What Is a Proof of Reserve Audit and How Does It Work?

Proof of Reserve (PoR) audits leverage cryptographic methods like Merkle trees and zero-knowledge proofs to provide transparency and security in cryptocurrency exchanges.


Introduction

PoR audits have emerged as a critical transparency tool since the FTX collapse, and they share similarities with traditional banking’s capital adequacy frameworks. However, PoR has limitations, such as the inability to verify liabilities and reliance on periodic snapshots.

This article explores PoR audits, their role in crypto, and evolving models for robust solvency assurance.


What Is a Proof of Reserve Audit?

Cryptocurrency exchanges adopt PoR audits to validate sufficient asset coverage for user deposits. These cryptographic audits—using Merkle trees and on-chain verification—serve as transparency mechanisms, mirroring traditional finance’s capital reserve requirements.

Traditional Finance Parallels

Post-2008 crisis, Basel III introduced stringent measures like:

  1. CET1 Ratio: Minimum equity against risk-weighted assets.
  2. Leverage Ratio: Limits on capital utilization.
  3. Liquidity Coverage Ratio (LCR): Ensures 30-day liquidity resilience.
  4. Net Stable Funding Ratio (NSFR): Promotes long-term stability.

In crypto, PoR audits verify exchanges’ asset holdings without exposing sensitive data, aiming to prove solvency and meet withdrawal demands.


How Does a Proof of Reserve Audit Work?

PoR audits cryptographically verify exchanges’ assets but do not prove solvency due to unaddressed liabilities.

Process Overview:

  1. Asset Verification: Exchanges disclose wallet addresses or use Merkle trees to hash user balances into a root node for independent verification.
  2. Third-Party Audits: Assess whether reserves match reported holdings.
  3. Liabilities Gap: Traditional PoR lacks liability checks, risking hidden debts.
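The Merkle-tree step above, seen from the user's side, as an added example that is not taken from any exchange's implementation. The leaf encoding, per-user salt, SHA-256, padding rule and sample ledger are assumptions made for illustration. A successful check shows only that a balance is included under the published root, not that the ledger is complete or that reserves cover it.

```python
import hashlib

def _h(prefix: bytes, data: bytes) -> bytes:
    # Domain-separate leaves (0x00) from interior nodes (0x01) so an
    # interior node can never be presented as a leaf.
    return hashlib.sha256(prefix + data).digest()

def leaf_hash(user_id: str, balance: int, salt: bytes) -> bytes:
    # Fixed-length 16-byte salt (assumption) stops other users from
    # guessing (id, balance) pairs from the sibling hashes they receive.
    return _h(b"\x00", salt + user_id.encode() + b"|" + str(balance).encode())

EMPTY = _h(b"\x00", b"")  # padding leaf used to fill the tree

def build_levels(leaves):
    level = list(leaves)
    while not level or len(level) & (len(level) - 1):  # pad to a power of two
        level.append(EMPTY)
    levels = [level]
    while len(level) > 1:
        level = [_h(b"\x01", level[i] + level[i + 1])
                 for i in range(0, len(level), 2)]
        levels.append(level)
    return levels  # levels[-1][0] is the root

def make_proof(levels, index):
    # Exchange side: collect the sibling hash at every level below the root.
    proof = []
    for level in levels[:-1]:
        sibling = index ^ 1
        proof.append((level[sibling], sibling < index))  # (hash, is_left)
        index //= 2
    return proof

def verify(leaf, proof, root):
    # User side: recompute the path from own leaf up to the published root.
    node = leaf
    for sibling, sibling_is_left in proof:
        node = _h(b"\x01", sibling + node if sibling_is_left else node + sibling)
    return node == root

# Constructed sample ledger (not real data): (user_id, balance, salt)
LEDGER = [("alice", 150_000, b"A" * 16), ("bob", 2_300_000, b"B" * 16),
          ("carol", 75, b"C" * 16)]
LEAVES = [leaf_hash(*row) for row in LEDGER]
LEVELS = build_levels(LEAVES)
ROOT = LEVELS[-1][0]  # the value the exchange would publish
```

A user who recomputes their own leaf with a balance that differs from the one the exchange committed to will see `verify` return `False`, which is the signal to dispute the snapshot.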

Advancements: Zero-Knowledge Proofs

ZK-proofs enable exchanges to mathematically prove reserve adequacy without revealing sensitive data, paving the way for solvency-proof audits.

| Method | Merkle Tree PoR | ZK-Proof PoR |
|------------------|---------------------|------------------|
| Transparency | High | High (Private) |
| Liability Check | No | Yes |
| Adoption | Widely Used | Emerging |

Did You Know? After a 2025 hack, Bybit underwent a PoR audit by Hacken, confirming 1:1 asset coverage for 40+ tokens.


Case Study: Coinbase’s cbBTC and PoR

cbBTC is a Bitcoin-backed token (1:1) for cross-chain DeFi use.

How PoR Ensures Trust:

Availability: Supported in the US (ex-NY), UK, EEA, Australia, Singapore, and Brazil.

Note: Wrapping/unwrapping cbBTC isn’t a taxable event per the IRS—consult a tax professional.


Limitations of PoR Audits

Critical Gaps:

  1. Excludes Liabilities: FTX’s collapse highlighted how undisclosed debts distort solvency.
  2. Snapshot Nature: Lack of real-time monitoring (e.g., Binance’s 2022 one-time audit).
  3. Auditor Dependence: Mazars Group’s exit from crypto audits raised reliability concerns.

Industry Need: Standardized, real-time solvency frameworks.


Conclusion

PoR audits are a progressive step but imperfect. Future iterations must integrate liability checks and real-time validation to build robust trust in crypto exchanges.

FAQs

Q1: Can PoR audits guarantee an exchange’s solvency?
A: No—they verify assets but ignore liabilities.

Q2: How often are PoR audits conducted?
A: Varies; some are one-time, while others (like Nexo’s discontinued system) offered real-time checks.

Q3: What’s the advantage of ZK-proofs over Merkle trees?
A: ZK-proofs enable private solvency verification without exposing user data.

Q4: Is cbBTC safe to use?
A: Yes, if Coinbase’s PoR audits confirm 1:1 backing—always verify latest reports.

Q5: Will PoR work for tokenized traditional assets?
A: Potentially, as the framework evolves to include diverse asset classes.

Q6: Why did Mazars stop crypto audits?
A: Concerns over methodological reliability and industry risks.