Like cash, digital assets are typically “bearer” assets, meaning the asset confers ownership to whoever physically “holds” the asset. However, digital assets are well… digital, so how can we prove a party “holds” it? How can we fulfill our assertion of Rights & Obligations in the context of a financial statement audit?
From Physical Control to Digital Control
In the digital realm, the equivalent of physically “holding” the assets, is the ability to exert control over the associated private key controlling the assets. “Control” in this case generally means the ability to send assets held at a specific public key (or address).
In the context of a Financial Statement Audit or Proof of Reserve Attestation, this concept of control is important, because only assets that a company can demonstrably control should be on it’s balance sheet. Otherwise, a fraudulent actor could simply select any publicly visible address on a blockchain and claim it as their own!
Proving “Control” Method 1: “Send to Self” Transactions
The first method auditors used to demonstrate control, was to direct a party to send funds from a certain address. By sending funds from an address, the party is proving that they can exert control over the private key related to that address.
In this scenario, an auditor would give their client a specific and small number of assets to send from the address. After executing the transaction, the client would provide the auditor with the transaction hash. Then, the auditor would be able to navigate to a blockchain explorer, search for the transaction, and validate that the transaction was sourced from a specific address and completed with the communicated parameters, proving the client could exert control of the source address.
However, this method is doesn’t scale very well. This method may be sufficient if the scope of an audit or PoR included less than 25 addresses… but what if a company had 25 million addresses (like most exchanges or custodians). “Send to Self Transactions” won’t scale!
Proving “Control” Method 2: Signing a Message
The next method employed by auditors entailed using the public and private key cryptography inherent to blockchains.
Auditors would provide a unique message to their clients (i.e. FS Audit 2024 for Client XYZ). The client would then use the private keys that controlled their assets to “sign a message.” The output of the signature process would output a random character of strings, called a “signature output.” Then, using the public key, message, and signature output, an auditor can “verify” that the signature output was signed by the associated private key, thus demonstrating control of the assets held at that address.
The bad news is that this method can be confusing to those new to digital assets and cryptography. The good news, however, is that this method can scale extremely well. Using tools like LedgerLens, auditors can verify millions of addresses within minutes!
More Multi-Sigs, More Problems
The outlined methods offer the most straightforward approaches for auditors to verify their clients’ control over assets. Yet, as your experience with digital asset clients deepens, you’re increasingly likely to navigate intricate custodial setups, including Multi-Signature wallets, Threshold Signature Schemes (TSS), and layered smart contracts. As your proficiency in auditing digital assets grows, we encourage you to explore our Multi-Signature ownership tools. Your feedback is invaluable to us, and we’re eager to hear your suggestions for new tools to enhance our platform!
