Audit Reserves


Established digital asset service providers must pass a proof-of-reserves audit to satisfy regulatory requirements. This PoR audit ensures customers and the public that their funds are secure, liquid, and solvent at all times; thus granting transparency regarding the availability of their assets. With this in place, clients can be fully confident knowing they have access to their money whenever necessary..

Coming Spring 2023
Verify my funds

Our Commitment to Transparency

At NYXEX, not only are we empowering our clients to trade the most innovative digital assets on the market, but we're also ensuring that every transaction is maximally secure and transparent. Through our comprehensive Proof of Reserves audits, all customers can quickly verify their account balances—all with just a few simple clicks!

Twice a year, trusted auditors use sophisticated cryptographic accounting processes to verify that NYXEX is meeting and surpassing the accountability standards of legacy financial firms by providing unprecedented transparency in multiple markets - this is known as Proof of Reserves.

What is Proof of Reserves?

An independent Proof of Reserves audit is carried out by a third-party auditor to guarantee that the custodian retains all resources owned on behalf of their customers. This inspector takes a confidential snapshot of all financial balances held and compiles them into Merkle tree—a secure data arrangement that contains client account balances. By executing this verification process, clients can rest assured knowing their holdings are safe and secure with the custodian.

Subsequently, the auditor obtains a Merkle root: an exclusive cryptographic signature that documents the combination of these balances when the snapshot was taken.

The auditor then acquires digital signatures from NYXEX, demonstrating the ownership of on-chain addresses with publicly verifiable balances. Subsequently, these amounts are compared and checked against those held in a Merkle tree to confirm that client assets have been reserved at full capacity.

Clients can easily validate that their funds were included in a Proof of Reserves audit by comparing some data with the Merkle root. Any adjustment made to the rest, even the smallest one, will alter the root – making any manipulation unmistakable.

Verifying that your account was audited

Follow the steps below to cryptographically verify the inclusion of your NYXEX account balance in the most recent Proof of Reserves.

Note: This verification will only reflect your account's balances in the supported assets at the time of the audit. It will not reflect any subsequent trades or transactions, nor will it reflect balances held in assets that are not covered by the audit.

1. Log in to your NYXEX account and navigate to your account settings (Profile > Audit Reserves).

2. Your account will display recent audits in which your account balance was verified, the associated Audit ID, the date of the audit, the name of the firm conducting the audit, and the type of audit that was conducted. The Audit ID is the identifying string associated with a particular audit; as NYXEX expects to be conducting regular Proof of Reserves audits, it’s important that each is uniquely identifiable.

3. Select the audit date you want to verify. Here, you will find confirmation of the audit type, your Record ID (specific to your account and this particular audit), the assets that were covered, and your asset balances at the time of the audit.

The Record ID enables you to independently confirm that your account balance was included, via the third-party auditor.

Verifying your record with the auditor

Simple:
The quickest way to verify your account record is by using the third-party auditor’s portal with your Record ID:
1. Copy the Record ID corresponding with your account and the specified audit (refer to the previous section to locate this).
2. Visit the website of the third-party auditor responsible for the Proof of Reserves audit.
3. Enter your Record ID in the third-party auditor’s portal. The auditor’s website will use this ID to find the record of the cryptocurrency held in your account on-chain at the time of the audit.
4. Verify your balances.

Advanced:
Tech-savvy clients may wish to independently reconstruct their particular Merkle Tree leaf node hash and look up their balances in the third-party auditor tool using this hash, rather than just the Record ID.

This allows clients to verify that their Record ID (as well as the associated balances of their account at the time of the audit) were included in the Merkle Tree structure, which resulted in the Root Hash published by the auditor:
1. The audit details on kraken.com also include an "Account Code", another code unique to your account and this particular audit, which avoids any identifying code from being reused across audits.
2. You’ll also see a Merkle Hash that you can either use directly or reconstruct (per below) using details of your account and the particular audit. The Merkle Leaf that you’ll use for lookup on the auditor tool is the first 16 characters of the SHA256 of this Merkle Hash.
3. The requisite steps, in pseudocode, to reconstruct the Record ID and Merkle Leaf from your Account Code, Kraken IIBAN, Audit ID and Balances are outlined below. Note that the results are sensitive to the particular string formatting of balances, and the order of assets audited, as displayed on the Audits page.

Record ID = SHA256(concatenate(Account Code, Kraken IIBAN, Audit ID))
Balances = ""
ForEach Asset:
• Balances = concatenate(Asset, ":", AssetBalances[asset])
• Merkle Hash = concatenate(Record ID, “,”, Balances)
• Merkle Leaf = substring(SHA256(Merkle Hash), 0, 16)

Specific examples are also demonstrated in the code snippets below. The resulting Merkle Leaf is also visible on the audit details to help confirm you’ve reconstructed this correctly.

Phyton

import hashlib

account_code = "8dc20f34da8cea8dd0f46b001694f5123ecd30d786c5eb92ad1a013703a4f8d1"
iiban = "AB12C34DEFG5KSQI"
audit_id = "PR30JUN22"
record_id = hashlib.sha256((account_code + iiban + audit_id).encode('utf-8')).hexdigest()

balances = "ADA:15129.4,ADA.S:0.0,BTC:0.2600852178,BTC.M:1.25,DOT:50.0,DOT.S:20.5,DOT.P:0.0,ETH:5.27518778,ETH2.S:10.123,USDC:50000.0,USDT:0.0,XRP:0.000002"

print("Record ID: {}".format(record_id))
print("Merkle Hash: {}".format((record_id + "," + balances)))
hash_result = hashlib.sha256((record_id + "," + balances).encode('utf-8')).hexdigest()
print("SHA Result: {}".format(hash_result))
print("Merkle Leaf: {}".format(hash_result[0:16]))

Rust

use sha2::{Digest, Sha256};

const ACCOUNT_CODE: &str = "8dc20f34da8cea8dd0f46b001694f5123ecd30d786c5eb92ad1a013703a4f8d1";
const IIBAN: &str = "AB12C34DEFG5KSQI";
const AUDIT_ID: &str = "PR30JUN22";
const BALANCES: &str = "ADA:15129.4,ADA.S:0.0,BTC:0.2600852178,BTC.M:1.25,DOT:50.0,DOT.S:20.5,DOT.P:0.0,ETH:5.27518778,ETH2.S:10.123,USDC:50000.0,USDT:0.0,XRP:0.000002";

fn main() {
    let mut record_hasher: Sha256 = Default::default();

    record_hasher.update(ACCOUNT_CODE);
    record_hasher.update(IIBAN);
    record_hasher.update(AUDIT_ID);

    let record_id = format!("{:x}", record_hasher.finalize());
    let merkle_hash = format!("{},{}", record_id, BALANCES);

    let mut merkle_hasher: Sha256 = Default::default();
    merkle_hasher.update(&merkle_hash);
    let merkle_result = format!("{:x}", merkle_hasher.finalize());

    println!("Record ID: {}", record_id);
    println!("Merkle Hash: {}", merkle_hash);
    println!("SHA Result: {}", merkle_result);
    println!("Merkle Leaf: {}", &merkle_result[..16]);
}

Go

package main

import (
	"crypto/sha256"
	"fmt"
)

func main() {

	accountCode := "8dc20f34da8cea8dd0f46b001694f5123ecd30d786c5eb92ad1a013703a4f8d1"
	iiban := "AB12C34DEFG5KSQI"
	auditId := "PR30JUN22"

	secret := accountCode + iiban + auditId

	data := []byte(secret)
	hash := sha256.Sum256(data)
	recordId := string(hash[:])
	fmt.Printf("Record ID: %x\n", recordId)

	balances := "ADA:15129.4,ADA.S:0.0,BTC:0.2600852178,BTC.M:1.25,DOT:50.0,DOT.S:20.5,DOT.P:0.0,ETH:5.27518778,ETH2.S:10.123,USDC:50000.0,USDT:0.0,XRP:0.000002"

	merkleHash := fmt.Sprintf("%x%s%s", recordId, ",", balances)
	fmt.Printf("Merkle Hash: %s\n", merkleHash)

	hashResult := sha256.Sum256([]byte(merkleHash))
	hashResultStr := string(hashResult[:])
	fmt.Printf("SHA Result: %x\n", hashResultStr)
	fmt.Printf("Merkle Leaf: %x\n", hashResultStr[0:8])

}

Bash

#!/bin/bash

ACCOUNT_CODE="8dc20f34da8cea8dd0f46b001694f5123ecd30d786c5eb92ad1a013703a4f8d1"
IIBAN="AB12C34DEFG5KSQI"
AUDIT_ID="PR30JUN22"
RECORD_ID=$(echo -n "${ACCOUNT_CODE}${IIBAN}${AUDIT_ID}" | sha256sum | head -c 64)
BALANCES="ADA:15129.4,ADA.S:0.0,BTC:0.2600852178,BTC.M:1.25,DOT:50.0,DOT.S:20.5,DOT.P:0.0,ETH:5.27518778,ETH2.S:10.123,USDC:50000.0,USDT:0.0,XRP:0.000002"
MERKLE_HASH="${RECORD_ID},${BALANCES}"
HASH_RESULT=$(echo -n ${MERKLE_HASH} | sha256sum | head -c 64)

echo "Record ID: ${RECORD_ID}"
echo "Merkle Hash: ${MERKLE_HASH}"
echo "SHA Result: ${HASH_RESULT}"
echo "Merkle Leaf: $(echo -n ${HASH_RESULT} | head -c 16)"

Shortcomings and Future Improvements

To continue our commitment to transparency, we are publicly sharing some of the areas where improvement can be made in regards to the Proof of Reserves process.

• Verifying Reserves requires proof of command over on-chain funds at the time of auditing, but does not guarantee control of potentially replicated private keys by malicious actors.

• The process is unable to uncover any secret encumbrances or guarantee that funds were not taken for the purpose of fulfilling the audit. Moreover, keys could have gone missing and money stolen since the most recent audit.

• To ensure that the auditee's actions remain honest and fair, it is essential to have a reliable auditor who is not only knowledgeable but also unbiased. This reduces any potential risk of deception or collusion between all parties involved.

To address these issues, we collaborate with credible and trusted independent third party companies to provide Proof of Reserves. We conduct audits on a regular basis so that our customers can have peace of mind knowing their funds are secure.

*Note: To ensure a successful and accurate Proof of Reserves Audit, we will hire an independent accounting firm to conduct an attest engagement based on the regulations issued by the American Institute for Certified Public Accountants. The results yielded a comprehensive Independent Accountant's Report on Agreed Upon Procedures that highlighted specific procedures performed as well as key conclusions reached.

Verify my Audit
Coming spring 2023