Free shipping when you buy a Ledger Nano. Only until Oct. 3

Shop Now

Up your Web3 game

Ledger Academy Quests

  • Test your knowledge
  • Earn POK NFTs
Play now See all quests

Crypto Proof of Reserves – A Guide

Read 6 min
A bust of a person covered in currency
— Proof of reserves (PoR) refers to independent audits that verify that a custodian (like centralized exchanges) possesses all client funds in its reserves.

— Third-party auditors or decentralized blockchain oracles like Chainlink tally an exchange’s assets and liability to prove its solvency.

— Although PoR reduces the risk of insolvency in centralized platforms, the best way to store your crypto is a self-custodial hardware wallet where you can control your assets.

Centralized exchanges are an essential part of the crypto ecosystem, some dealing with billions of dollars in user assets. You may use a centralized exchange yourself, but have you ever wondered about what they actually do with your funds?

Well, you wouldn’t be the first. To understand where your funds are being stored, let’s first explore how centralized exchanges work.

A centralized exchange lets you use an account with the premise that, unlike the bank, they will not lend or use customer assets. However, it’s not that simple. Users of centralized exchanges do not own their own private keys at all and have little idea of whether an exchange can cover withdrawals from one moment to the next. Instead, the exchange has ownership of those private keys, and therefore any crypto at any address on its platform.

While that may not seem immediately concerning, it means if the exchange fails, you lose your funds. You may think that sounds like a worst-case scenario, but unfortunately, it’s more frequent than you might think.  As a result, customers are demanding centralized exchanges go through the appropriate methods of auditing.

Enter: The Proof Of Reserves audit. This crypto audit allows centralized institutions –  like many crypto exchanges – to prove their trustworthiness to their customers. With crypto proof of reserves audits, unmanaged protocol risks and ecosystem dependencies are out in the open.

But what exactly is a proof of reserves audit and how does it work?

Let’s dig in and find out.

What is Proof of Reserves?

‘Proof of Reserves’ is a specific audit for crypto institutions wherein a third party assesses the assets they own against their debt, also known as “liabilities”. The third party will count up every asset an institution can prove they own. These types of assets may include fiat assets, such as dollars or euros, or crypto assets, such as bitcoin and ETH. Following that, the auditor will collect the data on the same institution’s debt and tally up the total.

To verify individual account balances without the danger of exposing personal or sensitive information, a proof of reserves audit uses a data structure called a Merkle tree. Without getting too technical, this data structure is a way of validating information, whilst obscuring its sensitive contents. The main idea of the audit is to verify that platforms actually have the funds they claim to have, therefore reassuring users that their funds are in safe hands.

Proof of Reserve in Traditional Finance

The idea behind a proof of reserves audit is not new. Audits of this nature were popular long before crypto’s inception. The objective of any audit is to provide an impartial assessment of an institution’s financial health. Thus, registered financial organizations are legally bound to conduct audits regularly. 

Much like their crypto counterparts, financial institutions use a third-party auditor to verify their reserves.

However, the results are slightly different. While the whole aim is to become more transparent, tradFi institutions will only share this important information with stakeholders and board members. While customers may have access to some information about an institution’s financial health – such as its general performance – the majority of tradFi audit reports remain completely confidential and unavailable to the general public. 

Unfortunately, this poses a problem: trusting the third-party auditor.  Even if an institution releases a public report, these reports only provide summary-level information, leaving the user with little idea of how their funds are being kept.

Of course, it’s no surprise that customers appreciate transparency, especially on developing platforms and in nascent industries. How else is an everyday user meant to get an idea of a firm’s investment strategies and risk appetite?  

With this in mind, crypto audits – such as Proof of Reserves – are conducted with increased transparency. 

So let’s see how crypto proof of reserves really works:

Proof of Reserves in Crypto

Crypto proof of reserves audits also use a third party. However, the blockchain allows for more transparency in the process. A crypto auditing company tallies the on-chain holdings of the company with the client assets on its balance sheet. 

Since wallet holdings on the blockchain are public, users can easily verify the audit report via blockchain explorers. 

Furthermore, the blockchain allows anyone to track the exchange’s wallet transactions — flagging any suspicious activity, such as transfers of large volumes of data, without waiting for another audit. Some exchanges also offer “self-assessment” audits within their platform, instead of using block explorers. Through these self-assessment audits, users can validate if the exchange still holds their funds at any given time.

Proof of Reserves: Increasing Transparency for Centralized Platforms

Proof of Reserves audits give crypto exchanges the chance to be more transparent. And many centralized exchanges welcome the opportunity to clarify their financial situation to their customers. However historically, not all exchanges have been so open. 

Since all centralized exchanges can keep their financial sheets private, the customer has no idea what’s happening to their funds. While many exchanges are champions of transparency, others have ended up down a darker path of using customer funds and not having the assets to cover them. 

So, how does a proof of reserves audit help you to know if an exchange might stand the test of time?

How Does a Proof of Reserves (PoR) Audit Work?

A proof of reserves audit has two possible outcomes; an institution is pronounced solvent or it isn’t. 

To get this accreditation, the audit goes through 3 distinct stages.

Proof of Reserves: How an Exchange Shows Ownership of Assets

Some of an exchange’s assets will be stored as cryptocurrency on-chain. The blockchain is transparent, meaning everyone can track every transaction in that account’s history. Accordingly, the only thing an exchange must do to prove ownership of its assets is to prove ownership of its wallets. 

Exchanges can prove ownership of these specific wallets simply by signing a transaction.

Doing so proves an exchange has access to the wallet. Thus the corresponding private key. The auditors then use the data from this verified wallet to form a part of their report.

This part of the audit enables an exchange to show the assets it owns in its reserves. However, it tells us nothing about its debt. If an exchange has debt worth more than the assets it holds, customer funds could be at risk. Therefore, assessing an exchange’s debt is important to get a complete picture of a company’s financial health. To assess this important information, there’s another part of the audit: Proof of Liabilities (PoL).

Proof of Liabilities (PoL) 

Proof of Liabilities (PoL) addresses an institution’s financial debts and obligations. Carrying out this audit means processing a lot of data – some of which may be sensitive. Since the blockchain is so transparent, there’s one problem: How do you keep customer information private?

To solve this problem, proof of reserves audits use a data structure called a Merkle tree to establish a firm’s debt without publishing anything customers might not want to share.

Much like a regular tree, a Merkle tree has many branches and a root. The root stores all of the data – in this case the wallet and transaction data. At the end of each branch, there is a node – with each node capable of storing information. 

However, in this data structure, no single node stores the information for any single wallet. Instead, the data is split across the whole tree, with each node inheriting a piece of information from its parent.

Then, to protect the data from human eyes, the structure records information using a unique string of numbers and letters called a hash. Every node in the Merkle tree has a unique hash, representing a portion of the information as a whole.

This way, if just one transaction is modified, the hash will change – not just for that specific node – but also its parent and grandparent nodes, all the way up to the Merkle root. This makes the system unhackable, secure, and a reliable, real-time account of a platform’s holdings. 

So what if an exchange has more debt than the value of its assets?

Proof of Solvency: Why it Matters

Only exchanges that have more assets in reserve than they have debt (or liabilities) can achieve Proof of Solvency. If all of an exchange’s users try to withdraw their funds and it can process every single request simultaneously, an exchange will pass the audit. If an exchange fails this test, it’s running on fractional reserves, meaning it’s using customer funds.

Put simply, an institution showing Proof of Solvency, via the audit of its assets against its liabilities, can guarantee users access to their assets.

Blockchain Oracles: Decentralized Proof of Reserves Audit

Even though crypto audits are more verifiable than their TradFi counterparts, they still depend on third-parties. Letting a third party compute assets and liabilities leaves room for human error and bias.

On the other hand, blockchain oracles can conduct these audits in a completely decentralized manner.

Oracles are systems that can provide smart contracts with real-world data from off-chain sources. For example, if you want a smart contract to execute an action when a specific real-world event occurred, you would need an oracle.

Blockchain oracles can also conduct decentralized proof of reserves audits for exchanges. The PoR from decentralized services such as these guarantees an institution cannot transfer more tokens than it has assets in reserve.

While it’s not the only blockchain oracle that offers this solution, Chainlink calls itself the “largest decentralized collection of security-reviewed and Sybil-resistant node operators in the industry”. Many DeFi protocols already use Chainlink audits to show the details of their debts and deposits.

This opens up more opportunities for optimal transparency for centralized and decentralized entities.

Understanding Proof of Reserves and Why They Matter 

Proof of Reserves audits allow crypto institutions, such as centralized exchanges, to improve transparency in the unregulated market.

User & Platform-level Benefits of PoR

For users, proof of reserves allows them to analyze which exchange would keep their funds safer. For instance, if a PoR audit showed an exchange’s reserves consist primarily of its own coin or token, a user could deem this a risk. On the other hand, if the PoRs show that the exchange’s holdings are well-diversified and over-collateralized, users can have confidence in the exchange.

Therefore, transparent exchanges have a more loyal user base.

Benefits and Limitations of PoR

Many things could go wrong in an audit — the third-party auditor might not be the best, an exchange might have undisclosed liabilities, or they could fail to keep customer funds safe from hacks. As explained by Vitalik in his blog, PoR is more of a quick fix than a long-term solution. 

Exchanges are an integral part of onboarding newcomers to the space, but when they fail it has a ripple effect on the ecosystem. Regular audits will minimize risk and establish global crypto standards for security. With increased transparency, ecosystem growth will be easier.

Anytime you trust a 3rd party with your assets, you introduce a point of failure. Always remember — not your keys, not your crypto.

How Self-custody Mitigates Your Risk

While a Proof of Reserves audit helps centralized platforms become more transparent, it doesn’t make them any more secure. To explain, when using a centralized exchange, you don’t actually control your private keys. Unfortunately, this means you don’t really own the assets stored at the corresponding address. Instead, the centralized exchange keeps control of the private keys on their platform, meaning they can revoke access to your account at any time. 

If you can’t control the access to your own funds, are they really yours?

The answer is: No, they aren’t. If you want to keep full ownership of your assets, you’ll need to take control of your own private keys, which is known as self-custody. The best way to do so is using a hardware wallet, such as a Ledger device. Using your Ledger device, you can interact with decentralized exchanges, eliminating any third-party control over your funds. 

Self Custody: No Need for Proof of Reserves

The safest way to store your crypto is and will always be self-custody — where you can take control of your funds. With self-custody, you don’t need to trust anyone, accessing the entire decentralized crypto ecosystem directly.

Ledger’s hardware wallets are the prime example of safety and accessibility. Your private keys are safely stored on a physical device only you can access. Further, Ledger’s secure element chip ensures your assets are safe from physical and software hacks.

Besides that, self-custody allows you the freedom to be your own bank. With you at the helm, your private keys, and therefore your assets, are on course for smooth sailing.

Stay in touch

Announcements can be found in our blog. Press contact:
[email protected]

Subscribe to our

New coins supported, blog updates and exclusive offers directly in your inbox

Your email address will only be used to send you our newsletter, as well as updates and offers. You can unsubscribe at any time using the link included in the newsletter.

Learn more about how we manage your data and your rights.