Proof of Reserves Is Not Proof of SolvencyA Standard for Verifiable Custody Attestation

Proof of reserves became prominent after failures in which holders discovered, too late, that the assets they believed were there were not. The response was a mechanism to demonstrate, cryptographically, that an entity controls the assets it claims to hold. This was a genuine advance over taking the claim on faith, and it has been widely adopted and widely misunderstood. The misunderstanding is in the name. A proof of reserves proves reserves. It does not prove solvency, and the two are routinely conflated in a way that gives holders false comfort.

Solvency is a relationship between two quantities: the assets an entity holds and the liabilities it owes. An entity is solvent when its assets exceed its liabilities and insolvent when they do not. A proof of reserves speaks only to the first quantity. It can establish, more or less rigorously, that assets exist and are controlled. It says nothing, on its own, about the liabilities those assets must cover. An entity can hold exactly the assets it claims, prove them perfectly, and still owe far more than it holds, which is to say it can be insolvent while displaying a valid reserve proof. The proof was true and the comfort it gave was false, because it answered a question the holder was not actually asking.

This report sets out what reserve proofs, liability attestation, and independent assurance can and cannot establish, and what a credible standard for custody attestation would require. The argument is that a reserve proof is a useful component of assurance and a dangerous substitute for it, that the liability side and the treatment of encumbrance are the parts that actually determine solvency, and that assurance which can be staged for a known moment is far weaker than assurance which cannot be predicted. An institution or a holder relying on a reserve proof should know precisely what it establishes, which is less than its name suggests, and should insist on the components that turn evidence about assets into a statement about solvency.

To use a reserve proof correctly, be precise about what it actually demonstrates, because the gap between what it shows and what people take it to show is where the false comfort lives. In its common form, a proof of reserves establishes that an entity controls a set of assets, often by demonstrating control of the addresses holding them, at the moment the proof is produced. Some implementations add a way for individual holders to confirm that their balances are included in the total the entity claims to back, which strengthens the link between the reserve and the obligations to holders.

What this establishes is real and worth having. It shows that the assets are not simply asserted but demonstrably controlled, which defeats the crudest failure, claiming to hold assets that do not exist. For a holder, knowing that the entity can actually demonstrate control of the assets backing their balance is meaningfully better than knowing only that the entity says so. The cryptographic demonstration is a genuine improvement in the asset side of the picture.

What it does not establish is almost everything else that determines whether the holder is safe. It does not show the liabilities the assets must cover, so it cannot speak to solvency. The control it demonstrates is usually fixed to the instant the proof was taken, which leaves the times before and after unaddressed. And in its basic form it is silent on whether the assets are encumbered, pledged, or borrowed, which means it can display holdings that are already promised elsewhere. Each of these is a gap between what the proof shows and what a holder needs to know, and each is routinely papered over by presenting the proof as if it were a clean bill of health. The honest reading of a basic reserve proof is narrow: these assets were controlled at this moment. Everything beyond that narrow statement requires more, and the more is where solvency actually lives.

The grid sets out the components that together make up genuine custody assurance, what each establishes, what it cannot, and what is needed to close the gap. A reserve proof supplies the first row and is often mistaken for the whole table.

Read together, the components show how far a basic reserve proof sits from genuine solvency assurance. It supplies asset existence at a moment and none of the rest, and the rest is where the question of whether holders are safe is actually answered.

Even confined to the assets, a reserve proof has limits worth understanding, because the asset side is not as settled as a valid proof makes it look. The proof demonstrates control of assets at the moment it is produced, and that moment is usually known in advance, which creates room for the assets to be present for the occasion and not at other times.

The clearest version of this is borrowing for the proof. An entity that does not actually hold sufficient assets can, in principle, borrow them shortly before a scheduled proof, demonstrate control of the borrowed assets at the appointed moment, and return them afterward. The proof is cryptographically valid: the entity did control those assets when the proof was taken. It is also deeply misleading, because the control was temporary and arranged for the demonstration. A point in time proof on a known schedule is vulnerable to exactly this staging, and the vulnerability is inherent in proving control at a predictable moment rather than continuously.

The asset side also depends on completeness. A proof shows control of the addresses it includes, and an entity controls the scope of what it includes. If the proof covers only some of the relevant assets, or if the link between the proven assets and the actual obligations is loose, the proof can be valid for what it covers and silent about what it omits. None of this makes reserve proofs worthless; demonstrating control of assets is better than asserting it. It means the asset side of a reserve proof should be read with its limits in mind: control was shown for the included assets at the proven moment, which is not the same as those assets being genuinely and durably held, free and clear, in the amount the obligations require. The asset side is the part reserve proofs do best, and even there the proof shows less than its confidence suggests.

The decisive omission in most reserve proofs is the liability side, and it is decisive because solvency is impossible to assess without it. Knowing that an entity controls a billion in assets tells a holder nothing about safety if the entity owes two billion. The assets are real, the proof is valid, and the entity is insolvent, because the question was never how much it holds but whether what it holds exceeds what it owes.

The reason the liability side is usually missing is that it is genuinely hard to prove. Assets can be demonstrated cryptographically, because controlling an address is something a ledger can attest to. Liabilities are not on the ledger in the same way. What an entity owes depends on its obligations to holders, its borrowings, its off chain commitments, and its contingent liabilities, and most of these live in agreements and books rather than in verifiable on chain form. There is no cryptographic proof of what you owe in the way there is of what you control, because owing is a relationship recorded off chain, and an entity could always have obligations that no proof reveals. This asymmetry is the heart of the problem: the asset side is provable and the liability side is attestable at best, and an honest assurance has to grapple with that asymmetry rather than ignore the side that resists proof.

Because liabilities cannot be proven cryptographically, assessing them requires the older tools of assurance: a rigorous account of obligations, examined by a competent and independent party, against a defined standard. This is closer to an audit than a cryptographic proof, and it is exactly the part that reserve proofs were sometimes marketed as replacing. The marketing had it backward. The cryptographic proof handles the easy side, the assets, and the hard side, the liabilities, still requires the kind of independent examination that finance has always used to assess what an entity owes. A solvency statement that rests on a cryptographic reserve proof and no rigorous liability account has automated the easy half and skipped the half that actually determines the answer.

Two further problems sit between a reserve proof and a solvency statement, and both are ways that assets which exist and are controlled can still fail to back what they appear to back. The first is encumbrance. Assets can be controlled by an entity and simultaneously promised to someone else, pledged as collateral, lent out, or otherwise claimed. An asset that is controlled but encumbered is not freely available to meet the entity's obligations to its holders, because it is already spoken for. A reserve proof that demonstrates control without addressing encumbrance can show full backing for assets that are wholly or partly committed elsewhere, which is a kind of double counting: the same assets backing both the holders and whoever holds the encumbrance. Genuine assurance has to establish not just that the assets exist and are controlled but that they are free of competing claims, and that establishing requires disclosure and verification of encumbrances, which a basic proof does not provide.

The second problem is the point in time trap, which compounds everything else. A reserve proof produced at a known moment establishes a fact about that moment and nothing about any other. Holders are exposed to the entity continuously, not just at the moments proofs are taken, so a position that is sound at the moment of each scheduled proof and unsound in between leaves holders exposed exactly when no one is looking. Scheduled, point in time proofs invite the staging described earlier, because they tell the entity precisely when it needs to look solid. A reserve verified at predictable moments is a reserve that only needs to exist at predictable moments.

The defense against both problems points in the same direction: assurance that is continuous or unpredictable rather than scheduled, and that addresses claims against the assets rather than only their existence. Assurance that cannot be predicted is far harder to stage, because the entity cannot know when it must look solid and so must actually be solid throughout. Assurance that accounts for encumbrance cannot be satisfied by assets that are already promised away. These are demanding requirements, and they are the requirements that separate a reserve proof, which shows controlled assets at a chosen moment, from genuine assurance, which shows that unencumbered assets sufficient to cover obligations are held continuously. The gap between the two is the gap between what holders are usually given and what they actually need.

A credible standard for custody attestation can be described by assembling the components the previous sections established, and the description is useful because it lets a holder or an institution judge any given attestation against what genuine assurance requires. The standard is demanding by design, because the thing it assures, that holders' assets are safe, is the thing that matters most and is hardest to fake under a rigorous scheme.

A credible attestation establishes four things together. It establishes asset existence verifiably, using the cryptographic control demonstration that reserve proofs do well, with completeness over the relevant assets and a clear link to the obligations. It establishes the liability side rigorously, through an independent account of what the entity owes, conducted with the seriousness of an audit because the liabilities cannot be proven cryptographically. It establishes that the assets are unencumbered, through disclosure and verification of any claims against them, so that the assets backing holders are genuinely free to do so. And it provides assurance that is continuous or unpredictable rather than scheduled, so that the position must hold throughout rather than only at known moments. An attestation with all four is a statement about solvency. An attestation with only the first is a statement about assets that is often dressed as a statement about solvency.

The practical use of this standard is as a measuring stick. Presented with any reserve proof or attestation, a holder can ask which of the four components it actually includes. Most will include the first and little else, and recognizing that is the point: the holder then knows the attestation establishes controlled assets at a moment and has not addressed liabilities, encumbrance, or continuity, and should be relied on accordingly. Where an attestation includes all four, conducted by a credible independent party against a defined scope, it is genuine assurance and can be relied on as such. The standard does not make weak attestations strong; it makes their weakness visible, which is exactly what a holder needs, because the danger was never the reserve proof itself but the belief that a reserve proof was more than it is. An attestation honestly scoped to what it establishes is useful. An attestation presented as proof of solvency when it proves only reserves is the failure this report exists to prevent.

Proof of reserves

A demonstration, often cryptographic, that an entity controls a set of assets at the moment the proof is produced.

Solvency

The condition of an entity's assets exceeding its liabilities, which a reserve proof alone cannot establish.

Liability

An obligation an entity owes, which must be set against its assets to determine solvency and which cannot be proven cryptographically.

Encumbrance

A claim against an asset, such as a pledge or loan, that makes a controlled asset unavailable to meet other obligations.

Point in time proof

An attestation that establishes a fact at a single, often scheduled, moment and nothing about other times.

Continuous assurance

Assurance that holds over time rather than at chosen moments, much harder to stage than a scheduled proof.

Independent assurance

An attestation conducted by a competent, independent party against a defined scope and standard.

Liability attestation

A rigorous, independent account of what an entity owes, the part of assurance that actually determines solvency.

Staging

Arranging assets to be present for a known proof moment, for example by borrowing, without holding them durably.

Citation slots below mark claims and context that require source verification before this document is treated as externally citable. They are placeholders by design. This library does not assert sourced facts without sources.

1. 01

   Technical descriptions of proof of reserves schemes, including inclusion proofs that link holder balances to attested totals.

   Citation pending[Citation needed: proof-of-reserves scheme documentation]

2. 02

   Assurance and audit standards for examining liabilities and producing solvency opinions.

   Citation pending[Citation needed: applicable assurance and audit standards]

3. 03

   Analyses of failures in which valid asset claims coexisted with insolvency due to liabilities or encumbrance.

   Citation pending[Citation needed: documented case studies of reserve and solvency failures]

4. 04

   Approaches to continuous or unpredictable attestation and their resistance to staging.

   Citation pending[Citation needed: research on continuous attestation methods]

For adjacent BlockHedge work, see The Custody Control Plane and Omnibus or Segregated for the custody arrangements an attestation speaks to, and The Oracle and Off-Chain Data Problem for the data dependency that reserve attestations feed into on chain logic.