Merkle proof

Merkle proof (inclusion proof) is a compact cryptographic proof that value X actually lives in a Merkle tree whose root equals R. Proof size is O(log n) in the number of leaves, which keeps it cheap even for trees with millions of entries.

How it works

The verifier knows only the root R. The party presenting the proof submits:

• the value X;
• the list of sibling hashes along the path from leaf X to the root (O(log n) hashes).

The verifier recomputes the hash chain — if the result equals R, then X really is in the tree. You can’t forge X without recomputing the root (the hiding/binding properties of SHA-256 forbid it).

Uses on TON

• Cell Merkle updates (merkle_update cell): one of the four service cell types in TVM. Stores “before/after” hashes when only a subtree changes — no need to copy the whole subtree.
• Lite-client sync: a lite-client doesn’t store full blocks, but can verify the inclusion of any TON transaction in the chain via a Merkle proof served by a full node.
• Cross-chain bridges: the bridge rotator signs event-tree roots from the other chain; relay clients submit Merkle proofs that the required event really belongs to the signed root.

Architectural trap

A Merkle proof only proves inclusion under a given root. If the roots are signed off-chain without on-chain validator signature verification, the proof works mathematically but the system’s security collapses: the attacker who controls the rotator can sign any root and drain the bridge. This is precisely what happened to the TAC bridge in May 2026.

Unlike a Merkle tree (data structure), a Merkle proof is a compact certificate for one specific element.