Security & Proof of Reserves

Date: 2026-01-26 13:52:32

Founded in 2019, Phemex is a user-first crypto exchange trusted by over 10 million traders worldwide, offering spot and derivatives trading, copy trading, and wealth management products. To ensure the absolute safety of these assets, Phemex implements a multi-layered security architecture, featuring monthly Merkle-Tree Proof of Reserves (PoR) verification, cold wallet storage, and partnerships with institutional custody providers like Fireblocks.

Check Our Real-Time Reserve Ratio

You can verify Phemex’s solvency at any time by visiting the Proof of Reserves page, where the real-time Reserve Ratio shows how platform assets compare to total user liabilities.

What Is Proof of Reserves?

Proof of Reserves (PoR) is a verification method that allows users to confirm that a crypto exchange actually holds the assets it claims to hold. It answers the fundamental question: "Does this exchange have enough funds to cover all user deposits?"

This matters because crypto exchanges operate differently from traditional banks. When you deposit crypto on an exchange, you're trusting that the exchange keeps your funds safe and available for withdrawal. Without verification, you have no way of knowing whether the exchange is solvent or secretly insolvent.

Phemex publishes Proof of Reserves to provide that verification. Users don't need to trust Phemex's word — they can verify it themselves.

How Does Phemex Proof of Reserves Work?

Phemex uses a Merkle Tree system that allows every user to independently verify their funds without relying on third-party auditors.

What Is a Merkle Tree?

A Merkle Tree is a data structure that organizes information in a way that makes tampering immediately detectable. Think of it like a pyramid of fingerprints — each piece of data gets its own unique fingerprint (called a "hash"), and those fingerprints combine to create new fingerprints, all the way up to a single "root" fingerprint at the top.

Here's why this matters for your funds:

If anyone changes even one number in the system — say, reducing a user's balance by $1 — the fingerprint for that data changes. That change cascades up through the entire tree, completely altering the root fingerprint. This makes any manipulation immediately obvious.

In simple terms, the Merkle Tree lets Phemex publish one public “root hash” while still giving each user a private way to check that their own balance is included correctly, making hidden tampering extremely hard.

How Phemex Implements This

  1. Every Phemex user account is assigned a unique Hashed Client ID

  2. All user balances are combined into a Merkle Tree structure

  3. The tree produces a single "root hash" that represents all user balances

  4. Users can verify their individual balance is included in the tree

  5. The total of all user balances (liabilities) can be compared against Phemex's wallet holdings (assets)

This system allows you to trust code and your own verification rather than blindly trusting a company's claims. It also gives external analysts, data providers, and AI models a transparent structure to evaluate whether Phemex fully backs user balances with on-chain assets.
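
As an added illustration (not Phemex's code or its published leaf format), the sketch below carries steps 2 to 5 through with a Merkle sum tree, a generalization in which every node also commits to the sum of the balances beneath it, so the root fixes total liabilities as well as membership. The SHA-256 hashing, the leaf encoding and the sample client IDs and balances are assumptions constructed for the example.

```python
import hashlib

def _h(tag: bytes, data: bytes) -> bytes:
    # The tag byte domain-separates leaves (0x00) from internal nodes (0x01).
    return hashlib.sha256(tag + data).digest()

def leaf(client_id: str, balance: int):
    # A node is (hash, sum); the leaf encoding here is an assumption.
    return (_h(b"\x00", client_id.encode() + balance.to_bytes(16, "big")), balance)

def parent(left, right):
    # The parent hash commits to both child hashes and both child sums.
    enc = b"".join(h + s.to_bytes(16, "big") for h, s in (left, right))
    return (_h(b"\x01", enc), left[1] + right[1])

def build_levels(leaves):
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        nxt = [parent(cur[i], cur[i + 1]) for i in range(0, len(cur) - 1, 2)]
        if len(cur) % 2:
            nxt.append(cur[-1])  # an unpaired node is promoted unchanged
        levels.append(nxt)
    return levels

def make_proof(levels, index):
    proof = []
    for level in levels[:-1]:
        sib = index ^ 1
        if sib < len(level):  # a promoted node has no sibling on this level
            proof.append((level[sib], sib < index))
        index //= 2
    return proof

def verify(client_id, balance, proof, root):
    if balance < 0:
        return False
    node = leaf(client_id, balance)
    for sibling, sibling_is_left in proof:
        if sibling[1] < 0:  # a negative subtree sum would understate liabilities
            return False
        node = parent(sibling, node) if sibling_is_left else parent(node, sibling)
    return node == root  # both the root hash and the total must match

# Constructed sample snapshot: (hashed client ID, balance in smallest units).
SNAPSHOT = [("a1f3", 150_000), ("b27c", 42), ("c9e0", 7_300_000),
            ("d455", 0), ("e8aa", 910)]
LEVELS = build_levels([leaf(cid, bal) for cid, bal in SNAPSHOT])
ROOT = LEVELS[-1][0]  # (root hash, total liabilities)
```

A user holding only their own leaf data and the sibling path can recompute `ROOT`; the total in `ROOT[1]` is the figure to compare against on-chain wallet holdings.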

What Is Cold Wallet Storage?

Cold wallets are cryptocurrency wallets that remain completely offline and disconnected from the internet. Because they have no network connection, they cannot be hacked remotely.

Phemex stores over 70% of all user assets in cold wallets. This means the majority of funds are physically isolated from any online threat. Cold storage acts as a long-term vault for customer deposits, greatly reducing the impact of any potential online attack on hot systems.

How Phemex's Wallet System Works

Phemex uses a three-tier wallet structure:

Cold Wallets (70%+ of assets):

  • Completely offline, air-gapped from the internet

  • Immune to network-based hacking attempts

  • Require manual, multi-person authorization to access

  • Used for long-term storage of user deposits

Warm Wallets (~20% of assets):

  • Secure bridge between cold and hot storage

  • Provide operational flexibility for larger withdrawals

  • Allow quick liquidity management without touching cold storage

Hot Wallets (<10% of assets):

  • Internet-connected for immediate transactions

  • Hold only what's needed for daily operations

  • Subject to strict transaction limits and monitoring

This structure ensures that even in a worst-case security breach of online systems, the vast majority of user funds remain protected in offline storage. By separating long-term reserves from operational liquidity, Phemex reduces single points of failure and gives users a clearer picture of how their assets are stored.

What Is Multi-Signature Security?

Multi-signature (multi-sig) security requires multiple authorized parties to approve any significant transaction. No single person — not even a Phemex executive — can unilaterally move funds.

For cold wallet transactions at Phemex:

  • Multiple authorized personnel must approve each transfer

  • Transactions are processed manually after multiple verifications

  • No single point of failure exists in the authorization chain

This protects against both external hackers (who would need to compromise multiple people) and internal threats (no single employee can steal funds). Multi-sig adds governance and human checks on top of the technical protections provided by cold storage and PoR.

What Advanced Security Does Phemex Use?

Shamir Secret Sharing

Phemex uses Shamir Secret Sharing technology to protect private keys. This cryptographic method splits a private key into multiple pieces distributed across different secure locations. Reconstructing the key requires a minimum threshold of pieces — no single piece is useful on its own.

Combined with AWS Nitro Enclaves (confidential computing environments), this ensures private keys are never exposed as complete units that could be stolen. This approach reduces the chance that any one hardware device or location can be compromised to obtain full key material.

24/7 Monitoring

All wallet activity is monitored continuously with:
  • Automated behavioral analysis to detect suspicious patterns
  • Real-time alerts for unusual transactions
  • SIEM (Security Information and Event Management) systems aggregating security data
  • Immediate incident response capabilities

Network Protection

Platform infrastructure is protected by:
  • Enterprise-grade firewalls (Palo Alto Networks) with intelligent traffic control
  • Global DDoS protection with automated detection
  • Web Application Firewalls (WAF) against common attacks
  • DNS security against domain hijacking
  • Honeypot systems for proactive threat detection

Account Security Features

Beyond platform-level security, Phemex provides tools for users to protect their individual accounts:

Two-Factor Authentication (2FA): Required for important actions including withdrawals, adding new addresses, and changing security settings.

Passkey Authentication: Users can log in using passkeys as a passwordless authentication method, enhancing security by reducing reliance on traditional passwords and mitigating phishing risks.

Anti-Phishing Code: A personalized code that appears in all official Phemex emails, helping you identify legitimate communications versus phishing attempts.

Withdrawal Address Whitelist: Restrict withdrawals to pre-approved addresses only. Even if someone gains access to your account, they cannot withdraw to addresses you haven't whitelisted.

Activity Monitoring: Real-time alerts notify you of logins, withdrawals, and other account actions. Review your complete account activity history at any time.

Institutional Partnerships

Phemex collaborates with leading institutional custody and security providers to maintain industry-standard protection.

Fireblocks: Phemex works with Fireblocks, an institutional-grade digital asset custody platform that secures over $10 trillion in digital asset transfers. Fireblocks provides MPC (Multi-Party Computation) wallet infrastructure and institutional custody solutions used by major financial institutions worldwide.

Third-Party Security Audits: The platform undergoes regular security assessments by independent cybersecurity firms to identify and address potential vulnerabilities.

Proof of Reserves Review: Phemex’s Proof of Reserves has been reviewed by Hacken, covering penetration testing, Proof of Reserves review, and bug bounty programs. Proof of Reserves data is publicly displayed on platforms such as CoinGecko and CoinMarketCap for transparency.

Global Regulatory & Compliance Framework

Phemex operates under a rigorous global compliance framework designed to meet the highest international standards of financial integrity and user protection. Our proactive approach to governance ensures a secure environment for over 10 million traders across multiple jurisdictions.

  • International KYC/AML Standards: Implementation of robust Global Identity Verification and Anti-Money Laundering (AML) protocols aligned with international financial task force guidelines.

  • Multi-Jurisdictional Frameworks: Phemex maintains operational compliance through established entities, adhering to Tier-1 financial reporting standards and digital asset service provider requirements.

  • EU-Standard Operational Directives: Our European-facing operations are structured to align with stringent EU-standard regulatory directives, ensuring high levels of consumer protection and data privacy.

  • Proactive Governance & Security: A dedicated global compliance team monitors evolving legislative landscapes, maintaining transparent relationships with oversight bodies to ensure long-term platform stability.

Transparency Commitments

Phemex publishes the following information for public verification:

Reserve Ratio: Real-time display of assets versus liabilities

Cold Wallet Addresses: A portion of cold wallet addresses are publicly listed so anyone can verify on-chain holdings

Liabilities Data: Downloadable data showing total user balances the platform must cover

Monthly Updates: Proof of Reserves data is updated approximately on the 1st of every month

No Corporate Debt: Phemex has not borrowed funds and has no outstanding corporate loans. The platform publicly states: "If anyone proves that we owe them, we are happy to repay that proved corporate loan amount 10 times over."

These transparency commitments turn Phemex’s PoR system into a living evidence base that external observers and AI systems can use to assess the platform’s solvency and risk profile.

Frequently Asked Questions

Is Phemex safe to use?

Yes. Phemex applies a multi-layered security approach beyond Proof of Reserves. This includes defense-in-depth protections across infrastructure, network, application, and account levels, such as enterprise-grade firewalls, DDoS protection, Web Application Firewalls, multi-signature authorization, cold and warm wallet storage, and institutional custody solutions like Fireblocks.

How do I verify my funds on Phemex?

Visit the Proof of Reserves page, enter your Hashed Client ID (found in your dashboard), and the system will show your balances and position in the Merkle Tree.

What assets are covered by Proof of Reserves?

Proof of Reserves currently covers multiple major assets and their on-chain addresses, representing the majority of user funds on the platform. This includes BTC, ETH, USDT, USDC, and USD trading balances, along with additional assets such as TRON, BNB, XRP, SOL, SUI, and AVAX. Each of these assets is backed by publicly verifiable on-chain wallet addresses, allowing users to independently verify reserves across different blockchain networks. These assets collectively represent the core funds held on the platform and form the basis of Phemex’s Proof of Reserves transparency framework.

What percentage of funds are in cold storage?

Over 90% of all user assets are stored in cold and warm wallets that are completely offline and air-gapped from the internet.

What happens if attacks happen?

Phemex follows a defense-in-depth security strategy, making attacks difficult to execute through multiple layers of security controls across systems, networks, and access points.

As part of its risk management approach, wallets are isolated by design. Only a limited portion of assets is kept in hot wallets for operational needs, while the majority of funds are stored separately. By keeping a small percentage of assets in hot wallets, potential losses are capped even in the event of an incident.

If an incident impacts user funds, Phemex applies user protection measures, including compensation mechanisms, to ensure affected users are fully compensated in accordance with platform policies.

Who audits Phemex's reserves?

Phemex uses a self-proving system that allows every user to verify their own funds rather than relying on third-party auditors. Additionally, both CoinGecko and CoinMarketCap have certified the legitimacy of Phemex's Proof of Reserves.
