December 11, 2023

What is Proof of Reserves?

dYdX

When the centralized crypto exchange (CEX) FTX crashed in 2022, it wiped out $8.9 billion in funds and tarnished the trustworthiness of crypto trading websites. It also left traders wondering, if such a prominent exchange didn't have the funds to meet clients' withdrawal requests, could other exchanges be equally risky? 

And it's not just centralized crypto platforms traders expressed concerns over. They also worried whether there were tests to prove protocols in decentralized finance (DeFi) take proper precautions with their users' assets.

In response, some of the world's top crypto exchanges stepped forward with a solution to rebuild trust with traders called "proof of reserves" (PoR). Although PoR is a relatively new metric, it has become a significant consideration when evaluating the trustworthiness of centralized crypto exchanges. 

Here, we’ll explain PoR, how it's measured, and how traders use it to find a safer trading platform.

What is PoR in Crypto?

Proof of reserves is an audit that analyzes a crypto platform's finances to ensure it has enough funds to meet the demands of its customers. Auditors gather data on an exchange's current holdings (aka assets) and obligations (aka liabilities) to see if they have the crypto on hand in case every trader requests their money simultaneously. A healthy (or “solvent”) PoR shows an exchange maintains at least a 1:1 ratio of assets-to-liabilities. 

Although PoR reports are closely associated with tracking the solvency of CEXs, they are also used on blockchain-native protocols such as decentralized finance (DeFi) programs or wrapped token issuers. For example, the crypto custodian BitGo releases PoRs on its current Bitcoin (BTC) holdings relative to the Wrapped Bitcoin (wBTC) tokens it issues. wBTC is a synthetic version of BTC compatible with the Ethereum blockchain, and each wBTC in circulation must have one BTC in reserve.

How Does a Proof of Reserves Crypto Audit Work? 

PoRs typically use a cryptographic verification technology called "Merkle trees" to collect data on an exchange's liabilities without compromising customer privacy. Also called "hash trees," Merkle trees organize balance data from each user into smaller units, with each account hashed into an individual "leaf" and the leaves combined through "branches" until everything links to a single, unique, and verifiable "Merkle root" hash. The Merkle root commits to the total value of liabilities on an exchange and to the specific details of each account's crypto without revealing traders' personal information. Auditors take a snapshot of an exchange's liabilities, or they use real-time tracking software to provide constant updates on trading balances.

Since Merkle trees are tamper-proof and compatible with decentralized blockchains, they are easy for crypto analytics firms to incorporate into a liabilities screening, and they've become the standard in PoR reporting due to their accessibility and transparency. 

After determining an exchange's liabilities, auditors focus on the assets a crypto exchange holds in reserve. Typically, CEXs provide the public key addresses for their crypto wallets, and auditors scan the virtual currencies in these CEX accounts. If a CEX has non-crypto assets like fiat currency, precious metals, or cash equivalents, they add them to their PoR report. 

With this information, auditors compare a CEX's current assets to their liabilities and rate each exchange's safety based on this balance. The more assets a CEX holds compared to its current obligations, the higher its safety score. 
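The liabilities and solvency checks described above, as an added example that is not code from dYdX, any exchange, or any auditor. It assumes a Merkle sum tree (each node carries a hash and a running balance total) built with SHA-256; all function names are hypothetical and the account data is constructed.

```python
import hashlib

def h(*parts):
    d = hashlib.sha256()
    for p in parts:
        b = p if isinstance(p, bytes) else str(p).encode()
        d.update(len(b).to_bytes(4, "big") + b)  # length prefix keeps fields unambiguous
    return d.digest()

def leaf(account_id, nonce, balance):
    return (h(b"leaf", account_id, nonce, balance), balance)  # nonce hides the id

def parent(left, right):
    # A parent commits to both child hashes and both child sums.
    return (h(b"node", left[0], left[1], right[0], right[1]), left[1] + right[1])

def build(leaves):
    """Return every level of the tree, leaves first; the last level is [root]."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2:
            cur.append((h(b"pad"), 0))  # zero-balance padding node
        levels.append([parent(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels

def prove(levels, index):
    """Sibling path for one leaf as (sibling_node, sibling_is_left) pairs."""
    path = []
    for level in levels[:-1]:
        path.append((level[index ^ 1], index % 2 == 1))
        index //= 2
    return path

def verify(node, path, root):
    """Customer-side check: rebuild the root from one's own leaf and the path."""
    for sib, sib_is_left in path:
        if node[1] < 0 or sib[1] < 0:  # a negative sum would hide liabilities
            return False
        node = parent(sib, node) if sib_is_left else parent(node, sib)
    return node == root

def is_solvent(reserves, root):
    return reserves >= root[1]  # at least a 1:1 ratio of assets to liabilities

# Constructed sample data: three accounts, balances in satoshis.
ACCOUNTS = [("alice", b"n1", 150_000), ("bob", b"n2", 20_000), ("carol", b"n3", 330_000)]
LEVELS = build([leaf(*a) for a in ACCOUNTS])
ROOT = LEVELS[-1][0]
```

Each customer only needs their own leaf, the sibling path, and the published root to confirm their balance was counted; the reserves figure passed to is_solvent would come from the exchange's disclosed wallet addresses.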

Limitations to Proof of Reserves Reports 

PoR seems like a foolproof solution to verifying the trustworthiness of crypto exchanges and stablecoin issuers, but there are weaknesses to this strategy. Although PoRs often reveal valuable info to traders, these reports don't always tell the whole story. 

  • Relies on an auditor's trustworthiness: Exchanges and crypto protocols hire third-party auditing firms to remove bias from their PoR reporting procedures. In theory, PoR auditors have an incentive to be truthful to maintain their reputation, but not all auditing companies are created equal. Traders must trust the integrity and competency of the auditor who carried out a PoR. 
  • Lack of clear regulatory rules: Since cryptocurrency is a new industry, the "standard" procedures for completing a PoR are still in flux. Although some technologies like Merkle trees have become widely adopted, there aren't official rules or regulations to confirm a PoR ticks all of the official boxes for a "valid" test. 
  • Snapshots capture limited data: It's easier to conceal information on a snapshot versus real-time tracking technologies. For example, bad actors might use borrowed funds to hide a hole in their balance sheet, or two exchanges might transfer cryptocurrencies to each other for a snapshot and send the funds back after the test is complete. To gain credibility on a PoR, snapshots must be frequent and taken at random intervals.
  • Difficult to trace off-chain assets and liabilities: There's no way for exchanges to hide on-chain data once they create Merkle trees and share public key addresses, but it's challenging to see non-blockchain transactions in real time. Traders need to trust the info exchanges provide about their off-chain accounts, including cash funds in a bank and investment activities.

How to Find Proof of Reserve Crypto Audits

As the push for PoR picks up steam in the crypto market, it's getting easier for traders to find reports from multiple exchanges and DeFi protocols. Taking the time to scan online sources helps traders decide which exchange they feel comfortable entrusting with their assets. 

  • Exchange websites: More cryptocurrency exchanges voluntarily publish their PoRs, and some advertise these reports as a key selling point for the trustworthiness of their platform. If users can't find a tab for a PoR report on an exchange's homepage, check the "Security" or "About" sections for more information. Some traders also request these details from a CEX by contacting a customer service representative. 
  • Crypto price aggregator sites: Crypto price aggregators like CoinMarketCap and CoinGecko specialize in showing real-time price feeds for virtual currencies, but they also keep track of PoRs. To find a list of these crypto audits, click the "Exchanges" icon on CoinMarketCap or CoinGecko and review the reserve data on file. For more specific details on each company's reports, select an exchange and find the "Reserves" button to look through more information. 
  • Blockchain explorers: For open-source cryptocurrency networks like Bitcoin and Ethereum, traders use search engines called blockchain explorers to monitor the assets different projects have in their wallets. As long as people know the public wallet for a CEX or crypto protocol, it's possible to paste this blockchain address into an explorer and see what's in their holdings. Sometimes, exchanges or big crypto projects list their name with a specific wallet address on blockchain explorers like Etherscan for greater transparency. 
  • Public earnings calls: If a cryptocurrency exchange is a publicly traded company, it needs to hold earnings calls every quarter to share its latest profits or losses with stockholders. For example, the American CEX Coinbase offers equity on the U.S. stock market, so it is legally responsible for releasing annual earnings reports. If the CEX a trader uses offers shares on a stock market, review the most recent earnings reports to verify the assets and liabilities on an exchange's balance sheet.  

Eligible Traders Enjoy Perpetual Swaps on dYdX 

At dYdX, we take extreme care to provide eligible traders a safe derivatives trading experience in DeFi. Since our launch in 2018, dYdX has never lost or put users' funds at risk, and we consistently publish open-source third-party code audits with the firms PeckShield and Zeppelin Solutions. Furthermore, there's no need to solely rely on proof of reserves because you can audit the dYdX smart contract in real time by visiting Etherscan. This allows you to see exactly how much and where all funds are on dYdX in real time. For more details on dYdX's latest features and security measures, visit our blog. Also, remember to check out dYdX Academy for more helpful tips on Web3 safety, including how to use a hardware wallet, how to transfer cryptocurrencies, and the common warning signs of scams.

Eligible traders can start trading on dYdX today!

Legitimacy and Disclaimer

Crypto-assets can be highly volatile and trading crypto-assets involves risk of loss, particularly when using leverage. Investment into crypto-assets may not be regulated and may not be adequate for retail investors. Do your own research and due diligence before engaging in any activity involving crypto-assets.

dYdX is a decentralised, disintermediated and permissionless protocol, and is not available in the U.S. or to U.S. persons as well as in other restricted jurisdictions. The dYdX Foundation does not operate or participate in the operation of any component of the dYdX Chain’s infrastructure.

The dYdX Foundation’s purpose is to support the current implementation and any future implementations of the dYdX protocol and to foster community-driven growth in the dYdX ecosystem.

The dYdX Chain software is open-source software to be used or implemented by any party in accordance with the applicable license. At no time should the dYdX Chain and/or its software or related components be deemed to be a product or service provided or made available in any way by the dYdX Foundation. Interactions with the dYdX Chain software or any implementation thereof are permissionless and disintermediated, subject to the terms of the applicable licenses and code. Users who interact with the dYdX Chain software (or any implementations thereof) will not be interacting with the dYdX Foundation in any way whatsoever. The dYdX Foundation does not make any representations, warranties or covenants in connection with the dYdX Chain software (or any implementations and/or components thereof), including (without limitation) with regard to their technical properties or performance, as well as their actual or potential usefulness or suitability for any particular purpose, and users agree to rely on the dYdX Chain software (or any implementations and/or components thereof) “AS IS, WHERE IS”.

Nothing in this post should be used or considered as legal, financial, tax, or any other advice, nor as an instruction or invitation to act by anyone.  Users should conduct their own research and due diligence before making any decisions. The dYdX Foundation may alter or update any information in this post in the future at its sole discretion and assumes no obligation to publicly disclose any such change. This post is solely based on the information available to the dYdX Foundation at the time it was published and should only be read and taken into consideration at the time it was published and on the basis of the circumstances that surrounded it. The dYdX Foundation makes no guarantees of future performance and is under no obligation to undertake any of the activities contemplated herein.
