UNIVERSITY
Security
What Is Proof of Reserves (PoR)? How Crypto Audits Work

What Is Proof of Reserves (PoR)? How Crypto Audits Work

What is Proof of Reserves, how is it conducted, and why does it matter? Find out more in this beginner’s guide.

Key Takeaways:

  • Reserves refer to assets held by an institution. Proof of Reserves (PoR) is a way to verify that an institution (e.g., a crypto exchange) holds sufficient reserves backing all customer balances. It is ideally conducted by an independent third-party auditor.
  • PoR is intended to allow customers a means of assessing an institution’s solvency and liquidity. In the context of recent developments in the crypto industry, PoR aims to improve transparency and customer trust.
  • Generally, PoR in the crypto industry involves a snapshot of customer balances in the form of a Merkle tree. This data structure allows customers to independently verify that their assets are included in the snapshot balance.
  • Crypto.com believes that publicly sharing PoR audited reports are vital in upholding transparency commitments. Find out more about Crypto.com’s PoR.

What Is Proof of Reserves (PoR)?

In finance, reserves commonly refer to assets held by a company that could serve various purposes, including fully matching customer deposits. Proof of Reserves (PoR) is a term to describe an independent audit to verify that the audited party holds enough reserves to back all of its customer balances.

For crypto asset PoR, this means an auditor verifies that the on-chain assets held by the company are no less than 100% matching customer assets as shown in their balance at the time of the audit. This can help reassure customers that the company is sufficiently liquid and solvent, and that the funds are accessible to the customers should they choose to withdraw.

In light of recent developments in the crypto industry, PoR is crucial to: 

  • Provide transparency to customers on the availability and backing of funds.
  • Enhance trust by allowing each customer to independently and cryptographically verify that their account balances are included in the PoR.

How Is a PoR Conducted?

PoR consists of several steps:

  1. Verifying that the audited company owns the assets they claim to control on behalf of their customers.
  2. Verifying the assets held by the audited company against the exact amount of total customer assets per their aggregated account balances for each of the audited assets.
  3. Constructing a verification tool that allows each customer to individually verify that their account balances were indeed included in the PoR.

The most common way to verify that customer balances are fully backed in the crypto industry is by constructing a data structure called a Merkle tree (using a snapshot of individual customer balances). 

Thanks to their security and privacy-friendly features, Merkle trees have been adopted in many Distributed Ledger Technology (DLT) projects, including Bitcoin.

 See How Do Bitcoin Transactions Work to learn more about Merkle trees.

Leaves and Roots — The Make-Up of a Merkle Tree

Simply put, a Merkle tree is a data structure constructed by repeatedly hashing a set of data (i.e., two or more pieces of data). With every layer of hashing, the number of data pieces (Merkle leaves) is exponentially reduced (e.g., halved if two pieces of data are hashed each time) until, eventually, a single hash — also referred to as the Merkle root — remains, sitting at the top of the Merkle tree. 

Hashing is a computation to transform a value into another value that is hard to reverse engineer. For example, if given a value, it is easy to compute what its hash is; yet given the hash of a value, one could not reversely work out what the original value is. Therefore, hashing (or repeated hashing) is frequently used as a ‘one-way’ function to protect privacy and avoid exposing the values of the underlying data.

In the context of PoR, applying a Merkle tree allows the auditor to aggregate the data of all customers’ account balances into a single Merkle root without publicly exposing the account balance of any individual customer, thereby preserving privacy. 

Merkle Tree Example

  • Layer 0: A snapshot of each customer’s account balance is taken. This data is not publicly exposed to protect user privacy.
  • Layer 1: The account balance of each customer is first concatenated by other information (e.g., adding certain modifier numbers to protect privacy) before being hashed once to form the Merkle leaves at the bottom of the tree.
  • Layer 2 to Layer N: Every pair of hashes is repeatedly hashed, exponentially reducing the number of Merkle leaves at each layer of the Merkle tree.
  • Merkle root: A single hash that sits at the top of the tree.
Example of a Merkle tree

Each customer is given a Merkle leaf constructed by hashing their account balances. This allows them to verify that the leaf matches the same Merkle root that was disclosed. 

Any tampering with a customer’s account balance would result in a change that cascades up the tree, resulting in a different Merkle root. Throughout this process, customers cannot see the account balances of others, thus preserving privacy.

How to Access Crypto.com’s Proof of Reserves

Crypto.com customers who opened an account on or before the PoR attestation can independently verify that their account balances for audited tokens have been included in PoR. For a step-by-step guide on how to find your Merkle leaf, please visit https://crypto.com/proof-of-reserves.

In addition to PoR, Crypto.com continues to strengthen our security and data privacy, which we believe are the foundations of achieving mainstream adoption of crypto. For more information on Crypto.com’s certifications, assessments, and security-related practices, please visit https://crypto.com/security.

Due Diligence and Do Your Own Research

There are no formally accepted rules or procedures that define a Proof of Reserves audit. This article includes specific procedures by way of example only. All examples listed in this article are for informational purposes only. You should not construe any such information or other material as legal, tax, investment, financial, or other advice. Nothing contained herein shall constitute a solicitation, recommendation, endorsement, or offer by Crypto.com to invest, buy, or sell any coins, tokens, or other crypto assets. Returns on the buying and selling of crypto assets may be subject to tax, including capital gains tax, in your jurisdiction. Any descriptions of Crypto.com products or features are merely for illustrative purposes and do not constitute an endorsement, invitation, or solicitation.

Past performance is not a guarantee or predictor of future performance. The value of crypto assets can increase or decrease, and you could lose all or a substantial amount of your purchase price. When assessing a crypto asset, it’s essential for you to do your research and due diligence to make the best possible judgement, as any purchases shall be your sole responsibility.

Share with Friends

Ready to start your crypto journey?

Get your step-by-step guide to setting upan account with Crypto.com

By clicking the Submit button you acknowledge having read the Privacy Notice of Crypto.com where we explain how we use and protect your personal data.

Crypto.com Mobile App