Just finished an audit of the Huobi Chinese Bitcoin exchange. Please see the report below.
As always, an audit does not constitute an endorsement and it does not address any risks outside of present insolvency. It's also not infallible: exchanges can borrow money or ask others to sign their audit message. Finally, until we can implement fully zero-knowledge, cryptographically provable audits, you have to trust the auditor, i.e. me, to have done my job correctly.
Also same as always, I did not receive any compensation for the audit and I did it in my free time. I requested the exchange donate any fees they would have paid me to a charity of my choice: Ludwig von Mises Institute For Austrian Economics Inc. in Auburn, Alabama.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
AUDITOR: Stefan Thomas
AUDITED ENTITY: Huobi Technology Co., Ltd.,
https://www.huobi.com
ROOT HASH: c4d8c294ee91c8d61fc12f55750346eb4106f37effacdbc296320310bab1daf1
BLOCK HEIGHT: 317899
RESULT: >100% reserves
August 28, 2014
San Francisco
This post is to report on an audit I performed for the Huobi Bitcoin exchange on August 28th, 2014 from the Ripple Labs office here in San Francisco. (Note that I have performed this audit privately in my spare time and not as an employee at Ripple Labs Inc.) I've not received any payment for this audit - my personal goal with this is to help improve the stability of and confidence in the math-based currency industry overall.
Statement
=========
The audit process is designed to allow the auditor - in this case me, Stefan Thomas - to verify that the total amount of bitcoins held by Huobi matches the amount required to cover an anonymized set of customer balances. I am attesting to the root hash of a merkle tree containing all balances that were considered in the audit. If you are a customer of Huobi, you'll be able to verify using open-source tools that your balance at the time of the audit is part of this root hash. If it is and if you believe that I am trustworthy, then you can be confident that your balance was matched by an equivalent or greater amount of bitcoins in the block chain at the time of the audit.
The most difficult part of an audit is normally to verify that the exchange is not under-reporting the number and balances of account holders. With this approach each account holder can verify that they were considered in the audit. At the same time it maintains absolute privacy for customers, the auditor only sees anonymized balances and the general public only sees the overall level of reserves.
Note that there are limitations to this type of audit. It does not verify an exchange's fiat assets and liabilities or other aspects of their balance sheet. It is also difficult to prove definitively that the bitcoins in question are actually owned by the exchange versus being on loan for instance.
In order to reduce reliance on the auditor, the audit should be repeated using different auditors at different times.
Claims
======
Claim 1: Huobi controls a certain amount of Bitcoins.
Proof: Huobi provided a JSON file with a list of their Bitcoin addresses and balances. I used the `cryptoshi audit` command in libcoin to verify the JSON file against a copy of the block chain.
The version of libcoin used was commit 5424505e2fb5866be96e9af35874cf9c289e3ccd.
Here is the audit code used:
https://github.com/libcoin/libcoin/blob/5424505e2fb5866be96e9af35874cf9c289e3ccd/applications/cryptoshi/cryptoshi.cpp#L638-690
Claim 2: The amount from claim 1 is greater than the amount contained in the root hash of balances.
Proof: Huobi provided a JSON file containing a set of anonymized user balances. I used my own tool "easy-audit" to calculate the reserve ratio and root hash.
The version of easy-audit used was commit 663c38be6767175764d13d249a6c18905ebae76f
Available at:
https://github.com/justmoon/easy-audit
Here is the audit code used:
https://github.com/justmoon/easy-audit/blob/663c38be6767175764d13d249a6c18905ebae76f/lib/audit_reporter.js#L10-31
The tool's output was:
ASSET OWNER: huobi.com
BLOCK HEIGHT: 317899
ROOT HASH: c4d8c294ee91c8d61fc12f55750346eb4106f37effacdbc296320310bab1daf1
RESERVE RATIO: 103.52%
The actual holdings were 3.52% higher than the required holdings, meaning Huobi had greater than 100% reserves at the audit block height.
// Stefan Thomas
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
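The customer-side check described in the Statement section, as an added example that is not part of the original post and does not reproduce easy-audit's actual tree format: a Merkle tree whose nodes also commit to the sum of balances beneath them, with an inclusion proof a customer can verify against the attested root. The hashing layout, the per-customer nonce, the function names and the account data are assumptions constructed for illustration.

```javascript
// Added illustration: Merkle sum tree over anonymized balances (not easy-audit's format).
const { createHash } = require('crypto');
const sha256 = (s) => createHash('sha256').update(s).digest('hex');

// Leaf commits to a per-customer secret nonce and the balance in satoshis.
const leaf = (nonce, sat) => ({ sum: sat, hash: sha256(`leaf|${nonce}|${sat}`) });
// Interior node commits to both children's hashes and sums.
const node = (l, r) => ({
  sum: l.sum + r.sum,
  hash: sha256(`node|${l.sum}|${l.hash}|${r.sum}|${r.hash}`),
});

// Build the tree bottom-up; returns every level, leaves first. An odd node is promoted unchanged.
function buildLevels(leaves) {
  const levels = [leaves];
  while (levels[levels.length - 1].length > 1) {
    const prev = levels[levels.length - 1], next = [];
    for (let i = 0; i < prev.length; i += 2)
      next.push(i + 1 < prev.length ? node(prev[i], prev[i + 1]) : prev[i]);
    levels.push(next);
  }
  return levels;
}

// Sibling path the exchange would hand to the customer whose leaf is at `index`.
function prove(levels, index) {
  const path = [];
  for (let d = 0; d < levels.length - 1; d++, index >>= 1) {
    const sib = levels[d][index ^ 1];
    if (sib) path.push({ ...sib, left: (index & 1) === 1 });
  }
  return path;
}

// Customer side: recompute the root from own nonce and balance, compare to the attested root.
function verify(nonce, sat, path, root) {
  let cur = leaf(nonce, sat);
  for (const s of path) {
    // A negative sibling sum would let liabilities be under-reported, so reject it.
    if (!Number.isSafeInteger(s.sum) || s.sum < 0) return false;
    cur = s.left ? node(s, cur) : node(cur, s);
  }
  return cur.hash === root.hash && cur.sum === root.sum;
}

// Constructed sample data: [nonce, balance in satoshis].
const accounts = [['n1', 150000000], ['n2', 25000000], ['n3', 700000000], ['n4', 5000000], ['n5', 120000000]];
const levels = buildLevels(accounts.map(([n, s]) => leaf(n, s)));
const root = levels[levels.length - 1][0];
// Reserve ratio as in Claim 2: verified on-chain holdings over total liabilities in the root.
const reserveRatio = (assetsSat) => ((assetsSat / root.sum) * 100).toFixed(2) + '%';
```

Because the root commits to the total as well as to each leaf, the auditor can compare `root.sum` with the holdings verified on chain, while each customer only needs their own nonce, balance and sibling path.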