Proof-of-Reserves & Custody Risk: How to Judge Exchange Safety
Why Solvency Proofs Matter
Exchanges are powerful—but they’re also single points of failure. Proof-of-Reserves (PoR) aims to show that customer assets are actually held and not over-leveraged.
What Proof-of-Reserves Is—and Isn’t
- Is: Cryptographic or auditor-verified evidence that reserves exist on-chain or in custody.
- Isn't: A full proof of solvency unless liabilities are also verified.
The Two Sides: Assets vs. Liabilities
- Assets: Coins controlled by the exchange (addresses, custody accounts).
- Liabilities: What the exchange owes customers.
- Gap: A strong PoR shows assets ≥ liabilities, with the measurement method for both sides spelled out.
Good PoR Hygiene (What to Look For)
- Independent verification: Third-party auditors or verifiable Merkle proofs.
- Regular cadence: PoR should be updated frequently, not once per year.
- Public methodology: Clear docs on how assets and liabilities were measured.
- Chain coverage: Major assets + networks are included, not cherry-picked.
- Customer verification: Ability to check your own included balance in the proof.
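The "Gap" point above (assets ≥ liabilities) and the "Customer verification" point are where Merkle proofs do the work. The following is an added example, not code from the original article or from any exchange: it builds a Merkle sum tree over a constructed list of customer balances, so the root commits to the total liabilities, lets one customer verify that their own leaf is included, and compares the committed total with a declared asset figure. Customer ids, balances, salts, the declared asset figure and the domain-separation tags ("leaf", "node", "empty") are all assumptions made for the example.

```python
import hashlib
from typing import List, Tuple

# A node is (hash, committed balance sum). In a Merkle *sum* tree every
# internal node commits to both its children's hashes and their combined balance,
# so the root's sum is the exchange's total liabilities.
Node = Tuple[bytes, int]

# Constructed sample data (not from any real exchange): customer id, balance
# in integer base units, and a per-customer salt that hides the id in the leaf.
LIABILITIES = [
    ("cust-0001", 150_000, b"\x01" * 16),
    ("cust-0002", 2_250_000, b"\x02" * 16),
    ("cust-0003", 10_000, b"\x03" * 16),
    ("cust-0004", 780_000, b"\x04" * 16),
    ("cust-0005", 5_000, b"\x05" * 16),
]
DECLARED_ASSETS = 3_300_000  # constructed figure for the exchange's on-chain holdings


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf(customer_id: str, balance: int, salt: bytes) -> Node:
    # Negative balances would let an operator shrink the committed total; refuse them.
    if balance < 0:
        raise ValueError("negative balance in liabilities")
    h = sha256(b"leaf" + salt + customer_id.encode() + balance.to_bytes(8, "big"))
    return (h, balance)


def combine(left: Node, right: Node) -> Node:
    h = sha256(b"node" + left[0] + left[1].to_bytes(8, "big")
               + right[0] + right[1].to_bytes(8, "big"))
    return (h, left[1] + right[1])


# Padding node with a zero balance: duplicating the last leaf (a common Merkle
# shortcut) would double-count that customer's balance in a sum tree.
EMPTY: Node = (sha256(b"empty"), 0)


def build_levels(leaves: List[Node]) -> List[List[Node]]:
    """Return all tree levels, leaves first; the last level holds the root."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2:
            cur.append(EMPTY)
        levels.append([combine(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels


def inclusion_proof(levels: List[List[Node]], index: int) -> List[Tuple[Node, bool]]:
    """Sibling nodes from leaf to root, each tagged with whether it sits on the left."""
    proof = []
    for level in levels[:-1]:
        sibling = index ^ 1
        proof.append((level[sibling], sibling < index))
        index //= 2
    return proof


def verify_inclusion(my_leaf: Node, proof: List[Tuple[Node, bool]], root: Node) -> bool:
    """What a customer runs: recompute the path with the published siblings and
    check it lands on the published root. Every sibling sum must be non-negative,
    otherwise a hidden negative node could offset real liabilities."""
    cur = my_leaf
    for sibling, sibling_is_left in proof:
        if sibling[1] < 0:
            return False
        cur = combine(sibling, cur) if sibling_is_left else combine(cur, sibling)
    return cur == root


def solvency_report(levels: List[List[Node]], declared_assets: int) -> dict:
    """Compare the liabilities committed in the root with the declared asset figure."""
    total_liabilities = levels[-1][0][1]
    return {
        "total_liabilities": total_liabilities,
        "declared_assets": declared_assets,
        "assets_cover_liabilities": declared_assets >= total_liabilities,
    }


if __name__ == "__main__":
    leaves = [leaf(*row) for row in LIABILITIES]
    levels = build_levels(leaves)
    root = levels[-1][0]
    # Customer 4 checks their own inclusion using only their leaf and the published proof.
    proof = inclusion_proof(levels, 3)
    print("cust-0004 included:", verify_inclusion(leaves[3], proof, root))
    print(solvency_report(levels, DECLARED_ASSETS))
```

The point the example makes: the root alone proves nothing about solvency; it is the combination of the committed total (liabilities side), an independently verified asset figure (assets side), and customers actually running the inclusion check that closes the gap. The asset side is still an input here; a real PoR needs the declared figure tied to signed on-chain addresses or an auditor's attestation.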
Beyond PoR: Operational Safeguards
- Cold storage ratio: Majority of funds offline with multi-sig policies.
- Withdrawal controls: Whitelisting, time-locks, and human review for large outflows.
- Incident transparency: Clear status pages and communications during disruptions.
- Segregation of funds: Corporate vs. customer balance separation.
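The withdrawal-controls point above names three controls (whitelisting, time-locks, human review for large outflows) that combine into one decision per withdrawal request. The following is an added example, not code from the original article or from any exchange's systems: a small policy function that applies those controls, plus a rolling 24-hour outflow cap, over a constructed account. The thresholds, cooldown, addresses and amounts are assumptions chosen for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed policy parameters (assumptions for this example, not any exchange's real settings).
WHITELIST_COOLDOWN = timedelta(hours=24)  # time-lock: a newly added address must age before use
REVIEW_THRESHOLD = 100_000                # amounts at or above this wait for human sign-off
DAILY_LIMIT = 250_000                     # rolling 24h outflow cap per account


@dataclass
class Account:
    whitelist: Dict[str, datetime]  # destination address -> time it was added
    recent_withdrawals: List[Tuple[datetime, int]] = field(default_factory=list)


def evaluate_withdrawal(account: Account, address: str, amount: int,
                        now: datetime) -> Tuple[str, List[str]]:
    """Return (decision, reasons); decision is 'allow', 'hold_for_review' or 'deny'.
    Hard controls (whitelist, time-lock, cap) are checked before the soft one (review)."""
    added = account.whitelist.get(address)
    if added is None:
        return "deny", ["destination address is not whitelisted"]
    age = now - added
    if age < WHITELIST_COOLDOWN:
        return "deny", [f"whitelist entry is {age} old; cooldown is {WHITELIST_COOLDOWN}"]
    window_total = sum(a for t, a in account.recent_withdrawals
                       if now - t <= timedelta(hours=24))
    if window_total + amount > DAILY_LIMIT:
        return "deny", [f"rolling 24h outflow {window_total + amount} exceeds {DAILY_LIMIT}"]
    if amount >= REVIEW_THRESHOLD:
        return "hold_for_review", [f"amount {amount} at or above review threshold"]
    return "allow", []


def sample_decisions() -> Dict[str, str]:
    """Run the policy over a constructed scenario; returns {case: decision}."""
    now = datetime(2024, 1, 10, 12, 0)
    acct = Account(whitelist={
        "addr-aged": now - timedelta(days=3),    # whitelisted long ago
        "addr-fresh": now - timedelta(hours=2),  # added recently, still time-locked
    })
    results = {
        "unlisted": evaluate_withdrawal(acct, "addr-unknown", 1_000, now)[0],
        "fresh_whitelist": evaluate_withdrawal(acct, "addr-fresh", 1_000, now)[0],
        "small_aged": evaluate_withdrawal(acct, "addr-aged", 1_000, now)[0],
        "large_aged": evaluate_withdrawal(acct, "addr-aged", 100_000, now)[0],
    }
    # An earlier withdrawal inside the window pushes the next one over the daily cap.
    acct.recent_withdrawals.append((now - timedelta(hours=1), 200_000))
    results["over_daily_limit"] = evaluate_withdrawal(acct, "addr-aged", 60_000, now)[0]
    return results


if __name__ == "__main__":
    for case, decision in sample_decisions().items():
        print(f"{case:18} -> {decision}")
```

The ordering matters for a defender: the deterministic controls (whitelist membership, time-lock, cap) reject outright, so a compromised session cannot drain funds to a fresh address inside the cooldown even if a reviewer is slow to respond; only requests that pass those gates reach a human.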
Your Role in Reducing Custody Risk
- Use self-custody for long-term holdings (hardware wallets).
- Diversify venue risk: Don't keep all assets on a single platform.
- Set alerts: Withdrawal notifications, login alerts, and anti-phishing codes.
- Test withdrawals: Small test transactions before moving size.
Key Takeaways
- PoR is helpful but incomplete without liabilities.
- Operational controls + your own self-custody habits matter just as much.
FAQs
Q1: Is proof-of-reserves the same as an audit?
Not necessarily. Some PoR methods are auditor-assisted; others are cryptographic. Scope varies.
Q2: How often should exchanges publish PoR?
The more frequent, the better—ideally with customer verifiability each time.
Q3: If PoR looks strong, is my money safe?
It reduces risk, but no system is risk-free. Use best-practice self-custody.