Why is proof-of-reserves not enough to trust exchanges?

What is proof-of-reserves?

Proof-of-reserves is a way for an exchange to publicly show that it actually holds its users’ coins. This is most often done using cryptographic proofs and onchain data that anyone can verify.

At first, that sounds like enough. If every exchange can publish a PoR report, then why are payouts delayed or even stopped in crises?

The problem is that proof-of-reserves is not a guarantee of trust. It shows the state of the assets at one point in time. It says nothing about whether the platform is liquid, whether there are enough funds for withdrawals at all times, or whether there are hidden risks behind it.

In other words, you see how many coins there are, but you don’t see debts. If an exchange has more liabilities than assets, the PoR itself does not reveal this.

Another problem is that PoR is often just a snapshot. The position may look good at one moment, but you don’t know what happened before or what will happen after that.

Without a clear view of the liabilities, proof-of-reserves cannot prove solvency. And that’s exactly what users need when they all start withdrawing funds at once.

Interestingly, at the end of 2025, the CEO of Binance announced that user funds verified through proof-of-reserves reached about $162.8 billion.

Source: cointelegraph

What does PoR actually prove and how is it done?

In practice, proof-of-reserves has two parts: assets and, ideally, liabilities.

When it comes to assets, it’s pretty simple. The exchange shows that it controls certain wallet addresses. It does this by publicly announcing addresses or signing a message with a private key. By doing so, it proves that it really has access to these coins onchain.

Liabilities are much more complicated. Most exchanges take a snapshot of user account balances and record it in a so-called Merkle tree, often a Merkle-sum variant. In this way, the data can be verified without revealing all the details.

The user can then check if their balance is included in that snapshot. This is done through a so-called inclusion proof. In other words, you can confirm that you are accounted for, but you do not see anyone else’s balance.

When everything is done right, PoR can show that onchain assets cover users’ balances at that one point in time.

But then again, this is only true for that snapshot. It does not say anything about the situation before or after, nor does it guarantee that funds will be available when everyone starts withdrawing.

How can an exchange "pass PoR" and still be risky?

Proof-of-reserves can increase transparency, but it shouldn’t be the only signal that everything is fine.

If you only see assets, without complete liabilities, you don’t know if the company is really solvent. Wallets may look strong, but the liabilities may be incomplete or selectively displayed. Things such as loans, derivatives, legal risks or offchain debts are often missing here. In short, you see that coins exist, but you don’t know if the exchange can cover everything it owes.

The second problem is the snapshot moment itself. One report does not say what the situation looked like last week or what happens the day after. In theory, funds can be temporarily borrowed to make the picture look better, and then removed later.

There are also so-called encumbrances, i.e. restrictions on assets. PoR usually does not indicate whether coins are pledged as collateral, borrowed against, or in some way already “reserved”. This means that they may not really be available when a large wave of withdrawals begins.

Liquidity is another problem. Having assets is not the same as being able to sell them quickly without a big drop in price. If a large part of the reserves is in coins with low trading volume, then in stressful situations this becomes a serious risk. PoR doesn’t cover that. This requires additional risk and liquidity data.

The conclusion is simple. An exchange may look good on paper and pass PoR, but in reality it still has serious weaknesses in the background.

PoR is not the same as auditing

Much of the trust problem comes from false expectations.

Many users look at PoR as a kind of “security certificate”. In reality, most PoR reports are closer to so-called agreed-upon procedures (AUP). This means that someone checks certain things and just writes down what they have found, without any conclusion about the overall financial condition of the company.

A classic audit is something else. It gives an opinion within a clearly defined framework and tries to answer the question of whether the business is healthy. With the AUP approach, there is no such thing. You get a list of what has been tested and what has been found, and the interpretation remains up to you.

Regulators have also warned about this. The Public Company Accounting Oversight Board emphasized that PoR reports are limited and should not be treated as proof that the exchange can cover all liabilities. The problem is that there is no single standard for performing and presenting PoR.

As a result, the whole topic came under closer scrutiny after 2022. Mazars even paused its cooperation with crypto clients because there were concerns about how PoR reports are presented and how the public interprets them.

The point is simple. PoR can provide some insight, but it is not the same as a real audit and cannot be viewed as such.

PoR helps, but it's not enough

Proof-of-reserves is better than nothing, but it’s still limited and only gives a narrow view of the situation at one point in time, although it’s often presented as something much more secure.

PoR itself does not prove solvency, liquidity or the quality of controls, so it should not be seen as a sign that everything is “safe” without additional checks. It is important to know whether liabilities are also included in the report or only assets are shown, because without liabilities there is no real picture of solvency. You should also be careful about what is covered, as some reports omit margin, yield products, loans or offchain liabilities, which can significantly change the risk picture.

It is also important to understand whether it is a single snapshot or continuous monitoring, because the situation on a single day can be presented as better than it really is, while continuity gives a much more realistic insight. In addition, it should be checked whether the reserves are really available or are already tied up somewhere as collateral or lent out further, because “held” does not necessarily mean “available” in a situation where everyone starts withdrawing funds.

Finally, the type of report itself should be taken into account, as most PoR reports have a limited scope and do not provide an opinion the way a true audit does.

The conclusion is simple: PoR is a useful signal, but it is not enough on its own and should always be viewed in a broader context.