
OKX Safety Special Issue|PoR: Understand the Exchange's "physical examination report" in 5 minutes


Reprinted from panewslab

05/14/2025

Don't Trust, Verify.


When a black swan hits, major centralized exchanges rush to publish PoR (Proof of Reserves) reports. PoR is a cryptographic verification mechanism that proves the exchange's on-chain assets cover total user assets at least 1:1, providing transparency while preserving user privacy. Its main purpose is to show that the exchange has not misappropriated user assets and is able to honor withdrawals.

The difference from traditional finance is that PoR rests on cryptographic proofs that are publicly verifiable and can be checked independently by each user, whereas a traditional audit relies on third-party sampling and reporting: users can only trust the result passively, and transparency is limited.

Logically, PoR exists to put users at ease, but at present only a few leading exchanges, OKX among them, still publish PoR monthly; many have lapsed or stopped altogether. And even a published PoR report cannot guarantee that assets on the exchange are safe. In other words, publishing PoR does not mean absolute security. We also need to understand what each exchange is actually doing behind its PoR, because that is what reflects its security level.

Blockchain analyst Nic Carter has commented that OKX's PoR represents the highest quality among mainstream exchanges. Below we use OKX as a sample to look at PoR more deeply: not just asking "is there one", but finding out how it is done and what level of safety it actually provides.

Start with these three steps

Many readers open a PoR report, see rows of tables or figures (BTC reserve rate 104%, ETH reserve rate 101%, USDT reserve rate 103%...), notice they are all above 100%, and instinctively relax: this platform must be reliable. Not so fast. A PoR report can hide quite a few tricks, and the headline reserve rate alone is far from enough.

To grasp the key points and risks of a PoR quickly, follow these three steps.

Step one, look at the overview: open the report and find total user assets, total platform liabilities and the reserve ratio. Exchanges name these differently; OKX, for example, uses "account assets" and "OKX wallet assets", but they essentially mean user liabilities and exchange assets. Don't fixate on the absolute size of the numbers; check whether the reserve ratio is at or above 100%. In the PoR OKX published in April, for example, the BTC reserve rate was 104%, which not only meets users' daily withdrawal needs but also leaves a buffer, indicating stronger resilience.

Step two, check the per-currency details: not all currencies are equally "stable". First, check whether the mainstream currencies (BTC, ETH, USDT, USDC, etc.) are included. These usually make up the bulk of user assets and are the core indicators of the exchange's liquidity, redemption ability and risk control. Second, open the detailed list for each currency and compare the exchange's total holdings with total user assets. If the wallet holds 10,000 USDT and total user assets are 9,000, that is fine. If it is the other way around, look for abnormal withdrawals or a falling reserve rate.

Step three, recognize the common tricks: to dress up its reserves, an exchange can stage a "fund transfer" from affiliated addresses and move the funds back once the PoR is published; or create large numbers of fake "debt accounts" to shrink platform liabilities, proving solvency at one instant and reverting in the next period. OKX uses zk-STARK technology and publishes its code openly. On the one hand this effectively prevents the fake "debt account" trick; on the other, users can verify for themselves, which rules out a "photoshopped PoR report".

If you don't have time to look at all the data, it is recommended to focus on three indicators:

  1. Whether the reserve rate continues to be stable >100%;

  2. Whether it supports user self-verification;

  3. Whether the report is updated regularly and covers mainstream assets and staked assets.

Remember: good-looking PoR numbers are not the point; the point is to understand the exchange's solvency and security capability.

Focus on these six data

First, the most fundamental security figure: is the PoR ratio above 100%? It is like depositing money at a bank: the most basic requirement is that the bank has enough money to pay you back. The same logic applies to a crypto exchange. We need to see whether the exchange's on-chain assets cover user account assets 1:1. This ratio is the "reserve rate" (PoR = platform assets / user assets × 100%).

Exactly 100%: the platform holds just enough assets to cover user assets. Above 100%: the platform has surplus repayment capacity and some ability to absorb shocks. But a larger reserve ratio does not automatically mean a safer exchange; the two cannot be equated. A sudden jump in one currency's reserve ratio, for example, may simply be caused by the platform's recent promotions. Below 100%: a red light. The platform's holdings of that currency are not enough to repay all users. A ratio that stays below 100% may indicate a run on the platform, or even deliberately concealed liquidity problems. Tellingly, many platforms stop publishing reports at exactly this point, and that interruption is itself a risk signal.

Second, which coins does the PoR cover? Does it count all the mainstream coins? Our assets are not held in a single currency. Mainstream coins such as BTC, ETH, USDT and USDC generally account for 80% or even 90% of user positions. The number of currencies covered by a PoR is an important indicator of an exchange's transparency and asset management capability. Take OKX: from the earliest 3 coins it now discloses PoR for 22 coins, putting essentially all users' main assets on the table. BTC, ETH, USDT and USDC alone account for more than 66% of platform assets, and the 22 published coins account for more than 90%. In other words, looking at these four coins is already enough to gauge whether the platform is safe.

Third, reserve cleanliness: the share of non-platform-token assets in total reserves, as opposed to reserves padded with the exchange's own token. Cleanliness is an important dimension of reserve quality; it directly reflects the true value, liquidity and resilience of the reserves. Only an exchange that keeps sufficient reserves without leaning on its own token can be called truly robust. When evaluating reserve quality, "cleanliness" should be split into two cases:

Per-currency proof: the exchange publishes a PoR for each major currency (BTC, ETH, USDT, USDC, etc.). As long as a single currency's reserve ratio exceeds 100%, that currency can be redeemed. Whether the platform token is included elsewhere does not affect your judgment of solvency in the mainstream currencies.

Aggregate proof: the exchange merges all assets (including its platform token) and publishes one overall reserve rate. Here, if the platform token makes up a large share, a collapse in its price or liquidity could leave the overall reserve insufficient. So pay particular attention to the share of non-platform-token assets in total assets, that is, "cleanliness". Currently most exchanges include their platform token in PoR. Take OKX: its PoR for each mainstream currency stays above 100% and is unaffected by OKB price swings; calculated by the latest aggregate method, its non-platform-token "cleanliness" is about 70%. That means the most liquid mainstream assets (BTC, ETH, USDT, USDC and so on) alone cover more than 70% of total user liabilities, genuinely delivering high transparency and resilience.

Fourth, something often overlooked: the trend in reserves of mainstream currencies such as BTC and ETH. A rising trend usually means users or institutions are confident in the platform's security and liquidity. Recently OKX's reserves of mainstream coins such as ETH and BTC have trended upward. For example, as of April 7, 2025, the OKX PoR report showed account ETH rising from 1,556,932 on October 8, 2024 to 1,770,686, an increase of about 13.7%; BTC rose from 126,082 on January 10, 2025 to 133,151, an increase of about 5.6%, indirectly reflecting users' confidence in platform security.

Fifth, the share of the top 10 mainstream coins: don't let illiquid coins prop up the picture. The higher the share of the top 10 coins by market cap, the healthier the PoR, because those assets are highly liquid and stable and can better support the platform's capital security in extreme conditions. According to the PoR reports of various exchanges, in the current reserve structure of mainstream exchanges the top 10 coins by market cap account for about 80%, with illiquid coins held to 10% to 20%; the overall asset structure is healthy and meets users' expectations of high solvency. For example, as of April 7, 2025, OKX's top 10 mainstream coins accounted for about 88.8% of the total PoR value.

Sixth, the frequency of PoR reports also matters: is it a one-off show or a routine? A PoR report reflects asset status at a specific point in time. The more frequently it is published, the harder it is to paper over short-term liquidity or security problems. Since its first PoR at the end of 2022, OKX has published every month, 30 consecutive issues as of April 2025, and each report is audited and verified by the blockchain security firm Hacken. This is why leading platforms such as OKX repeatedly stress "monthly disclosure": only frequent, reliably audited updates can genuinely sustain user confidence and platform integrity.

When evaluating the safety of an exchange's assets, link the data together. Do not rely solely on the PoR report the platform publishes itself; cross-check it against multiple data sources to form a more complete and objective judgment. For example, DeFiLlama's CEX Transparency module gives an overview of on-chain reserves for major centralized exchanges and is a useful external reference. Nansen's "CEX Token Flow" section shows real-time inflows and outflows for exchanges including Coinbase and OKX, capturing on-chain capital movements.

There was previously a short-lived anomaly in OKX's asset figures on DeFiLlama; it turned out that an address upgrade had left the third-party crawler lagging. Such incidents remind us that third-party platforms, although independent, are limited by the timeliness and completeness of their on-chain address attribution. Separately, some small and medium-sized exchanges show a clear gap between their own PoR figures and third-party on-chain monitoring. If that gap cannot be reasonably explained, the reasons behind it deserve careful investigation.

PoR data cannot be read in isolation, and seeing a number like "100%" is no reason to relax. Only by combining on-chain tracking, third-party verification and the exchange's own disclosure mechanism can we judge asset safety with any rigor.

Tools let users verify the exchange's data

That the platform "shows" its PoR does not make it absolutely credible. Faced with the ultimate question, "I put my money in; is it really there?", users need to verify for themselves. Taking OKX's verification logic as the example, only two things need to be proven: first, that the sum of user assets (account assets) is correct; second, that the total of the platform's on-chain assets (wallet assets) is correct. The "reserve rate" then follows from the two.

For example, two users deposit on the exchange, one 100U and the other 200U, so the platform's total liabilities are 300U. The exchange's PoR must prove two things: that the total deposits of all (two) users are 300U, and that the exchange wallet really holds 300U.

Step one is verifying total user deposits. OKX uses a zero-knowledge proof system, zk-STARK, to prove and verify all account assets it holds. OKX takes a "snapshot" of all user accounts and proves a set of "constraints" over it with zk-STARK. The first is the sum constraint: the published total must equal the sum of all account balances. The second is the non-negative constraint: no account carries a negative balance that could be used to shrink the book. The third is the inclusion constraint: no account is left out.

Step two is verifying the exchange's wallet assets. OKX discloses a set of wallet addresses and signs the message "I am an OKX address" with the private key of each, proving ownership of those addresses. Anyone can then look up the balance of each address on a block explorer; summing those on-chain balances gives the total assets OKX actually holds. Note that a signature proves control of the key at signing time, not that the balance is free of other claims, which is why the "fund transfer" trick from step three above still has to be watched for by tracking the addresses over time.

For both the three constraints above and the wallet-asset verification, OKX provides a detailed self-verification tutorial; users can verify at any time ( https://www.okx.com/zh-hans/proof-of-reserves ), and the PoR code is open source for the technical community to verify and reuse ( https://github.com/okx/proof-of-reserves/releases/tag/v3.1.4 ).

The PoR scheme itself still has room to iterate

OKX has kept exploring safer underlying technology to stop PoR data from being tampered with or forged. Having launched a standard Merkle tree scheme in November 2022, it upgraded to the full-view Merkle Tree V2 in March 2023, and in April 2023 was the first to introduce a self-developed zk-STARK zero-knowledge proof that integrates the sum, inclusion and non-negative constraints, making verification lighter and open source. So when evaluating any exchange's PoR, beyond reserve rates and user self-verification, weigh the underlying technical implementation and how it has evolved, so that tampering or auditing weaknesses are not missed by looking at the headline figures alone.

Why upgrade to zk-STARK? The traditional Merkle tree proof scheme has a loophole that leaves room for a CEX to cheat. A Merkle tree is a common data structure; used for proof of reserves, it hashes each account's balance and organizes the hashes into a tree, so that any account can verify that its balance is included in the exchange's total liabilities. But a traditional Merkle tree has a key drawback: it cannot prevent negative-value nodes. A CEX that wants to cheat can create fake accounts with negative balances, so that reserves appear to match liabilities even when they do not.
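The two-step verification from the previous section, the three constraints (sum, non-negative, inclusion), the reserve-rate formula and the negative-balance loophole just described, worked through in one added Python example that is not part of the original article or of OKX's open-source code: a toy Merkle sum tree over the article's 100U + 200U example. Account names, balances and the hashing layout are constructed for illustration; signing the wallet addresses is out of scope, so the on-chain total is passed in as a plain number. `build_tree` enforces the non-negative constraint that the zk-STARK proof exists to guarantee, `verify_inclusion` is what a single user can check on their own, and the last two functions show why that user-side check alone is not enough.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


@dataclass(frozen=True)
class Node:
    digest: bytes  # hash commitment to the subtree below
    total: int     # sum of balances below, in smallest units


EMPTY = Node(sha256(b"empty"), 0)  # pads odd-sized levels, carries nothing


def leaf(account_id: str, balance: int) -> Node:
    # Binds a (constructed, assumed) account id to its balance; a real
    # scheme salts the id so other users cannot recognise it.
    return Node(sha256(b"leaf|" + account_id.encode() + b"|" + str(balance).encode()), balance)


def parent(left: Node, right: Node) -> Node:
    total = left.total + right.total
    # The hash covers both children and the running sum, so changing any
    # balance or intermediate total changes the root.
    return Node(sha256(b"node|" + left.digest + right.digest + str(total).encode()), total)


def build_tree(balances: dict[str, int], enforce_non_negative: bool = True) -> list[list[Node]]:
    """Return every level, leaves first. The non-negative constraint is what
    the zk proof enforces; switch it off to reproduce the plain-Merkle weakness."""
    if enforce_non_negative:
        bad = {k: v for k, v in balances.items() if v < 0}
        if bad:
            raise ValueError(f"non-negative constraint violated: {bad}")
    level = [leaf(k, v) for k, v in balances.items()]
    levels = [level]
    while len(level) > 1:
        if len(level) % 2:
            level = level + [EMPTY]
        level = [parent(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels


def root(levels: list[list[Node]]) -> Node:
    return levels[-1][0]


def inclusion_proof(levels: list[list[Node]], index: int) -> list[tuple[Node, bool]]:
    """Sibling nodes from leaf to root; the flag says the sibling sits on the left."""
    proof = []
    for level in levels[:-1]:
        if len(level) % 2:
            level = level + [EMPTY]
        sibling = index ^ 1
        proof.append((level[sibling], sibling < index))
        index //= 2
    return proof


def verify_inclusion(published_root: Node, account_id: str, balance: int,
                     proof: list[tuple[Node, bool]]) -> bool:
    """The user-side inclusion check: my leaf hashes up to the published root
    (digest and total), and no sibling subtree on my path carries a negative total."""
    node = leaf(account_id, balance)
    for sibling, sibling_is_left in proof:
        if sibling.total < 0:
            return False
        node = parent(sibling, node) if sibling_is_left else parent(node, sibling)
    return node == published_root


def reserve_ratio_pct(onchain_assets: int, liabilities_root: Node) -> float:
    # The article's formula: platform assets / user assets x 100. The on-chain
    # figure is summed separately from the signed wallet addresses.
    return onchain_assets / liabilities_root.total * 100


def negative_balance_attack(onchain_assets: int = 200) -> tuple[float, float]:
    """Honest liabilities are 300 (the article's 100U + 200U). A forged -100
    'ghost' account shrinks the committed total to 200, so 200 on chain reads as 100%."""
    honest = {"alice": 100, "bob": 200}
    forged = {**honest, "ghost": -100}
    honest_ratio = reserve_ratio_pct(onchain_assets, root(build_tree(honest)))
    forged_root = root(build_tree(forged, enforce_non_negative=False))
    return honest_ratio, reserve_ratio_pct(onchain_assets, forged_root)


def buried_negative_passes_user_check() -> bool:
    """Pair the ghost with a positive balance and alice's own check still passes:
    per-user verification cannot find it, so non-negativity must be proven for every leaf."""
    forged = {"alice": 100, "bob": 200, "ghost": -100, "carol": 150}
    levels = build_tree(forged, enforce_non_negative=False)
    return verify_inclusion(root(levels), "alice", 100, inclusion_proof(levels, 0))
```

Calling `negative_balance_attack()` gives about 66.7% honest coverage for 200 on chain against 300 of liabilities, while the forged tree reports 100%. A three-account forgery is caught by the sibling-total check in `verify_inclusion`, because the ghost ends up as alice's sibling subtree; `buried_negative_passes_user_check()` shows that once the ghost is paired with a positive balance, alice's proof still verifies. That is exactly the gap that proving the non-negative constraint over every leaf closes.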


zk-STARK is built on modern cryptography; the proofs it generates are mathematically verifiable, by anyone. Most importantly, zk-STARK requires no trusted setup. A trusted setup is a special procedure, needed by some proof systems such as zk-SNARK, that generates initial secret parameters which must be destroyed once setup is complete. If those parameters leak or are manipulated, the security of the whole system can be compromised.

zk-STARK avoids this risk: it is transparent, relying only on public randomness and on no secret information or external trust, so there is no setup ceremony whose compromise could let the platform forge proofs. In that sense zk-STARK gives a genuinely "trustless" guarantee for the proof itself and is currently the most robust option for PoR. The caveat is that a proof only covers the statement proven over the snapshot: which wallet addresses are included, and whether the funds in them are really the exchange's own, still have to be checked separately.

How does zk-STARK solve the problem? It gives a mathematical guarantee that every account balance is genuine and valid: there can be no hidden negative nodes, because zk-STARK proves that every account's balance is greater than or equal to zero. In addition, the total liabilities cannot be manipulated, so a CEX cannot fake matching reserves by tampering with the data. zk-STARK thus closes the negative-balance loophole in traditional proof-of-reserves, protecting user funds against an exchange that would deceive its users.

OKX continues to lead on credibility and transparency

Beyond zk-STARK zero-knowledge proofs, OKX has engaged the independent third-party auditor Hacken for certification, giving users an additional layer of assurance. Hacken's audit team currently verifies OKX's reserves every month, confirming that on-chain assets fully cover user liabilities (a reserve ratio of 100% or higher), and the audit reports are published for users to inspect at any time.

PoR is only one slice of CEX security and cannot prevent every risk. When choosing a CEX, users should make full use of the on-chain verification that PoR provides, and also weigh governance structure, capital liquidity and technical strength. OKX's steady PoR cadence, industry-leading zk-STARK technology and collaboration with an independent auditor together build a more credible line of defense, making the exchange genuinely transparent, visible and verifiable for users.

With this sustained lead in credibility and transparency, OKX is earning the trust and choice of more and more users worldwide.

Don't Trust, Verify.
