Build a Proof of Reserves Page That Ranks for Trust Queries
Post-FTX, "safest crypto exchange" queries 5x'd. Exchanges with detailed Proof of Reserves pages own this traffic. Most exchanges have a one-sentence PoR claim. This is how to build a real one.
Why this matters
- "Safest crypto exchange" queries 5x'd after FTX collapsed in November 2022.
- Google's YMYL standards specifically demote unverifiable financial trust claims.
- AI engines specifically check for PoR details when answering "is X exchange safe" queries.
- Eidoo (TG3 client) saw a 2.8x lift on "crypto exchange" queries after migrating CryptoExchange schema and adding a real PoR page in 90 days.
Before state (what bad looks like)
<!-- Buried at the bottom of /security/ page -->
<p>Example Exchange holds full reserves of customer assets at all times.
We are committed to transparency and security.</p>
Step-by-step
Step 1: Engage a real audit firm for attestation
Mazars, Armanino, BDO, and Grant Thornton are the firms with crypto-attestation experience. Costs range from $30k to $100k per attestation, depending on complexity. Smaller boutique firms also work if reputable. Without a third-party attestation, your PoR page can't earn trust, because YMYL standards specifically demote self-published claims.
Step 2: Implement Merkle tree proof for customer verification
Customer balances get hashed into a Merkle tree where each customer can verify their balance is included without seeing other customers' data. Use a library like merkletreejs (npm). Publish the Merkle root on-chain as part of the attestation. Build a verifier tool that lets users plug in their account ID and confirm inclusion.
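const { MerkleTree } = require('merkletreejs');
const SHA256 = require('crypto-js/sha256');

// Constructed sample snapshot; in production this comes from the liabilities ledger
const customerBalances = [
  { id: 'acct-1001', balance: '1.25', timestamp: '2026-04-15T00:00:00Z' },
  { id: 'acct-1002', balance: '0.50', timestamp: '2026-04-15T00:00:00Z' },
];

// Hash each customer record (id, balance, snapshot timestamp) into a leaf
const leaves = customerBalances.map(c =>
  SHA256(c.id + ':' + c.balance + ':' + c.timestamp)
);
// Build the tree, using the same hash function for the internal nodes
const tree = new MerkleTree(leaves, SHA256);
const root = tree.getHexRoot();
console.log('Merkle root for attestation:', root);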
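A minimal inclusion-proof generator and verifier for the tree described in this step, added here as an example (not code from the original page or from merkletreejs). It uses Node's built-in crypto module instead of merkletreejs; the 0x00/0x01 prefixes, the function names and the sample accounts are assumptions.

```javascript
const crypto = require('crypto');
const sha256 = (buf) => crypto.createHash('sha256').update(buf).digest();
// Assumed encoding: 0x00 prefix on leaves, 0x01 on internal nodes (domain separation).
const leafHash = (c) => sha256(Buffer.concat(
  [Buffer.from([0x00]), Buffer.from(`${c.id}:${c.balance}:${c.timestamp}`)]));
const nodeHash = (l, r) => sha256(Buffer.concat([Buffer.from([0x01]), l, r]));

// Build every level bottom-up; an unpaired node is promoted unchanged.
function buildLevels(leaves) {
  const levels = [leaves];
  while (levels[levels.length - 1].length > 1) {
    const prev = levels[levels.length - 1];
    const next = [];
    for (let i = 0; i < prev.length; i += 2) {
      next.push(i + 1 < prev.length ? nodeHash(prev[i], prev[i + 1]) : prev[i]);
    }
    levels.push(next);
  }
  return levels;
}

// Exchange side: sibling hashes from leaf to root, each tagged with its side.
function getProof(levels, index) {
  const proof = [];
  for (let d = 0; d < levels.length - 1; d++, index >>= 1) {
    const sib = index ^ 1;
    if (sib < levels[d].length) {
      proof.push({ hash: levels[d][sib].toString('hex'), left: sib < index });
    }
  }
  return proof;
}

// Customer side: rebuild the leaf from the customer's own record and fold the proof up to the root.
function verifyInclusion(record, proof, rootHex) {
  let h = leafHash(record);
  for (const p of proof) {
    const s = Buffer.from(p.hash, 'hex');
    h = p.left ? nodeHash(s, h) : nodeHash(h, s);
  }
  return h.toString('hex') === rootHex;
}

// Constructed sample snapshot (five accounts, so one node is unpaired).
const snapshot = ['1.25', '0.50', '3.00', '0.01', '7.75'].map((balance, i) =>
  ({ id: `acct-${1001 + i}`, balance, timestamp: '2026-04-15T00:00:00Z' }));
const levels = buildLevels(snapshot.map(leafHash));
const rootHex = levels[levels.length - 1][0].toString('hex');
console.log(verifyInclusion(snapshot[4], getProof(levels, 4), rootHex));
```

In a deployed verifier, `rootHex` should come from the on-chain publication rather than from the same server that supplies the proof. A per-account random nonce in the leaf string is a common addition so that sibling hashes in a proof cannot be used to guess other customers' balances.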
Step 3: Publish on-chain wallet addresses
List the addresses where you hold customer reserves. Make them publicly verifiable. Buyers and AI engines both check these against block explorers. Hidden addresses signal evasion. Use a /security/wallet-addresses/ sub-page with the full list categorized by chain.
Step 4: Build the page structure with full disclosure
Required sections: (1) attestation date and audit firm, (2) methodology in plain language, (3) reserves breakdown by asset (table format), (4) liabilities snapshot, (5) coverage percentage by asset, (6) verifier tool link, (7) past attestations with PDF links, (8) limitations disclosure. Don't hide limitations; disclose them honestly.
Step 5: Add Article + FAQPage schema
Schema for the PoR page: Article with an author byline (your CFO or compliance lead) and a current dateModified, plus FAQPage with the "is X safe", "how does PoR work", and "what does this cover" questions made explicit.
{
  "@context": "https://schema.org",
  "@graph": [
    {
      "@type": "Article",
      "headline": "Proof of Reserves: Q1 2026 Attestation",
      "author": {"@type": "Person", "name": "Jane Doe", "jobTitle": "CFO"},
      "datePublished": "2026-04-15",
      "dateModified": "2026-04-15"
    },
    {
      "@type": "FAQPage",
      "mainEntity": [...]
    }
  ]
}
Step 6: Link from CryptoExchange schema and homepage
Update your CryptoExchange schema (homepage and exchange pages) to set hasProofOfReserves to the URL of your new PoR page. Add a prominent link from your homepage and /security/ page. Hidden PoR is worse than no PoR.
"hasProofOfReserves": "https://example-exchange.com/security/proof-of-reserves/"
Step 7: Set quarterly attestation cadence
Stale PoR (older than 6 months) gets penalized as much as missing PoR. Schedule quarterly attestations at minimum. Top exchanges run monthly. On every attestation, update the page, refresh dateModified, and add the new PDF to the past attestations list.
After state (what good looks like)
<!-- Dedicated /security/proof-of-reserves/ page -->
<article>
<h1>Proof of Reserves: Q1 2026 Attestation</h1>
<p>Last attestation: April 15, 2026. Conducted by Mazars (independent third-party auditor).</p>
<h2>Methodology</h2>
<p>We use a Merkle tree proof to demonstrate reserves coverage.
Customer balances are hashed into a Merkle tree...</p>
<h2>Reserves Breakdown</h2>
<table>
<tr><th>Asset</th><th>Customer Liabilities</th><th>Reserves Held</th><th>Coverage</th></tr>
<tr><td>BTC</td><td>12,847</td><td>13,201</td><td>102.8%</td></tr>
<tr><td>ETH</td><td>184,562</td><td>189,401</td><td>102.6%</td></tr>
</table>
<h2>Verify Your Account</h2>
<p>Use the verifier tool at <a href="/security/proof-of-reserves/verify/">verifier</a>...</p>
<h2>Past Attestations</h2>
<ul>
<li>Q1 2026: <a href="/reports/por-q1-2026.pdf">PDF</a></li>
<li>Q4 2025: <a href="/reports/por-q4-2025.pdf">PDF</a></li>
</ul>
</article>
How to validate the fix
- ✓ Schema.org Validator: 0 errors on Article and FAQPage entities.
- ✓ Google Rich Results Test: page eligible for FAQ rich results.
- ✓ Manual check: every claim has a citation (audit firm name, attestation date, PDF link).
- ✓ Verifier tool tested with real customer accounts (at least 5) confirms inclusion.
- ✓ AEO citation test: run "does X have proof of reserves" in ChatGPT and Perplexity 2 weeks after publish. Should be cited.
Common pitfalls
Pitfall: Claiming 100% coverage without explanation
Real PoR almost never covers 100% of all assets. Disclose what's covered (e.g., spot custody) vs what's not (e.g., derivatives margins, lending positions). Honest disclosure outranks claimed perfection.
Pitfall: Using a no-name auditor
Mazars, Armanino, BDO, Grant Thornton have crypto-attestation experience and reputational weight. Random local accounting firms don't add trust. AI engines check the auditor's reputation.
Pitfall: Publishing without on-chain verification
Off-chain claims are weaker than on-chain proofs. Publish the Merkle root on-chain (as a transaction or in a smart contract). This lets users independently verify that the attestation existed at a specific block height.
Pitfall: Skipping the verifier tool
Without a way for customers to verify their own inclusion, the Merkle tree is just marketing. Build the verifier tool. It signals serious commitment to transparency.
Pitfall: Letting attestations go stale
A PoR page that is 6+ months old without an update gets demoted. Schedule a quarterly cadence in your operations calendar. Don't treat PoR as a one-time launch event.
If something breaks: rollback
PoR pages don't need rollback because they don't affect site functionality. Worst case: the audit firm finds discrepancies and you delay publication. Don't publish until attestation is clean.
FAQ
Do non-custodial exchanges need a Proof of Reserves page?
Less critical because non-custodial exchanges don't hold customer funds. Build a /security/non-custodial/ page instead explaining your custody model and why PoR doesn't apply. Skip this and AI engines may flag your trust signals as missing.
How much does a real attestation cost?
Mazars, Armanino, and BDO range from $30k-100k per quarterly attestation depending on complexity. Boutique firms range $15k-50k. Self-attestation is free but doesn't earn trust. Budget for quarterly third-party attestations as a cost of doing business.
Can I use Coinbase's on-chain wallet addresses approach?
Yes, that's good practice. Publish your custody wallet addresses publicly. Buyers verify on Etherscan, Solscan, etc. Combined with audit attestation, it's the strongest disclosure pattern available.
What if my PoR shows partial coverage?
Disclose it honestly. "PoR covers 92% of customer spot assets. Lending positions and derivatives margins are not included." Specific honesty outranks vague claims of completeness. Buyers and AI engines both reward specificity.
Should the PoR page have its own URL or live on /security/?
Dedicated URL: /security/proof-of-reserves/. Easier to link from CryptoExchange schema, easier to share, easier to track via Search Console. The /security/ hub page links to it as one of several security signals.
