Abstract
Since the Mt. Gox Bitcoin exchange collapse in 2014, a number of custodial cryptocurrency wallets offer a form of financial solvency proofs to bolster their users’ confidence. We identified that despite recent academic works that highlight potential security and privacy vulnerabilities in popular auditability protocols, a number of high-profile exchanges implement these proofs incorrectly, thus defeating their initial purpose. In this paper we provide an overview of broken liability proof systems used in production today and suggest fixes, in the hope of closing the gap between theory and practice. Surprisingly, many of these exploitable attacks are due to a) weak cryptographic operations, for instance SHA1 hashing or hash-output truncation to 8 bytes, b) lack of data binding, such as wrong Merkle tree inputs and misuse of public bulletin boards, and c) lack of user-ID uniqueness guarantees.
Kostantinos Chalkias did part of this work while at Meta.
Panagiotis Chatzigiannis did part of this work during his PhD studies at George Mason University.
Notes
1. In certain cases, partial solvency might be sufficient; however, for the purposes of our paper these cases are equivalent.
2. Note that Coinbase.com exchange is different from Coinbase wallet: Coinbase.com is an OC exchange, while Coinbase wallet is a PNC wallet, similar to Metamask. This subtle distinction [6] has caused confusion in the past with people losing their keys in the Wallet (and therefore their funds as well).
References
1. Audit: learn about kraken’s audit process. https://www.kraken.com/proof-of-reserves-audit
2. Bhex 100% proof of reserve. https://medium.com/iconominet/proof-of-solvency-technical-overview-d1d0e8a8a0b8
3. Binance exchange. https://www.binance.com/
4. Bitcoin audits. https://web.archive.org/web/20210706073111/https://coinfloor.co.uk/hodl/proof/#reports
5. Check your proof of reserves in 5 simple steps. https://blog.ledn.io/en/blog/proof-of-reserves/step-by-step
6. Coinbase blog. https://blog.coinbase.com/goodbye-toshi-hello-coinbase-wallet-the-easiest-and-most-secure-crypto-wallet-and-browser-4ba6e52e4913
7. Coinbase exchange. https://www.coinbase.com/
8. Conio wallet. https://www.conio.com/en/
9. Dapper account manager. https://www.meetdapper.com/
10. Digital wallets - variations and features. https://cryptoapis.io/blog/41-digital-wallets-variations-and-features
11. Electrum bitcoin wallet. https://electrum.org
12. Enron scandal. https://en.wikipedia.org/wiki/Enron_scandal
13. Mapping the universe of 460 million bitcoin addresses. https://blog.chainalysis.com/reports/bitcoin-addresses
14. Metamask - a crypto wallet & gateway to blockchain apps. https://metamask.io/
15. Nic’s PoR wall of fame. https://niccarter.info/proof-of-reserves/
16. Proof of liabilities implementation. https://github.com/olalonde/proof-of-liabilities
17. Proof of reserves. https://www.armaninollp.com/software/trustexplorer/proof-of-reserves/
18. Proof of solvency: technical overview. https://support.hbtc.co/hc/en-us/articles/360046287754-BHEX-100-Proof-of-Reserve
19. Tether’s bank says it invests customer funds in bitcoin. https://www.coindesk.com/tethers-bank-says-it-invests-customer-funds-in-bitcoin
20. Tool suite for generating and validating proofs of reserves (PoR) and liabilities (PoL). https://github.com/BitMEX/proof-of-reserves-liabilities
21. Your gateway to cryptocurrency. https://www.gate.io/
22. Zengo wallet. https://zengo.com/
23. Chamber of digital commerce: proof of reserves - establishing best practices to build trust in the digital assets industry (2021)
24. Bitfury: on blockchain auditability (2016)
25. Blackshear, S., et al.: Reactive key-loss protection in blockchains. Cryptology ePrint Archive, Report 2021/289 (2021). https://ia.cr/2021/289
26. Camacho, P.: Secure protocols for provable security. https://www.slideshare.net/philippecamacho/protocols-for-provable-solvency-38501620 (2014)
27. Chalkias, K., Lewi, K., Mohassel, P., Nikolaenko, V.: Practical privacy preserving proofs of solvency. Amsterdam ZKProof Community Event (2019)
28. Chalkias, K., Lewi, K., Mohassel, P., Nikolaenko, V.: Distributed auditing proofs of liabilities. Cryptology ePrint Archive, Report 2020/468 (2020). https://eprint.iacr.org/2020/468
29. Chatzigiannis, P., Baldimtsi, F., Chalkias, K.: SoK: Auditability and accountability in distributed payment systems. In: ACNS (2021)
30. Dagher, G.G., Bünz, B., Bonneau, J., Clark, J., Boneh, D.: Provisions: privacy-preserving proofs of solvency for bitcoin exchanges. In: CCS (2015)
31. Garman, C., Green, M., Miers, I.: Decentralized anonymous credentials. In: NDSS. Citeseer (2014)
32. Hu, K., Zhang, Z., Guo, K.: Breaking the binding: attacks on the Merkle approach to prove liabilities and its applications. Comput. Secur. 87, 10585 (2019)
33. Ji, Y., Chalkias, K.: Generalized proof of liabilities. In: CCS (2021)
34. McMillan, R.: The inside story of Mt. Gox, bitcoin’s $460 million disaster (2014). https://www.wired.com/2014/03/bitcoin-exchange/
35. Moore, T., Christin, N.: Beware the middleman: empirical analysis of bitcoin-exchange risk. In: FC (2013)
36. Wilcox, Z.: Proving your bitcoin reserves. https://bitcointalk.org/index.php?topic=595180.0
Copyright information
© 2023 International Financial Cryptography Association
About this paper
Cite this paper
Chalkias, K., Chatzigiannis, P., Ji, Y. (2023). Broken Proofs of Solvency in Blockchain Custodial Wallets and Exchanges. In: Matsuo, S., et al. Financial Cryptography and Data Security. FC 2022 International Workshops. FC 2022. Lecture Notes in Computer Science, vol 13412. Springer, Cham. https://doi.org/10.1007/978-3-031-32415-4_9
DOI: https://doi.org/10.1007/978-3-031-32415-4_9
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-32414-7
Online ISBN: 978-3-031-32415-4
eBook Packages: Computer Science, Computer Science (R0)