Custodial risk: why proof‑of‑reserves must be paired with audits

Explore how custodial risk persists despite proof‑of‑reserves and why independent audits are essential for protecting crypto investors in 2025.

  • Proof‑of‑reserves alone can mislead; audits add verifiable assurance.
  • Custodians may hold assets off‑chain, creating opacity that PoR cannot fully resolve.
  • Independent third‑party audits reveal discrepancies and validate custodial practices.

Why proof‑of‑reserves must be paired with audits is a question at the heart of today’s crypto‑asset ecosystem. In 2025, as institutional money flows into tokenized real‑world assets (RWAs), retail investors face a new form of exposure: the security of the custodial arrangements that hold the underlying funds or securities. Proof‑of‑reserves (PoR) is widely promoted as a transparency mechanism, yet it has limitations that can leave investors vulnerable.

In this article we’ll dissect the relationship between PoR and audits, examine real‑world examples—including Eden RWA’s tokenized luxury properties—and outline what you should look for when evaluating custodial platforms. The goal is to equip intermediate retail investors with a clear framework for assessing custodial risk in 2025 and beyond.

We’ll cover:

  • The evolution of custody and PoR in the crypto‑asset space

Background & Context

Custody has become a cornerstone of the asset tokenisation movement. Traditional finance relies on custodians—banks, trust companies, or securities depositories—to safeguard physical or electronic holdings. In crypto, custody is more fragmented: exchanges, multi‑signature wallets, hardware security modules (HSMs), and specialised custodial firms each offer varying degrees of control.

Proof‑of‑reserves emerged in 2019 as a cryptographic technique that allows custodians to publish a snapshot of their holdings without revealing individual balances. A PoR typically involves signing a Merkle tree root with the custodian’s private key, which can then be verified by anyone against the public ledger. The result is a claim that “the custodian holds at least X amount of token Y.”

Regulators have begun to take notice. In 2024, MiCA (Markets in Crypto‑Assets Regulation) introduced provisional guidelines for custodial services, while the SEC has issued clarifying statements on custody requirements for securities‑like tokens. These developments underscore the growing expectation that custodians must demonstrate transparency and reliability.

Despite these regulatory signals, PoR alone is insufficient to guarantee asset safety. The technique does not audit the underlying processes that generate the Merkle root, nor does it verify that the custodian’s records match on‑chain statements or external audits. Consequently, PoR can be gamed or misrepresented.

How Proof‑of‑Reserves Works

The standard PoR workflow involves several steps:

  • Data collection: The custodian aggregates balances across all relevant wallets and accounts.
  • Merkle tree construction: Each asset balance becomes a leaf node; the tree is hashed to produce a root hash.
  • Signing: The custodian signs the root with their private key, creating a signed proof.
  • Publication: The signed root and signature are posted publicly (e.g., on a blockchain or website).
  • Verification: Anyone can verify that the signature matches the custodian’s public key and that the root hash corresponds to the claimed balances.

While technically sound, this process has blind spots:

  • The custodian could sign a fabricated root that does not reflect actual holdings.
  • Data aggregation errors or omissions can lead to an inaccurate Merkle tree.
  • PoR provides no temporal guarantee; the snapshot may become stale within minutes if balances shift.
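The workflow and blind spots above, as an added example that is not part of the original article: stdlib-only Python that builds the Merkle tree over a constructed balance snapshot, produces inclusion proofs, recomputes the root from the published figures (the verification step), and then runs the reconciliation against an independently observed on‑chain view, which is the check PoR itself never performs, plus a snapshot‑age check. The asset names, balances, leaf encoding and odd‑node handling are assumptions of this example; the signing of the root is left out because the standard library has no ECDSA, and nothing below depends on it.

```python
import hashlib
import time
from typing import Dict, List, Optional, Tuple

# Constructed sample data, not taken from any real custodian: the figures a
# custodian publishes in its PoR snapshot, and an independently gathered
# on-chain view of the same wallets, as an auditor would collect for reconciliation.
PUBLISHED_BALANCES = {"BTC": 1_200, "ETH": 15_000, "USDC": 2_500_000}
ONCHAIN_BALANCES = {"BTC": 1_200, "ETH": 15_000, "USDC": 1_900_000}

Proof = List[Tuple[bytes, str]]  # (sibling hash, side the sibling sits on)


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(asset: str, balance: int) -> bytes:
    # A 0x00 prefix domain-separates leaves from internal nodes (0x01), so a
    # leaf can never be reinterpreted as an internal node.
    return _h(b"\x00" + f"{asset}:{balance}".encode())


def merkle_root_and_proofs(leaves: List[bytes]) -> Tuple[bytes, Dict[int, Proof]]:
    """Build the tree bottom-up. An odd trailing node is promoted unchanged
    rather than duplicated, which avoids the duplicate-node root ambiguity."""
    if not leaves:
        return _h(b""), {}
    proofs: Dict[int, Proof] = {i: [] for i in range(len(leaves))}
    position = {i: i for i in range(len(leaves))}  # leaf index -> slot in current level
    level = list(leaves)
    while len(level) > 1:
        for leaf, pos in position.items():
            if pos % 2 == 1:
                proofs[leaf].append((level[pos - 1], "left"))
            elif pos + 1 < len(level):
                proofs[leaf].append((level[pos + 1], "right"))
            # else: promoted odd node, it has no sibling at this level
            position[leaf] = pos // 2
        nxt = [_h(b"\x01" + level[i] + level[i + 1]) for i in range(0, len(level) - 1, 2)]
        if len(level) % 2:
            nxt.append(level[-1])
        level = nxt
    return level[0], proofs


def verify_inclusion(leaf: bytes, proof: Proof, root: bytes) -> bool:
    """Recompute the path from a leaf to the root; True if it lands on `root`."""
    node = leaf
    for sibling, side in proof:
        node = _h(b"\x01" + sibling + node) if side == "left" else _h(b"\x01" + node + sibling)
    return node == root


def build_por(balances: Dict[str, int]) -> Tuple[bytes, Dict[str, Proof]]:
    """Steps 1-2 of the workflow: canonical ordering lets anyone recompute the root."""
    assets = sorted(balances)
    leaves = [leaf_hash(a, balances[a]) for a in assets]
    root, proofs = merkle_root_and_proofs(leaves)
    return root, {a: proofs[i] for i, a in enumerate(assets)}


def reconcile(published: Dict[str, int], onchain: Dict[str, int]) -> Dict[str, Tuple[int, int]]:
    """The audit-style check PoR lacks: compare published figures with independently
    observed balances. Returns asset -> (claimed, observed) for every mismatch."""
    return {a: (published.get(a, 0), onchain.get(a, 0))
            for a in sorted(set(published) | set(onchain))
            if published.get(a, 0) != onchain.get(a, 0)}


def is_stale(snapshot_ts: float, max_age_s: float, now: Optional[float] = None) -> bool:
    """PoR gives no temporal guarantee; a consumer must at least bound the snapshot age."""
    now = time.time() if now is None else now
    return now - snapshot_ts > max_age_s


if __name__ == "__main__":
    root, proofs = build_por(PUBLISHED_BALANCES)
    print("root:", root.hex())
    for asset, proof in proofs.items():
        ok = verify_inclusion(leaf_hash(asset, PUBLISHED_BALANCES[asset]), proof, root)
        print(f"{asset}: inclusion proof valid={ok}")
    print("discrepancies vs on-chain:", reconcile(PUBLISHED_BALANCES, ONCHAIN_BALANCES))
```

Every inclusion proof verifies and the root recomputes exactly from the published figures, yet `reconcile` still reports the USDC shortfall: a fabricated snapshot yields an equally valid tree, so the parts a reader can verify (root, proofs, and in practice the signature) only establish what the custodian claimed, not what it holds. Closing that gap is the reconciliation work an auditor does.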

Why Audits Matter

An independent audit adds a layer of verification that PoR lacks. Auditors review:

  • Internal controls: How balances are tracked, reconciled, and reported.
  • Segregation of duties: Whether the same entity does custody, reconciliation, and reporting.
  • Security posture: Hardware security modules, cold storage practices, and incident response plans.
  • Reconciliation accuracy: Cross‑checking on‑chain balances against custodial ledgers.

Auditors also issue a signed report that can be publicly shared. Unlike PoR, an audit’s credibility depends on the auditor’s reputation, methodology, and adherence to international standards such as ISO 27001 or NIST CSF.

Market Impact & Use Cases

The combination of PoR and audits is already shaping several sectors:

  • Tokenised real estate: Platforms issue property tokens backed by physical assets. Investors rely on custodians to hold the underlying securities or real‑estate titles.
  • Securities‑like token offerings (STOs): Regulatory frameworks require custodial verification of holdings before listing.
  • Yield‑aggregating vaults: Many publish PoR but are increasingly seeking third‑party audits to satisfy institutional partners.

Below is a simplified comparison table illustrating the differences between relying solely on PoR versus pairing it with an audit:

Feature                      Proof‑of‑Reserves Only      Proof‑of‑Reserves + Audit
Transparency level           High (public root hash)     Very high (root + audit report)
Verification of processes    No                          Yes
Risk of misrepresentation    Medium‑high                 Low
Regulatory acceptance        Limited                     Growing support
Investor confidence          Moderate                    High

Risks, Regulation & Challenges

Even with PoR and audits, custodial risk persists:

  • Smart contract risk: Custodians may use on‑chain wallets that are vulnerable to bugs or exploits.
  • KYC/AML compliance gaps: Custodians may not fully vet all participants, exposing the platform to sanctions.
  • Legal ownership ambiguity: Token holders might not have legal claim over underlying assets if contracts lack clarity.
  • Liquidity constraints: Even a well‑audited custodian can face liquidity shortages during market stress.

Regulators are tightening rules. The SEC’s proposed “Custody Rule” for securities tokens would mandate audits as part of listing requirements, while MiCA will likely extend similar standards to EU residents. Non‑compliance could result in fines or delisting.

Outlook & Scenarios for 2025+

Bullish scenario: Custodial firms adopt blockchain‑based audit trails and integrate real‑time PoR with continuous monitoring. Investor confidence rises, leading to higher capital inflows into tokenized assets.

Bearish scenario: A high‑profile custodial breach triggers a wave of lawsuits and regulatory crackdowns. The market reacts by tightening due diligence, increasing costs for issuers.

Base case: Custodians continue to publish PoR while gradually adding audit layers. Institutional demand remains strong but investors become more discerning about custody disclosures.

Eden RWA – A Concrete Example

Eden RWA is an investment platform that democratises access to French Caribbean luxury real estate through tokenised, income‑generating properties. The model works as follows:

  • Each villa in Saint‑Barthélemy, Saint‑Martin, Guadeloupe or Martinique is owned by a special purpose vehicle (SPV) – typically an SCI or SAS.
  • Eden issues ERC‑20 property tokens that represent indirect shares of the SPV. For example, STB-VILLA-01 token holders own a fractional stake in a Saint‑Barthélemy villa.
  • The platform collects rental income and distributes it to investors in USDC directly into their Ethereum wallets via automated smart contracts.
  • A quarterly experiential draw selects a token holder for a free week’s stay, adding utility beyond passive income.
  • Governance follows a “DAO‑light” model: token holders vote on major decisions such as renovations or sale timing.

Custody plays a critical role. The SPV’s assets – the real estate deeds and rental contracts – are held in a secure custody arrangement that must prove ownership and income flows to token holders. Eden publishes PoR for its treasury balances, but it also commissions annual audits of its custodial practices, smart‑contract code, and financial reporting. This dual approach aligns with the best practice framework discussed earlier.

For investors curious about fractional real‑estate exposure, Eden RWA offers a structured pathway that combines blockchain transparency with traditional legal safeguards. The platform’s presale is currently live for interested participants.

Practical Takeaways

  • Always verify that a custodian publishes both PoR and an independent audit report.
  • Check the auditor’s credentials: look for ISO 27001, NIST CSF or industry‑specific certifications.
  • Understand how on‑chain balances are reconciled with off‑chain holdings; mismatches can signal risk.
  • Monitor custodial policies around KYC/AML to ensure regulatory compliance.
  • Assess liquidity provisions: can the custodian unlock assets quickly if market conditions change?
  • Evaluate governance mechanisms that allow token holders to influence custody decisions.
  • Track audit frequency and scope; annual audits are standard, but quarterly reviews add assurance.

Mini FAQ

What is proof‑of‑reserves (PoR) exactly?

PoR is a cryptographic method where a custodian signs a Merkle tree root that represents the total balances of assets they hold. Anyone can verify the signature against the custodian’s public key to confirm the claimed holdings.

Can PoR replace traditional audits?

No. While PoR provides transparency about on‑chain balances, it does not audit internal controls, reconciliation processes, or legal ownership. Independent audits are needed for comprehensive assurance.

How often should a custodian conduct an audit?

Industry best practice is at least once per year, with interim reviews (quarterly or semi‑annual) for high‑volume custodians. Some platforms opt for continuous monitoring using automated tools.

What happens if a custodian fails the audit?

A failed audit typically triggers remediation plans, potential penalties from regulators, and loss of investor confidence. Investors may withdraw funds or demand compensation depending on contractual terms.

Is PoR sufficient for regulatory compliance?

Regulators increasingly require both PoR and audited statements to meet custody standards, especially under MiCA and SEC guidance. Sole reliance on PoR is unlikely to satisfy all legal obligations.

Conclusion

Custodial risk remains a core challenge as crypto assets converge with real‑world investments. Proof‑of‑reserves offers valuable transparency but must be complemented by rigorous, independent audits to validate custodial claims and processes. Platforms such as Eden RWA illustrate how combining PoR, smart‑contract automation, and audited custody can create robust, investor‑friendly tokenised asset classes.

For intermediate retail investors, the key takeaway is vigilance: look beyond flashy PoR statements and demand comprehensive audit disclosures before allocating capital to custodial platforms. As 2025 unfolds, those who adopt a disciplined approach to custodial assurance will be better positioned to navigate both growth opportunities and regulatory uncertainties.

Disclaimer

This article is for informational purposes only and does not constitute investment, legal, or tax advice. Always do your own research before making financial decisions.