Proof of Reserves (PoR) Audit

Independent verification of asset backing, solvency integrity, and operational trust.

ITSEC provides independent Proof of Reserves audits designed to verify that a platform's on-chain and off-chain assets properly back customer liabilities, while maintaining user privacy and operational security. Our methodology is structured for regulated and institutional environments where trust must be earned through evidence, not assertion.

Independent, third-party verification
Privacy-preserving methodology
Reports for regulators & partners

What Proof of Reserves Means

Proof of Reserves is a mechanism to demonstrate solvency and asset backing. It confirms that customer balances held on a platform are supported by verifiable reserves—whether on-chain assets, fiat holdings, or other instruments. PoR does not replace full financial audits, but it strengthens transparency and confidence by providing cryptographic evidence that a platform holds what it claims to hold.

PoR must be executed carefully. Poorly designed attestations can mislead stakeholders about actual risk exposure. Proper PoR includes clear methodology, defined limitations, and honest disclosure of what is—and is not—being verified.


Poorly executed PoR creates false confidence. Proper PoR builds real trust.

Who This Audit Is For

Proof of Reserves is relevant for any platform where customer assets are held in custody and trust is a business requirement.

Centralized crypto exchanges

Virtual Asset custodians

Broker-dealers and OTC desks

Lending and borrowing platforms

Stablecoin or asset-backed token issuers

Platforms seeking institutional partnerships

Platforms operating in or connected to regulated jurisdictions

Particularly relevant for VARA-aligned operations and platforms seeking institutional credibility in regulated environments.

Scope of the PoR Audit

Client

On-chain asset verification

Wallet ownership and control validation

Snapshot methodology definition

Liability Assessment

Customer balance aggregation

Treatment of internal, omnibus, and cold wallets

Handling of pending, locked, or margin balances

Clear definition of inclusions/exclusions

Methodology Integrity

Cryptographic techniques (e.g. Merkle tree-based approaches)

Privacy-preserving balance proofs

Reconciliation logic and verification rules

Assumption disclosure and limitations

Methodology transparency is non-negotiable. We disclose how verification is performed.

How ITSEC Conducts Proof of Reserves

A structured, repeatable process designed for independence and defensibility.

Step 01
Scoping & Architecture Review

Define asset types, liability model, snapshot timing, and system boundaries. Establish verification parameters and agree on methodology constraints.

Step 02
Data Collection & Verification

Validate on-chain reserves, wallet control, and off-chain data inputs. Confirm asset ownership through cryptographic proof of control.

Step 03
Cryptographic Proof Construction

Build privacy-preserving proofs linking reserves to liabilities. Apply Merkle tree or equivalent techniques to enable verifiable claims without exposing individual balances.

Step 04
Independent Validation & Reporting

Verify consistency, document assumptions, and prepare audit deliverables. Ensure findings are defensible and methodology is transparent.

What You Receive

Proof of Reserves Audit Report

Description of methodology and assumptions

Reserve coverage statement (snapshot-based)

Limitations and exclusions disclosure

Executive summary for stakeholders

Optional public-facing summary (controlled disclosure)

Optional regulator-facing version

Continuous solvency guarantees are not provided unless explicitly scoped for real-time or recurring verification.

What Proof of Reserves Does Not Do

Honesty about limitations is essential to credibility. PoR is a specific verification—not a guarantee.

PoR is not a full financial audit

PoR does not guarantee future solvency

PoR is time-bound to a specific snapshot

PoR does not replace governance, risk, or custody controls

This transparency differentiates professional assurance from marketing-driven claims.

Why ITSEC

ITSEC approaches Proof of Reserves as a security and assurance exercise—not a public relations tool. Our methodology is designed for environments where stakeholders expect evidence, not marketing. We bring experience from regulated virtual asset operations and apply the same discipline to reserve verification: clear scope, documented methodology, honest limitations, and defensible conclusions.

Independent cybersecurity-led assurance
Regulator-aware reporting discipline
Clear assumptions and limitations

Engagement Models

One-time PoR Audit

Snapshot-based verification at a defined point in time. Suitable for initial attestation or investor due diligence.

Recurring PoR Audits

Periodic verification on an agreed schedule (monthly, quarterly). Demonstrates ongoing commitment to transparency.

PoR + Security Posture Review

Combined engagement covering reserves verification and platform security assessment. Comprehensive assurance for regulated environments.

Typical Timelines

1–2 weeks: Simple asset structures

2–4 weeks: Complex platforms

Scoped: Custom architectures

Timeline depends on system complexity and data readiness.

Frequently Asked Questions

Does PoR expose customer balances?
No. We use privacy-preserving cryptographic techniques that allow verification of aggregate reserves against liabilities without exposing individual customer balances. Merkle tree-based proofs enable users to verify their inclusion without revealing their specific holdings.

Can PoR be shared publicly?
Yes, with appropriate controls. We can prepare public-facing summaries that communicate reserve coverage without disclosing sensitive operational details. The scope of public disclosure is agreed during engagement scoping.

Do you verify wallet ownership?
Yes. We validate wallet control through cryptographic proof—typically requiring the platform to sign a message from each claimed wallet address. This confirms the platform controls the private keys for stated reserves.

Is PoR accepted by regulators?
Regulators increasingly recognize PoR as a transparency mechanism. However, acceptance varies by jurisdiction and regulator. PoR is typically viewed as supplementary to—not a replacement for—required financial audits and compliance reporting.

How often should PoR be performed?
Frequency depends on operational context. Quarterly is common for regulated platforms; monthly for high-volume exchanges. Some platforms opt for real-time or near-real-time reserve dashboards backed by periodic formal audits.

Do you sign an NDA and protect sensitive data?
Yes. We execute NDAs as standard practice. All data is handled in controlled environments with strict access controls. Wallet addresses, balance data, and internal system details are treated as confidential and securely deleted after engagement completion.

What cryptocurrencies can you verify?
We can verify reserves for all major cryptocurrencies including Bitcoin, Ethereum, stablecoins (USDT, USDC, DAI), and ERC-20 tokens. We also support Layer 2 assets, wrapped tokens, and cross-chain holdings.

How do you handle off-chain assets like fiat?
For fiat reserves, we coordinate with qualified third-party auditors or attestation providers. Our scope clearly defines which assets are cryptographically verified vs. reliant on traditional audit methods.

Can PoR be performed for stablecoins?
Yes. Stablecoin issuers are a key audience for PoR. We verify both the on-chain token supply and the backing reserves, whether held in crypto, fiat, or other instruments.

What's the difference between PoR and a financial audit?
PoR focuses on cryptographic verification of asset backing at a point in time. It's faster and more transparent than traditional audits but doesn't replace comprehensive financial audits for regulatory compliance. Many platforms use both.