Author: Steven Ehrlich Source: unchainedcrypto Translation: Shan Ouba, Golden Finance
One lesson from the FTX collapse is that the words of cryptocurrency bigwigs can never be taken on faith alone. So when Bybit executives launched a coordinated PR campaign to assure the outside world that everything was fine and that they had enough funds in reserve to cover the losses, I decided to investigate anyway. The proof of reserves that the exchange released on February 20 (the day before the hack) made that analysis possible. It showed a surplus, meaning that total funds exceeded customer deposits by $1.15 billion. Therefore, once $1.5 billion in Ethereum was stolen, the company may have had a $385 million asset hole.
How Bybit Responded and Assured Customers That Their Funds Were Safe
The Ethereum gap has been filled through a series of loans, but Bybit's overall financial situation remains unclear because the terms of the loans are unknown. There are important lessons to be learned from this incident that will make the industry more transparent in the future.
After North Korean hackers stole 400,000 Ethereum from cryptocurrency exchange Bybit on Friday, CEO Ben Zhou and his team moved quickly to reassure customers that their funds were safe and that the exchange remained solvent. In a Twitter Spaces on Feb. 22 (one day after the attack), Zhou said his CFO told him, “Yes, we have enough funds to cover this loss.” Zhou went on to say in the interview that he was “not sure how much of our liquidity is in which tokens” and “if we have enough Ethereum” to handle the coming wave of withdrawals.
However, the reality is a little more complicated. It appears that the company may have had a $385 million shortfall in its exchange wallet before taking out a loan from an industry partner to cover it. While Bybit deserves credit for being able to temporarily fill the gap so quickly, the initial shortfall reveals why current industry transparency standards, especially Proof of Reserves, fall short for crypto exchange customers.
(Inadequate) Proof of Reserves
The collapse of FTX in 2022 was a wake-up call for the entire crypto industry. It made millions of crypto traders around the world realize that they could no longer trust what was displayed on their computer and mobile screens. When news broke that Sam Bankman-Fried had misappropriated billions of dollars in customer funds, the balances that were displayed turned out to be phantom numbers.
The best way to address this problem is through an audit, a comprehensive process managed by an accounting firm that looks at the inflows and outflows of funds and takes into account any liabilities or liens the company may have, which reduce the assets that customers can recover. Such audits are particularly important for the cryptocurrency industry, as there is no insurance protection similar to that provided by the Federal Deposit Insurance Corporation (FDIC), which guarantees deposits up to $250,000 per account in U.S. banks.
Due to cryptocurrency’s high-risk reputation, many companies have difficulty getting audits, and those that do almost never make their audit reports public. This means that customers are left to rely on other ways for exchanges to prove their solvency, known as “proof of reserves” (PoR).
These reports, which are available on almost every major exchange’s website, aim to do two things:
1. Show the cryptocurrency balances of an exchange at a given moment, across all tradable tokens.
2. Let customers see that their specific balances are included in the total balance displayed on the website, through a cryptographic mechanism called a Merkle tree.
Proof of reserves is a great step forward, but it’s still not enough. In a 2022 interview with Forbes, Kraken founder Jesse Powell emphasized the difference between an audit and proof of reserves. "You can't know if we just borrowed 100,000 bitcoins from some investor to do this snapshot. And then, you know, we gave it back five minutes later."
In addition, companies like Bybit update their proof of reserves only once a month, so customers have to rely more on trust that the funds shown in the report remain there over time. "If you publish (verification reports) more frequently, these things will be less likely to happen and more likely to be discovered in a timely manner," Powell said. "For example, if you see 100,000 coins moving on the chain on the 30th of each month," he said.
A Bybit spokesperson told Unchained that the exchange had been audited, but did not disclose the name of the auditing company or provide other details.
Bybit’s Last Proof of Reserves Before the Hack
Coincidentally, Bybit published its Proof of Reserves on February 20, the day before the hack. According to the data in the table below, the total assets on the company’s platform at that time were approximately $17.47 billion. Of this total, approximately $16.3 billion was liabilities for customer deposits. This means that the remaining assets were $1.15 billion, covering stablecoins, Bitcoin, Ethereum, and some less popular tokens such as Decentraland’s MANA - unless the company also has additional reserves that are not included in the Proof of Reserves.
However, when North Korea’s Lazarus group stole $1.5 billion worth of Ethereum on February 21, Bybit was left with a $385 million hole in its Proof of Reserves.

In the following days, Bybit worked closely with partners such as cryptocurrency exchanges MEXC and Bitget, as well as major broker Antalpha, to re-capitalize the Proof of Reserves (PoR).
In a statement this morning, the company said it had recovered “77% of its assets under management (AUM) to pre-incident levels” and that its Ethereum collateralization ratio had recovered to 102%.
This swift action stabilized the market, but it did not indicate whether there were any encumbrances on the Ethereum Bybit received after the hack, or what terms Bybit agreed to for those funds. That answer is not to be found in the proof of reserves.
How Audits Complete the Picture
For a listed exchange like Coinbase, anyone can quickly check its audited balance sheet to see its complete financial picture. The financial statements for the fourth quarter of 2024 were released on February 13, 2025, and the data showed that the company held $1.5 billion in investment assets, meaning they were separate from any customer liabilities. Interestingly, this figure is only $385 million more than Bybit's surplus before the attack.
But the more important part is the company's $10.28 billion in shareholders' equity. This can be seen as excess capital that can be used for general operations or as an emergency fund. The two main components of shareholders' equity are $4.96 billion in retained earnings, meaning profits that have not yet been distributed to shareholders, and $5.4 billion in additional paid-in capital, meaning the amount that investors paid above the $0.00001 par value of the shares when buying them directly from the company. The specific sales schedule can be seen in the balance sheet below.
For a private company like Bybit, it would be particularly helpful to understand its retained earnings, whether they are held in cryptocurrency, stablecoins, or fiat currency. But this information is not publicly available.

How Bybit Can Make Up the Gap
Bybit is the world's second-largest cryptocurrency exchange by trading volume, and while the company did not provide any additional details about its financials, industry insiders believe the company has multiple ways to make up the gap. A business partner who wished to remain anonymous said the company may have retained earnings that were not included in the proof of reserves, but he was unable to elaborate further.
The CEO of a rival exchange, who also agreed to speak anonymously, said the company could make up the gap in a few months and the entire loss in a few years. However, he also cautioned that the costs of running an exchange are considerable. “My base guess for a good exchange business is a 50% profitability,” he said, adding that over-inflated marketing and regulatory compliance budgets could quickly cause expense ratios to soar. Assuming the $15 billion hack was equivalent to a year’s revenue for Bybit, “it would take at least two years for the exchange to make up for the lost funds.” However, he said that since the attack, the price of Ethereum has fallen from $2,800 to $2,300, so assuming there is no corresponding drop in trading volume, that could reduce the time it takes to make up the gap.
Another way to make up the gap is to recover the stolen funds. A number of organizations have expressed their willingness to freeze assets and assist in recovering funds if it is possible. The company missed out on a bounty program worth up to $140 million to help freeze and recover funds. So far, the company has paid out $4.23 million, with the largest bounty paid to Mantle, which froze 15,000 mETH (worth $34 million).
Therefore, Bybit has many ways to recover funds. But as cryptocurrencies enter a new era of legitimization in 2025, promoting transparency remains crucial.