An in-depth session on how auditors are verifying digital asset ownership and the innovative tools helping firms stay ahead. As crypto becomes more central in finance, auditors must move beyond traditional methods to prove ownership of digital assets. Whether you’re handling multi-signature wallets or navigating crypto subledgers, this session is essential for staying compliant and future-proofing your audits.
- How to prove ownership of digital assets through message signing.
- The evolving challenges and solutions for multi-signature wallets in audits.
- Leveraging Proof of Reserves to validate exchange balances.
- Introduction to LedgerLens, an audit tool to streamline crypto verifications.
Meet Our Speakers
Watch and learn from an international group of industry leaders at the forefront of Crypto Accounting
Jeremy Nau, CPA
Partner
The Network Firm
Take a Sneak Peek at the Talk
Liquid Staking for Accurate DeFi Accounting
From the complexities of liquid staking to the best strategies for syncing cryptocurrency to the main ledger. Learn about reporting strategies for liquidity pool tokens and how to navigate the ever-changing landscape of crypto accounting.
WATCH NOWHow do auditors prove ownership of digital assets?
Jeremy Nau:
Yeah, things have evolved over time, which has been interesting and good to see. At the beginning, most auditors didn’t know how to prove ownership of these digital assets. The client would say, "Hey, I have this wallet, look at my balance." And early on, auditors were saying, "Okay, it looks like a bank account, maybe that’s good enough." But quickly auditors realized, wait a second, clients could just show any address on an Explorer and claim it’s theirs. That realization led to the need to actually prove ownership of these addresses. It’s not enough just to look at a blockchain explorer.
How this generally started is that, after auditors realized this isn’t just a bank account where you can check a statement, they had to do more. These are bearer instruments. So the goal is to prove the client can exert control over these addresses that hold these balances, and more specifically, prove control over the underlying private key. The easiest way auditors first did this was via send-to-self transactions. If you think about Bitcoin, there’s the concept of signing a transaction to unlock the UTXO and send it to another address.
What are the challenges of auditing multi-signature wallets?
Jeremy Nau:
So practically, in the best-case scenario, things happen as we discussed, but the real world is often more complex. From the auditor's perspective or the client's perspective, okay, they can sign messages and provide them to us, and we can verify them. However, there are multi-sigs, smart contracts, or funds deposited into a DeFi protocol. In those cases, you’re not proving ownership of the USDC deposited into Aave; you’re proving ownership of the aUSDC, which is the receipt token from Aave. That’s a small wrinkle, not a big challenge.
Multi-sig wallets, however, can be very complicated, especially in Bitcoin. The Bitcoin scripting language isn’t very easy to work with. What usually happens is a two-step process. First, you have to understand the addresses used to compile the multi-sig, and then confirm they actually make up that multi-sig. After that, you have to prove ownership of the keys that make up a quorum of the multi-sig. It’s a bit more complex, but these are some of the challenges from both the client and auditor sides.
What tools are available for streamlining crypto audits?
Jeremy Nau:
We’ve built all these tools and exposed them for other auditors to use. It's called Ledger Lens, a suite of crypto auditor tools. Essentially, it automates the verification process and facilitates the signing process for clients. It also provides the tools and templates needed to streamline these tasks. The goal is to help auditors prove ownership and gather point-in-time balances for assets, like checking balances at balance sheet dates.
Ledger Lens works hand in hand with crypto sub-ledgers. These sub-ledgers are internal tools used by the audited company, but the auditor needs to independently validate the data. This is where the tools come in, allowing the auditor to match and verify transactions, either by signatures or other means.
Why is proof of reserves important for exchanges?
Jeremy Nau:
Proof of reserves is the idea that any custodian or issuer holding customer assets should be able to demonstrate they are fully reserved. This concept takes a few different shapes, but it’s typically about proving that an exchange or custodian has enough assets to cover their liabilities.
For example, when you deposit funds into an exchange, you might deposit one Bitcoin, and your account gets credited with that one Bitcoin. That’s an entry in their database that says, "You have one Bitcoin." But in the backend, they might move that Bitcoin to a different Omnibus wallet or hold it elsewhere. The idea of proof of reserves for exchanges is that when you sum up all the customer account credit balances from their database, the liabilities should be less than the assets they hold on behalf of those customers.
What role do internal controls play in crypto audits, and how do auditors handle startups that lack them?
Jeremy Nau:
We see this often, especially with startups. When you’re worried about surviving and need an audit for regulatory or investor requirements, you’re just trying to check all the boxes. Internal controls often take a backseat because there’s not external pressure, like being a public company, to enforce them.
For startups, you can get through audits with substantive testing, which is essentially testing without relying on internal controls. However, internal controls are extremely important, especially in private key management. If you’re holding customer funds, poor custody controls could result in losing your business quickly. In many cases, startups will have some controls in place, but they may not be documented. This leads to a need for formalizing those processes during the audit.
If the client has absolutely no controls or is not being careful, then we have to worry about bigger issues. In those cases, it’s not just about checking boxes—it’s about avoiding potential disaster.
How do exchanges handle proof of reserves across multiple blockchains and assets?
Jeremy Nau:
It’s extremely technically challenging for them. They’re dealing with many different blockchains, each with their own way of pulling data and creating wallets, along with different methods for signing and proving ownership of these wallets. An exchange might be handling hundreds of blockchains, and each one requires a different process to verify ownership or balances.
Let’s say the exchange has funds on Bitcoin, Ethereum, Cosmos, and even long-tail assets on smaller blockchains. Auditors need to go through all these blockchains, understanding their unique protocols, wallet setups, and transaction verification methods. It becomes very technically intensive, and there’s no turnkey solution to manage it all. It’s one of the biggest challenges for both auditors and the exchanges themselves.
Talk to an Expert
Streamline crypto accounting to move your business faster