Here is the final audit report for the OKCoin audit.
As always, an audit does not constitute an endorsement and it does not address any risks outside of present insolvency. It's also not infallible: exchanges can borrow money or ask others to sign their audit message. Finally, until we can implement fully zero-knowledge, cryptographically provable audits, you have to trust the auditor, i.e. me, to have done my job correctly.
Also same as always, I did not receive any compensation for the audit and I did it in my free time. I requested the exchange donate any fees they would have paid me to a charity of my choice: Ludwig von Mises Institute For Austrian Economics Inc. in Auburn, Alabama.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
AUDITOR: Stefan Thomas
AUDITED ENTITY: OKCoin Inc.,
https://www.okcoin.cn
ROOT HASH: dbb26444331293a04b289ba632b8f942b550d6873fed1afd6c53fca52825d1c7
BLOCK HEIGHT: 316837
RESULT: >100% reserves
August 21, 2014
San Francisco
This post is to report on an audit I performed for the OKCoin Bitcoin exchange on August 21st, 2014 from my home office here in San Francisco. I've not received any payment for this audit - my personal goal with this is to help improve the stability of and confidence in the math-based currency industry overall.
Statement
=========
The audit process is designed to allow the auditor - in this case me, Stefan Thomas - to verify that the total amount of bitcoins held by OKCoin matches the amount required to cover an anonymized set of customer balances. I am attesting to the root hash of a merkle tree containing all balances that were considered in the audit. If you are a customer of OKCoin, you'll be able to verify using open-source tools that your balance at the time of the audit is part of this root hash. If it is and if you believe that I am trustworthy, then you can be confident that your balance was matched by an equivalent or greater amount of bitcoins in the block chain at the time of the audit.
The most difficult part of an audit is normally to verify that the exchange is not under-reporting the number and balances of account holders. With this approach each account holder can verify that they were considered in the audit. At the same time it maintains absolute privacy for customers: the auditor only sees anonymized balances and the general public only sees the overall level of reserves.
Note that there are limitations to this type of audit. It does not verify an exchange's fiat assets and liabilities or other aspects of their balance sheet. It is also difficult to prove definitively that the bitcoins in question are actually owned by the exchange versus being on loan for instance.
In order to reduce reliance on the auditor, the audit should be repeated using different auditors at different times.
Claims
======
Claim 1: OKCoin controls a certain amount of Bitcoins.
Proof: OKCoin provided a JSON file with a list of their Bitcoin addresses and balances. I used the `cryptoshi audit` command in libcoin to verify the JSON file against a copy of the block chain.
The version of libcoin used was commit 5424505e2fb5866be96e9af35874cf9c289e3ccd.
Here is the audit code used:
https://github.com/libcoin/libcoin/blob/5424505e2fb5866be96e9af35874cf9c289e3ccd/applications/cryptoshi/cryptoshi.cpp#L638-690
Claim 2: The amount from claim 1 is greater than the amount contained in the root hash of balances.
Proof: OKCoin provided a JSON file containing a set of anonymized user balances. I used my own tool "easy-audit" to calculate the reserve ratio and root hash.
The version of easy-audit used was commit 663c38be6767175764d13d249a6c18905ebae76f
Available at:
https://github.com/justmoon/easy-audit
Here is the audit code used:
https://github.com/justmoon/easy-audit/blob/663c38be6767175764d13d249a6c18905ebae76f/lib/audit_reporter.js#L10-31
The tool's output was:
ASSET OWNER: okcoin.cn
BLOCK HEIGHT: 316837
ROOT HASH: dbb26444331293a04b289ba632b8f942b550d6873fed1afd6c53fca52825d1c7
RESERVE RATIO: 104.86%
The actual holdings were 4.86% higher than the required holdings, meaning OKCoin had greater than 100% reserves at the audit block height.
// Stefan Thomas
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
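
The customer-side check described in the Statement, as an added example that is not part of the original post and is not easy-audit's code: a Merkle sum tree in which each node commits to the balances beneath it, so a customer can confirm their balance is counted in the attested root and the auditor can compare the root's total with on-chain reserves. The node encoding, nonces, balances and reserve figure are assumptions constructed for this sketch, not OKCoin's data or easy-audit's format.

```javascript
// Added illustration: the leaf/node encoding here is an assumption,
// not the format used by easy-audit or by OKCoin.
const crypto = require('node:crypto');
const sha256 = (s) => crypto.createHash('sha256').update(s).digest('hex');

// A leaf commits to a per-customer secret nonce and a balance in satoshis.
const leaf = (nonce, sum) => ({ sum, hash: sha256(`leaf|${nonce}|${sum}`) });

// An interior node commits to both child sums as well as both child hashes,
// so no balance can be dropped or shrunk without changing the root.
const parent = (l, r) => ({
  sum: l.sum + r.sum,
  hash: sha256(`node|${l.sum}|${l.hash}|${r.sum}|${r.hash}`),
});

// Build every level bottom-up; an unpaired node is carried up unchanged.
function buildLevels(leaves) {
  const levels = [leaves];
  while (levels[levels.length - 1].length > 1) {
    const cur = levels[levels.length - 1];
    const next = [];
    for (let i = 0; i < cur.length; i += 2)
      next.push(i + 1 < cur.length ? parent(cur[i], cur[i + 1]) : cur[i]);
    levels.push(next);
  }
  return levels;
}

// Exchange side: the sibling path handed to the customer owning leaf `index`.
function prove(levels, index) {
  const path = [];
  for (let d = 0; d < levels.length - 1; d++, index >>= 1) {
    const sib = levels[d][index ^ 1];
    if (sib) path.push({ ...sib, left: (index & 1) === 1 });
  }
  return path;
}

// Customer side: recompute the root from own nonce and balance plus the path.
function verify(nonce, balance, path, root) {
  let node = leaf(nonce, balance);
  for (const s of path) {
    // A negative sibling sum would let an exchange hide liabilities.
    if (!Number.isSafeInteger(s.sum) || s.sum < 0) return false;
    node = s.left ? parent(s, node) : parent(node, s);
  }
  return node.hash === root.hash && node.sum === root.sum;
}

// Constructed sample: five anonymized accounts totalling 10 BTC.
const accounts = [['n0', 150000000], ['n1', 25000000], ['n2', 700000000],
                  ['n3', 5000000], ['n4', 120000000]];
const levels = buildLevels(accounts.map(([n, b]) => leaf(n, b)));
const root = levels[levels.length - 1][0];
// Auditor side: on-chain reserves divided by total committed liabilities.
const reserveRatio = (reserves) => reserves / root.sum;
```

A customer only needs their own nonce, balance and sibling path; the other accounts' nonces and individual balances never leave the exchange.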