Proof of Assets specification and Javascript implementation.
Proof of Assets (PoA) is a scheme designed to let entitites (operators) prove that they control a given amount of Bitcoin or other blockchain based cryptocurrency.
The Proof of Assets scheme can be used as part of the broader Proof of Solvency scheme.
Table of Contents
WORK IN PROGRESS:
Beer fund: 1ECyyu39RtDNAuk3HRCRWwD4syBF2ZGzdx
npm install -g aproof
Generate asset proof
$ aproof signall -h "localhost" -p 8332 --user "rpcuser" --pass "rpcpass" "MtGox.com BTC assets" > btc-asset-proof.out.json
Verify signatures
$ aproof verifysignatures btc-asset-proof.out.json
Verify signatures and show total balance of all addresses
$ aproof balance -h "localhost" -p 8332 --user "rpcuser" --pass "rpcpass" btc-asset-proof.out.json
Browser build:
$ browserify ./lib/index.js --standalone aproof > build/aproof.js
WORK IN PROGRESS...
The assets proof is done by signing a message with all the private keys of a Bitcoin wallet or alternatively, with the private master key of an HD wallet and published alongside its chain code.
The message to sign is blockhash + '|' + message. Where + represents
concatenation.
blockhash represents the latest block hash (with at least 6
confirmations) of the currency's blockchain.
This block hash can be used by verifiers to determine how long ago the PoA was produced. A PoA that was produced a long time ago could indicate that an operator lost the keys of its cold wallet for example.
Verifiers should issue warnings if a PoA is more than X (to be determined) days old or if the blockhash was omitted.
message is an arbitrary message (Proof of Solvency requires it to be
the domain for which the proof is valid).
{
"blockhash": "",
"message": "",
"currency": "BTC",
"signatures": [
{ "signature": "" },
{ "signature": "", "chain": "" }
]
}
See https://github.com/etotheipi/BitcoinArmory/pull/184/files
./extras/asset-proof.py your.wallet "EmptyGox Btc Assets" emptygox-btc-assets.json
See olalonde/proof-of-solvency.
TODO... (you could convince someone else to signmessage for you?) There could be an online wallet which allows you to signmessage without revealing the private key, etc. etc. Might be interesting to explore the "make transaction"/"far future lock time" solution. Maybe combine multiple solutions together?
FAQs
Proof of Assets (PoL) library and CLI
The npm package aproof receives a total of 1 weekly downloads. As such, aproof popularity was classified as not popular.
We found that aproof demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
PEP 770 proposes adding SBOM support to Python packages to improve transparency and catch hidden non-Python dependencies that security tools often miss.
Security News
Socket CEO Feross Aboukhadijeh discusses open source security challenges, including zero-day attacks and supply chain risks, on the Cyber Security Council podcast.
Security News
Research
Socket researchers uncover how threat actors weaponize Out-of-Band Application Security Testing (OAST) techniques across the npm, PyPI, and RubyGems ecosystems to exfiltrate sensitive data.