Bitcoin Companies
Rankings Blog Sign In Register
Merkle Tree Proof of Reserves Explained

Merkle Tree Proof of Reserves Explained

Bitcoin Companies

How do you prove 1 million users have $10 billion in deposits without revealing anyone’s individual balance?

You use a Merkle tree.

The same cryptographic structure that secures Bitcoin blocks also powers proof of reserves. It’s how exchanges prove they owe what they claim—and how you can verify your balance is included.

What is a Merkle Tree?

A Merkle tree is a data structure invented by Ralph Merkle in 1979. It organizes data into a tree where:

  • Leaves contain the actual data (hashed)
  • Branches combine pairs of leaves into new hashes
  • The root is a single hash representing all the data

The magic: if any single piece of data changes, the root hash changes completely. This makes it impossible to tamper with data without detection.

Bitcoin uses Merkle trees to summarize all transactions in a block. Git uses them to track file changes. And proof of reserves uses them to summarize all customer balances.

Hash Functions: The Building Block

Before understanding Merkle trees, you need to understand hash functions.

A hash function takes any input and produces a fixed-size output (the “hash”). Key properties:

  • Deterministic — Same input always produces same output
  • One-way — Can’t reverse-engineer input from output
  • Collision-resistant — Practically impossible to find two inputs with the same hash

Example using SHA-256:

"Alice: 1.5 BTC" → a3f2b8c9...
"Alice: 1.6 BTC" → 7d4e9f1a... (completely different!)

How Merkle Trees Work in Proof of Reserves

In a proof of reserves context, here’s how the Merkle tree is constructed:

Step 1: Create Leaves

Each user’s balance becomes a leaf node. The exchange hashes the user ID and balance together:

Leaf_Alice = hash("user_alice" + "1.5 BTC")
Leaf_Bob   = hash("user_bob" + "2.3 BTC")
Leaf_Carol = hash("user_carol" + "0.8 BTC")
Leaf_Dave  = hash("user_dave" + "5.0 BTC")

Step 2: Build the Tree

Leaves are paired and hashed together:

                    [Root Hash]
                    /          \
           [Branch_AB]        [Branch_CD]
            /      \           /       \
      [Leaf_A]  [Leaf_B]  [Leaf_C]  [Leaf_D]
         |         |          |          |
       Alice     Bob       Carol      Dave
       1.5 BTC   2.3 BTC   0.8 BTC   5.0 BTC

The branch hashes combine children:

Branch_AB = hash(Leaf_Alice + Leaf_Bob + sum_balance)
Branch_CD = hash(Leaf_Carol + Leaf_Dave + sum_balance)
Root = hash(Branch_AB + Branch_CD + total_balance)

Step 3: Publish the Root

The exchange publishes only the root hash and total balance. This single value represents all customer liabilities—in our example, 9.6 BTC across 4 users.

Verifying Your Inclusion

Here’s where Merkle trees shine. To prove your balance is included, you don’t need to see everyone else’s data.

You receive a Merkle path—the minimum set of hashes needed to reconstruct the root from your leaf.

Example: Alice Verifies Her Balance

Alice wants to verify her 1.5 BTC is included. The exchange gives her:

  1. Her leaf data: user_alice + 1.5 BTC
  2. Bob’s leaf hash (not Bob’s actual data)
  3. The Branch_CD hash

Alice can now compute:

1. Hash her own data → Leaf_Alice
2. Combine with Bob's hash → Branch_AB
3. Combine with Branch_CD → Root

If her computed root matches the published root, her balance is included. If it doesn’t match, something is wrong.

Alice never sees Bob’s actual balance. She only sees a hash. Same for Carol and Dave. Privacy preserved.

Privacy Preservation

Merkle tree proofs protect user privacy in several ways:

  • You only see your own data — Your balance and Merkle path
  • Other balances are hashed — Impossible to reverse-engineer
  • Tree structure obscures patterns — Can’t determine total user count easily

However, some metadata leaks are possible. An attacker who obtains multiple Merkle paths could potentially deduce information about tree structure and estimate total users.

Limitations of Merkle PoR

Merkle trees are powerful but not perfect:

  • Only proves liabilities — Doesn’t prove the exchange has matching assets
  • Negative balances can be hidden — Malicious tree construction can hide debts
  • Snapshot timing — Only valid at moment of creation
  • Trust in construction — Users must trust the exchange built the tree correctly

For a complete picture, Merkle tree proofs should be combined with on-chain asset verification.

zk-SNARKs: The Next Evolution

Zero-knowledge proofs (specifically zk-SNARKs) address some Merkle limitations. Binance pioneered this approach:

  • Prove solvency without revealing individual balances
  • Cryptographically guarantee no negative balances
  • More privacy-preserving than standard Merkle proofs

The trade-off: significantly more technical complexity.

Who Uses Merkle Tree PoR?

Major exchanges implementing Merkle tree proof of reserves:

Exchange Implementation Verification
Binance Merkle + zk-SNARK User-verifiable
OKX Standard Merkle User-verifiable
Kraken Merkle with auditor Third-party verified
Bitget Standard Merkle User-verifiable

FAQ

What’s the difference between a Merkle tree and a regular database?

A regular database stores data in tables—change one record, and nothing else is affected. A Merkle tree cryptographically links all data together. Change one balance, and the root hash changes completely, making tampering detectable.

Can I verify my balance without understanding the math?

Yes. Most exchanges with Merkle PoR provide verification tools. You download your proof file, run it through their verifier, and it confirms your balance is included. The cryptography happens automatically.

What if the exchange lies when building the tree?

This is a real limitation. An exchange could omit users or include fake negative balances. That’s why third-party auditors and on-chain asset verification are important complements to Merkle proofs.

How often should proof of reserves be updated?

More frequently is better. Point-in-time snapshots can miss fraud that happens between audits. Some exchanges update monthly, others quarterly. Real-time verification (like on-chain monitoring) is the gold standard.

Is Merkle tree PoR the same as proof of solvency?

No. Merkle PoR proves liabilities (what the exchange owes). Proof of solvency requires also proving assets exceed liabilities. A complete system needs both—Merkle tree for liabilities and on-chain verification for assets.

Want to verify your exchange’s reserves? Check our Bitcoin Companies Leaderboard to see which companies provide on-chain proof of their holdings.