Understanding the Limitations of Proof-of-Reserves

What is Proof-of-Reserves?

At its essence, proof-of-reserves serves as a public assertion that a custodian possesses the assets it claims to hold for its users. This is typically done using cryptographic methods and transparency on the blockchain.

If every crypto exchange can produce a proof-of-reserves (PoR) report, then why do withdrawals sometimes experience delays or are halted altogether during crises?

The reality is that proof-of-reserves does not guarantee trust. It indicates whether verifiable assets exist at a particular moment but fails to verify the platform’s solvency, liquidity, or whether it operates under controls that mitigate hidden risks.

Even well-executed, PoR often represents a snapshot in time, potentially omitting critical events that occurred before or after the reporting moment. Without a trustworthy account of liabilities, PoR cannot provide the assurance of solvency that users require during withdrawal stresses.

Proof of Reserves

Did you know? On December 31, 2025, the CEO of Binance disclosed that the platform’s user asset balances, confirmed through proof-of-reserves, had reached $162.8 billion.

What PoR Validates and the Common Methods

In practical terms, PoR involves two checks: one for assets and ideally another for liabilities.

On the asset side, exchanges demonstrate control over certain wallets by either publishing addresses or signing messages.

Liabilities pose a greater challenge. Most exchanges create a snapshot of user balances and transfer it into a Merkle tree structure, often a Merkle-sum tree. Users can then independently verify their balance’s inclusion without making everyone’s balances publicly accessible.

When executed effectively, PoR reveals if on-chain assets sufficiently cover customer balances at a specific moment in time.

Did you know? Binance allows users to independently verify their presence in its PoR snapshot through a verification page that generates a cryptographic proof based on a user balance Merkle tree, enabling account confirmation without exposing other users’ data.

The Risks Remain Even with PoR

Though PoR can increase transparency, it should not be the sole metric for assessing the financial health of an organization. A report showing assets without comprehensive liabilities does not validate solvency. Even if on-chain wallets appear robust, liabilities might be inadequate or selectively defined, omitting elements such as loans, derivatives exposure, legal obligations, or off-chain payables. This can create an illusion of funds existing without confirming the business’s capacity to fulfill all obligations.

Additionally, a solitary attestation does not reveal how the balance sheet appeared in the prior week or what it might look like after the report. Assets could theoretically be borrowed to inflate the snapshot, only to be withdrawn afterward.

Furthermore, encumbrances frequently go unreported. PoR typically does not clarify if assets are pledged as collateral, lent out, or otherwise restricted, which could entail unavailability during withdrawal spikes.

Liquidity and valuations can also be misleading. Possessing assets doesn’t guarantee the ability to liquidate them rapidly and at a large scale during times of stress, especially if reserves are concentrated in cryptocurrencies that are not regularly traded. PoR fails to address this issue; clearer risk and liquidity disclosures could.

PoR is Not an Audit

Many trust issues arise from mismatched expectations regarding PoR. Many users view it as a safety certification. In truth, many PoR activities are akin to agreed-upon procedures (AUPs), where practitioners conduct certain checks and report their findings without an audit-style opinion on the company’s overall welfare.

On the other hand, audits or reviews aim to deliver a conclusion based on assurance within structured frameworks. AUP reporting is limited in scope. It tallies what was examined and what was observed, leaving it to the reader’s interpretation. Under the International Standard on Related Services (ISRS) 4400, AUP engagements do not express an opinion.

Regulatory bodies have pointed out this discrepancy. The Public Company Accounting Oversight Board has warned that PoR reports are inherently limited and should not be perceived as evidence that an exchange possesses sufficient assets to meet its liabilities, particularly given the inconsistency in how PoR work is conducted and portrayed.

This scrutiny also increased following 2022. Mazars halted its collaboration with crypto clients citing concerns over how PoR reports were presented and how the public might misconstrue them.

What Constitutes a Reliable Trust Framework?

While PoR can be a useful starting point, actual trust arises from combining transparency with solvency evidence, robust governance, and precise operational controls.

Start with solvency; demonstrable assets must outweigh a complete set of liabilities. Merkle-based proofs of liabilities, coupled with innovative zero-knowledge proofs, aim to bridge this gap without exposing individual balances.

Next, inject assurance regarding the operational methods of the exchange. A mere snapshot provides no insight into whether a platform maintains disciplined procedures, such as key management, access permissions, change management, incident response protocols, segregation of responsibilities, and custody workflows. This is why institutional due diligence often relies on reporting in line with System and Organization Controls (SOC) that gauge controls over time, not solely a static balance.

Make both liquidity and encumbrances transparent. Solvency on paper does not assure that an exchange can endure a rush. Users require clarity regarding whether reserves are unencumbered and how swiftly assets can convert to liquid cash at scale.

Finally, embed trust within governance and disclosure. Credible oversight necessitates transparent custody frameworks, conflict resolution mechanisms, and consistent disclosures, particularly for operations that introduce supplementary obligations such as yield, margin, and lending.

PoR Strengthens but Cannot Substitute Accountability

Proof-of-reserves is certainly better than nothing; however, it serves as a limited, point-in-time verification method, often advertised as a safety certificate. Alone, PoR fails to validate solvency, liquidity, or control quality. Hence, prior to accepting a PoR badge as “safe,” it’s crucial to consider the following:

1. Are liabilities included, or is it only assets? Asset-only reporting fails to demonstrate solvency.
2. What is included? Are margin products, yields, loans, or off-chain obligations excluded?
3. Is it a snapshot or ongoing? A single date’s report can be misleading. Consistency is important.
4. Are reserves unencumbered? “Held” does not equate to “accessible during stress.”
5. What kind of engagement is it? Many PoR reports are limited in scope and should not be interpreted as an audit opinion.

This article does not provide investment advice or recommendations. All investment and trading activities carry risks, and all readers should do their own due diligence. While every effort is made to ensure accurate and timely information, Cointelegraph does not guarantee the precision, completeness, or reliability of the information in this article. Forward-looking statements may be present, which are subject to risks and uncertainties. Cointelegraph cannot be held responsible for any losses or damages arising from reliance on this information.