https://www.kraken.com/security/auditBig thanks to Stefan Thomas, CTO of Ripple Labs (founder of WeUseCoins.com, BitcoinJS, and Bitcointalk admin), for being our volunteer auditor.
Timing didn't work out for Stefan
to post this himself but he will confirm as soon as he is available:
-----BEGIN PGP SIGNED MESSAGE-----
=====BEGIN AUDIT REPORT=====
AUDITOR: Stefan Thomas
AUDITED ENTITY: Payward, Inc., https://www.kraken.com
ROOT HASH: 306daae528dc137c9053554c45e90a631ef859490a3ede651d488135602500a3
BLOCK HEIGHT: 289859
RESULT: >100% reserves
March 22, 2014
This post is to report on an audit I performed for the Kraken Bitcoin exchange on March 11th, 2014 and March 22nd, 2014 at their offices here in San Francisco. I've not received any payment for this audit - my personal goal with this is to help improve the stability of and confidence in the math-based currency industry overall.
The audit process is designed to allow the auditor - in this case me, Stefan Thomas - to verify that the total amount of bitcoins held by Kraken matches the amount required to cover an anonymized set of customer balances. I am attesting to is the root hash of a merkle tree containing all balances that were considered in the audit. If you are a customer of Kraken, you'll be able to verify using open-source tools that your balance at the time of the audit is part of this root hash. If it is and if you believe that I am trustworthy, then you can be confident that your balance was covered by 100% reserves at the time of the audit.
Compared to audits performed by other exchanges, this approach is very strict while still maintaining absolute privacy for customers. The most difficult part of an audit is normally to verify that the exchange is not under-reporting the number and balances of account holders. With this approach each account holder can verify that they were considered in the audit.
Trust in this type of audit still requires trust in the auditor. For now, this will rest on my shoulders, but Kraken have expressed interest in doing regular audits with different auditors each time. This serves to renew the audit and also to increase the confidence in the audit process and the validity of the result.
Claim 1: Kraken controls a certain amount of Bitcoins.
Proof: Kraken provided a JSON file with a list of their Bitcoin addresses and balances. I used the `cryptoshi audit` command in libcoin to verify the JSON file against a copy of the block chain.
The version of libcoin used was commit f8c66accf2af88c039bd7c6678da7a338b8befa0.
Here is the audit code used:https://github.com/libcoin/libcoin/blob/f8c66accf2af88c039bd7c6678da7a338b8befa0/applications/cryptoshi/cryptoshi.cpp#L637-691
Claim 2: The amount from claim 1 is greater than the amount contained in the root hash of balances.
Proof: Kraken provided a binary file containing a set of user balances. This binary file can read and manipulated using the tool "krakendb".
The version of krakendb used was commit 78d3504a7d68256a9a664125fa86a224c479ad42
Available at: https://github.com/payward/krakendb
To calculate the sum of all balances in the tree as well as a merkle tree of all balances, I used the "krakendb root" command. The root hash was:
The actual holdings were very slightly (< 0.5%) above the required holdings, meaning Kraken had greater than 100% reserves at the audit block height.
// Stefan Thomas
=====END AUDIT REPORT=====
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)
-----END PGP SIGNATURE-----