Why Proof-of-Reserves Isn’t Enough to Trust Crypto Exchanges
What is proof-of-reserves?
At its core, proof-of-reserves is a public demonstration that a custodian holds the assets it claims to hold on behalf of users, typically using cryptographic methods and onchain transparency.
If every crypto exchange can publish a proof-of-reserves (PoR) report, why can withdrawals still be delayed or halted during a crisis?
The truth is that proof-of-reserves is not a trust guarantee. It shows whether verifiable assets exist on a platform at a single point in time, but it does not confirm that the platform is solvent, liquid or governed by controls that prevent hidden risk.
But even when executed properly, PoR is often a point-in-time snapshot that can miss what happened before and after the reporting moment.
Without a credible view of liabilities, PoR cannot prove solvency, which is what users actually need during periods of withdrawal stress.
Did you know? On Dec. 31, 2025, Binance’s CEO wrote that the platform’s user asset balances publicly verified through proof-of-reserves had reached $162.8 billion.
What PoR proves and how it is usually done
In practice, PoR involves two checks: assets and, ideally, liabilities.
On the asset side, an exchange shows that it controls certain wallets, usually by publishing addresses or signing messages.
Liabilities are trickier. Most exchanges take a snapshot of user balances and commit it to a Merkle tree, often a Merkle-sum tree. Users can then confirm that their balance is included using an inclusion proof, without everyone’s balances being made public.
When done properly, PoR shows whether onchain assets cover customer balances at a specific moment.
Did you know? Binance lets each user independently verify their inclusion in its PoR snapshot. Through its verification page, Binance generates a cryptographic proof based on a Merkle tree of user balances, allowing users to confirm that their account was counted without revealing anyone else’s data or balances.
How an exchange can “pass PoR” and still be risky
PoR can improve transparency, but it shouldn’t be relied on as the sole measure of a company’s financial health.
First, a report on assets without full liabilities does not demonstrate solvency. Even if onchain wallets appear strong, liabilities can be incomplete or selectively defined, missing items such as loans, derivatives exposure, legal claims or offchain payables. Such a report can show that funds exist without proving the business can meet all of its obligations.
Also, a single attestation does not reveal what the balance sheet looked like last week or what it looks like the day after the report. In theory, assets can be temporarily borrowed to improve the snapshot, then moved back out afterward.
Next, encumbrances often do not show up. PoR typically cannot tell you whether assets are pledged as collateral, lent out or otherwise tied up, meaning they may not be available when withdrawals spike.
Liquidity and valuation can also be misleading. Holding assets is not the same as being able to liquidate them quickly and at scale during periods of stress, especially if reserves are concentrated in thinly traded tokens. PoR does not address this issue; clearer risk and liquidity disclosures might.
PoR isn’t the same as an audit
A lot of the trust problem comes from a mismatch in expectations.
Many users treat PoR like a safety certificate. In reality, many PoR engagements resemble agreed-upon procedures (AUPs). In these cases, the practitioner performs specific checks and reports what was found without providing an audit-style opinion on the company’s overall health.
An audit, or even a review, is designed to deliver an assurance conclusion within a formal framework. AUP reporting is narrower. It explains what was tested and what was observed, then leaves interpretation to the reader. Under International Standard on Related Services (ISRS) 4400, an AUP engagement is not an assurance engagement and does not express an opinion.
Regulators have highlighted this gap. The Public Company Accounting Oversight Board has warned that PoR reports are inherently limited and should not be treated as proof that an exchange has sufficient assets to meet its liabilities, especially given the lack of consistency in how PoR work is performed and described.
This is also why PoR drew increased scrutiny after 2022. Mazars paused work for crypto clients, citing concerns about how PoR-style reports were being presented and how the public might interpret them.
What’s a practical trust stack, then?
PoR can be a starting point, but real trust comes from pairing transparency with proof of solvency, strong governance and clear operational controls.
Start with solvency. The real step up is showing assets versus a complete set of liabilities, ensuring assets are greater than or equal to liabilities. Merkle-based liability proofs, along with newer zero-knowledge approaches, aim to close that gap without exposing individual balances.
Next, add assurance around how the exchange actually operates. A snapshot does not reveal whether the platform has disciplined controls such as key management, access permissions, change management, incident response, segregation of duties and custody workflows. This is why institutional due diligence often relies on System and Organization Controls (SOC)-style reporting and similar frameworks that measure controls over time, not just a balance at a single moment.
Make liquidity and encumbrance visible. Solvency on paper does not guarantee that an exchange can survive a run. Users need clarity on whether reserves are unencumbered and how quickly holdings can be converted into liquid assets at scale.
Anchor it in governance and disclosure. Credible oversight depends on clear custody frameworks, conflict management and consistent disclosures, especially for products that introduce additional obligations such as yield, margin and lending.
PoR helps, but it can’t replace accountability
PoR is better than nothing, but it remains a narrow, point-in-time check (even though it’s often marketed like a safety certificate).
On its own, PoR does not prove solvency, liquidity or control quality. So, before treating a PoR badge as “safe,” consider the following:
Are liabilities included, or is it assets only? Assets-only reporting cannot demonstrate solvency.
What is in scope? Are margin, yield products, loans or offchain obligations excluded?
Is it a one-off snapshot or ongoing reporting? A single date can be dressed up. Consistency matters.
Are reserves unencumbered? “Held” is not the same as “available during stress.”
What kind of engagement is it? Many PoR reports are limited in scope and should not be read like an audit opinion.





