In July 2020, Shakepay engaged CipherBlade to conduct a Proof of Reserves and Security Review [1]. The review was comprehensive: it independently verified Customer Assets [2] and Customer Balances [3] as a 'Proof of Reserves', and assessed whether Shakepay could be deemed to hold the requisite Customer Assets to cover its Customer Balances.
In the review, CipherBlade evaluated and scrutinized Shakepay's security protocols and procedures, including precisely how Shakepay stores customer funds. One of the main goals was to identify any possible breach vectors that could result in customer funds being compromised or stolen, whether by an external actor (e.g. a hacker) or an internal actor (including the possibility of the Shakepay founders themselves doing so).
CipherBlade independently verified Shakepay's claims wherever possible. For example, when verifying cryptocurrency Customer Assets, after observing the applicable wallet balances in the wallet interfaces Shakepay uses, CipherBlade cross-referenced this data against the blockchain to ensure accuracy. Just as importantly, CipherBlade independently verified that Shakepay controls these wallets, through a variety of mechanisms depending on the wallet in question: Satoshi tests [4], UTXO consolidations [5], blockchain forensic analysis (including interaction with other known wallets), smart contract functionality, and a direct attestation from the provider Shakepay uses for cold storage.
Reasons for this Report
Shakepay commissioned CipherBlade to conduct this Proof of Reserves and Security Review for two main reasons:
- Digital currency businesses deal in coins and tokens that can be publicly verified on blockchains, but their own operations are not transparent. Shakepay retained CipherBlade to inspect its internal processes and systems and then publish this report, so that users have more insight into the steps the company takes to ensure that it is a trusted supplier of digital currency to Canadians.
- Shakepay anticipates that technical security will become an increasingly important reason for customers to select a digital currency dealer, and this report explains some of the measures the company has voluntarily adopted to help keep customers safe.
The full report, which can be found here, is summarized as follows:
- All customer funds and all Shakepay funds held with Shakepay's financial institution were verified via view-only online access to the account; the institution also provided CipherBlade directly with an account statement. These amounts were accurately reflected in Shakepay's back-end systems.
- All fiat Customer Balances were verified via a combination of records found in back-end systems and a historical record of past transactions and data. As of the date of this report, all Customer Balances per Shakepay's records match [6] the fiat Customer Assets held in segregated bank accounts.
- All customer cryptocurrency was verified through account statements for the cold storage wallets (which the cold storage provider attested to directly to CipherBlade) and through the multi-signature wallet interface Shakepay uses for its hot wallets. This was further independently verified through a combination of Satoshi tests, a UTXO consolidation, and ample transaction data found on the Bitcoin and Ethereum blockchains. This methodology provided a full Proof of Reserves of Shakepay's cryptocurrency Customer Assets.
- All cryptocurrency Customer Balances were verified through back-end systems, in conjunction with historical records of past transactions and data. As of the date of this report, all cryptocurrency Customer Balances per Shakepay's records match [7] the cryptocurrency Customer Assets, which are held in wallets separate from company-owned cryptocurrency.
- In every transaction examined, there was a 100% match between the transaction data found in back-end systems and the amounts credited to user accounts, relative to the actual transaction amounts observed on the Bitcoin and Ethereum blockchains (for cryptocurrency transactions) and in bank account records (for fiat transactions).
- Based on the setup procedures and security protocols required to access cryptocurrency Customer Assets, holdings in hot wallets are unlikely to be compromised, and holdings in cold wallets with the cryptocurrency cold storage provider are extremely unlikely to be compromised in any way, while adequate redundancy measures are in place for both.
- CipherBlade was provided with criminal background checks for all Shakepay employees, including the founders, and Shakepay stated that reference checks had previously been conducted on all personnel. There is no evidence to suggest that any employee would elect to compromise Shakepay's operations; nonetheless, tiered access measures have been implemented effectively to prevent or mitigate a breach of Shakepay's systems, customer data, and cryptocurrency Customer Assets.
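The checks described in the methodology and summary above (cross-referencing wallet balances against the chain, a Satoshi test as proof of control over a wallet, comparing Customer Assets against Customer Balances with a small operational tolerance, and matching back-end credits to on-chain transaction amounts) reduce to a short reconciliation routine. The following is an added example written for this page; it is not CipherBlade's or Shakepay's tooling, and every address, txid, amount and block height in it is constructed. A real review would load `CHAIN_TXS` from a node or block explorer rather than from a literal, and the tolerance value is a hypothetical choice that the reviewer would have to justify.

```python
from dataclasses import dataclass
from decimal import Decimal

D = Decimal


@dataclass(frozen=True)
class ChainTx:
    """Minimal view of one on-chain transfer, as a node or explorer would report it."""
    txid: str
    asset: str
    sender: str
    receiver: str
    amount: Decimal
    height: int  # block height, used to order the transfer against the audit timeline


# Constructed sample data: hypothetical addresses, txids, amounts and heights, not real chain data.
HOT_WALLET = "bc1q-hot-hypothetical"
COLD_WALLET = "bc1q-cold-hypothetical"
DEPOSIT_ADDR = "bc1q-deposit-hypothetical"  # customer deposits land here, then are swept to the hot wallet
AUDITOR_ADDR = "bc1q-auditor-hypothetical"  # destination the auditor names in the Satoshi-test challenge
CHALLENGE_HEIGHT = 640005                   # height at which the auditor issued the challenge

CHAIN_TXS = [
    ChainTx("tx-deposit-1", "BTC", "bc1q-customer-a", DEPOSIT_ADDR, D("0.50000000"), 640001),
    ChainTx("tx-deposit-2", "BTC", "bc1q-customer-b", DEPOSIT_ADDR, D("0.25000000"), 640002),
    ChainTx("tx-sweep-1", "BTC", DEPOSIT_ADDR, HOT_WALLET, D("0.75000000"), 640003),
    ChainTx("tx-cold-fund", "BTC", "bc1q-external-ex", COLD_WALLET, D("12.00000000"), 630000),
    # Satoshi test: a tiny spend from the claimed wallet, with an amount and destination the
    # auditor chose when issuing the challenge, mined after the challenge was issued.
    ChainTx("tx-sat-test", "BTC", HOT_WALLET, AUDITOR_ADDR, D("0.00000777"), 640010),
]

# Back-end records: what each customer was credited for each on-chain deposit (constructed).
BACKEND_CREDITS = [
    {"txid": "tx-deposit-1", "user": "user-a", "amount": D("0.50000000")},
    {"txid": "tx-deposit-2", "user": "user-b", "amount": D("0.25000000")},
]
# Back-end customer balances, i.e. the liabilities side of the Proof of Reserves (constructed).
CUSTOMER_BALANCES = {"BTC": {"user-a": D("0.50000000"), "user-b": D("0.25000000"), "user-c": D("12.00000000")}}


def wallet_balance(txs, addresses, asset):
    """Net on-chain balance of a set of addresses: everything received minus everything sent."""
    bal = D(0)
    for tx in txs:
        if tx.asset != asset:
            continue
        if tx.receiver in addresses:
            bal += tx.amount
        if tx.sender in addresses:
            bal -= tx.amount
    return bal


def verify_satoshi_test(txs, claimed_addresses, challenge_address, challenge_amount, issued_at_height):
    """Return the txid that proves control of the claimed addresses, or None.

    The spend must originate from a claimed address, pay the auditor-chosen address the exact
    auditor-chosen amount, and be mined strictly after the challenge was issued, so that a
    pre-existing transaction cannot be passed off as the response."""
    for tx in txs:
        if (tx.sender in claimed_addresses and tx.receiver == challenge_address
                and tx.amount == challenge_amount and tx.height > issued_at_height):
            return tx.txid
    return None


def proof_of_reserves(customer_balances, assets, tolerance):
    """Per asset: total liabilities, assets held, their difference, and whether any shortfall
    is within the stated tolerance (the 'minor differences' of normal day-to-day operations)."""
    report = {}
    for asset in set(customer_balances) | set(assets):
        liabilities = sum(customer_balances.get(asset, {}).values(), D(0))
        held = assets.get(asset, D(0))
        diff = held - liabilities
        report[asset] = {"liabilities": liabilities, "assets": held,
                         "difference": diff, "covered": diff >= -tolerance}
    return report


def reconcile_credits(backend_credits, txs, deposit_addresses):
    """Match each back-end credit to an on-chain transfer by txid; report any credit whose txid
    is absent from the chain, whose destination is not a company deposit address, or whose
    credited amount differs from the on-chain amount."""
    by_id = {tx.txid: tx for tx in txs}
    mismatches = []
    for credit in backend_credits:
        tx = by_id.get(credit["txid"])
        if tx is None:
            mismatches.append((credit["txid"], "no such transaction on chain"))
        elif tx.receiver not in deposit_addresses:
            mismatches.append((credit["txid"], "paid to a non-company address"))
        elif tx.amount != credit["amount"]:
            mismatches.append((credit["txid"], f"credited {credit['amount']} but chain shows {tx.amount}"))
    return mismatches


def run_review():
    """Run the three checks over the constructed data and return their results."""
    hot = wallet_balance(CHAIN_TXS, {HOT_WALLET, DEPOSIT_ADDR}, "BTC")
    cold = wallet_balance(CHAIN_TXS, {COLD_WALLET}, "BTC")
    control_txid = verify_satoshi_test(CHAIN_TXS, {HOT_WALLET}, AUDITOR_ADDR, D("0.00000777"), CHALLENGE_HEIGHT)
    reserves = proof_of_reserves(CUSTOMER_BALANCES, {"BTC": hot + cold}, D("0.0001"))  # tolerance is hypothetical
    mismatches = reconcile_credits(BACKEND_CREDITS, CHAIN_TXS, {DEPOSIT_ADDR})
    return {"hot": hot, "cold": cold, "control_txid": control_txid, "reserves": reserves, "mismatches": mismatches}


if __name__ == "__main__":
    for key, value in run_review().items():
        print(f"{key}: {value}")
```

Two details matter in practice. The Satoshi test only proves control if the auditor fixes the amount and destination after the claim and accepts only a transaction mined after the challenge; the example therefore requires a strictly greater block height. And a tolerance that absorbs "minor differences" must be small relative to the balances and explained by identifiable operations (here the Satoshi test spend itself), because a tolerance set wide enough to hide a real shortfall defeats the purpose of the check: altering one back-end credit amount in `BACKEND_CREDITS` is flagged by `reconcile_credits`, and inflating balances beyond the tolerance turns `covered` to `False`.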
1. CipherBlade defines ‘Proof of Reserves’ as verifiably having enough customer cryptocurrency assets to cover cryptocurrency Customer Balances.
2. CipherBlade defines ‘Customer Assets’ as customers’ fiat and/or cryptocurrency held by Shakepay.
3. CipherBlade defines ‘Customer Balances’, as the financial obligations from Shakepay to its customers, involving either customers’ fiat and/or cryptocurrency assets held in storage and which correspond to customers’ account balances.
4. The spending of a small amount of Bitcoin, in some cases as little as 0.00000001 BTC (1 Satoshi) but more often multiple Satoshi, from a given wallet address or addresses as a way of proving ownership or control of that address.
5. Unspent Transaction Output. Effectively, a Bitcoin UTXO is any output of a Bitcoin transaction that has not already been spent, i.e. that still carries an unspent balance.
6. Very minor differences are observed, which are accounted for by normal day-to-day operations.
7. Very minor differences are observed, which are accounted for by normal day-to-day operations.