Bitcoin Forum

I wonder if there is any demand from the Bitcoin community for an auditing service. Currently, the most suitable people to audit Bitcoin exchanges are people who have an in-depth understanding of Bitcoin - e.g. people like Roger Ver (who audited Mt. Gox in 2011), Andreas Antonopoulos (who audited Coinbase), Mike Hearn (who audited Bitstamp), and Stefan Thomas (who audited Kraken).

Only problem is, those who have the technical capability to audit Bitcoin exchanges do not have the capability or knowledge to properly audit the fiat aspects of a business. And the people who have the capability to properly conduct an audit of the fiat aspects of a business (typically performed by charted professional accountants) do not have the technical know-how to audit the Bitcoin side of things.

Why is the fiat component important? If you're dealing with an exchange, it is possible for a business to make up for its shortage of BTC by borrowing or buying BTC with fiat. Someone like Roger Ver or Andreas Antonopoulos would look at the Bitcoin wallet and think that everything is OK, but a closer look at the fiat side might indicate that the exchange is actually insolvent.

NXT has an auditing service called NXTInspect which calls itself "the first crypto audit service". They look at whether a security listed on the NXT asset exchange is legitimate or not by looking at its business plans. This is great but NXT assets typically don't deal with fiat, so while their team may be competent enough for auditing the crypto side of things, they are unlikely to have the accounting know-how to undertake a proper audit of the fiat dealings of a business.

What do you think? Do you think that having a Bitcoin auditing business which teams up fiat experts with crypto experts is a good idea?

Regularly audit check is really needed , exchanges / offchian services should also provide their 100% reserve 24/7 .
But , the platforms especially Chinese exchanges refuse to prove they are doing a clear biz . And you can't enforce them to do this .
That's the real painful problem . 

bitlicense will solve this, what do u think

It's more likely that a real auditing firm would get some Bitcoin expertise if they needed to audit a Bitcoin-oriented firm. Auditing firms audit all kinds of hard-to-audit companies. Bitcoin companies aren't that hard to audit - so far, they're basically cash businesses. Asset valuation isn't a big problem.

The problem is that suckers Bitcoin users have been putting their trust in  un-audited companies. Is Bitstamp broke? We don't know.

auditing service is important to check the exchange's bitcoin or fiat balance, or check the technical strength  or potential bugs that may be existing. It will make the exchange embedded with the highest level of protection.

Well you do have a good point there and I think when it comes to implementation, it won't be that hard as long as the two groups of people, one as bitcoin expertise, another as chartered accountant, can team up and work together to achieve the common goal.

The real problem is...who's paying the auditors and who do they work for?

The last thing you want is a conflict of interest where the exchanges in question are hiring their own auditors under the table.

With real life business auditors in the U.S., they're sub-contracted by the government...so they're held to the highest standards should they misreport any information. 

I think it is a very good idea. The auditing service should join Bitcoin specialist that will learn about audititing and audit specialist that will learn about Bitcoin.

Apologies for digging up a slightly older thread but the recent analysis of the Mt. Gox coins kind of re-piqued my interest.


I'm not sure if it should be compulsory though.

There will always be different interpretations of what level of security and what type of security practices are sufficient for an exchange or business and some people might prefer to deal with companies that are quite lax about their security knowing fully well the risks of doing so.

Alternatively, some people might prefer to deal with companies that have higher standards of security than others in the industry.


This is possible. There are far more accountants than Bitcoin experts though. Also, it would be preferable if whoever supplied the Bitcoin expertise was a developer or an otherwise highly regarded member of the community.


Wouldn't an auditing service that accepts bribes eventually be discovered and suffer from a ruined reputation? Auditing services have an incentive to remain impartial and unbiased since if they are suspected of not being so, their accreditation will become meaningless and others will jump in and take their place.

Yes, definitely. Every single BTC investment service, exchange, cloud, staking wallet, etc. should have their services audited by a reputable company. This is an example of good business practice, it adds to credibilty and transparency of the company which translated into new investments. Stop with that anonymity shit, that brings no good to anyone.

Anonymous services will always be less reputable compared with non-anonymous services when everything else is equal but I don't think anonymity is always a bad thing. BTC-e is an anonymous exchange but they make up for it by providing a great service and not running off with their customers' coins despite having had many opportunities to do so in the past. They were also hacked at one stage but were able to reimburse everyone's funds and have continued to provide a great service since then.

On the other hand, an anonymous exchange can't really be audited as thoroughly as a non-anonymous one but some parts of the audit such as proof of reserves can still be performed regardless of anonymity.

Then there are other types of businesses where being anonymous might even be necessary. Gambling sites usually have anonymous owners, and for good reason too - since governments tend to look down on that sort of stuff. Mixing services might also benefit from having anonymous owners since it means that they can't be tracked down and forced to reveal their customers' identities.

Good idea. A successful audit would greatly improve the credibility of an exchange. ...and we will always have some smaller, more shady exchanges for our pump and dumps :).

in 99.9% cases, people choose anonymity cause they have something to hide. Either some kind of scam, tax fraud, drugs, etc. I simply do not want to be related to anything like that. If you analyze it a bit more, this relationship between BTC and criminal activities is probably number 1 reason people list for NOT getting into BTC. So, if you are legit and you know this prevents market acceptance, why support anonymity?

Wouldn't the audit need to be repeated, every single minute, by an automated process, that locks down the exchange and if necessary doublespends hacked BTC with a higher fee to an emergency evac address, as soon as any funny business is detected?

Are we talking about exchanges here or other types of businesses like the ones I previously mentioned which might have a legitimate need to stay anonymous? (e.g. gambling sites, mixers, VPNs, etc.)

When it comes to exchanges, I agree that non-anonymous ones are preferable over anonymous ones but I'd much rather do business with an anonymous exchange that has been running for 3 years without serious issues than a brand new one with no reputation or worse yet, a scammy one that isn't anonymous. I don't know why the owners of BTC-e feel they need to remain anonymous but in a world where 90% of anonymous Bitcoin services have turned out to be scams (plus a good 50-70% of non-anonymous ones), they are probably more of an exception rather than the norm.

It's a free market so there will always be anonymous and non-anonymous exchanges, dice sites, mixers, cloud mining firms, investment firms, payment processors, shops, etc. I believe the option of doing business with only those that have passed an auditing process should exist (currently no such auditing services exist) but those who wish to risk their money and do business with non-audited companies which may or may not be anonymous should be free to do so as well.

If enough people choose to stay away from businesses with anonymous owners, then they will go out of business or their owners will be forced to reveal their identities so if you believe that anonymous owners are a problem, then it's a self-correcting one.

And there are plenty of companies that turned out to be scams where the owners were publicly known. For example, BFL, Mt. Gox, the Moolah CEO, etc.


Frequent audits would be preferable but it wouldn't need to be any more or less frequent than those for non-Bitcoin businesses. Mt. Gox was audited in 2011 but the results of that audit had no relevance by the time it collapsed in 2014. An audit once or twice every year or so would have been much better since even a yearly audit would have found serious problems with the exchange much earlier compared to not doing one at all.

Yes

But the companies do hire and pay the auditors, that's how it works. But as Bizmark13 said, no audit firm will damage their reputation by accepting the bribe. Look at what happened to Arthur Andersen LLP after the Enron scandal (no bribe involved, but failed to do the job properly), they pretty much don't exist anymore and they were one of the 'Big Five'.


This. Once the bitcoin businesses start falling under 'statutory audit requirements' we'll likely see audit firms using either internal or external experts (there will be some nice well-paid job opportunities). What I wonder is how does one become official cryptocurrency expert. There is no officially recognised qualifications/certificates afaik, although Princeton University offers some Bitcoin course, but don't know about anything else.

As for BitStamp, they will have to file their 2014 accounts in the next 3 months, I hope they'll be more detailed than the last one (and hopefully audited).

There's a huge demand in my opinion, but the biggest problem is: Who should we trust? The general consensus here is that it should be some sort of 'respected' authority in the financial world. Some sort of independent party. Of course this problem doesn't arise with the amounts of BTC held with the exchanges - that's pretty simple to prove!

That authority is called 'statutory auditor' and there are few well-known international firms (PWC, KPMG etc) that could do the job.

Since there's high competition between exchanges, hopefully some of them will opt for voluntary audit and gain the advantage over competitors showing they have nothing to hide. I'm surprised we haven't seen that yet.

If you want to prevent a second MtGox, you have to audit these exchanges on a regular basis. From what I have read recently, the supposed <hack> at MtGox, was due to small amounts being stolen on a daily basis. This would have been prevented, if it was audited regularly.

There are even some people, who are asking for a Crypto currency audit on the protocol level for all Alt coins.

Huh, interesting - I'm not that familiar with the financial world. Well, I think Kraken did something like that though, didn't they? Back in Gox's big days they still proved their BTC-wise solvency by sending around a huge transaction... :D

There is a demand for an organization which audits some of the major bitcoin exchanges, these exchanges require documents from the users according KYC/ AML policies , and we should also like wise get an independent third party audit of these exchanges. These auditing reports will ensure that these exchanges are transparent and are running fair business.

If I'm reading http://blog.wizsec.jp/2015/04/the-missing-mtgox-bitcoins.html right, the theft effectively started right after the 2011 audit. So if another audit had been done a year later, it would been the better part of 365 days too late. Hence my question above.

So far, it has mostly been the developers who did the audits:


This won't be scalable once more and more businesses start popping up though so you do have a good point. Since cryptocurrencies are such a new thing, experience in the field is probably more important at this stage than having a degree although having the latter also helps. For example, I'd much rather trust someone like Vitalik Buterin (who despite not having a degree, knows far more about Bitcoin and cryptocurrencies than most people) to audit an exchange than your typical comp sci graduate who probably doesn't know a thing about Bitcoin.

As for what academic degrees might be of most relevance to being a Bitcoin expert, computer science and a cryptography are the majors that come to mind. Even so, someone with degrees in either or both these fields would still need to be highly familiar with how Bitcoin works in order to call themselves a Bitcoin expert.



Kraken passed an audit by Ripple developer Stefan Thomas which only looked at their BTC reserves:

http://www.coindesk.com/krakens-audit-proves-holds-100-bitcoins-reserve/

Proof of reserves is only one step towards a full-scale audit. It's much, much better than nothing, but a truly comprehensive audit should also look at the fiat side of things to insure that the exchange isn't actually insolvent (since they could have purchased the coins with their customers' fiat deposits) as well as how their security is set up and what security measures are in place to protect against the possibility of future attacks.


Some exchanges have already opted to undergo a voluntary audit (see the examples in my original post) although most of these weren't as comprehensive as full audits for the reasons I mentioned above.


Yes, regular audits are good. Mt. Gox was audited in 2011 but the results of this audit had no relevance by 2014.


The auditing process for an altcoin is pretty much just a code review, isn't it? That's far easier to do, especially since no fiat is involved and most altcoins don't differ significantly from Bitcoin/Litecoin. I think many exchanges already look at the code of new altcoins before they add it to their exchange. I know Poloniex does this for all their new coins.


Agreed.


Well of course the more frequently the audits are done, the safer it is security-wise. But eventually you reach a point where it would become impractical. If Mt. Gox chose to audit themselves every year, then at least the damage would have been minimized to a single year and detected much sooner vs. not being audited at all which was the actual situation. Those who believe that yearly audits to be too infrequent could take their business to another exchange that might offer more frequent audits as a bonus security feature (although the costs would probably be translated to higher fees). You'd essentially be paying more for a higher level of security.

I'm very sure that there is an insanely high demand for such services. There also need to be clear regulations and guidelines on how to do that. There need to be fixed rules and criteria, an exchange has to abide by. Preferably those criteria will be enforced by the governments, I'll leave that way they can really be enforced.