April 9, 2026 | Exchange Watch

Proof of Reserves in 2026: What It Proves, What It Hides, and How to Verify Your Balance


Proof of reserves became the phrase every exchange executive learned to say after November 2022. FTX collapsed, billions vanished, and the immediate public demand was straightforward: show us the money. Three and a half years later, the industry has settled into a pattern of regular attestations, Merkle tree snapshots, and dashboards that surface wallet addresses. The question is whether any of this actually protects depositors -- or whether proof of reserves has become a compliance ritual that creates comfort without delivering safety.

What a Merkle Tree Attestation Actually Proves

A proof-of-reserves attestation built on a Merkle tree proves one narrow claim: that a specific set of user balances existed in the exchange's database at a single point in time, and that those balances sum to a total that matches or falls below the assets held in identified on-chain wallets.

The Merkle tree is a data structure where every user's balance is hashed into a leaf node, pairs of nodes are hashed together moving upward, and the process repeats until a single root hash sits at the top. An auditor -- or in many cases, a less rigorous "attestation provider" -- checks that the root hash matches the underlying data and that the on-chain wallet balances meet or exceed the total, then publishes the result.

What this proves is limited but real. It confirms that, at the snapshot moment, the exchange controlled wallets holding at least as much of each asset as the sum of user claims. It does not prove that those wallets were not borrowed for the snapshot. It does not prove that the exchange has no outstanding liabilities that offset those assets. It does not prove that the same assets are not pledged as collateral elsewhere.

The Merkle tree itself is a clever piece of cryptography, but it only validates internal consistency of the data the exchange chooses to include. Garbage in, cryptographically verified garbage out.

The Mazars Lesson and the FTX Aftermath

When Binance published its first proof-of-reserves report through Mazars Group in late 2022, the accounting firm went out of its way to note that the engagement was not an audit. Mazars performed an "agreed-upon procedures" engagement -- a narrower scope where the firm checks specific items the client defines, rather than forming an independent opinion on financial statements.

Within weeks, Mazars paused all crypto proof-of-reserves work, citing concerns about how the public interpreted the reports. The firm understood what most observers missed: users were treating attestations as audits, and the gap between those two concepts is enormous.

An audit involves an independent assessment of financial statements under established standards (GAAP or IFRS), including verification of liabilities, review of internal controls, and professional judgment about whether the statements present a fair picture. An attestation under agreed-upon procedures does none of that. The attestor checks what they are asked to check, reports findings, and disclaims everything else.

FTX never published a proof of reserves. But the lesson from FTX was not simply "exchanges should publish PoR." The lesson was that an exchange can appear solvent on the asset side while running a massive liability deficit that no Merkle tree snapshot would catch -- because the liabilities were hidden in a related entity, and no attestation scope included them.

How Proof of Reserves Evolved After 2022

The post-FTX evolution of proof of reserves followed a predictable arc. In the first phase, exchanges rushed to publish wallet addresses and basic attestations. Quality varied wildly. Some exchanges showed Bitcoin holdings while ignoring stablecoin liabilities. Others published snapshots without any third-party verification.

The second phase, through 2023 and 2024, saw consolidation around more standardised approaches. Several exchanges adopted regular monthly attestations through firms like Armanino (before it exited the space), Grant Thornton, and smaller crypto-native auditing practices. The scope expanded to cover multiple assets, and some exchanges began including negative balances -- accounts that had borrowed on margin -- in their liability calculations.

By 2025, the better-resourced exchanges had moved toward what the industry calls "proof of reserves plus proof of liabilities," though calling it proof of liabilities is generous. What actually happens is that the attestor reviews the exchange's internal ledger for the total of user claims and confirms the Merkle tree construction matches. True liability verification would require access to all off-balance-sheet obligations, intercompany loans, and contingent liabilities. No exchange PoR programme includes that scope.

In 2026, the state of play is incrementally better but structurally unchanged. The core limitation remains: proof of reserves is a point-in-time asset check against a self-reported liability number, wrapped in cryptographic verification that makes it look more definitive than it is.

Attestation vs Audit: The Distinction That Matters

The difference between an attestation and an audit is not academic. It determines what legal liability the reviewing firm accepts, what standards govern the work, and what conclusions users can reasonably draw.

An audit under PCAOB or IAASB standards requires the auditor to assess risk of material misstatement, test internal controls, verify transactions on a sample basis, confirm balances with third parties, and issue an opinion. The auditor is professionally liable for negligence. The audit covers a full reporting period, not a single moment.

An agreed-upon procedures attestation requires the attestor to perform only the specific procedures listed in the engagement letter. If the engagement letter says "verify that wallet addresses X, Y, and Z hold at least N bitcoin at timestamp T," then that is all the attestor checks. They issue a report of factual findings, not an opinion, and their liability is limited to whether they performed the listed procedures correctly.

Most exchange proof-of-reserves reports fall into the attestation category. When an exchange says "we are audited," check the actual report. The word "audit" appears far less often than "agreed-upon procedures" or "assurance engagement."

A small number of exchanges have begun pursuing full financial statement audits from recognised accounting firms. This is a genuinely higher bar, but it comes with its own limitations -- the audit covers a fiscal period ending on a specific date, and the exchange's financial position can change materially between audit completion and publication.

How to Verify Your Inclusion in a Merkle Tree

If an exchange publishes a Merkle tree proof of reserves, you can verify that your account balance was included. The process varies by exchange, but the general mechanism is consistent.

First, log into your exchange account and locate the proof-of-reserves verification page. The exchange provides you with a record ID (sometimes called a leaf hash or audit ID) and a set of intermediate hashes that form your "Merkle path" from your leaf to the root.

Second, independently hash your balance data using the same algorithm the exchange specifies (typically SHA-256). Your leaf should consist of your anonymised account identifier and your balance at the snapshot time.

Third, walk up the Merkle path. Take your leaf hash, combine it with the sibling hash provided, hash the pair, and repeat until you reach the root. If the root you calculate matches the published root hash, your balance was included in the tree.

Fourth -- and this is the step most users skip -- consider what this verification tells you. It confirms your balance was in the dataset. It does not confirm that the exchange actually holds assets equal to the total of all included balances. That requires checking the on-chain wallet addresses separately, which brings its own complications: you need to verify that the exchange actually controls those wallets, not just that the wallets exist.

Some exchanges have begun using cryptographic signing from their published wallet addresses to prove control. This is a meaningful improvement, but it still only proves control at the moment of signing.
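
The four steps above, worked through as an added Python example (not any exchange's tool and not code from this article). The leaf encoding, the domain-separation bytes, the odd-node handling, and the account IDs and balances are assumptions constructed for illustration; a real exchange specifies its own format. The second snapshot illustrates the earlier point that a tree built from an incomplete dataset is just as self-consistent as a complete one.

```python
import hashlib

# Assumed encoding (not any exchange's real format): SHA-256 over a one-byte
# domain tag plus "account_id:balance" for leaves, tag plus left||right for nodes.
def leaf_hash(account_id, balance):
    return hashlib.sha256(b"\x00" + f"{account_id}:{balance}".encode()).digest()

def node_hash(left, right):
    return hashlib.sha256(b"\x01" + left + right).digest()

def build_levels(leaves):
    """Exchange side: hash pairs upward; an unpaired node is promoted as-is."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        nxt = [node_hash(cur[i], cur[i + 1]) for i in range(0, len(cur) - 1, 2)]
        if len(cur) % 2:
            nxt.append(cur[-1])
        levels.append(nxt)
    return levels

def merkle_path(levels, index):
    """Exchange side: (sibling hash, side) pairs from leaf `index` up to the root."""
    path = []
    for level in levels[:-1]:
        sibling = index ^ 1
        if sibling < len(level):  # a promoted node has no sibling at this level
            path.append((level[sibling], "L" if sibling < index else "R"))
        index //= 2
    return path

def verify_inclusion(account_id, balance, path, published_root):
    """User side: recompute the leaf, walk the path, compare with the published root."""
    node = leaf_hash(account_id, balance)
    for sibling, side in path:
        node = node_hash(sibling, node) if side == "L" else node_hash(node, sibling)
    return node == published_root

def snapshot(records):
    levels = build_levels([leaf_hash(a, b) for a, b in records])
    return levels[-1][0], levels  # (root, all levels)

# Constructed sample snapshot: anonymised IDs with BTC balances as strings.
RECORDS = [("u-7c1e", "0.50000000"), ("u-a3f1", "1.25000000"),
           ("u-09bd", "12.00000000"), ("u-e452", "0.00310000")]
ROOT, LEVELS = snapshot(RECORDS)
MY_PATH = merkle_path(LEVELS, 1)  # what the exchange would hand to u-a3f1
# The same books with u-09bd left out: a different root, equally self-consistent.
PARTIAL_ROOT, PARTIAL_LEVELS = snapshot([r for r in RECORDS if r[0] != "u-09bd"])
print(verify_inclusion("u-a3f1", "1.25000000", MY_PATH, ROOT))
```

A user who remains in the partial snapshot verifies against its root exactly as before; only the omitted account, which cannot be given a valid path, is in a position to notice.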

Which Exchanges Publish Proof of Reserves and What Gaps Remain

As of early 2026, the major exchanges publishing regular proof-of-reserves reports include Binance, Kraken, OKX, Bitget, Crypto.com, and Bybit, among others. The frequency, scope, and quality differ significantly.

Kraken has historically provided the most rigorous attestations, engaging established accounting firms and covering a broad range of assets. Binance publishes frequent snapshots with Merkle tree verification but has faced ongoing questions about the scope of liabilities included. OKX offers a self-service verification tool and publishes monthly, though the attestation scope has been criticised for excluding certain product lines.

The gaps that persist across the industry are consistent. Derivatives liabilities are often excluded or poorly defined. Intercompany balances -- where an exchange lends to a proprietary trading desk or affiliated entity -- are rarely in scope. Off-chain liabilities such as legal settlements, tax obligations, or vendor payables are never included.

The most fundamental gap remains the absence of comprehensive liability disclosure. Until proof of reserves evolves into a genuine balance sheet verification -- assets minus all liabilities equals positive equity -- it will remain a partial picture marketed as a complete one. For a broader view of exchange risk indicators, the Exchange Watch section tracks structural concerns across platforms.

On-Chain Monitoring vs Accounting Snapshots

One of the more promising developments in exchange transparency is real-time on-chain monitoring. Platforms like Nansen, Arkham, and DefiLlama track known exchange wallet addresses continuously, providing a live view of asset flows.

This approach has genuine advantages over point-in-time snapshots. Large outflows become visible immediately. Unusual wallet activity -- such as moving assets to unfamiliar addresses shortly before a snapshot -- is detectable. The community can observe whether an exchange's visible reserves are trending up or down over time.

However, on-chain monitoring has its own blind spots. It can only track assets on public blockchains. Fiat reserves, which make up a significant portion of some exchanges' customer deposits, are invisible to on-chain tools. Off-chain transactions -- including OTC deals, intercompany transfers, and banking movements -- leave no on-chain trace. An exchange could have deteriorating fiat solvency while on-chain reserves look stable.

The relationship between on-chain monitoring and proof-of-reserves attestations is complementary, not substitutive. On-chain data provides continuous visibility into one dimension of solvency. Attestations provide periodic third-party checks against a broader (though still incomplete) picture. Neither alone is sufficient.

Common Misconceptions About Proof of Reserves

Several misconceptions persist in how users interpret proof-of-reserves reports, and they create a false sense of security worth addressing directly.

"The exchange passed its proof of reserves, so my funds are safe." A PoR attestation confirms asset holdings at a moment in time against self-reported user balances. It says nothing about what happens in the hours after the snapshot, whether the exchange has undisclosed debts, or whether the assets are legally encumbered.

"A Big Four accounting firm signed off, so it must be thorough." Check the engagement type. An agreed-upon procedures engagement from a Big Four firm carries the firm's brand but not the rigour of a full audit opinion. The scope is defined by the client, not the firm.

"The Merkle tree is cryptographically secure, so the data cannot be manipulated." The Merkle tree validates internal consistency. If the exchange submits a dataset that excludes certain user accounts or understates balances, the Merkle tree will faithfully validate the manipulated dataset. Cryptographic security protects data integrity, not data completeness.

"Proof of reserves covers all exchange products." Most attestations cover spot balances. Margin positions, futures contracts, options, earn products, and staking balances are frequently outside scope. If your funds are in an earn programme, the PoR may not include them.

"If I can verify my leaf in the tree, the exchange is solvent." Your leaf verification confirms your balance was included. It tells you nothing about the aggregate solvency position. The exchange could include every user's balance perfectly while still being insolvent due to liabilities the PoR does not cover.

Understanding these limitations is not a reason to dismiss proof of reserves entirely. It is a reason to treat it as one data point among many when evaluating exchange risk. Our Research section covers the broader analytical framework, and the Methodology page details how we evaluate platform risk indicators.

FAQ

What is the difference between proof of reserves and a financial audit?

Proof of reserves is a narrow check confirming that an exchange holds assets equal to or greater than user balances at a specific moment. A financial audit is a comprehensive review of an entity's financial statements over a reporting period, including all assets, liabilities, revenue, and expenses, conducted under professional auditing standards with the auditor issuing an opinion on the statements' accuracy.

Can an exchange fake its proof of reserves?

Outright fabrication of the Merkle tree data is detectable if users verify their own leaf nodes. However, an exchange can manipulate the process in subtler ways: temporarily borrowing assets for the snapshot, excluding certain product balances from the liability total, or omitting off-balance-sheet liabilities. These manipulations would not be caught by Merkle tree verification alone.

How often should exchanges publish proof of reserves?

Monthly attestations have become the informal standard, though some exchanges publish more frequently. The ideal cadence depends on what is being attested. On-chain wallet balances can be verified in real time, making frequent checks feasible. But if the attestation includes third-party accounting review, monthly is likely the practical minimum given the cost and effort involved. More important than frequency is scope -- a quarterly attestation that covers all products and liabilities is more valuable than a daily snapshot that covers only spot balances.

Do proof-of-reserves reports cover fiat deposits?

This varies by exchange and by attestation scope. Some exchanges include fiat balances in their PoR, with the attestor confirming bank statement balances. Others cover only crypto assets. Fiat verification is inherently harder to do publicly because bank balances cannot be checked on-chain. Users should read the specific attestation report to determine whether their fiat deposits are included.

What should I do if I cannot verify my balance in an exchange's Merkle tree?

If the exchange offers a verification tool and your balance does not verify correctly, document the discrepancy with screenshots and contact the exchange's support team. It could be a timing issue -- your balance may have changed between the snapshot and when you checked. But if the exchange does not offer individual verification, or if your verified balance does not match your actual account, treat it as a warning signal. An exchange that cannot accurately represent your balance in its own PoR system has either a technical failure or something worse.