Binance Holds 155B in Reserves and Coinbase Relies on SEC Audits Instead of Merkle Trees - Three Years After FTX We Still Have Not Fixed Exchange Transparency

Three years and two months after FTX collapsed and vaporized $8 billion in customer funds, I want to have an honest conversation about where the crypto industry actually stands on exchange transparency. The answer is not encouraging.

I am a security researcher who has audited DeFi protocols and studied exchange infrastructure for years. The current state of proof of reserves across the industry ranges from “genuine effort with significant limitations” to “security theater” to “we do not even bother.” Let me lay out the landscape.

The Current PoR Landscape: January 2026

CoinMarketCap published its latest exchange reserve rankings on February 4, 2026. Here is what the data shows:

Exchange | Total Reserves | Stablecoins                | PoR Method
Binance  | $155.6B        | $47.5B (30.5%)             | Merkle tree + third-party attestation
OKX      | $31.3B         | $12.5B                     | Merkle tree + monthly reports
Bybit    | $14.2B         | Heavy stablecoin weighting | Merkle tree
Gate     | $7.9B          |                            | Merkle tree
HTX      | $6.9B          |                            | 35-month continuous Merkle tree
Bitget   | $5.3B          |                            | Merkle tree + protection fund

That is $220 billion across six exchanges. The rest of the industry – hundreds of smaller exchanges – has either minimal PoR or none at all.

What Binance’s PoR Actually Proves (and What It Does Not)

Binance deserves credit for implementing Merkle tree-based proof of reserves after FTX. Their system allows individual users to verify that their balance is included in the tree, and third-party attestations confirm that on-chain assets match or exceed reported liabilities.

But there are critical limitations that the industry glosses over:

1. Point-in-time snapshots. Binance’s PoR shows reserves at the moment of the snapshot. It does not prevent the exchange from moving funds immediately after. Two exchanges could theoretically transfer assets to each other for their respective snapshots and send them back afterward. This is not hypothetical – it is a known gaming vector that PoR’s design does not prevent.

2. Off-chain liabilities are invisible. PoR reports focus on on-chain assets versus user deposit liabilities. They do not capture off-chain obligations: loans, derivatives positions, corporate expenses, or legal liabilities. An exchange could be technically “PoR-compliant” while being insolvent once off-chain debts are factored in.

3. Asset quality is unaddressed. Holding $155 billion in reserves sounds impressive, but what is the composition? If a significant portion is in illiquid tokens, proprietary exchange tokens, or assets with concentrated counterparty risk, the headline number overstates actual solvency. Binance’s 30.5% stablecoin allocation is healthy, but the composition of the remaining 69.5% matters enormously.

Coinbase’s Contrarian Approach

Coinbase presents an interesting contrast. CEO Brian Armstrong has explicitly stated that Coinbase will not provide Merkle tree-based proof of reserves. Instead, Coinbase relies on:

  • SEC-mandated audited financial statements (Deloitte as auditor)
  • Key signing ceremonies where auditors randomly sample cold storage addresses and require Coinbase to demonstrate ownership by moving funds
  • Public company reporting requirements with quarterly filings

There is a legitimate argument that this approach is actually more rigorous than crypto-native PoR. SEC-audited financials are comprehensive – they cover assets, liabilities, revenue, expenses, and contingent obligations. A Merkle tree only proves “we have at least X in crypto assets.” An audited balance sheet proves “here is our complete financial picture.”

The counterargument is that quarterly SEC filings are backward-looking and infrequent. A lot can change between filing dates. And key signing ceremonies, while valuable, are not user-verifiable – you trust that the auditor did their job correctly.

The Uncomfortable Truth

The Public Company Accounting Oversight Board (PCAOB) has explicitly warned that PoR reports should not be treated as proof of solvency. Mazars, the accounting firm that was performing PoR attestations for Binance and others, paused all crypto work in December 2022, citing concerns about how the industry was interpreting their reports.

The fundamental problem is that proof of reserves and proof of solvency are different things, and the industry has been conflating them. Reserves prove you have assets. Solvency proves you can meet all obligations. FTX had plenty of reserves – the problem was that those reserves were lent out, encumbered, or misappropriated.

What Would Actually Work

From a security engineering perspective, here is what a credible exchange transparency system would require:

  1. Real-time or near-real-time verification – not monthly or quarterly snapshots
  2. Liability completeness – all obligations, on-chain and off-chain, must be included
  3. Asset quality assessment – weighted by liquidity, concentration, and counterparty risk
  4. Independence – verification by parties with no financial relationship to the exchange
  5. User verifiability – every user should be able to independently verify their inclusion

The technology exists. Chainlink Proof of Reserve enables automated on-chain verification. Zero-knowledge proofs can prove solvency without revealing individual balances. But adoption remains minimal because exchanges have little economic incentive to implement stronger transparency unless regulators force them to.

Every line of code is a potential vulnerability, and every financial report is a potential misrepresentation. Trust but verify – then verify again. What does the community think is the realistic path forward here?

Sophia, thank you for this thorough analysis. As a former SEC attorney who now consults on crypto compliance, I want to add the regulatory dimension that makes this picture even more complicated.

The Regulatory Patchwork Problem

The fundamental issue is that there is no unified global standard for exchange reserve verification. What we have instead is a patchwork of jurisdictions with wildly different requirements:

United States: Public companies like Coinbase must file audited financials with the SEC. Private exchanges have no federal PoR requirement, though individual state regulators (like New York’s DFS) impose their own standards. The GENIUS Act mandates monthly independent attestations for stablecoin issuers, but exchanges are not covered by the same provision.

European Union: MiCA (Markets in Crypto-Assets Regulation), which becomes fully enforceable by July 2026, requires crypto-asset service providers to maintain organizational requirements including adequate systems and controls, but does not mandate a specific PoR methodology. The details are left to national competent authorities.

Singapore: The Monetary Authority of Singapore requires custody segregation and regular audits for licensed exchanges, but the specifics of what “regular audits” means in practice vary.

Dubai/UAE: VARA (Virtual Assets Regulatory Authority) has arguably the most progressive framework, requiring quarterly proof of reserves and segregated custody, but enforcement mechanisms are still developing.

Why Mandatory PoR Has Not Happened

There are three primary reasons regulators have not mandated specific PoR standards for exchanges:

1. No consensus on methodology. Regulators cannot agree on whether Merkle tree-based PoR, traditional audits, real-time on-chain monitoring, or some combination is the appropriate standard. The PCAOB’s warning that PoR reports are inherently limited makes regulators reluctant to endorse a methodology that could create false confidence.

2. Jurisdictional arbitrage. Any jurisdiction that imposes strict PoR requirements risks driving exchanges to more permissive jurisdictions. This race-to-the-bottom dynamic is real – we have already seen exchanges relocate in response to regulatory pressure.

3. Industry lobbying. Let us be direct: major exchanges have lobbied against mandatory PoR standards because compliance is expensive and potentially reveals competitive information about their reserves and business operations.

The Stablecoin Precedent

The GENIUS Act’s approach to stablecoins is instructive. It requires:

  • Monthly attestation reports from independent public accounting firms
  • Verification that reserves at least match outstanding supply 1:1
  • High-quality liquid assets as reserves (US Treasuries, cash, cash equivalents)

This is more rigorous than anything required of exchanges. The question is whether this framework will eventually be extended to exchange custody. My prediction: it will, but not until after the next major exchange failure forces regulatory action. That is the depressing pattern – we regulate after catastrophe, not before.

A Practical Path Forward

I think the most realistic path is a tiered system:

  1. Tier 1 (large exchanges, >$10B reserves): Quarterly independent audits with PoR component, real-time on-chain monitoring, mandatory liability disclosure
  2. Tier 2 (mid-size, $1-10B): Semi-annual attestations with Merkle tree PoR
  3. Tier 3 (small, <$1B): Annual attestation with basic reserve verification

This graduated approach balances transparency with the compliance burden that Sophia correctly identified as a barrier. Legal clarity unlocks institutional capital, and right now the lack of standardized exchange transparency is one of the biggest barriers to institutional adoption.

Sophia and Rachel both make excellent points, but I want to push back on one framing: the idea that PoR is fundamentally broken. As someone who trades on these exchanges daily and has real money at stake, I think the current system is imperfect but far better than what existed three years ago.

The Trader’s Perspective on Exchange Risk

When I was on Wall Street, counterparty risk assessment was a daily exercise. You evaluated your exposure to each broker, clearinghouse, and custodian. In crypto, we have essentially replicated this practice through:

  1. Exchange diversification – no serious trader keeps more than 20-30% of assets on any single exchange
  2. PoR monitoring – I check CoinMarketCap’s reserve rankings monthly
  3. On-chain flow analysis – watching for unusual outflows that might signal problems
  4. Stablecoin reserve ratios – exchanges with higher stablecoin percentages are generally considered safer

The PoR data is imperfect, but it provides a useful signal. Before FTX, we had nothing. Now we have Binance showing $155B with 30.5% in stablecoins, which tells me they have significant liquid reserves. That is actionable information even if it is not comprehensive.

The Market Has Already Priced This In

Here is what I think Sophia and Rachel are missing: the market has already created its own transparency premium. Exchanges with robust PoR programs attract more users and more institutional capital. Exchanges without PoR are losing market share.

Look at the concentration data: Binance holds more reserves than the next seven exchanges combined. Part of this is brand recognition and product quality, but a significant factor is trust derived from transparency. Users migrate toward exchanges they trust, and PoR – even imperfect PoR – is a trust signal.

The Bybit hack earlier this year is a relevant case study. Despite losing significant funds, Bybit’s PoR data helped demonstrate that they had sufficient reserves to cover the loss without affecting user funds. Without PoR, that hack could have triggered an FTX-style bank run.

What I Actually Want as a Trader

Rather than perfect solvency proofs (which may be technically impossible in real-time), I want:

  1. Reserve-to-liability ratios above 100% – simple, clear, updated at least monthly
  2. Insurance fund transparency – how large is the insurance fund and what does it cover?
  3. Withdrawal processing metrics – average withdrawal time and any processing delays
  4. Incident response transparency – how quickly and honestly does the exchange communicate during crises?

These are pragmatic signals that help me assess risk without requiring a PhD in cryptography. The perfect should not be the enemy of the good.

The Investment Angle

For those thinking about this from a portfolio perspective: exchange tokens (BNB, OKB) essentially embed counterparty risk on the issuing exchange. Robust PoR reduces this risk premium. As PoR standards improve, I expect exchange tokens with strong transparency to outperform those without – creating a market-driven incentive for better transparency.

Sophia, you asked about the realistic path forward. I think market pressure is actually more effective than regulation here. Exchanges that resist transparency will lose users to those that embrace it. The question is whether this market-driven process is fast enough to prevent the next catastrophe.

This thread is hitting close to home. I am building a Web3 startup, and exchange transparency directly affects my fundraising conversations and product strategy. Let me share the founder’s perspective.

The Fundraising Impact

Every investor meeting I have had in the past six months includes some version of this question: “What happens if the exchange your users deposit on goes down?” Post-FTX, this is not a theoretical concern – it is a due diligence checkbox.

Exchanges with strong PoR programs make my life easier. When I can point to Binance’s $155B in verified reserves or Coinbase’s SEC-audited financials, investors are reassured. When I have to explain that a smaller exchange partner “publishes monthly reports” without independent verification, the conversation gets uncomfortable.

The Compliance Cost Barrier

Rachel’s tiered regulatory framework sounds sensible in theory, but let me share what compliance actually costs from the startup side:

  • Basic Merkle tree PoR implementation: $50-100K initial setup, $20-30K/year ongoing
  • Independent audit engagement: $200-500K/year for a small-to-mid-size exchange
  • Real-time monitoring infrastructure: $100-300K/year for tooling and personnel
  • Legal and regulatory counsel: $150-250K/year to navigate multi-jurisdiction requirements

For a startup exchange trying to compete, these costs are substantial. The result is that PoR becomes another barrier to entry that benefits incumbents. Binance can easily afford comprehensive PoR at $155B in reserves. A new exchange with $100M in deposits? That compliance cost is eating into margins that barely exist.

The Self-Custody Alternative

Here is the elephant in the room that nobody in this thread has mentioned: the best proof of reserves is self-custody. If users hold their own keys, exchange solvency becomes irrelevant.

The rise of non-custodial exchanges (dYdX, Hyperliquid), on-chain trading aggregators, and smart contract-based custody solutions is partly a market response to the PoR problem. Users are voting with their feet – Hyperliquid is processing $40B weekly without holding custody of user funds.

As a startup founder, this informs my product strategy. We are building with a hybrid custody model: users can choose between custodial (convenient but counterparty risk) and self-custodial (more friction but no trust required). The market is clearly moving in this direction.

What Would Actually Move the Needle

Chris makes a good point that market pressure is more effective than regulation. But I think both are needed. Here is what I would advocate for:

  1. Open-source PoR standards that reduce implementation costs for smaller exchanges
  2. Regulatory safe harbors for exchanges that voluntarily adopt strong PoR programs
  3. Insurance requirements scaled to reserves (similar to FDIC insurance for banks)
  4. Self-custody incentives – regulatory frameworks that make it easier, not harder, for users to hold their own keys

The goal should not be eliminating counterparty risk from centralized exchanges – that is impossible as long as they are custodial. The goal should be making the risk transparent, manageable, and eventually optional through better self-custody infrastructure.

Excellent thread. Let me add the protocol engineering perspective on what a technically robust proof-of-solvency system would actually look like, because Sophia is right that the current PoR implementations are fundamentally limited.

Why Merkle Tree PoR Is Necessary but Not Sufficient

The Merkle tree approach that most exchanges use (Binance, OKX, Bybit, etc.) solves one specific problem: proving that the exchange’s claimed liabilities include your specific account balance. You can verify your leaf in the tree and confirm you are included. This is valuable – it prevents the exchange from understating liabilities by omitting accounts.

But Merkle tree PoR has three structural limitations that cannot be fixed within the current framework:

1. The liability tree only contains what the exchange chooses to include. There is no mechanism to detect omitted accounts. If an exchange has 10 million users but only includes 9.5 million in the Merkle tree, the tree looks valid. The omitted 500,000 users simply do not know they have been excluded unless they independently verify.

2. Asset verification relies on address ownership proofs at a single point in time. The exchange signs a message from addresses it claims to own, proving control at that moment. But cryptographic signing proves key possession, not asset availability. The exchange could have those assets encumbered by smart contract locks, used as collateral in DeFi protocols, or committed to derivatives positions.

3. The proof does not capture velocity. Even if assets and liabilities balance at the snapshot, the exchange might be running a fractional reserve between snapshots – lending out user deposits for yield, then recalling them before the next proof. This is literally what FTX did, and Merkle tree PoR would not have caught it.

What a Real Proof-of-Solvency Would Require

From a protocol design perspective, here is the architecture I would build:

Layer 1: Continuous on-chain monitoring. Use Chainlink Proof of Reserve (or similar oracle infrastructure) to continuously track exchange wallet balances. This eliminates the point-in-time snapshot problem. Any significant outflow triggers an automatic alert.

Layer 2: Zero-knowledge liability proofs. This is where ZK technology becomes essential. A ZK proof can demonstrate that the total liabilities in a dataset (all user balances) sum to a specific number without revealing any individual balance. The exchange commits to the liability total, and any user can verify their inclusion. This runs continuously, not in snapshots.

Layer 3: Asset encumbrance detection. Smart contract analysis to detect whether exchange-controlled addresses have assets locked in DeFi protocols, used as collateral, or otherwise encumbered. This is technically challenging but not impossible – Chainalysis and similar firms already do this for law enforcement.

Layer 4: Mandatory reserve buffers. Instead of proving 1:1 reserves, require 1.05:1 or 1.1:1 reserves to account for operational needs, potential losses, and the limitations of any verification system.

The Adoption Problem

The technology exists to build this. Chainlink Proof of Reserve is production-ready. ZK libraries for range proofs and sum verification are mature. On-chain monitoring infrastructure is robust.

The problem is adoption. Exchanges have no competitive incentive to implement stronger transparency unless all their competitors do the same – classic collective action problem. And regulators, as Rachel noted, cannot agree on standards.

Steve’s point about self-custody being the ultimate solution is technically correct but practically limited. Most users – especially institutional users – want custodial solutions. The question is not “should we eliminate custodial exchanges” but “how do we make custodial exchanges provably safe.”

I would love to hear from the ZK researchers in this community about where zero-knowledge proof-of-solvency implementations stand. Are we months or years away from production-ready systems?
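An added illustration of the Merkle-tree liability proof discussed in Sophia's opening post and in the "Necessary but Not Sufficient" section above. This is example code written for this thread, not Binance's, OKX's or any exchange's implementation. It uses the summed-Merkle variant (each node commits to the sum of its subtree's balances as well as to the child hashes), which is an assumption beyond the plain Merkle tree the posts describe; the account data, salts and hash domain tags are constructed. A user verifying their inclusion path also recomputes the root total, so a single user check ties their balance to the published liability figure. The final function also shows limitation 1 from the post: an omitted account produces a smaller but perfectly valid-looking tree, and only the omitted user's own check fails.

```python
"""Summed Merkle tree proof of liabilities (illustrative, constructed data)."""
import hashlib
from dataclasses import dataclass
from typing import List, Tuple

Node = Tuple[bytes, int]          # (hash, subtree balance sum)
ProofStep = Tuple[bytes, int, bool]  # (sibling hash, sibling sum, sibling is on the left)


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


@dataclass(frozen=True)
class Account:
    user_id: str
    salt: bytes      # per-user secret so a published tree does not leak ids
    balance: int     # integer smallest units; assumed non-negative


def leaf_hash(acct: Account) -> bytes:
    # Domain-separated so a leaf can never be confused with an internal node.
    return _h(b"leaf|" + acct.user_id.encode() + b"|" + acct.salt
              + b"|" + acct.balance.to_bytes(16, "big"))


def node_hash(lh: bytes, ls: int, rh: bytes, rs: int) -> bytes:
    # The sum is part of the hash, so the root fixes the liability total.
    return _h(b"node|" + (ls + rs).to_bytes(16, "big") + lh + rh)


EMPTY: Node = (_h(b"empty"), 0)   # padding leaf for odd-sized levels


def build_tree(accounts: List[Account]) -> List[List[Node]]:
    """Return all levels, leaves first; levels[-1][0] is the root node."""
    if not accounts:
        raise ValueError("no accounts")
    if any(a.balance < 0 for a in accounts):
        # A negative leaf would let the operator cancel out real liabilities.
        raise ValueError("negative balance rejected")
    level: List[Node] = [(leaf_hash(a), a.balance) for a in accounts]
    levels: List[List[Node]] = []
    while True:
        if len(level) > 1 and len(level) % 2 == 1:
            level = level + [EMPTY]
        levels.append(level)
        if len(level) == 1:
            return levels
        level = [(node_hash(level[i][0], level[i][1], level[i + 1][0], level[i + 1][1]),
                  level[i][1] + level[i + 1][1])
                 for i in range(0, len(level), 2)]


def inclusion_proof(levels: List[List[Node]], idx: int) -> List[ProofStep]:
    """Sibling path from leaf idx up to (but excluding) the root."""
    proof: List[ProofStep] = []
    for level in levels[:-1]:
        sib = idx ^ 1
        proof.append((level[sib][0], level[sib][1], sib < idx))
        idx //= 2
    return proof


def verify_inclusion(root_hash: bytes, root_sum: int, acct: Account,
                     proof: List[ProofStep]) -> bool:
    """What a user runs: recompute the root hash AND the root total."""
    h, s = leaf_hash(acct), acct.balance
    for sib_hash, sib_sum, sib_on_left in proof:
        if sib_sum < 0:
            return False          # reject proofs that smuggle in negative sums
        if sib_on_left:
            h, s = node_hash(sib_hash, sib_sum, h, s), sib_sum + s
        else:
            h, s = node_hash(h, s, sib_hash, sib_sum), s + sib_sum
    return h == root_hash and s == root_sum


# Constructed sample accounts (not real users or balances).
ACCOUNTS = [
    Account("alice", b"salt-a", 5_000_000),
    Account("bob",   b"salt-b", 1_250_000),
    Account("carol", b"salt-c",   300_000),
    Account("dave",  b"salt-d",    42_000),
    Account("erin",  b"salt-e",       999),
]


def demo() -> dict:
    """Full tree, every user's check, a tampered balance, and an omitted account."""
    levels = build_tree(ACCOUNTS)
    root_hash, root_sum = levels[-1][0]
    all_ok = all(verify_inclusion(root_hash, root_sum, a, inclusion_proof(levels, i))
                 for i, a in enumerate(ACCOUNTS))
    tampered = Account("bob", b"salt-b", 1_250_001)
    tampered_ok = verify_inclusion(root_hash, root_sum, tampered, inclusion_proof(levels, 1))
    # Limitation 1: drop erin. The new tree is internally consistent; only erin notices.
    omitted = build_tree(ACCOUNTS[:-1])
    o_hash, o_sum = omitted[-1][0]
    others_ok = all(verify_inclusion(o_hash, o_sum, a, inclusion_proof(omitted, i))
                    for i, a in enumerate(ACCOUNTS[:-1]))
    erin_ok = verify_inclusion(o_hash, o_sum, ACCOUNTS[-1], inclusion_proof(levels, 4))
    return {"total": root_sum, "all_ok": all_ok, "tampered_ok": tampered_ok,
            "omitted_total": o_sum, "others_ok": others_ok, "erin_ok": erin_ok}


if __name__ == "__main__":
    print(demo())
```

The useful takeaway is the last three fields: the tree built without erin still verifies for everyone who is in it, and the published total simply shrinks by her balance. Nothing in the structure flags the omission, which is why the post calls inclusion proofs necessary but not sufficient.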
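A second added example, covering Sophia's asset-quality point and Layers 1 and 4 of the architecture above (continuous balance monitoring with an outflow alert, and a reserve buffer above 1:1). This is illustration code written for this thread, not Chainlink Proof of Reserve or any exchange's monitoring; the wallet snapshots, prices, liability figure and the per-asset liquidity haircuts are all constructed and assumed. It shows how a headline reserve ratio can sit comfortably above 1.0 while a haircut-weighted ratio, which discounts the exchange's own token and other less liquid holdings, falls below the buffer or below 1.0.

```python
"""Constructed reserve monitor: haircut-weighted ratio plus per-asset outflow alerts."""
from typing import Dict, List, Optional

# Assumed illustrative haircuts (fraction of market value not counted); "EXCH"
# stands in for a proprietary exchange token. Unknown assets get a 100% haircut.
HAIRCUTS: Dict[str, float] = {"USDT": 0.0, "USDC": 0.0, "BTC": 0.05, "ETH": 0.10, "EXCH": 0.50}

LIABILITIES_USD = 140_000_000.0   # constructed committed user-liability total

# Constructed sequence of wallet snapshots: units held and prices at each sample.
SAMPLES: List[dict] = [
    {"t": "2026-02-01T00:00Z",
     "balances": {"USDT": 50_000_000, "BTC": 1_000, "ETH": 10_000, "EXCH": 5_000_000},
     "prices": {"USDT": 1.0, "BTC": 60_000.0, "ETH": 3_000.0, "EXCH": 10.0}},
    {"t": "2026-02-01T01:00Z",   # 300 BTC leave the monitored wallets
     "balances": {"USDT": 50_000_000, "BTC": 700, "ETH": 10_000, "EXCH": 5_000_000},
     "prices": {"USDT": 1.0, "BTC": 60_000.0, "ETH": 3_000.0, "EXCH": 10.0}},
    {"t": "2026-02-01T02:00Z",   # no movement, but the exchange token sells off
     "balances": {"USDT": 50_000_000, "BTC": 700, "ETH": 10_000, "EXCH": 5_000_000},
     "prices": {"USDT": 1.0, "BTC": 60_000.0, "ETH": 3_000.0, "EXCH": 4.0}},
]


def reserves_usd(balances: Dict[str, float], prices: Dict[str, float],
                 haircuts: Optional[Dict[str, float]]) -> float:
    """Market value of holdings; with haircuts, each asset is discounted for liquidity risk."""
    total = 0.0
    for asset, units in balances.items():
        if asset not in prices:
            continue                      # unpriced asset counts as zero, conservatively
        factor = 1.0 if haircuts is None else 1.0 - haircuts.get(asset, 1.0)
        total += units * prices[asset] * factor
    return total


def check_sample(sample: dict, prev: Optional[dict], liabilities: float,
                 haircuts: Dict[str, float], min_ratio: float = 1.05,
                 max_outflow: float = 0.10) -> dict:
    """Evaluate one snapshot: weighted and raw ratios, and a list of alert strings."""
    alerts: List[str] = []
    raw = reserves_usd(sample["balances"], sample["prices"], None) / liabilities
    weighted = reserves_usd(sample["balances"], sample["prices"], haircuts) / liabilities
    # Layer 1: outflow detection on units, so a price move alone never fires it.
    if prev is not None:
        for asset, before in prev["balances"].items():
            after = sample["balances"].get(asset, 0)
            if before > 0 and (before - after) / before > max_outflow:
                alerts.append(f"outflow:{asset}:{(before - after) / before:.1%}")
    # Layer 4: buffer above 1:1 on the haircut-weighted figure.
    if weighted < 1.0:
        alerts.append("ratio_below_one")
    elif weighted < min_ratio:
        alerts.append("ratio_below_buffer")
    return {"t": sample["t"], "raw_ratio": raw, "weighted_ratio": weighted, "alerts": alerts}


def run_monitor(samples: List[dict], liabilities: float,
                haircuts: Dict[str, float]) -> List[dict]:
    results: List[dict] = []
    prev: Optional[dict] = None
    for s in samples:
        results.append(check_sample(s, prev, liabilities, haircuts))
        prev = s
    return results


if __name__ == "__main__":
    for r in run_monitor(SAMPLES, LIABILITIES_USD, HAIRCUTS):
        print(f'{r["t"]} raw={r["raw_ratio"]:.3f} weighted={r["weighted_ratio"]:.3f} {r["alerts"]}')
```

On the constructed data the raw ratio never drops below 1.0, while the weighted ratio crosses the buffer at the second sample (the BTC outflow also fires) and goes under 1.0 at the third with no funds moving at all, purely because the proprietary token repriced. That gap between the two ratios is Sophia's point 3 in numbers.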