Group items tagged

Circle's Chief Financial Officer explains the difference between stablecoin audits and attestations. An audit is an assurance engagement that verifies the accuracy of financial statements and is typically performed annually by a public accounting firm. The audit verifies the accuracy, completeness and composition of the reserve and tests the internal controls over financial reporting that ensure financial statement accuracy. In an attestation - the accounting firm "attests" to the accuracy of a set of statements. It is different from an audit (it makes little sense to test financial controls monthly, for example), but it provides the same standards of assurance over the statements.

"In this 2024 paper we propose, implement, and evaluate two extensions to OpenCBDC, an open-source transaction processor designed for central bank digital currency. First, we enable the central bank to audit the monetary supply. This feature reduces the trust required in sentinels - the most exposed components of this architecture - so that it can in principle be outsourced to intermediaries. Second, we leverage Pedersen commitments and zero-knowledge range proofs to hide transaction amounts while maintaining auditability. This feature improves privacy beyond the level offered by the original OpenCBDC design. Performance measurements show that auditability and privacy reduce the throughput of the shards to 30 % of the original, but the scalability remains close-to-linear in the number of shards. For example, 8 shards can process peak loads of ≈135,000 transactions per second. By adjusting resources, CBDC operators can meet their throughput goals with auditability and privacy."

Calibra published a paper on a novel distributed auditing proofs of liabilities (DAPOL) protocol designed to introduce additional optimization and enhanced privacy to existing distributed audit procedures. It allows entities to undergo a distributed audit of their liabilities and it works in any situation where an entity does not have a motivation to overstate its liabilities.

"Proof of reserves is all the rage on crypto platforms. The idea is that if the platform can prove to its customers' satisfaction that their deposits are fully matched by equivalent assets on the platform, their deposits are safe. And if the mechanism they use to prove this uses crypto technology, that's even better. Crypto tech solutions have surely got to be much more reliable than traditional financial accounts and audits - after all, FTX passed a U.S. GAAP audit. No, they aren't. Proof of reserves as done by exchanges like Binance does not prove that customer deposits are safe. It is smoke and mirrors to fool prospective punters into relinquishing their money, just like claims that exchanges and platforms are "audited" or have "insurance". There are no audits in the crypto world, there is no insurance, and as I shall explain, proof of reserves proves absolutely nothing." [Frances Coppola]

For now, PwC can audit eight tokens, including Bitcoin and Ethereum. Each cryptographic requires its own audit tool given the different blockchains they use, Weinberger said, one reason it took so long to design the technology.

"EY's audits of defunct payments group Wirecard suffered from serious shortcomings over a period of years, a German investigation has found. The Big Four firm is said to have failed to spot fraud risk indicators, did not fully implement professional guidelines and, on key questions, relied on verbal assurances from executives. A special investigator who scrutinised the EY audits came to a damning verdict about the quality of the work, according to people with first-hand knowledge of the report."

Yam Finance, the yield farming sensation which aggregated $600M in assets in less than 48 hours before being shut down, is set to see a second life. After $115,000 was donated for a security audit, Yam presented a two-phase rollout to transition the protocol transitions to a fully audited system. In the great DeFi migration, YAMv1 holders will migrate to YAM2 - a 1:1 match of YAMv1 with no rebases in place. YAM expands and contracts (or rebases) its supply twice a day to keep its $1 peg. Once the results of the audit have been implemented, YAM2 will undergo a migration to YAM3 - the final form of the protocol (for now) which incorporates all code updates and re-enables both rebases and community governance of Yam's treasury in Curve Finance's liquidity pool yCRV.

PwC has added a new tool to its Halo auditing suite to provide assurance services for entities engaging in cryptocurrency transactions. It will permit the firm to provide independent evidence of private-public key pairing (to establish crypto asset ownership), and gather information about transactions and balances from blockchains.

Coinmetrics digs into how they audit crypto-assets, what difficulties can be encountered during this exercise and what can be learned from it. It then attempts a ranking of assets along two different dimensions of auditability: node operation and ledger reconstruction.

The Association of International Certified Professional Accountants (AICPA) Digital Assets Working Group has developed a practice aid, which includes vital information for professionals on how to account for and audit digital assets. It is intended for those with a fundamental knowledge of blockchain technology, is based on existing professional literature and the experience of members of the Digital Assets Working Group and is specific to U.S. GAAP (for non-governmental entities) and GAAS.

The Association of International Certified Professional Accountants (AICPA) Digital Assets Working Group added 13 questions and answers to its Accounting for and Auditing of Digital Assets Practice Aid. The Aid includes vital information for professionals on how to account for and audit digital assets. It is intended for those with a fundamental knowledge of blockchain technology, is based on existing professional literature and the experience of members of the Digital Assets Working Group and is specific to U.S. GAAP (for non-governmental entities) and GAAS.

"This paper presents zkLedger, the first system to protect ledger participants' privacy and provide fast, provably correct auditing. Banks create digital asset transactions that are visible only to the organizations party to the transaction, but are publicly verifiable. An auditor sends queries to banks, for example "What is the outstanding amount of a certain digital asset on your balance sheet?" and gets a response and cryptographic assurance that the response is correct. zkLedger has two important benefits over previous work. First, zkLedger provides fast, rich auditing with a new proof scheme using Schnorr-type non-interactive zero-knowledge proofs. Unlike zk-SNARKs, our techniques do not require trusted setup and only rely on widely-used cryptographic assumptions. Second, zkLedger provides completeness; it uses a columnar ledger construction so that banks cannot hide transactions from the auditor, and participants can use rolling caches to produce and verify answers quickly. We implement a distributed version of zkLedger that can produce provably correct answers to auditor queries on a ledger with a hundred thousand transactions in less than 10 milliseconds."

In a move to lure more institutional money into the space, U.S. crypto exchange Coinbase just completed two major security audits for its custody solution.  Coinbase Custody, the exchange's custody subsidiary, recently underwent its SOC1 Type 2 and SOC2 Type 2  compliance certifications for the second half of 2019.

The ECB and BoJ suggest that a single trusted source, either an existing DLT component or a credible third party, could provide the necessary information to the auditor. But the introduction of such a model would also increase risks to the network. "While reliance on … [a single] source of information has obvious benefits for auditing from all three perspectives, it may become a single point of failure in the auditing arrangement," the authors say. If there was a single entity storing all transaction information, the central banks conclude, a potential security breach could result in a leak of the transactional details of all participants.

"The question remains as to why Tether management still refuses to provide more transparency. If indeed the company has nothing to hide, putting all questions to rest is astonishingly easy: move the money to a select pool of large well-known banks, and have the statements properly audited by a select pool of large well-known auditing firms. Commit to performing and documenting funds certification for example quarterly and that's it, you're done. If Tether wanted to go a step further it could also disclose the investment strategy (or lack thereof) it pursues with the cash under its responsibility. In my mind there can be only one reason why the firm doesn't follow those very simple steps."

EY failed for more than three years to request crucial account information from a Singapore bank where Wirecard claimed it had up to €1bn in cash - a routine audit procedure that could have uncovered the vast fraud at the German payments group. EY said that there were "clear indications that this was an elaborate and sophisticated fraud, involving multiple parties around the world in different institutions, with a deliberate aim of deception". The company argued that "even the most robust audit procedures may not uncover this kind of fraud".

"Binance indicated a full audit of its assets and liabilities is some way off amid calls for more transparency following the collapse of rival FTX. The company's goal is to hire an auditor for the whole balance sheet but big accountants are still learning about the crypto sector, which lacks agreed standards for challenges like price volatility, Binance's Asia-Pacific head Leon Foong said."

On November 8, 2022, Binance announced that it will soon start a Merkle tree-based Proof-of-Reserves audit system to provide full transparency. OKX also plans to follow suit, saying that they consider it to be an "important step" in establishing a "baseline trust" in the industry. A Proof-of-Reserve audit is typically conducted by an independent third party to ensure the custodian's assets are owned as claimed. Kraken implemented its "advanced cryptographic accounting procedure" to allow users to verify their token balances in February 2022.

The European Central Bank and the Bank of Japan have conducted a joint research effort on how to balance confidentiality and auditability in a distributed ledger technology (DLT) environment. This collaboration marks the fourth phase of a joint project called Stella, which started in December 2016 and aims at exploring DLTs through conceptual studies and practical experimentation.

The Wirecard debacle begs fundamental questions about regulation, audit and more. How can BaFin say the bank is fine and not check the balance sheet of the holding company? How would EY sign off accounts for years, without any checks and balances? And how come no one listened to the FT and, instead, took them to court? Another big issue is that the ecosystem model of Banking-as-a-Service could implode because of Wirecard. When you have a company within a company within a company dealing with financial service, and no one can point at which company actually has the money: that's a problem.