Proof-of-reserves (PoR) is now one of the best-known ways in the cryptocurrency world to show that exchanges and custodians really do hold the assets they say they do. The procedure usually involves publishing cryptographic proofs of control over on-chain wallets. These proofs are generally supplemented with Merkle-tree commitments to user balances. Users can then independently verify that their own balance is included in the snapshot without exposing everyone else’s data. On paper, this looks like a strong way to make things more open. But in practice, PoR is far more limited than most people think, and using it as the main sign of safety can make you feel safer than you really are.
The main issue is that proof-of-reserves only answers one question: Are there verifiable assets on the platform at that time? It doesn’t address the most important questions in a crisis: Is the platform still in business? Are the assets free and clear? If things get tough, can the custodian handle withdrawal requests? These gaps are why exchanges can pass a PoR check and still stop or slow down withdrawals when people want to leave quickly.
What PoR Really Shows and What It Doesn’t
A well-done PoR report shows two things. First, the custodian has control over some on-chain addresses, which is commonly shown by signing a message with the right private keys. Second, a cryptographic commitment, usually a Merkle tree, includes user balances. This way, people may check that their money was tallied without everyone else knowing how much they had. For example, Binance lets customers provide inclusion proofs using its verification portal, which lets each account holder check that their balance was part of the snapshot.
That is useful information. It gets rid of the “black box” problem, in which consumers can’t check whether their money is really there. But its scope is also very narrow.
PoR is almost always a snapshot of a specific moment. It shows what the balance sheet looked like at a certain time, such as a particular day or hour. “Window dressing” is the practice of temporarily borrowing assets to make the reported number look bigger, then moving them out right away. The snapshot says nothing about what happened the day before or the day after the report, whether or not anything was done on purpose.
Liabilities are often left undefined or only partially defined. Many PoR engagements just look at spot balances and leave out margin positions, loan books, derivatives exposure, off-chain payables, or contingent claims. An exchange can have substantial on-chain assets and still be underwater when all of its debts are taken into account.
Encumbrances are rarely shown. PoR usually doesn’t say if reserves are being used as collateral, lent out, or otherwise restricted. You can “hold” assets on paper, but they won’t be available during a run. Liquidity risk is another thing that people don’t see. Having an asset is not the same as being able to swiftly and easily sell it when withdrawals go up, especially if most of the reserves are in tokens that are hard to sell.
These limits are why PoR can coexist with delayed withdrawals, closed accounts, or even bankruptcy. The report may be correct on the day it comes out, but it doesn’t show that the company is still able to pay its bills or keep running.
PoR Is Not an Audit
A lot of the uncertainty over proof-of-reserves comes from people having different ideas about what it should be. A lot of people think of a PoR report as a safety certificate or an audit opinion. In practice, most PoR engagements are limited-scope processes, which are sometimes called “agreed-upon procedures” in standards like ISRS 4400. The practitioner does certain checks and summarizes what they find without giving a general assessment on the company’s financial condition.
This difference is important. A real audit or review engagement provides formal assurance. PoR reports, on the other hand, are more limited. They describe what was tested and what was observed, and then let the reader decide what it means. The Public Company Accounting Oversight Board has frequently said that these kinds of reports are limited by nature and should not be used as proof of solvency.
The failure of various centralized platforms in 2022 made this problem very clear. Mazars, one of the companies that had been giving PoR-style attestations to crypto clients, stopped working in the field because it was worried about how the reports were being promoted and understood. The event made it clear that being open about assets is helpful, but it doesn’t mean that the business is healthy overall.
A More Complete Trust Framework
Proof of reserves can be a good place to start, but real trust needs further evidence. The first and most important layer is solvency. A full balance sheet should show that assets are greater than liabilities. This should include not only spot balances, but also margin positions, loans, derivatives, and off-chain obligations. New zero-knowledge approaches like Merkle-based liability proofs are starting to reduce this gap. They let customers validate coverage without giving over personal information.
Operational controls are just as crucial. A snapshot can’t indicate if the platform has good key management, access controls, change management, incident response, separation of roles, and custody routines. Institutional investors commonly use SOC-style reporting or other frameworks that look at controls over time, not just at one point in time.
Visibility of liquidity and encumbrance adds another layer. Just because a company is solvent on paper doesn’t mean that it can easily sell off its assets when things get tough. It is important to be clear about whether reserves are free of liens and how quickly they can be used.
Lastly, governance and consistent disclosure are important. For products that involve yield, margin, or lending commitments, credible oversight needs clear custody procedures, conflict management, and regular reporting.
The Way Ahead
PoR is better than opacity, but it’s still a small check. People who use it as a full safety signal are perhaps depending too much on a limited instrument. A stronger approach includes:
– Full solvency proofs that include all of the assets and debts
– Ongoing assurance regarding governance and operational controls
– Clear disclosure of the condition of liquidity and encumbrance
– Clear communication during emergencies instead of silence or delay
Trust in centralized platforms will stay weak until these things are always in place. Decentralized protocols that don’t employ custody at all avoid a lot of these problems, but they have their own problems with user experience and regulatory clarity.
The lesson from the last few years is clear: tools that make things clear are useful, but they don’t replace accountability. Building confidence in a place where it is the most fragile asset takes more than one snapshot; it takes a full picture of solvency, operations, and risk management.