Stablecoin Reserve Transparency: What Monthly Attestations Actually Prove (and Don't)
Analyzing what stablecoin reserve attestations and audits actually prove about backing, and the gaps they leave.
The stablecoin market now exceeds $320 billion in circulating supply. Every major issuer claims their tokens are "fully backed" and points to reserve reports as evidence. But the documents that issuers publish vary enormously in scope, frequency, and rigor. Some undergo monthly third-party examinations. Others release quarterly snapshots with limited detail. The terminology itself is slippery: the word "audit" gets applied to procedures that fall far short of one.
Understanding what these reports actually prove, and what they leave unexamined, is essential for anyone holding or building on fiat-backed stablecoins. This article breaks down the difference between attestations and audits, compares what major issuers disclose, identifies the gaps that persist even under new federal regulation, and offers a framework for evaluating reserve quality.
Attestation vs. Audit: Why the Distinction Matters
In accounting, the terms "attestation" and "audit" describe procedures with fundamentally different scopes. Conflating them, as much of the crypto industry does, obscures how much assurance a report actually provides.
What is an attestation?
An attestation is a narrow, point-in-time examination of a specific management assertion. In the stablecoin context, the assertion is typically: "On this date, the fair value of reserve assets equaled or exceeded the number of tokens outstanding." The CPA firm examines evidence supporting that claim and issues a report under AICPA AT-C Section 205 (the examination standard for attestation engagements). The scope is deliberately limited: the accountant verifies the specific claim, not the issuer's overall financial health.
What is an audit?
A financial statement audit is comprehensive. Conducted under Generally Accepted Auditing Standards (GAAS), it examines the entity's complete financial statements, internal controls, operational risks, legal contingencies, and related-party transactions. The auditor issues an opinion on whether the financial statements, taken as a whole, present fairly in accordance with GAAP. This is a fundamentally broader engagement that costs more, takes longer, and reveals far more about an organization's financial condition.
| Dimension | Attestation (AT-C 205) | Financial Statement Audit (GAAS) |
|---|---|---|
| Scope | Single management assertion (reserves ≥ tokens) | Complete financial statements |
| Standards | AICPA AT-C 205 | AICPA AU-C / PCAOB |
| Frequency | Monthly or quarterly | Typically annual |
| Internal controls | Not evaluated | Tested and reported on |
| Counterparty risk | Not assessed | Considered in going-concern evaluation |
| Legal contingencies | Excluded | Evaluated and disclosed |
| Time coverage | Single point in time (snapshot) | Full fiscal year activity |
| Output | Report on specific assertion | Opinion on financial statements |
Key distinction: An attestation tells you that reserves matched tokens on a specific date. An audit tells you whether the organization is financially sound over time. No major stablecoin issuer currently publishes a full, independent financial statement audit of its reserve operations, though the GENIUS Act will require this for the largest issuers.
What Major Issuers Actually Disclose
The three largest fiat-backed stablecoin issuers (Tether, Circle, and Paxos) take meaningfully different approaches to transparency. Comparing their practices reveals how wide the gap between "best in class" and "minimum viable disclosure" has become.
Circle (USDC)
Circle publishes monthly attestation reports examined by Deloitte & Touche LLP, one of the Big Four accounting firms. Each report confirms that, on the reporting date, the fair value of USDC reserves equaled or exceeded the number of tokens in circulation. As of early 2026, USDC's approximately $77.6 billion in reserves are held in two pools: roughly 80% in the Circle Reserve Fund (ticker: USDXX), an SEC-registered 2a-7 government money market fund managed by BlackRock and custodied at BNY Mellon, holding short-dated US Treasuries and overnight repurchase agreements; and approximately 20% in cash deposits at Global Systemically Important Banks.
Circle goes further than most issuers by publishing CUSIP-level Treasury holdings daily through the BlackRock fund page, providing granular visibility into the exact securities backing the token. Reports typically surface within three to four weeks of month-end. Since its June 2025 NYSE listing (ticker: CRCL), Circle also files quarterly and annual SEC reports with audited financial statements, adding a layer of transparency beyond the reserve attestations themselves.
Tether (USDT)
Tether publishes quarterly attestation reports (not monthly) performed by BDO Italia under the international ISAE 3000 standard. With approximately $185 billion in circulation as of Q1 2026, USDT is the largest stablecoin by market cap. Reserve composition as reported in recent attestations includes roughly 80% US Treasury bills, with the remainder split across overnight repos, cash, approximately $8 billion in gold, approximately $7 billion in Bitcoin, and a smaller allocation to secured loans and other investments.
Tether's transparency history includes notable regulatory actions. In 2021, Tether paid an $18.5 million settlement to the New York Attorney General over claims that it misrepresented reserve backing. The CFTC separately fined Tether $41 million for making "untrue or misleading statements" about its reserves, finding that USDT was fully backed only 27.6% of the time over a 26-month period between 2016 and 2018. As of March 2026, Tether has engaged KPMG for its first full financial statement audit, with PwC brought on to strengthen internal controls: a significant step toward closing the gap between quarterly attestations and comprehensive auditing.
Paxos (USDP)
Paxos originally issued USDP under a NYDFS trust charter and converted to a federally chartered national trust bank under the Office of the Comptroller of the Currency (OCC) in December 2025. Both charters legally require reserves to be held in bankruptcy-remote, fully segregated accounts consisting exclusively of cash and cash equivalents. Monthly attestations are now performed by KPMG LLP (previously WithumSmith+Brown through early 2025) under AT-C 205, with all reports dating back to 2018 publicly accessible. Reserve assets are limited to cash deposits, short-dated US Treasury bills, and overnight reverse repos collateralized by Treasuries, with no exposure to corporate debt, digital assets, or secured loans.
| Dimension | Circle (USDC) | Tether (USDT) | Paxos (USDP) |
|---|---|---|---|
| Report frequency | Monthly | Quarterly | Monthly |
| Accounting firm | Deloitte (Big Four) | BDO Italia | KPMG LLP |
| Standard applied | AT-C 205 | ISAE 3000 (international) | AT-C 205 |
| Reserve composition | ~80% Treasuries, ~20% cash | ~80% Treasuries, gold, BTC, loans | Cash + short-dated Treasuries only |
| Granular holdings data | Daily CUSIP-level via BlackRock | Category-level breakdown | Category-level breakdown |
| Banking regulator | State money transmitter licenses | None (BVI incorporated) | OCC national trust charter |
| Bankruptcy remoteness | Not legally mandated | Not legally mandated | Legally required by charter |
What Attestations Actually Prove
Despite their limitations, attestations performed under professional standards do provide meaningful assurance. A properly conducted AT-C 205 examination verifies several important facts.
- On the specific reporting date, reserve assets existed and were valued at or above the number of tokens in circulation
- The CPA firm independently confirmed asset balances with custodians and banks (not just the issuer's internal records)
- The token supply number was reconciled against on-chain data
- The accounting firm stakes its professional reputation and license on the accuracy of the report
These are not trivial assurances. The involvement of a registered public accounting firm creates legal liability: if the firm signs off on a false assertion, it faces regulatory sanctions, lawsuits, and reputational destruction. This incentive structure provides real, if imperfect, accountability. In March 2025, the AICPA published its 2025 Criteria for Stablecoin Reporting, establishing standardized benchmarks for reserve disclosure and attestation for the first time.
What Attestations Do Not Prove
The gaps in attestation-based transparency are where real risk hides. Understanding these gaps is critical for evaluating stablecoin reserves and assessing depeg risk.
No continuous backing guarantee
An attestation confirms reserves on a single date, typically the last day of the month. It says nothing about the other 29 days. Reserves could theoretically dip below 1:1 backing between reporting dates and be replenished before the next snapshot. This is sometimes called "window dressing," a practice well-documented in traditional finance where institutions temporarily improve their balance sheets around reporting dates. The CFTC's 2021 order against Tether specifically cited evidence of $382 million transferred to Tether's bank account ahead of a reserve review.
No counterparty risk assessment
The March 2023 USDC depeg demonstrated this gap clearly. Circle's attestations had consistently shown reserves exceeding tokens in circulation. But when Silicon Valley Bank failed on March 10, 2023, $3.3 billion of USDC reserves were trapped at the failed bank. USDC dropped to approximately $0.87 before recovering only after the US government guaranteed all SVB deposits. The attestation had verified that reserves existed but had not evaluated the credit risk of the banks holding those reserves.
No assessment of related-party transactions
Attestations do not examine whether the issuer has off-balance-sheet obligations, loans against reserve assets, or complex related-party arrangements that could create hidden claims on the collateral. A full audit would evaluate these risks; an attestation by design ignores them. This gap was central to the Tether/Bitfinex controversy, where Tether transferred $700 million in reserves to its sister company Bitfinex to cover trading losses: a related-party transaction that no attestation surfaced until regulators investigated.
No evaluation of operational controls
How does the issuer manage private keys for minting? Who authorizes redemptions? What happens if an employee goes rogue? These operational risk questions are addressed in SOC 2 audits and financial statement audits but fall entirely outside the scope of a reserve attestation.
No forward-looking assessment
An attestation is backward-looking: it confirms what was true at a moment in time. It provides no assessment of whether the issuer can maintain backing going forward, whether its business model is sustainable, or whether it faces legal or regulatory risks that could impair reserves. In accounting terms, there is no "going concern" evaluation.
The SVB lesson: Circle's reserves were fully attested by Deloitte the month before SVB collapsed. The attestation was accurate: reserves existed. But it did not, and could not, reveal that a bank holding $3.3 billion of those reserves was days away from failure. This is the fundamental limitation of point-in-time verification.
The GENIUS Act: A New Regulatory Baseline
The GENIUS Act (Guiding and Establishing National Innovation for U.S. Stablecoins), signed into law on July 18, 2025, establishes the first federal framework for stablecoin regulation in the United States. It passed the Senate 68-30 and the House 308-122, reflecting broad bipartisan support.
What the law requires
The GENIUS Act mandates that all "permitted payment stablecoin issuers" comply with specific transparency requirements:
- 100% reserve backing with permitted assets (US dollars, Treasury bills with remaining maturity under 93 days, overnight repos, government money market fund shares)
- Monthly public disclosure of reserve composition and the total number of outstanding tokens
- Monthly examination of disclosures by a registered public accounting firm
- CEO and CFO certification of the accuracy of each monthly report, with false certifications subject to criminal penalties (up to 5 years imprisonment under 18 U.S.C. Section 1350(c))
- Reserves must be segregated, never rehypothecated, and excluded from the issuer's bankruptcy estate
- Compliance with Bank Secrecy Act KYC/AML requirements
The $50 billion audit threshold
For issuers exceeding $50 billion in outstanding stablecoins (currently only Tether and Circle), the GENIUS Act goes further: it requires annual audited financial statements prepared in accordance with GAAP and audited under PCAOB standards. This is a meaningful step toward closing the gap between attestations and full audits, though it applies only to the very largest issuers.
Where the GENIUS Act falls short
While the law raises the floor for transparency, it does not close every gap. The monthly attestation requirement still produces point-in-time snapshots rather than continuous verification. The law does not mandate SOC 2 examinations of operational controls or real-time on-chain proof of reserves. And the 18-month implementation timeline means full enforcement is not expected until January 2027 at the earliest. The FDIC published its proposed rulemaking in April 2026, and final regulations are still being developed.
CEO/CFO certification: The GENIUS Act's personal certification requirement mirrors Sarbanes-Oxley's approach for public companies. If an executive knowingly signs off on a false reserve report, they face criminal prosecution: not just the company, but the individual. This adds an accountability layer that voluntary attestations alone do not provide.
On-Chain Proof of Reserves
Oracle networks like Chainlink offer an alternative approach: Proof of Reserve (PoR) feeds that publish reserve data directly on-chain. The concept is appealing: instead of waiting for monthly reports, smart contracts can query reserve status in real time and enforce collateralization programmatically.
How Chainlink PoR works
Chainlink Proof of Reserve connects oracle nodes to custodian APIs, bank account feeds, or on-chain wallet addresses. The oracles periodically publish the confirmed reserve balance to a smart contract. DeFi protocols can then reference this feed before executing operations. One notable application is "Secure Minting," where a stablecoin's minting contract checks the PoR feed and refuses to issue new tokens unless the oracle confirms sufficient collateral has been deposited.
Limitations of on-chain PoR
On-chain proof of reserves improves on monthly attestations in frequency but introduces its own limitations:
- PoR verifies that assets exist at specific addresses or accounts but cannot verify that those assets are unencumbered (free of liens, pledges, or rehypothecation)
- For fiat-backed stablecoins, PoR ultimately depends on the custodian's API or bank reporting: the oracle confirms what the bank says, but cannot independently verify the bank's own solvency
- Oracle networks introduce their own trust assumptions: if oracle nodes are compromised or collude, the feed can misreport
- PoR does not assess reserve quality (a dollar in a failing bank counts the same as a dollar in Treasuries)
On-chain proof of reserves is best understood as a complementary mechanism rather than a replacement for professional attestations. It excels at preventing over-minting and providing real-time visibility into aggregate collateral levels but cannot substitute for the counterparty analysis and legal scrutiny that traditional accounting engagements provide.
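The Secure Minting check described under "How Chainlink PoR works", modelled off-chain in Python so the decision logic can be read and run. This is an added example, not code from Chainlink or from any issuer; `FeedRound`, `rescale`, `mint_decision`, `GatedToken` and the 24-hour `MAX_FEED_AGE` are hypothetical names and values, and the figures in `demo()` are constructed.

```python
from dataclasses import dataclass

MAX_FEED_AGE = 24 * 3600  # assumed maximum age of a reserve report, in seconds

@dataclass(frozen=True)
class FeedRound:
    """One reserve report as a mint gate would read it (hypothetical shape)."""
    answer: int      # reported reserve balance, integer in feed units
    decimals: int    # number of decimals used by `answer`
    updated_at: int  # unix time at which the oracle published the report

def rescale(amount: int, from_decimals: int, to_decimals: int) -> int:
    """Convert between decimal bases with integer math, rounding down."""
    if to_decimals >= from_decimals:
        return amount * 10 ** (to_decimals - from_decimals)
    return amount // 10 ** (from_decimals - to_decimals)

def mint_decision(feed, total_supply, amount, token_decimals, now):
    """Return (allowed, reason) for minting `amount` on top of `total_supply`."""
    if amount <= 0:
        return False, "amount must be positive"
    if feed.answer <= 0:
        return False, "feed reported no reserves"
    if feed.updated_at > now or now - feed.updated_at > MAX_FEED_AGE:
        return False, "feed is stale or misdated"
    # Rounding down understates reserves, so rounding can never permit over-minting.
    reserves = rescale(feed.answer, feed.decimals, token_decimals)
    if total_supply + amount > reserves:
        return False, "mint would exceed reported reserves"
    return True, "ok"

class GatedToken:
    """Tracks supply only; every mint passes through mint_decision first."""
    def __init__(self, decimals: int):
        self.decimals = decimals
        self.total_supply = 0

    def mint(self, feed: FeedRound, amount: int, now: int) -> str:
        allowed, reason = mint_decision(feed, self.total_supply, amount, self.decimals, now)
        if allowed:
            self.total_supply += amount
        return reason

def demo():
    """Constructed scenario: 1,000,000 reported (8 decimals), 6-decimal token."""
    t0 = 1_700_000_000
    feed = FeedRound(answer=1_000_000 * 10**8, decimals=8, updated_at=t0)
    token = GatedToken(decimals=6)
    return [
        token.mint(feed, 900_000 * 10**6, t0 + 60),       # within reserves
        token.mint(feed, 100_000 * 10**6 + 1, t0 + 120),  # one base unit too many
        token.mint(feed, 100_000 * 10**6, t0 + 180),      # exactly reaches 1:1
        token.mint(feed, 1, t0 + 240),                    # supply already at reserves
        token.mint(feed, 1, t0 + MAX_FEED_AGE + 1),       # report too old to trust
    ]

if __name__ == "__main__":
    print(demo())
```

Every branch acts only on the number and timestamp the oracle reported. Whether those reserves are pledged elsewhere or sit with a weak custodian never enters the decision, which is the gap the limitations list describes.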
A Framework for Evaluating Reserve Quality
Given the gaps in every existing transparency mechanism, how should users and developers evaluate the quality of a stablecoin's reserves? The Wharton Stablecoin Toolkit (published January 2026 by the Wharton Blockchain and Digital Asset Project) provides an analytical taxonomy for stablecoin design, while S&P Global's Stablecoin Stability Assessment offers quantitative scores from 1 (very strong) to 5 (weak). Drawing on these frameworks, accounting standards, and the practical lessons of events like the SVB depeg, here are the key dimensions to evaluate.
Asset composition
Not all "fully backed" reserves carry equal risk. A stablecoin backed 100% by short-dated US Treasuries has a fundamentally different risk profile than one backed by a mix of Treasuries, corporate bonds, secured loans, and digital assets. Key questions to ask:
- What percentage of reserves are in cash or overnight instruments versus longer-duration assets?
- Are any reserve assets illiquid, volatile, or difficult to value (such as secured loans, Bitcoin, or gold)?
- Does the issuer hold only assets permitted under the GENIUS Act's definition of high-quality liquid assets?
Custodian diversification
Concentration at a single bank or custodian creates systemic risk, as the SVB episode proved. Evaluating reserve safety requires understanding where assets are held, whether custodians are themselves systemically important, and whether reserves are held in bankruptcy-remote structures that protect token holders in the event of a custodian failure.
Reporting rigor
The quality of the attestation itself matters. Factors include:
- Frequency (monthly is better than quarterly)
- Reputation and independence of the accounting firm
- Granularity of disclosure (CUSIP-level detail is better than category summaries)
- Timeliness (a report published three weeks after month-end is more useful than one published three months later)
Regulatory oversight
Issuers operating under prudential regulators (like the OCC for Paxos) face ongoing supervisory examinations beyond what voluntary attestations provide. These examinations can include surprise inspections, capital adequacy requirements, and enforcement actions: layers of oversight that operate independently of the issuer's published reports.
Redemption mechanics
The ultimate test of reserve quality is redemption. Can token holders actually convert tokens back to dollars at par, at any time, without delay? Understanding the peg mechanism and the practical mechanics of redemption (minimum amounts, processing times, blacklist restrictions) provides a more complete picture than reserve reports alone.
What This Means for Stablecoin Users
The current transparency regime for stablecoins is significantly better than it was three years ago. Monthly attestations by reputable firms, the GENIUS Act's federal requirements, and on-chain proof of reserves each contribute to a more accountable ecosystem. But none of these mechanisms, individually or combined, provide the level of assurance that a full financial audit would offer for all issuers.
For users, this means that evaluating a stablecoin requires looking beyond the headline claim of "fully backed." The composition of reserves, the identity and diversification of custodians, the regulatory framework governing the issuer, and the practical mechanics of redemption all matter. The stablecoin landscape on Bitcoin is expanding, and understanding reserve transparency is essential for navigating it.
Platforms like Spark that support stablecoins such as USDB benefit when users can independently evaluate the backing behind the tokens they hold. The more transparent the reserve reporting, the more informed the trust decision. For those looking to use stablecoins on Bitcoin-native infrastructure, wallets like General Bread (built on Spark) provide access to dollar-denominated payments with self-custody, but the safety of the underlying stablecoin still depends on the issuer's reserve practices.
The trajectory is clear: regulation is raising the floor, technology is enabling more frequent verification, and market pressure is rewarding issuers who disclose more. The remaining gap between attestation and audit may close as the industry matures. Until it does, informed skepticism remains the best tool available.

