Jump Crypto (JC) released a research article on Dec. 21 that analyzed Proof of Solvency (PoS) vulnerabilities and how PoS works in theory, but failed in practice. .
of articlethe research-driven quantitative trading firm said:
“In order to prove the solvency mechanisms that prevent exchanges from misappropriating consumer deposits, consumers must verify that their deposits are on the exchange’s reported deposit list.”
As a mechanism used by exchanges to show customer deposit holdings, the report showed that the PoS mechanism is not always effective in practice.
“If exchanges can predict future verifications or be suspicious of failed verifications, they can successfully divert consumer funds.”
JC says that the “strong probability guarantees” that underpin PoS in theory are “very weak in practice.”
JC’s findings present three perspectives that reveal the reliability flaws of the PoS mechanism. they are:
- From a verifiability point of view: “Exchanges may not have control over the on-chain addresses they claim,” said JC.
- From a financial point of view: JC said PoS “is not a guarantee of actual corporate solvency as exchanges retain other assets and liabilities on their balance sheets.”
- From a technical point of view: JC says PoS is “not necessarily plug-and-play, and choosing the right approach can be tricky.”
JC acknowledged that the crypto community was already partially aware of these flaws, but suggested further consideration of exchanges’ suppression of failed PoS checks.
PoS check failure
JC proposed that it is essential for both exchanges and users. It is to consider the mechanisms by which users initiate checks and raise potential issues to restore the effectiveness of PoS.
“Exchanges are more likely to be able to predict which consumers will check, and exchanges are also likely to suppress a small number of failed checks. may weaken or weaken the
JC also suggested that users learn the arbitration mechanism for failed PoS checks.
“If a check fails, there is often no formal mechanism to escalate or verify it, requiring users to make it public on Twitter and other social channels.”
By promoting it on social media, JC said, “One voice, or a few voices, arguing on Twitter could easily be mistaken for FUD.”
JC also warned that malicious exchanges could “easily lean into this narrative”, directing public criticism at them, labeling them “engagement farmers” and promoting them to their user base. persuade them to ignore it.
JC mentioned five distinct changes that exchanges could implement to mitigate the discussed vulnerabilities, but flaws remain.
- Exchanges can help users verify their financial stability, but they may collect more user information and confuse users.
- Exchanges can offer rewards for finding false proofs, but this can lead to false positives and false accusations have no effect.
- Exchanges can automatically send trees or user-specific proofs to users. This can increase false positives and deter new users.
- Exchanges can generate evidence faster and more often, allowing exchanges to change evidence after investigation.
- Exchanges can use secret auditors, but this can reduce trust in the process.
JC concluded the research article by stating:
“This article is not intended to criticize exchanges that are rapidly building proof of solvency infrastructure. We expect it to mature over time.”