?Are you trying to figure out which crypto exchanges publish proof-of-reserves this year and how to use that information to keep your assets safer?
Introduction
You probably know that proof-of-reserves (PoR) became a much more discussed topic after a number of high-profile exchange failures. You want to know which exchanges are transparent about their reserves, how the various PoR methods work, and how to verify claims yourself. This article walks you through the concepts, common implementations, what PoR can and cannot prove, how to verify proofs, a snapshot of major exchanges’ PoR practices (with an important date caveat), and practical tips for using PoR as one of several safety checks.
Note: My factual snapshot reflects publicly available information up to mid-2024. Exchanges’ policies and practices may have changed since then, so you should always confirm current status directly with the exchange’s website, blog, or verified announcements.
What is proof-of-reserves?
Proof-of-reserves is a transparency technique used by custodial crypto platforms to show that they hold on-chain assets equal to or greater than customer balances. The goal is to give you confidence that the exchange is not insolvent or hiding a shortfall. PoR methods range from on-chain proofs (directly verifiable) to third-party attestations (auditors confirming custody or reserve amounts).
You should treat PoR as one tool among many: it provides valuable information, but it rarely tells the full story about liabilities, liquidity, or off-chain risks.
Why exchanges started offering PoR
After episodes where customers discovered their funds were missing or inaccessible, many exchanges started providing PoR or similar transparency reports to rebuild trust. You want to know whether an exchange has a PoR program, how frequent it is, and how verifiable the proof is.
Technical approaches to proof-of-reserves
There are several technical methods exchanges use to demonstrate reserves. Each has strengths and weaknesses in terms of verifiability, privacy, and the extent of what it proves.
Merkle-tree proofs
Merkle-tree proofs are a common privacy-friendly technique. The exchange builds a Merkle tree whose leaves represent individual customer balances (often anonymized or hashed). It publishes the Merkle root on-chain or via its website and provides per-user Merkle proofs so you can cryptographically verify that your balance is included in the published root.
You can verify the proof locally using your account data, the supplied Merkle proof, and the published root. This method proves inclusion of your balance in the snapshot, and that the total of reported reserves (if on-chain) covers the sum of leaves — but it requires trust in how liabilities were calculated and whether assets for other obligations exist off-chain.
On-chain balance proofs and attestations
Some exchanges publish addresses they control and provide signed attestations indicating the balances in those addresses. They might also publish transactions where they move assets to multi-sig or custody providers and show on-chain holdings that correspond to their liabilities.
On-chain proofs are very strong for proving custody of specific assets at a specific time because anyone can query the blockchain. You still need to confirm that the assets cover total customer liabilities and that the exchange didn’t artificially exclude certain liabilities.
Third-party audits and attestations
Exchanges sometimes hire accounting firms or crypto auditors to produce attestations or reports confirming reserves. These reports can be full audits or more limited attestations (for example, confirming custody of specific cold-wallet addresses).
An auditor’s reputation matters. Audits increase credibility but are not themselves cryptographic proofs — they rely on audit procedures and access provided by the exchange.
Hybrid approaches
Many exchanges use a combination: publish on-chain addresses, provide Merkle proofs for users, and commission third-party attestations. The hybrid approach attempts to balance verifiability, user privacy, and comprehensive reporting.
What proof-of-reserves proves — and what it doesn’t
PoR is useful, but it has limits. You should know both the strengths and the blind spots.
What PoR can prove
- That certain on-chain addresses hold the claimed assets at a snapshot time (if published on-chain).
- That your account balance was included in a published Merkle root or snapshot.
- That an auditor or third party examined reserves or specific wallets and produced an attestation.
These proofs give you more confidence about custody of assets and inclusion of customer balances in the exchange’s snapshot.
What PoR cannot prove by itself
- Completeness of liabilities: Many PoR presentations show assets but do not comprehensively disclose all customer liabilities, off-chain obligations, or illiquid assets.
- Real-time solvency: Snapshots are momentary. You cannot assume funds remain fully covered after the snapshot.
- Access or withdrawal ability: Custody can exist on-chain but might be restricted, frozen, or otherwise encumbered.
- Off-chain assets or debts: Loans, margin positions, or directed OTC trades may create obligations not captured in simple PoR reports.
You should combine PoR with other checks (regulatory filings, insurance disclosures, proof-of-liabilities, withdrawal tests) to get a fuller picture.
Which exchanges offer proof-of-reserves this year?
You want a concrete, actionable list. Below is a snapshot table summarizing major exchanges’ PoR practices as of publicly available information up to mid-2024. Use it as a starting point, and always check the exchange’s current resources for the latest status.
| Exchange | PoR Offered? (mid-2024) | Typical Method | Frequency / Notes | How you can verify |
|---|---|---|---|---|
| Kraken | Yes | Merkle-tree and public reports | Periodic snapshots and Merkle proofs since 2020 | Use Kraken’s PoR page, retrieve your Merkle proof and verify locally |
| Coinbase | Partial / Attestations | Auditor attestations, reserves disclosures | Periodic reports and regulatory filings | Review Coinbase’s audit/attestation reports and published reserve addresses |
| Binance | Partial | Public wallet addresses, periodic reports | Published wallets and statements; practices debated | Check Binance’s blog & on-chain addresses; look for third-party attestations |
| Gemini | Yes (historically) | Custody confirmations and attestations | Public statements and attestations; regulator filings | Review Gemini’s attestation reports and disclosures |
| Bitstamp | Partial | Auditor attestations / statements | Periodic reconciliations | Check Bitstamp’s announcements and audit reports |
| Bitfinex | Partial | On-chain snapshots and auditor reports | Published periodic info | Look for published proofs and third-party attestations |
| Crypto.com | Yes / Partial | Auditor attestations and reserve statements | Published proof-of-reserve efforts with auditors | Check official blog and auditor statements |
| OKX (OKEx) | Partial | On-chain addresses / reports | Public wallet disclosures | Verify wallet addresses on-chain |
| Huobi | Partial | Public address listings / reports | Historical wallet disclosures | Verify published addresses on-chain |
| Bittrex | Partial | Audit statements / reserve disclosures | Audit or attestation records | Review published statements |
| Gemini Earn / BlockFi-type custody | Varies | Custodial attestations / proofs or regulatory filings | Depends on product | Review product-specific disclosures |
Important: this table reflects public information through mid-2024. Since practices can change, you should verify current status on the exchange’s verified website, blog, or official communications before relying on any claim.
How to verify an exchange’s PoR claim yourself
You want practical steps you can follow to independently verify proofs. The exact steps depend on the type of PoR used by the exchange.
Verifying a Merkle-proof (high-level steps)
- Locate your account’s Merkle proof: the exchange should provide a downloadable proof or a way to retrieve it from your account page.
- Obtain the published Merkle root: the exchange should publish the root on a publicly accessible page or on-chain.
- Gather the leaf data: the leaf will typically be a hash of your account identifier and balance (or an anonymized representation). Confirm the exact leaf structure the exchange uses (they should document this).
- Use a Merkle verification tool: use a local script or an open-source verifier that recomputes the path from your leaf to the root and confirms equality to the published root.
- Confirm snapshot timestamp: ensure the published root has a timestamp or on-chain transaction linking it to a specific time.
If the recomputed root matches the published root, your balance was included in the snapshot used to compute that root.
Verifying on-chain wallet balances
- Get the wallet addresses the exchange claims to control (often published with signatures or via auditor report).
- Query the blockchain for balances at the snapshot time using a block explorer or node.
- Confirm that the sum of the published on-chain balances covers the exchange’s declared asset totals (if the exchange publishes those totals).
- Look for multi-sig or custody control details: some exchanges publish signatures proving control of addresses (signed messages). Verify signatures using the claimed public keys.
On-chain verification is powerful. It shows custody at a given time, but you must still confirm that assets cover liabilities.
Reviewing auditor attestations
- Read the full audit or attestation report — not only the executive summary. Look for scope limitations and whether the auditor verified liabilities or just assets.
- Confirm the auditor is reputable and independent.
- Check the date and whether subsequent material events might have affected reserves.
Audits are useful but require careful reading of scope and limitations.
Limitations and common pitfalls you should know
You want to use PoR intelligently. Here are common pitfalls to watch for so you don’t get a false sense of security.
Snapshot timing and stale information
A single snapshot can be true at one moment and misleading later. If you rely on an infrequent PoR and the exchange experiences outflows or losses after the snapshot, the proof no longer reflects present solvency.
Always check snapshot timestamps and prefer exchanges with frequent or continuous proofs.
Omissions and narrow scope
Exchanges sometimes publish proofs covering only certain assets (e.g., BTC and ETH) or exclude liabilities like margin loans, rehypothecated assets, or OTC positions. You should check scope and ask whether stablecoins, tokenized assets, or custodial claims are included.
Auditor limitations and disclaimers
Read auditor reports carefully. Many attestations include disclaimers about scope (e.g., “we verified the custody of specific wallets as of a date” rather than a full audit of liabilities). A reputable auditor helps, but you must understand what they verified.
Privacy vs. transparency trade-offs
Merkle proofs balance transparency and user privacy by including hashed or anonymized data. That’s good for you and other users, but it means you must rely on your local verification rather than inspecting every user’s balance.
Self-reported or unverifiable claims
Be cautious with press releases that claim “fully backed” without verifiable proof. If an exchange claims full backing, check for published proofs or third-party attestations you can verify.
Questions you should ask an exchange (or look for answers to)
You want to evaluate PoR claims quickly. Ask or look for these items in their PoR documentation:
- What is the scope of the proof? Which assets and liabilities are included or excluded?
- What is the snapshot timestamp and how frequently are snapshots taken?
- Is the Merkle-tree construction documented (format of leaves, hashing algorithm)?
- Are the published wallet addresses signed or attested by an auditor?
- Has an independent auditor reviewed the proof? What exactly did they audit?
- Are on-chain proofs tied to immutable timestamps (e.g., published in a blockchain transaction)?
- How do you retrieve and verify your personal Merkle proof?
If the documentation lacks answers, treat PoR claims with skepticism.
Practical tips for users relying on PoR
You want pragmatic guidance that improves your safety when using exchanges.
Use PoR as one signal, not the only one
Combine PoR with other indicators: regulatory oversight, insurance coverage, withdrawal history, transparency reports, and community reputation. No single metric guarantees safety.
Prefer on-chain proofs and signed attestations
On-chain addresses and cryptographic signatures are more directly verifiable than narrative statements. When possible, favor exchanges that publish control of wallets with verifiable signatures and frequent snapshots.
Keep records and verify periodically
If you rely on an exchange, download your Merkle proof or save auditor reports for your records. Re-verify when the exchange publishes new snapshots or reports.
Withdraw to self-custody for large holdings
Proof-of-reserves doesn’t eliminate counterparty risk. For long-term storage of significant amounts, you should consider self-custody using hardware wallets or reputable custody providers with segregated assets.
Monitor community and regulator signals
Regulatory actions, frozen withdrawals, or sudden leadership changes can affect solvency and access. Use PoR as part of ongoing monitoring.
Example: How you would verify a typical Merkle PoR step-by-step
You want a clear sequence you can follow. Here’s a high-level, non-code example that applies to many exchanges:
- Log into your exchange account and locate the “Proof of Reserves” or “Proof” section.
- Download the Merkle-proof file for your account or copy the proof data from the UI.
- Note the published Merkle root and the snapshot ID or timestamp — and whether it’s recorded in a blockchain transaction or on the exchange’s public page.
- Confirm the hashing scheme and leaf format from the exchange’s documentation (e.g., SHA-256 of account ID + balance).
- Use a trusted Merkle proof verifier (open-source or provided by the exchange) to recompute the path from your leaf to the root.
- If you get a match, your balance is included in the snapshot. Save the proof, timestamp, and root in case of future disputes.
If the exchange provides signed messages proving control of wallet addresses, verify the signature with the provided public key and check on-chain balances at the snapshot block height.
Regulatory context and global trends
You want to understand how regulation affects PoR uptake and usefulness.
Regulators and standardization efforts
After major exchange failures, regulators in several jurisdictions increased scrutiny of custody practices. There are ongoing initiatives to establish standards for PoR, proof-of-liabilities, and asset segregation. Standardization helps you compare proofs between exchanges and makes audits more meaningful.
Industry-driven transparency standards
Industry groups and open-source projects have proposed standardized formats for Merkle proofs, signed wallet lists, and on-chain attestations. If an exchange adopts standard formats, you’ll find it easier to verify proofs using common tooling.
Case studies and historical context (what to learn from past incidents)
You want to learn lessons: historical exchange collapses show PoR gaps.
- Cases where exchanges claimed full backing but later collapsed often involved missing liabilities, rehypothecation, or undisclosed loans. These incidents taught the industry to demand both asset proofs and transparent liability reporting.
- Merkle proofs reduced certain classes of fraud by allowing users to verify inclusion of their balances, but they don’t prevent an exchange from excluding liabilities or manipulating internal accounting.
The takeaway: PoR increased overall transparency but requires careful, skeptical evaluation.
Frequently asked questions
You want quick answers to common concerns.
Q: If an exchange publishes a Merkle proof, does that mean my funds are safe? A: Not automatically. It means your balance was included in a snapshot. Safety depends on the completeness of liabilities, frequency of snapshots, custody access, and operational risks.
Q: Can PoR be faked? A: Some elements can be manipulated if an exchange provides only self-reported data. Cryptographic proofs tied to on-chain data and independent auditor attestations are harder to fake. Always verify signatures and on-chain balances.
Q: Should I only use exchanges that publish PoR? A: PoR is a meaningful signal but not the only one. Prefer exchanges with PoR, strong governance, regulatory compliance, and a history of reliable withdrawals.
Final checklist before trusting an exchange’s PoR claim
You want a short checklist to run through quickly.
- Is the PoR method documented (Merkle, on-chain addresses, audit)?
- Is the published proof tied to an immutable timestamp or blockchain transaction?
- Can you independently verify your inclusion (Merkle proof) or the asset custody (on-chain balances)?
- Does the proof include a complete description of liabilities or only asset custody?
- Is there an independent auditor, and what is the scope of their engagement?
- How frequently are proofs or attestations produced?
- Are there clear signatures or keys proving control of published addresses?
Conclusion
You now have a clear framework for understanding proof-of-reserves: what it proves, how exchanges implement it, how to verify it, and what its limitations are. Use PoR as part of a broader approach to safety — verify proofs yourself when possible, ask the right questions, and combine PoR with regulatory and operational signals before entrusting large sums to any custodial platform.
If you’d like, I can:
- Help you draft specific verification steps for a particular exchange (just tell me which one and I’ll use the latest public resources up to mid-2024 as a starting point).
- Walk you through verifying a Merkle proof with sample commands (I can provide an annotated example).
- Provide a checklist tailored to the regulatory environment where you live.
Which option would help you most?