btcx

Sr. Member



Offline



Activity: 302

Merit: 253









VIPSr. MemberActivity: 302Merit: 253 [ANN] Kraken Passes Cryptographically Verifiable Proof of Reserves Audit March 24, 2014, 08:01:29 AM

Last edit: March 24, 2014, 09:47:02 AM by btcx #1 https://www.kraken.com/security/audit



Big thanks to Stefan Thomas, CTO of Ripple Labs (founder of WeUseCoins.com, BitcoinJS, and Bitcointalk admin), for being our volunteer auditor.



Timing didn't work out for



-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1



=====BEGIN AUDIT REPORT=====



AUDITOR: Stefan Thomas

AUDITED ENTITY: Payward, Inc.,

ROOT HASH: 306daae528dc137c9053554c45e90a631ef859490a3ede651d488135602500a3

BLOCK HEIGHT: 289859

RESULT: >100% reserves





March 22, 2014

San Francisco



This post is to report on an audit I performed for the Kraken Bitcoin exchange on March 11th, 2014 and March 22nd, 2014 at their offices here in San Francisco. I've not received any payment for this audit - my personal goal with this is to help improve the stability of and confidence in the math-based currency industry overall.





Statement

=========



The audit process is designed to allow the auditor - in this case me, Stefan Thomas - to verify that the total amount of bitcoins held by Kraken matches the amount required to cover an anonymized set of customer balances. I am attesting to is the root hash of a merkle tree containing all balances that were considered in the audit. If you are a customer of Kraken, you'll be able to verify using open-source tools that your balance at the time of the audit is part of this root hash. If it is and if you believe that I am trustworthy, then you can be confident that your balance was covered by 100% reserves at the time of the audit.



Compared to audits performed by other exchanges, this approach is very strict while still maintaining absolute privacy for customers. The most difficult part of an audit is normally to verify that the exchange is not under-reporting the number and balances of account holders. With this approach each account holder can verify that they were considered in the audit.



Trust in this type of audit still requires trust in the auditor. For now, this will rest on my shoulders, but Kraken have expressed interest in doing regular audits with different auditors each time. This serves to renew the audit and also to increase the confidence in the audit process and the validity of the result.





Claims

======



Claim 1: Kraken controls a certain amount of Bitcoins.



Proof: Kraken provided a JSON file with a list of their Bitcoin addresses and balances. I used the `cryptoshi audit` command in libcoin to verify the JSON file against a copy of the block chain.



The version of libcoin used was commit f8c66accf2af88c039bd7c6678da7a338b8befa0.



Here is the audit code used:



https://github.com/libcoin/libcoin/blob/f8c66accf2af88c039bd7c6678da7a338b8befa0/applications/cryptoshi/cryptoshi.cpp#L637-691





Claim 2: The amount from claim 1 is greater than the amount contained in the root hash of balances.



Proof: Kraken provided a binary file containing a set of user balances. This binary file can read and manipulated using the tool "krakendb".



The version of krakendb used was commit 78d3504a7d68256a9a664125fa86a224c479ad42



Available at:



To calculate the sum of all balances in the tree as well as a merkle tree of all balances, I used the "krakendb root" command. The root hash was:



306daae528dc137c9053554c45e90a631ef859490a3ede651d488135602500a3



The actual holdings were very slightly (< 0.5%) above the required holdings, meaning Kraken had greater than 100% reserves at the audit block height.



// Stefan Thomas



=====END AUDIT REPORT=====



-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1.4.14 (GNU/Linux)



iQIcBAEBAgAGBQJTLkKtAAoJEMlHNwCksIvzZkkP/04wdVeyYd8kKMJWKl1nP1OG

6PD1C01NdOTvsyrRUd9/h2mRc4xmH+IC5WwjhrTStOiiUIKarGb/MlHC5JsMXbQm

+NtxL8+Kbjk0DITCbydEur9udKIWi/CG/ja4aMT1jfOoMqtCNcRLl/4BjsOKUNXS

GZBP0rZTE1yqqlN/rAulQvqeoytWx6LMl9F2qoJ+EZflIRsykJPt8kXNZJudK3nR

yfNzvqa4gHoD07uIxPzTuQJXX4trGXW9K1mXsNJxqIjbR+seEANJMAS4G367Q7D8

quyhAXH8HEEk+isXHa9YXWAe1wgzV9TCYf5yoM+Ki3iWN+CcqSNAGvRAs11Vwjyt

BplgUeN+yyRLvw4cfhvn7cyBmrDBMsKo9sG5yS+Ql6HC7M4+PXp8UaR+DySgttVS

khRuSyiTssmDr/poUwx4R3jj9sn9QoUXMQTHgY56x0YO2TDHlaW/aA2uE6gSABXG

VPIoCKoukjy+W4Q4FSnpYpAQtmWRnsm63DlsMLDZvVg/45uu3/7AmKxtkvkAwwFA

vMZCIhK+VzEZT59A59JO5w/DMglsEZDXXOPV3/G0bR5+P8bpnH2W9BKOIeXtxFGn

360FF9TP2mMfQUCaqa9piLpNokGs8Nl8fb5S9+lxHkqPgw0ZikbmyLcf1h7bXx4W

ssacpTH1s0f5fAiIR5Uo

=zu+r

-----END PGP SIGNATURE----- Timing didn't work out for Stefan to post this himself but he will confirm as soon as he is available:-----BEGIN PGP SIGNED MESSAGE-----Hash: SHA1=====BEGIN AUDIT REPORT=====AUDITOR: Stefan ThomasAUDITED ENTITY: Payward, Inc., https://www.kraken.com ROOT HASH: 306daae528dc137c9053554c45e90a631ef859490a3ede651d488135602500a3BLOCK HEIGHT: 289859RESULT: >100% reservesMarch 22, 2014San FranciscoThis post is to report on an audit I performed for the Kraken Bitcoin exchange on March 11th, 2014 and March 22nd, 2014 at their offices here in San Francisco. I've not received any payment for this audit - my personal goal with this is to help improve the stability of and confidence in the math-based currency industry overall.Statement=========The audit process is designed to allow the auditor - in this case me, Stefan Thomas - to verify that the total amount of bitcoins held by Kraken matches the amount required to cover an anonymized set of customer balances. I am attesting to is the root hash of a merkle tree containing all balances that were considered in the audit. If you are a customer of Kraken, you'll be able to verify using open-source tools that your balance at the time of the audit is part of this root hash. If it is and if you believe that I am trustworthy, then you can be confident that your balance was covered by 100% reserves at the time of the audit.Compared to audits performed by other exchanges, this approach is very strict while still maintaining absolute privacy for customers. The most difficult part of an audit is normally to verify that the exchange is not under-reporting the number and balances of account holders. With this approach each account holder can verify that they were considered in the audit.Trust in this type of audit still requires trust in the auditor. For now, this will rest on my shoulders, but Kraken have expressed interest in doing regular audits with different auditors each time. This serves to renew the audit and also to increase the confidence in the audit process and the validity of the result.Claims======Claim 1: Kraken controls a certain amount of Bitcoins.Proof: Kraken provided a JSON file with a list of their Bitcoin addresses and balances. I used the `cryptoshi audit` command in libcoin to verify the JSON file against a copy of the block chain.The version of libcoin used was commit f8c66accf2af88c039bd7c6678da7a338b8befa0.Here is the audit code used:Claim 2: The amount from claim 1 is greater than the amount contained in the root hash of balances.Proof: Kraken provided a binary file containing a set of user balances. This binary file can read and manipulated using the tool "krakendb".The version of krakendb used was commit 78d3504a7d68256a9a664125fa86a224c479ad42Available at: https://github.com/payward/krakendb To calculate the sum of all balances in the tree as well as a merkle tree of all balances, I used the "krakendb root" command. The root hash was:306daae528dc137c9053554c45e90a631ef859490a3ede651d488135602500a3The actual holdings were very slightly (< 0.5%) above the required holdings, meaning Kraken had greater than 100% reserves at the audit block height.// Stefan Thomas=====END AUDIT REPORT=====-----BEGIN PGP SIGNATURE-----Version: GnuPG v1.4.14 (GNU/Linux)iQIcBAEBAgAGBQJTLkKtAAoJEMlHNwCksIvzZkkP/04wdVeyYd8kKMJWKl1nP1OG6PD1C01NdOTvsyrRUd9/h2mRc4xmH+IC5WwjhrTStOiiUIKarGb/MlHC5JsMXbQm+NtxL8+Kbjk0DITCbydEur9udKIWi/CG/ja4aMT1jfOoMqtCNcRLl/4BjsOKUNXSGZBP0rZTE1yqqlN/rAulQvqeoytWx6LMl9F2qoJ+EZflIRsykJPt8kXNZJudK3nRyfNzvqa4gHoD07uIxPzTuQJXX4trGXW9K1mXsNJxqIjbR+seEANJMAS4G367Q7D8quyhAXH8HEEk+isXHa9YXWAe1wgzV9TCYf5yoM+Ki3iWN+CcqSNAGvRAs11VwjytBplgUeN+yyRLvw4cfhvn7cyBmrDBMsKo9sG5yS+Ql6HC7M4+PXp8UaR+DySgttVSkhRuSyiTssmDr/poUwx4R3jj9sn9QoUXMQTHgY56x0YO2TDHlaW/aA2uE6gSABXGVPIoCKoukjy+W4Q4FSnpYpAQtmWRnsm63DlsMLDZvVg/45uu3/7AmKxtkvkAwwFAvMZCIhK+VzEZT59A59JO5w/DMglsEZDXXOPV3/G0bR5+P8bpnH2W9BKOIeXtxFGn360FF9TP2mMfQUCaqa9piLpNokGs8Nl8fb5S9+lxHkqPgw0ZikbmyLcf1h7bXx4WssacpTH1s0f5fAiIR5Uo=zu+r-----END PGP SIGNATURE----- Bitcoin, Ethereum, Litecoin, Namecoin, Dogecoin, Ripple, Stellar, US dollar, euro, British pound, Canadian dollar and Japanese yen exchange: https://www.kraken.com

AWARD-WINNING

CASINO CRYPTO EXCLUSIVE

CLUBHOUSE 1500+

GAMES 2 MIN

CASH-OUTS 24/7

SUPPORT 100s OF

FREE SPINS PLAY NOW dvertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. dvertised sites are not endorsed by theBitcoin Forum. They may be unsafe, untrustworthy, or illegalinyour jurisdiction. Advertise here.

ErisDiscordia



Offline



Activity: 1084

Merit: 1052





Imposition of ORder = Escalation of Chaos







LegendaryActivity: 1084Merit: 1052Imposition of ORder = Escalation of Chaos Re: [ANN] Kraken Passes Cryptographically Verifiable Proof of Reserves Audit March 24, 2014, 08:38:47 AM #3 demand proof of solvency from exchanges.



This is Bitcoinland. Big Brother won't hold your hand and protect you from evil scammers so you won't have to use your head too much (and then go ahead and scam you himself ) it is your responsibility and we need to demand high quality services and weed out the bad eggs by not doing business with them ourselves.



Good job Kraken! This is why we needed the Gox fiasco to wake us up andproof of solvency from exchanges.This is Bitcoinland. Big Brother won't hold your hand and protect you from evil scammers so you won't have to use your head too much (and then go ahead and scam you himself) it is your responsibility and we need to demand high quality services and weed out the bad eggs by not doing business with them ourselves.Good job Kraken! It's all bullshit. But bullshit makes the flowers grow and that's beautiful.

sickpig



Offline



Activity: 1260

Merit: 1007







LegendaryActivity: 1260Merit: 1007 Re: [ANN] Kraken Passes Cryptographically Verifiable Proof of Reserves Audit March 24, 2014, 09:11:41 AM

Last edit: March 24, 2014, 11:33:05 PM by sickpig #4



keep up the good work.



the next step: completely trust-less audit mechanism. I seem to remember that gmaxwell proposed something along this line...



anyway I'm more than happy for this achievement



edit1: found out gmazwell proposal, amazing!keep up the good work.the next step: completely trust-less audit mechanism. I seem to remember that gmaxwell proposed something along this line...anyway I'm more than happy for this achievementedit1: found out gmazwell proposal, https://iwilcox.me.uk/2014/nofrac-orig Bitcoin is a participatory system which ought to respect the right of self determinism of all of its users - Gregory Maxwell.

Sukrim



Offline



Activity: 2562

Merit: 1002







LegendaryActivity: 2562Merit: 1002 Re: [ANN] Kraken Passes Cryptographically Verifiable Proof of Reserves Audit March 24, 2014, 09:27:19 AM #6 Well, "Claim 1" could be improved if the message can be chosen by the auditor (e.g. to being the headline of a large newspaper on audit day + a few random words/numbers that the auditor reveals as close as possible to the audit time (it'll take some time to generate signatures after all)). It is not clear if it was done that way. https://www.coinlend.org <-- automated lending at various exchanges.

https://www.bitfinex.com <-- Trade BTC for other currencies and vice versa.

Mail me at Bitmessage: BM-BbiHiVv5qh858ULsyRDtpRrG9WjXN3xf

Gaff



Offline



Activity: 924

Merit: 502







Hero MemberActivity: 924Merit: 502 Re: [ANN] Kraken Passes Cryptographically Verifiable Proof of Reserves Audit March 24, 2014, 10:14:48 AM

Last edit: March 24, 2014, 10:35:51 AM by Gaff #8



Quote from: btcx on March 24, 2014, 08:01:29 AM Claim 1: Kraken controls a certain amount of Bitcoins.



Proof: Kraken provided a JSON file with a list of their Bitcoin addresses and balances. I used the `cryptoshi audit` command in libcoin to verify the JSON file against a copy of the block chain.



Ok I'm probably being a noob here - but how dows this proove that Kraken actually control these bitcoins? They could have just given you a list of bitcoins that happen to be in the blockchain. Was there something signed by the private key to prove they actually control these?



*Edit:*

Just looked at the code. It has the following:



Code: if ( addr.getPubKeyHash() == verifier.verify(address + " " + message, signature) ) {



Where message and signature are provided in the audit file, and verifier does some stuff with public keys that I can't claim to fully grasp but I will trust as being a valid cryptographic check.



So the implication is that Stefan provided Kraken with a message and Kraken used the private keys of the corresponding addresses to sign this message to prove Kraken had them. Would be great if this was made clearer. First let me just say I welcome this sort of action. It's what the community needs!Ok I'm probably being a noob here - but how dows this proove that Kraken actually control these bitcoins? They could have just given you a list of bitcoins that happen to be in the blockchain. Was there something signed by the private key to prove they actually control these?*Edit:*Just looked at the code. It has the following:Where message and signature are provided in the audit file, and verifier does some stuff with public keys that I can't claim to fully grasp but I will trust as being a valid cryptographic check.So the implication is that Stefan provided Kraken with a message and Kraken used the private keys of the corresponding addresses to sign this message to prove Kraken had them. Would be great if this was made clearer.

Aleksei Richards



Offline



Activity: 38

Merit: 0









NewbieActivity: 38Merit: 0 Re: [ANN] Kraken Passes Cryptographically Verifiable Proof of Reserves Audit March 24, 2014, 10:44:25 AM #9 I think we've missed the point here. By showing me that you have access to every users funds, you show me that at any point you can disappear with those funds.



I would prefer to see a report that the users have access to 100% of their funds and the exchange cannot access any of those funds. This is not hard to do now we have M of N signatures, why are exchanges wrapping software around naked private keys and declaring themselves secure.

samson



Offline



Activity: 1778

Merit: 1018







LegendaryActivity: 1778Merit: 1018 Re: [ANN] Kraken Passes Cryptographically Verifiable Proof of Reserves Audit March 24, 2014, 11:16:23 AM #14 I wonder when we will see BTC-e, BitStamp and Cryptsy doing this to verify your funds are safe and secure ? That's never going to happen in my opinion.



Gox and VirCurex have been robbed extensively, I see no reason why the others mentioned above would be immune.



I suspect Bitstamp is going to be the next one.