Author: Steven Ehrlich Source: unchainedcrypto Translation: Shan Oppa, Golden Finance

FTX The lesson that the collapse of FTX gives us is that the words of cryptocurrency giants can never be based on belief alone. So when Bybit executives launched a coordinated PR campaign to assure the outside world that everything was normal and that they had enough financial reserves to make up for the losses, I decided to investigate. The exchange's reserve certificate released on February 20 (the day before the hack) helped me with the analysis. It shows a surplus – which means total funds exceed $1.15 billion in customer deposits. So once $1.5 billion of Ethereum is stolen, the company may have a $385 million asset vulnerability.

How Bybit responds to and ensures the security of customer funds

The Ethereum gap has been filled through a series of loans, but the overall financial situation of Bybit remains unclear due to the lack of knowledge of the loan terms. Important lessons can be learned from this incident and make the industry more transparent in the future.

After North Korean hackers stole 400,000 Ethereum from cryptocurrency exchange Bybit on Friday, CEO Ben Zhou and his team took quick action to assure customers that their funds are safe and that the exchange is still solvency.

At Twitter Spaces on February 22 (one day after the attack), Zhou Xiaoping said his CFO told him, "Yes, we have enough funds to cover this loss." Zhou Xiaoping continued in the interview that he was "not sure how many tokens are in our liquidity" and "whether we have enough Ethereum" to handle the upcoming withdrawal wave.

However, the actual situation is more complicated. It looks like the company's exchange wallet may have already seen a $385 million gap before it gets loans from industry partners to make up. While Bybit is commendable for being able to temporarily fill this gap so quickly, the initial shortage reveals why current industry transparency standards, especially proof of reserves, are inadequate for cryptocurrency exchange customers.

(Insufficient) Reserve Proof

The 2022 FTX collapse sounded a wake-up call for the entire cryptocurrency industry. It made millions of cryptocurrency traders around the world realize that they can'tTrust the content displayed on the screens of your computer and mobile phones. When the news broke that Sam Bankman-Fried misappropriated billions of dollars in customer funds, the balance originally displayed turned out to be an illusory number.

The best way to solve this problem is through audit, a comprehensive process managed by an accounting firm, which looks at inflows and outflows and takes into account any liabilities or lien that the company may have, which reduce the assets that customers can recover. This kind of audit is particularly important for the cryptocurrency industry because there is no insurance coverage similar to that provided by the Federal Deposit Insurance Corporation (FDIC), which guarantees deposits up to $250,000 per account for Bank of America.

Because of the high-risk reputation of cryptocurrencies, many companies have difficulty in conducting audits, and those that conduct audits hardly disclose audit reports. This means that customers can only rely on other ways to make the exchange prove its solvency, namely the "Proof of Reserves" (PoR).

Nearly every major exchange is available on its website, with the aim of two things:

1. Displays the cryptocurrency balance of an exchange at a certain moment, covering all tradable tokens.

2. Through an encryption mechanism called the Merkle tree, let customers see that their specific balance is included in the total balance displayed on the website.

Stores proved to be a great progress, but still not sufficient. In an interview with Forbes in 2022, Kraken founder Jesse Powell emphasized the difference between audit and reserve certificates. "You can't know if we just borrowed 100,000 bitcoins from an investor to take this snapshot. Then, you know, we returned it back five minutes later."

In addition, for companies like Bybit, regular proof of reserve updates are only once a month, which makes customers need to rely more on the trust that the funds will remain there for a long time. "If you publish (verification reports) more often, these things will be less likely to happen and are more likely to be discovered in time," Powell said. "For example, on the 30th of a month you see 100,000 coins moving on the chain."

A Bybit spokesperson told Unchained, the exchange has undergone audit, but has not disclosed the name of the audit company or provided other details.

The last proof of reserves before the Bybit hacker

Coincidentally, Bybit released the proof of reserves on February 20 (the day before the hacker incident). According to the data in the table below, the total assets on the company's platform at that time were approximately US$17.47 billion. Of this total, approximately US$16.3 billion is liability for client deposits. This means the remaining assets are $1.15 billion, covering stablecoins, Bitcoin, Ethereum and some of the more unpopular tokens, such as Decentraland's MANA - unless the company also has other additional reserves not included in the proof of reserves. However, when North Korea's Lazarus Group stole $1.5 billion worth of Ethereum on February 21, Bybit's reserve certificate left a $385 million vacancy.

In the next few days, Bybit worked closely with partners such as cryptocurrency exchanges MEXC and Bitget, as well as major broker Antalpha, in an effort to recapitalize Proof of Reserves (PoR).

In a statement this morning, the company said it had restored "77% of asset management scale (AUM) to its pre-event level" and its Ethereum collateral rate has returned to 102%.

This rapid action stabilized the market, but did not indicate whether the Ethereum received by Bybit after the hacker attack was any burden or what the conditions agreed by Bybit for these funds. This answer is not found in the reserve proof.

How audits complement the full blueprint

For listed exchanges like Coinbase, anyone can quickly view their audited balance sheet to see their full financial position. The fourth quarter of 2024 financial statements were released on February 13, 2025, and data showed that the company held $1.5 billion in investment assets, meaning they are separate from any customer liabilities. Interestingly, this number is only $385 million more than Bybit's surplus before the attack. But the more important part is the company's $10.28 billion shareholder equity. This can be considered as excess capital that can be used in general business or as an emergency fund. Shareholder's equityThe two main components are: a retained surplus of $4.96 billion, meaning profits not yet withdrawn by shareholders, and an additional paid-in capital of $5.4 billion, meaning investors pay more than $0.00001 in the face value of the stock, obtained directly from the company's sales. The specific sales schedule can be seen in the balance sheet below.

For private companies like Bybit, it will be especially helpful to know that their retained surplus is present, whether it exists in cryptocurrency, stablecoin or fiat currency. But this information is not disclosed.

How Bybit bridges the gap

Bybit is the world's second largest cryptocurrency exchange, and although the company does not provide any additional details about its financial situation, industry insiders believe that the company has multiple ways to bridge the gap. A business partner who asked not to be named said the company may have a retention surplus that was not included in the reserve certificate, but he failed to elaborate further.

A CEO of a competitor exchange also agreed to speak anonymously, saying the company could make up for the gap within months and make up for the entire loss within a few years. However, he also reminded that the cost of operating an exchange is quite high. “My basic guess for a good exchange business is a 50% profit rate,” he said, adding that over-inflated marketing and regulatory compliance budgets could quickly lead to a surge in expense ratios. Assuming a $15 billion hacker theft is equivalent to Bybit’s revenue for a year, “then it will take at least two years for the exchange to make up for the lost funds.” He said, however, Ethereum’s price has dropped from $2,800 to $2,300 since the attack, so assuming that trading volumes have not dropped accordingly, this may reduce the time it takes to bridge the gap.

Another way to make up for the gap is to recover stolen funds. Many organizations have said they are willing to freeze assets and help recover funds if possible. The company missed a reward program worth up to $140 million to help freeze and recover funds. Currently, the company has paid $4.23 million, with the biggest reward being paid to Mantle, which has frozen 15,000 mETH (worth $34 million).

So, Bybit has many ways to recover funds. But as cryptocurrencies enter a new era of legalization in 2025, it remains crucial to drive transparency.