Are your digital assets secure on the exchange? Interpreting the differences between exchanges and traditional banks

Deposit insurance is a problem that exchanges, regulators, and depositors must face.

Author: Nic Carter, Founder of cryptocurrency data provider Coin Metrics
Translated by: Jian Juan

This article was originally published in the English paid e-magazine "Bankless" focusing on open finance. The Chinese version of this article is jointly released by Bankless and Chain News. The subscription address for Bankless is: bankless.substack.com

Advertisement - Please scroll down for more content

Over the past 18 months, some functions traditionally provided by banks have taken root in the crypto industry. When these functions are combined with minimization of trust, people call it Decentralized Finance (DeFi), most of which happen on Ethereum, with some exceptions.

There have been many articles detailing the points and potential of DeFi before, so I won't elaborate further. I want to discuss an unexplored topic: Can trust be minimized in savings institutions or crypto banks? (I fully understand that discussing banks in a newsletter called "Bankless!" sounds quite ironic!)

Let's quickly review the services provided by commercial banks, ranked from most to least important:

• Accepting personal deposits (banks usually do not hold full reserves, only a relatively small portion, and lend based on reserves). These deposits receive government protection in many jurisdictions, but only up to a certain limit;
• Paying interest on these deposits depending on the account type;
• Serving as a source of credit for consumers needing credit cards, small business loans, overdrafts, and mortgages;
• Acting as a transaction interface and agent for users wanting to send wire transfers, receive checks, and pay bills;
• Issuing debit cards and credit cards;
• Allowing consumers to exchange electronic deposits for cash, either at branches or through ATMs. This service is effectively a subsidy (or loss leader) as it is usually (but not always) free for account holders;
• Providing physical storage space for various items, such as valuables (even your private keys!).

Not all current cryptocurrency exchanges offer these services, but I often refer to them as "banks" because they do cover the use case of accepting deposits and are increasingly involved in other functions.

I won't reiterate an article that Hasu once wrote about the various services exchanges ("crypto banks") provide, which is a good summary of the industry's direction. My concern is: If crypto banks are already established and users continue to seek the services of such institutions, is it possible to minimize the required trust? Is cryptocurrency deposit more susceptible to this trust minimization compared to fiat deposits?

In my opinion, the main focus of the crypto industry, both now and in the future, is how to enable users to obtain and trade various financial assets under a range of trust models.

The birth of Bitcoin has given rise to a new ownership model: a powerful ownership of portable digital assets. For every transaction on the blockchain, its settlement is (probabilistically) final. This means that transactions are not subject to the conventional issues related to payment and final settlement delays that arise from digital transfers. However, Bitcoin and all subsequent cryptocurrencies have introduced a new problem: requiring users to self-custody their assets.

Carefully storing information is quite challenging for many people. As a result, custodians for cryptocurrencies emerged. Since people primarily acquire cryptocurrencies from exchanges, many choose these exchanges as their custodians. Over time, the industry has developed full-reserve banks, commonly referred to as exchanges (although there are also non-exchange specialized custodial institutions). These crypto banks now control a significant portion of the mainstream cryptocurrency supply, and the proportion is continuously increasing. With the rise of staking, lending, and interest-bearing tools, many users have chosen to try these new products through centralized custodial institutions.

Thanks to address labeling and a bit of detective work, we can estimate the distribution of Bitcoin between custodied and non-custodied supplies. My calculations also include the supply that has been inactive for a long time, with many early coins likely lost.

The estimated lost BTC and custodied BTC data sources are found below, and the data originally appeared on Macro.WTF, with corrections made here

As shown in the chart above, the number of custodied bitcoins (shown in dark blue in the chart) is rapidly increasing, accounting for at least 20% of the total mined supply. If we exclude assumed lost bitcoins, this proportion would be even higher.

In the chart below, I have roughly segmented the shares held by various custodial institutions (exchanges) (please note that some are rough estimates):

Data sources: Coin Metrics, Grayscale, XBT Supplier, Meltem Demirors/Coinshares, Japan Virtual Currency Exchange Association

It should be acknowledged that the historical estimates in the chart above include some inferences, as I do not have high-quality data like that of exchanges such as Mt. Gox or historical data from Coinbase, Xapo, and others. Japanese exchanges are particularly good, as they have implemented self-regulation and disclosed their coin holdings truthfully.

I admit that this is just a lower bound estimate of custodied bitcoins, and many smaller exchanges have not been included in the calculation. However, I believe this is generally the case. The trend is quite astonishing: the growth rate of custodied bitcoins is significantly faster than the supply rate of bitcoins. Who knows what proportion the custodied part will ultimately reach?

With data obtained from Coin Metrics, I am able to conduct a similar analysis on Ethereum.

Data sources: Coin Metrics, DefiPulse

The portion of coins from the genesis block that have been inert from genesis refers to ETH distributed during the crowdfunding phase that has never left the genesis block for any reason. The proportion of this part in the supply is surprisingly high. You can also see that, although the scale of DeFi is still relatively small, it is beginning to occupy an increasingly larger share. Additionally, we can see the situation of ETH held by exchanges, although this estimate is only a lower bound.

Below is the data categorized by exchanges:

Data sources: Coin Metrics, Japan Virtual Currency Exchange Association

We must once again thank the Japanese Exchange SRO for their information disclosure, which has been very helpful. All other balances were discovered through on-chain estimation.

Unlike the chart of Bitcoin exchange shares above, I have more confidence in the entire historical situation of ETH, thanks to on-chain methods (although I still rely on publicly available disclosures from GBTC and other publicly available information related to Bitcoin). Of course, many smaller exchanges are not included, so we are only looking at a partial sample. We also miss data from Coinbase (which deliberately hides its balances). I believe Coinbase has deposits of hundreds of millions of ETH. (ChainNews note: GBTC, or Grayscale Bitcoin Trust, is the investment tool closest to a Bitcoin ETF, allowing investors to invest in Bitcoin without worrying about storage or custody issues.)

About 20-25% of the total supply of Bitcoin and Ethereum is held in custodial form, which may be either encouraging or discouraging depending on your perspective. In a random survey I conducted, most people predicted that a significant portion of the total supply of these two blockchains is held in custodial form. In my view, the demand for custodial exposure, whether for Bitcoin or Ethereum, is stable and continuously growing. Once this proportion approaches a certain threshold, will it harm both systems? This is an interesting question, but it is beyond the scope of this article.

What exactly sets traditional banks apart from exchanges that look like banks? Let's briefly review the essence of commercial banks.

Commercial banks are interesting institutions that, for political reasons, are not allowed to completely collapse. They hold the trust of society by holding deposits from families and individuals, even though banks engage in inherently risky activities (such as lending money). The consequences of a bank collapsing are unacceptable to society (everyone's deposits would be lost). Therefore, the government actually guarantees the safety of deposits.

In the United States, the Federal Deposit Insurance Corporation (FDIC) guarantees that if a member bank goes bankrupt, each depositor can still claim their deposit, but the limit is $250,000. Banks used to be allowed to fail in the past, leaving depositors with nothing. However, bank failures often have a domino effect: depositors immediately panic and rush to withdraw their assets. This happened in the United States, which is why the FDIC was established in 1933, and commercial banks have been under federal supervision since then.

Therefore, in commercial banks today, there are both unprotected stakeholders (bank shareholders and creditors) and clearly protected stakeholders (depositors). If a bank were to fail, investors would be wiped out, but depositors would (up to a certain limit) be protected.

In the crypto field, this established model has not been completely replicated. Globally, exchanges are not considered banks or institutions that absorb deposits and are regulated. In the United States, no new bank charters have been issued recently. Most exchanges also do not wish to be regulated as banks. Many have simply opted for a patchwork approach: applying for money transfer licenses state by state, registering as a New York limited purpose trust company in some cases, or seeking to obtain a New York BitLicense. Many non-U.S. exchanges are not regulated at all. As a result, if problems arise, it is difficult for exchange customers to know their exact situation. Creditors of exchanges like Gox and Quadriga have learned this lesson well.

It is widely believed in the industry that if you do not hold your private keys, then you do not truly own your coins. I support this view, and I believe that cryptocurrencies are best utilized when users are the sole owners of their coins. If everything ends in custody, custodial institutions can claim control over all transactions, putting the entire system back into a permissioned mode, which would weaken the censorship resistance we value.

However, I also recognize the fact that some people tend to store their cryptocurrencies with a third party. Custody of private keys is technically cumbersome and exposes the holder to risks of extortion or theft. While I do not endorse storing cryptocurrencies with a custodial institution, I acknowledge that this is a very popular method, especially when exchanges offer various staking rewards, debit card features, interest payments, and other auxiliary services.

There is a perspective in the crypto industry that if an institution cannot be "mechanized," then there is no hope of providing protection to users. However, I believe that it may be worthwhile to take a middle ground. Can trust in crypto banks be reduced? One key area is deposit insurance. Since exchanges act as custodians, and in some cases even extend to other banking services, but are not considered banks and regulated as such, what happens to user deposits in the event of bankruptcy or insolvency?

Obviously, the treatment of depositors will vary depending on the laws of the regulatory jurisdiction where each institution is located. Let's start with partially or fully regulated crypto exchanges. I am not an expert in this area, so I consulted individuals with firsthand experience in compliance departments of institutions dealing with crypto deposits.

In the United States, there are no unified federal standards regarding the regulation of exchanges. Most exchanges must register as Money Services Businesses (MSBs) under FinCEN. What is required of exchanges is to create an anti-money laundering plan, report large cash transactions, report suspicious activities, and strive to comply with the Bank Secrecy Act. The MSB license actually does not cover the behavior of exchanges in absorbing deposits.

Exchanges also tend to register as money transmitters state by state. The requirements of each state vary, but generally, exchanges need to prove to the state auditing agency that they have enough reserve funds to be considered solvent. Through consultations with various parties, the consensus seems to be that state regulatory agencies are not particularly keen on regulating cryptocurrencies, except for individual states. Therefore, the MSB licensing system does not exert particularly strong constraints on exchanges' misconduct.

A stronger regulatory framework is the New York limited purpose trust license, which some exchanges and intermediaries, such as Gemini, Paxos, and ItBit, have opted to obtain. The trust license does not require these entities to be insured by the Federal Deposit Insurance Corporation (FDIC), but it allows these institutions to hold USD deposits in banks insured by the FDIC on behalf of customers. This means that the deposits paid in exchange for stablecoins like Paxos, Gemini Dollar, and Binance Dollar (managed by Paxos) have FDIC insurance.

There is a question I do not have an answer to. Suppose a crypto exchange is hacked and ends up insolvent, or if the BTC and ETH of depositors are reduced to a small fraction. Before the hack, suppose this exchange issued a large amount of debt. In a normal capital structure, creditors are considered to have "priority" — they have the first claim on the company's assets in liquidation, before other stakeholders. What will happen in the bankruptcy process? Will creditors be paid first, leaving depositors with nothing?

Apart from this extreme scenario, to some extent, you should believe that regulators tend to require exchanges to have full reserves, especially when exchanges must comply with more complex state regimes or obtain a New York trust license. Through this investigation, I found it very difficult to obtain the following information: which exchanges have performed what kind of audits; whether exchanges have structural limitations that prevent mixing customer funds and operational funds; and the position of depositors in the liquidation process. Regulated exchanges can actually do more in these areas to provide protection to users.

For unregulated exchanges, the protection is even weaker. When insurance companies or investors demand audits, unregulated exchanges do not have the pressure to prove their solvency to a third party or to separate deposits from operational funds by definition. In fact, we have seen a lot of chaotic behavior from such exchanges over the years. It is in this context that I believe Proofs of Reserve are particularly important. This is not a perfect solution, but in the absence of regulatory oversight of exchanges, providing evidence to depositors that their deposits are fully reserved is the next best option. More importantly, the process of regularly proving reserves will constitute good internal management and serve as an early warning system for depositors before problems become fatal.

During this investigation, I was surprised to find that I knew very little about how exchanges view reserves. This is not a personal concern of mine, as I have never used third-party institutions to custody my cryptocurrencies. But this is a concern in the industry, and I rarely see discussions on this topic. I asked several professionals about the regulatory requirements in the United States that cover reserves or audit requirements for crypto exchanges and whether depositors have priority in liquidation, and the more I asked, the more confused I became.

Regarding minimal trust, we have had many discussions, usually in the context of crypto protocols. But what does minimal trust mean in the context of custodial institutions? The existence of bank regulation is to safeguard the accounts of fiat currency depositors. However, due to the lack of federal standards, most exchanges do not seek to be regulated like banks (in fact, exchanges that take the regulatory path actually seek looser regulation). In many cases, we only get an implicit commitment that user deposits are treated separately and that full reserves are maintained.

However, exchanges cannot control everything, especially when it comes to cryptocurrencies. In some cases, certain events on the blockchain will somehow affect the quality of reserves. In 2017, Coinbase mishandled UTXO set management, meaning they had many "stuck" UTXOs that would cost more to spend than their value. Does this mean they are technically insolvent? There have also been some vulnerabilities or hard forks that have altered the ownership of assets in some way. What happens if a mainstream exchange is staking a token, gets penalized, and the coins are seized?

These are issues that exchanges, regulators, and depositors must face. As I write this article and converse with professionals who delve deeper into these issues, I am struck by a strange paradox inherent in the crypto industry: while we (rightly) prioritize minimal trust in considering open protocols, we tend to ignore this issue once assets are held in custody and assume that the risk of funds is quite high (and primarily blame users for trusting exchanges).

Of course, exchanges vary in quality, and they follow diverse security and regulatory practices. There are gray areas, and there are ways to minimize our trust requirements for crypto banks. Although providing a reserve proof from an exchange like Kraken is more troublesome than simply checking Maker's CDP (Collateralized Debt Position) on-chain (and not as reliable), I believe that we should still strive to hold exchanges accountable and better understand the position of depositors. In an industry filled with contradictions, this is undoubtedly the most enlightening.

This article is reprinted with permission from ChainNews, source: ChainNews (ID: chainnewscom)

Related Reading

• One of Telegram's Investors, Taiwan Startup Nogle Injects into Virtual Asset Custody Business Again

• Four Possible Reasons for Bitcoin's Sharp Drop from $9,200 to $7,600

Join Telegram now for the most accurate blockchain news and cryptocurrency updates!