Proof of Reserves Explained
What PoR actually verifies — and what it doesn't.
Short answer
Proof of Reserves uses a Merkle tree to let users verify that a platform's on-chain custody holdings match customer liabilities at a point in time. It catches the worst failure mode ("we claim to hold your crypto but the wallets are empty") but does not prove solvency, does not account for off-chain liabilities, and does not verify that customer crypto is not loaned out elsewhere. Treat PoR as one input among several, not as an insurance policy.
Why PoR exists
In November 2022, FTX collapsed with an estimated $8B+ gap between claimed customer liabilities and actual on-chain assets. The entire custody proposition — "your crypto is here, untouched" — was fiction. No independent check existed; the platform simply stated the numbers and everyone believed them.
PoR is a post-FTX response: a way for users to independently verify, without trusting the platform's word, that at least the on-chain side is legitimate at the moment of the attestation.
How a Merkle-tree PoR works
- Platform snapshots all customer account balances at time T.
- Each customer's balance is hashed into a leaf of a Merkle tree. Leaves are then hashed together in pairs into intermediate hashes, level by level, up to a single root hash.
- The platform publishes the Merkle root and, for each customer, the Merkle path from their leaf to the root.
- Each customer can verify: "my balance, combined with the path, produces the published root". This proves their balance was included.
- Separately, the platform signs messages from its custody wallet addresses proving control of those wallets, and publishes the addresses and their balances.
- The sum of on-chain wallet balances should meet or exceed the sum of Merkle-tree leaf balances.
What PoR proves
- At time T, the platform's wallets hold at least X assets.
- At time T, the sum of customer balances in the Merkle tree equals X.
- Your specific balance was correctly included in the Merkle tree.
What PoR does NOT prove
Solvency
PoR shows assets ≥ customer crypto liabilities. It does not show assets ≥ all liabilities. A platform can have PoR-compliant crypto custody and still be insolvent if it owes $5B to unsecured bondholders, has lost money on trading operations, or faces regulatory penalties.
Continuity of custody
PoR is a snapshot. Between snapshots, the platform could have moved funds in and out, loaned to counterparties, or briefly been undercapitalised. A 90-day gap is a 90-day trust window.
Wallet ownership authenticity
A platform could, in principle, briefly borrow crypto for the snapshot ("repo the reserves"). Sophisticated auditors check for this via ongoing signature verification and by checking the wallets for signs of temporary inflow before the snapshot. This is a layer of review that simple PoR does not automatically provide.
Rehypothecation
If customer funds are used for lending or trading, they may be both "on the balance sheet" and "owed to a counterparty". PoR shows the current on-chain position, not the total claim structure. This was a core Celsius and BlockFi failure — crypto was loaned to market-makers and institutional borrowers.
Liabilities accuracy
The customer-liability Merkle tree is built from the platform's own account-balance data. If the platform has understated liabilities (e.g., undisclosed customer accounts), PoR will not catch this. A "Proof of Liabilities" counter-check (published account count, sampling) helps but is less common.
How to evaluate a PoR attestation
- Who performed the attestation? Named audit firm (Mazars, Armanino, Deloitte, BDO) or blockchain-specific auditor is better than self-published.
- How often? Monthly is strong. Quarterly is acceptable. Annual or ad-hoc is weak.
- What methodology? Look for explicit description of the snapshot technique, wallet-signature verification, and liabilities counter-check.
- Is Proof of Liabilities included? Sampling of customer accounts to verify none were omitted.
- Is the Merkle root publicly downloadable? And can you verify your own account in it?
- What assets are covered? BTC, ETH, stablecoins usually covered; long-tail altcoins may not be.
PoR vs traditional financial audit
A traditional financial audit (e.g., Coinbase as an SEC-registered public company) covers solvency, off-chain obligations, corporate cash, revenue recognition, and more. It is slower (annual) and more expensive. PoR is faster (monthly/quarterly) and cheaper but narrower. Platforms with both (Coinbase) provide stronger transparency than platforms with only one or the other.
Which platforms publish PoR
- Monthly: Binance (Merkle tree)
- Quarterly: Crypto.com (Armanino), Kraken (Armanino historically), Bitfinex, OKX, Bybit
- Annual audited financials instead of PoR: Coinbase (SEC-registered), Revolut (Lithuanian banking supervision)
- Neither well-documented: some offshore exchanges — walk away