Let's get started. So today we are talking about proof of reserve and we're talking about it in terms of the cryptocurrency security standard. That is C4's standard that's been around for a while but we're going to delve into the details today. So I'm Jessica Levesque, I'm the executive director at C4 and we have three of our CCSS committee members today. So let's go around and introduce ourselves. Michael, do you want to start? Sure, hi, my name is Michael Perklin. I helped found C4 back in 2014 and was a primary contributor to the original draft of the cryptocurrency security standard that was launched in 2014, the same year, yes. It's a privilege to be here talking about this standard and what it means in the context of the last few weeks' events. Yeah, there's definitely a lot to talk about the last couple of weeks. Somebody yesterday said the last week has been a year, I think, was that you, Michael? Yes, but it was actually a quote that I heard Josh say and I thought it was a great one. The last week has been a very long year. Yes, that's a good one. All right, now Josh, would you introduce yourself? Hi, I'm Josh, also one of the co-founders of C4, also helped write the initial cryptocurrency security standard and currently making blockchain games over at Sloan Ninja, happy to be here too. Times like this, I'm glad we have a standard, but it's about how do we help both businesses protect themselves and consumers protect themselves. Yeah, okay, Jameson. Hi, I'm Jameson, co-founder, CTO of Casa. I've spent the past eight years working on self custody solutions, was originally employed by one of the companies that helped launch the standard back in the day. All right, awesome. So let's start by talking about what the standard is on a high level and then we'll get into proof of reserve. So Josh, do you wanna explain what the standard is and then Michael explain what proof of reserve specifically is? All right, I've been given a task, excellent.
So the cryptocurrency security standard was started as a way to fill in some gaps. There's obviously already standards out there around information system security, around securing businesses, both virtually and physically. But those standards didn't necessarily take the immutable nature of blockchain technology into account. They didn't really take into account the fact that there's no undo in this space. So when things are stolen, they're gone and there's certain things that we need to care just a little bit more about. So we wrote the standard as a way of filling in those gaps and complementing those established standards that already exists. And we wrote it both to give businesses a way of helping to define their own infrastructure, helping to define their own practices and what they need to do to either secure their own funds or the funds of others, as well as giving others looking at a business, be them consumers or say insurers or even business partners to say, you know, what kind of standards do you meet internally? If we're all just doing something ad hoc, then it's really hard to compare how one business is doing to another. So by creating the standard, it allows us to understand at a glance of whether or not two businesses are comparable in their security practices and their security hygiene, or if there's potentially things that could be improved upon. Great, great summary, Josh. Yeah, C4 was founded just for measurements and standards. We needed a way to measure whether someone knew about Bitcoin or did not. And that was, that became the CBP credential. But when it came to security, as Josh pointed out, there was a lot of disagreement between whether a company was performing adequate security steps or not. So the CCSS is a measurement stick that you can apply to any system that deals with cryptographic private keys in order to know whether it is doing it in a secure way or not. 
And when Joshua and I started this project back in 2014, we enlisted the help of a lot of industry titans. We had input from BitGo, we had input from blockchain.com, we had input from a lot of other companies and a lot of companies. The principal security engineers at each of these organizations, including Jameson himself, contributed a lot of insight into the hacks that had occurred to date at the time. Proof of reserves actually came from a control that was contemplated after the downfall of Mt. Gox. We saw that Mt. Gox, they claimed to have so many Bitcoin, but in reality, they had far fewer. And at the time, the idea of publishing a proof of your reserves was talked about often as a way to at least give some credibility to the exchanges that were operating under full reserves. In short, the proof of reserve requirement means that the exchange either publishes enough information to allow anybody to know, yes, they do have one-to-one Bitcoin backing from what they say they do, or it allows them to publish other information about their system so that you don't need to trust their word. You don't need to read a report from them. They've published enough information so that you can check on the blockchain itself, count up how many Bitcoins they truly have and know whether they are operating a fully solvent system or an insolvent system. So that's what the proof of reserve requirement is. Jameson, did you have anything to add that I may have missed? Well, it gets a bit tricky, right? So there is still an element of trust. We're adding in some cryptographic proof, but these proofs are essentially additional attestations to complement some other audit that has been performed preferably by a reputable third-party accounting firm or something. And I think one of the things that makes this contentious or gets people upset is the belief that it's a perfect control.
I would argue almost none of these controls are perfect silver bullets, but rather you've got to step back and you have to look at the entire system of controls and rules that comprise the different tiers of the standard and say, this is all relative. And so I guess what we're going to be trying to make the case for is that it is better to have something than nothing. Yeah, that's definitely true. The one detail about the standard is that it's in three levels. Level one being secure, good controls. Level three being, we like to use the term a little bit more on the paranoid side of things and extremely difficult. If you meet any of those, one, two, or three, you've still done a great job protecting your business. On proof of reserve, the third level, that final, that like greatest level of security, the ideal was that the system that was being assessed didn't even need proof of reserves because the control was fundamentally in the user's hands and they could verify at a glance what was there. Good point that you bring up the, sorry. Or at least, no, go ahead. Yeah, I was just going to say, it's a good point that you brought up the three different levels. A lot of the controls in the CCSS have three different levels being very good over the top and as Josh used the word, paranoid. Even just level one of the cryptocurrency security standard is damn secure. Every company who achieves level one should be very proud of what they've accomplished. When it comes specifically to the proof of reserves requirement, under the CCSS, this is aspect number 2.03.1. There are three levels of proof of reserve. Level one, level two, and level three. The first level is a company has published a proof of reserve report, period. That's it. If you've published a proof of reserve, that's great. That's more than what a lot of companies are doing. Indeed, it was more than what FTX did. But as Jameson rightly pointed out, it still does command a little bit of trust. 
How do you know that the company that is publishing this, that they're being truthful? Who knows if they've left some information out? So level one is publishing a proof. Level two is publishing regular proofs on a regular schedule. This is helpful because now you can see a track record of being committed to this process. Level three though is the most interesting to me because with level three, the system publishes enough information in an automated way so that you don't need to trust a report written by a person. You can independently verify the reserves on their own. One example of what this could look like is let's say that there is an exchange, a custodial exchange where anybody around the world can deposit their Bitcoin so that they can now trade on that exchange. If every user that deposits Bitcoin is given a unique address, so Jameson's account gets address A, Josh's account gets address B, and Jessica's account gets address three, I'm just realizing all three of your names begin with J. That leaves me the odd man out. If everybody has their own unique address and everybody is depositing into their own unique address, but all of those addresses are controlled by the exchange, what the exchange could do once per month or maybe even once per evening on an automated basis, they can publish a list of every single deposit address for all of their accounts alongside some unique but hidden identifier. A, B, C, D, whatever could be Jessica's account ID. So obviously we don't see Jessica's name. We don't see Jessica's email address or any other personally identifiable details, but we can see that this exchange has these tens of thousands of Bitcoin addresses. And now anybody can take this list. They can look on chain. They can count up how many Bitcoins are in control of all these addresses and know precisely how many coins are in control of that exchange. With a system like that, it becomes trivial for anybody to verify rather than trust. 
Now, of course, you still have to trust that they are including all of the addresses in that list and they're not missing any, but Jessica, Joshua, and Jameson would all have the freedom to look at that list, control F, find on their computer to look for their own address and see, oh, yep, there's mine. And yes, that is how many Bitcoins I have in that exchange. And if all of us are independently verifying just our own row, it's very likely that we can trust the document in its entirety. Yeah, and I think this idea of providing assurance to the public is what brought us here today because we have a situation right now where many people trusted a company and it didn't work out for them. And when we're talking about blockchain technology and we're talking about Bitcoin, what we're really talking about is a public way to verify information. Like you can verify on a blockchain using a blockchain explorer if the money you sent to somebody has arrived or not, and if it's moved or not. So we should in theory be able to monitor all of this, maybe not whose money it is, but at least to be able to see if I sent you Bitcoin last week, Michael, and I know what address I sent it to, I can look that up and see. And if you say you're just holding it for me for a couple weeks and I look and it's gone, then right away I know that there's something amiss and that maybe I shouldn't have trusted you with my Bitcoin. So we're in this situation now where there's a company that has made some mistakes, shall we say it appears. Does anyone wanna give a rundown on what it is that is happening right now that has everybody kind of not sleeping and maybe going a bit crazy if you've had your money on an exchange or you've got somebody else holding it right now? I volunteered Jameson after writing a very well researched blog about this very topic. Yeah, so what we're seeing is history repeat itself. The repetitions are never exactly the same. There's always a lot of variation. 
The repetitions are always different. Yes, history rhymes. It doesn't perfectly repeat. But the point being that this is at least the 20 something or 30 something ish exchange over the past decade that has been shown to be operating under a fractional reserve. And there are a myriad of reasons as to why a custodial entity may end up operating as a fractional reserve. Some of them, such as lenders are actually meant to do that. But generally we consider your spot market exchanges should be optimally operating at a one-to-one reserve and should not be moving client funds around without the explicit authorization of the user that is supposed to own those. So really what has happened is due to malfeasance or accidents or who knows what, because it's gonna take a long time to figure out exactly what happened. It turned out there was a mismatch between the believed number of assets on FTX and the actual amount of assets. And so eventually this comes to light when a company reaches such a low reserve that they can no longer even continue to process requests to withdraw assets and essentially have to throw up their hands, shut down, reorganize, go through bankruptcy and so on and so forth. And would proof of reserves have prevented this? That's where the topic becomes really questionable because proof of reserves or really any type of auditing, it doesn't really change your security model of how you're operating at any point in time. What it's really showing is that up until the point at which the audit happened, it looks like everything is going well and that there have been no misappropriations of funds. So if FTX had either more regular audits or there were more regular audits and they covered everything, perhaps this would have been found out sooner. It does seem like they have probably been operating as a fractional reserve exchange for quite a while. It's unclear how far back that goes. 
But sort of going back to one of the original points with the nature of trust here, you're still relying upon the audit to actually cover everything. And at least from some of the things that I've heard so far, some of the information that has come out, it looks like there may have been audits, but the audits did not actually cover everything because just the expansive nature of all of the organizations and their relationships in this case made it a lot easier, I guess, to hide exactly what was going around with the left hand paying the right hand and so on and so forth. So we certainly cannot claim that this would have prevented anyone from losing money, but it might have given people a signal a lot earlier that there was something wrong. Yeah, that scope is certainly a big issue. Audits are expensive and it's easy, not only expensive in costs, but in time and resources. If you're trying to run a business and you're always focused on audit, it can be very difficult to move forward. So you kind of wanna get it done and get it out the door. And I can appreciate why that would be the case. It does, there's some trust there on the auditors that they're looking for the right things. One thing that we've seen many times over the years, and Gox is an example of this, if you're Canadian or watch Netflix, you might be familiar with Quadriga, which is arguably an example of this as well. And I think here, it sounds like there might be some examples of this happening here. In many cases, it's not the only piece, but sometimes it's this one event or several small events in which in Gox, it was a theft of coins. And then how do we get those coins back? In Quadriga, it was the same thing. There was quite a bit of Ethereum, I believe, locked up in a smart contract, a multi-sig smart contract that they could just never get it back. 
In FTX, again, we don't know the exact details of what's taken place here, but given the last eight months, it's fair to assume, was there some UST sitting around in that exchange that was no more? There has been quite a few collapses, both from lenders and borrowers all over the industry. If you were kind of holding the paper Bitcoin, which maybe we'll get into that term in a second, you start to think, how do I fix this? And it's an easy way to justify the horrible things happening, which are completely fraudulent and just disgusting in hindsight. But at a certain point, it's like, oh, it's a bit of a gamble. I can fix this. It's just gonna take one or two trades, and then we'll be fine, we'll be back in. Now, if we're talking about timing a proof of reserves, maybe it's not necessarily about a yearly or quarterly thing. Maybe it's a situational thing, whereas the industry, we have to go, you know what, some big things just happened. We need to know who's actually whole right now. I think that's an interesting point in terms of who needs to be demanding that the standards that have been created or these options to look in and actually look into something are happening. Because if we know that these options exist, but there's been nothing that has kind of forced these companies to do that, then I think we're failing as end users and as people partnering with these companies and whatnot, because as a society, we keep using these services without knowing that they're safe. And like you were just saying, it keeps on happening. There's been, this is not just one time, and we're like, oh, shame on us, now we know better. It's like, at what point are people going to say, okay, I'm gonna stop using systems that don't have, haven't at least attempted to prove that they're doing what they're saying. There's an interesting connection here that I've noticed in a few breaches and in a few pain points when dealing with cryptocurrency. 
And I think it's useful to shine a light on it here. We know that Bitcoin is a decentralized monetary system, completely decentralized, has no controllers, works regardless of borders. And one thing I've noticed is whenever you are interfacing with a decentralized system, by using some kind of a centralized system, in the case of FTX, they were a centralized company controlled exchange, company controlled system that interfaced with Bitcoin. It's always that boundary between the decentralized world and the centralized world. That boundary causes the most friction, the most complication, the most security issues, and the most losses for victims. And it comes into play when, for example, a proof of reserves. Well, when you're dealing with a decentralized system, I can just look it up on chain on my own and I don't need to trust someone. But if it's a centralized company holding all these reserves, well, now I need to trust them. When it comes to cybersecurity and protecting coins, when in a purely decentralized world, it becomes a lot easier when each decentralized entity controls their own keys. But when you are dealing with a centralized middleman, now you need to trust that they are holding their keys. And because they are signing so many more times than a normal average user would, because they're signing on behalf of thousands or tens of thousands or millions of users, now cybersecurity becomes more difficult for them. When it comes to PII, personal information and KYC rules, again, if we're all dealing on our own in a decentralized world, it's easy. But when you're doing it through a centralized intermediary, it becomes hard. 
I believe, and I don't know if I'm right about this, and I may not know before my time is done here on this planet, I believe that as long as we are existing in that transitionary period, when we are moving from the older centralized middleman focused world into this new decentralized world where there are no middlemen, that crossover period that we find ourselves in today is going to be rife with all these types of issues. And I dream of the day when all of our children will be able to wake up and use these decentralized systems without even questioning about using a centralized system. Kevin O'Leary was a proponent of FTX. He advertised for FTX. And there's a pretty shocking quote from him saying, oh, I absolutely trust FTX. Sam Bankman-Fried's parents were regulators. So there's no other entity that I would trust more than FTX because of that. So he appeals to authority and he appeals to a need for trust. That makes sense when you're dealing with companies and corporations. But again, it underscores the decentralized world that we're building where we don't have to rely on people's appeals to authority or people's vouches for trust. But in the meantime, we have a security system. That's right. Sorry for waxing philosophical on you all. Well, no, I think you've got a group of people here who agree with what you're saying. What we're trying to do is solve the problem that exists in the meantime until there aren't people that are using these systems. For now, there are lots of people in billions of dollars worth being kept through these companies that have the keys, hopefully to the coins. And so in the meantime, while we get to this ideal world that we all wanna be in, we do have to find a way to make it safer. And that is, like you said, where the CCSS comes into play.
Yeah, if you don't think that you have good enough security with your system, whether you are a person or you are a company or whatever in between, the CCSS is a perfect measuring stick to gauge just how secure you are. So if you haven't taken a look at it, I definitely encourage you to do it. I personally believe that if FTX had adhered to the principles in the CCSS, the proof of reserve being only one of, I think 38 different controls that are outlined there, we would be talking about much different things today than we are today. Yeah, I mean, I think to kind of piggyback on top of that, one important aspect to point out of quite a few of these controls is that, we're not only creating a system that is resistant to external attackers, it's also meant to make the system resistant against internal attackers. And based upon the knowledge that we have thus far of what occurred at FTX, it appears like you could consider this a type of insider attack where there were only a handful of privileged employees who actually knew what was really going on with the crypto assets and with the accounting and finances of all of these interrelated entities. So, I think this is once again, why some people can go out and make these straw man arguments that like, well, the company itself could be completely corrupt and everybody could be colluding with each other and create fraudulent audit reports and so on and so forth. And it's always possible, but it's just a question of how much effort is there that you would have to put in to do that. So, if you're trying to evaluate one of these custodians and you don't see any public audits or proofs published, that's kind of a red flag. If you see maybe one a year, then that at least shows that they put some effort into it. If they're doing it even more frequently, I think we've seen some recently say that they're gonna be doing either weekly or bi-weekly reports, that's even better. 
And then as Michael said, the perfect, well, the optimal form of proofs would be essentially a real-time system where you can look at the state of the blockchain and your assets without even relying upon the company themselves to publish any additional information. And so, this is all just about integrity and showing that the system has a higher level of integrity and trustworthiness. It does not, of course, show that those funds can't be moved without your consent. If not your keys, not your coins definitely still applies. But this several controls out of the dozens of controls in the system is just one more way of showing that. The system is just one more way of shoring up the entire system that is meant to be protecting these crypto assets. I've read a bunch of people online being very critical of the concept of proof of reserves. Some statements that I've read were something along the lines of, oh, proof of reserves is BS without any explanation of why. Or proof of reserves is too easily gameable. Maybe it would be a useful exercise to sort of argue on the other side and talk about this one point, proof of reserves critically from the opposing viewpoint, just to sort of tease out all sides of it. Well, I think one place to start on that is kind of what Jameson was alluding to. First of all, it's a piece of the puzzle. It's not the entire piece of the puzzle. So you can say, yes, we don't trust the auditor in this case if we wanna go that far. This is now like a multi-organizational scam to agree with. If we take the CCSS as all of its components and the CCSS is about all of these different components coming together, a lot of it's also about managing the keys. So how are keys created? How are keys utilized? How does the wallet form? Is it a multi-sig? Is it an MPC system involving several different keys? Understanding the full key system of how these different pieces come together to actually authorize transactions. 
And then on the procedural side, understanding when a transaction is brought up, why it's brought up, how it's authorized, both from a business perspective and then how is it executed with the different signatures required to actually bring it together. So you're understanding, okay, here's all the funds of this system. Here's all the different components. Here's how the keys all come together. And then proof of reserve becomes a, okay, let's prove that this is the actual system that we're looking at too. Let's understand, cause you can show me a whole like theatrical performance of how keys are created and tell me all the procedures that are written in stone as to how you do it. But if we don't then follow it through the process to understand and all of that specifically relates to these funds over here in this business, the proof of reserve kind of closes the loop on that. And you can argue, oh, well, you know, it's a point in time. Absolutely it's a point in time, but it's a point in time that specifically proves as far as the CCSS is concerned, that the assessment on that business's key systems actually relate to the funds that we're talking about. Now, if suddenly we find out that, you know, there's a backup of all the keys sitting inside the CEOs, the CEO's, you know, office that only he has access to, well, that's against the controls in the CCSS and change things completely. Yeah, I've gone to quite a few conferences this fall and started just going up randomly, talking to people who are from different custodial services. They don't know who I am. I just like bring it up, mention the CCSS. Many of them have heard of it. Some of them are really excited about going through the audit process and some of them are not excited about it. They don't want anything to do with it, which scares me. But this past week I was there and someone that I was talking to was like, oh yeah, I love that you're doing this. 
And they started talking about proof of reserves and how they are already doing this. And like, they were looking at the standard and saying, oh, we're doing this, so this wouldn't be a big deal. Oh yeah. And like literally going through it with me and saying like, oh yeah, we can't wait to have somebody check this out. And everything they said, they, I mean, they might not actually have it. We'll find out when they get audited. But as they were going through it, their response to it was very different than some responses I've had where I'm thinking, okay, you probably don't have your, you know, ducks lined up and that's why you don't want anyone to do it versus the really positive people where I'm thinking, okay, like take notes, right? And that's what we want as end users to find these companies that really do care about other people's money. They don't think that like, oh, it's just a couple hundred bucks here and there. Like they recognize that there are real people at the end of this who are being impacted by it. And those are the companies that I'm super excited to see go through this process so that the rest of us know if we want to trust somebody other than ourselves, who we can trust. I love hearing that Jessica and it warms my heart to hear that there are many systems out there that are already accounting for the majority of the controls listed in the CCSS. Jameson said it, Josh said it, I said it and you referenced it right here. An information system is like a chain and a chain is only as strong as its weakest link. If you're too scared to put stress on that chain, maybe you know that there are some pretty weak links in that chain already. When we were putting together the first framework of the CCSS way back in 2014, we outlined every single hack that we knew of to date and we researched and investigated every single one of them to understand the root cause of all of them. 
And we talked with the people who were, who either designed or maintained the systems at each of these companies or exchanges that lost funds due to these hacks. And we started grouping things together and organizing them and it painted a very familiar picture. One of just a classical information system. Now, normally when people think of an information system, you think of the tech and FTX's website, oh, it's just the website. Or if you're using a hardware wallet, oh, it's just the hardware wallet. But that is only one small piece of the full chain. One, only one aspect of the information system. There's five categories of any information system. There's the hardware that you use, the software that you use. And again, most people erroneously think that these two are the information system, but they're just pieces. The hardware, the software, there are policies on, thou shall do this, thou shall not do that. Basically rules that should be followed when using this information system. There are procedures, the things that people do in order to comply with the policies. And then of course, there are the people. How are they trained to use the system? Hardware, software, policies, procedures, and people training. Only if all five of those are covered, will you ever have any chance at having a truly secure system. An example that I love to use is, it doesn't matter how long or complex your password is, how many M of N treasures you are using. If you take the password for that or the backup seed for that, and you write it down on a post-it note and stick it to the side of your monitor, there's no way that that is going to be a secure system, even if you've got some tactical grade links in that chain. One of those is a small paper slip. You need to worry about all of them, not just the tech, but how you as a human interact with it. And the CCSS took that into account when devising the 38 controls grouped into those five categories. 
Yeah, and I think in terms of like these five pieces that you're talking about, if you take any one out, there becomes a weakness to it. And for some of us that aren't security professionals, when we look at something like the standard, we might be able to say like, oh, here are some things I should or shouldn't be doing, or here's what I want to look at if I'm using a custodian. But if you have a trusted expert going in and looking like these auditors are and giving information, they're seeing what's happening. They know what to look for. It creates this additional, a way for people like me who aren't super technical to be able to see, okay, somebody else is technical, they're checking it. Does this mean it's 100% not going to have any issues? Of course not. But it's better than nothing, I think is the point. So like what we've been talking about is like self sovereignty, being able to do this yourself, it's the best way to do it. For now, when we're not there yet, there are these baby steps and there are these things along the way that we can do to make things a little bit safer and feel more secure about it, which is why all of us are on this call and why we are encouraging the rest of the industry, the space to be doing the same thing where we should be advocating for these companies that are doing things correct. And for everyone watching, you'll be seeing in the next month, maybe sooner, some companies that are at least one that have been undergoing the audit and they'll be releasing that information soon. So there are actually companies starting to go through this already, which I think is really exciting for those of us who want to have multiple options of what to do with our crypto. With that being said, I do think that it'd be interesting to look at, like I think we talked a little bit about FTX in terms of like what the proof of reserve would have done, maybe like if they had gone through this. 
But if we were to look at a company like FTX and we were to say like, this is a point in time audit, right? So like the proof of reserve, we don't look at it every single day, we could just look at it. What if we'd seen like a month ago? What if there'd been an audit a month ago? And then things had changed now. What's the likelihood of something like a proof of reserve audit actually catching something? Do we have any idea? In this case, I think it would have highlighted something very clearly, very early. The allegations are that FTX and Alameda, two separate companies, were commingling funds inappropriately. So this proof of reserve audit, simply publishing, here's a list of all FTX user balances. That alone would have been very difficult for FTX to publish, knowing that they had taken all of FTX user balances and given them to Alameda in order to trade. So that's one very easy flag that would have been waving early in the day. And ultimately it took a Twitter army of people trying to identify the cold wallet of FTX that started to unravel this whole story. Because every exchange, especially an exchange that has millions, if not billions of dollars worth of deposits from users all around the world, they got to be storing that money somewhere, right? And people couldn't find where that money was stored. So yes, I think that kind of transparency from FTX showing here is where all of your user deposits are being stored, it would have immediately prevented the kind of grift that they have been getting away with for so long. Do you guys think that this is going to change how people are going about using custodians? Like, do you think, like I know somebody got an email from Gemini saying that all of the money on Gemini earn is now paused or you can't withdraw it. Do you think that this is the time that people are going to learn from it? Or do you think we're gonna be on a call like this again? The cycles are not going to end, no. 
As a self-custody provider, obviously this has been very good for my business, not so good for exchanges. Anyone who knows how to look at on-chain metrics can see that there have been massive outflows from custodians over the past few weeks. But human nature is such that we quickly forget the tragedies of the past. Plus, this space is still tiny and growing and so we will have new cohorts of entrants who they don't learn from history because they weren't around for it and they don't put in the effort to learn the history. So I think it will continue to happen, but it will also spur improvements. This is sort of the nature of cybersecurity. It's always a cat and mouse game and just as the genesis of the security standard itself was born out of a dozen different major hacks and losses, this doesn't end. Every time a major incident like this happens, the folks in the security space do root cause analysis to understand, was there a best practice that could have been implemented that would have prevented this? And if so, is that best practice already a known best practice or is it something new that we need to add to our sort of communal knowledge? Now, it seems like we have, it seems like we have hit a sort of leveling off point there where nothing really completely novel has happened in a while or at least like most of, I would say the novel hacks and exploits that happen these days are generally like smart contracts level issues. That is a, I will say completely different problem that the security standard does not even attempt to address. There are other entities, organizations, communities, ecosystems that are attacking that because it's a multifaceted problem space on its own. But yeah, I mean, things will get better for a bit and then they'll get worse and then they'll get better. But it's really about the trend is hopefully we keep learning, keep learning, keep getting a little bit better. 
We'll still suffer setbacks, but I believe we need to continue to make this just a part of the culture of the space because it's the same problem, I think, with like both privacy and security and other things that they require you to take on responsibility. The result of that is that because humans tend to prioritize convenience over everything else, whenever there's a level of friction or work required for people, then we need to have some more innovative solutions at play to try to get people to put in the effort to do that. So, one of those is pushing the standard forward really trying to get more community pressure on various entities that are potential points of failures. We don't want systemic risk to spread throughout the system because people are not following best practices. And the other one is what I've been doing for eight years now, which is trying to lower the bar really, make it easier, improve the user experience for people to get into robust self-custody solutions because everything that we're really talking about here while we are obviously proponents of it and we want to see greater adoption of it, even if every custodian out there was tier three certified, top level security standard compliant, I would argue that it would still be better for the vast majority of people to self-custody rather than trust these various entities because it still does put a level of systemic risk in the system just to have large amounts of wealth concentrated in small number of places. Yeah, not to say something that would crumble our business model, but we all want people to be self-custodying, right? This is like the entire purpose. So it's strange probably if people are listening to this and thinking, wait, so you've created a standard that you eventually don't want to be used, but that is kind of the ultimate goal is that eventually people will have the tools to be able to do this themselves. 
We just know that in this probably very long period in between that we need to find a way to make things safer. And I think a couple of the things that you were saying, Jameson, this culture and how self-custodying requires responsibility. There's also that responsibility for the companies custodying that they need to be making different choices perhaps. And I think what you said is very true that we need the community to kind of push things along to make a difference. If the community isn't, I'd say advocating for there to be more proof of reserves, if the community isn't, I don't even wanna use the word advocating, basically like forcing these companies into doing this if they don't want to do it, then there needs to be someone that says like, hey, there are tons of people whose money you're holding onto and you don't seem to really care about that. Let's trace where this is going, kind of like what happened with FTX. We need people who are kind of going to champion this alongside us to make sure that we can make these changes because the standard exists. It's just about getting it to be used. Yeah, and I think it's important to work at this problem from both ends. Jameson mentioned that he has dedicated this chapter of his career to lowering the bar, making it easier for people to become self-custodians and have the self-sovereignty, all the knowledge and the tools necessary to do it on their own. C4 is actually coming at it from the opposite end of the candle. We're coming at it from the education angle. I'm a firm believer that in the same way that today everyone knows how to use passwords, everyone knows the obvious password hygiene gotchas, like don't use your pet's name, don't use your anniversary date or your mother's maiden name or things like that. Don't use those as passwords because that is bad. We do know to use longer passwords, use symbols in there, et cetera, et cetera. 
That has entered the public consciousness thanks to living with this technology for so long, living with passwords for long enough that it's just generally known what is good, what is bad when dealing with passwords. Private keys are a different animal. And Bitcoin has only been around for, what, 11, 12 years now. Using these private keys is not yet part of the general social lexicon. But I believe that our children will be using private keys as ubiquitously in their lives as we use passwords today. I also believe that passwords will slowly be replaced and it will become common to log into websites using a private key rather than using a password. But I'm not gonna go down that route. What I think is great is that C4 is providing educational materials to train people on how to use private keys safely, to test them on whether or not they know the gotchas of using private keys. They understand the importance of what a mnemonic seed is and how to protect it. They understand through reading some of Jameson's educational material that he's put on lopp.net or how to choose the best way to back up your mnemonic seed, et cetera, et cetera. By raising people up through education and lowering the bar through easier to use tools, eventually I believe that the world will meet in the middle and if not cross that bar and it'll become as ubiquitous tomorrow as passwords are today. I feel like after all the things we've been hearing that are so negative over the last week, I just wanna bathe in those words of positivity and the future, it seems so lovely. I hope that your vision comes true, Michael. It's just made me feel warm and fuzzy after a week of hearing not so many positive things. So thank you for that. Okay, anything else we wanna say about proof of reserve or related to FTX right now? Anything that we're thinking in terms of moving forward and how we're going to keep pushing this. 
So I think we've talked a little bit about this like double-pronged approach, but for those who are watching this stream right now, what I guess advice do any of you have for how they can help make a change, how they can help us move these two different things, self-sovereignty and at the same time, better choices for users because there's visibility into these different systems. Well, I mean, at C4, we're certainly appreciative that the space is always evolving and sometimes events in the space force us to evolve a little quicker than maybe we were. Just yesterday, we had an incredible hour-long discussion with the CCSS committee to discuss this very topic of how does proof of reserve fit into the standard, are there things that we need to be doing differently. An appreciation that it's both a technical exercise and an accounting exercise and understanding kind of how those two can meet and merge. And really what it boils down to is we didn't design the CCSS in 2014 and then we'll clap our hands, pat ourselves on the back and say, this is done, excellent. Unfortunately, just like some of us learn as consumers, some of us also learn as professionals each day and have to make sure that the assumptions we make, the decisions we make are not things that we simply sit on and go, okay, this is fact, this is all that needs to happen. We as a committee make sure that we discuss things that we once thought were as fact to make sure that it's still the best way forward or we work to figure out what the best way forward is. I think those of us who are on the committee, those of us who are on the consumer side of things as well, we need to do that same thing. We might have a service and we've used that service for maybe a year, maybe two years, maybe four or five years we've used that service. And we just have a belief that they have our best interest at heart. But we're not necessarily open-minded to accept criticism of that service because they've always treated us well. 
We're too busy in our day, we don't wanna question them and we don't even know how to question them. There might be opportunities throughout your normal crypto exercise and say, is this company still the company that I think they are? Is this still a service that I'm happy with? It's hard because things like crypto Twitter are filled with, you know, FUD, lies, nonsense and just a whole bunch of crap. And some of it might be true and some of it might not be, it's really hard to parse that out. But, you know, take a step back from that sometimes and just say, what has this company lately done to show that they're still a good custodian of my assets? How have they treated me in support calls? How are things like my withdrawals? And then maybe just a little bit of where the hell did this company come from? And should I not be gently alarmed at even the story of how they came to fruition? I don't know. I don't know if that helps, but Godspeed. I think that that helps. That's interesting to hear. I think my final thought would be this debacle, this repeated debacle, this rhyming debacle as Jameson pointed out, once again shines a light on decentralized alternatives where we could not see the balance book of FTX, where we could not glean anything beyond the opaque corporate walls around the fraud that was running rampant within that company. There are DeFi smart contracts that are completely readable on chain. There are systems where all reserves are displayed transparently for everyone to audit and see that every last shred of a coin is accounted for. And where you could trade on a centralized version like FTX or you could trade on a decentralized version, it is worthwhile to investigate the decentralized alternatives because by using these decentralized alternatives, you no longer need to transfer control of your funds to a company that might be rife with fraud. 
You no longer need to trust an entity to deal with your funds on your behalf and hope that when you request a withdrawal, they will choose to process it and give you your money back. DeFi transparent alternatives are a shining beacon to fight against the fraud that we've seen run rampant for all these years. And I'm excited for that light being shined on it. Yeah, Jameson, I'd like to hear your closing thoughts. And also you mentioned at the beginning that you've had a lot more people, companies, I'm not sure, reaching out to you right now for what CASA offers. And I'd be interested to hear if you can talk a little on that before we say goodbye. Right, I mean, this is just the general trend that we see after every major exploit. We're seeing a lot of both old and new people sort of come out of the woodwork. Generally it's like, well, I've had this in the back of my mind for a really long time. And now I'm scared enough to actually put in the work to look into improving my security posture. And yeah, that's one of the things about working in this space that is kind of a letdown is that it seems like bad things have to happen in order for people to listen to us. I think I've heard a few people refer to it as sort of the Cassandra complex of working in cybersecurity, but that's just the name of the game. So I'm hopeful that as we continue to kind of file down the rough edges around the usability issues in these spaces that it won't require catastrophic losses to spur people into using better security systems. And so kind of tack on to Michael's point, there's certainly a lot of interesting promise in being able to interact with truly decentralized systems. You're able to completely shed many classes of risk that are inherent to using third party custodians, but once again, not a silver bullet. You're then taking on other classes of risks that due to the new nature of this whole system, the best practices and security around those risks are kind of still in flux. 
They're being fleshed out through once again, a series of hard lessons that are learned through various catastrophes, but it's not going to stay the same forever, right? These are dynamic systems. And as long as there are dedicated people who are continually devoting their time and resources to improving these systems, then we can expect the trends to continue that the usability and the security of the systems will improve, people will be able to operate within them more securely and more sovereignly, if that's a word, but with less and less trust on third parties, which is the reason why we're all here to begin with. Yeah, absolutely, I love that. Let's not run away with fear, but use that fear to help guide us to make different choices and better decisions as we gain the information from the CCSS and who's going through this audit process and be our own advocates for some better systems and more transparency in the system. So Josh, Michael, Jameson, thank you so much. As always, you guys have so much important knowledge and insight to share with everyone. So I really appreciate you taking the time today to join to talk about proof of reserve. So thank you all for watching and we will talk soon. Take care.