
Advanced Crypto Asset Verification: How to Audit Exchange Solvency and Protect Your Holdings

The cascade of centralized crypto platform failures throughout 2022 and into 2023, culminating most recently in the CoinLoan asset freeze on April 25, 2023, has created an urgent need for advanced techniques to verify the solvency of custodial platforms. While beginners focus on basic security practices, experienced crypto users need sophisticated tools and methodologies to assess whether an exchange or lending platform actually holds the assets it claims. This tutorial walks through the technical process of verifying platform solvency using on-chain data, proof-of-reserves reports, and independent auditing techniques.

The Objective

The goal is to independently verify, to the greatest extent possible, that a centralized crypto platform holds sufficient assets to cover all user deposits. This involves cross-referencing on-chain data with published proof-of-reserves reports, analyzing withdrawal patterns for signs of liquidity stress, and constructing a risk assessment framework that accounts for both on-chain and off-chain factors.

With Bitcoin at approximately $28,307 and Ethereum near $1,866, even small discrepancies between claimed and actual reserves can represent significant financial exposure. The collapse of FTX demonstrated that seemingly solvent exchanges can be operating with massive undisclosed deficits, making independent verification not just prudent but essential.

Prerequisites

This tutorial assumes familiarity with blockchain explorers such as Etherscan and Blockchain.com, a basic understanding of cryptographic hash functions, and comfort using command-line tools. You will need access to a block explorer with API capabilities, a spreadsheet application for data analysis, and optionally, a Python environment for automating verification tasks.

An understanding of Merkle tree data structures is helpful but not required. The key concept is that proof-of-reserves implementations typically use Merkle trees to allow users to verify that their specific balance is included in the total claimed reserves without revealing the balances of other users.

Step-by-Step Walkthrough

Step one: Obtain the exchange's published proof-of-reserves report. Major exchanges like Binance, Kraken, and Bitfinex periodically release these reports, typically prepared by third-party auditing firms. Download the most recent report and note the date, the total assets claimed, and the specific wallet addresses provided.

Step two: Verify the on-chain balances of the published wallet addresses. Using a blockchain explorer API, query the current balance of each address listed in the proof-of-reserves report. For Bitcoin, you can use the Blockchain.com API endpoint to check address balances. For Ethereum and ERC-20 tokens, Etherscan provides a comprehensive API. Record each address and its balance in your spreadsheet.

Step three: Calculate the total on-chain reserves and compare them to the total claimed reserves in the report. If the on-chain total is significantly less than the claimed total, this is a major red flag. Note that some discrepancy is expected because exchanges may hold assets in cold storage addresses not included in the report, or may have moved funds between addresses since the report was generated. However, the on-chain total should not be substantially less than the claimed total.

Step four: Verify your personal inclusion in the Merkle tree. Most proof-of-reserves implementations provide a way for individual users to verify that their specific balance is included in the total. This typically involves providing your account ID and balance, then receiving a Merkle proof that your data is a leaf in the tree. Use the verification tool provided by the auditor or, for maximum confidence, implement the Merkle proof verification yourself using a cryptographic library.

Step five: Analyze historical on-chain behavior. Use blockchain analytics to track the flow of funds into and out of exchange wallet addresses over time. Look for patterns such as large transfers to unknown addresses, gradual depletion of reserves, or unusual interactions with DeFi protocols that might indicate the exchange is using deposited funds for proprietary trading or lending.

Step six: Cross-reference withdrawal behavior with reported data. If an exchange has been gradually reducing withdrawal limits, as CoinLoan did from July 2022 through April 2023, this should correlate with decreasing on-chain reserves. If the exchange claims high reserves while simultaneously restricting withdrawals, the discrepancy warrants further investigation.
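
The do-it-yourself check from step four, as an added example (not code from this article's author, any exchange, or any auditor). It goes one step beyond a plain Merkle tree and verifies a Merkle sum tree, in which every node also commits to the sum of the balances beneath it, so the same proof ties your balance to the published liability total. The leaf encoding, the proof format, and the sample accounts are assumptions constructed for illustration; a real program defines its own.

```python
import hashlib

def h(*parts: bytes) -> bytes:
    """SHA-256 over length-prefixed parts so field boundaries cannot be shifted."""
    d = hashlib.sha256()
    for p in parts:
        d.update(len(p).to_bytes(4, "big") + p)
    return d.digest()

def leaf(account_id: str, balance: int):
    """A node is (hash, sum); a leaf commits to one account and its balance."""
    return h(b"leaf", account_id.encode(), str(balance).encode()), balance

def parent(left, right):
    """The parent commits to both child hashes AND both child sums."""
    digest = h(b"node", left[0], str(left[1]).encode(), right[0], str(right[1]).encode())
    return digest, left[1] + right[1]

def verify_inclusion(account_id, balance, proof, root_hash, claimed_total):
    """proof: (side, sibling_hash, sibling_sum) tuples from leaf to root,
    where side is the sibling's position, "L" or "R"."""
    if balance < 0:
        return False
    node = leaf(account_id, balance)
    for side, sib_hash, sib_sum in proof:
        # A negative sibling sum would hide liabilities; reject it.
        if side not in ("L", "R") or sib_sum < 0:
            return False
        sib = (sib_hash, sib_sum)
        node = parent(sib, node) if side == "L" else parent(node, sib)
    # Both the root hash and the total liabilities must match the report.
    return node == (root_hash, claimed_total)

# Constructed sample data: four accounts, balances in satoshis.
ACCOUNTS = [("alice", 150_000), ("bob", 2_000_000), ("carol", 75_000), ("dave", 900_000)]

def build_sample():
    """Build the tiny tree the way the platform would; return root and carol's proof."""
    l = [leaf(a, b) for a, b in ACCOUNTS]
    n01, n23 = parent(l[0], l[1]), parent(l[2], l[3])
    return parent(n01, n23), [("R", *l[3]), ("L", *n01)]

if __name__ == "__main__":
    root, proof = build_sample()
    print("published total:", root[1])
    print("carol included:", verify_inclusion("carol", 75_000, proof, *root))
    print("understated balance:", verify_inclusion("carol", 70_000, proof, *root))
```

A passing check only shows that your balance is counted in the liability total. Whether the platform holds assets to match that total is what steps two and three address.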

Troubleshooting

If you encounter addresses in the proof-of-reserves report that show zero or very low balances, this may indicate that the exchange has rotated addresses since the report was generated. Contact the exchange or auditor for clarification, but treat unexplained discrepancies seriously. If the Merkle proof verification fails for your account, this could indicate an error in the report or, more concerning, that your balance was not actually included in the audited total.

Some exchanges do not publish proof-of-reserves reports at all. In these cases, on-chain analysis becomes your primary tool. Track known exchange addresses using community-maintained lists and monitor for significant changes in total holdings. The absence of a proof-of-reserves program should itself be considered a risk factor.

Mastering the Skill

Advanced exchange solvency verification is an ongoing practice, not a one-time task. Set up automated monitoring using blockchain explorer APIs to track exchange wallet balances on a weekly basis. Build a dashboard that aggregates data across multiple exchanges and highlights significant changes. Join the crypto security community on platforms like GitHub and security-focused forums to share findings and collaborate on identifying emerging risks before they result in platform failures.

The ultimate protection is self-custody. No amount of auditing can guarantee that an exchange will not fail, but rigorous verification allows you to make informed decisions about how much risk you are willing to accept by keeping assets on a third-party platform.

Disclaimer: This article is for informational purposes only and does not constitute financial or legal advice. Always conduct your own research before making investment decisions.


10 thoughts on “Advanced Crypto Asset Verification: How to Audit Exchange Solvency and Protect Your Holdings”

  1. proof of reserves is better than nothing but it's a snapshot, not real-time. an exchange could be insolvent 5 minutes after publishing one

    1. 0xReserves.eth

      exactly. the FTX proof of reserves was literally published days before they collapsed. snapshots are theater

    2. snapshots can be gamed. the real test is whether you can withdraw right now, today, at whatever amount. everything else is theater

    3. exactly this. a real-time reserve system would need continuous attestation not snapshots. nobody wants to build that because then the gaps become obvious

  2. the withdrawal pattern analysis is the most actionable part of this. if withdrawals start slowing down on a platform, get out immediately. CoinLoan showed us that

    1. ^ the $5k/day limit CoinLoan had was basically them screaming ‘we don't have your money’ and people still kept funds there

    2. withdrawal speed is the canary in the coal mine. celsius started with 24h delays and within a week it was total freeze

      1. custody_paranoia

        24h delays were the warning sign for celsius too. once an exchange starts processing withdrawals instead of sending them, your money is already gone

  3. Juliana Costa

    the merkle tree proof of reserves method has so many loopholes. negative balances, borrowed funds for the snapshot, excluded liabilities. it's a starting point not a solution

    1. juliana is spot on about negative balances. a merkle proof shows you have an account but says nothing about whether you owe the platform money elsewhere. liabilities are the black box
