2022 Canadian Cryptocurrency Exchange Audit / Transparency Report

Please enjoy the fourth annual transparency "bash" of Canadian cryptocurrency exchange platforms. Past years’ threads can be found here: 2019, 2020, 2021.

2022 Year In Review

  • October - CoinFloor, likely the oldest UK-based exchange, and the only UK exchange with Proof of Reserves, is acquired. As you may guess, the proof goes poof. The aptly-named acquiring party CoinCorner calls it “part of the inevitable”.
  • February - IRA Financial executives generously decide to give $38m USD worth of customer funds to a certain Benjamin Choe. And yes, the funds were stored in Gemini, which “is regulated and insured against theft, so your cryptos are protected.” "It’s not clear who may end up being responsible for the lost funds.” (In other words, insurance is not paying out.) Said CEO Adam Bergman, “money - IRA Financial’s here to solve that problem for you”.
  • June - After their executive team withdrew tens of millions of dollars, Celsius succeeds in declaring Chapter 11 bankruptcy (a form of bankruptcy specifically not for investment companies). The court requests them to publicly disclose the names and balances of all their customers. Feel free to use celsiusnetworth.com to look up how much you lost (and definitely not to find the personal information of rich people to rob).
  • August - TornadoCash, one of the only privacy protocols on the Ethereum blockchain, is “sanctioned”. Hundreds of users are blocked from using their funds anywhere in the Western world. The developer is arrested and will face trial. “[T]hose with USDC deposited on TornadoCash cannot withdraw their funds.” Dust attacks and a CoinBase lawsuit are underway.


In Canadian news:

  • Canadian platforms silently move customer funds south of the border. Almost all Canadian funds are now centralized in just three American custodians. CoinBerry and WealthSimple had already been using Gemini. BitBuy moved custodians from Canadian-based Knox to BitGo. Bitvo, CoinSmart, and NetCoins are also now using BitGo. Newton moved from Canadian-based Balance to CoinBase Custody. Other platforms now using CoinBase Custody include CoinSquare, ShakePay, and VirgoCX.
  • Multiple Canadian platforms lose independence this year, including BitBuy, CoinBerry, CoinSmart, and BitVo. Two of these are by a certain Mr. Wonderful who is certainly well loved, and the last one is by FTX.
  • But fear not. Ontarians continue to use KuCoin despite it being banned and not paying the OSC “fine”. KuCoin also has new customers from Binance.
  • In June, CoinBerry finally discloses some details of customer funds lost - in 2020. The 17-hour period where withdrawals were off? Turns out they actually made a minor slip-up where 120 bitcoin (worth only $3m) were taken by [“accidentally let[ting] people buy bitcoin with Canadian dollars that had yet to be properly transferred to their accounts”](https://financialpost.com/fp-finance/cryptocurrency/software-glitch-allowed-users-to-acquire-3-million-in-bitcoin-without-paying-coinberry-alleges-in-lawsuit). CoinBerry and regulators agreed the best way to notify users of this slip-up was 2 years later via a lawsuit in the obscure court of Brampton (presently hidden behind a paywall).
  • CoinSquare (which was previously fined millions of dollars for inflating volume on their website) became the first platform with full IIROC membership. Their service now prominently displays the “most traded” coin as bitcoin with an impressive “volume” of “CA$34.40B”.
  • WealthSimple opens their platform up for deposits and withdrawals, but only if you have a personal tracker. “Withdrawing crypto is currently only available through the Wealthsimple app.”
  • After many years of marketing as commission-free while not publicly disclosing their profit margins on buying/selling digital assets, ShakePay may face a class action lawsuit. WealthSimple is also included in the lawsuit.


Past Canadian Exchange Disasters


FlexCoin - As the world's first bitcoin bank that’s “not a true bank”, FlexCoin provides “a central location for all of your bitcoins”. “Bitcoins deposited with flexcoin will be stored on [thei]r secure servers so you can “send bitcoins to non-technical individual[s] via e-mail”. Unlike blockchain, “flexcoin to flexcoin transfers are free”.

MapleChange - “A swift, reliable and to-the-point trading platform for veterans and newbies alike.” “One of [their] primary concerns is security for [their] customers” which is why “keys are cryptographically encrypted”. "[W]ithdraws(sic) are next to instantaneous", "rel[ying] solely on the aspect of swiftness"!

CoinTrader/NewNote - A “meticulously engineered Bitcoin Exchange” “focused on security and tak[ing] these risks seriously”. “[Y]ou don’t have to worry”, they have “90+% cold storage” and their “cold storage is fully insured by Xapo.” Plus, as “a registered Canadian corporation” they “leverage the good guys to fight the bad guys”.

QuadrigaCX - Operating since 2013, with “vast cryptocurrency reserves” right up to the end. "Bitcoins that are funded in QuadrigaCX are stored in cold storage, using some of the most secure cryptographic procedures possible." Even today most of the funds remain “100% secure” (including to customers)!

Einstein - You can get “your money deposited and withdrawn faster than any other exchange”. As one customer said "With so many hacks and exit scams, it gives me confidence knowing Einstein is backed by hard-working people just like me." Just check the user experience on their subreddit from their "220,000+ satisfied customers".

EZ-BTC - As the world’s “most user friendly and bespoke crypto currency management platform”, they have “strong security”. “All your coins are kept in cold storage. They’re safe.” The presence of physical ATMs was one of the strategies to build customer confidence for their promised 9% annual return on stored funds.

CoinBerry - "Practicing due diligence is paramount. Research and continuous education of cryptocurrencies and the markets will arm you with the highest protection level possible." "After the hack occurred (on 8/24), there were no withdrawals processed from Coinberry's hot wallet for about 17 hours.” And we learn more!

CoinRise - Become financially independent! “A pioneer in the field of cryptocurrency trade and exchange, Coinrise has been leading the industry for over 20 years.” "It was clear for us, as a reputable investment brand, that our clients are going to benefit from this decision taken by the government just as much as us."



Are Your Funds Safe Today?


Americans are uniquely suited to safeguard your assets because they have powerful lethal weapons, a high degree of political stability, and rock solid property laws. All HSMs will be made through underpaid overseas factory workers, passed through a predictable multi-national supply chain that hasn't ever been breached (yet), and compiled, programmed, and tested once or twice by a small team of developers and engineers who haven't done anything criminal (yet). Don't worry though. They won't be that much of a target with only multiple billions or trillions of dollars on the line as a reward, and surely the bitcoin community won't mind forking the blockchain when all the funds go missing.

As of this writing, all Canadian exchanges appear to have "relocated" temporarily to one of just 3 US-based custodians. Take your pick of how you'd like your assets withdrawn. Will it be you, "you", your exchange, "your exchange", your custodian, or "your custodian"? From deepfake videos, speech synthesis, spearphishing, DNS rerouting, identity theft, a weak password, or social engineering - rest assured every single layer of experts in the setup is fully and completely versed in absolutely every single type of way they might be fooled into releasing your funds now or in the future.



Are Your Funds Backed Today?


IIROC, CSA, and the OSC would surely tell you right away if there was a shortage of backing. Just like with CoinBerry, where millions of dollars were just revealed to be missing.

Every other exchange in Canada is surely fully and absolutely backed. They just happen unfortunately to not know how to provide a blockchain-based proof. But your assets are "definitely" there.

Publicly traded exchanges even go a layer further. A single public accountant (who might even know how to spell ethereum) takes a look at numbers that are provided by the exchange and/or custodian, and then takes a look at other numbers (liabilities) provided by the exchange. They add up the numbers, and then sign a long document with a lot of disclaimers.

Kraken even goes a step further with a fancy Proof of Reserve. This is where they promise you they did a proof, and all the "proofy" parts are neatly hidden for your convenience. They definitely generated you a unique account ID, their auditor definitely looked at the blockchain wallets that they aren't sharing with you, and the Merkle tree definitely exists behind the scenes even if you can't see it. Progress!



Are Your Funds Insured Today?


Insurance providers study massive amounts of data to most definitely cover the situations which happen often and have the greatest impact (as part of their extreme for-profit altruism). They're eager to pay you instead of using the funds to attract more clients with marketing or sales, or covering the legal fees of occasional lawsuits (who would sue such a wonderful group of people anyway). Why fight in court to wear down the claimant when you can generously pay out a massive claim? Insurance companies which have survived and thrived keep their clients happiest by paying out claims. They love giving generously.

The entire history of cryptocurrency going missing on centralized platforms is full of wonderful heartwarming stories. For the very first case where bitcoins were defrauded from BitPay back in 2015, right through to the lost funds in IRA Financial (from a custodial account), insurance has been there every step of the way to help you feel protected, loved, and safe and give you renewed meaning and purpose during your tough times.



How Could We Have Safe, Backed, Insured Exchanges?


Multi-signature with a diversity of methods and a properly trained / background checked team? Nah... That's too simple. We must have 100 pages of rules! There need to be multiple layers of lawyers and accountants and compliance staff. If it isn't written in a way so confusing that the average person can't understand it, how can it possibly keep them safe? Everyone knows the best way to secure a system is to make it so complicated that the engineers who built it can't understand it! The more layers, third party dependencies, and staff members, the better!

Proof of Reserves? Why bother? Public audits by multiple auditors on a rotating basis? Let people validate they were included? Nah... The public prefers vague promises and pretty pictures of locks and vaults. Surely the best way to assure customers that funds are fully backed is simply by saying they are. Everyone knows that buzzwords, public relations, fancy logos, and expensive lawyers will protect us.

Pooling insurance together? A multi-sig of different platforms? Reducing fraud while simultaneously having an aligned incentive to cover loss events? Nah... Let's leave it up to the generosity of for-profit third parties. Big numbers and buzzwords are where it's at! What happens will definitely not be excluded somewhere in the hundreds of clauses of that large and hidden legal contract. Besides, the insurance is just a backup and won't need to be actually used since everything is perfect with all the other parts already.



Canadian Platform Transparency Rankings


Without further ado, here are the statuses of Canadian platforms for this year. There is one main metric - the level of visibility to fund backing. We have 7 categories:
  • No External Verification - A platform that doesn’t appear to give any indication of any external auditing or verification. You may want to avoid these platforms, but sometimes these are just because this information is not available easily.
  • Outside Verification Claim - There is some claim that they are being verified externally. Most of these don’t mention who is performing the audit/verification, what is actually being checked, or all that much about the verification process.
  • Publicly Traded Audits - Through the SEDAR website you can find audits of any publicly traded company. These are their own category. While auditing was performed by a CPA, it actually lacks sufficient clarity to attest cryptoasset liability backing.
  • Outdated Attestation - These platforms have undergone a process where full backing of customer assets was verified by a third party. That third party published a report to indicate such, but it happened more than a year ago. Things change.
  • Third Party Attestation - Third party verification within the past year. While these are pretty compelling, they don’t stop a platform from excluding customers, tricking the verification process, or colluding with the third party in various ways.
  • Proof of Liabilities - In addition to the third party validation, the platform also made available a means by which customers can confirm with the third party that their balances were considered liabilities of the platform (i.e. not excluded).
  • Full Proof of Reserve - Full Proof of Reserve generally includes public wallet addresses, digital signatures, and a public hash list or Merkle tree so customers can independently validate the ongoing asset backing of all participating customers.
Lots of platforms have been moving around this year! Exciting! There are also two new platforms added to the reviews - WealthSimple and VirgoCX.
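To make the "hash list or Merkle tree" part of the last two categories concrete, here is an added illustration in Python (not code from any platform, custodian or auditor in this report): the platform commits every customer balance to a Merkle sum tree and publishes only the root, each customer checks their own inclusion against that root, and the root total is compared with the reserves. It also shows the failure mode the Proof of Liabilities category guards against, a customer quietly left out of the tree. Account ids, balances and the "proven reserves" figure are constructed.

```python
"""Merkle sum tree for a proof of liabilities (constructed illustration).

Not code from any platform, custodian or auditor named in this report. The
platform hashes every customer balance into a sum tree and publishes only
the root (hash + total). Each customer gets the sibling path for their own
leaf and checks that their balance is inside the total the reserves must
cover. Account ids, balances and the reserve figure are all made up.
"""
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Node:
    digest: bytes
    total: int  # sum of all balances under this node, in satoshi

# Padding for odd-sized levels: carries no balance, so it cannot inflate or
# shrink the total the way duplicating a real leaf would.
EMPTY = Node(hashlib.sha256(b"empty").digest(), 0)

def leaf_hash(account_id: str, nonce: bytes, balance: int) -> bytes:
    # The per-customer nonce stops anyone from guessing another customer's
    # id/balance pair and checking it against the published root.
    data = b"leaf|" + account_id.encode() + b"|" + nonce + b"|" + balance.to_bytes(8, "big")
    return hashlib.sha256(data).digest()

def node_hash(left: Node, right: Node) -> bytes:
    # Child totals are hashed in, so a node cannot be swapped for one with a
    # smaller sum without changing the root.
    total = left.total + right.total
    return hashlib.sha256(b"node|" + left.digest + right.digest + total.to_bytes(8, "big")).digest()

def build_tree(leaves: List[Node]) -> List[List[Node]]:
    """Return every level, leaves first and the single root last."""
    levels, cur = [], list(leaves)
    while True:
        if len(cur) > 1 and len(cur) % 2 == 1:
            cur.append(EMPTY)
        levels.append(cur)
        if len(cur) == 1:
            return levels
        cur = [Node(node_hash(cur[i], cur[i + 1]), cur[i].total + cur[i + 1].total)
               for i in range(0, len(cur), 2)]

def make_proof(levels: List[List[Node]], index: int) -> List[Tuple[Node, bool]]:
    """Sibling path for leaf `index`: (sibling, sibling_is_on_the_left)."""
    proof = []
    for level in levels[:-1]:
        sib = index ^ 1
        proof.append((level[sib], sib < index))
        index //= 2
    return proof

def verify_inclusion(account_id: str, nonce: bytes, balance: int,
                     proof: List[Tuple[Node, bool]], root: Node) -> bool:
    """Customer-side check: does my (id, nonce, balance) hash up to the published root?"""
    if balance < 0:
        return False  # a negative leaf would let the platform shrink its total
    cur = Node(leaf_hash(account_id, nonce, balance), balance)
    for sib, sib_left in proof:
        if sib.total < 0:  # same trick, one level up
            return False
        left, right = (sib, cur) if sib_left else (cur, sib)
        cur = Node(node_hash(left, right), left.total + right.total)
    return cur == root

def run_example() -> Dict[str, object]:
    # Constructed ledger: (account id, balance in satoshi).
    ledger = [("acct-0001", 150_000_000), ("acct-0002", 25_000_000), ("acct-0003", 7_500_000),
              ("acct-0004", 1_200_000_000), ("acct-0005", 300_000)]
    nonces = {a: secrets.token_bytes(16) for a, _ in ledger}
    levels = build_tree([Node(leaf_hash(a, nonces[a], b), b) for a, b in ledger])
    root = levels[-1][0]
    # Every customer checks only their own slice of the tree.
    all_included = all(verify_inclusion(a, nonces[a], b, make_proof(levels, i), root)
                       for i, (a, b) in enumerate(ledger))
    # A balance that differs from what was committed must not verify.
    a0, b0 = ledger[0]
    tamper_rejected = not verify_inclusion(a0, nonces[a0], b0 + 1, make_proof(levels, 0), root)
    proven_reserves = 1_382_800_000  # constructed: what the signed addresses added up to
    backed = root.total <= proven_reserves
    # Failure mode from the text: the platform leaves one customer out so its
    # liabilities look smaller. That customer can never reach the published root.
    cheat = [row for row in ledger if row[0] != "acct-0003"]
    cheat_levels = build_tree([Node(leaf_hash(a, nonces[a], b), b) for a, b in cheat])
    cheat_root = cheat_levels[-1][0]
    excluded_detected = not any(
        verify_inclusion("acct-0003", nonces["acct-0003"], 7_500_000, make_proof(cheat_levels, i), cheat_root)
        for i in range(len(cheat)))
    return {"root_total": root.total, "all_included": all_included, "tamper_rejected": tamper_rejected,
            "backed": backed, "cheat_total": cheat_root.total, "excluded_detected": excluded_detected}

if __name__ == "__main__":
    print(run_example())
```

The customer never needs the other leaves: the nonce and sibling path for their own account are enough, which is exactly what "validate they were included" asks for.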



No External Verification


CoinField - The CoinField website has hardly changed over the year, with the exception of a pitch video for their new “CFC Coin”. Apparently they plan on “creating [their] own CoinField blockchain consisting of D.E.X. and DeFis”. If you like investing in projects that can’t even get English grammar right, you can “[b]ecome an early CFC investor.”

CoinField’s security page hasn’t changed. CoinField is still the "most secure trading platform in Canada", because “[m]ultiple layers of gateways are required to allow access to data and to conduct transactions”. They “use Multi-sig wallets that require more than one key to authorize a digital transaction” and “[c]old storage wallets [which] are kept offline in a secure safety deposit box”. However, funds are “only retrievable only if the two founders are present at the same time” - creating an opportunity for one founder to coerce or hack the other to withdraw, and the lack of redundancy may create a systemic risk if one founder dies, gets arrested, or is incapacitated. Of additional concern is the use of a “one of a kind secret vault that’s been built from scratch”. Developing a custom cryptographic solution, without consulting multiple experts, may result in a less secure solution than widely used best practices. “Coinfield.com will not be liable, in any event whatsoever, for any loss or damage of any kind incurred as a result of the use of this site or the services found at this site.”
“CoinField employs a vibrant mix of 30+ experts from a wide range of backgrounds, and a variety of different skill sets.” CoinField is apparently based in Estonia and may not have a Canadian office. As of 2 years ago, they were “fully regulated” in “193+ countries”, except for the period between October 2019 and June 2020, when they weren’t even registered as an MSB. They are presently “[a]vailable in 186 countries.” There still does not appear to be any mention of audits or validation being performed, internally or externally.

I was unable to locate any agreement between the CoinField platform and regulators at the Canadian Securities Agency or Ontario Securities Commission.

Recommendations: Obviously, we would like to see some sort of evidence that funds are fully backed, or at least that regular audits are being done. We would also recommend improving the multi-signature setup to require at least 3 signatures to access funds.



Coinut - The Coinut platform hasn’t changed. It’s still “[t]rusted by 1,000,000+ global users”, and claims to be "the most secure cryptocurrency exchange". According to the front of the website, they perform a “[r]eal-time internal audit”, however the details are not public for users and there does not appear to be any evidence of any third party involvement. Users have no way to know that they were included, nor the results of the audit. While they have a "[s]emi-manual process of big withdrawals”, it’s unclear if this involves a multi-signature wallet or if they could be vulnerable to an attack involving lots of smaller transactions. From the details observed on a previous version of the site last year, they protect customer assets “by storing cryptocurrencies offline” in a single “offline computer” and "not us[ing] USB drives, as the online computer may be infected with virus". In addition to removing that page, they’ve added a disclaimer on the website: “Please note that you may not be able to recover all the money you paid to Coinut Pte Ltd if Coinut Pte Ltd's business fails.”
I was unable to locate any agreement between the Coinut platform and regulators at the Canadian Securities Agency or Ontario Securities Commission.

Recommendations: We would recommend that Coinut store cold storage funds within a multi-signature wallet requiring at least 3 signatures. They should get a third party to attest that all customer funds are backed on the blockchain or in company accounts. A full hash list would enable all customers to confirm that their assets were provided to the validator.



NDAX - “Start building your crypto portfolio on Canada’s most secure trading platform.” So secure that the Internet Archive can’t even visit. Apparently not even a single other platform is more secure. But also “NDAX’s security standards are among the highest in the Canadian FinTech industry.” I suppose technically the “most secure” platform is also “among the highest”. Or is it the “most secure trading platform”, but there’s another “Canadian FinTech” that isn’t a trading platform with higher security? I mean, they have gone from “set[ting] the standard for the Canadian cryptocurrency industry” (2020) to instead “[s]et[ting] the [s]tandard for Canadian [c]ryptocurrency [t]rading”.

It’s good to see that “[t]ransferring funds out of cold storage requires multiple approvals from NDAX’s senior management team”. This supposedly “effectively protect[s] the user's assets and safeguard[s] their crypto wallets”. I would hope this means at least 3 approvals, but we may never know. “NDAX’s Ledger Vault is whitelisted” providing additional protection, if we assume the thief doesn’t also change or access the “warm storage”. In 2020 they stated they store “95-98% of user funds in an offline, multi-signature wallet”. Today they merely claim to hold “a majority of user funds in an offline, multi-signature wallet.” That’s right: up to 50% of the funds may be in “warm storage”.

“NDAX has implemented Multi-Party Computation (MPC) technology recognized by industry experts”. We can hope there is no point of centralization. “Both NDAX’s hot and cold wallet service providers are System and Organization Controls (SOC) 2, type 1 certified.” However, they’re also “the first Canadian crypto platform to receive SOC2 Type II certification”. They can’t seem to make up their mind which type of SOC 2 they are. SOC 2 is a framework which “defines criteria for managing customer data”. Type 1 certification determines “whether their design is suitable to meet relevant trust principles” and does not indicate anything about “the operational effectiveness of those systems”. The difference between Type 1 and Type 2 is largely how long a system has been running for. Up to half of the customer assets on the NDAX platform could be in hot storage wallets, subject to live withdrawals at the request of the NDAX system, operators, or contractors.

“Due to our robust compliance regime, we were able to secure banking services provided by a Canadian-based financial institution.” Which one? All customer funds are “in a [single] segregated bank account” and there is no indication of CDIC insurance. While “[d]aily reconciliation of financial assets on and off the platform is performed to record assets’ integrity”, no third party validation appears on any of the pages, and no customers have an ability to know whether they were included in this validation. Existing funds are protected against “insurable incidents”, which include cold wallet “internal theft and Hardware Security Module (HSM) malfunction”. Details of insurable events in the “hot wallets” or “general business liability” are not provided. Without reviewing the top secret insurance contract line by line, it’s nearly impossible to evaluate what level of protection is offered, what stipulations may apply, and the solvency of the insurance provider.

I was unable to locate any agreement between the NDAX platform and regulators at the Canadian Securities Agency or Ontario Securities Commission. However, I was able to locate feedback provided by NDAX to regulators which suggests they are in contact.

Recommendations: While internal validation is better than no validation, it’s certainly not the same as external validation. There is a concern that too large a share of customer funds may be in warm wallet storage, which doesn’t have the same level of security as the cold storage. The multi-signature of the cold storage should be at least 3 of 4 signatures.



Outside Verification Claim




Bitvo - The Bitvo website changed slightly from being an “exchange” to a “trading platform” in the past year. Whether “Canada's premier cryptocurrency trading platform” or merely “on a mission to become Canada’s premier cryptocurrency trading platform”, the Bitvo team has “come together to provide Canadians with the best experience in cryptocurrency trading.” (Yes, that typo is finally fixed.) Bitvo’s cold storage “policies and procedures includ[e] its utilization of [an] offsite, third party, air-gapped cold storage that is only accessible with multiple signatures, provided by BitGo Trust Company, a licensed trust company with the South Dakota Division of Banking”. (Yes, funds have now been moved south of the border.) “Bitvo holds 95% to 100% of customers’ funds in Cold Storage.”

Bitvo assures customers that they operate “on a full-reserve basis”, and the first point on their website talks about how “[s]ecurity and transparency are important in your financial transactions.” Under Bitvo’s fee structure, users only pay for withdrawals and are thus incentivized to keep as much as possible on the platform. All fiat funds are held in a single bank account, which means that any CDIC coverage would be extremely limited. “The Filer holds at least 80% of the total value of Client Assets in a cold storage custody account (the Custody Account) provided by BitGo Trust Company (the Custodian) and the remainder in online "hot" wallets secured by software licensed from BitGo Inc., the parent company of the Custodian.”

“The securities regulatory authority or regulator in Alberta and Ontario (the Dual Exemption Decision Makers) have received an application from the Filer (the Dual Application) for a decision under the securities legislation of those jurisdictions (the Legislation) exempting the Filer from:” “(b) the requirement in subsection 12.10(2) of National Instrument 31-103 Registration Requirements, Exemptions and Ongoing Registrant Obligations (NI 31-103) to deliver annual audited financial statements to the regulator (the Audited Financial Statements Relief);” However, “The Filer has unaudited financial statements and is working with the auditor to prepare audited unconsolidated financial statements. The Filer anticipates that it will be able to obtain audited financial statements for the Filer's 2022 financial year end.” And “The Filer will deliver its 2021 annual audited financial statements in accordance with subsection 12.10(2) of NI 31-103 by June 30, 2022.” Moved to apparent verification.

Bitvo’s trading platform was (and may still be) a whitelabel of AlphaPoint, a service which was previously breached in May of 2019. The Bitvo platform has now been acquired by FTX. Sam Bankman-Fried, CEO of FTX, commented on the news, “We are delighted to enter the Canadian marketplace and continue to expand FTX’s global reach. Our expansion into Canada is another step in proactively working with cryptocurrency regulators in different geographies across the globe.” “The acquisition is expected to close in the third quarter of 2022, subject to regulatory approval and customary closing conditions.” “FTX Trading LTD is incorporated in Antigua and Barbuda, and headquartered in The Bahamas.”

Recommendations: Obviously, we would like to see some sort of evidence that funds are fully backed, or at least that regular audits are being done. There are also limited details about the level of security on the cold storage multi-sig, such as how many signatories are required.



CoinBerry - “Welcome to Canada's best crypto exchange.” They’ve now declared themselves “Canada’s #1 platform”. Is it because they “use cookies to ensure you get the best customer experience”? Perhaps it’s because they’re one of the few platforms to still advertise Terra (LUNA). “[T]he only insured, OSC & FINTRAC registered, and PIPEDA-compliant crypto-trading platform trusted by Canadian municipalities.” PIPEDA is a privacy standard. The trust by Canadian municipalities is as a payment method for taxes in Innisfil. So it appears to be just one “municipalities”.

CoinBerry has finally “come clean” about some of the details of what happened to them in 2020. “Coinberry in 2020 underwent a software upgrade and accidentally let people buy bitcoin with Canadian dollars that had yet to be properly transferred to their accounts.” “Customers could initiate an Interac e-transfer, get the amount credited to their Coinberry accounts, buy bitcoin and transfer the coins out, and then cancel the original e-transfer, retaining their own funds and getting free bitcoin.”

“Coinberry contacted all of the said 546 affected registered users by email and demanded return of the misappropriated bitcoins,” the lawsuit read. “Coinberry also immediately contacted Binance.” “That loss of about 120 bitcoins, which has not been previously disclosed, is detailed in a recent lawsuit by Coinberry, filed in Brampton, Ont., west of Toronto.” “[T]he largest amount misappropriated by a single user and not returned was $385,722.31, valued in April 2022. That is attributed to two people — Jordan Steifuk and Connor Heffernan — that Coinberry says are actually the same person.” “That person, whether he is Steifuk or Heffernan, could not immediately be reached for comment.”
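The sequence the lawsuit describes is a textbook unsettled-deposit problem: fiat was made spendable before the transfer had settled. As an added illustration (not Coinberry's code), the toy ledger below replays that sequence once with "credit on initiation" behaviour and once with the usual fix of holding the deposit as pending until settlement is confirmed. Amounts, transfer ids and the BTC price are constructed.

```python
"""Unsettled-deposit race: the bug beside its fix (constructed illustration).

Not Coinberry's code. One ledger class is run twice: once crediting an
e-transfer as spendable the moment it is initiated (the behaviour the lawsuit
describes), and once holding it as pending until settlement is confirmed.
Amounts are CAD cents and satoshi; the price is made up.
"""
from dataclasses import dataclass, field
from typing import Dict

SATS_PER_CENT = 40  # constructed price: 25,000 CAD per BTC


class InsufficientFunds(Exception):
    pass


@dataclass
class Ledger:
    credit_before_settlement: bool
    cad_settled: int = 0                                        # spendable fiat
    cad_pending: Dict[str, int] = field(default_factory=dict)   # initiated, not settled
    reversible: Dict[str, int] = field(default_factory=dict)    # credited but still recallable
    sats: int = 0

    def deposit_initiated(self, transfer_id: str, cents: int) -> None:
        if self.credit_before_settlement:
            # Vulnerable: the customer may spend money the platform has not received.
            self.cad_settled += cents
            self.reversible[transfer_id] = cents
        else:
            self.cad_pending[transfer_id] = cents  # shown to the customer, not spendable

    def deposit_settled(self, transfer_id: str) -> None:
        self.cad_settled += self.cad_pending.pop(transfer_id, 0)
        self.reversible.pop(transfer_id, None)  # settled money can no longer be recalled

    def deposit_cancelled(self, transfer_id: str) -> None:
        # A cancelled pending transfer simply disappears; a cancelled transfer
        # that was already credited is clawed back, possibly below zero.
        self.cad_pending.pop(transfer_id, None)
        self.cad_settled -= self.reversible.pop(transfer_id, 0)

    def buy_btc(self, cents: int) -> int:
        if cents > self.cad_settled:
            raise InsufficientFunds("only settled CAD can fund a trade")
        self.cad_settled -= cents
        self.sats += cents * SATS_PER_CENT
        return cents * SATS_PER_CENT

    def withdraw_btc(self, sats: int) -> int:
        if sats > self.sats:
            raise InsufficientFunds("not enough BTC")
        self.sats -= sats
        return sats


def replay_attack(credit_before_settlement: bool) -> Dict[str, object]:
    """The sequence from the lawsuit: initiate, buy, withdraw, then cancel the e-transfer."""
    led = Ledger(credit_before_settlement)
    led.deposit_initiated("etr-1", 500_000)  # constructed $5,000.00 e-transfer, unsettled
    withdrawn, rejected = 0, False
    try:
        withdrawn = led.withdraw_btc(led.buy_btc(500_000))
    except InsufficientFunds:
        rejected = True
    led.deposit_cancelled("etr-1")  # sender recalls the transfer after the coins are gone
    return {"trade_rejected": rejected, "sats_withdrawn": withdrawn,
            "platform_cad_position": led.cad_settled}


def honest_customer() -> int:
    """Hardened ledger, legitimate flow: the trade clears once the transfer has settled."""
    led = Ledger(credit_before_settlement=False)
    led.deposit_initiated("etr-2", 500_000)
    led.deposit_settled("etr-2")
    sats = led.buy_btc(500_000)
    led.deposit_cancelled("etr-2")  # too late to recall: settled funds are not clawed back
    return sats if led.cad_settled == 0 else -1


if __name__ == "__main__":
    print(replay_attack(True), replay_attack(False), honest_customer())
```

With the vulnerable flag the platform ends the sequence short 0.2 BTC and $5,000 in fiat; with the fix the trade is refused before any coins leave.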

Despite that screw-up, and their lack of any transparency for over 2 years while customers panicked, CoinBerry was the first to be approved by the OSC. Details of the OSC arrangement can be found here. CoinBerry "has provided and will continue to provide audited annual financial statements in accordance with section 12.10 of NI 31-103." Past audits appear to have been conducted by the accounting firm MNP. CoinBerry, with a stated goal of “demonstrating a rigorous commitment to trust, security and transparency”, also agreed to provide a slew of other data once every 3 months to the OSC.

CoinBerry now has a “Financial Institution Bond”, of which details are sparse, but it apparently protects against “financial losses due to dishonest acts and unethical behavior from Coinberry employees”. There is no indication it provides protection against the much more common attack vectors: behaviour of owners or contractors, system security breaches, or impersonation attacks. There is also “200M in insurance coverage” provided by “Gemini Trust Company LLC™”, to whom CoinBerry has generously transferred cryptographic ownership of “not less than 80% of the total value” of customer funds. Insurance is provided by “Nakamoto, Ltd. (Nakamoto), a captive insurance company licensed by the Bermuda Monetary Authority (BMA)”. Without being able to evaluate specifics of the insurance contract, it’s impossible to know what’s actually protected against.

CoinBerry has always stored funds offline in multi-signature wallets. Previous iterations of their system required only 2 staff signatures and it’s unclear what the present requirement is. Cold storage funds are now stored in “institutional-grade crypto storage”. “The majority of your crypto is held in [an] offline, air-gapped Cold Storage system.” They “use a multisignature digital signature scheme (multisig)”. While it’s unclear how many signatures are required, they feel the need to specifically mention that “[their] CEO (Tyler Winklevoss) and President (Cameron Winklevoss) are unable to individually or jointly transfer cryptocurrency out of [their] Cold Storage System.” In addition, “[a]ll employees undergo criminal and credit background checks and are subject to ongoing background checks throughout their employment.” Of greater concern would be the 20% of funds remaining hot on the platform. As per their terms of service, “We cannot and do not guarantee or warrant that the Site or the content on the Site are compatible with your computer systems or that the Site or the content will be free of viruses, worms, trojan horses or disabling devices or other code that manifests contaminating or destructive properties.”
CoinBerry has publicly expressed agreement that you should not store funds on cryptocurrency exchanges including their own. “You agree to indemnify and hold us, and our subsidiaries, affiliates, officers, agents, co-branders or other partners, and employees, harmless from any claim or demand”.

Recommendations: CoinBerry provides limited details about their custody setup on their website; more detail about the multi-sig would let us confirm it requires at least 3 of 4 signatures at all levels. Obviously, we would also like to see transparent audit reports, ideally with a greater level of visibility to customer fund backing.



CoinSquare - “Founded in 2014 with the mission to create the go-to crypto trading platform, Coinsquare has grown to become one of Canada’s largest Crypto trading platforms.” “Coinsquare is now Canada’s first fully-regulated crypto-native IIROC broker dealer and ATS.” “Canada's best cryptotrading platform” is now complete with a CEO, COO, CTO, CFO, CLO, CCO, and CRO! And a graphic of checkmarks in the sky!

“Making a quick trade has never been easier.” “Start your crypto journey in less than 5 minutes.” Just be sure to read through and agree to the Relationship Disclosure (12 pages), the Risk Statement (9 pages), the Client Account Agreement (19 pages), the Terms of Use (19 pages), and the Privacy Policy (7 pages). Everyone here can read 7,377 + 3,781 + 3,149 + 6,821 + 2,766 = 23,894 words in “less than 5 minutes”, right?

CoinSquare has grown a lot past the stage of going mysteriously offline, suffering data breaches involving thousands of customers, and paying millions of dollars in fines for massively inflating trading volume. In fact, the “most traded” coin listed on CoinSquare’s homepage right now is bitcoin with an impressive “volume” of “CA$34.40B”.

“We believe financial products should be easy to use, open and transparent.” Great… Let’s see the audited financial statements! (Allegedly done by a “national accounting firm” whose identity was protected under an NDA.) Oh and “[c]ertain assets on Coinsquare are trade-only, which means they are only available for buying, selling and holding.”

CoinSquare recently reached a milestone agreement to become a member of IIROC. As part of that agreement, “Each year CCML will provide IIROC with a copy of the annual audited financial statements prepared for Coinbase.” “Each year CCML will provide IIROC with a copy of the annual audited financial statements prepared for Tetra.” Nowhere in that agreement are any statements about CoinSquare required to be submitted. The OSC’s decision on CoinSquare also appears to lack any requirement to submit financials.

"Canada's trusted platform." “[W]e take your trust”. “Your assets, held in trust.” “All client assets are held in trust.” “The Digital Assets … will be securely held in trust … at Coinbase Custody Trust Company, LLC, a trust company …, at Tetra Trust Company, a trust company, … in trust.” “COINSQUARE ACTS AS TRUSTEE ... COINSQUARE AGREES TO ACCEPT SUCH TRUST” In summary, trust. A lot of trust.

Recommendations: It would be nice to see proof that customer assets are fully backed and more details about how they’re protected with a proper multi-sig setup.



Newton - “The crypto trading platform you can trust” “Canada's trusted low-cost crypto trading platform.” “We live our value of transparency daily” “We will be brutally honest with our customers and with each other in the pursuit of truth.” “We will show leadership by doing, rather than by talking about doing.” Trust and transparency sound great. I like doing. Let’s throw a big party about it! “Oops, someone got snacky. That’s weird...”

“A platform built for crypto's unique risks.” “We keep 80% of our assets offline to limit the exposure to unforeseen issues and risks.” Newton was one of the first to announce “[t]hird-party custody” through Balance. Newton’s custody page doesn’t exist anymore, nor does their blog post on enhanced custody, but the old version is here. They used to mention “[i]nstitutional-grade storage for your digital assets”, which was provided through the Canadian custodian Balance. Now their mention of “Institutional grade storage.” seems to talk about “customers' data”. Balance's website is mysteriously absent any testimonial from Newton, which existed on June 15th, 2022 but vanished with a site upgrade as of June 28th, 2022. Seems like someone got snacky again!

In discussions in 2020, Newton was working on a feature “allowing you to login to Balance directly to verify your balance and move funds independently of Newton”. Now, aside from one quote in the security FAQ that “We rely on trusted-third party custodians to store the vast majority of our customer crypto assets in secure locations with no access to the internet (aka “cold storage”).”, there’s literally nothing to even indicate where the funds are stored. They “maintain various forms of insurance” but not much detail is provided.

And “Newton is now also registered with the Ontario Securities Commission (OSC) and the securities regulatory authorities in all Canadian provinces, Yukon, and Northwest Territories.” In that agreement in August, “The Filer primarily uses Coinbase Custody Trust Company LLC as custodian (the Custodian) and will use other custodians as necessary after reasonable due diligence.” Now we see what happened.

I was able to locate an agreement between the Newton platform and regulators at the Ontario Securities Commission. However, I was unable to locate any mention of financial audits being provided within the report. It’s unclear if that indicates that providing financial audits wasn’t an issue for Newton or if it simply didn’t come up in discussions. Note that Dustin has since responded to indicate that auditing is being done by "KRP Group" which we can assume is most likely "Kingston Ross Pasnak LLP".

Recommendations: Publicly disclose where you are storing customer funds and more about what security is in place. What actual scenarios does the insurance protect? Who’s checking that funds are backed? Why is there no available report for this information?



VirgoCX - “Founded in 2018, VirgoCX is a cryptocurrency trading platform that supports Bitcoin, Ethereum, Litecoin, and more.” “We make crypto trading safe, easy, and affordable.” “[W]e are your trusted crypto trading partner that supports you throughout your journey.” “Virgo Group said it aims to launch an NFT Web3 Liquidity Aggregator to help users instantly complete the sale of their NFTs at competitive prices. Virgo Group said it also plans to introduce more innovative services, such as staking and DeFi yield farming.”

“Safe Trading Begins with Best-in-Class Security Systems” “Your cryptocurrency is safe with our 2FA and SSL protocols.” Really? You have both two-factor-authentication and SSL (the S in HTTPS)? What a revolution! “Your information is secure. Your funds are secure. Our system is secure.” If you say so. PIPEDA is great. CoinBerry take note.

“It is our highest priority to protect your assets and privacy. As a result, we deploy all efforts to secure our systems to create a safe trading environment for you.” “We enforce institutional-grade control on all transactions.” “Your money is safe, accessible, and you have total control.” “We only keep a small amount of cryptocurrencies on our platform for trading purposes. The rest is in our offline storage and secured by a qualified custodian, Coinbase Custody.” Total control? Really? Not mentioned: Multi-signature, anywhere.

“We engage trusted third parties to conduct routine audits such as proof of reserve audit and we monitor for suspicious activities.” Well, let’s see your “proof of reserve” then. Audits are also not mentioned anywhere in the OSC agreement and of course not on SEDAR as they’re not publicly traded.

Recommendations: If you want to claim a proof of reserve audit, publish it. A key part of the proof (and why it’s a proof not just an attestation) is the proof of liabilities. You really need to work on your explanations of security if you want to demonstrate being “best in class”. A multi-signature wallet would be a great starting point.



WealthSimple - “Buy, sell, and earn crypto.” “Trade and stake coins with confidence on Canada’s first regulated crypto platform.” “Get up to $5,000 instantly” Oh yay, free money! (Thought only CoinBerry offered that.) WealthSimple was included in the recent potential class action lawsuit over hidden fees. According to the lawsuit, WealthSimple provides “statements [which] are false and misleading (under Quebec law and the Competition Act) because they give the general impression that there are no fees or out-of-pocket costs for buying or selling crypto on these Defendants’ platforms when, in reality, they charge their customers some of the highest fees in the industry.”

“As of November 10, the company has added the ability for users to deposit cryptocurrencies from external wallets into Wealthsimple Crypto.” “This is an important step in taking our crypto platform from a closed-loop system, to a platform that gives our clients the ability to explore the different applications and opportunities of crypto,” Wealthsimple noted in a statement to BetaKit. “For many people, having direct control over their digital assets is a huge part of cryptocurrency’s value proposition. They want the autonomy to control their assets directly, without needing to trust centralized intermediaries. And the only real way to have that autonomy is with a crypto wallet.” “Withdrawing crypto is currently only available through the Wealthsimple app.” (So PC users are out of luck.) “We suspect this level of freedom will be really attractive to clients as new crypto ecosystems emerge.”

“Wealthsimple Crypto’s assets are custodied at Gemini Trust Company, a popular cryptocurrency exchange and custodian created by the Winklevoss brothers, and regulated by the New York State Department of Financial Services.” Thus, insurance is provided by “Nakamoto, Ltd. (Nakamoto), a captive insurance company licensed by the Bermuda Monetary Authority (BMA)”. Without being able to evaluate specifics of the insurance contract, it’s impossible to know what’s actually protected against.

“Wealthsimple has been in the crypto trading space since 2020, and has received conditional approval from the Canadian Securities Administrators (CSA), through its Sandbox program, to test its crypto trading platform for a period of two years.” Reviewing the OSC agreement, “[u]ntil such time as the Filer can deliver annual audited financial statements in accordance with subsection 12.10(2) of NI 31-103, the Filer will deliver annual unaudited financial statements of the Filer and the annual audited financial statements of WFC for each financial year to the Principal Regulator as soon as they are available.” “The Filer anticipates that it will be able to obtain audited financial statements for the Filer’s 2021 financial year end.” No public audits could be located on SEDAR through a search for either “wealthsimple” or “wfc”.

“Wealthsimple wallets are safer than other kinds of wallets, then? We’re trying to be extra careful. When we built our crypto platform (the first regulated way to trade crypto in Canada), we worked closely with regulators to try to make sure it was as dependable as possible.” As they’ll note, “any bitcoin purchased is at risk to a whole host of different attacks, from hackers installing crypto miners onto your computer, to dubious crypto exchanges sweeping your investments into private accounts.” Check that page for a (very basic) example of some common scams and advice. “How to avoid bitcoin scams” “Take funds off exchanges”.

Recommendations: Please provide transparent public audits to assure customers that assets are fully backed. Ideally, provide a way for customers to independently verify that their balances were included with the auditor. Improve the details about what is covered by insurance. Make sure you have set up a proper multi-signature wallet with Gemini.



Publicly Traded Audit


CoinSmart - CoinSmart aims to build “a Crypto Trading Platform you can actually understand”. It’s “[d]esigned for beginners and built for experts”. They “have you all covered”. So if you like being all covered and using tools that are built for experts but designed for beginners, then you can “[g]et verified instantly”, “get verified in minutes”, and get “verified the same day”. What other platform offers so many simultaneous verifications?

“Industry Leading Security” Security is such a high priority, they devoted one whole panel of their front page. You know they mean business when they have a nice picture of a vault. “Cold storage? Yep.” “Cold Storage is a cluster of cryptocurrency wallets held away from internet access.” “Multi-signature access to the wallets, so in the event of emergencies, the wallets can be accessed by multiple sources.” Hooray! Lots of ways to access the wallets! “The Filer primarily uses BitGo Trust Company as custodian (the Custodian)”

“CoinSmart is able to prevent fraud by running a comprehensive identity verification process that is able to detect fake addresses and dates of birth using a database offered by data collection agencies. By using these agencies, CoinSmart is able to verify a person’s identity and also keep personal user information secure.” Apparently all you have to do to keep personal information secure and prevent fraud is detect fake addresses and dates of birth.

They include the standard wording, “[t]he digital currencies held in trust in your Crypto Account are fully-paid assets beneficially owned by you and not by CoinSmart.” They will not “loan, hypothecate, pledge, or otherwise encumber any digital currencies in your Account”. According to their about page, they are “accountable to [their] customers, community and to each other” and “committed to being open and transparent with [their] customers”.

The financial audit of the CoinSmart platform was put together by Shawn Rozansky of Richter LLP. “Shawn has significant experience in a variety of industries.” (He’s worked the same place for 11 years, since before bitcoin was even a thing.) “AGREEABLE” “affable nature” “Truly relatable, wonderfully down-to-earth and very polite.” Is this really the person who would have the experience to challenge the accuracy of client liabilities and digital assets on a company balance sheet? There didn’t even appear to be a breakdown of customer liabilities by digital asset, so it isn’t even possible to know whether each asset is claimed to be fully backed.

"The risk of not detecting a material misstatement resulting from fraud is higher than for one resulting from error, as fraud may involve collusion, forgery, intentional omissions, misrepresentations, or the override of internal control."

In any case, CoinSquare "has entered into a definitive agreement dated September 22, 2022 (the “Purchase Agreement”) with CoinSmart Financial Inc. (“CoinSmart”) to acquire all the issued and outstanding shares of its wholly-owned operating subsidiary Simply Digital Technologies Inc. (“Simply Digital”), which owns and operates the CoinSmart trading platform." I will certainly miss writing future reviews!

Recommendations: Get an audit or validation from someone with a blockchain background who can confirm the assets exist. Include a way that customers can be sure they were considered in the validation, such as a hash list.



NetCoins - Formerly "Canada's easiest, most trusted way to buy and sell crypto." Founder Mitchell Demeter has now been fully replaced. Guess his history founding CoinTrader and losing people’s funds was too much. (Apparently he’s off to the Cayman Islands.) “We’re human and you’ll see that quickly as you chat with us through our various channels.”

“We're also fully regulated and registered with the Canadian Securities Administrators (CSA) and BCSC.” By that they mean being a “restricted” dealer and having applied for special exemptions to certain regulations. That’s right. Even this already publicly traded company still needs special exemptions from regulators. 27 pages of stipulation in their temporary relief aren’t even enough to satisfy regulators.

“Netcoins is owned by BIGG Digital Assets, a publicly traded company on the OTCQX under BBKCF.” TYVM FYI. I did manage to locate an audit on SEDAR - after double checking the year wasn’t 1998, solving a captcha (what do you know I’m human too), and reading through a 10 page agreement (most surely also written by humans). “The Filer primarily uses BitGo .. BitGo as custodian”

The “engagement partner on the audit” report was “Jonathan Wong”. You can see a video about his experience at KPMG. While he has worked with KPMG for 4 years, his background on LinkedIn doesn’t appear to include much in the way of blockchain. As you may figure, no blockchain addresses are provided, nor is there any indication of a proof of ownership over the funds on the blockchain. There is also no breakdown of customer digital asset liabilities, though there is one with broken down CAD values for the assets. You could presumably reverse-engineer the amounts held from those CAD values using CoinMarketCap prices on the audit date.

"The risk of not detecting a material misstatement resulting from fraud is higher than for one resulting from error, as fraud may involve collusion, forgery, intentional omissions, misrepresentations, or the override of internal control."

Recommendations: The audit should include a breakdown of assets with native values (i.e. how many bitcoin, etc.) for faster understanding. There should be a breakdown of client liabilities as well. Customers should receive a hash of their balance information that they can then confirm with KPMG directly to know they were included. The audit team should include someone with blockchain experience and a proof of ownership. More information should be provided on how customer funds are secured.



Outdated Attestation


BitBuy - Moving up! Last year, Bitbuy called themselves “Canada's trusted choice”. This year they’re “Canada’s most secure and trusted platform”. As in, more secure, and more trusted, than any other Canadian platform. As they put it, “[t]he crypto destination of investors.” While the platform has operated since 2016, and was the first to get a “Proof of Reserve and Security Audit Report”, this is still quite a claim to make. (Interestingly, it appears they’ve removed the report from their site.)

While the site states that “99% of your crypto is kept secure in our Cold Storage, and covered by a comprehensive insurance policy.”, this contradicts the June 2021 report by Blockchain Intelligence Group, which stated backing levels as low as 96.29% on some crypto-assets. The latest BitBuy validation offers no visibility for customers to validate that their balances were included, similar to previous validations, and BitBuy has not published a subsequent third party validation since July 2021. None of the validations provided any way for customers to be sure that balances were included, although CipherBlade did do some tests to at least check the database was “live”. “Bitbuy backend account balance changes reflected all user account balance changes with each step of this process for both fiat deposits and withdrawals.”

BitBuy used to store customer assets in Canada using Knox, which they called an “industry leading push for best practices”. However, even last year the mentions of Knox were disappearing from the BitBuy website. According to the OSC decision, BitBuy is now storing all funds with BitGo. “The Filer has assessed the risks and benefits of using BitGo and, has determined that in comparison to a Canadian custodian (as that term is defined in NI 31-103) it is more beneficial to use BitGo, a U.S. custodian, to hold client assets than using a Canadian custodian.”

Recommendations: It would be beneficial to publish another audit or report to back up the full backing of customer assets, ideally with an assurance to customers that their accounts were included and provided to the auditor. Additional information on the BitGo wallet setup and the insurance policy would also be useful.



ShakePay - “We have always put transparency at the forefront of everything we do.” While other platforms are typically upfront about the fees or spread charged, ShakePay lists only one price and promotes the service as “commission-free”. The profit model can only be found by clicking through to a separate page. Spread and pricing information is only available within a registered account. ShakePay is now facing a potential class-action lawsuit over their pricing practices, which you can read details of here. While ShakePay offers the “easiest way for Canadians to buy and sell bitcoin”, they don’t appear to recommend selling your bitcoin there. ShakePay provides “a mailing address only. There are no Shakepay employees at this location.” And according to the security recommendations on ShakePay’s own blog, you should never “[s]end crypto to anyone that you do not personally know or have met in real life” (https://blog.shakepay.com/keeping-yourself-safe-impostors/).

ShakePay previously described customer funds as stored with a “trust company registered under the NYDFS”. Last November they either moved or finally revealed who that was - Coinbase Custody. “Shakepay holds an insurance policy on the digital currencies held in cold storage. This policy covers most damages, theft, and loss of private keys.” Like almost every insurance policy, specific details aren’t public. It will be interesting to see which “quite unlikely” events “the cold storage provider’s policy and Shakepay’s own policy” would cover. It doesn’t appear it would include events like Coinbase’s insolvency, and Coinbase’s previous information about their insurance appears to have been removed from their blog.

ShakePay also completed a SOC II Type I security attestation in April this year. While details of the multi-sig setup aren't included, the previous report by CipherBlade (now 2 years old) showed “[m]ultiple people are required to authorize transactions. Neither of the two founders, Jean or Roy, are able to perform withdrawals from our cold storage wallets.” “CipherBlade can confidently conclude that Shakepay controls these cold wallets” even though “they are controlled by [the] cold storage provider” and “the cold storage provider ultimately holds the private keys”. Of course, SOC II reports aren’t public, so the only details we have are from ShakePay’s blog that they “exceed the requirements in most categories”.

According to the terms of use, “The Shakepay Platform enables you to buy and sell Digital Currency but it is not intended to be a storage facility for your Digital Currency. Shakepay strongly believes that everyone should control their Digital Currencies. The Shakepay Platform provides convenient functionality for you to initiate a transaction on a blockchain ("Blockchain Transaction") to move Digital Currency and you agree to use this functionality promptly, and no later than 28 days after buying Digital Currency from Shakepay.”

Recommendations: While ShakePay isn't designed to custody funds, more public validation on the security setup would be beneficial.



Third Party Attestation


There are no platforms with third party attestations in the past year that include sufficient details to validate a claim of full backing on all customer digital assets. Check “Publicly Traded Audit”, “Outdated Attestation”, or “Proof of Liabilities”.



Proof of Liabilities


Kraken - In the last report, Kraken had just achieved the momentous accomplishment of becoming the first cryptocurrency exchange to be a regulated bank by completing a charter in the state of Wyoming. Late last year, Kraken achieved another first in becoming the first major exchange platform in North America to undergo a third party attestation including a Proof of Liabilities Merkle tree on a select number of assets.

"Don’t Trust, Verify." "Transparency is the Key." “[W]e’re working to maximally leverage the transparency of the open-source blockchains." And yet there’s no method for a customer to actually check the funds on the blockchain.

"Any client can independently verify that their balance was included in the Proof of Reserves audit by comparing select pieces of data with the Merkle root." How does an independent verification work when the actual Merkle tree data doesn’t appear to be available? Access seems to be limited to an audit page that requires a Captcha and account details only available on a specific page of the Kraken website. Even the other nodes of the Merkle tree are hidden.

Luckily, Armanino makes available source code which you can “Inspect”. It states "this repository is specific to a Merkle Tree Generator and Verifier that ingests a user identified with 4 customer platform account balances". Yet, more than 4 balances are parsed, so at best this is an old version they aren’t using anymore. Kraken similarly offers fancy code in your choice of Python, Rust, Go, or Bash, but all it does is generate your original leaf of the tree, which you can then only take to Armanino.

"The audit details on kraken.com also include an "Account Code", another code unique to your account and this particular audit, which avoids any identifying code from being reused across audits." In addition to trusting Kraken supplied a complete client list and didn’t swap around or borrow assets prior to the “proof”, we also need to trust that Kraken has supplied unique Account Codes. Since nothing identifies the user, any users with the same balance could easily be given the same Account Code.

It’s true that "[t]here are no formally accepted rules of procedures that define a proof of reserves audit" and also true that we can find some definitions of “proof” which merely have to “compel the mind to accept an assertion as true”. So I suppose, technically if anyone is compelled to accept the assertion we could call that a “proof”. But then, so was Mt. Gox also “proven” to be in good standing, since Roger Ver himself “proved” that.

If we trust Armanino fully to have done the procedures as outlined, we can conclude that a select group of assets on the Kraken platform existed on the blockchain at a particular point in time, so as to add up to the client list supplied by Kraken, minus any accounts that may be duplicates. And if we trust Kraken fully, they already assure users that “[w]e keep full reserves so that you can always withdraw immediately on demand.” But then maybe we should also trust a former Kraken employee alleging wrongful dismissal and that Kraken's bank accounts were actually running millions of dollars short of where they should have been. Of course that was back when Kraken operated illegally in the state of New York and was using tactics to legally silence employees.

Recommendations: There are basically two paths to go as far as this “proof” is concerned.

(1) For a third party validation, it should be done by multiple entities on a rotating basis. All customers should be given the information they need to check inclusion without having to announce intent to your platform by visiting a particular section of their account. The hash needs to include enough information to prove uniqueness. A mix of non-sensitive data such as first name, city, part of an email address, partial IP address, and/or time of sign-up could be used. There’s not really any benefit to the Merkle tree in this approach. A simple list of hashes would be easier to understand.

(2) If you want to go with the trustless proof route, publish blockchain wallet addresses and pseudonymous balance information. Allow users to validate for themselves. Hashing a large salt along with any unique customer data can prove uniqueness. Less technical customers would trust one of several third party proof services with their hash, or more technical could run the proof themselves using the publicly available information on open source software.
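As an added example (not code from this page, from Kraken or from Armanino), here is a small Merkle sum tree in Python that shows the mechanics the Kraken paragraphs above and recommendations (1) and (2) are arguing about: an Account Code that is unique per account because it is keyed from the account identity with a fresh per-audit salt rather than derived from the balance, an inclusion proof a customer can check against only the published root without contacting the platform, and a per-asset subtotal carried up the tree so the root also commits to total liabilities. The hash layout, padding rule, salt handling and the sample client list are illustrative assumptions, not any exchange's or auditor's format; the accounts are constructed, not real data. The demo also reproduces the failure mode raised in the Account Code discussion: with balance-only leaves, two accounts holding the same amounts get identical leaves, so the exchange can drop one of them and the dropped customer still receives a proof that verifies, while the committed total quietly shrinks.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

# Added example of a Merkle sum tree for proof of liabilities. Hash layout,
# padding rule and sample accounts are illustrative assumptions (not Kraken's
# or Armanino's format). Balances are integers in the smallest unit (satoshi,
# wei) committed in a fixed asset order, so subtotals never involve floats.
ASSETS = ("BTC", "ETH")
Sums = Tuple[int, ...]
Node = Tuple[bytes, Sums]            # (hash, per-asset subtotal of the subtree)
ProofStep = Tuple[str, bytes, Sums]  # ("L"/"R", sibling hash, sibling subtotal)

def _sha256(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

def _encode(sums: Sums) -> bytes:
    return b"".join(s.to_bytes(16, "big") for s in sums)

def account_code(audit_salt: bytes, account_id: str) -> bytes:
    """Per-audit, per-account code: keyed by a fresh secret salt each audit, so it
    is unique per account (depends on identity, not balance) and unlinkable across
    audits. Two customers with equal balances therefore never share a code."""
    return hmac.new(audit_salt, account_id.encode(), hashlib.sha256).digest()

def leaf(code: bytes, balances: Dict[str, int]) -> Node:
    sums = tuple(balances.get(a, 0) for a in ASSETS)
    if any(s < 0 for s in sums):
        raise ValueError("a negative balance would let the committed total shrink")
    return (_sha256(b"leaf", code, _encode(sums)), sums)

def _parent(left: Node, right: Node) -> Node:
    # The parent hash binds both children's hashes AND subtotals, so the root
    # commits to the sum of every leaf that was included.
    sums = tuple(a + b for a, b in zip(left[1], right[1]))
    return (_sha256(b"node", left[0], _encode(left[1]), right[0], _encode(right[1])), sums)

def build_tree(leaves: List[Node]) -> List[List[Node]]:
    """All levels, leaves first; an odd level is padded with a zero-balance leaf."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2:
            cur.append((_sha256(b"pad"), tuple(0 for _ in ASSETS)))
        levels.append([_parent(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels

def root(levels: List[List[Node]]) -> Node:
    return levels[-1][0]

def inclusion_proof(levels: List[List[Node]], index: int) -> List[ProofStep]:
    """Sibling path from one leaf to the root: all a customer needs to be handed."""
    proof = []
    for level in levels[:-1]:
        sib = index ^ 1
        proof.append(("L" if sib < index else "R", level[sib][0], level[sib][1]))
        index //= 2
    return proof

def verify(my_leaf: Node, proof: List[ProofStep], published_root: Node) -> bool:
    """Customer side: recompute the path offline and compare with the published root."""
    node = my_leaf
    for side, sib_hash, sib_sums in proof:
        if any(s < 0 for s in sib_sums):
            return False  # a negative sibling subtotal could cancel out liabilities
        sibling = (sib_hash, sib_sums)
        node = _parent(sibling, node) if side == "L" else _parent(node, sibling)
    return node == published_root

def demo() -> Dict[str, object]:
    # Constructed sample client list (not real data); acct-1002 and acct-1003
    # deliberately hold identical balances.
    clients = {
        "acct-1001": {"BTC": 150_000_000, "ETH": 2 * 10**18},
        "acct-1002": {"BTC": 50_000_000},
        "acct-1003": {"BTC": 50_000_000},
        "acct-1004": {"ETH": 5 * 10**17},
        "acct-1005": {"BTC": 1},
    }
    ids = sorted(clients)
    salt = secrets.token_bytes(32)  # fresh per audit, held by exchange/auditor
    # Proper tree: unique per-account codes, so every leaf is distinct.
    leaves = [leaf(account_code(salt, i), clients[i]) for i in ids]
    levels = build_tree(leaves)
    idx = ids.index("acct-1003")
    honest_ok = verify(leaves[idx], inclusion_proof(levels, idx), root(levels))
    # Naive tree: leaves carry only the balance. The exchange omits acct-1003,
    # yet acct-1002's path still "proves" acct-1003 was included.
    naive = {i: leaf(b"", clients[i]) for i in ids}
    kept = [i for i in ids if i != "acct-1003"]
    dropped = build_tree([naive[i] for i in kept])
    j = kept.index("acct-1002")
    forged_ok = verify(naive["acct-1003"], inclusion_proof(dropped, j), root(dropped))
    return {
        "honest_proof_verifies": honest_ok,
        "total_btc_sats": root(levels)[1][0],
        "total_eth_wei": root(levels)[1][1],
        "naive_leaves_collide": naive["acct-1002"][0] == naive["acct-1003"][0],
        "dropped_customer_still_verifies": forged_ok,
        "btc_hidden_by_drop": root(levels)[1][0] - root(dropped)[1][0],
    }

if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the honest proof verifying with the root committing to the full 2.50000001 BTC of sample liabilities, and the naive variant verifying just as happily for the dropped customer while the committed BTC total is 0.5 BTC short. The negative-subtotal check in `verify` matters for the same reason: a sibling carrying a negative balance would let a dishonest tree net out liabilities while every individual customer's path still passes.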



Full Proof of Reserves


A key idea behind proof of reserves is allowing customers to prove that their funds are backed through a proof which can be run independently of the platform. Customers check their inclusion without necessarily having to notify the platform of their decision to do so, which could easily be abused by a platform to exclude inactive or less diligent customers.

We hope to be able to put a Canadian exchange in this category in the future.



Summary Conclusions


Canadians are far too polite to be trusted as custodians. Regulators and exchanges have made sure to protect us by giving all our exchange assets to Americans, protected by words. They have also helped to shield us from worry by keeping audits secret. They've even shielded us from the awful stress of knowing millions of dollars of funds went missing. Platforms continue to move forward with the next logical evolution after zero-knowledge snarks - proof-less proofs. Logos, paperwork, and vague insurance promises. Why prove something when you can merely say you did and get the same outcome?

Please feel free to leave any feedback below or drop by our Thursday meetup if these topics interest you! You can also check out case study research if you don't like losing your money to scammers.

Any feedback, please send us an email or join the discussion!

 For questions or enquiries, email info@quadrigainitiative.com.


© 2019 - 2025 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.