Why Proof of Reserves Is Not Enough to Trust Crypto Exchanges



What is proof of reserves?

Essentially, proof of reserves (PoR) is a public demonstration that a custodian holds the assets it claims to hold on behalf of users, typically using cryptographic methods and onchain transparency.

If every crypto exchange can publish a proof-of-reserves (PoR) report, why can withdrawals be delayed or stopped during a crisis?

In fact, PoR is not a guarantee of trust. It demonstrates that verifiable assets exist on a platform at one point in time, but it does not ensure that the platform is solvent, liquid, or governed by controls that prevent hidden risks.


But even when implemented correctly, PoR is often a point-in-time snapshot that may miss what happened before and after the reporting period.

Without an honest view of liabilities, PoR cannot establish solvency, which is what users need in times of stress.

Did you know? Binance's CEO wrote that, as of December 31, 2025, the platform's user asset balances officially verified through proof of reserves had reached $162.8 billion.

What PoR verifies and how it is usually done

In practice, PoR includes two checks: assets and, ideally, liabilities.

On the asset side, the exchange shows that it controls certain wallets, usually by publishing addresses or signing messages.

Liabilities are more difficult. Most exchanges take a snapshot of user balances and commit them to a Merkle tree, often a Merkle-sum tree. Users can verify that their balances are included by checking an inclusion proof, without everyone's accounts being made public.

If done correctly, PoR shows whether onchain assets cover customer accounts at a given moment.

Did you know? Binance allows each user to verify their inclusion in its PoR snapshot. Through the verification page, Binance generates a Merkle tree-based cryptographic proof so that users can verify that their account has been included without revealing other people's data or balances.

How can an exchange “pass PoR” and still be dangerous?

PoR can improve transparency, but should not be relied upon solely as a measure of a company's financial health.

First, a report on assets without full liabilities doesn't demonstrate solvency. While onchain wallets may appear robust, liabilities may be incomplete or selectively defined, missing items such as loans, derivatives exposures, legal claims, or off-chain payments. The business may demonstrate that funds exist without proving that it is able to meet all of its obligations.

Also, a single attestation does not tell you what the balance sheet looked like last week or what it looked like the day after the report. In theory, assets can be temporarily borrowed to improve the snapshot, then returned later.

Next, encumbrances are often not visible. PoR typically can't tell you whether assets are held as collateral, borrowed or otherwise tied up, which means they may not be available when withdrawals increase.

Liquidity and valuation can also be misleading. Holding assets is not the same as being able to liquidate them quickly and at scale in times of stress, especially if reserves are concentrated in thinly traded tokens. PoR does not address this issue; it takes more transparent risk and liquidity disclosures.

A PoR is not the same as an audit.

A lot of the trust problem comes from a mismatch of expectations.

Many users see PoR as a security certificate. In fact, many PoR engagements resemble agreed-upon procedures (AUPs). In these cases, the practitioner performs certain checks and reports the findings without providing an audit-type opinion on the overall health of the company.

By contrast, an audit or review is designed to provide an assurance conclusion within a formal framework. AUP reporting is narrow. It explains what has been examined and observed, and then leaves the interpretation to the reader. Under International Standard on Related Services (ISRS) 4400, an AUP engagement is not an assurance engagement and does not express an opinion.

Regulators have highlighted this gap. The Public Company Accounting Oversight Board has warned that PoR reports are limited in nature and should not be taken as proof that the company has sufficient assets to meet its financial obligations, especially because there is no consistency in how PoR work is done and defined.

This is why PoR has attracted more scrutiny after 2022. Mazars temporarily suspended its work for crypto clients, citing concerns about how PoR-style reports were presented and how the public would interpret them.

So what is a functional trust stack?

PoR may be a starting point, but real trust comes from combining transparency with proof of solvency, strong governance and clear operational controls.

Start with solvency. The correct step is to show assets against the full set of liabilities, ensuring that assets are greater than or equal to liabilities. Merkle-based liability proofs, along with newer zero-knowledge approaches, aim to close the gap without exposing individual balances.

Next, add assurance around how the exchange actually works. A snapshot does not show that the platform has disciplined controls such as key management, access permissions, change management, incident response, segregation of duties and security workflows. This is why institutional due diligence often relies on System and Organization Controls (SOC) reporting and similar frameworks that measure controls over time rather than at a single point in time.

Make liquidity and encumbrance visible. Solvency on paper does not guarantee that an exchange will survive a run. Users need clarity on whether reserves are unencumbered and how quickly holdings can be converted into liquid assets.

Anchor it in governance and disclosure. Credible oversight depends on clear safeguarding frameworks, conflict management and consistent disclosures, especially for products that introduce additional obligations such as yield, margin and credit.

PoR helps, but cannot replace accountability.

PoR is better than nothing, but it remains narrow and point-in-time (although it is often marketed as a security certificate).

By itself, PoR does not establish solvency, liquidity or control quality. So before you treat a PoR badge as “safe”, consider the following:

Are liabilities included or just assets? Asset-only reporting cannot demonstrate solvency.

What is in scope? Are margin products, loans or off-chain obligations excluded?

Is it snapshot reporting or continuous? A single day can be dressed up. Consistency matters.

Are reserves unencumbered? “Held” is not the same as “available during stress.”

What kind of engagement is it? Many PoR reports are limited in scope and should not be read as an audit opinion.
