# Security

Proof of Reserves Explained: How Exchanges Cryptographically Prove They Hold Customer Funds

BloFin Academy, 06/10/2026

Proof of reserves is a cryptographic attestation a centralized exchange publishes to show that the assets it controls on-chain match or exceed what it owes its users. The standard form pairs a Merkle tree of hashed user balances with on-chain wallet ownership proofs, so any depositor can verify that their balance is counted and any observer can verify the published totals.

The practice became standard exchange behavior after the FTX collapse in November 2022: an $8 billion shortfall between FTX's stated reserves and customer claims proved public assurances were no substitute for verifiable accounting. Vitalik Buterin's November 2022 post on safer centralized exchanges set out the modern framing: proof of liabilities plus proof of assets equals proof of solvency (source: Vitalik on Having a Safe CEX).


What is proof of reserves and why did it become standard?

Proof of reserves is a method for an exchange or custodian to prove on-chain that it holds cryptocurrency at least equal to what it owes its users at a snapshot in time. The proof has two parts: a cryptographic commitment to the sum of user balances, and on-chain evidence that the exchange controls wallets holding at least that sum.

The need was not new in November 2022. The 2014 Mt. Gox collapse had already shown that customer claims and stated reserves could diverge silently for years. FTX forced the issue mainstream because the dollar amount was large and the failure fast enough that regulators, journalists, and competing exchanges all reached the same conclusion: a public attestation cadence had to exist.

PoR answers a narrow question: "does this exchange control assets at least equal to what it owes its users, for the assets in scope, on this date?" It does not answer "is this exchange solvent across all liabilities including off-chain debts" and it does not answer "will this exchange still be solvent next week." Reading any PoR badge correctly starts with that scope.

The mechanism predates FTX by nearly a decade. A cryptographic proof of liabilities using a summation Merkle tree was first proposed in 2013, well before any exchange shipped a production system. What changed in late 2022 was not the cryptography; it was the willingness of the largest exchanges to publish on a recurring schedule and of users to ask.


How does a Merkle tree proof of reserves actually work?

A Merkle tree PoR works in three steps. The exchange snapshots every user balance into the leaves of a tree, hashes pairs upward until it reaches a single root, then publishes that root with on-chain proof its wallets hold at least the sum of those balances. The Merkle root is a tamper-evident fingerprint of the full liabilities set.

The data structure is a binary tree where every leaf carries a cryptographic hash of one user's account state (the user's record identifier plus their per-asset balances). Each non-leaf node is the hash of its two children concatenated. The root depends on every leaf: changing any balance changes the leaf hash, the parent, and the cascade reaches the root.

Two verifications become possible once the root is published. A user can request an inclusion proof (the sibling hashes from their leaf to the root) and re-compute the root to confirm it matches. An outside observer can verify the asset side by checking that on-chain balances of the published wallet addresses meet or exceed the sum of claimed leaves.

A user verifying inclusion does not learn other balances; the sibling hashes on their own path reveal nothing about individual accounts. The full liabilities set is committed to by one 32-byte hash, but no individual balance is exposed.

The historical foundation comes from Greg Maxwell's 2013 summation Merkle tree proposal, which extended the basic structure to carry subtotal sums at every internal node. That summation property is what lets an outside observer verify total liabilities equal the published sum without trusting the exchange's claimed total.

Basic Merkle has a known weakness: an exchange can include synthetic accounts with negative balances to artificially shrink the total it must back, because the commitment does not by itself prove every leaf is non-negative. zk-SNARK enhancements close that gap, as the next section explains.


What different proof-of-reserves methods are exchanges using in 2026?

Four distinct PoR methods are in production use across major exchanges in 2026: pure Merkle tree commitments, Merkle plus zk-SNARK proofs, third-party auditor attestations against agreed-upon procedures, and oracle-driven real-time on-chain reserve feeds. Most exchanges combine two or more of these methods rather than relying on any single approach.

Pure Merkle tree. The original Maxwell-style design. Publish a Merkle root, users verify inclusion, outside observers verify wallet sums. Cheap, but vulnerable to the negative-balance trick described above. Some smaller exchanges still publish in this format only.

Merkle plus zk-SNARK. Binance launched Merkle-only PoR in November 2022 and added zk-SNARK proofs in February 2023 (source: Binance on zk-SNARK PoR). The zk-SNARK proves every leaf is non-negative and leaves sum to the published total, without revealing individual balances. Vitalik Buterin's November 2022 post put this direction on the industry agenda.

Third-party auditor attestation. A registered accounting firm runs an "agreed-upon procedures" engagement, verifying the Merkle root, sampling records, and confirming wallet ownership through signed-message proofs. Armanino LLP pioneered this with Kraken starting in 2022 through its TrustExplorer service.

Oracle-driven real-time feeds. Chainlink's Proof of Reserve product publishes continuously updated on-chain reserve data for stablecoins, wrapped assets, and tokenized real-world assets (source: Chainlink Proof of Reserves). DeFi protocols like Aave use the feeds as circuit breakers that halt minting or borrowing if reserves fall below liabilities. The method fits asset-specific backing better than aggregate exchange custody.

Each method addresses a different threat. Merkle commits to the dataset; zk-SNARKs close the negative-balance loophole; auditor attestation provides external corroboration; real-time feeds remove snapshot-age. The strongest 2026 implementations stack multiple methods.

PoR methodology comparison. Side-by-side reading of the four methods on the dimensions that determine which one (or which stack) fits a given asset and exchange model.

| Method | What it proves | Negative-balance protection | Privacy of individual balances | Cadence model | Best-fit context | Reference |
| --- | --- | --- | --- | --- | --- | --- |
| Pure Merkle tree | Wallet sums ≥ committed leaf sum | None (negative leaves trick possible) | Hashed leaves only | Per-snapshot (typically monthly) | Smallest exchanges or first-generation deployments | Vitalik on PoR (Nov 2022) |
| Merkle + zk-SNARK | Wallet sums ≥ committed leaf sum AND every leaf is non-negative | Yes (SNARK enforces non-negative) | Hashed leaves; SNARK reveals nothing extra | Per-snapshot (typically monthly) | High-volume exchanges where privacy + correctness both matter | Binance zk-SNARK PoR |
| Third-party auditor attestation | Wallet ownership + Merkle root + sampling, signed by an accounting firm | Indirect (firm tests for it during engagement) | Depends on engagement; aggregate disclosure typical | Per-snapshot, scheduled engagement | Exchanges seeking external corroboration for institutional clients | Armanino TrustExplorer (Kraken case) |
| Oracle real-time on-chain feed | Reserve totals continuously visible on-chain | Not applicable (asset-backing, not user-balance, model) | Aggregate-only by design | Continuous (block-by-block) | Stablecoins, wrapped assets, tokenized RWAs where asset is the unit | Chainlink Proof of Reserves |

Stacked implementations are the 2026 baseline: Binance pairs Merkle + zk-SNARK; Kraken pairs Merkle + auditor attestation; tokenized-asset issuers like BUIDL pair custodian disclosure + Chainlink feed. The single-method row exists in the table for completeness, but it is no longer competitive for exchanges holding meaningful user assets.


What does proof of reserves not prove?

Proof of reserves does not prove solvency, does not catch off-chain liabilities, does not prevent intra-snapshot fund movement, and does not guarantee assets stay in place after the snapshot. The proof is narrower than marketing implies, and reading the fine print on each published attestation is the difference between informed reliance and false reassurance.

The liabilities-side gap. A Merkle commitment proves on-chain wallets hold at least the sum of user-deposit balances in the proof. It does not prove the exchange has no other liabilities: undisclosed loans, derivative obligations, fiat debts, or commitments to investors. An exchange could publish a clean PoR while being structurally insolvent on liabilities never represented in the tree (source: CoinTracker on Proof of Reserves).

The snapshot problem. PoR is a photograph, not a video. Between snapshots, an exchange can move assets out of audited wallets, borrow against them, or experience theft, and the next snapshot is the first time that movement becomes visible. Cadence is a primary quality signal: monthly is baseline, weekly is better, and continuous on-chain feeds eliminate snapshot lag entirely for covered assets.

Intra-snapshot fakery. An exchange that does not control the assets it claims could in principle borrow funds across the snapshot, demonstrate ownership, and return the borrowed funds the next day. This is hard to detect from any single attestation, which is why auditor engagements include steps to test for it.

Coverage gaps within the proof. Many exchanges publish PoR for only their most popular assets. Kraken's December 31, 2025 snapshot covered seven assets: Bitcoin, Ethereum, Solana, USDC, USDT, XRP, and Cardano (source: Kraken Proof of Reserves). Long-tail tokens, futures collateral, and staked balances are often excluded, so the headline "proof of reserves" can apply to a fraction of the actual book.

PoR reduces the risk an exchange is silently insolvent on the in-scope assets on the snapshot date. It does not turn a centralized exchange into a substitute for the self-custody alternative, and treating it that way is a category error.


Which exchanges publish proof of reserves and how do their approaches compare?

Most large exchanges now publish PoR attestations in some form, but methodologies vary across Merkle design, audit-firm involvement, snapshot frequency, and asset scope. Five 2026 implementations get cited most: Binance, Kraken, Coinbase, Crypto.com, and Bitget. Smaller exchanges generally follow one of these templates rather than designing their own.

Binance. Production Merkle plus zk-SNARK since February 2023, published monthly, covering a broad asset list. The zk-SNARK layer is the strongest negative-balance protection in the market and the most-cited reference implementation.

Kraken. Semi-annual Merkle attestations with third-party auditor engagement. Armanino LLP's TrustExplorer service performed Kraken's early audits beginning in 2022; the live Kraken page now references an unnamed independent third-party accountant. The December 31, 2025 snapshot covered seven assets (BTC, ETH, SOL, USDC, USDT, XRP, ADA) with staking, margin, and futures collateral included.

Coinbase. Transparency leans on SOC 1 and SOC 2 Type II custody audits and public-company financial disclosures rather than per-snapshot Merkle PoR for the general spot exchange (source: Coinbase Proof of Reserves Glossary). Coinbase does publish on-chain PoR for wrapped assets like cbBTC.

Crypto.com and Bitget. Both publish Merkle-tree PoR with auditor attestation; Bitget on a monthly cadence covering BTC, ETH, USDT, and USDC with self-check inclusion tools, and Crypto.com publishing on a comparable cadence after Mazars' withdrawal.

The auditor-firm side has been more turbulent than the cryptography. Mazars, which had certified Binance's first Merkle attestation, paused all crypto PoR work in mid-December 2022, citing concerns about how attestation reports were being interpreted by the public (source: TechCrunch on Mazars pausing Binance audit). The pause forced exchanges to find replacement firms or bring the attestation in-house. The result by 2026 is a fragmented landscape where the cryptographic primitive is roughly standardized but the attestor varies by exchange.

For users comparing exchanges, four practical questions decide quality: which methodology, what cadence, which assets are in scope, and whether a named third party attests. In-house attestation is weaker than external, but a sound in-house proof beats no proof at all.


What are the risks and limits of proof-of-reserves attestations?

Beyond what PoR mathematically proves, the attestation process itself carries operational and trust risks. Auditor firms withdraw mid-cycle, snapshot dates get quietly skipped, methodology shifts in hard-to-compare ways, and even a sound attestation can be misread by users who assume it covers more than it does.

Auditor withdrawal risk. The Mazars pause in December 2022 left several exchanges without a continuous attestation chain. PoR history is only as continuous as the auditor that signs it; mid-cycle withdrawals leave gaps users notice but cannot themselves close.

Methodology drift. An exchange can change its methodology between snapshots, expanding or shrinking the in-scope asset list or modifying how it handles staked balances and futures collateral. Each change is defensible in isolation, but the cumulative effect makes snapshot-to-snapshot comparisons unreliable.

Wallet-control attestation gap. Signing a message with the wallet's private key proves control of that key on the day of signing, not that the key remains under exchange control afterward, and not that no other party has a copy. Multi-signature and MPC custody schemes make this cleaner because no single party holds the full key.

User-comprehension gap. Users see "audited" or "proof of reserves" in marketing and conclude the exchange is safe. The proof covers what it covers and excludes what it excludes, and that information lives in methodology notes most retail users never read. PoR is a transparency mechanism, not a custody substitute, which is why the broader discussion of what self-custody means still matters.

From BloFin's operational perspective, every PoR snapshot is a live coordination test across treasury, compliance, and engineering: signing keys have to be controlled and demonstrable on the same date, wallet labels have to match the attestor's spreadsheet, and publication has to happen on a fixed cadence. The signal that matters is not any single snapshot; it is the discipline a credible cadence forces over many cycles, because the patterns that show up only across snapshots are what actually constrain operator behavior.


How can a user verify their own balance is included in a proof of reserves?

A user verifies their own inclusion by logging in to the exchange's PoR portal, downloading their inclusion proof (the sibling hashes from their leaf to the root), and either running the exchange's verification tool or computing the root themselves to confirm it matches the published Merkle root. The process is identical in concept across Merkle exchanges.

The walkthrough has four steps that apply to any production Merkle PoR exchange.

Step 1: Find your record identifier. Log in to your exchange account, open the PoR or audit-verification page, and locate the snapshot to verify. The page shows your record ID (a long hash unique to your account) and your per-asset balances at the snapshot timestamp.

Step 2: Download the inclusion proof. The exchange provides your Merkle path: the sibling hashes from your leaf up to the root. The path has roughly log2(N) entries for N accounts (about 25 hashes for an exchange with tens of millions of users), so it is small enough to handle directly.

Step 3: Verify the path produces the published root. Concatenate your leaf hash with the first sibling, hash the result, concatenate with the next sibling, hash, repeat until the top. Compare that final hash to the Merkle root the exchange has published.

Step 4: Cross-check the wallet side. Optional, but anyone with the published wallet addresses can use a block explorer to verify the wallets held at least the claimed total at the snapshot block height. Independent researchers typically publish this within hours of each snapshot.
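Steps 1 to 3 as runnable code, extended to the summation Merkle tree and the negative-balance weakness described earlier. This is an added example, not any exchange's verification tool: the leaf and node encodings, the function names and the sample ledgers are assumptions constructed for illustration.

```python
import hashlib

def _enc(n: int) -> bytes:
    # Fixed-width signed encoding so hash inputs are unambiguous (assumed format).
    return n.to_bytes(16, "big", signed=True)

def leaf(record_id: str, balance: int):
    """Leaf = (hash, sum); the hash commits to the record ID and the balance."""
    digest = hashlib.sha256(b"\x00" + record_id.encode() + _enc(balance)).digest()
    return digest, balance

def parent(left, right):
    """Internal node = hash of both children with their sums; carries the subtotal."""
    data = b"\x01" + left[0] + _enc(left[1]) + right[0] + _enc(right[1])
    return hashlib.sha256(data).digest(), left[1] + right[1]

def build_levels(ledger):
    """Exchange side: return every tree level, leaves first, root last."""
    levels = [[leaf(rid, bal) for rid, bal in ledger]]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2:                      # odd width: pad with a zero-sum node
            cur.append(leaf("padding", 0))
        levels.append([parent(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels

def inclusion_proof(levels, index):
    """Sibling (hash, sum, sibling_is_left) for each level from leaf to root."""
    path = []
    for level in levels[:-1]:
        sib = index ^ 1
        path.append((level[sib][0], level[sib][1], sib < index))
        index //= 2
    return path

def verify_inclusion(record_id, balance, path, root):
    """User side: rebuild the root from one's own leaf and the sibling path."""
    if balance < 0:
        return False
    node = leaf(record_id, balance)
    for sib_hash, sib_sum, sib_is_left in path:
        if sib_sum < 0:                       # a negative subtotal shrinks liabilities
            return False
        sib = (sib_hash, sib_sum)
        node = parent(sib, node) if sib_is_left else parent(node, sib)
    return node == root                       # hash and claimed total must both match

# Constructed sample ledgers (not real exchange data).
HONEST = [("alice", 50), ("bob", 30), ("dave", 100)]
TAMPERED = HONEST + [("synthetic", -60)]      # the negative-balance leaf from the text

def check(ledger, index):
    """Publish a root for `ledger`, then verify the account at `index` against it."""
    levels = build_levels(ledger)
    root = levels[-1][0]
    rid, bal = ledger[index]
    return root[1], verify_inclusion(rid, bal, inclusion_proof(levels, index), root)

if __name__ == "__main__":
    print(check(HONEST, 0))     # (180, True)
    print(check(TAMPERED, 0))   # (120, True): alice's path never touches the negative leaf
    print(check(TAMPERED, 2))   # (120, False): dave's sibling is the negative leaf
```

In the tampered ledger alice's proof still verifies against the shrunk total of 120; only dave, whose sibling is the negative leaf, can notice. Per-user path checks therefore depend on the right user looking, which is the gap the zk-SNARK non-negativity proof closes.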

Most exchanges ship a verification tool inside the portal that does the path calculation. If verification fails or the portal does not provide the inputs you need, that is itself useful information about transparency. Hands-on verification is not common practice among retail users; the realistic value of PoR is that a non-trivial population of researchers running the checks puts a floor under exchange behavior between snapshots. The crypto wallet glossary covers the underlying terminology.


Frequently asked questions

Is proof of reserves the same as a financial audit?

No. A PoR attestation is narrower. It covers the relationship between user-deposit liabilities and on-chain wallet balances for the assets in scope on a snapshot date. A financial audit opines on the full balance sheet under GAAP or IFRS, covers all liabilities including off-chain debt, and carries regulator-recognized professional standards. Conflating the two is the most common reader-side error.

Can an exchange fake a proof of reserves attestation?

A pure-Merkle PoR can be gamed by including synthetic negative-balance accounts that shrink apparent liabilities; zk-SNARK enhancements address that by proving every leaf is non-negative. Remaining risks are operational: borrowing assets across the snapshot, omitting categories of liabilities, and shifting methodology in ways that hide regressions.

How often should an exchange publish a new proof of reserves?

Monthly is the current industry baseline. Weekly or continuous publication is stronger practice. Quarterly or longer gaps are warning signs because snapshot-age grows with time between attestations. Asset classes covered by on-chain oracle feeds can be published continuously.

Does proof of reserves cover stablecoins and wrapped assets the same way it covers Bitcoin?

Usually no. Stablecoins and wrapped tokens raise different questions because the asset on the exchange is itself a claim against another issuer. PoR for an exchange's USDT proves the exchange holds USDT; it does not prove the underlying USDT is fully backed by Tether's reserves, which is a separate attestation. For wrapped assets, on-chain real-time feeds fit asset-specific backing better than aggregate custody snapshots.

If my exchange publishes proof of reserves, do I still need to self-custody?

That depends on your threat model. PoR reduces the risk the exchange is silently insolvent on in-scope assets on the snapshot date. It does not eliminate counterparty risk, does not protect against hacks or sanctions, and does not cover off-chain liabilities. For balances you cannot afford to lose if the exchange froze withdrawals, self-custody via a hardware-wallet workflow, a software wallet, or air-gapped signing is the only path not reliant on any third party's continuing solvency.

 


Researched and written by the BloFin Academy editorial team with AI-assisted drafting. Primary sources include Vitalik Buterin's November 2022 post on safer centralized exchanges, the Binance engineering blog on zk-SNARK enhancements to its proof of reserves, Kraken's published Proof of Reserves methodology, Chainlink's Proof of Reserves education materials, Coinbase's PoR glossary, and contemporaneous reporting from TechCrunch on the Mazars audit-firm pause in December 2022. All facts independently verified against cited documentation current as of May 2026.

 

This article is for informational purposes only and does not constitute financial advice, investment guidance, or a recommendation to buy, sell, or hold any digital asset. Cryptocurrency markets involve significant risk and you should conduct your own research and consult qualified professionals before making investment decisions. BloFin Academy content reflects the state of public information at time of publication; protocol parameters, fees, and ecosystem data change frequently.