On The Brink with Castle Island - Hong Fang (OKX) on Refining Proof of Reserves (EP.467)
Episode Date: November 1, 2023Hong Fang, President of OKX, joins the show to to announce their twelfth consecutive monthly Proof of Reserve attestation and to discuss how their PoR implementation has changed over time. Covered in ...this episode: OKX's brand refresh Why OKX chose to launch their monthly PoR attestations a year ago The importance of PoR today and who is asking for it Which PoRs they looked at for inspiration How OKX evolved the procedure from inception to now The move from merkle liabilities to ZK PoL The PoR security model and how many users need to check for it to be valid Handling issues like margin, leverage, and negative balances in their attestation The relationship between Proof of Reserve and conventional audits Future directions in PoR and ways to improve Technical PoR versus audit-enhanced PoR and the role of an auditor Attacks on PoR and mitigations Common criticisms of PoR Why numerous exchanges need to do PoR for it to work overall Content mentioned: Nic Carter on Medium, The Status of Proof of Reserve as of Year End 2022 OKX Proof of Reserve Dashboard
Transcript
Discussion (0)
Hello and welcome back to On the Brink. I'm Nick Carter. This is another episode in the Proof Reserve
miniseries. Here's a funny story. Some time ago, I developed a rubric to evaluate proofs of reserve
along a few different dimensions and scored all of the major exchanges doing it at the time. I gave
OKX a sort of average score at first. They called me and asked me how they could improve their score and I
gave them some feedback and they actually implemented it. It was amazing. As of right now, OKX is one of the top
scores on my rubric. And we're releasing this episode today because they've just completed their
12th consecutive monthly POR, which is pretty impressive. Not only have they done that, but they've
also been refining the procedure the hallway, which we'll dig into in this episode. So I'm delighted
to be sitting down with Hong Fang, president of OKX to cover their work in proof of resort. Let's dig it.
Hello and welcome back to On the Brink. I'm Nick Carter. This is the POR proof of a result.
miniseries. There's always more stuff to talk about with POR. So this will certainly not be the last
episode, but this one I've wanted to do for a long time with Hong Feng, president of OKX.
Hong, thanks for joining us. Thank you for having me, Nick. So I feel like we've been chit-chatting
about POR for a long time. Yes. So I'm really glad we could sit down. And this is an auspicious
occasion, this is the 12th consecutive month of OKX's rebooted PR program. So,
congrats on that milestone. That's very exciting. Yeah. No, I also want to put myself on
record because, you know, since our first program back in November last year, we have been
talking in the background and because our team want to get more feedback from the industry,
particularly including yourself as a, you know, basically a POR guru,
and want to get feedback in terms of how we actually can continue to iterate and improve the program.
So really appreciate all the feedback you've given to us,
particularly those constructive ones.
So thank you.
Yeah, no, pleasure is all mine.
You know, I love it when people actually listen to me.
So, you know, that's great.
Not everyone does.
All good advice.
So, you know, before POR, let's talk.
about okay x is you're kind of having a brand refresh we were deprecating the okay coin name and we're
going okay x am i right about that yeah that's right yeah we have put that in motion already um we have
a global platform for okay coin um end of last year early this year we decided to uh bring okay coin and
okay x together and and after a lot of internal work we started to uh to bring the two brands together
So for OKCoin, we are starting jurisdiction by jurisdiction where we feel ready from both external and internal product perspective.
So one by one, yeah.
So Singapore is done.
Most of the other jurisdictions and done are next moving to Europe and then U.S.
So it's interesting because I know you're a global organization, but where primarily you're focusing your efforts regulatory-wise these days?
It's really global.
I cannot really tell you which one is the most important one because everyone.
We have quite a few license approval and slash license applications in our pipeline.
And for each of them, our key strategy is to really, on top of our global compliance program and legal infrastructure,
we also have strong local leadership to really drive local.
both from a compliance perspective as well as from a business and product perspective.
So we have local compliance officers as well.
So there are quite a few important ones, as you can imagine, right, from Europe.
We have Europe and UK, Dubai, for MENA.
In Asia, we have Singapore and Hong Kong.
Obviously, U.S. is very important for us and we continue to work on U.S. states.
We actually have most of the states already.
MTFs, yeah.
Waiting for more clarity in the place here.
We all are.
We all are.
I feel like OKX has had a really good 2023 in terms of market share.
So congrats on that.
And you guys were all over the conference circuit as well.
Big presence that took in 2049.
So whatever you're doing, it seems to be working.
Some of our teams are definitely happy about that.
Yeah.
But more importantly, I feel like, you know, it's also combined efforts from product perspective and business perspective.
Ultimately, it's about what we built for the customers and whether those are things that can fit into local infrastructure, local framework, right?
That's, you know, that's more sustainable.
So on the proof reserve front, such an interesting topic because initially it was a very bottom-up thing with,
folks asking for it and only a small handful of exchanges doing it.
And then every time there was a major collapse like Quadriga,
actually it's always a major collapse that catalyzes.
At first you had Gawks.
There was a spate of PRs.
Actually, OK, Coin did one back in 2014.
Yeah.
Along with some others, then you had the Quadriga collapse and you had some PRs after that.
But of course, after FDX, that's when it really took off.
And then subsequent to that, now we see actual pieces of legislation,
the reference proof reserve,
Texas passed a bill.
There is an act introduced in Congress.
Senator Dittlis' Act called the Proof Act.
I now talk to regulators globally that are trying to do it.
And so this thing that really strikes me
is that it's driven by the exchanges themselves
without people strictly asking them from the top down to do it.
The exchanges themselves made the decision to do it.
So tell us a little bit about that decision
that you made to introduce
a new modernized POR system a year ago.
Yeah.
I think you nailed it.
It's really driven, unfortunately, by crisis moments in the industry.
And the bottom line is about trust, right?
When the trust score in the industry is at the lowest point, there's a stronger need
to do something about it and increase that.
There are different ways of increasing and building trust and increasing trust.
One way is to...
Regulation is definitely one.
way of approaching it. Having third-party auditor coming in and do audit is another way of doing it.
From our perspective, when FTX thing happened, we know that it's important to do a proof of reserve,
and we actually try to approach it from both angle, i.e., we do a internal technical or technological
program to prove the solvency of the platform, and then enhance it with the technology.
auditor reviewing. Unfortunately in that time frame, most of the auditors who have either done it
before or potentially will be able to do it, don't want to actually take on your clients. So I think
that is also an impetus to push us internally to really double down and focus on doing the
technical version of the on-chain POR and really nail it. Like we started in November, I think that was the
first proof of reserve that we delivered covering three assets, PTC, Ethereum, and Tether.
Those three assets cover, I think, more than 90% of the total customer assets on the platform.
We, I can talk about, you know, a lot of the things that go went into it, but, but we knew
back then that that program needs update, right? First, it needs.
automation. We want to do it monthly because it's important to not to provide just once in a
at a point snapshot to the customer, but to increase the efficiency, the frequency as much as
possible and to keep it consistent. So there's less room for maneuvering around the numbers on
exchange side. So our product and engineering team focused on automating it. And I think our
think our second program update was automated and then we keep doing it on a monthly basis.
And after that, we also, you know, obviously talking to you and a few others in the industry,
we know that there are quite a few other things that we want to kind of fix in the program.
First of all, you know, there's the liability site. The first one that we did was Merkle Tree.
but it's not a full liability exposure, a disclosure,
because if we disclose the full liability in our first version,
then theoretically people can go and check and figure out for each customer,
you know, what their activity is and like there's no privacy.
So we were kind of trying to provide more visibility at the full liability level
without sacrificing the privacy for the customer.
So for that, we actually looked at Bitmax and we thought that Bitmax approach was a pretty good one, basically randomly separating any individual customer's assets when we take the snapshot, separated it to more than one nodes.
And as a result of that, you know, that asset splitting exercise can help preserve privacy while we disclose the full liability.
So we actually updated our Proof of Reserves program in March in our fifth POR update to make it a full Merkel tree update.
So that was one major gap that we see in our first program.
The second one was the second biggest gap was the negative value of a node.
For margin accounts?
Yes.
Yeah.
Yeah.
Yeah.
When we did our exercise, that was one of the major weaknesses, if you will, that we identify
ourselves.
And we also, honestly, I think when finance did a audit, the auditor also flagged that
as well.
Right.
So essentially, from our perspective, from our platform perspective, we are not doing evil.
we're not creating a non-negative node out of nowhere to cover up.
But from a customer perspective, you know, customers don't know.
You or as a third party, you don't know.
So it's hard for you to verify.
That's where you kind of need an auditor or, you know, some way to prove that the platform is not doing that.
And every customer's value is actually non-negative is positive.
So we know back then that we actually need to do a ZK Zero Knowledge Proof upgrade to bridge that gap.
So that was the second update, major update that we did in May, which is our sixth Proof Reserve update.
We added the ZK Stark update to basically prove, among other things that for each customer,
that we have on our platform in our proof reserves update,
every customer has a non-negative asset balance with us that is being fully reserved.
Obviously, in that process, we also added more assets.
We added 18 assets in that process, which operationally is actually a lot to cover.
Yeah, I mean, it's impressive because that's a small fraction of client assets,
but there's a fixed cost associated with every distinct asset that you're adding,
especially on different blockchains.
Yeah, yeah, absolutely.
Yeah.
And the calculation is also complicated, right?
The process is complicated.
It takes up a calculation cost and then time and server and all that stuff.
Well, when you were designing your procedure,
were there other PORs that you look to for inspiration?
I know you mentioned Bitmex.
how did you determine what kind of software stack to use and things like that?
The team looked at Bitmax looked at Cracken, also checked Italics paper on ZK.
I think they started with Merkel Tree because they believed that Merckle Tree is a good starting point.
And when they implemented the Merkel Tree for the first proof of reserve,
update. They actually intentionally did something different from, I think, what Binance and some of the other
platforms did. For example, they used a summation Merkel tree method instead of a plain
macle tree method. So they actually add up all the hash value for each node layer by layer.
So it's actually some of every nodes. So there's no room to kind of
gain that.
To hide big negative balances, right?
Yeah.
And then our team also decided that we don't want to truncate the myrtle tree leaves
and instead we use the full 32 bytes.
So again, there's no room for gaming it.
And obviously we make sure that, you know, each customer has a unique ID on other stuff.
but they did a lot of analysis to decide on Mercl Tree.
And then later when they start to evaluate zero knowledge technology,
obviously there are different technologies available.
There's ZK. Stark and there's ZK. Snark.
I think those is probably, those two are a pretty close choice for our team.
And I think we marginally feel like the ZK. Stark is,
is better and more transparent and more secure.
And are there existing open source libraries
that you can use for these kinds of things?
I'm sure they do.
I don't have engineer background
so I don't think I can speak to that
as eloquently as I would like to.
But our team actually had quite a few people
with that background.
Our program is also open source as well.
Our, you know, both the Mercaltree version and the ZK version is both our open source.
So they put it out there as well.
That's one thing I've appreciated about a lot of these PR initiatives at the exchange level is open sourcing the software for reuse purposes.
So not being particularly greedy about it or anything and just hoping that even competitor exchanges end up using the same stack.
Exactly.
for the benefit of the whole industry.
So for those who aren't as familiar with the ZK liability method,
what does that prove to the user?
And what's the benefit relative to the Merkel approach?
So for our ZK Stark approach, what it basically does is it looks at all the liabilities
that we as a platform hold for our customers,
So basically all customers' assets that we as a platform mode custody for them.
So it includes all the liabilities.
It proves through zero knowledge approved technology that the exercise include all customers.
It's all inclusive.
It proves that basically the sum that we show is indeed the sum of all the customer's balance.
it also proves that for each customers included in the exercise, every customer has a positive asset balance.
Because again, customers have different assets, particularly for a platform like ours,
where the customers has more complicated product, where they can do margin, where they have leverage,
they can borrow BTC or USDT and kind of end up trading outcoins or vice versa.
So specific asset, you may see negative value, but combined, you need to make sure that each customer
has actually a positive number accounting for, you know, collaterals that they have on the platform.
So that is also included in the ZK exercise.
And then also the process, basically the process of comparing the liabilities that we have calculated for the customer.
And when you compare that to the assets that the platform holds.
So what we also do as part of the proof of reserve program is that we make public our,
public addresses, the on-chain addresses.
We started with 23,000 plus addresses when we started with the three assets.
Now we cover 22 assets actually and have like 450,000 addresses that we already put out there.
So in that calculation, the program would basically add up the assets value in those public-sized addresses and then
compare liability and assets.
So that ZK program would affirm that the two actually is comparable.
And the process of calculation and comparison has integrity.
So basically that's what it does.
It's almost functioning as a auditor.
Basically, in math, we trust.
We want to self-regulate.
We don't want to rely on the availability or trustworthiness of a auditor.
We want to make sure that we can automate as much as we can.
We can put as much as we can into the code and encourage our customers to verify for themselves.
The asset side of the attestation, you sign the addresses on chain, right?
Am I right about that?
Yeah, yeah.
We use private key to sign for the addresses.
It's an LKX address, something like that.
Do you broadcast that on chain or no?
It's on chain.
It is broadcasted on chain.
So for 400,000 addresses.
I'm not sure if we sign everyone, but we do post all those addresses.
I need to confirm if we, at least initially with the 23,000, I think we signed them.
Hopefully you can see an Ethereum.
I'm not sure as we add all the alt coins, we sign all the other addresses too.
Yeah, one, you know, I have my little proof reserve.
evaluation rubric, which I think you're familiar with. And one of my criteria is attesting to
the addresses. And not everyone does that, actually. You know, not everyone actually proves that they
have the addresses that they claim to control. Yeah. And so some exchanges ask you to take their
word for it. Yeah. Which is not good enough in my opinion. Let me, I will confirm if we have
everyone.
No, I mean, they don't have to be signed on chain.
You don't have to sign a message on chain.
I mean, you can prove ownership of an address by publishing signature, you know.
So in terms of the security model now that you've moved to ZK, do you need a sort of critical
threshold of users to do the procedure?
Or is the ZK proof that's created itself kind of sufficient at that point?
So that is actually a question that I ask our product and engineering team as well,
because I'm curious to know whether the program itself is sufficient enough.
Right.
The answer I got, a technical answer I got is, yes, it is sufficient.
As in if just one user runs the ZK proof, they can have assurances that the whole system works.
No, yeah, let me explain.
So I think what our product and engineering team working on this,
what they believe is that number one,
because our program is open-sourced.
So that program can, the integrity of the setup can be challenged,
openly challenged and verified by any way.
who has either the intention and or the capability of doing it.
So theoretically, it is there.
But putting on my regular customer hat, I would say, you know, I don't know, right,
particularly a customer who have seen this come and go and people end up just trusting and
just take the words.
And don't really, like, we would always say, verify, don't trust, but most people probably
just trust.
It's very fine.
So we have seen a lot of traffic coming to our Proof Reserve, basically, lending page.
About 600,000 unique users have come in, and quite a lot of them actually have downloaded
the code and actually do the exercise.
But internally, we haven't really mapped how many of those.
numbers of users where people who downloaded actually completed the process of verification
because it is pretty complicated, right?
It's not for everyone, let's be honest.
So when I ask them, like, how many do we actually need to prove without inviting an auditor
to say this process and program is what it is and it has integrity?
they looking around and they saw I think Misson Labs used to publish something and talk about the security of a program.
It seems that between 2 and 5 percent, if 2 and 5 percent of customers who come in and individually check their assets against the programs and confirm that it's accurate, then there's a pretty good.
high probability to say the program is what it is.
Yeah.
But I'm curious to hear your thoughts on this, you know, how, where it actually stands.
And this is actually one area that I think we would like to continue to push.
Yeah.
Yeah.
How to make the program more friendly to normal users for them to verify and increase.
Yeah.
What I expect is that ultimately.
POR moves to more real time even, you know, moving away from even monthly or even frequency
based, but basically based on your login as a user. And so technically I still have to kind of figure
out how this would be done, but that's kind of what I envision as part of your login process.
there is a kind of instantaneous proof generation.
Not entirely sure how technically feasible it is right now,
but that's one interesting place to go.
I mean, can you imagine that trust model whereby,
merely by logging into the platform,
you have the proof that your assets correspond to the liabilities.
But yeah, I know this was a debate back in kind of the Merkle tree days.
But for what you described, sorry to interrupt,
what you describe, it's also, it's still trust and not verify, right?
So it's still like, as a customer, I would take the platform's words as at the face value.
If I see in my app, it shows my, you know, it matches what I have.
I would have to take it at face value that it is what it is instead of me actually go and verify.
Like how do you actually make it easy for customers to verify in the program?
Yeah, I mean, I think basically the.
real trust model is that there's power users that are technical and are willing to do this.
And if they were to detect something, then they would say something.
And, you know, so I think that's the real immune system here is the existence of a small
number of power users that are highly motivated to do this. Like, let's say maybe other funds
that have like a fiduciary obligation maybe to evaluate the solvency of the platform.
So maybe we even do some of the bounty hunter.
you know, bounty stuff that you are doing these days for the analysis.
Yeah, no, I think that could be interesting,
user bounties to do the POR.
I remember when it was the Merkel Treatise,
one of the attacks that people would talk about with POR was
the exchange tries to guess who's going to do the verification, who's not.
And then if they guess that your account is dormant
and you're not going to,
then they give you as kind of a zero,
liability entry, even if you have large liabilities.
And so you can hide liabilities strategically by doing that.
So that was one of the attacks.
Yeah, that's a potential gap.
Yeah, I would agree.
I would need to look and see if the ZK liability method mitigates that.
That's kind of an open question.
Yeah.
But yeah, I mean, like, PR is still developing.
We're still all coming to grips with the assurances.
what it tells you what it doesn't.
And I think people often with PR,
they let the perfect be the enemy of the good.
They think, okay, here's an edge case,
here's a way that they could maybe fail,
and they kind of throw the whole procedure out as a consequence.
Yeah.
Which is, you know, and I also hear the same, like,
hey, what about just a full financial statement audit?
You know, that's better than a POR, so to speak.
But obviously that's, like, incredibly expensive
and often difficult to get.
and you can't get it with high frequency
and it doesn't prove the same set of things.
So it is,
it kind of is baffling to me sometimes
that critics of POR will,
you know,
use the fact that it's not 100% ironclad and perfect
as an excuse to throw away the procedure.
Yeah.
When it's still providing a lot of value.
Yeah, I think I'm in the same camp with you.
I think the current technical POR solutions
that we have as an industry,
and obviously on our platform is a big step forward
from an even audit perspective
because it has higher frequency.
It is on chain.
It has more transparency in the code.
You know, for the question that you were talking about
whether a platform is actually including all customer liabilities
or actually having some game theory,
guessing which customers are checking or not, right?
That, I think, is not only an issue for our technical POR program, it's the same challenge for auditor, too, in traditional finance or other traditional audit exercise.
How many times have we seen fraud?
Yeah.
That either auditor is not capable or, you know, somehow they didn't discover everything that's actually in place.
So I don't think that is something that can be actually addressed by a traditional audit piece.
However, what the POR program does not cover is the Fiat side of the situation for a platform like ours.
That part cannot be addressed on chain because it's not on chain, it's Fiat.
So that part can only be addressed by a traditional audit exercise.
unless you chose to have your Fiat reserves in stable coin format or something like that.
Right.
Yeah.
Yeah.
Yeah.
The other element there is, of course, the more legal and contractual things.
Like, where is the exchange registered?
What is the regulatory context there?
Yeah.
What is the treatment of client assets in bankruptcy?
Yeah.
And, you know, I often find myself repeating that a POR isn't complete, so to speak.
without information or assurances on those points?
Yeah, I would agree.
And also, okay, are there other hidden liabilities, big debts owed
that obviously aren't captured by the technical procedure?
Yeah.
So it's kind of a pattern of evidence,
but the technical procedure itself is essential.
I would agree.
I think my expectation is that the industry will continue to evolve
and we continue to do better as part of the self-referral.
regulation and then have a combination of the technical solution for on-chain plus the you know the financial audit that you were talking about licenses would also help right particularly licenses with strong jurisdictions in those jurisdictions that the bar is pretty high there and you know the onsite check from the regulators are also quite often so a combination of those I think would would help but I do think that the technical part of this is
is not replaceable by traditional means.
And it's actually a big advance forward.
And it does bother me when people say,
well,
just do a financial statement audit or something.
Because it's a completely different concept.
An audit is very broad.
I'd say it's like broad and shallow in some ways.
Like it covers like, you know,
key man risk and insurance.
and it may not even cover strictly all the assets on the platform.
Like people don't know this about audits,
but sometimes they use a sampling methodology
where they investigate a subset of the assets on the platform, right?
It's not always the case, but the point is, like, the financial statement audit,
it doesn't, it's not designed to do what a PR does.
Of course, it gives you assurances, yes.
But it's not designed to do what a PR does.
PR is narrow and deep, you know.
It covers the client liabilities and the client assets,
and it reconciles them.
At a high frequency, it's obviously cheaper than a full audit.
And it gives you very precise assurances that the funds that you are owed by the platform are there.
Yes.
That's a totally distinct concept from a, you know, big, conventional, slow-moving, infrequent.
audit. And I think people don't understand that they're more complementary than they are substitutes
for each other. Absolutely. Yeah. And also when the addresses, more addresses are made public,
theoretically, you can just monitor the inflow and outflow into those addresses.
And sometime you can identify patents, right? If the PRR program has been more of a standard
a year earlier or two year earlier, probably would be able to identify the,
the influence outflow on the FTX and Alameda
relationship earlier.
Do you remember after the Alameda balance sheet was leaked,
people started looking carefully at the FTCS Alameda wallets
and they're really like, hey, there's too much churn here,
there's too much movement, this isn't makes sense,
like, why are the funds going from FDX go right to Alameda?
And you're exactly right.
If everyone had been doing a PR at that point,
FDX would have not been able to do a PR
because they didn't have the assets, right?
Yeah.
And let's say they had done a PR.
We'd know what addresses they had for sure,
and we'd be able to evaluate the flows and see that something was amiss.
Yeah.
So PR is most functional when most of the firms in the industry do it.
And then by via negativa, you can identify the firms that are,
there's something wrong with them because they're not doing a PR, basically.
And we need a power users who can actually verify for the industry.
Yeah, we need more.
More people like me that actually are psychotic enough to actually...
Not on the bounty, but actually do it.
So in terms of your regulatory conversation, so I'm excited by the fact that policymakers worldwide that I talk to are now excited by POR.
And so Texas passed a bill, there's been two bills of the federal level here in the U.S.
that mentioned POR.
There's other regulators that are now thinking about it.
Does this come up in any of those conversations
or is this not an issue that is on the radar
for you in your regulatory conversations yet?
For our current licensing conversations with the key regulators,
this one hasn't come into the center arena yet.
not in its own,
but the focus on customer assets has always been there.
They just haven't specifically asked and make POR a mandatory piece,
but they all care about customer assets being fully accounted for.
They all care about the local entities, customers are there,
and it's separate, and it's easy to track, and, you know, those type of,
thing. They care about the lack of the confirmatory move that there is no Alameda situation.
Yeah. So those are definitely a focus area of the conversations, but to my knowledge, we haven't
specifically encountered a specific ask of making POR program a mandatory part of our fabric.
But I wouldn't be surprised if that's coming up more in the future.
I think there's probably a trend that is building up there.
Was part of your analysis that if you engage in the self-regulatory measure,
that when regulation eventually does manifest,
it's ultimately lighter touch and more accommodating
because you've proven that you can self-regulate?
I would hope so.
I would hope that not only for our platform,
but most of the platforms in the industry
does that and do it diligently and real and had enough conversations with our regulators to basically educate them what we are doing
so that ultimately when there is a regulatory framework for it, it actually goes in the right direction, right?
The worst case you want is to have regular coming and say you have to do a monthly
third-party audit and take everything off-chain and do actually off-chain stuff because that
wouldn't be heading the right direction.
Hopefully it's whatever framework that comes up with is supporting the direction of using technology,
using a trustless program and trustless system, and then enhance where it needs to be enhanced.
When you talk to your clients, especially larger ones, is this something they care about in terms of diligence in the exchange? That's the case today?
Yes, I think all the partners, institutional partners, brand partners, customers, institutional or retail. I do think that they care.
That's great. I mean, that definitely was not the case a few years ago. You know, people didn't know what PR was. They didn't understand the need for it.
I think FTCS changed everything.
Yeah, for good enough for bad.
Yeah.
I think that's good for us.
Short term, it's painful, but it raises the awareness.
It's interesting you even mentioned brand partners
because now post-FTX, they had so much branding activity
and their partners were kind of disgraced by virtue of their affiliation with them.
Yeah.
So now even your brand partners are considering the proofers or out of station
in their decision to partner with you.
I think so. I don't know if it actually plays a critical role, but I do think that having this in place and having a consistent program where we actually keep making improvements, it speaks to our commitment to the transparency and also, you know, if we put everything out there, you cannot really game, right? You don't know out of all the customers who will check and we cannot check.
Yeah, the consistency is key in the relatively high frequency, which is why in my framework,
I ask for monthly or better.
And I think the number one objection I hear about POR, here's so many, the number one is that
you can borrow funds on a short-term basis and true up your reserves if you're short,
and then you return them at the beginning of the next quarter or whatever.
Yeah.
This isn't really a real critique if you're doing it on a high frequency basis.
Absolutely.
And if you're publishing your addresses, so people can monitor the flow,
it's like they would see, oh, there's huge month-end flows every month.
They would see that.
Yeah.
It put a lot of check and balance on the system, right?
Because if you regularly borrow, people will see when you get to that point and just
like in-flow and then out-flow.
And that pattern will become very obvious.
time.
Yeah, and that's the job of an auditor normally to, I call it, it's called cash wind addressing
in traditional audit land.
Now what's interesting in crypto world is anyone can do that analysis.
Yeah.
So it's just democratizing the audit work.
Exactly.
Anything else you want to share in terms of how you feel about where you're at with PR,
future plans there?
I think we've made solid progress on this, right?
We have added assets.
We started with three.
Now we are 22.
We have increased the number of addresses we put out there from I think 30,000 to 400,000,
350, I think.
23,000 to 350,000.
It's consistent on the monthly basis.
I think the next pieces for us internally is really one to continue to improve our internal efficiency because again the way we calculate the liability side within the, you know, in the ZK program.
Because of the nature of the business model, it's quite complicated.
It takes a lot of calculation space and resources.
So, you know, we need to continue to figure out there's any room for further efficiency.
That way later we can increase the frequency from monthly to even higher frequency.
And then the second piece is what we talk about, right, how we can actually increase the trust model without relying on the third party auditor.
And it really relies in how we can get more people to actually go and verify for themselves.
From our perspective, it's about whether there is anything.
thing we can do to increase the easiness and friendliness of the checking process.
That's one piece that we are kind of thinking about how to iterate and welcome any feedback
there.
And then secondly, obviously, you know, people like you who continue to advocate in the space,
hopefully can increase the awareness and push people to do the verification more often
for themselves.
And then outside the proof of reserves program, obviously on the FISA, we need to continue to do audit.
We do have audit already in place, but hopefully we're able to upgrade to a big four audit at some point for the group level.
So that's one thing that internally we're kind of trying to pursue.
Obviously, there are additional upgrade that we want to do on the wallet system, make it entity separate and all that stuff going forward.
So there's some optimization that we are trying to do internally.
Yeah, that's a long list of things.
Good luck.
Hong, I'm grateful for the leadership that you've shown here
and your willingness to engage with folks like me.
And I think you're really setting a standard here
in terms of the right way to pursue PR.
So congrats again on 12 consecutive ones.
And I can't wait to see what you do from here.
Thank you.
And I very much appreciate our team also very much appreciate
your guidance and feedback. Without people like you, it's going to be so much harder to raise the
awareness of the industry and continue to push this forward. So thank you. Appreciate that.
