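Stefan Thomas (AKA: Justmoon), Full Member
[ANN] Bitfinex Passes Proof of Solvency Audit
April 07, 2014, 03:26:12 PM #1

Happy to publish today the results of an audit I performed for the Bitfinex exchange. This is similar to the Kraken audit, we simply took some of the feedback on board (hash email address into leaf nodes), improved the security in a few places (balances were anonymized even to me) and streamlined the process some more (presenting easy-audit).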



As always, an audit does not constitute an endorsement and it does not address any risks outside of present insolvency. It's also not infallible, exchanges can borrow money or ask others to sign their audit message. Finally, until we can implement fully zero-knowledge, cryptographically provable audits, you have to trust the auditor, i.e. me, to have done my job correctly.



Also same as last time, I did not receive any compensation for the audit and I did it in my free time.



-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1



=====BEGIN AUDIT REPORT=====



AUDITOR: Stefan Thomas

AUDITED ENTITY: iFinex, Inc., https://www.bitfinex.com

ROOT HASH: 37c49d606c61aab140726265099992c3dd0fba30e1ce1a8a04f0e56cec6dc19f

BLOCK HEIGHT: 294378

RESULT: >100% reserves





April 6, 2014

San Francisco



This post is to report on an audit I performed for the Bitfinex Bitcoin exchange on April 5th and 6th, 2014 from my home office here in San Francisco. I've not received any payment for this audit - my personal goal with this is to help improve the stability of and confidence in the math-based currency industry overall.





Statement

=========



The audit process is designed to allow the auditor - in this case me, Stefan Thomas - to verify that the total amount of bitcoins held by Bitfinex matches the amount required to cover an anonymized set of customer balances. What I am attesting to is the root hash of a merkle tree containing all balances that were considered in the audit. If you are a customer of Bitfinex, you'll be able to verify using open-source tools that your balance at the time of the audit is part of this root hash. If it is and if you believe that I am trustworthy, then you can be confident that your balance was covered by 100% reserves at the time of the audit.



Compared to audits performed by other exchanges, this approach is very strict while still maintaining absolute privacy for customers. The most difficult part of an audit is normally to verify that the exchange is not under-reporting the number and balances of account holders. With this approach each account holder can verify that they were considered in the audit.



Trust in this type of audit still requires trust in the auditor. For now, this will rest on my shoulders, but Bitfinex have expressed interest in doing regular audits with different auditors each time. This serves to renew the audit and also to increase the confidence in the audit process and the validity of the result.





Claims

======



Claim 1: Bitfinex controls a certain amount of Bitcoins.



Proof: Bitfinex provided a JSON file with a list of their Bitcoin addresses and balances. I used the `cryptoshi audit` command in libcoin to verify the JSON file against a copy of the block chain.



The version of libcoin used was commit e913a46fd481236f573001abbc879d89595d5fef.



Here is the audit code used:



https://github.com/libcoin/libcoin/blob/e913a46fd481236f573001abbc879d89595d5fef/applications/cryptoshi/cryptoshi.cpp#L638-692





Claim 2: The amount from claim 1 is greater than the amount contained in the root hash of balances.



Proof: Bitfinex provided a JSON file containing a set of anonymized user balances. I used my own tool "easy-audit" to calculate the reserve ratio and root hash.



The version of easy-audit used was commit 8dc5882c1d40f5ab9bbea14778cd1abadce6e459



Available at: https://github.com/justmoon/easy-audit



Here is the audit code used:



https://github.com/justmoon/easy-audit/blob/8dc5882c1d40f5ab9bbea14778cd1abadce6e459/proof.js#L21-45



The tool's output was:



ASSET OWNER: bitfinex.com

BLOCK HEIGHT: 294378

ROOT HASH: 37c49d606c61aab140726265099992c3dd0fba30e1ce1a8a04f0e56cec6dc19f

RESERVE RATIO: 102.82%



The actual holdings were slightly (< 3%) above the required holdings, meaning Bitfinex had greater than 100% reserves at the audit block height.



// Stefan Thomas



=====END AUDIT REPORT=====



-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1.4.14 (GNU/Linux)




-----END PGP SIGNATURE-----

Twitter: @justmoon PGP: D16E 7B04 42B9 F02E 0660 C094 C947 3700 A4B0 8BF3
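An added illustration of the two roles described in the report above (auditor computes a root hash and reserve ratio, each customer checks that their own leaf is under that root); it is not part of the original post and not easy-audit's code. The leaf layout, the SHA-256 domain tags, the padding rule and all sample values are assumptions made for this sketch; easy-audit's real encoding is in the proof.js linked in the report.

```python
import hashlib

def h(*parts: bytes) -> bytes:
    """SHA-256 over length-prefixed parts, so field boundaries are unambiguous."""
    m = hashlib.sha256()
    for p in parts:
        m.update(len(p).to_bytes(4, "big") + p)
    return m.digest()

EMPTY = h(b"empty")  # pads a level that has an odd number of nodes

def leaf(email: str, nonce: str, satoshis: int) -> bytes:
    # Assumed layout: the e-mail is hashed with a per-user nonce, so the
    # auditor sees only an opaque tag next to each balance.
    tag = h(b"user", email.encode(), nonce.encode())
    return h(b"leaf", tag, str(satoshis).encode())

def build_levels(leaves):
    """Every level of the tree, leaves first, root last."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1] + ([EMPTY] if len(levels[-1]) % 2 else [])
        levels.append([h(b"node", cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels

def inclusion_proof(levels, index):
    """Sibling hashes from leaf to root, each with a 'sibling is on the left' flag."""
    proof = []
    for level in levels[:-1]:
        sib = index ^ 1
        proof.append((level[sib] if sib < len(level) else EMPTY, sib < index))
        index //= 2
    return proof

def verify_inclusion(leaf_hash, proof, root):
    """Customer side: recompute the path and compare with the attested root."""
    node = leaf_hash
    for sibling, sibling_is_left in proof:
        node = h(b"node", sibling, node) if sibling_is_left else h(b"node", node, sibling)
    return node == root

def audit(accounts, reserves):
    """Auditor side: root hash over all leaves plus reserves / liabilities."""
    levels = build_levels([leaf(*a) for a in accounts])
    return levels, levels[-1][0].hex(), reserves / sum(a[2] for a in accounts)

# Constructed sample data (satoshis); not Bitfinex figures.
ACCOUNTS = [("alice@example.com", "n1", 150_000_000),
            ("bob@example.com", "n2", 25_000_000),
            ("carol@example.com", "n3", 4_000_000)]
RESERVES = 184_000_000

if __name__ == "__main__":
    levels, root, ratio = audit(ACCOUNTS, RESERVES)
    ok = verify_inclusion(leaf(*ACCOUNTS[1]), inclusion_proof(levels, 1), bytes.fromhex(root))
    print(root, f"{ratio:.2%}", "bob included:", ok)
```

If the exchange had put a lower balance for a customer into the tree, that customer's own leaf hash, computed from the balance they actually hold, would no longer hash up to the attested root.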


unclescrooge (aka Raphy), Hero Member
Re: [ANN] Bitfinex Passes Proof of Solvency Audit
April 07, 2014, 03:29:30 PM #2
Last edit: April 07, 2014, 04:42:36 PM by unclescrooge

Hello everyone,



I'd like to thank Stefan for performing this audit in his free time for us. Although it is not perfect, we believe this is a good step toward complete financial transparency, and during this challenging time for Bitcoin businesses, a good way to reassure our users.



You can verify that your balance was included in the audit by doing the following:

- Log in to your Bitfinex account
- Click on your Username in the top right corner of the page
- Then click on "Audit"



From there you will have all the necessary instructions to verify that your balance was calculated correctly and included in the balances reviewed by the Auditor.



If you have any questions let us know here



Best regards

Raphael

Bitfinex team

Sukrim, Legendary
Re: [ANN] Bitfinex Passes Proof of Solvency Audit
April 07, 2014, 04:16:13 PM #5

Congratulations. Since there are funds in BTC at Bitstamp too, this means Bitfinex has significantly more BTC than 103% of user funds, right? Or did you just pull them off Bitstamp for an hour and redeposit?

How can I verify that my User ID had the correct balance at audit time?

https://www.coinlend.org <-- automated lending at various exchanges.
https://www.bitfinex.com <-- Trade BTC for other currencies and vice versa.
Mail me at Bitmessage: BM-BbiHiVv5qh858ULsyRDtpRrG9WjXN3xf

olalonde, Newbie
Re: [ANN] Bitfinex Passes Proof of Solvency Audit
April 07, 2014, 04:38:29 PM #6

It would be nice if we could standardise those proofs. Me along with iwilcox and others ( https://github.com/olalonde/proof-of-liabilities#implementations ) have put a lot of time and effort in standardising our tools so that they are interoperable and secure. It's a bit painful and frustrating to see this scheme re-implemented again and again with no attempt to follow a common standard. I understand that it was not possible for you to follow the proof-of-liabilities standard due to the requirements imposed by bitfinex, but why not contact us / open a GH issue / send a pull request / etc. and explain why the standard needs to be modified / extended to support your use case? Without a standard and multiple independent verification tool implementations, it will be difficult to expect end users to actually verify the proof.

That being said, congrats to bitfinex for getting audited.

PS: I also think the choice of wording here is a bit misleading ("passes proof of solvency audit"). I think "submits to proof of solvency audit" would be more adequate as the proof of solvency is only really "passed" when users individually verify the proof.

unclescrooge (aka Raphy), Hero Member
Re: [ANN] Bitfinex Passes Proof of Solvency Audit
April 07, 2014, 04:51:42 PM #8

Quote from: Sukrim on April 07, 2014, 04:16:13 PM
Congratulations. Since there are funds in BTC at Bitstamp too, this means Bitfinex has significantly more BTC than 103% of user funds, right? Or did you just pull them off Bitstamp for an hour and redeposit?

How can I verify that my User ID had the correct balance at audit time?

We left a significant stash of bitcoins on Bitstamp (though a bit less than usual) so yes, it means that we have more reserves than what was "proved". Similarly our liabilities are artificially slightly increased because in some cases, you can owe Bitfinex swap interests with collateral in other assets than BTC, in which case we didn't include these negative liabilities toward us (as per the rules of the audit).

I updated my post in this thread: You can verify your information here: https://www.bitfinex.com/account/audit

Thanks

Quote from: olalonde on April 07, 2014, 04:38:29 PM
It would be nice if we could standardise those proofs. Me along with iwilcox and others ( https://github.com/olalonde/proof-of-liabilities#implementations ) have put a lot of time and effort in standardising our tools so that they are interoperable and secure. It's a bit painful and frustrating to see this scheme re-implemented again and again with no attempt to follow a common standard. I understand that it was not possible for you to follow the proof-of-liabilities standard due to the requirements imposed by bitfinex, but why not contact us / open a GH issue / send a pull request / etc. and explain why the standard needs to be modified / extended to support your use case? Without a standard and multiple independent verification tool implementations, it will be difficult to expect end users to actually verify the proof.

That being said, congrats to bitfinex for getting audited.

PS: I also think the choice of wording here is a bit misleading ("passes proof of solvency audit"). I think "submits to proof of solvency audit" would be more adequate as the proof of solvency is only really "passed" when users individually verify the proof.

Hello,

To be honest I was not aware of those tools, and don't know if the other persons involved in this were. However I totally agree with you on standardizing the tools for this kind of audit. We are very early in this practice and as time goes by I am pretty sure this will naturally standardize, and your work seems the good starting point for this. The only difference for Bitfinex is the calculation of user liabilities (due to margin trading/p2p swaps), but this can fit quickly into your tool.

We will look into this for the next audits.

Thanks for the nice comments
Raphael

Sukrim, Legendary
Re: [ANN] Bitfinex Passes Proof of Solvency Audit
April 07, 2014, 05:04:23 PM #10

Alright, I checked the new "Audit" tab, however it apparently (of course) does not take BTC used in swaps into account, as they are probably sold for USD or LTC by whoever borrowed them.

I however also have lent out some USD and I believe not all of them were used to buy LTC. Do BTC held in open positions show up somewhere too, maybe in trader's audit info?

Also it would be great to have a python script available somewhere where we can just copy-paste the hashes or whatever else is needed to verify the info.

aminorex, Legendary (Sine secretum non libertas)
Re: [ANN] Bitfinex Passes Proof of Solvency Audit
April 07, 2014, 05:35:59 PM #11

102% of what amount? Add some credibility: Disclose the total. We can infer it approximately by means of the block chain, but an accurate moment-in-time value would be much appreciated.

Give a man a fish and he eats for a day. Give a man a Poisson distribution and he eats at random times independent of one another, at a constant known rate.