The Critical Limitations of Proof-of-Reserves for Cryptocurrency Exchange Security

The Critical Limitations of Proof-of-Reserves for Cryptocurrency Exchange Security

While proof-of-reserves demonstrates asset holdings at a specific moment, it fails to establish solvency, available liquidity, or effective governance structures. Discover the gaps in PoR methodology and the components of genuine trustworthiness.

What is proof-of-reserves?

Fundamentally, proof-of-reserves represents a publicly verifiable demonstration that a custodial entity possesses the digital assets it purports to hold for its users, generally utilizing cryptographic techniques and blockchain-based transparency.

When crypto platforms have the capability to release a proof-of-reserves (PoR) attestation, what explains the persistence of withdrawal delays or freezes when market conditions deteriorate?

The reality is that proof-of-reserves should not be interpreted as an absolute trust mechanism. It provides evidence that confirmable assets are present within a platform during one specific moment in time, yet it fails to validate whether that platform maintains solvency, possesses adequate liquidity, or operates under governance structures that mitigate concealed vulnerabilities.

However, even under optimal implementation conditions, PoR frequently represents merely a temporal snapshot that fails to capture what transpired immediately before or following the attestation timestamp.

In the absence of a trustworthy accounting of liabilities, PoR falls short of demonstrating solvency, which represents what customers genuinely require when facing withdrawal pressure scenarios.

Did you know? On Dec. 31, 2025, Binance's CEO wrote that the platform's user asset balances publicly verified through proof-of-reserves had reached $162.8 billion.

What PoR proves and how it is usually done

When implemented, PoR encompasses two verification components: the asset verification and, optimally, the liability accounting.

From the asset perspective, a cryptocurrency exchange demonstrates control over specific blockchain wallets, typically through publishing wallet addresses or executing cryptographic message signatures.

The liability component presents greater complexity. The majority of exchanges capture a timestamp-specific snapshot of customer account balances and encode this information into a Merkle tree structure, frequently utilizing a Merkle-sum tree variant. Individual users can subsequently validate that their personal balance appears within the dataset through an inclusion proof mechanism, all while preventing public disclosure of other users' financial information.

Under proper execution conditions, PoR establishes whether blockchain-recorded assets provide adequate coverage for customer balance obligations at that particular timestamp.

Did you know? Binance lets each user independently verify their inclusion in its PoR snapshot. Through its verification page, Binance generates a cryptographic proof based on a Merkle tree of user balances, allowing users to confirm that their account was counted without revealing anyone else's data or balances.

How an exchange can "pass PoR" and still be risky

PoR can improve transparency, but it shouldn't be relied on as the sole measure of a company's financial health.

Naturally, an attestation focused exclusively on assets while omitting comprehensive liabilities cannot establish true solvency. Even when blockchain wallet holdings appear robust, liability accounting may remain incomplete or strategically selective, overlooking elements including outstanding loans, derivatives market exposure, pending legal obligations, or off-blockchain accounts payable. This scenario can validate that funds exist while failing to prove the organization possesses capacity to satisfy its complete obligation portfolio.

Furthermore, a singular attestation provides no insight into the balance sheet composition from the previous week or its status immediately following report publication. Theoretically, assets could be temporarily acquired through short-term borrowing to enhance the snapshot appearance, then subsequently transferred elsewhere once reporting concludes.

Additionally, asset encumbrances typically remain invisible. PoR methodology generally cannot disclose whether holdings are committed as collateral security, deployed in lending operations, or otherwise restricted, indicating they may prove unavailable when withdrawal demand intensifies.

Liquidity considerations and valuation assessments can similarly prove deceptive. Asset possession differs fundamentally from the ability to convert those assets rapidly and at substantial scale during stress periods, particularly when reserves concentrate in tokens with limited trading volume. PoR does not confront this challenge; more transparent risk disclosure and liquidity reporting frameworks might.

PoR isn't the same as an audit

A lot of the trust problem comes from a mismatch in expectations.

Numerous users interpret PoR as equivalent to a safety certification. In actuality, the majority of PoR engagements function more like agreed-upon procedures (AUPs). Under these arrangements, the examining practitioner executes designated verification procedures and documents findings without delivering an audit-style professional opinion regarding the organization's comprehensive financial condition.

An audit engagement or even a review engagement is structured to produce an assurance conclusion operating within an established professional framework. AUP reporting operates with narrower boundaries. It documents which procedures were executed and observations made, subsequently delegating interpretation responsibility to report readers. According to International Standard on Related Services (ISRS) 4400, an AUP engagement is not an assurance engagement and does not express an opinion.

Regulatory authorities have identified this disconnect. The Public Company Accounting Oversight Board has warned that PoR reports are inherently limited and should not be treated as proof that an exchange has sufficient assets to meet its liabilities, especially given the lack of consistency in how PoR work is performed and described.

This explains why PoR attracted heightened regulatory examination following 2022. Mazars paused work for crypto clients, citing concerns about how PoR-style reports were being presented and how the public might interpret them.

What's a practical trust stack, then?

PoR can be a starting point, but real trust comes from pairing transparency with proof of solvency, strong governance and clear operational controls.

Begin with establishing solvency. The genuine advancement involves demonstrating assets measured against a comprehensive accounting of liabilities, validating that assets meet or exceed total liability obligations. Merkle-based liability verification protocols, combined with emerging zero-knowledge computational approaches, work toward bridging this verification gap without compromising individual balance privacy.

Subsequently, incorporate assurance mechanisms surrounding the exchange's operational execution. A balance snapshot fails to reveal whether the platform maintains disciplined operational controls such as key management, access permissions, change management, incident response, segregation of duties and custody workflows. This is why institutional due diligence often relies on System and Organization Controls (SOC)-style reporting and similar frameworks that measure controls over time, not just a balance at a single moment.

Establish transparency regarding liquidity and encumbrance status. Theoretical solvency on financial statements provides no guarantee that an exchange possesses capacity to withstand a customer withdrawal rush. Users require clarity concerning whether reserve holdings remain unencumbered and the velocity at which asset positions can convert into liquid instruments at meaningful scale.

Ground everything in governance structures and disclosure practices. Legitimate oversight depends on clear custody frameworks, conflict management and consistent disclosures, especially for products that introduce additional obligations such as yield, margin and lending.

PoR helps, but it can't replace accountability

PoR is better than nothing, but it remains a narrow, point-in-time check (even though it's often marketed like a safety certificate).

Independently considered, PoR cannot establish solvency, liquidity adequacy, or control environment quality. Therefore, before interpreting a PoR certification badge as representing "safety," evaluate the following considerations:

1. Are liabilities included, or is it assets only? Assets-only reporting cannot demonstrate solvency.

2. What is in scope? Are margin, yield products, loans or offchain obligations excluded?

3. Is it reporting a snapshot or ongoing? A single date can be dressed up. Consistency matters.

4. Are reserves unencumbered? "Held" is not the same as "available during stress."

5. What kind of engagement is it? Many PoR reports are limited in scope and should not be read like an audit opinion.