Today, Ethena Labs launches a Proof of Reserves (PoR) system for USDe, Ethena’s synthetic dollar, to cryptographically prove its backing - transparently reserved, governance-approved, and USD-delta-neutral.
Built on AWS Nitro Enclaves, it pulls data from custodians, exchanges, and the blockchain, processes it in a tamper-proof environment, and generates signed proofs. Independent attestors - geographically diverse audit firms - verify these weekly outputs, ensuring transparency without relying on Ethena’s word. It’s engineered to scale securely, adapt to new dependencies, and build trust across users, partners, and the broader ecosystem.
USDe is Ethena’s synthetic dollar - a crypto-native alternative to stablecoins, built on Ethereum and backed by a mix of Bitcoin, Ethereum, and Solana, hedged with futures contracts, plus stablecoins like USDT, USDC, and USDtb for on-demand liquidity and risk management.
Our goal with the Proof of Reserves (PoR) system is to prove that USDe reserves are held by the protocol, restricted to approved assets, and delta hedged. Rolled out publicly in April 2025, it gathers data from over a dozen sources - custodians like Copper, exchanges like Binance, and blockchain records - processes it in an AWS Nitro Enclave, and produces a proof that attestors validate weekly. Compared to the monthly custodian reports we have published since April 2024, this offers more frequency, independent verification, and a design that’s secure, extensible, and trustworthy by default.
At a high level, it works like this: the enclave - a sealed, hardware-isolated box - ingests data from our partners, runs logic to check the reserves, and spits out a signed, verifiable report. Proof of Reserve Attestors can join easily, validate & accept proofs fast, and the whole thing scales without breaking security or integrity.
This system tackles a big challenge: securely compiling data from a number of sources to prove USDe’s backing, without compromising on security. Here’s the breakdown:
We pull asset balances and derivatives positions directly from custodians (Copper, Ceffu), exchanges (Binance, Bybit, OKX, Deribit, Bitget), and the blockchain (Ethereum), totaling over a dozen unique feeds. Pyth price feeds are used to value the spot backing assets of USDe. Each source brings its own quirks - rate limits, shifting APIs, downtime risks - making this a dependency jungle that demands robust engineering. The API credentials used are linked to the accounts holding the backing assets of USDe. The integrity of the accounts has been independently verified with each Proof of Reserve Attestor and the integrity of each API credential is validated with each proof.
The data flows into an AWS Nitro Enclave - a hardware-isolated environment no one, not even AWS, can tamper with. A proxy on an EC2 instance handles API calls and relays responses into the enclave over a secure channel. Inside, our application:
Calculates the USD value of backing assets using real-time price feeds.
Compares that total to USDe’s circulating supply.
Verifies only governance-approved assets (e.g., BTC, ETH) are included.
Confirms the neutral USD delta of the backing assets.
Running this in an enclave keeps it secure and extensible - new custodians, exchanges, or assets can be added without risking integrity or raising the bar for attestors to join. It’s a balance of flexibility and lockdown.
Our Proof of Reserve Attestors - independent traditional & crypto audit firms - get the source code, verifying that it is robust and produces tamper-proof results. Each proof carries a cryptographic fingerprint from the enclave, letting them verify it matches the code they’ve reviewed, no tweaks allowed. This happens without us exposing sensitive API keys or system access, ensuring provable results don’t compromise security.
The enclave outputs a JSON report, signed and attested for trust. Here’s a simplified version:
{
  "por_answers": {
    "backing_assets_usd_value": 5000000000,
    "exceeds_usde_supply": true,
    "approved_assets_only": true,
    "delta_neutral": true
  },
  "request_metadata": [
    {"cert_fingerprint": "ace74c8fd2f...", "hostname": "api.binance.com", "ts": "2025-03-30T21:47:12Z", ...}
  ],
  "timestamp": "2025-03-30T21:47:59Z",
  "signature": "base64_kms_signature",
  "attestation": "base64_attestation_doc"
}
por_answers: The core findings.
request_metadata: Proof the data is from legitimate sources (e.g., Binance’s servers).
signature: Locks it all in (a KMS operation signing por_answers and request_metadata).
attestation: Proves the code that generated the file was the same code that has been reviewed and that it ran on AWS’ Nitro enclave (the Nitro attestation doc, see AWS docs).
Attestors check four cryptographic markers to trust the proof:
The signature confirms the PoR results and metadata haven’t been tampered with since they were generated.
The attestation both ties the results to the reviewed code and proves it was generated on the enclave.
A binding links the two.
Metadata validates the sources.
Updates, like adding a new exchange or fixing an API shift, are transparent to the Proof of Reserve Attestors, who have access to the codebase. The PoR system ties every proof to a specific version of the code through the attestation document’s cryptographic fingerprint (the PCR0 value), which the attestors can independently verify. This design lets us move fast - rolling out changes as needed - while keeping every proof’s integrity intact and traceable, even after the fact.
For the curious, here’s how the proof is built and why it’s airtight. The enclave assembles a JSON payload with reserve results (por_answers) and source details (request_metadata) - data fetched from custodians, exchanges, and blockchains. The enclave itself initiates these requests using end-to-end SSL encryption, verifying each partner’s server certificate inline during the connection to block spoofing or tampering. It sends these requests over a vsock channel to a secure proxy outside, which handles the external communication, and only accepts responses if the SSL handshake confirms the server’s authenticity. Metadata, like certificate fingerprints and timestamps, gets logged for every call, giving attestors a clear audit trail.
The enclave then signs this payload with AWS Key Management Service (KMS). It hashes the results and metadata with SHA-256, signs that hash with an ECDSA signature, and encodes it in base64 - a seal no one can break without the private key. Next, the Nitro Security Module (NSM) generates an attestation document, embedding this signature in its user_data field along with a hash of the running code (PCR0). This creates a transitive chain: the signature locks the por_answers and request_metadata, and the attestation ties it all to the exact code version auditors have, linking everything in one verifiable swoop.
Attestors check this with three steps. First, they use the KMS public key to verify the ECDSA signature, ensuring the data’s untouched. Second, they validate the attestation—matching the PCR0 hash to one they compute from the codebase (a deterministic build keeps it consistent) and confirming the certificate chain to AWS’s root CA, proving it’s from a legit Nitro Enclave. Third, they check that the user_data field holds the correct signature, tying it to the enclave’s run and, transitively, the full payload.
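The code-identity, binding and source-metadata checks from the steps above, sketched in Python as an added example (not Ethena's or the attestors' code). It assumes the attestation document's COSE signature and certificate chain, and the KMS ECDSA signature, have already been verified with a suitable library, that user_data holds the raw (base64-decoded) signature bytes, and that the attestor keeps a per-host list of accepted certificate fingerprints; the function names, the `att` shape and the 10-minute freshness window are hypothetical.

```python
import base64
import hmac
from datetime import datetime, timedelta

def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def check_proof(report, att, expected_pcr0, pinned, max_age=timedelta(minutes=10)):
    """Return a list of failures (empty = pass).
    att: attestation fields after COSE/chain verification (assumed shape).
    pinned: hostname -> set of accepted certificate fingerprints (assumed)."""
    failures = []
    # Code identity: PCR0 must equal the value rebuilt from the reviewed source.
    if not hmac.compare_digest(att["pcr0"].lower(), expected_pcr0.lower()):
        failures.append("pcr0 mismatch")
    # Binding: user_data must carry exactly the signature shipped in the report.
    sig = base64.b64decode(report["signature"], validate=True)
    if not hmac.compare_digest(att["user_data"], sig):
        failures.append("user_data != report signature")
    # Sources: every call hit a pinned certificate shortly before issuance.
    issued, seen = _ts(report["timestamp"]), set()
    for m in report["request_metadata"]:
        host = m["hostname"]
        seen.add(host)
        if m["cert_fingerprint"] not in pinned.get(host, set()):
            failures.append(f"unpinned certificate: {host}")
        age = issued - _ts(m["ts"])
        if age < timedelta(0) or age > max_age:
            failures.append(f"stale or future request: {host}")
    failures += [f"missing source: {h}" for h in sorted(set(pinned) - seen)]
    # Answers: a validly signed report can still report a shortfall.
    failures += [f"{k} is not true" for k, v in report["por_answers"].items()
                 if isinstance(v, bool) and not v]
    return failures

def sample():
    """Constructed inputs; none of these values come from a real proof."""
    sig = b"constructed-signature-bytes"
    report = {
        "por_answers": {"backing_assets_usd_value": 5000000000, "delta_neutral": True,
                        "exceeds_usde_supply": True, "approved_assets_only": True},
        "request_metadata": [{"cert_fingerprint": "aa" * 32,
                              "hostname": "api.binance.com",
                              "ts": "2025-03-30T21:47:12Z"}],
        "timestamp": "2025-03-30T21:47:59Z",
        "signature": base64.b64encode(sig).decode(),
    }
    att = {"pcr0": "00" * 48, "user_data": sig}
    return report, att, "00" * 48, {"api.binance.com": {"aa" * 32}}
```

Without the binding check, a genuine attestation document from the reviewed enclave image could be paired with a signed report it never produced, so the user_data comparison is what makes the chain transitive.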
This system is more than a technical solution - it’s a foundation for trust, carefully engineered. Here’s why it stands out:
Cryptography lets third party attestors verify USDe’s backing themselves, no blind trust required. Compared to our monthly reports, it’s more frequent, involves more independent parties, and delivers greater confidence.
The enclave’s isolation ensures no one can tamper with the process. It scales to handle new data sources while protecting sensitive information - ours and our partners’ - from exposure.
Managing over a dozen dependencies is complex, but the system adapts smoothly to new custodians, exchanges, backing assets, or API changes. Attestor oversight combined with cryptographic proofs keeps it reliable and swift, avoiding delays.
Proofs are permanent and verifiable, letting new attestors join and review past results anytime. The design welcomes more participants without adding friction, broadening oversight.
What we state publicly - about custody, control, and management - matches what this system proves, down to the dollar. It’s transparency you can rely on.
Our PoR system backs USDe with hard, verifiable truth - secure, scalable, and transparent enough to match its DeFi ambitions. Weekly proofs starting in April 2025, with more frequent proofs possible in the future, enable rapid adaptation to new governance-approved exchange partners or backing assets as required without operational delay.
It’s a showcase of confidential computing systems design meeting real-world needs.