Proof of Reserves Audit Crypto: How Custodians and Exchanges Prove Solvency
On-chain snapshots, Merkle tree proofs, and BDO/PwC attestations: how proof of reserves audits work post-FTX and what HNW investors should look for before delegating custody.
alt.co Team
May 28, 2026
A proof of reserves (PoR) audit is a verification process that demonstrates a centralized exchange (CEX) or custodian holds the digital assets it claims to hold on behalf of its users. The audit combines an on-chain snapshot of wallet balances, a Merkle tree cryptographic proof of user liabilities, and an attestation report by an independent third party (BDO, PwC, KPMG, Mazars). After the FTX collapse, PoR became the standard transparency mechanism for crypto custodians and exchanges, with cold storage segregation and bankruptcy remote structures as the underlying protection. For HNW investors, understanding PoR is essential before delegating custody of any meaningful position.
| Proof of Reserves Audit Component | Purpose for Investors |
|---|---|
| On-chain wallet snapshot | Verify the custodian controls claimed wallets at a specific block height |
| Merkle tree of user liabilities | Aggregate user deposits into a cryptographic proof structure |
| Independent attestation report | Third-party auditor (BDO, PwC) signs off on the procedure and conclusion |
| Agreed-upon procedures (AUP) | Defined scope and methodology used by the auditor |
| Solvency ratio (assets vs liabilities) | Confirms reserves cover or exceed user deposits (1:1 or higher) |
| Fund segregation evidence | Client assets held separately from corporate balance sheet |
| User self-verification | Each user can confirm their balance is included via Merkle proof |
What Is a Proof of Reserves Audit?
A proof of reserves audit is a periodic verification that a centralized exchange or a regulated custodian holds the crypto assets equivalent to or greater than the user deposits it has on its books. The verification combines two cryptographic primitives. First, an on-chain proof: the auditor confirms the custodian controls specific wallet addresses at a defined snapshot block height, by either watching a signed test transaction or by verifying a message signature from each address. Second, a liabilities proof: user deposits are aggregated into a Merkle tree, allowing each user to verify their balance is included in the total liabilities figure without seeing other users' balances.
The combined output is a solvency statement: total reserves are equal to or greater than total user liabilities at the snapshot date. An attestation report by an independent auditor under agreed-upon procedures (AUP) wraps the whole verification, giving regulators, investors, and counterparties a third-party signed document. The methodology was popularised in 2022 after FTX collapsed and revealed that user funds had been misused, and it has since been adopted by Kraken, Binance, Bybit, Crypto.com, OKX, and most large CEX operators. For deeper context on why this matters in compliance dossiers, see our note on blockchain forensics reports for private banks.
The Role of Independent Third-Party Auditors
The credibility of a PoR audit depends entirely on the independence and reputation of the auditor. The audit is not a financial audit in the traditional sense (it does not produce an opinion on financial statements), but an attestation under AUP. Major firms involved in crypto PoR include BDO, PwC, KPMG, Mazars, Crowe, and Armanino, with regional firms also active in specific jurisdictions.
The auditor's role is to:
- Define the agreed-upon procedures: scope, snapshot date, asset coverage, exclusions.
- Verify wallet ownership: through signed messages, test transactions, or HSM-attested signatures.
- Take the on-chain snapshot: balances at the defined block height across all chains in scope (Bitcoin, Ethereum, stablecoins, and other digital assets).
- Verify the Merkle tree of liabilities: confirm the cryptographic construction, validate the root hash, and check user-side verification works.
- Compare assets to liabilities: produce the solvency ratio.
- Issue the attestation report: signed document with conclusions, scope, and limitations.
The limitations matter. PoR is a point-in-time snapshot, not a continuous audit. Between two snapshots, the custodian could move funds. PoR also does not cover liabilities owed to non-user creditors (loans, derivatives, off-balance commitments). It does not certify the regulatory standing or the operational integrity of the platform. For full assurance, PoR must be combined with regulatory licensing, segregated bankruptcy remote custody, insurance, and continuous transparency.
Financial Transparency and User Trust After FTX
Why is proof of reserves crucial for exchange transparency?
Proof of reserves is crucial because it provides cryptographic, third-party verifiable evidence that a centralized exchange or custodian holds the digital assets it claims. Before FTX, users had to trust marketing claims and audited financial statements that often lagged the reality. PoR closes the gap with a snapshot anyone can verify on-chain, combined with a Merkle tree where each user confirms inclusion of their own balance. It does not replace regulation but creates a baseline of transparency that did not exist before 2022.
Three lessons emerged from the FTX collapse and shaped current PoR practice:
- Off-balance liabilities matter: a 1:1 reserve ratio means nothing if the custodian has hidden lending books, derivatives exposure, or related-party flows. Modern PoR increasingly includes liabilities scope expansion.
- Snapshot windows must be unpredictable: pre-announced snapshots can be window-dressed. Best practice is rolling random snapshots or continuous attestation systems such as ChainLink PoR feeds.
- User self-verification is essential: a Merkle root signed by the auditor is only useful if each user can run the proof on their own balance. Without user-side tooling, the cryptographic proof remains theoretical.
For HNW investors, PoR is one of several signals to evaluate before delegating custody. It works best alongside regulatory status (FINMA banking licence, NYDFS BitLicense, OCC trust charter, VQF SRO), bankruptcy remote structure, insurance coverage, and the audit firm's reputation. Our note on cold storage vs custodian covers these signals in detail.
Verification Mechanisms: On-Chain Snapshot, Merkle Tree, ChainLink PoR
The technical mechanics of PoR rely on three pillars that have stabilised since 2022.
How does the proof of reserves verification process work?
The verification process works in three steps. First, the custodian generates a list of wallet addresses and proves control through signed messages or test transactions verified by the auditor. Second, all user balances are aggregated into a Merkle tree where each leaf is a user account hash and the root is a single 32-byte fingerprint covering the entire user base. Third, the auditor compares the on-chain wallet sum to the Merkle tree root sum and signs an attestation. Users can independently verify by running their account hash up the tree to confirm inclusion.
The three pillars in detail:
- On-chain wallet snapshot: at a specific block height, the auditor records the balance of every custodian-controlled address. Wallet ownership is verified through cryptographic proof (signed message or HSM attestation), ensuring the custodian cannot claim wallets it does not control.
- Merkle tree of liabilities: each user account becomes a leaf in a binary hash tree. The tree is constructed so that any user can verify their balance is included by computing a hash path from their leaf to the root. This preserves privacy (no other user's balance is revealed) while proving aggregation correctness.
- Continuous PoR via ChainLink: ChainLink PoR feeds publish on-chain reserve data continuously, allowing smart contracts and counterparties to verify reserves in real-time rather than at periodic snapshots. Used by stablecoin issuers (USDC reserves) and tokenised assets.
Exchanges and Custodians Using Proof of Reserves
Major centralized exchanges and custodians publishing regular PoR include Kraken, Binance, Bybit, Crypto.com, OKX, Coinbase, and BitGet. Swiss FINMA-licensed banks (Sygnum, AMINA Bank, Crypto Finance) operate under stricter banking-grade audits that include PoR principles plus full financial audits and prudential supervision. Stablecoin issuers (Circle for USDC, Paxos for USDP) publish monthly attestation reports on their reserve composition.
For HNW investors evaluating a custodian, three checks should be done before any onboarding:
- Latest PoR report: read the auditor name, date of snapshot, scope, conclusion, and any limitations or qualifications. Check that user self-verification tooling exists and works on your account.
- Regulatory status: confirm the custodian holds an active licence with the relevant regulator. PoR alone is not regulation; it is a transparency layer that complements regulation.
- Cold storage segregation: confirm client assets are held in segregated wallets, separate from the custodian's corporate balance sheet, and ideally in bankruptcy remote trust structures.
For Swiss-resident HNW investors, the combination of a FINMA-licensed crypto bank for primary custody with a VQF-supervised intermediary for execution provides the strongest assurance: regulatory supervision, bankruptcy remote structure, periodic PoR, external auditor (BDO, PwC), and full AML compliance. See our note on Swiss crypto brokers for the regulatory landscape.
Proof of Funds vs Proof of Reserves: Two Different Audits
Proof of reserves is sometimes confused with proof of funds. They are different audits with different purposes. PoR proves that an exchange or custodian holds enough assets to cover user liabilities. Proof of funds (PoF) proves that an individual investor has the assets they claim to have, typically used during private bank onboarding, real estate transactions, or KYC reviews.
For an HNW investor cashing out crypto into a Swiss private bank, both concepts come into play but at different layers:
- The custodian or intermediary holding your assets publishes its own PoR demonstrating overall solvency.
- You as the investor produce a proof of funds combined with a source-of-funds narrative, supported by on-chain history, off-chain documents (bank statements, exchange exports), and a forensics report.
The custodian PoR gives you confidence in the platform. Your own PoF and source-of-funds file gives the bank confidence in you. Both are required for a clean settlement of fiat into your Swiss private bank account. We coordinate both for institutional clients converting Bitcoin, Ethereum, and other digital assets into fiat. See our note on how crypto source-of-funds audits work.
Frequently Asked Questions
What is proof of reserves in crypto?
Proof of reserves (PoR) is a cryptographic verification that a centralized exchange or custodian holds digital assets equivalent to user liabilities. It combines an on-chain wallet snapshot, a Merkle tree of user balances, and an independent auditor attestation. After FTX collapsed in 2022, PoR became standard practice for major exchanges and custodians, including Kraken, Binance, Bybit, OKX, and Crypto.com.
Which exchanges have proof of reserves?
Major exchanges publishing regular proof of reserves include Kraken, Binance, Bybit, Crypto.com, OKX, Coinbase, and BitGet. Swiss FINMA-licensed banks (Sygnum, AMINA Bank, Crypto Finance) operate under banking-grade audits that include PoR principles plus full financial audits. Stablecoin issuers like Circle (USDC) and Paxos (USDP) publish monthly attestation reports.
How is a proof of reserves audit verified?
Verification combines an on-chain snapshot of custodian wallets at a specific block height, a Merkle tree of user liabilities allowing each user to confirm inclusion of their balance, and an independent auditor attestation under agreed-upon procedures (AUP). The auditor signs the methodology and the solvency conclusion. Users can verify their own balance is in the tree by running their hash path to the root.
Is proof of reserves a real audit?
Proof of reserves is an attestation under agreed-upon procedures, not a full financial audit under PCAOB or IFRS standards. It verifies a specific scope (assets vs user liabilities at snapshot) but does not certify the entire balance sheet or the regulatory standing of the platform. For full assurance, PoR must complement regulatory licensing, bankruptcy remote custody, and continuous reporting.
What is the difference between proof of reserves and proof of funds?
Proof of reserves verifies that an exchange or custodian holds enough assets to cover user liabilities. Proof of funds verifies that an individual investor has the assets they claim, typically required during private bank onboarding or real estate transactions. PoR protects the user from custodian insolvency. PoF demonstrates the user's own wealth to a bank or counterparty.
Related Topics
Need help with your crypto compliance?
Book a free consultation with our Swiss-regulated compliance team.
alt.co is a Geneva-based, Swiss-regulated financial intermediary (Altcoinomy SA) supervised by VQF and audited by BDO SA. We help crypto holders access private banking in Switzerland and Monaco.
Continue Reading
Bank Asking for KYC Info When Cashing Out Large Amounts?
Cashing out large crypto positions can be surprisingly difficult even for legitimate holders. Here's what you need to know about bank compliance.
Opening a Swiss Private Bank Account With Crypto-Origin Wealth
Can you open a Swiss private bank account if your wealth comes from crypto? Here's what the process actually looks like today.
Trying to Cash Out Crypto to Fund Your Interactive Brokers Account?
The crypto to bank to Interactive Brokers path seems simple, but it's where most compliance headaches begin. Here's what actually happens.