That's a good point. The exchange's remaining liabilities outside user deposits are still an unknown. (Or at least can't be verified in a trustless manner.)
It does prove that the exchange is in possession of "liquid" assets matching user deposits, which I don't think is worthless, especially if the userbase is large.
I agree that it's far from a comprehensive proof though. Perhaps exchanges need to stick to the bigger auditors for now.
Providing a proof of reserves is about putting user/investor minds at ease. If you're not willing to go all the way, why bother doing it at all?
Though I guess post-FTX, all exchanges are scrambling to avoid losing a large chunk of their userbase. Claiming to have a proof of reserves, even if it was done in a half-assed and non-transparent way, is probably good enough for the non-scrutinous user.
In the interest of championing transparency, we would like to share some of the shortcomings in the Proof of Reserves process that we’ve identified.
A Proof of Reserves involves proving control over on-chain funds at the point in time of the audit, but cannot prove exclusive possession of private keys that may have theoretically been duplicated by an attacker.
The procedure cannot identify any hidden encumbrances or prove that funds had not been borrowed for purposes of passing the audit. Similarly, keys may have been lost or funds stolen since the latest audit.
The auditor must be competent and independent to minimize the risk of duplicity on the part of the auditee, or collusion amongst the parties.
> Proof of reserves today != proof of reserves tomorrow.
You should be able to detect large outflows/inflows from/to their wallets and demand an explanation.