Key Points to Remember
- Proof-of-reserves (PoR) audits serve as cryptographic validations employed by cryptocurrency exchanges to demonstrate they possess enough assets to meet customer deposits.
- Through techniques such as Merkle trees and zero-knowledge proofs, PoR guarantees a level of transparency akin to the capital reserves required in traditional finance for stability.
- Coinbase’s cbBTC utilizes PoR to confirm that for every wrapped Bitcoin, a corresponding amount is securely held in Coinbase’s custody.
- While PoR audits can affirm asset holdings, they do not factor in liabilities, potentially misleading users regarding an exchange’s financial health.
PoR audits have emerged as an essential mechanism in the cryptocurrency realm to foster transparency and security, particularly after notable exchange failures like FTX.
Though they share a conceptual foundation with traditional banking’s capital adequacy standards, PoR audits have certain limitations, especially their inability to verify liabilities and their dependence on periodic assessments.
This discussion delves into PoR audits, their significance in the crypto space, and their advancement towards more reliable models for ensuring exchange solvency.
What are Proof-of-Reserves Audits?
Cryptocurrency exchanges are increasingly implementing PoR audits to verify that they maintain enough assets to cover user deposits. These cryptographic validations, which employ Merkle trees and onchain confirmations, act as a transparency mechanism in the crypto landscape, much like capital adequacy requirements do in conventional finance.
Is the PoR concept influenced by traditional finance?
In the realm of traditional banking, regulators have long required financial institutions to uphold a certain level of capital reserves to shield against potential risks. This framework guarantees that banks can absorb unforeseen losses and maintain operations during economic downturns, a lesson underscored by the 2008 financial crisis.
This crisis exposed the vulnerabilities of many banks to significant losses from high-risk positions, triggering a global economic slump. In response, international regulatory groups introduced stricter guidelines to reinforce the resilience of financial entities.
Among these measures is the Basel III framework, developed by the Basel Committee on Banking Supervision, which established thorough reforms aimed at enhancing regulation, supervision, and risk management within the banking sector. Its key components include:
- Common equity tier 1 (CET1) capital standards require financial services institutions to retain a minimum level of common equity relative to their risk-weighted assets, ensuring a robust capital foundation to manage potential losses.
- The leverage ratio functions as a backstop to the risk-based capital requirements, capping the level of leverage a bank can apply to its capital base.
- The liquidity coverage ratio (LCR) guarantees that banks hold enough high-quality liquid assets to support a stressed funding situation over a 30-day timeframe.
- The net stable funding ratio (NSFR) encourages resilience over an extended period by mandating that banks finance their operations with stable funding sources.
These measures are designed to enhance the banking sector’s capacity to withstand shocks from financial and economic pressures, thereby lowering the risk of systemic crises.
A related concept known as PoR audits has surfaced in the cryptocurrency domain to enhance transparency and trust among digital asset platforms. PoR audits act as cryptographic confirmations verifying whether a cryptocurrency exchange or custodian truly possesses the assets it claims to hold for its users.
Using Merkle trees and onchain confirmations, these audits function as a transparency tool in the crypto space. The primary aim is to assure users that these platforms are solvent and capable of fulfilling withdrawal requests. Some audits express reserves in dollar values, while others use prominent cryptocurrencies like Bitcoin (BTC) and Ether (ETH).
How Do PoR Audits Function?
PoR audits leverage cryptographic techniques such as Merkle trees to confirm that exchanges retain sufficient assets to cover user deposits; however, they do not ascertain solvency since they overlook hidden liabilities.
The audit process generally commences with asset verification, where platforms disclose wallet addresses or utilize cryptographic proofs, like Merkle trees, to validate holdings without revealing sensitive account information.
A Merkle tree allows user balances to be hashed and compiled into a single “Merkle root,” which auditors and users can independently verify. Moreover, a third-party auditor might be engaged to evaluate whether the reserves reported by the exchange align with its stated holdings. Additionally, verifying customer liabilities ensures that aggregate deposits do not surpass available reserves, bolstering the exchange’s asserted financial health.
While traditional PoR audits depend on Merkle trees, they carry limitations, such as failing to establish solvency (i.e., determining if an exchange has undisclosed liabilities or outstanding loans). To counter this, zero-knowledge proofs are being assessed as a more private and secure way of verifying reserves.
Zero-knowledge (ZK) proofs represent an advanced solution by permitting exchanges to mathematically confirm they are fully backed without disclosing sensitive data, thereby paving the way for proofs of solvency audits.
A ZK-proof-based PoR system could enable an exchange to mathematically demonstrate that its reserves exceed its liabilities without revealing specific account balances or wallet addresses, thus protecting sensitive user information while still providing robust cryptographic assurances of solvency. Some blockchain projects and exchanges are trialing ZK-proofs for PoR, although wider adoption is still developing.
In essence, PoR audits represent a crucial advancement in enhancing transparency within crypto markets, particularly following historical exchange failures like FTX, which misrepresented its reserves. By integrating Merkle trees with ZK-proofs, the sector could transition to proof-of-solvency audits that not only validate reserves but also ascertain that an exchange does not harbor undisclosed debts.
Here are the distinctions between Merkle tree-based PoR and zero-knowledge proof-based PoR:
If embraced widely, these methodologies could foster greater trust in centralized exchanges while safeguarding user privacy, offering a regulatory-compliant yet decentralized framework for financial accountability in crypto.
Below is a summary of various exchanges and their PoR audit information.
Did you know? After a cyber attack in February 2025, Bybit underwent a thorough PoR audit by the cybersecurity firm Hacken, which confirmed that Bybit’s holdings fully matched user liabilities, maintaining a 1:1 ratio for all applicable assets. The audit included a complete verification of wallets containing 40 different types of assets, ensuring transparency and security for all users.
What is cbBTC, and How Does It Ensure Trust Through PoR?
cbBTC is a token offered by Coinbase that represents Bitcoin (BTC) with a 1:1 ratio on-chain, fully backed by an equivalent amount of Bitcoin held within Coinbase’s custody. By converting BTC into cbBTC, users can use it within decentralized applications (DApps) across different blockchains, including Ethereum, Solana, and Base, while retaining its Bitcoin value.
Coinbase employs PoR to maintain transparency and verify that the wrapped cbBTC tokens are entirely supported by actual Bitcoin reserves stored by Coinbase. PoR audits affirm that Coinbase retains adequate Bitcoin in its reserves to match all issued cbBTC, sustaining trust and security for users who engage with wrapped or redeemed BTC.
PoR Audit and Transparency for cbBTC
- 1:1 Backing of cbBTC by Bitcoin: Coinbase guarantees that for every cbBTC token issued, an equal amount of Bitcoin is securely held in its custody, ensuring the integrity and security of cbBTC, allowing users to use their wrapped tokens confidently in decentralized finance (DeFi) and across various blockchain platforms.
- PoR for User Assurance: PoR audits assist in validating Coinbase’s claims by matching its Bitcoin reserves with the circulating cbBTC tokens. This auditing process ensures that users’ wrapped tokens are perpetually fully backed, providing added security and transparency. As part of its PoR commitment, Coinbase has published audit reports that confirm its reserves.
- Secure Management of Bitcoin Reserves: Coinbase maintains that the Bitcoin supporting cbBTC is not sold, transferred, or utilized for any other purpose. The Bitcoin is securely held to uphold the 1:1 backing for cbBTC, assuring users they can redeem their wrapped tokens for Bitcoin at any time.
cbBTC is available to Coinbase customers with verified accounts in selected regions, including the US (excluding New York), the UK, the European Economic Area (EEA), Australia, Singapore, and Brazil. Moreover, users can acquire cbBTC through Coinbase Wallet or other third-party exchanges that support it.
Did you know? While Coinbase offers transparency through PoR, note that, as clarified by Coinbase, wrapping or unwrapping cbBTC does not trigger a taxable event for the IRS. It is advisable to consult tax professionals for personalized advice.
Limitations of the PoR Approach
Although proof-of-reserves audits confirm that exchanges hold assets, they do not take liabilities into account, leading to a misleading sense of security. Additionally, PoR audits provide only snapshots in time, lacking ongoing oversight.
Even though PoR audits improve transparency by confirming exchanges possess adequate assets, they have critical limitations that can result in a false sense of security.
- Concerns Regarding Liability Exclusion: A major concern is the exclusion of liabilities. PoR audits only verify the assets an exchange holds, not whether they have outstanding debts, obligations, or hidden leverage.
This was a significant issue for FTX, which misleadingly portrayed itself as solvent by showcasing its assets without disclosing substantial liabilities owed to creditors and users. Without a simultaneous proof-of-liabilities (PoL) audit, an exchange may appear well-capitalized while being deeply insolvent. Both assets and liabilities must be included in any meaningful assessment.
- Snapshot Audits and Ongoing Solvency Risks: Another notable limitation is the snapshot nature of these audits, which validate financial standing at a single moment but do not guarantee continuing solvency. An exchange could pass a PoR audit today and deplete reserves by the next day through fund movements or new liabilities.
For instance, when Binance released its initial PoR audit in December 2022, it faced criticism since it was merely a one-time report rather than an ongoing solvency assessment. Unlike in traditional finance, where banks undergo continuous regulatory monitoring and stress testing, crypto PoR audits lack ongoing oversight, leaving potential for manipulation during audit intervals. Some firms, like Nexo, attempted to implement real-time PoR in 2021 but ceased efforts in 2024 as their auditors could no longer support the capability.
- Dependence on Third-Party Auditors: Finally, PoR audits heavily rely on third-party auditors, meaning their effectiveness is tied to the credibility and independence of the auditing firm. Some exchanges have opted for internal audits, which raises questions around objectivity and transparency.
An example is Mazars Group, the auditing firm that performed PoR reports for Binance and Crypto.com in 2022; it subsequently withdrew from crypto audit services due to concerns about reliability in the process. This situation highlighted the urgent need for stronger, independent, and standardized auditing protocols in the industry to ensure PoR audits accurately reflect an exchange’s financial state rather than simply serving public relations objectives.
Proof-of-Reserves as an Advancement, Not a Perfect Solution
While PoR represents a positive step forward, it is not without its imperfections. However, we should not let the pursuit of perfection hinder progress. Many recent advancements in the cryptocurrency space offer encouraging prospects, where PoR could not only serve native crypto assets but also aid traditional finance institutions as they explore tokenization of their assets and liabilities.
In an ideal scenario, PoR should be utilized to evaluate the solvency of any counterparty, whether in decentralized finance (DeFi), centralized finance (CeFi), or traditional finance (TradFi), and its incorporation would strengthen the future of finance.