Skip to main content

This site is for educational purposes only. Nothing here constitutes financial advice.

Lesson 2 of 7
~20 minStablecoins & Payments

Lesson 2 — Attestations vs audits: what monthly reports actually prove

Every major fiat-backed stablecoin publishes an 'attestation.' Almost none publish full audits. Today: the technical difference, why it matters, and what gaps remain.

Intermediate
Evergreen
20 min readUpdated 2026-05-17Block Clarity Hub Editorial Team

If you spend any time reading stablecoin transparency pages, you'll see the same word repeatedly: 'attestation.' What you almost never see is the word 'audit.' Both come from CPA firms, both have a CPA's signature, both involve numbers and reserves — and they are, technically and substantively, completely different things. The distinction is the single most important piece of literacy for evaluating any fiat-backed stablecoin claim.

An **audit** is a structured examination, governed by professional standards (in the US: SAS / AICPA standards), of a complete set of financial statements over a defined period — typically a full fiscal year. An audit examines internal controls, traces transactions through the system, evaluates accounting policies, applies materiality thresholds, and concludes with an opinion: are the financial statements, taken as a whole, free of material misstatement? An audit takes months. It is performed under specific professional independence and quality-control rules. A passed audit is a meaningful third-party validation that an organization's books reflect reality.

An **attestation** is much narrower. It is a CPA's report on a specific assertion made by management — typically: 'as of [single point in time], our reserves were at least equal to the circulating supply of our token.' The CPA verifies the assertion by examining management's records and confirmations from custodians, but does not audit internal controls, does not look at the period before or after that moment, does not examine the composition risk of the reserves, and does not conclude on the entity as a going concern. Attestations are also governed by professional standards (SSAEs in the US), but the standard is fundamentally different: an attestation answers a specific, narrowly-scoped question.

**Why stablecoin issuers publish attestations, not audits.** Three reasons. First, an attestation can be performed monthly or even more frequently — useful for showing continuous reserve coverage to a market that needs daily reassurance. A full audit can only be performed annually because of the work involved. Second, a global audit firm willing to sign a full-entity opinion on a crypto issuer is rare, and the largest firms have specific positions on which clients they'll take. Third, the disclosures required in an audit's accompanying notes are substantially more invasive than what most stablecoin issuers have wanted to publish historically — comprehensive related-party disclosures, contingent liabilities, debt covenants, etc.

**What an attestation does not tell you.** It does not tell you whether the reserves were sufficient between the attestation dates. A point-in-time snapshot can be true at month-end while massive intra-month deficits existed. It does not tell you about the quality of the reserve assets in detail — typically you get a categorical breakdown ('cash, Treasuries, money-market funds') but not duration, counterparty exposure, or specific holdings. It does not tell you about operational risks — bank concentrations, custody arrangements, the issuer's overall solvency outside the reserve. It does not opine on internal controls or fraud risk. It tells you exactly one thing: at one specific moment, the named CPA verified the reserves met the issuer's claim.

**What full audits exist in the stablecoin landscape.** Some issuers publish full audited financial statements at the entity level — Circle (USDC's issuer) has done so since at least 2022; Paxos publishes annual audits. Tether publishes attestations (formerly through MHA Cayman, more recently through BDO) but not, as of this writing, a full audit. The distinction shows up in pricing: USDC and PYUSD have historically traded closer to peg with smaller deviations than USDT, which the market has priced as carrying somewhat higher (though still small) opacity risk.

**The practical takeaway.** An attestation is not nothing — it is a meaningful continuous signal that reserves exist at known moments, and the absence of a recent attestation should be treated as a serious warning sign for any fiat-backed stablecoin. But it is not a substitute for the broader transparency that a full audit provides. When you're evaluating a stablecoin, look for: (a) recent attestations performed by a credible firm, (b) reserve composition disclosed in enough detail that asset-quality risk is visible, (c) full audited entity financials at least annually, and (d) regulatory oversight by an entity with meaningful enforcement teeth (NYDFS, OCC, EU competent authorities under MiCA). The presence of all four is the gold standard. Two of the four is what most actual major stablecoins have today.

Example

Walk through Circle's October 2024 USDC reserve report (a real published document). The report shows reserves on the last business day of the month, with a categorical breakdown: cash held at named banks (typically including BNY Mellon, Customers Bank, and others rotating), Treasury bills with stated weighted-average maturity, and money-market fund holdings. The CPA firm (Grant Thornton at the time) attests that the named assets, valued at the methods stated, equal or exceed the circulating USDC supply on that single date. What the report doesn't tell you: how concentrated the cash holdings are at any single bank between attestations, the specific CUSIPs of the Treasuries, or whether the issuer has off-balance-sheet exposures elsewhere. Those gaps were exactly what made the SVB weekend a real event for USDC: between attestations, the cash portion was meaningfully exposed to a single bank's solvency. The attestation hadn't lied; it simply hadn't been designed to surface that specific risk.

Common mistakes

  • Treating 'we publish monthly attestations' as equivalent to 'we are audited.' They are different things, governed by different standards, with very different scopes.
  • Assuming the absence of intra-period deficits because the month-end snapshots are clean. The snapshots are by design point-in-time.
  • Believing that all CPA firms are interchangeable. The reputation, scale, and independence of the attesting firm matters substantially; major firms (Big Four, plus a small number of others) carry weight that smaller firms don't.
  • Treating any negative observation about an attestation as 'FUD.' Attestations are designed precisely to provide a basis for criticism — that's the entire point of independent verification. Legitimate critique should be examined, not dismissed.
  • Overweighting attestations relative to regulatory oversight. NYDFS or MiCA-licensed issuers face a different and complementary set of disclosure requirements that often surface what attestations don't.

Check your understanding

A new fiat-backed stablecoin proudly announces that it publishes a 'monthly attestation by a top accounting firm.' Which of the following does this attestation *not* tell you?

Key terms covered

Sources & further reading

We prioritise primary sources. Where a topic moves quickly (regulation, security incidents), we re-check sources on the cadence shown by the page's "Next review" date.

Go deeper