Bitcoin.de announced in March 2014 that it wanted to verify its customers’ bitcoin balances. To ensure valid results, bitcoin.de sought an acknowledged audit firm. After months of searching, negotiating and planning it is now going ahead: bitcoin.de is the first bitcoin trading centre to verify customer account balances via an external and acknowledged audit firm. The verification started on Monday, September 1st. Many customers have been approached by email and asked to confirm their balances.
Bitcoin.de has been in talks with a number of large and well-respected audit firms since March this year. The talks have been drawn out, and have raised doubts about the audit firms’ ability to execute such an audit effectively – and whether they would be allowed to do so with respect to their legal accountability. The internet is no longer a new area, but bitcoin is. Whilst it is common practice to allow banks to verify the balances of their accounts, bitcoin lacks equivalent authorities. The blockchain is public and there is no ‘administrator’ who can certify and sign any kind of confirmation. In ‘RLT IT- and Systemprüfung GmbH Wirtschaftsprüfergesellschaft’, bitcoin.de finally found a partner who could accept the challenge of becoming the first audit firm to verify bitcoin balances.
Of course, it was necessary to discuss various issues such as cold wallets, the blockchain and other aspects of the bitcoin ecosystem. But within a few weeks bitcoin.de and RLT developed a procedure to verify that bitcoin.de does indeed hold its customers’ bitcoin balances. One major strand of such an audit is to consider and eliminate any possibility that bitcoin.de might mislead the auditor. The audit was carried out using control samples, because a complete verification was not practical. The creation of the sample was made in a way that takes into account the risk factors and guarantees a solid outcome.
RLT is auditing both the desired and actual state of the balances. The desired state is the balances that are used by the databases of bitcoin.de. The actual state is the balances that can be found in the blockchain and that are owned by bitcoin.de (who hold the private keys). The audit consists of three parts that started on Monday, September 1, after initial tests.
First, the auditors check the desired balance state. Bitcoin.de has made available data about all of their customers, which has of course been completely anonymised. RLT checks this data by verifying a representative sample. For this process, the users are divided into active and passive groups. The active users are asked to confirm their account balances (as at 23:59 on 27 August, 2014) or to enter a reasonable objection. They are informed by email to prevent misunderstandings. The passive users receive the expected account balance by email. If they do not enter an objection within two weeks then the balance is confirmed, though they may also confirm the balance actively. The result of the confirmation will be send to RLT – again, anonymised and encrypted.
Does the blockchain confirm what bitcoin.de’s databases claim? To audit the actual state of the balances, RLT received the addresses of both hot and cold wallets for bitcoin.de. Around 98 percent of the balances are saved in ‘cold storage’, meaning they are not connected to the internet and are distributed in several secure places in a way that makes it impossible for a single person to access them. RLT received these addresses and checked their balances in the blockchain.
Finally, to verify that bitcoin.de has access to these addresses, RLT takes a significant sample of them. The auditors then write short texts for them, that have to been signed by bitcoin.de with the appropriate private key. To make sure that bitcoin.de does not borrow the private keys, RLT is present when bitcoin.de signs the messages for the cold wallets. More details about the storage of the cold wallets cannot be made due to security considerations.
The result of the audit will be the verified desired and actual balances of our customers’ bitcoins.