Ethereum Merkle Tree: Inside Ethereum’s Data Structure
How does Ethereum prove the state of millions of accounts in 32 bytes? Inside the Merkle Patricia Trie – the data structure holding the network together.
Key takeaways
- A Merkle Tree is the foundational structure that lets a single hash represent any amount of data – change any piece, and the root changes too.
- Ethereum can't use a plain Merkle tree because its state changes every block. It needs a structure that supports fast key-based access, efficient updates, and cryptographic verification at the same time.
- The solution is the Merkle Patricia Trie (MPT) – a hybrid where every account address becomes a path through the trie, and every node is hashed up to a single root.
- Ethereum maintains four tries: the State Trie (mutable, network-wide), the Storage Trie (one per contract), the Transaction Trie, and the Receipt Trie (both per-block and immutable).
An Ethereum Merkle Tree is the cryptographic data structure that holds all of Ethereum's data – accounts, balances, smart contracts, transactions – and condenses it into a single 32-byte hash called the root.
Ethereum actually uses a specialized version called the Merkle Patricia Trie, designed to handle a state that changes every block. Understanding how it works starts with the simpler structure it builds on.
What Is a Merkle Tree?
| A Merkle tree is a tree-shaped data structure where every leaf node contains a hash of some data, and every non-leaf node contains a hash derived from its child nodes. The single hash at the top – the Merkle root – represents the entire dataset in 32 bytes. |
The clever part is verification:
- You don't need the whole dataset to prove a piece of data exists in the tree.
- You only need a small list of sibling hashes along the path from your leaf to the root – a Merkle proof.
- Anyone who knows the root hash can re-compute the path and confirm the data is authentic.
This is why Merkle trees became foundational in blockchains. Bitcoin uses them to commit to transactions inside each block, so that lightweight clients can verify a payment without storing the full chain. The structure was originally described by Ralph Merkle in 1979.
Merkle trees give blockchain networks three useful properties at once:
- Tamper detection: any change reshapes the root.
- Efficient proofs: proof size grows logarithmically with the dataset.
- Constant-size commitment: one hash describes any amount of data.
Why Ethereum Needs a Special Merkle Tree
| Ethereum can't use a plain Merkle tree because its state changes every single block, and a plain Merkle tree is built for static datasets, not for fast updates and lookups by key. |
Ethereum's state is more like a giant key-value database than a transaction log:
- Keys = account addresses
- Values = balances, transaction counts, contract code, contract storage
Every transaction can modify this map – a token transfer, a DeFi swap, or a contract deployment all change account values.
According to Vitalik Buterin, "the state in Ethereum is a key-value map" where the keys are addresses and the values are nonces, balances, code, and storage.
A plain Merkle tree would create three problems for this workload:
- No efficient lookup by key. Leaves are organized by position, not by key, so finding "the account at address 0x742d..." would require scanning every leaf.
- Expensive updates. Each state change would force re-hashing of a large portion of the tree, even when only one value changed.
- No clean way to insert or delete. Ethereum accounts are created and destroyed constantly, and the structure must absorb this without recalculating everything.
Ethereum's design needed something that combined a Merkle tree's cryptographic guarantees with a data structure built for fast key-based access.
Ethereum’s Solution: The Merkle Patricia Trie (MPT)
| Ethereum's answer to the limitations of a plain Merkle tree is the Merkle Patricia Trie (MPT) – a data structure that combines a prefix tree's fast key-based access with a Merkle tree's cryptographic verification. |
It lets Ethereum look up any account by address in just a few steps, update only the affected nodes when state changes, and still commit the entire state to a single 32-byte root hash.
The Merkle Patricia Trie is a hybrid data structure that merges two ideas:
- A Patricia trie: a prefix tree that stores key-value pairs efficiently.
- A Merkle tree: which provides cryptographic verification.
The result is a key-value store where every node is hashed, every path is the key itself, and the root hash commits to the entire state.
Ethereum's version is technically called a Modified Merkle Patricia Trie. It adds optimizations on top of standard Patricia tries to fit blockchain requirements.
Three things make it work:
1. Path-as-key encoding: Every key (for example, a hashed account address) is broken into nibbles – single hexadecimal characters (4 bits each). The trie has up to 16 children per branch node, one for each possible nibble (0–F).
2. Three node types keep the structure compact:
- Leaf nodes – store the final key-value pair at the end of a path.
- Extension nodes – compress long stretches of shared path that have no branches, so the trie doesn't waste storage on linear chains.
- Branch nodes – have 17 slots: 16 for the next possible nibble (0–F) and one for a value stored at that exact path.
3. Hashing at every level: Each node's content is hashed with Keccak-256, and that hash becomes the reference used by its parent. Change any value at the bottom, and every hash on the path up to the root changes.
The combination gives Ethereum everything it needs in one structure:
- Fast lookups
- Efficient updates (only nodes along one path need re-hashing)
- Clean insertion and deletion
- Cryptographic verification
Merkle Tree vs Merkle Patricia Trie: what's the difference?
Merkle Tree | Merkle Patricia Trie | |
| Primary purpose | Verify a static set of data | Store and verify a dynamic key-value map |
| Lookup by key | Not supported – leaves are positional | Supported – key is the path |
| Update cost | High when the dataset changes | Low – only nodes on one path re-hash |
| Node types | One (hash node) | Three (leaf, extension, branch) |
| Used in Ethereum for | Conceptual building block | State, storage, transactions, receipts |
| Used in Bitcoin for | Transaction commitment in blocks | Not used |
The MPT is essentially what you get when you treat a Merkle tree as a key-value database instead of a list.
4 Types of Tries in Ethereum
Ethereum uses four Merkle Patricia Tries: Three of them have their root hashes stored directly in every block header, and the fourth lives nested inside the State Trie.
Trie | Where the root lives | Update pattern | Stores |
| State Trie | Block header (stateRoot) | Mutable — updates every block | All accounts (EOAs + contracts) |
| Storage Trie | Inside each contract account | Mutable — per contract | Smart contract variables |
| Transaction Trie | Block header (transactionsRoot) | Immutable once block is mined | Transactions in that block |
| Receipt Trie | Block header (receiptsRoot) | Immutable once block is mined | Transaction results, logs, gas used |
State Trie
The State Trie is Ethereum's global account database. It maps every account address to its account data, and there is exactly one State Trie shared across the entire network.
Key facts:
- The root of this trie, the stateRoot, is stored in every block header.
- It represents the complete state of Ethereum at that block.
- Unlike the other three tries, the State Trie is continuously mutable. Every transaction that changes a balance, deploys a contract, or modifies storage causes the State Trie to update, producing a new stateRoot in the next block.
Storage Trie
The Storage Trie holds the data inside an Ethereum smart contract – its variables, mappings, and any value the contract has written to storage. Each contract account has its own separate Storage Trie.
How it nests:
- The root of each contract's Storage Trie (storageRoot) is stored as a field inside the account's record in the State Trie.
- When the State Trie commits to an account, it commits to the hash of that account's storage.
- Change one variable inside a contract → Storage Trie root changes → account record changes → State Trie root changes.
Transaction Trie
The Transaction Trie organizes all transactions inside a single block into a Merkle Patricia Trie. Every block has its own Transaction Trie.
Key facts:
- Path: the transaction's index in the block (rlp(transactionIndex)).
- Value: the RLP-encoded transaction itself.
- Once the block is mined, the Transaction Trie is never updated — transactions are permanent records.
- Its root, the transactionsRoot, is stored in the block header.
Receipt Trie
The Receipt Trie stores transaction receipts – the results of executing each transaction in a block. Each receipt contains:
- Execution status (success or failure)
- Gas used
- Logs emitted by smart contracts
- A bloom filter for log indexing
Receipts are what make event-based applications possible. Wallets, indexers, and protocols like The Graph all rely on filtering through Receipt Trie data to find logs.
How Ethereum’s Merkle Patricia Trie Works
Step 1: The global state
The Ethereum global state is the complete snapshot of every account at a specific moment in time. Instead of storing this information in a traditional database, Ethereum organizes it inside a single State Trie shared across the network.
This trie contains:
- account balances
- nonces
- smart contract code
- contract storage references
Whenever a new block is processed, the trie updates to reflect the latest network state.
Step 2: Account structure
Every Ethereum account, whether it's a regular wallet (Externally Owned Account) or a smart contract, is represented by a record with four fields.
According to the official ethereum.org documentation:
- nonce – a counter showing how many transactions have been sent from the account (for EOAs) or how many contracts have been created (for contract accounts). It exists to prevent replay attacks.
- balance – the amount of Wei owned by the account (1 ETH = 10¹⁸ Wei).
- storageRoot – a 256-bit hash pointing to the root of this account's Storage Trie. For EOAs without code, this is an empty trie hash.
- codeHash – the Keccak-256 hash of the EVM code stored at this account. For EOAs, this is the hash of an empty string. For contracts, it points to the immutable bytecode.
These four fields get RLP-encoded and stored as the value at the account's leaf in the State Trie.
Step 3: Trie organization
To find an account inside the State Trie, Ethereum uses the Keccak-256 hash of the address, producing a 32-byte (64-hex-character) value.
How the trie routes that hash:
- The hashed address becomes the path through the trie, broken into 64 nibbles.
- Branch nodes route the path one nibble at a time.
- Extension nodes compress shared path segments to save space.
- Leaf nodes hold the final RLP-encoded account record.
- Maximum depth is 64 levels, since hashed addresses are always 32 bytes long.
Step 4: State updates
When a transaction modifies an account – say, Alice sends 1 ETH to Bob – the State Trie needs to update both accounts' records.
The process works like this:
- Compute the path for each affected account: keccak256(address).
- Traverse the trie down those paths to find the leaf nodes.
- Write the new RLP-encoded account values (Alice's balance decreases, her nonce increments; Bob's balance increases).
- Re-hash every node along the path up to the root — leaf, then extension, then branch, then root.
- The trie now has a new root hash reflecting the updated state.
The key insight: the cost is proportional to the depth of the trie, not to the size of the state.
Step 5: State root generation
After all transactions in a block finish executing, the new State Trie's root hash becomes the stateRoot for that block. It gets written into the block header along with the transactionsRoot and receiptsRoot, and the block is then broadcast to the network.
This single 32-byte value is what other nodes use to verify they computed the same state:
- If two nodes process the same block and end up with different stateRoot values, one of them is wrong – they've diverged.
- The only way to generate a given state root is to compute it from each individual piece of the state.
This is what makes Ethereum deterministic and cryptographically verifiable.
Why Merkle Patricia Tries Matter for Ethereum Scaling
| Ethereum’s Merkle Patricia Trie architecture directly shapes how the network scales, who can run a node, and how efficiently the state can be verified. |
- Light clients depend on it: Because the state root commits to every account, a lightweight client (like a mobile wallet) can verify an account's balance without downloading the full chain. It only needs the block header and a small Merkle proof from a trusted full node.
- ZK-rollups commit through state proofs: Layer-2 networks like zkSync Era and Polygon zkEVM use Merkle-based commitments to anchor their compressed state back to Ethereum. The state root lets the rollup prove that thousands of off-chain transactions correctly transformed an initial state into a final state.
- Stateless clients are on the roadmap: Today, full nodes must store the entire state to validate new blocks. The long-term plan is stateless validation: validators receive a small "witness" with each block that proves the state changes are valid, without storing the state themselves.
According to arXiv research on stateless Ethereum, the current MPT design can support stateless validation in theory, but witness sizes become too large at scale. This is one of the main reasons Ethereum is moving toward a new tree structure entirely.
- State growth is a real cost: Every new account, contract deployment, and storage update increases Ethereum’s long-term state size. After the May 2025 Pectra upgrade, full nodes can reach up to 8,192 historical blocks of state.
>> Learn more: Blockchain Scalability Explained: Why Networks Get Congested
The Future – Verkle Trees & Beyond
| Ethereum is preparing to replace the Merkle Patricia Trie with a more efficient structure. The leading candidate has long been Verkle Trees, but a newer alternative – STARKed binary hash trees – is now competing for the role because of post-quantum concerns. |
1. Verkle Trees: smaller proofs, faster verification
Verkle Trees use a cryptographic primitive called vector commitments instead of plain hashes at each branch. The practical result:
- State proofs shrink from several kilobytes to under 200 bytes.
- According to arXiv benchmarks, Verkle witness sizes are roughly on the order of one megabyte for full blocks (compared to potentially tens of megabytes for raw Merkle proofs at the same scale).
- Verkle Trees are slated for Hegota, Ethereum's second major upgrade scheduled for the second half of 2026, following the Glamsterdam fork in the first half of the year.
2. The post-quantum complication
Verkle Trees rely on elliptic curve cryptography, which is vulnerable to future quantum attacks. As a result, the Ethereum community is now debating whether to skip Verkle Trees entirely and move directly to STARKed binary hash trees.
This structure uses zero-knowledge STARK proofs over a binary Merkle trie, which is quantum-resistant because it relies only on hash functions.
The trade-off:
- Verkle Trees: code is more mature, ships sooner.
- Binary trees with STARKs: more durable long-term solution, quantum-resistant.
Either way, the end goal is the same: shrink the state-verification cost low enough that any device can verify Ethereum blocks without storing the state.
Sources and Further Reading
- Ethereum Yellow Paper – Appendix D: Modified Merkle Patricia Tree
- Merkle Patricia Trie – Official ethereum.org Documentation
- Ethereum Accounts – Official ethereum.org Documentation
- Ethereum eth-wiki – Patricia Tree Specification
- Towards Stateless Clients in Ethereum: Benchmarking Verkle Trees and Binary Merkle Trees with SNARKs – arXiv
- Original Merkle Tree Paper – Ralph Merkle, 1979
FAQs About Ethereum Merkle Tree
The trie entry is removed, but the historical state can still be reconstructed if you have an archive node that kept every state snapshot. Full nodes prune older states after a certain window, so they can no longer reproduce ancient balances directly.