MERKLE ROOT
The Merkle root is a single 32-byte hash that cryptographically commits to every
transaction in a block. Stored in the block header, it ensures that changing any
transaction — even one bit — would change the Merkle root, changing the block hash, and
invalidating the block. It also enables efficient SPV proofs, allowing lightweight clients
to verify transaction inclusion with only O(log n) data.
CONSTRUCTION
BUILDING THE MERKLE TREE
Step 1: Hash each transaction (SHA256d)
TxA → HA = SHA256d(TxA)
TxB → HB = SHA256d(TxB)
TxC → HC = SHA256d(TxC)
TxD → HD = SHA256d(TxD)
Step 2: Pair and hash up the tree
HAB = SHA256d(HA || HB)
HCD = SHA256d(HC || HD)
Step 3: Final root
Merkle Root = SHA256d(HAB || HCD)
Odd number of transactions? Duplicate last leaf:
[HA, HB, HC] → [HA, HB, HC, HC]
Then proceed as normal.
            [ROOT]
           /      \
      [HAB]        [HCD]
      /   \        /   \
   [HA]   [HB]  [HC]   [HD]
Witness Merkle Root (SegWit)
BIP 141
SegWit introduced a second Merkle tree over WTXIDs (witness transaction IDs) that include the witness data. The witness Merkle root is committed via the coinbase transaction.
TXID: SHA256d(serialized tx WITHOUT witness)
WTXID: SHA256d(serialized tx WITH witness)
Witness Merkle tree:
Built from WTXIDs (coinbase WTXID = 0x00...00)
witness_root = Merkle root of WTXIDs
Commitment in coinbase:
OP_RETURN 0xaa21a9ed <witness_root_hash>
Appears in an output of the coinbase transaction
Block header Merkle root: still uses TXIDs (unchanged)
This dual-root design keeps SegWit backward-compatible.
Full nodes validate both the TXID Merkle root (in the header) and the WTXID witness commitment (in the coinbase). SPV nodes only need the TXID root.
TERMINOLOGY_INDEX
Merkle Root
A 32-byte SHA256d hash committing to all transactions in a block. Stored in the block header.
TXID
Transaction ID: SHA256d of serialized transaction without witness. Used in the block header Merkle tree.
WTXID
Witness transaction ID: SHA256d with witness data included. Used in the SegWit witness commitment.
Leaf Node
A transaction hash at the bottom of the Merkle tree. Each transaction corresponds to one leaf.
Merkle Proof
Sibling hashes needed to recompute the root and prove a specific transaction is included in a block.
Merkle Root
Every Bitcoin block header contains a Merkle root — a single 32-byte hash that commits to every transaction in the block. It's built by pairwise-hashing transaction IDs up a binary tree until one root hash remains. Change any transaction and the root changes completely, making tampering immediately detectable without downloading the full block.
BUILD YOUR OWN MERKLE TREE
Enter transaction IDs (or any hex strings) as leaves. The builder pairwise-hashes them with SHA256d up to the root. If there's an odd number of nodes at any level, the last node is duplicated before hashing — Bitcoin's rule for odd-length levels.
MERKLE PROOF — COMPACT INCLUSION
A Merkle proof lets you prove a transaction is in a block using only O(log n) hashes — about 12 hashes for a block with 4,000 transactions, instead of all 4,000 TXIDs.
CVE-2012-2459 — Duplicate TXID attack: Bitcoin's duplicate-last-leaf rule creates a subtle vulnerability: a block with transactions [A, B, C, D, D] has the same Merkle root as [A, B, C, D]. This was patched by requiring nodes to check for duplicate TXIDs. The fix is in the consensus rules, not the Merkle algorithm itself.
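The construction steps and the duplicate check from the CVE-2012-2459 note, combined in one added example (not code from this page or from any Bitcoin implementation). It assumes leaves are raw 32-byte hashes; the names `merkle_root` and `mutated` and the sample leaves are constructed for illustration.

```python
import hashlib


def sha256d(data: bytes) -> bytes:
    """Double SHA-256, written SHA256d on this page."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def merkle_root(leaves):
    """Return (root, mutated) for a list of 32-byte leaf hashes.

    mutated is True when two nodes that are hashed together as a real pair
    are identical at any level. Such a list has the same root as a shorter
    list whose odd last node was duplicated by the padding rule, so a
    validator should reject it instead of trusting the root alone.
    """
    if not leaves:
        raise ValueError("a block contains at least the coinbase transaction")
    level, mutated = list(leaves), False
    while len(level) > 1:
        # Compare real pairs BEFORE padding, so the copy the rule itself
        # adds for an odd-length level is never flagged.
        for i in range(0, len(level) - 1, 2):
            if level[i] == level[i + 1]:
                mutated = True
        if len(level) % 2:
            level.append(level[-1])  # duplicate-last-node rule
        level = [sha256d(level[i] + level[i + 1])
                 for i in range(0, len(level), 2)]
    return level[0], mutated


# Constructed sample leaves standing in for HA, HB, HC (not real TXIDs).
HA, HB, HC = (sha256d(tx) for tx in (b"TxA", b"TxB", b"TxC"))


def demo():
    """Compare the honest 3-leaf list with its repeated-tail variant."""
    honest_root, honest_flag = merkle_root([HA, HB, HC])
    padded_root, padded_flag = merkle_root([HA, HB, HC, HC])
    return honest_root == padded_root, honest_flag, padded_flag


if __name__ == "__main__":
    same_root, honest_flag, padded_flag = demo()
    print("roots equal:", same_root)
    print("honest list flagged:", honest_flag)
    print("repeated-tail list flagged:", padded_flag)
```

The two lists commit to the same root, so the root by itself cannot tell them apart; only the explicit pair comparison separates the honest list from the one with a repeated tail.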