7 min read
Proof of Reserves with Merkle Roots
A Merkle root anchored with a Label 309 timestamp lets you commit to a snapshot of reserves, liabilities, or evidence and prove inclusion to individual customers — without publishing every account.
A Merkle root can make a proof-of-reserves snapshot much easier to verify, but it does not prove solvency on its own. It proves that a specific set of entries was committed at a specific time. Whether those entries add up to a solvent business is a separate question.
Here is the pattern. An exchange, custodian, fintech, marketplace, stablecoin issuer, or internal treasury team builds a Merkle tree over a reserves or liabilities snapshot, then anchors the single 32-byte root with a Label 309 record on Cardano. Each customer, wallet, or balance line is a leaf. Later, any participant can be handed a short inclusion proof showing their entry was part of the committed snapshot — without the whole dataset ever being published.
The timestamp does one precise job: it fixes when that commitment existed, on a public chain, with no issuer server to trust. The quality of the snapshot itself still rests on accounting, scope, liability coverage, custody controls, and independent review.
What is a proof-of-reserves snapshot?
A proof-of-reserves snapshot is evidence about assets at a point in time.
For crypto-native companies, it often means proving that certain on-chain wallets held certain assets at a certain block height or time. In a stronger process, it also connects those assets to customer liabilities, internal ledgers, custody controls, and independent review.
A snapshot may include:
- reserve wallet balances;
- asset identifiers;
- block heights;
- liability balances;
- customer account commitments;
- exclusions and adjustments;
- auditor reports;
- control evidence;
- reconciliation files;
- management attestations.
The snapshot is not a living balance sheet. It is a point-in-time commitment.
Why use a Merkle root?
Because the full snapshot is usually too large or too sensitive to publish.
A Merkle tree lets a company commit to many entries with one 32-byte root. Each
customer, account, wallet, or balance line becomes a leaf, the leaves are hashed
together into a tree, and only the root goes on chain. The root reveals nothing
about the leaves it commits to, yet it is bound to all of them: change any leaf,
or the number of leaves, and the root no longer matches. Later, a participant
receives an inclusion proof — a short sibling path, on the order of log n
hashes — showing their entry was part of the committed snapshot.
That is what makes selective disclosure possible:
- a single customer can verify only their own inclusion;
- an auditor can be given the full leaf list and account mapping;
- the public sees just the timestamped root;
- sensitive account details never have to be exposed.
This is the same batching mechanism behind anchoring one record for thousands of files: the root is compact, but the underlying process is what actually matters.
What does Label 309 add?
It adds an independent public timestamp that no single party controls.
A proof-of-reserves report often lives on a website or in a PDF, and the Merkle root in a blog post. But a website can change. A PDF can be replaced. A report can be quietly updated, and an old root can disappear with it.
Publishing the snapshot root in a Label 309 record gives the commitment a public Cardano time anchor instead. Anyone can later confirm that the same root existed by the transaction's block time, using only the transaction metadata and a public Cardano explorer — no issuer server, and no trust in CardanoWall's domain or infrastructure.
The record can also include:
- a signed statement hash;
- asset snapshot hashes;
- liability snapshot roots;
- content-addressed report URIs;
- sealed audit workpapers for selected recipients;
- a supersedence pointer for corrected reports.
What should go into the snapshot?
Define the claim before building the tree.
The snapshot should make clear what it is proving. A reserves-only snapshot is not the same as a reserves-and-liabilities snapshot. A wallet-only snapshot is not the same as an audited financial statement.
Useful fields may include:
- snapshot id;
- snapshot time;
- chain and asset id;
- block height or ledger reference;
- wallet address or internal account id;
- balance;
- liability entry hash;
- customer identifier hash or blinded id;
- inclusion leaf hash;
- auditor or reviewer reference;
- report hash;
- scope statement;
- exclusions;
- Merkle leaf index.
The schema should be deterministic. If the leaf construction is ambiguous, verification becomes fragile.
How can customers verify inclusion?
The company gives each customer a proof package.
That package may include:
- the customer's own balance entry;
- salt or blinding material, if used;
- the Merkle path;
- the root;
- the Label 309 transaction reference;
- the report hash;
- verification instructions.
The customer verifies that their entry hashes to the leaf, that the Merkle path
folds up to the published root, and that the root matches the one in the Label 309
record on chain. None of this requires the company's servers to be online or
honest — the open-source Label 309 tooling,
including the cardanowall command-line tool, can
verify a record and check inclusion proofs
independently.
This proves inclusion in that snapshot. It does not prove that every other account was handled correctly, which is exactly why the auditor's view below matters.
How can auditors use this?
Auditors can inspect the full evidence set.
The public may only see the root and a report. An auditor or regulator may be given the full manifest, leaf list, account mapping, wallet evidence, reconciliation files, and sealed workpapers.
Label 309 can help by anchoring:
- the public root;
- the full private manifest hash;
- wallet balance evidence;
- liability files;
- reconciliation exports;
- audit report drafts;
- final signed report.
That makes the audit trail harder to rewrite after the fact.
What about corrections?
Corrections should be visible, not hidden.
If the company discovers an error in a snapshot, it should publish a corrected
record rather than silently replacing the old report. Label 309 has a built-in
mechanism for this: a supersedes pointer carries the transaction hash of the
earlier record, creating an append-only link from the correction back to what it
replaces.
Two things are worth understanding about that link. First, supersedence does not remove or invalidate the prior record — the chain is append-only, so the original root stays on chain and independently verifiable forever. The new record sits beside it and points back; readers can see both. Second, for the link to be trustworthy, both records should be signed by the same key. Anyone can publish a record that claims to supersede yours, so verifiers and tools are expected to honour a supersedence link only when the superseding record is signed by a key also present in the original. If you intend to issue corrections, sign your snapshots.
That is far better than pretending the first root never existed.
What does this not prove?
It does not prove solvency by itself.
It does not prove that all liabilities were included.
It does not prove assets are unencumbered.
It does not prove that keys are controlled securely.
It does not prove that assets were not borrowed temporarily for the snapshot.
It does not replace an audit, a regulator review, accounting controls, or customer liability reconciliation.
What it does prove is narrow and genuinely useful: a specific commitment existed at a public time, and individual entries can be shown to be inside it. As with any Proof of Existence, it is proof of timing and integrity, not of truth or rights.
Where can this be useful outside crypto exchanges?
The same pattern works anywhere a snapshot has many private entries.
Examples:
- stablecoin reserves;
- tokenized asset reports;
- marketplace seller balances;
- fintech custody balances;
- internal treasury snapshots;
- employee equity ledgers;
- loyalty point liabilities;
- carbon credit inventories;
- insurance claim reserves;
- customer deposit ledgers.
The shared idea is simple: commit many entries, reveal selectively, preserve the timestamp.
The short version
Merkle roots make proof-of-reserves snapshots scalable. Label 309 makes the root timestamped and independently verifiable against a public chain.
Use the root to commit to the snapshot. Use inclusion proofs for customers and auditors. Use sealed records for sensitive evidence. Use supersedence — with signatures — for corrections.
Then be honest about the limit: a timestamped Merkle root is not solvency. It is one strong, tamper-evident piece of a broader proof process. Label 309 itself is an open, vendor-neutral standard, submitted to the Cardano CIP process and currently under review by the CIP editors as a Metadata-category proposal — the batching, hashing, and supersedence mechanics above are defined in the standard, not in any one product.
Further reading
- Label 309 standard and specification — the wire format for records, Merkle commitments, signatures, and supersedence.
- Open-source code, SDKs, and the
cardanowallCLI — verify records and inclusion proofs without trusting any single server. - The Label 309 CIP proposal — the submission tracking review in the Cardano CIP process.
- One record for thousands of files — the batching mechanism in more detail.
- Compliance logs without vendor trust — the same commit-and-anchor pattern applied to audit and event logs.
- What a proof does — and does not — prove.