
Posted February 27, 2025 at 7:19 pm EST.
After North Korean hackers stole 400,000 ether from the crypto exchange Bybit on Friday, CEO Ben Zhou and the rest of his team quickly moved to reassure clients that their money was safe and the exchange was solvent.
In a Twitter Spaces held on February 22nd, one day after the attack, Zhou said that his chief financial officer told him, “Yes, we have enough treasury to cover this [the loss].” Zhou went on to say in the interview that he was “not sure how much of our “how much liquidity [was] in which tokens” and “if we have enough ethereum” to process the coming wave of withdrawals.
However, the actual story is a bit more complicated. It appears that the company could have been left with a $385 million hole in its exchange wallets before remedying it with loans from industry partners. While it is commendable that Bybit was able to temporarily plug the gap so quickly, this initial shortage reveals why current industry standards for transparency, particularly Proofs of Reserves, are lacking for crypto exchange customers.
(Insufficient) Proofs of Reserves
The collapse of FTX in 2022 was a wakeup call for the entire crypto industry. It showed millions of crypto traders around the world that they could not trust what their computer and phone screens were showing them. The displayed balances turned out to be an illusion when news broke that Sam Bankman-Fried raided billions of dollars in customer funds for his own purposes.
The best way to solve this problem is through an audit, a comprehensive process managed by an accounting firm that looks at monetary inflows and outflows over time and also considers any liabilities or liens that a company may have that would reduce recoverable assets by customers. Such an audit is particularly important in the world of crypto since there is no such thing as FDIC insurance, which guarantees U.S. bank deposits up to $250,000 per account.
Because of crypto’s risky reputation, it has been difficult for many firms to get audits, and those that do hardly ever make them public. This means that customers have little choice but to rely on an alternative way for an exchange to demonstrate solvency, a Proof of Reserves (PoR).
These reports, which are offered by virtually every major exchange on their websites, aim to do two things.
- Show crypto balances at a certain moment in time at a particular exchange for each of the tokens offered for trading
- Offer a way, through a cryptographic mechanism called Merkle trees, for customers to see that their particular balances are included in the totals displayed on the website
PoRs are a great advancement, but they are insufficient. In a 2022 interview with Forbes, Kraken founder Jesse Powell highlighted the differences between an audit and a PoR. “You don’t know if we just borrowed 100,000 bitcoin from some one of our investors or something to do this snapshot. And then, you know, we sent it back five minutes later.”
Additionally, for a company like Bybit, which only updates its regular PoR once a month, it puts more onus on the customer to trust that funds in the report will stay there. The goal should be more regular readouts, perhaps in real time. “If you do this [release attestations] more frequently, those kinds of things are less likely to happen and more likely to be spotted,” said Powell. “Say for instance you see 100,000 coins moving, you know, on the 30th of every month on chain.”
A Bybit spokesperson told Unchained that the exchange is audited, but did not reveal the name of the auditor or share any additional details.
Bybit’s Last PoR Before the Hack
Coincidentally, Bybit published a PoR on February 20th, one day before the hack. According to the data, which is presented in the table below, the company had approximately $17.47 billion worth of assets on the platform at that time. Of that total, $16.3 billion were liabilities in the form of customer deposits. This leaves a surplus of $1.15 billion in assets spread across everything from stablecoins to bitcoin, ether, and more esoteric tokens like Decentraland’s MANA—unless the company has additional reserves not included in its proof of reserves.
But, when North Korea’s Lazarus Group took $1.5 billion worth of ether on February 21st, it left a $385 million total hole in the company’s posted PoR.
In the ensuing days, Bybit worked diligently with partners like crypto exchanges MEXC and Bitget, as well as the prime broker Antalpha, to get the PoR recapitalized. In an announcement this morning, the company said that it has restored “77% of its Assets Under Management (AUM) to pre-incident levels” and its ether collateralization level is back up to 102%.
This rapid action has calmed the markets, but it does not indicate whether any of the ether received by Bybit post-hack is encumbered in any way, or what conditions Bybit agreed to for the funds. The answer cannot be found in a PoR.
How an Audit Completes the Picture
For a publicly traded exchange like Coinbase, anyone can quickly look at its audited balance sheet to see its full financial picture. The company’s balance sheet from Q4 2024, which was released on February 13, 2025, shows that the firm has $1.5 billion in assets held for investment under assets, meaning that they are separate from any customer liabilities. Interestingly, this number is only $385 million more than Bybit’s pre-attack surplus.
But the more important part of the balance sheet is the company’s $10.28 billion in stockholder equity. This can be thought of as excess capital that can be deployed for general business purposes or as an emergency fund. There are two main components of stockholder equity: retained earnings of $4.96 billion, meaning profits that have not been taken out of the company by shareholders, and $5.4 billion of additional paid-in capital, which means money paid by investors above the stock’s par value of $0.00001 over various sales directly from the company. Specific timelines for the sales can be seen in the below balance sheet.
For a private company like Bybit, knowing its retained earnings would be particularly helpful, regardless of whether it is in the form of crypto, stablecoins, or fiat. But that information is not publicly available.
How Bybit Can Make Up the Difference
Bybit is the world’s second largest crypto exchange by trading volume, and although the company did not provide any additional details about its financial standing, industry insiders believe that there are multiple ways for the company to plug the gap. One business partner said on the condition of anonymity that the company likely had retained earnings not counted in the PoR but could not elaborate.
The CEO of a rival exchange, who also agreed to speak on the condition of anonymity, said that the company could make up the deficit in a few months and the entire loss in a couple of years. However, he also cautioned that a lot goes into the costs of operating an exchange. “My baseline guess for a good exchange business would be a 50% profitability rate,” he said, adding that bloated marketing and regulatory compliance budgets can quickly cause expense ratios to sky-rocket. Assuming that the $1.5 billion hack could account for a year’s worth of revenue for Bybit, “then it would take at least two years for the exchange to make up the money that was lost.” That said, the price of ether has already fallen from $2,800 to $2,300 since the attack, so that could lessen the amount of time that it takes to make up the difference, assuming that there is not an offsetting decline in trading volume.
Another way to plug the gap would be recovering the stolen funds. Many groups have offered to freeze assets if or when it becomes possible. The company has launched a bounty program worth up to $140 million for assistance in freezing and recovering the funds. So far the company has paid out $4.23 million, with the largest bounty going to Mantle, which froze 15,000 mETH ($34 million).
So there are plenty of ways for Bybit to recover. But as crypto enters a new age of legitimacy in 2025 it is important to keep pushing on the transparency element as well.