Don't Trust, Verify.

OKX Security Special Issue | PoR: Understand the Exchange's "Physical Examination Report" in 5 Minutes

When the black swan hit, the major centralized exchanges rushed to publish PoR (Proof of Reserves). PoR is a cryptographic verification mechanism used to prove that the on-chain assets held by an exchange are sufficient to cover the total of user assets 1:1, giving transparency while still protecting user privacy. Its main purpose is to prove that the exchange has not misappropriated user assets and is able to meet withdrawals.

The difference between an exchange's PoR and a traditional financial audit is that PoR generates publicly verifiable cryptographic proofs and supports user self-verification, while a traditional audit relies on a third party's sampling and report, which users can only trust passively and which offers relatively limited transparency.

In theory, PoR exists to give users peace of mind, but at present only a few leading exchanges, represented by OKX, still release PoR monthly; many have gone "slack" or stopped altogether. And even with a PoR report, there is no guarantee that our assets stored on the exchange are safe. In other words, publishing a PoR report does not mean absolute security. We also need to understand the details behind each exchange's PoR, since those details reflect the security level of different exchanges.

Blockchain expert Nic Carter once commented that OKX represents the highest level of PoR quality among mainstream exchanges. Below we use OKX as a sample to discuss PoR from a deeper perspective: no longer just asking "is there one?", but finding out how it is done and what level of security OKX is at.

Start with these three steps

When many friends open a PoR report, the first thing they see is rows of tables or figures: BTC reserve ratio 104%, ETH reserve ratio 101%, USDT reserve ratio 103%... Seeing that they are all above 100%, they subconsciously relax: this platform should be quite reliable. But hold on: a PoR report can hide many tricks, and looking at the reserve ratio alone is far from enough.

To quickly grasp the key points and risks of a PoR, follow these three steps.

The first step is to look at the overview: open the report and find the total user assets (the platform's liabilities to its users), the total platform assets and the reserve ratio. Different exchanges name these differently; OKX, for example, uses "account assets" and "OKX wallet assets", but in essence they are the liabilities owed to users and the assets held by the exchange. Don't focus only on the size of these numbers; check whether the reserve ratio is equal to or greater than 100%. For example, in the PoR released by OKX in April, the BTC reserve ratio is 104%, which not only meets users' daily withdrawal needs but also leaves a buffer, indicating a stronger ability to withstand stress.

The second step is to check the per-currency details: not all currencies are equally "stable". First, check whether the mainstream currencies (BTC, ETH, USDT, USDC, etc.) are included. These usually account for the bulk of user assets and are core indicators of an exchange's liquidity, ability to pay out and risk control. Second, click into the detailed list for each currency and see whether the exchange's total assets match the users' total assets. For example, if there are 10,000 USDT in the wallet and total user assets are 9,000 USDT, there is no problem. But if it is the other way around, check whether abnormal withdrawals have occurred or the reserve ratio has dropped.

The third step is to identify common tricks: to put on a show of security, an exchange may stage a wave of "fund allocation" through associated addresses before the snapshot and transfer the funds back after the PoR is announced; or it may create a large number of fake "liability accounts" to reduce the platform's reported debt, proving solvency at a single moment and then reverting in the next period. OKX uses zk-STARK technology and open-sources the code globally, which on the one hand effectively blocks the fake "liability account" routine, and on the other hand lets users verify for themselves, preventing this kind of "photoshopped PoR report".

If you don't have time to go through all the data, it is recommended to focus on three indicators:

  1. Whether the reserve ratio remains stable > 100%;

  2. Whether to support user self-verification;

  3. Whether the report is updated regularly and covers mainstream assets and staked assets.

Remember: good-looking PoR numbers are not the point; the key is to understand the exchange's solvency and security capabilities.

Focus on these six data

First, understand the most core security figure: whether the PoR ratio exceeds 100%. It is like depositing money in a bank: the most basic requirement is that the bank has enough money to pay you back. The same logic applies to crypto exchanges. We need to see whether the exchange's on-chain assets can cover users' account assets 1:1. This ratio is the so-called "reserve ratio" (reserve ratio = platform assets / user assets × 100%).

Equal to 100%: the platform holds just enough assets to cover user assets.

Higher than 100%: the platform has surplus funds to pay out and a certain ability to withstand stress. Note, however, that a larger reserve ratio does not automatically mean a safer exchange; the two cannot be equated directly. For example, a sudden surge in the reserve ratio of a certain currency may simply be the result of the platform's recent activities.

Lower than 100%: this is a red-light warning. It means the assets of that currency held by the platform are not enough to repay all users. A ratio that stays below 100% may mean the platform is facing a run, or is even deliberately concealing liquidity problems. Precisely for that reason, many platforms stop reporting at this point, and the interruption itself is a risk signal.

Second, which coins PoR covers: are all mainstream coins included? After all, our assets are not in just one coin. Mainstream coins such as BTC, ETH, USDT and USDC generally account for 80% or even 90% of user positions. The number of coins covered by PoR is an important indicator of an exchange's transparency and asset-management capability. Take OKX as an example: from the earliest 3 coins to the current 22 coins with public PoR, users' main assets have essentially all been put on the table. BTC, ETH, USDT and USDC alone account for more than 66% of platform assets, and the 22 coins covered by PoR account for more than 90%. In other words, looking at these four coins alone gives a basic picture of whether the chosen platform is safe.

Third, the cleanliness of the reserve: that is, the proportion of non-platform-token assets in the total reserve, rather than relying on the platform token to "fill the numbers". Cleanliness is an important dimension for measuring the quality of an exchange's assets. It directly reflects the true value, liquidity and risk resistance of the reserve; only by maintaining sufficient reserves without relying on its own token can an exchange prove it is genuinely robust. When evaluating reserve quality, "cleanliness" can be assessed in two ways:

Proof by currency: the exchange publishes a PoR report for each major currency (BTC, ETH, USDT, USDC, etc.). As long as the reserve ratio of a single currency is above 100%, that currency can be paid out in full. Whether the platform token is included does not affect the judgment of solvency for each mainstream currency.

Proof by total assets: the exchange combines all assets (including the platform token) into a single overall reserve ratio. If the platform token makes up a high proportion, a drop in its price or liquidity could leave the overall reserve unable to pay out. Therefore, special attention must be paid to the proportion of non-platform-token assets in total assets, that is, "cleanliness". At present, most exchanges include their platform token in PoR. Taking OKX as an example, its PoR for each single mainstream coin remains above 100% and is unaffected by OKB price fluctuations; calculated by the latest overall-asset method, its non-platform-token "cleanliness" is about 70%. This means that the most liquid mainstream assets alone, such as BTC, ETH, USDT and USDC, can support more than 70% of total user liabilities, which is genuinely high transparency and risk resistance.

Fourth, a point that is often overlooked: the trend in reserves of mainstream currencies such as BTC and ETH. A rising reserve most likely means users or institutions are confident in the platform's security and liquidity. Recently, OKX's reserves of mainstream currencies such as ETH and BTC have trended upward. For example, as of April 7, 2025, the OKX PoR report shows that ETH in accounts rose from 1,556,932 on October 8, 2024 to 1,770,686, an increase of about 13.7%; BTC rose from 126,082 on January 10, 2025 to 133,151, an increase of about 5.6%, indirectly reflecting users' confidence in the platform's security.

Fifth, the share of the top 10 mainstream coins: don't let illiquid coins dominate the picture. The higher the share of the top 10 mainstream coins, the healthier the PoR, because such assets have strong liquidity and high stability and can support the platform's funds in extreme situations. According to the various PoR reports, in the current reserve structure of mainstream exchanges the top 10 currencies by market value account for more than 80%, and the share of illiquid coins is kept between 10% and 20%; the overall asset structure is healthy and meets users' expectations of high solvency. For example, as of April 7, 2025, the total value of OKX's top 10 mainstream coins accounted for approximately 88.8% of its PoR.

Sixth, the release frequency of PoR reports also matters: is it only "occasionally disclosed"? A PoR report reflects the status of assets at a specific point in time. The higher the release frequency, the harder it is to cover up short-term liquidity or security problems at the exchange. Since first releasing PoR at the end of 2022, OKX has kept to monthly releases and had published 30 consecutive issues as of April 2025. Each report is also audited and verified by the blockchain security firm Hacken. This explains why leading platforms such as OKX repeatedly emphasize "monthly disclosure": only high-frequency, reliably audited updates can genuinely build user confidence and maintain platform integrity.

When evaluating an exchange's asset security, we must link data together and cannot rely solely on the PoR report released by the platform itself. Combining multiple data sources for cross-validation gives a more comprehensive and objective judgment. For example, DeFiLlama's CEX Transparency module provides an overview of the on-chain asset reserves of major centralized exchanges and can serve as an important external reference. Nansen's "CEX Token Flow" section shows inflows and outflows for exchanges including Coinbase and OKX in real time, capturing the movement of on-chain funds.

Previously, OKX's asset data on DeFiLlama showed a short-term anomaly; it was later found that third-party data collection had lagged because of an address upgrade. Such incidents remind us that although third-party platforms are independent, they are limited by how timely and complete their on-chain address identification is. In addition, the PoR data of some small and medium-sized exchanges differs significantly from the figures of third-party on-chain monitoring platforms. If such a difference cannot be reasonably explained, the reasons behind it need further careful investigation.

PoR data cannot be interpreted in isolation, and a number like "100%" should not make us drop our guard. Only by combining on-chain tracking, third-party verification and the exchange's own public mechanism can we make a sound judgment on asset security.

A small tool that allows users to verify exchange data

The platform itself has "posted" PoR, but that does not mean it is absolutely credible. Faced with the ultimate question "you put money in, is it really there?", users need to verify it themselves. Taking the verification logic provided by OKX as an example, only two things need to be proved: first, that the total of user assets (account assets) is correct; second, that the total of the platform's on-chain assets (wallet assets) is correct. Dividing the second by the first gives the "reserve ratio".

For example, two users deposit assets into the exchange, one 100U and the other 200U, so the platform's total liability is 300U. The exchange's PoR needs to prove two things: that the total deposits of all (two) users are 300U, and that the exchange wallet really does hold 300U.

The first step is to verify the total user deposits. OKX uses a zero-knowledge proof system called zk-STARK to prove and verify all OKX account assets held by the exchange. OKX takes a "snapshot" of all user accounts and applies "constraints" to it in the zk-STARK proof. The first is the "balance sum constraint": the published total must equal the sum of all account balances. The second is the "non-negative constraint": no negative-balance accounts may be included to shrink the reported liabilities. The third is the "inclusion constraint": no account may be left out.

The second step is to verify the exchange's wallet assets. OKX publishes a set of wallet addresses and, with each address's private key, signs a message such as "I am an OKX address", proving ownership of those addresses. Anyone can then look up the balances of these addresses on a blockchain explorer. Adding up these on-chain balances gives the total real assets held by OKX. When doing this yourself, check that each signature actually verifies against the key of the listed address, and read the balances at the snapshot's block height rather than the current one, so that the assets and liabilities you compare refer to the same moment.

For both the three constraints above and the exchange wallet verification, OKX not only provides a detailed self-verification tutorial that users can follow at any time (https://www.okx.com/zh-hans/proof-of-reserves), but also open-sources the PoR code for the technical community to verify and use (https://github.com/okx/proof-of-reserves/releases/tag/v3.1.4).

The PoR solution itself still has room for iteration

OKX has kept exploring more secure underlying technology to prevent PoR report data from being tampered with or forged. Since launching PoR based on a standard Merkle tree in November 2022, OKX upgraded to the full-view Merkle Tree V2 in March 2023, and then in April 2023 pioneered a self-developed zk-STARK zero-knowledge proof integrating the sum, inclusion and non-negative constraints, making verification lighter and open source. So when evaluating any exchange's PoR report, beyond the reserve ratio and user self-verification, its underlying technical implementation and evolution path should also be considered, so that potential tampering or audit loopholes are not missed by looking at data indicators alone.

Why upgrade to zk-STARK? The traditional Merkle tree scheme has a loophole that leaves room for a CEX to cheat. A Merkle tree is a common data structure; used for proof of reserves, it hashes each account balance and organizes the hashes into a tree, so that a user can verify whether their account balance is included in the exchange's total liabilities. But the traditional Merkle tree has a key flaw: it cannot prevent negative-value nodes. A CEX that wants to cheat can create fake accounts with negative balances, making the reserves appear to match the liabilities even when they do not, and an individual user who checks only their own inclusion path will generally not see it.
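The following Python example is added here for illustration; it is not OKX's code and not the scheme in the open-source repository linked above. It builds a small Merkle sum tree over constructed account balances (the two-user example and the three constraints from the previous section, generalized to a few users), lets one user verify an inclusion proof against the published root, and then shows the negative-leaf attack just described: the exchange inserts a "ghost" account with balance -100 next to a user it expects never to check, the root total drops from 500 to 400 so the 400 held in the wallet now looks like a 100% reserve, and every honest user except the ghost's sibling still sees a valid proof. The last function performs the tree-wide non-negativity check that only someone holding the whole tree, or a zero-knowledge proof over it, can provide. All names, balances and the hash layout are assumptions made for the example.

```python
"""Merkle sum tree proof of liabilities (added example, not OKX's code).

Demonstrates: (1) a single user's inclusion proof against a published root,
(2) the negative-balance "ghost" leaf that shrinks the committed total while
honest users' proofs still verify, (3) the tree-wide non-negativity check
that a per-user proof cannot give you. Account data is constructed.
"""
import hashlib
from typing import List, Tuple

Node = Tuple[bytes, int]                                  # (hash, subtree balance sum)
PAD: Node = (hashlib.sha256(b"pad").digest(), 0)          # neutral filler leaf for odd levels


def leaf_hash(uid: str, balance: int) -> bytes:
    return hashlib.sha256(f"leaf|{uid}|{balance}".encode()).digest()


def node_hash(left: Node, right: Node) -> bytes:
    # Commit to the children's sums as well as their hashes, so a proof cannot
    # claim a different subtree total than the one the root was built from.
    data = b"node|" + left[0] + str(left[1]).encode() + b"|" + right[0] + str(right[1]).encode()
    return hashlib.sha256(data).digest()


def build_tree(accounts: List[Tuple[str, int]]) -> List[List[Node]]:
    """Return every level of the tree, leaves first; levels[-1][0] is the root."""
    level: List[Node] = [(leaf_hash(u, b), b) for u, b in accounts]
    levels: List[List[Node]] = []
    while True:
        if len(level) > 1 and len(level) % 2:
            level = level + [PAD]
        levels.append(level)
        if len(level) == 1:
            return levels
        level = [(node_hash(level[i], level[i + 1]), level[i][1] + level[i + 1][1])
                 for i in range(0, len(level), 2)]


def inclusion_proof(levels: List[List[Node]], index: int):
    """Sibling (hash, sum, sibling_is_left) for each level from the leaf up."""
    proof = []
    for level in levels[:-1]:
        sib = index ^ 1
        proof.append((level[sib][0], level[sib][1], sib < index))
        index //= 2
    return proof


def verify_inclusion(uid: str, balance: int, proof, root: Node) -> bool:
    """What one user can check: their leaf hashes up to the published root, the
    sums add up, and no sibling they are shown carries a negative sum."""
    if balance < 0:
        return False
    cur: Node = (leaf_hash(uid, balance), balance)
    for sib_hash, sib_sum, sib_is_left in proof:
        if sib_sum < 0:                       # the only negativity a single path reveals
            return False
        sib: Node = (sib_hash, sib_sum)
        left, right = (sib, cur) if sib_is_left else (cur, sib)
        cur = (node_hash(left, right), left[1] + right[1])
    return cur == root


def audit_all_nodes(levels: List[List[Node]]) -> bool:
    """Tree-wide check: every leaf and internal sum is non-negative. Only a party
    holding the full tree (or a ZK proof over it) can perform this."""
    return all(s >= 0 for level in levels for _, s in level)


def reserve_ratio(levels: List[List[Node]], wallet_total: int) -> float:
    return wallet_total / levels[-1][0][1]


# Constructed data: real liabilities are 500, but the wallet only holds 400.
HONEST = [("alice", 100), ("bob", 200), ("carol", 50), ("dave", 150)]
WALLET_TOTAL = 400
# The exchange inserts a -100 ghost leaf and places it beside dave, a user it
# bets will never run a proof. Leaf order is the exchange's choice.
COOKED = [("ghost", -100), ("dave", 150), ("alice", 100), ("bob", 200), ("carol", 50)]


def demo() -> dict:
    honest, cooked = build_tree(HONEST), build_tree(COOKED)
    root = cooked[-1][0]
    idx = {u: i for i, (u, _) in enumerate(COOKED)}
    return {
        "honest_ratio": reserve_ratio(honest, WALLET_TOTAL),      # 0.8: under-reserved
        "cooked_ratio": reserve_ratio(cooked, WALLET_TOTAL),      # 1.0: looks fully backed
        "alice_passes": verify_inclusion("alice", 100, inclusion_proof(cooked, idx["alice"]), root),
        "dave_passes": verify_inclusion("dave", 150, inclusion_proof(cooked, idx["dave"]), root),
        "full_audit_honest": audit_all_nodes(honest),
        "full_audit_cooked": audit_all_nodes(cooked),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Compare dave_passes with alice_passes: because the proof carries sibling sums, the one user whose sibling is the ghost can detect it, but the exchange chooses the leaf order and most users never verify. That gap, an honest-looking path for everyone except a leaf nobody checks, is what a proof of the sum and non-negative constraints over the whole tree closes at once.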


zk-STARK uses advanced cryptography to generate proofs that are mathematically sound and can be verified by anyone. Most importantly, zk-STARK does not require a trusted setup. A trusted setup means that some cryptographic systems (such as many zk-SNARKs) require a special ceremony to generate initial secret parameters, which must be destroyed once the setup is complete. If those secret parameters leak or are manipulated, the security of the entire system may be compromised.

zk-STARK avoids this risk. Its setup is transparent: it relies only on public randomness and hash functions, so the process depends on no secret information and no external trust. Users do not need to worry about hidden manipulation or vulnerabilities introduced during setup. zk-STARK provides a genuinely "trustless" security guarantee and is currently the most secure solution in use for PoR.

How does zk-STARK solve the problem? It provides a strong mathematical guarantee that every account balance is real and valid. There are no hidden negative nodes: zk-STARK enforces that every account balance is greater than or equal to zero across the whole tree, not just along the path a single user happens to check. Likewise the total reserve figure cannot be manipulated, so a CEX cannot fake a match between reserves and liabilities by tampering with the data. This closes the loopholes of traditional proof of reserves, protects user funds and prevents exchanges from deceiving users.

OKX continues to lead in credibility and transparency

In addition to the zk-STARK zero-knowledge proof technology, OKX has brought in the independent third-party auditor Hacken for certification, giving users an extra layer of trust. Hacken's audit team currently verifies OKX's reserves every month, confirming that on-chain assets fully cover user liabilities, i.e. that the reserve ratio is 100% or higher, and publishes audit reports that users can review at any time.

PoR is only one aspect of CEX security and cannot eliminate every risk. When choosing a CEX, users should use the on-chain asset verification that PoR provides, but also consider governance structure, capital liquidity, technical strength and other aspects. It is through its continuous and stable PoR release cadence, industry-leading zk-STARK technology and collaboration with an independent third-party auditor that OKX has built a more reliable line of defense, making its reserves transparent, visible and verifiable by users.

With its continued lead in credibility and transparency, OKX is winning the trust and choice of more and more users around the world.

Don't Trust, Verify.