Can OKX's PoR Self-Audit Feature Improve Transparency?
Proof of Reserves (PoR) is an audit method used to prove whether an exchange's on-chain reserves are sufficient to cover all user assets held on the exchange. It involves two key pieces of data: exchange reserves and user asset balances. When the reserve ratio (reserves divided by balances) is greater than or equal to 100%, it proves that the platform's reserves are sufficient and the user's assets are safe enough.
To verify user assets, OKX uses a data structure called a "Merkle tree". In the Merkle tree, user asset information is stored as anonymous snapshots in leaf nodes, and the information in all leaf nodes is passed up through the upper node layers and aggregated into the root node, which completes the record of all user assets. As long as a user's asset information is included in a leaf node, it can be proved that their assets are included in OKX's total user assets. If the user's assets change, the change is also reflected in the root node data. To verify the exchange reserves, OKX published a set of crypto addresses so that the assets in its wallets are visible to the public.
PoR can improve the transparency of the exchange, but two questions remain. First, are all users' assets recorded in the Merkle tree? Second, do the addresses disclosed by the exchange really belong to the exchange? In response to these two questions, OKX has launched a set of open-source verification tools that any user can run to check for themselves.
Let's start with the first question. After logging in to my OKX account, going to the "Audits" page and clicking "Details", I can see the data for my assets in this audit. In "Details", I can get the data needed to manually verify whether my assets are included in the Merkle tree.
I copy the data into a .json file. It contains data on the different heights and nodes in the Merkle tree.
When I use the MerkleValidator provided by OKX to verify this file, the tool prints "Merkle tree path validation passed", which means that the data passes verification and my assets have been included in the Merkle tree snapshot. The verification result also shows the $BTC, $ETH and $USDT balances recorded by the root node of the Merkle tree. These are consistent with the user asset holdings displayed on the OKX official website.
If I change a few numbers in the data file and then verify again, the MerkleValidator shows "Merkle tree path validation failed", indicating that the verification fails.
MerkleValidator is available to all users. If each user can verify that their assets are included in the Merkle tree, then it can be proved that all users' assets are recorded in the Merkle tree.
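The kind of path check described above can be pictured with a small Merkle tree in which every node carries a balance and each parent's balance is the sum of its children. This is an added example, not OKX's code or file format: the node layout, the use of SHA-256, the function names and the four sample users are assumptions made for illustration.

```python
import hashlib

def leaf(user_id_hash, balance):
    """Leaf node: (hash, balance) for one anonymised user snapshot."""
    digest = hashlib.sha256(f"{user_id_hash}:{balance}".encode()).hexdigest()
    return digest, balance

def parent(left, right):
    """Parent commits to both children's hashes and balances; balance is their sum."""
    (lh, lb), (rh, rb) = left, right
    digest = hashlib.sha256(f"{lh}:{lb}:{rh}:{rb}".encode()).hexdigest()
    return digest, lb + rb

def verify_path(user_leaf, path, published_root):
    """Recompute the root from a leaf and its sibling path, then compare."""
    node = user_leaf
    for sibling_hash, sibling_balance, side in path:
        if sibling_balance < 0:  # a negative sibling could hide liabilities
            return False
        sibling = (sibling_hash, sibling_balance)
        node = parent(sibling, node) if side == "left" else parent(node, sibling)
    return node == published_root

# Constructed sample data: four users, balances in integer units.
LEAVES = [leaf("user-a", 150), leaf("user-b", 275),
          leaf("user-c", 50), leaf("user-d", 525)]
N01 = parent(LEAVES[0], LEAVES[1])
N23 = parent(LEAVES[2], LEAVES[3])
ROOT = parent(N01, N23)  # what the exchange would publish

# Path for user-c: sibling leaf on the right, then the left subtree.
PATH_C = [(*LEAVES[3], "right"), (*N01, "left")]

if __name__ == "__main__":
    print("total liabilities in root:", ROOT[1])
    print("honest leaf:", verify_path(leaf("user-c", 50), PATH_C, ROOT))
    print("edited balance:", verify_path(leaf("user-c", 5000), PATH_C, ROOT))
```

Changing either the user's own balance or any value in the path produces a different root, which is why editing a few numbers in the data file makes validation fail.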
Then comes the second question: whether the addresses disclosed by the exchange actually belong to it. When publishing the wallet addresses, OKX shares the crypto type, amount and signature, and signs the message "I am an OKX address" with the corresponding private key. Users can download the wallet address information from the OKX website and verify it with the VerifyAddress tool. When I ran the test, the message "Verify address signature end, all address passed" appeared, proving that the verification passes and OKX owns these wallet addresses.
The result also displays the sum of $BTC, $ETH and $USDT on each wallet address, which matches the wallet assets revealed on the OKX website.
By using OKX's new PoR self-audit feature, we—and any user—can find answers to the two questions raised above, which provides better transparency than just offering audit reports. Meanwhile, this approach is also in line with the motto in the crypto community: "Don't trust, verify."