Merkle Trees and The Simple Problem with Proof of Reserves
✌️ Welcome to the latest issue of The Informationist, the newsletter that makes you smarter in just a few minutes each week.
🙌 The Informationist takes one current event or complicated concept and simplifies it for you in bullet points and easy to understand text.
🧠 Sound smart? Feed your brain with weekly issues sent directly to your inbox:
What is a Hash?
What is a Merkle Tree?
Merkle Tree Proof of Reserves
With all the nefarious and downright criminal behavior we’ve witnessed in the crypto world recently, we will soon start to hear a lot more about Merkle Trees and their ability to verify reserves on an exchange or other decentralized platform.
But what exactly is a Merkle Tree, and are they actually fool (or crook, in these cases) proof as a method to prove your balances?
I’m no coder, and I don’t expect you are either. So, let’s walk through this nice and easy today, get you a bit smarter on the collateral side of the decentralized world, shall we?
#️⃣ What is a Hash?
To start, and in the most basic terms of the cryptography world, a secure hash algorithm or SHA, is a mathematical formula that transforms and compresses a string of data from any size into a fixed-size that is completely different than the original data.
The most common place we see the use of hashes is in the encryption of passwords. This way, the server that’s checking the password only has to keep track of a user’s hash value, rather than the actual password itself. So, if a company’s database is hacked, it will only reveal the hashes and not the actual passwords.
Hashes can be extremely effective because of what is called the avalanche effect, where the change of just a few characters being encrypted can produce a huge change in the output value.
Notice in the example below how the output values are all the same size, but completely different.
As a note, Bitcoin uses SHA-256, a hash function within the SHA-2 (Secure Hash Algorithm 2) family. SHA-256 was developed by the NSA in 2001 to solve problems with SHA-1.
SHA-256 has never been compromised and is an extremely secure cryptographic hash function. As a result, it's one of the most popular cryptographic hash functions in the cryptocurrency world.
Created to be a one-way street of information, hash functions, and SHA-256 in particular, make it impossible to recreate a hash’s input from the output.
SHA-256 and the Bitcoin network, is widely considered the most secure hash algorithm in the world.
Which brings us to the hash tree, or Merkle Tree.
🌳 What is a Merkle Tree?
First, a Merkle Tree is simply a hash tree, a concept patented by Ralph Merkle in 1979.
See, in decentralized, peer-to-peer transactions, data verification is imperative. With data being recording in numerous places all at once, if data is changed in one location, it must be changed everywhere.
And these changes must be verified to be consistent everywhere. But it can become overwhelming pretty quickly to check the entirety of every single file across an entire system when checking for consistency.
But we can use hashing to minimize the amount of data that needs to be checked, right?
Turn data into hashes and list those instead (just like passwords).
Exactly. And this is where the Merkle or hash tree comes into play.
Basically, hash trees allow us to verify data stored or transferred in and between computers in a peer-to-per network by ensuring blocks sent between peers are received unaltered and undamaged.
A hash tree is a tree of hashes (see below) in which the leaves (or leafs or leaf nodes) are hashes of blocks of data in a file. Nodes toward the top of the tree are hashes of their respective children.
For example, hash 1 is the result of hashing the concatenation (fancy computer programming word for combination) of the two hashes below it on the tree.
I.e., Hash 1 = Hash (hash 1-0 + Hash 1-1)
See Red Circle Below
Sitting at the very top of the tree is what is called the top hash (aka root). This top hash allows any part of the hash tree to be received from any non-trusted source, like a peer-to-peer network.
Then, any received branch, etc. can be checked against the trusted top hash for verification, to see if the hash is damaged or even fake.
In other words, instead of sending an entire file over the network, we can just send a hash of the file, and checking it against the root tells us if it has been compromised.
✅ Merkle Tree Proof of Reserves
In traditional financial accounting, we use books and records and balance sheets. A balance sheet shows what a company owns and what it owes, as a summary. The books and records show all the transactions that add up to the balance sheet.
All these books and records and balance sheets, etc. are reviewed and verified by a third party.
And if an auditor finds something that doesn’t add up, they will flag it and refuse to vouch for the validity of the books until the discrepancy is resolved.
So, if you deposit money with a traditional bank, say JP Morgan, there is a pretty clear record of you sending money from your bank to JP Morgan and hence a liability on their books to you.
JP Morgan’s account managers, accountants, comptrollers, CFO, and auditors all agree that your deposit is there and JP Morgan owes that to you.
But what about decentralized exchanges without the same human monitored chain of custody and account oversight?
If you sent a Bitcoin to Binance, for instance, how can you tell your deposit, a few hours, days, or months later are still there? That they weren’t lent out or moved by a bad actor?
It would seem absurd for Binance to publish a list of every single balance of every account so individuals could check their balance against it, right?
Small privacy problem there.
So, what’s the solution?
You got it. The Merkle Tree.
And so Binance just announced they will be using a Merkle Tree to verify assets are 1:1 and “allow people to verify their assets within the platform.”
Here’s a photo of the Merkle Tree that Binance now has on the Proof of Reserves page of their website:
And the instructions: Log in to the Binance website, Click on Wallet, Click on Audit, and find your Merkle Leaf and Record ID within the page.
Awesome. So you can check that your balances are indeed still there, and that they have not been moved or misappropriated.
All good. The verification of reserves problem is solved, end of story, right?
🔍 What’s Missing?
Let’s get back to today’s Tweet of Inspiration and Jesse Powell, CEO of Kraken Exchange for a contrarian view on the matter.
He makes the point that in order for the Merkle Tree proof of reserves to be a valid way to check your balances, the company must also include any liabilities to demonstrate solvency.
And it must be verified by a trustworthy third-party auditor.
In other words, proof of reserves (through Merkle Tree or any other trusted method) is simply a proof of assets.
And proof of assets + audited liabilities = proof of solvency.
Because solvency (and verification of asset to liabilities ratio above 1:1), as many seem to be learning the hard way these days, is all that really matters when verifying that your assets are safe on an exchange or other decentralized platform.
But then we are back to trusting the human sources of information. I mean, look at how many people were complicit in the FTX fraud this month.
They all said FTX was solvent and safe. People trusted them. People got hurt.
Some people lost their life’s savings.
Of course, there is a much more trustworthy method of ensuring your balances are safe and secure. Many of you reading this already preach it continuously. But for those who do not and have not done it yet, it’s a simple solution.
Take your coins off the exchanges, and put them in a wallet secured by you. Take possession of your own assets. That’s the point of Bitcoin’s peer-to-peer trustless protocol, after all.
That, my friends, is the only way you can truly be certain that your balances are secure.
If you’re seeking extra yield by pledging your Bitcoin (or other) holdings on an exchange, please recognize the risk you are taking. Make sure you understand this now, before it is too late.
You are trusting someone else to hold and secure your money. Period. There’s no other way to put it.
And so, if you’re just too scared to self custody, try to do it in steps (easy as 1, 2, 3):
Buy a Ledger or Trezor or a ColdCard, always directly from the manufacturer and never from Amazon or eBay or other reseller,
Watch YouTube videos on the steps to move your coins from exchange to the wallet
My good friend Ben from BTC Sessions on YouTube has some phenomenal and easy to follow videos on how to do this (it is exactly how I learned),
Then just move a tiny bit the first time to see how it works and to get comfortable with the process, before you eventually move it all.
You will soon feel confident to trust yourself. And this is truly the only way to be sure your balances are safe and secure from bad actors, fraud, or total theft.
That’s it. I hope you feel a little bit smarter knowing about Merkle Trees, how they work, and their limitations. And I hope you’re inspire to take possession of your own assets.
Before leaving, feel free to respond to this newsletter with questions or future topics of interest. And if you want daily financial insights and commentary, you can always find me on Twitter!