How Safe Is It to Store Assets on a Cryptocurrency Exchange

Alexander Lubnevsky

Mar 7, 2025

Last week we wrote about how changes in accounting rules for crypto exchanges forced Coinbase to reduce the value of assets reflected on Coinbase's balance sheet by more than 10 times (from $229 billion to $22 billion) and what this means for the company's clients. Now let's discuss in more detail how the crypto industry responds to problems and criticism related to insufficient security of client funds, what protection mechanisms it offers, and whether it is possible to ensure that funds in a crypto exchange account are safe.

How crypto exchange clients lost money

In November 2022, the crypto sphere — and beyond — was shaken by the rapid bankruptcy of FTX, at that time the third largest crypto exchange, serving about 5 million clients. It all started when CoinDesk journalists published internal documents of the hedge fund Alameda Research, affiliated with FTX. As a result, it turned out that more than half of Alameda's funds were illiquid FTT tokens — the internal cryptocurrency of the FTX exchange. The free float was about 20% of the total number of tokens, the rest were controlled by FTX and Alameda.

This was followed by a statement from the CEO of the largest crypto exchange Binance, Changpeng Zhao (CZ), about selling all FTT, freezing client withdrawals from FTX, blocking accounts, the exchange's bankruptcy, and the resignation of FTX founder Sam Bankman-Fried, who in March 2024 was sentenced to 25 years in prison on fraud charges.

As a result of an audit conducted by the new management of the company, it was revealed that there was a gap between assets and liabilities in the company's balance sheet of about $8 billion. Among other things, FTX secretly transferred client funds to Alameda Research, where they were used as collateral for loans and trading. As emphasized by appointed crisis manager John Ray (coincidentally, he previously dealt with the Enron bankruptcy), "there was no segregation of client money" and no proper accounting was kept. In fact, client funds were uncontrollably mixed with the company's cash flows.

The collapse of FTX is not an exceptional case. QuadrigaCX — a Canadian exchange where the sole owner had full control over the keys. After his sudden death in December 2018, it was discovered that there were no key records and that user and company funds were not separated. A significant portion of crypto assets was withdrawn by the founder to personal accounts and lost​. The exchange turned out to be a classic Ponzi scheme, and users lost about $190 million.

In 2014, the largest bitcoin exchange at the time, Mt. Gox, collapsed after hacks and the disappearance of about 650 thousand bitcoins, which at the time of bankruptcy amounted to approximately $480 million. It later turned out that Mt. Gox stored client bitcoins in a single pool and did not separate them by accounts; there were not enough cold (offline) wallets, and most of the funds remained in hot wallets online. Such "pool" storage meant that clients did not have legally separate coins — in bankruptcy, their claims were mixed with other creditors. Legal proceedings dragged on for years, and only a decade later did creditors of MT. Gox begin to receive payments for the return of their funds.

What lessons the crypto sphere learned after the bankruptcy of FTX

After the collapse of FTX and subsequent criticism, the heads of major crypto exchanges publicly assured the safety of client funds, trying to distance themselves from FTX.

For example, Binance CEO Changpeng Zhao regularly emphasized that the exchange does not touch client funds, drawing a clear line between Binance and the FTX case​. Binance representatives clarified that the exchange "does not use, trade, or lend client assets." After the collapse of FTX, Binance was the first to publish the addresses of its wallets — anyone could look at the blockchain to see how many assets were in Binance's wallets. "The best way to restore trust is transparency," Zhao wrote at the time. Such statements are intended to convince clients that with Binance, the situation where funds disappear or are used without the owners' knowledge will not be repeated.

Crypto.com CEO Kris Marszalek held an AMA session, responding to suspicions about the platform. He directly stated: "We never engage in irresponsible lending, do not take external risks. We are not a hedge fund and do not trade client assets." According to Marszalek, Crypto.com conducts business "as usual," client funds are fully backed and available for withdrawal. These assurances came after information emerged that the exchange mistakenly sent $400 million in ether to the address of another exchange, Gate.io (which was subsequently returned). Marszalek explained that the error was corrected and all funds are intact.

After the collapse of FTX, one of the solutions to restore trust was Proof of Reserves (PoR) — the exchange's "proof of reserves." This mechanism allows clients and third-party observers to verify that the exchange has a sufficient amount of assets on its balance sheets to cover all client deposits. The key technical tool of PoR is the Merkle Tree — a cryptographic data structure (hash tree) that allows verifying the integrity of a large data set without revealing personal information of each client.

How Proof of Reserves works

The exchange takes a snapshot of all client balances at a specific moment and organizes this data in the form of a Merkle Tree. The leaves of the tree are hashes of individual user balance data. Typically, each account is associated with a hash derived from its balance, plus a random "salt" for anonymity​.

Then pairs of hashes are combined and hashed again, forming nodes of the upper levels. Iteratively continuing this procedure results in a single root hash (Merkle Root), which cryptographically represents the total state of all accounts. The exchange publishes this root hash (for example, on its website) and optionally provides users with a tool to give them a Merkle Proof — a sequence of hashes from their own leaf to the root.

With such proof, each client can independently verify that their balance is included in the aggregate reserves (the user locally recalculates the hashes along the tree path and compares the resulting top hash with the published root). If even one client account were secretly excluded or distorted, the root hash would not match — and the violation would immediately be revealed. 

Simultaneously, the exchange discloses information about its reserves on the blockchain. For example, it publishes the addresses and balances of its wallets, as mentioned above.

In the second stage of PoR, an independent auditor (or community) compares the total balance from client data (calculated through the Merkle Tree) with the aggregate of the exchange's on-chain assets. Ideally, these values should match (or the reserves in blockchain wallets should be greater). If so, it means the exchange has enough assets in wallets to cover all obligations to users. 

For example, the large cryptocurrency exchange OKX reports that according to its PoR, clients can "be assured that their assets are held in a 1:1 ratio," as the total user balances in the Merkle Tree match the published data on OKX wallet reserves.

What other arguments exist in defense of the safety of crypto assets on exchanges

Segregation means that the exchange holds user funds separately from its own operational accounts, often in special custodial accounts or trust accounts, whose safety is ensured by a third party. Segregation guarantees that in the event of the exchange's bankruptcy or debts, client assets will not be used to settle its obligations​. For example, Coinbase stores crypto assets through a separate custodial company, Coinbase Custody, which has fiduciary status in the state of New York. This means that the company must act in the interests of clients, not its own. 

Here's how else exchanges should ensure the safety of client funds.

1. Cold storage and cybersecurity. Exchanges strive to keep the majority of cryptocurrencies in cold wallets (offline), out of internet access. Only a small percentage is held in hot wallets for quick withdrawals. This architecture (e.g., ~95% of funds in cold storage) reduces the likelihood of theft in the event of a hack. The lack of sufficient cold storage played a fatal role in the bankruptcy of Mt. Gox — most bitcoins were online and stolen, while offline reserves were not enough to return them to clients after the hack. Now almost all major exchanges have a multi-level wallet system: hot — for small amounts and daily operations, warm — for intermediate amounts, cold wallets — for the main mass. 

2. Multisignature (multisig) is another standard: access to wallets is distributed among several employees so that no one person can unilaterally withdraw assets. This protects against both external attacks and internal abuses or key loss. A sad example of the opposite is QuadrigaCX, where passwords were held by only one owner, and after his death, the company lost access to all cold wallets.

3. Insurance funds and policies. Many exchanges create reserves to cover unforeseen user losses. For example, Binance established the SAFU (Secure Asset Fund for Users) fund in 2018 — a special insurance reserve where part of the fees is allocated. The fund's size exceeds $1 billion. These funds are stored in separate cold wallets and are intended to compensate users for damage in emergency cases. Binance has already used SAFU to cover losses from a hacker attack in 2019.

Coinbase, in turn, claims the largest insurance program against criminal risks, covering the theft of digital assets from hot wallets. However, the exact coverage amount and information about the insurer are not publicly disclosed. But this policy does not cover losses related to unauthorized access to user accounts due to the loss or compromise of their credentials.

What regulators are doing in different countries

After the collapse of FTX, the Securities and Exchange Commission (SEC) began actively checking crypto firms, primarily crypto exchanges, for compliance with asset safety principles. For example, in January and February 2023, investigations were initiated against Kraken and Gemini Earn services, which allowed users to earn interest on cryptocurrency assets, as they, according to the SEC, could violate securities laws and were offered without proper registration.

Here's how things stand in other countries:

• In Australia and Singapore, regulators have also proposed new rules requiring crypto platforms to separate client funds and periodically report on reserves. 
• In the European Union, a comprehensive MiCA (Markets in Crypto-Assets) regulation was adopted in May 2023, coming into force in stages in 2024–2025. It directly obliges crypto service providers (CASP) to ensure the separation of client crypto assets from the company's own funds and conduct regular audits to ensure the safety of client funds.
• In the United Kingdom, a set of regulations on applying Client Money Rules to crypto assets was launched in 2023 — similar to how forex dealers or brokers are regulated (they are required to keep client funds in separate trust accounts in the banking system).
• In Japan, a strict model is already in place, introduced after the bankruptcy of Mt. Gox and a cyberattack on another crypto exchange, Coincheck, in 2018. Exchanges are required to store client cryptocurrencies under the control of an external trust bank or trust, and their own tokens must be separated. For example, FTX Japan was eventually able to return funds to clients because local requirements forced them to keep them in a trust account.
• In the UAE, the VARA regulation was adopted, requiring custodians to regularly confirm reserves and have a plan in case of collapse.

What to pay attention to anyway

Crypto exchange clients can use non-custodial (self-managed) wallets for storing crypto assets, where private keys are held only by the user. There are hardware wallets (Ledger, Trezor), software wallets (MetaMask, Trust Wallet), or even paper wallets. The principle here is simple: whoever controls the key controls the cryptocurrency on the blockchain​.

If you have recorded the seed phrase and private key for an address, only you decide where to transfer the funds; no exchange can freeze or seize them. Even if any exchange or service closes tomorrow, your BTC/ETH will remain at your address, and you can manage them through the blockchain. The risk of global hacks is also reduced: hacking thousands of individual wallets is harder than one large hot wallet of an exchange.

But such storage has obvious downsides — the responsibility for safety lies entirely with the owner. You need to take care of securely storing the key (offline backups, protection from loss and theft). If you lose the private key or seed phrase, it is almost impossible to restore access — the coins will remain "hanging" in the blockchain forever.