Proof of Reserves Is Broken — Here’s How to Read One Correctly
Published by Coinvestopedia | Institutional Crypto Research & Data coinvestopedia.com
FTX published proof of reserves. Voyager published proof of reserves. Celsius published proof of reserves.
All three collapsed. All three had customer funds missing.
The problem isn’t that proof of reserves (PoR) is a bad idea — it’s that the term has been diluted to the point where a passing PoR audit and a fraudulent one are nearly indistinguishable to a retail depositor. This guide explains what a real PoR proves, what it cannot prove, and the specific red flags that separate credible attestations from marketing theater.
What Proof of Reserves Actually Proves
A PoR audit has one narrow claim: at the time of the snapshot, the exchange held on-chain assets equal to or greater than its recorded liabilities.
Nothing more.
It does not prove:
- That liabilities are accurately recorded
- That assets haven’t been pledged as collateral elsewhere
- That the snapshot reflects normal operating conditions
- That the situation hasn’t changed since the audit date
This is why an exchange can pass a PoR audit and still be insolvent. FTX’s balance sheet showed assets — they were just illiquid, self-issued tokens counted at fictional valuations.
The Three Components of a Credible PoR
1. Merkle Tree Verification
A credible PoR uses a Merkle tree structure that allows any individual user to verify their own account balance is included in the total liabilities figure — without exposing other users’ data.
Without Merkle tree inclusion proofs, the audit is an exchange self-reporting its own liabilities. The auditor only checks the asset side. This is the most common PoR format and the least meaningful.
Verification steps:
- Download your inclusion proof from the exchange’s PoR page
- Run it against the published Merkle root hash
- Confirm your balance appears in the liability total
Exchanges that don’t offer this step are not publishing a real PoR.
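The verification steps above, as an added example (not any exchange's actual proof format or code). It goes one step beyond a plain Merkle tree and uses a Merkle sum tree, in which each node also commits to the sum of the balances beneath it, so recomputing the root ties your balance to the published liability total. The hash layout, function names and sample accounts are assumptions; real proofs follow the exchange's own format and normally use a salted account identifier.

```python
import hashlib

def H(tag: bytes, *parts: bytes) -> bytes:  # tagged, length-prefixed SHA-256
    d = hashlib.sha256(tag)
    for p in parts:
        d.update(len(p).to_bytes(2, "big") + p)
    return d.digest()

def amount(n: int) -> bytes:
    return n.to_bytes(16, "big")  # unsigned: raises OverflowError if n < 0
def leaf(account: str, balance: int):
    return (H(b"leaf", account.encode(), amount(balance)), balance)

def parent(left, right):
    digest = H(b"node", left[0], amount(left[1]), right[0], amount(right[1]))
    return (digest, left[1] + right[1])  # node commits to child hashes and sums

def build_levels(leaves):
    """Exchange side: all tree levels, bottom-up, zero-balance padding on odd levels."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2:
            cur.append((H(b"pad"), 0))
        levels.append([parent(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels

def make_proof(levels, index):
    """Exchange side: ((sibling_hash, sibling_sum), sibling_is_left) per level."""
    proof = []
    for level in levels[:-1]:
        sib = index ^ 1
        proof.append((level[sib], sib < index))
        index //= 2
    return proof

def verify(account, balance, proof, root_hash, root_total):
    """User side: recompute the root from your own balance and the proof."""
    if balance < 0 or any(sib[1] < 0 for sib, _ in proof):
        return False  # a negative sum would let the exchange shrink the total
    node = leaf(account, balance)
    for sib, sib_is_left in proof:
        node = parent(sib, node) if sib_is_left else parent(node, sib)
    return node == (root_hash, root_total)

# Constructed sample data (balances in smallest units), not real exchange figures.
LEVELS = build_levels([leaf("alice", 150_000), leaf("bob", 20_000), leaf("carol", 5_000)])
ROOT_HASH, ROOT_TOTAL = LEVELS[-1][0]
CAROL_PROOF = make_proof(LEVELS, 2)
```

A proof that verifies shows only that your balance is counted in the committed total; it says nothing about accounts or products the exchange left out of the tree.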
2. Liability Completeness
The liability figure must account for all user balances across all products — spot, margin, futures, staking, earn, and any custodial sub-accounts.
Common manipulation: exclude margin liabilities, futures positions, or institutional sub-accounts from the snapshot. The asset side looks healthy because a large portion of what the exchange owes isn’t counted.
Red flags:
- PoR covers “spot accounts only”
- Margin or derivatives balances excluded with no explanation
- Institutional client balances listed separately or omitted
3. Independent Auditor — and Which One
Not all auditors are equal. A PoR attestation from a Big Four firm (Deloitte, PwC, KPMG, EY) carries different weight than one from a small firm with no crypto track record.
More importantly: auditors can issue attestations with limited scope. A limited-scope attestation means the auditor verified what they were shown — not that they independently discovered all liabilities. Always read the scope section of the audit letter.
What to look for:
- Named auditor with verifiable crypto audit history
- Scope section explicitly stating liabilities were independently sourced
- Frequency — quarterly minimum; monthly is best practice
- Public audit letter, not just an exchange-designed dashboard
The Liability Gap Problem
The most exploited gap in PoR: an exchange with $1B in user assets and $1B in customer liabilities passes the audit. But if the exchange also has $500M in undisclosed debt — loans, bonds, or inter-company transfers — it’s effectively insolvent while holding a clean PoR certificate.
PoR only proves assets ≥ liabilities as reported. It cannot catch hidden liabilities unless the auditor independently sources liability data from the exchange’s full accounting system, not just the customer balance database.
This is why some researchers consider proof of solvency — full balance sheet audits including all liabilities and debt instruments — the only meaningful standard. No major exchange currently publishes this.
On-Chain Verification — What You Can Check Yourself
Regardless of auditor quality, on-chain assets are publicly verifiable. Steps:
- Find the exchange’s published cold and hot wallet addresses (most post these on their PoR page)
- Cross-reference balances on a block explorer (Etherscan, blockchain.com, Solscan)
- Check that wallet addresses are actually controlled by the exchange — some exchanges have listed third-party custodian addresses as their own
For Bitcoin specifically: check whether the exchange signed a message with the private key of the wallet, proving ownership. An address balance without a signed message proves nothing — anyone can point to a whale wallet and claim it as theirs.
Exchange PoR Frequency — What’s Acceptable
Snapshot timing matters too. An exchange that chooses its own audit date can temporarily consolidate assets from multiple custodians to pass the snapshot, then redistribute. Real-time or randomized audits prevent this.
Summary: The PoR Checklist
Before treating a PoR as meaningful assurance, verify:
- Merkle tree inclusion proof available for your account
- Liabilities include all product types — spot, margin, futures, earn, institutional
- Named auditor with published scope letter
- Scope letter confirms independent liability sourcing
- Cold wallet addresses published and verifiable on-chain
- Signed message proving exchange controls the wallets
- Audit frequency: monthly or better
- Most recent audit within 60 days
If an exchange fails more than two of these, treat their PoR as marketing, not assurance.
Coinvestopedia tracks PoR methodology, frequency, and auditor quality as part of the Security & Transparency categories in our exchange research database.
This article is for informational purposes only. Not financial or investment advice.