
Proof of Reserves Under the Microscope: How Blockchain Auditing Fell Apart After FTX

The Core Concept

The collapse of FTX in November 2022 sent shockwaves through the cryptocurrency industry, exposing a fundamental flaw in how exchanges verify their holdings. In the aftermath, proof of reserves emerged as the supposed solution — a cryptographic method allowing exchanges to demonstrate they hold sufficient assets to cover customer deposits without revealing individual account details. By December 19, 2022, however, this concept was already unraveling. Mazars Group, the global accounting firm that had been conducting proof-of-reserves audits for major exchanges including Binance, Crypto.com, and KuCoin, abruptly suspended all crypto audit work and deleted the relevant pages from its website. The move left the industry scrambling for answers and raised serious questions about whether any existing verification method could truly guarantee exchange solvency.

Proof of reserves relies on a combination of Merkle tree data structures and cryptographic signatures. In theory, an exchange constructs a Merkle tree in which each leaf commits to one customer's (hashed) identifier and balance, and each internal node commits to its two children together with the sum of the balances beneath them. The root hash is therefore a compact commitment to every balance and to their total, which is the exchange's customer liability. An independent auditor then checks that this total is covered by on-chain addresses the exchange demonstrates it controls, typically by signing an auditor-supplied message with each address's private key. Any user can verify that their own balance is included by recomputing the path from their leaf to the root, without learning anything about other users. It sounds elegant on paper. In practice, the implementation has proven far more problematic.

How It Works Under the Hood

At its core, a Merkle proof of reserves involves three distinct components. First, the exchange must construct a complete liability snapshot, a Merkle tree containing every customer obligation. Second, the auditor verifies that the root of this tree commits to the claimed total liabilities. Third, the auditor checks that the exchange controls on-chain addresses holding at least that amount of cryptocurrency. The critical weakness lies in what this process does not verify: the auditor can confirm that the tree is internally consistent and that the attested reserves cover its total, but not that the tree is complete, because the exchange alone decides which obligations go into it. Proof of reserves is also a point-in-time snapshot. It says nothing about where those assets were an hour before the audit, nor whether the exchange has undisclosed liabilities on other chains or in off-chain arrangements.

The technical infrastructure supporting these audits involves API endpoints that let users fetch their own leaf and the sibling hashes on the path from that leaf to the root, recompute the root locally, and compare it with the published value. Exchanges like Binance implemented this through dedicated verification pages where users could input their account ID and receive a cryptographic proof of inclusion. However, security researchers quickly pointed out several limitations. An inclusion proof tells a user only that their own balance was counted; it says nothing about customers who were left out of the tree. The process does not account for borrowed funds that could be temporarily moved into the attested addresses to pass an audit. It also does not address liabilities denominated in fiat currencies or stablecoins issued on less transparent blockchains.
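To make the three steps concrete, here is an added example in Python (written for this article; it is not Binance's, Mazars' or any exchange's code) of the summation-style Merkle tree the paragraphs above describe: each leaf commits to a salted user identifier and balance, each parent commits to its two children and their summed balance, a user verifies a sibling path against the published root, and the reserve check compares on-chain holdings with the root's total. The account names, salts, balances and wallet labels are constructed sample data, and the hash layout, the padding rule for odd-sized levels and the 'L'/'R' proof encoding are this example's own choices rather than any exchange's format. The demo also exercises the gap this section calls out: dropping one customer from the tree leaves every other user's proof valid and lets the reserve check pass against an actual shortfall.

```python
"""Summation Merkle tree for a proof-of-reserves liability snapshot.

Added illustration, not the code of any exchange or auditor. Balances are
integer satoshis; the hash layout and proof encoding are this example's own.
"""
import hashlib
from dataclasses import dataclass

SATS = 100_000_000  # 1 BTC in satoshis; integers avoid float rounding in sums


def sha256(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


@dataclass(frozen=True)
class Node:
    digest: bytes
    total: int  # sum of every balance committed below this node


# Filler for odd-sized levels. Duplicating the last real node, as plain Merkle
# trees often do, would count that customer's balance twice in the root total.
EMPTY = Node(digest=bytes(32), total=0)


def leaf(user_id: str, salt: bytes, balance: int) -> Node:
    """Leaf commits to (salt, user id, balance). The exchange hands each user
    their own salt so they can recompute their leaf; nobody else can link it."""
    if balance < 0:
        raise ValueError("a customer liability cannot be negative")
    return Node(sha256(salt, user_id.encode(), balance.to_bytes(8, "big")), balance)


def combine(left: Node, right: Node) -> Node:
    """Parent hashes both child digests AND the summed balance, so the total
    an auditor reads at the root is bound by the same commitment users verify."""
    total = left.total + right.total
    return Node(sha256(left.digest, right.digest, total.to_bytes(8, "big")), total)


def build_levels(leaves: list[Node]) -> list[list[Node]]:
    """Bottom-up tree: levels[0] is the (padded) leaf row, levels[-1] the root."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2:
            cur.append(EMPTY)  # pad in place so sibling lookups stay valid
        levels.append([combine(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels


def root(levels: list[list[Node]]) -> Node:
    return levels[-1][0]


def inclusion_proof(levels: list[list[Node]], index: int) -> list[tuple[Node, str]]:
    """Sibling path from leaf `index` to the root, as (sibling, 'L' or 'R'),
    where the letter says which side the sibling sits on relative to our node."""
    path = []
    for level in levels[:-1]:
        path.append((level[index ^ 1], "L" if index % 2 else "R"))
        index //= 2
    return path


def verify_inclusion(my_leaf: Node, path: list[tuple[Node, str]], published_root: Node) -> bool:
    """What a customer runs: recompute the root from their own leaf plus the
    sibling path served by the exchange, then compare with the published root."""
    node = my_leaf
    for sibling, side in path:
        node = combine(sibling, node) if side == "L" else combine(node, sibling)
    return node == published_root


def reserves_cover_liabilities(onchain: dict[str, int], liabilities_root: Node) -> bool:
    """Auditor's solvency step: holdings of addresses the exchange proved it
    controls, versus the liability total committed in the root."""
    return sum(onchain.values()) >= liabilities_root.total


def demo() -> dict:
    # Constructed sample data: four customers, deterministic salts (a real
    # deployment draws them from os.urandom), and two labelled cold wallets.
    accounts = {"alice": 150 * SATS, "bob": 40 * SATS, "carol": 9 * SATS, "dave": 1 * SATS}
    salts = {u: sha256(b"demo-salt:", u.encode()) for u in accounts}
    onchain = {"cold-wallet-1": 120 * SATS, "cold-wallet-2": 75 * SATS}  # 195 BTC

    order = list(accounts)
    honest = build_levels([leaf(u, salts[u], accounts[u]) for u in order])
    alice_leaf = leaf("alice", salts["alice"], accounts["alice"])
    carol_leaf = leaf("carol", salts["carol"], accounts["carol"])

    # The exchange quietly publishes a tree without Carol. It is still
    # internally consistent, so nothing in the math flags the omission.
    order2 = [u for u in order if u != "carol"]
    doctored = build_levels([leaf(u, salts[u], accounts[u]) for u in order2])

    return {
        "honest_total_btc": root(honest).total // SATS,
        "alice_ok": verify_inclusion(alice_leaf, inclusion_proof(honest, order.index("alice")), root(honest)),
        "doctored_total_btc": root(doctored).total // SATS,
        # Everyone still in the tree verifies fine against the doctored root...
        "alice_ok_after_omission": verify_inclusion(alice_leaf, inclusion_proof(doctored, order2.index("alice")), root(doctored)),
        # ...and only Carol, if she checks, sees her (stale) proof fail.
        "carol_stale_proof_ok": verify_inclusion(carol_leaf, inclusion_proof(honest, order.index("carol")), root(doctored)),
        # 195 BTC on chain is short of the real 200 BTC but "covers" the 191 BTC root.
        "honest_covered": reserves_cover_liabilities(onchain, root(honest)),
        "doctored_covered": reserves_cover_liabilities(onchain, root(doctored)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two details in the block matter in practice. The balance sum is hashed into every parent, so an exchange cannot publish a root that users verify against and a different total for the auditor. And odd-sized levels are padded with a zero-balance node rather than by duplicating the last leaf, because in a summation tree the usual duplication trick would double-count a customer's balance in the root total.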

With Bitcoin trading at approximately $16,440 and Ethereum at $1,168 on December 19, 2022 — both near their bear market lows — the stakes were extraordinarily high. Billions of dollars in customer funds had been lost in the FTX collapse, and trust in centralized exchanges had reached its lowest point since the Mt. Gox disaster of 2014.

Real-World Applications

Before its withdrawal, Mazars had completed proof-of-reserves reports for several major exchanges. Binance’s report, published on December 7, claimed the exchange held 101% of Bitcoin liabilities for its covered addresses. Crypto.com received a similar attestation. But the reports came with significant caveats that many retail users overlooked. The Mazars reports were not full financial audits — they were agreed-upon procedures engagements, a far less rigorous standard. They did not express an opinion on the completeness of the data provided by the exchanges.

The distinction matters enormously. In a traditional financial audit, auditors independently verify transactions, confirm balances with third parties, and assess internal controls. Mazars’ crypto work involved taking the exchange’s own data at face value and performing limited cryptographic checks. When Mazars deleted its proof-of-reserves page on December 16, it effectively invalidated all the confidence those reports had been meant to inspire. The firm gave no public explanation beyond confirming it had paused all work for crypto clients globally.

On-chain analytics firms like Glassnode and Nansen had reported that Binance experienced net outflows of approximately $3.7 billion in the week following the FTX collapse, with a further spike occurring after the Mazars withdrawal. While large outflows do not necessarily indicate insolvency — they can reflect legitimate risk management by users — the optics were devastating for an industry desperate to restore credibility.

Scalability and Limitations

The fundamental limitation of proof of reserves is its inability to provide continuous assurance. Even if conducted perfectly, a snapshot audit only verifies solvency at one specific moment. An exchange could move assets through different wallets or use short-term borrowing to manipulate the results. More sophisticated approaches, such as real-time reserve monitoring using on-chain oracles or zero-knowledge proofs, remain largely theoretical or in early testing phases as of late 2022.

The scalability challenge is also significant. For an exchange with tens of millions of users, regenerating the complete Merkle tree for every audit cycle and serving an inclusion proof to each of those users is a substantial operational burden, and the snapshot has to be scheduled so that assets cannot simply be moved in just before it and out just after it. Additionally, cross-chain assets present a verification nightmare: an exchange holding reserves across Ethereum, Bitcoin, Solana, Tron, and various layer-2 networks requires a unified proof that spans fundamentally different blockchain architectures, each with its own address formats and signature schemes for proving control.

The collapse of Mazars’ crypto auditing practice also highlighted the talent and expertise gap in the accounting profession. Very few established accounting firms have the technical capability to verify cryptographic proofs, understand blockchain data structures, and navigate the operational complexities of cryptocurrency exchanges. The Big Four firms had largely avoided the sector entirely, leaving a vacuum that smaller firms like Mazars attempted to fill — until the reputational risk proved too great.

The Future Horizon

The proof-of-reserves crisis of December 2022 may ultimately accelerate the development of more robust verification systems. Several projects were exploring zero-knowledge proof systems that could provide continuous, trustless verification of exchange liabilities. The proving systems behind Ethereum's zero-knowledge rollups, such as zkSync and StarkNet, offered the cryptographic primitives such a system would need. The total crypto market capitalization had fallen to approximately $807 billion by December 19, down dramatically from its peak, but the bear market was also forcing the industry to confront its structural weaknesses.

Regulatory pressure was mounting as well. The Fear and Greed Index had climbed to 29 from its lows of 20 during the FTX crisis, suggesting that while sentiment was improving, deep fear still dominated the market. US Senators Elizabeth Warren and Roger Marshall had introduced new anti-money-laundering legislation targeting crypto, and the Federal Reserve had indicated further interest rate increases were coming. Binance’s move to join the Chamber of Digital Commerce to help shape regulatory frameworks suggested the industry was beginning to accept that self-regulation through tools like proof of reserves was insufficient on its own.

Looking ahead, the path from point-in-time Merkle tree snapshots to continuous, trustless verification will likely require a combination of zero-knowledge cryptography, on-chain oracle networks, and standardized reporting frameworks enforced by regulators. The technology exists in pieces. What the events of December 2022 demonstrated is that assembling those pieces into a system worthy of public trust remains the central challenge facing the cryptocurrency industry.

Disclaimer

This article is for informational purposes only and does not constitute financial advice. Cryptocurrency investments carry significant risk, including the potential loss of principal. Always conduct your own research and consult with a qualified financial advisor before making investment decisions.


13 thoughts on “Proof of Reserves Under the Microscope: How Blockchain Auditing Fell Apart After FTX”

  1. Merkle trees are mathematically sound but the exchange still controls what balances go into the tree. It's like asking a bank to audit itself

    1. merkle_skep nailed it. PoR without liability disclosure is a magician showing you one hand while the other is empty

      1. magician analogy is perfect. FTX showed that the real danger was never what was on the balance sheet but what was deliberately left off

        1. FTX had $8 billion in hidden liabilities that no PoR would ever catch. the entire exercise was security theater from day one

  2. Mazars suspending all crypto work and deleting their reports within weeks of publishing them. The whole PoR era lasted maybe a month

    1. exactly, and Binance was pushing PoR hardest while refusing to disclose liabilities. assets without liabilities tells you nothing

    2. sats_n_scones

      Mazars deleting their own reports is such a bad look. like why even bother publishing if you bail in 3 weeks

      1. Mazars deleting their own audit reports should have been the nail in the coffin for PoR as a concept. instead exchanges just stopped pretending

  3. vault_inspector_

    Mazars bailing in 3 weeks proved more than any audit could. When the auditor doesn't trust their own work, why should anyone else

  4. Mazars lasted 3 weeks before nuking their own reports. the real question nobody asked was why Binance specifically needed a fresh audit every quarter if nothing was wrong

  5. The fundamental problem with PoR was never the Merkle tree math. It's that exchanges control both the inputs and the verification process

    1. mev_searcher_

      Exchanges controlling inputs AND verification means the whole thing is circular. You can't audit yourself and call it transparency
