By Vitalik Buterin
Translated by @doublespending
Reviewed by ECN
Special thanks to Balaji Srinivasan and teams from Coinbase, Kraken, and Binance for discussions.
Introduction
When major centralized exchanges collapse, a recurring question emerges: can cryptography solve this? Instead of relying solely on traditional "fiat" solutions such as government licenses and audits, an exchange could publish cryptographic proofs that its on-chain reserves are sufficient to cover its liabilities to users.
This article explores historical attempts to make CEXs more trustless, technological limitations, and advanced solutions leveraging ZK-SNARKs.
Traditional Proof of Solvency: Balance Sheets and Merkle Trees
Asset Proofs (Simplified Approach)
- Public Transaction Method: Move a known amount of coins to a pre-announced address (MtGox did this in 2011).
- Off-Chain Signatures: Instead of moving funds and paying fees, sign a message with the keys that control the addresses, using the standard Bitcoin/Ethereum message-signing formats.
Liability Proofs
- Plain List: Publish every user's balance (no privacy: everyone sees everyone's balance).
- Salted Hashes: Publish (salted_hash(username), balance) pairs instead; each user checks their own entry, and the per-user salt stops outsiders from matching guessed usernames against the list.
Merkle Sum Trees:
- Leaf nodes: (salted_hash(username), balance).
- Parent nodes: (hash_of_children, sum_of_balances).
- Users verify their branch to ensure inclusion in the root.
```python
import hashlib

def build_merkle_sum_tree(user_table):
    # user_table rows are (username, salt, balance); the leaf count is padded to a power of two
    tree_size = 1 << max(len(user_table) - 1, 0).bit_length()
    padding = [(b"\x00" * 32, 0)] * (tree_size - len(user_table))
    tree = [None] * tree_size + [(hashlib.sha256(s + u).digest(), b) for u, s, b in user_table] + padding
    for i in range(tree_size - 1, 0, -1):  # node i has children 2i and 2i+1; the root is tree[1]
        (lh, lb), (rh, rb) = tree[2 * i], tree[2 * i + 1]
        tree[i] = (hashlib.sha256(lh + lb.to_bytes(8, "big") + rh + rb.to_bytes(8, "big")).digest(), lb + rb)  # hash and sum children
    return tree
```
Limitations:
- Privacy leaks: to check their branch, each user sees the balance of their sibling leaf and of every sibling subtree, so a neighbour's balance and several partial sums are exposed.
- Negative balances: a dishonest exchange could insert a fake account with balance -X to shrink the total it must back. Merkle sum trees mitigate this only if every user's verification also checks that each node on their branch carries a non-negative balance.
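The scheme above, worked through end to end as an added example (illustration code written for this page, not Vitalik's code or any exchange's implementation): the exchange builds the tree, hands each user the sibling nodes on their branch, and the user recomputes the path to the published root. The ledger, the salts and the fake `mallory` account are constructed sample data; SHA-256 and the 8-byte signed balance encoding are choices made here, not a standard. The demo also shows why each user must check that every sibling on their branch has a non-negative balance, and what a proof leaks about neighbours.

```python
import hashlib

# Constructed sample ledger rows (username, per-user salt, balance); not real exchange data.
LEDGER = [
    (b"alice", b"\x11" * 16, 100),
    (b"bob",   b"\x22" * 16, 250),
    (b"carol", b"\x33" * 16, 0),
    (b"dave",  b"\x44" * 16, 4000),
    (b"erin",  b"\x55" * 16, 75),
]
EMPTY_LEAF = (b"\x00" * 32, 0)   # padding leaf for unused slots


def make_leaf(username, salt, balance):
    # Leaf = (salted hash of the username, balance). The salt stops outsiders from
    # testing guessed usernames against the published tree.
    return (hashlib.sha256(salt + username).digest(), balance)


def combine(left, right):
    # Parent = (hash over both children including their balances, sum of the balances).
    # Balances are encoded signed so a negative child does not crash the prover;
    # catching it is the verifier's job.
    (lh, lb), (rh, rb) = left, right
    data = lh + lb.to_bytes(8, "big", signed=True) + rh + rb.to_bytes(8, "big", signed=True)
    return (hashlib.sha256(data).digest(), lb + rb)


def build_tree(ledger):
    # Heap layout: root at index 1, node i has children 2i and 2i+1, leaves fill the second half.
    size = 1 << max(len(ledger) - 1, 0).bit_length()
    tree = [None] * size + [make_leaf(*row) for row in ledger] + [EMPTY_LEAF] * (size - len(ledger))
    for i in range(size - 1, 0, -1):
        tree[i] = combine(tree[2 * i], tree[2 * i + 1])
    return tree


def make_proof(tree, index):
    # Exchange side: the branch for leaf `index` as (sibling_node, sibling_is_on_left), leaf to root.
    node = len(tree) // 2 + index
    proof = []
    while node > 1:
        proof.append((tree[node ^ 1], node % 2 == 1))
        node //= 2
    return proof


def verify(username, salt, balance, proof, root):
    # User side: recompute the branch from our own (username, salt, balance) and compare it with
    # the published root. Every sibling on the path must carry a non-negative balance; otherwise
    # the exchange could add a fake account with balance -X to shrink the total it has to back.
    node = make_leaf(username, salt, balance)
    for sibling, sibling_on_left in proof:
        if sibling[1] < 0:
            return False, "negative balance on branch"
        node = combine(sibling, node) if sibling_on_left else combine(node, sibling)
    return (True, "ok") if node == root else (False, "root mismatch")


def demo():
    tree = build_tree(LEDGER)
    root = tree[1]                                    # publish (root_hash, total_liabilities)
    dave_ok, _ = verify(*LEDGER[3], make_proof(tree, 3), root)
    _, tampered = verify(b"dave", LEDGER[3][1], 4001, make_proof(tree, 3), root)
    # Privacy leak: bob's proof exposes alice's balance plus two partial sums.
    bob_sees = [sibling[1] for sibling, _ in make_proof(tree, 1)]
    # Dishonest exchange: a fake account with -4000 cancels dave's 4000 in the published total...
    cheat = LEDGER + [(b"mallory", b"\x66" * 16, -4000)]
    ctree = build_tree(cheat)
    # ...but erin, whose leaf sits next to it, rejects her proof as soon as she checks.
    _, erin_says = verify(*cheat[4], make_proof(ctree, 4), ctree[1])
    return {
        "honest_total": root[1],
        "dave_ok": dave_ok,
        "tampered": tampered,
        "bob_sees": bob_sees,
        "cheat_total": ctree[1][1],
        "erin_says": erin_says,
    }


if __name__ == "__main__":
    print(demo())
```

The published root carries the total liabilities, so a user who verifies a branch is also checking the number the asset proof must cover. Note that the -4000 trick only works against users who never verify: here erin catches it immediately, and dave catches it too because the subtree containing mallory has a negative partial sum on his branch.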
Advanced Privacy with ZK-SNARKs
KZG Commitments + ZK-SNARKs
- Privacy: each user's salted hash and balance are stored as evaluations of a polynomial committed with KZG, so no individual user data is published in the clear.
Proofs:
- Non-negative balances via an auxiliary polynomial I(x).
- Total balance matches the claimed value.
Example constraints for I(x) (z is a 128th root of unity):
- Initial delta = 0 (the running total starts at zero).
- Each user's balance matches the value in the KZG commitment.
- Balance ≥ 0 and < 2^14 (enforced by the bit decomposition stored in I(x)).
- Final delta = 0 (the running total matches the claimed total).
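To make the constraint list concrete, here is an added example (not from the original post, and not a SNARK): a plain-Python model in which the prover lays out, per user, the balance, its 14-bit decomposition and a running total, and a verifier checks the same four constraints in the clear. The table layout, the function names and the sample balances are assumptions made for this illustration; a real system commits the tables with KZG and proves these identities inside a ZK-SNARK, so the verifier never sees the balances at all.

```python
# Plain-arithmetic model of the constraint system above. A real deployment commits the tables
# with KZG and proves these identities with a ZK-SNARK; here a verifier checks the same
# constraints in the clear, so the structure of the argument is visible.
BITS = 14                  # the bound from the text: every balance must satisfy 0 <= balance < 2**14
BOUND = 1 << BITS


def build_witness(committed_balances):
    # Prover side. Per user: the balance, its BITS-bit decomposition and the running total after
    # that user. A balance outside [0, 2**BITS) has no valid decomposition; an honest prover
    # would abort, so we emit all-zero bits and let the verifier reject the proof.
    rows, running = [], 0
    for balance in committed_balances:
        if 0 <= balance < BOUND:
            bits = [(balance >> j) & 1 for j in range(BITS)]
        else:
            bits = [0] * BITS
        running += balance
        rows.append({"balance": balance, "bits": bits, "running": running})
    return rows


def check_constraints(committed_balances, witness, claimed_total):
    # Verifier side. Returns [] if every constraint holds, otherwise the violated constraints.
    if len(witness) != len(committed_balances):
        return ["witness length differs from committed data"]
    errors = []
    previous = 0                                         # initial delta = 0
    for i, (committed, row) in enumerate(zip(committed_balances, witness)):
        if row["balance"] != committed:                  # balance must match the committed value
            errors.append(f"user {i}: balance differs from committed value")
        if any(bit * (bit - 1) != 0 for bit in row["bits"]):   # each bit is 0 or 1
            errors.append(f"user {i}: non-binary bit")
        if sum(bit << j for j, bit in enumerate(row["bits"])) != row["balance"]:
            errors.append(f"user {i}: balance not in [0, 2^{BITS})")   # range check via the bits
        if row["running"] != previous + row["balance"]:  # running total advances by the balance
            errors.append(f"user {i}: running total broken")
        previous = row["running"]
    if previous - claimed_total != 0:                    # final delta = 0
        errors.append("final delta != 0: total does not match claimed value")
    return errors


def prove_and_verify(balances, claimed_total):
    return check_constraints(balances, build_witness(balances), claimed_total)


def hide_negative_attempt():
    # A cheating prover tries to mask a committed -5 by writing 0 into the witness row instead.
    # The range check now passes, but the row no longer matches the committed value.
    committed = [100, -5]
    witness = build_witness(committed)
    witness[1]["balance"], witness[1]["running"] = 0, 100
    return check_constraints(committed, witness, 100)


if __name__ == "__main__":
    honest = [100, 250, 0, 4000, 75]           # constructed sample balances
    print(prove_and_verify(honest, 4425))        # honest ledger, correct total
    print(prove_and_verify([100, -5], 95))       # negative balance has no 14-bit decomposition
    print(prove_and_verify([BOUND], BOUND))      # 2**14 is one past the bound
    print(prove_and_verify(honest, 4000))        # understated total
    print(hide_negative_attempt())
```

The two escape routes a dishonest exchange has, a negative balance and a witness that disagrees with the committed data, are closed by different constraints: the bit decomposition forces every balance into [0, 2^14), and the equality with the commitment stops the prover from substituting a friendlier number. Together with the running total, this is what lets the verifier accept "total liabilities = claimed value" without learning any single balance.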
Advantages:
- Zero-knowledge: No leaked balances.
- Supports complex rules (e.g., collateralized loans).
Plasma and Validiums: Non-Custodial CEX?
Validium (Starkware’s Approach)
- ZK-Rollup Off-Chain: balances and other data stay off-chain with the operator while the funds sit in an on-chain smart contract; validity proofs stop the operator from stealing, but if the operator vanishes, users can no longer prove their balances and their assets are frozen.
Trade-offs:
- CEX: User recovery options (email/KYC) ↔ custodial risk.
- DEX: Self-custody ↔ irreversible user errors.
Challenges:
- Cross-chain support: the holding contract must run on a chain that supports it, so Bitcoin balances cannot be held this way natively.
- User error recovery: with self-custody there is no exchange to reset a lost key, so the long-term answer has to be wallet-level mechanisms such as multi-sig.
Conclusion: The Path Forward
Short-Term
- Hybrid Models: Reserve proofs (asset + liability) for custodial exchanges. Open-source tools to standardize protocols.
Long-Term
- Non-Custodial Dominance: Wallet-layer recovery (multi-sig/social) instead of exchange-level control.
- Fiat Bridges: Use asset-backed stablecoins (e.g., USDC) for bank integration.
FAQs
1. Can exchanges fake reserve proofs?
- Without real-time checks an exchange could borrow assets or reuse the same collateral across several proofs. Having exchanges publish proofs at coordinated times (e.g., weekly) makes that harder.
2. How to handle lost passwords in non-custodial systems?
- Social recovery wallets or centralized options at the wallet layer—not the exchange.
3. Are ZK-SNARKs practical for large exchanges?
- Yes, with optimizations like KZG commitments reducing proof sizes.
This article is a condensed adaptation of Vitalik's original post.