallets they control. 1/1
  • Asset coverage: comprehensive. 1/1
  • Frequent ongoing coverage: monthly. 1/1
  • User verification: they are using the ZK method, partly at my suggestion actually. Clear instructions for clients on how to verify. 1/1
  • Liabilities credibly accounted for: they are very clear about their “constraints” - namely that their assets are the sum of all user balances, balances cannot be negative (that’s one way to cheat a PoR), and that every user’s balance is included. This is clear and helpful. However, there’s still a certain amount of trust here, that would ideally be extinguished with a third party audit. So they get partial scores here. 0.5/1
  • Auditor oversight: Not present. 0/1
  • Bankruptcy remoteness: OKX has licenses in the Bahamas, HK (I recently confirmed with the regulator the quality of this license), Brazil, and Seychelles. I took a cursory read through the ToS and did not find language saying assets were bankruptcy remote, held in a trust for the ultimate benefit of users, senior in the case of liquidation, etc. I may be missing something important here, and I will actually clarify with OKX leadership to see what the situation is. Given my understanding of HK regs, their digital license there should be fairly sound with respect to user assets, but that may only apply to HK persons. I give them partial scores here and recommend they make this more explicit in their ToS. 0.5/1
  • Segregated client and operating capital: I assume they do this, but the ToS again isn’t clear on this front. 0/1
  • Stable and functional reg domiciles: Partial marks here. 0.5/1

OKX gets a 5.5/9. Very good marks. They can improve by clarifying their ToS with respect to bk remoteness and segregated client / operating capital. Obviously the other next step would be getting auditor coverage which would further improve their score, but naturally that’s extremely difficult as auditors are notoriously leery of the PoR space. The probability I give them of maintaining client funds over the next 4y is 90%. This is based on their credibility, my knowledge of leadership, their demonstrated commitment to transparency (they did a PoR in 2015!), and the overall quality of their PoR.

Bybit PoR

I previously gave Bybit a 4/6 on the PoR score (that’s the first six tests) (https://medium.com/@nic__carter/the-status-of-proof-of-reserve-as-of-year-end-2022-48120159377c). Let’s dive in.

  • Cryptographic asset verification: Bybit uses the send-to-self method. 1/1
  • Asset coverage: very comprehensive. 1/1
  • Frequent ongoing coverage: every two months. This is better than quarterly, so I give them full marks, although it could be better. 1/1
  • User verification: Bybit uses the merkle approach. This could be more private, but this is still an acceptable method. I recommend they consider ZK. 1/1
  • Liabilities credibly accounted for: Bybit is quite clear what the verification applies to. However without audit coverage it is hard to know how exactly they are treating margin accounts etc. 0.5/1
  • Auditor oversight: Not present. 0/1
  • Bankruptcy remoteness: There’s no clear language in the ToS about client deposits being senior or protected in bankruptcy or liquidation. Also, their legal domicile is unclear. They mention Singapore in their ToS but I don’t think they’re officially licensed there, although I could be wrong. 0/1
  • Segregated client and operating capital: ToS unclear on this front. 0/1
  • Stable and functional reg domiciles: Again, unclear. Mentions of BVI, Singapore, Dubai in the press. Work to do here. 0/1

Bybit gets a 4.5/9 on my expanded framework. They need to bring in an auditor and clarify client asset status and find a stable domicile for a license. I give them a 65% chance of maintaining client assets 1:1 over the next 48 months.

Lastly, on your question regarding exchange risk. I think the Glassnode tools mentioned are usefully indicative, including especially the metric measuring turnover relative to exchange-held supply. Rapid inflows or outflows are also indicative, although failures in tagging could add noise to this data (for instance if they rotate to an untagged address). Also, the rise of 3rd party custodians complicates this analysis, as exchange assets are held elsewhere. With the rise of Copper, ClearLoop, Hidden Road, and others, expect this to get murkier.
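The response above leans on two mechanisms without showing them: the Merkle approach to user verification of liabilities (the Bybit section) and the "balances cannot be negative" constraint (the OKX section, and the margin-account point in the Binance section). The following is an added, self-contained illustration of both, written for this page; it is not Nic's code and not any exchange's implementation. It builds a toy Merkle sum tree over constructed sample balances, lets a depositor verify inclusion against the published root (digest plus total liabilities), and then shows the cheat: a negative "shadow" leaf that shrinks the liability total. The user IDs, salts, balances and the hash layout are all assumptions made for the example.

```python
"""Merkle sum tree proof of liabilities (added illustration, not any exchange's code)."""
import hashlib
from dataclasses import dataclass
from typing import List, Tuple


def _h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def _enc(v: int) -> bytes:
    # Fixed-width signed encoding so a negative leaf is representable: that is the cheat shown below.
    return v.to_bytes(16, "big", signed=True)


@dataclass(frozen=True)
class Node:
    digest: bytes
    total: int


PAD = Node(_h(b"pad"), 0)  # zero-balance filler for odd-sized levels


def leaf(user_id: str, salt: bytes, balance: int) -> Node:
    # The user ID is blinded with a per-user salt that only that user receives.
    return Node(_h(b"leaf", user_id.encode(), salt, _enc(balance)), balance)


def parent(left: Node, right: Node) -> Node:
    # Both children's sums are hashed in, so a parent commits to the subtree totals, not just the digests.
    return Node(_h(b"node", left.digest, _enc(left.total), right.digest, _enc(right.total)),
                left.total + right.total)


def build_tree(leaves: List[Node]) -> List[List[Node]]:
    """levels[0] are the leaves, levels[-1] holds the single root node."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        lvl = levels[-1]
        if len(lvl) % 2:
            lvl.append(PAD)
        levels.append([parent(lvl[i], lvl[i + 1]) for i in range(0, len(lvl), 2)])
    return levels


def prove(levels: List[List[Node]], index: int) -> List[Tuple[Node, bool]]:
    """Inclusion proof for the leaf at `index`: per level, the sibling node and whether it sits to the left."""
    path = []
    for lvl in levels[:-1]:
        sib = index ^ 1
        path.append((lvl[sib], sib < index))
        index //= 2
    return path


def verify(root: Node, user_id: str, salt: bytes, balance: int, path) -> bool:
    """What a depositor runs against the published root (digest + total liabilities)."""
    if balance < 0:
        return False
    node = leaf(user_id, salt, balance)
    for sib, sib_is_left in path:
        if sib.total < 0:  # a negative sibling sum means liabilities are being netted out
            return False
        node = parent(sib, node) if sib_is_left else parent(node, sib)
    return node.digest == root.digest and node.total == root.total


def run_demo() -> dict:
    # Constructed sample balances in integer units; not real exchange data.
    users = [("alice", b"salt-a", 5_000_000), ("bob", b"salt-b", 1_250_000),
             ("carol", b"salt-c", 300), ("dave", b"salt-d", 42)]
    honest = build_tree([leaf(u, s, b) for u, s, b in users])
    honest_root = honest[-1][0]
    # Cheating tree: the exchange slips a -1,000,000 "shadow" leaf next to alice. The shadow/alice
    # subtree still sums to a positive number, so only alice's own proof exposes the negative leaf.
    shadow = leaf("shadow", b"salt-x", -1_000_000)
    cheat = build_tree([shadow] + [leaf(u, s, b) for u, s, b in users])
    cheat_root = cheat[-1][0]
    return {
        "honest_total": honest_root.total,
        "bob_honest_ok": verify(honest_root, "bob", b"salt-b", 1_250_000, prove(honest, 1)),
        "cheat_total": cheat_root.total,
        "bob_cheat_ok": verify(cheat_root, "bob", b"salt-b", 1_250_000, prove(cheat, 2)),
        "alice_cheat_ok": verify(cheat_root, "alice", b"salt-a", 5_000_000, prove(cheat, 1)),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, value)
```

The honest root commits to total liabilities of 6,250,342; the cheating root claims 5,250,342, so reserves of, say, 5,500,000 would look solvent against the cheat and insolvent against the truth. Bob's proof on the cheating tree still verifies, because every sibling sum on his path is positive; only Alice, whose direct sibling is the negative leaf, catches it. That is exactly why a Merkle PoR depends on many users actually verifying, and why the ZK variants the response prefers enforce the non-negativity of every leaf inside the proof rather than leaving it to whichever depositor happens to check.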