Actually do the research of what's included and excluded from the hash + clear text, and how Merkles work, and then form your opinion on the technique.
Yup, done all that. Here's the page I've read directly from Binance which explains their process:
https://www.binance.com/en/proof-of-reserves#proof-of-reserves
Each user uses their unique account code, a salt, and the audit ID, concatenates all this, and then SHA256s it to create their "record ID". The record ID is then concatenated with all their balances, hashed again, and the first 16 characters (8 bytes) taken as that user's individual Merkle leaf.
Great. So I can verify that my balances are accurately hashed into my Merkle leaf, and I can verify that my Merkle leaf is contained within the Merkle tree. Now, here is the bit you seem to be missing:
I can verify absolutely nothing about anyone else's balances or leaves. I have no idea if your balances are accurately reflected in your leaf. I don't even know if your leaf is even included. I don't know if CZ has included a fake account with -10,000 BTC to balance the books. The screenshot on the page I linked above even shows "Balance" and "Debt" at the time of the audit with a final negative equity in the account in question, so the process to have negative accounts already exists.
Here's an example to illustrate. I'll take you as an example customer with 50 BTC on your account. Your hash input will be "franky1,BTC:50". For the sake of simplicity of this example, everything is single hashed as simple text.
User 1 - 828ab4dea3944c2aae12c2e4faa3cc7d7c79d2f1903323c0d1110cc233d02855
franky1 - bdf65086e0f247c9fd0a14368833b65530750fcb79128a5e7186de313589c25c
User 3 - dccf02131c89244750fffc1bc647c5e1cd8bb536b98700d6f002066497e73893
User 4 - ad3d8ae71b24929d1eb84fd10f25c1ea2e159dc1ddf453d3832c78899a08b419
User 1 + franky1 = 38fd94e48ec804a3616fe20a4c2bc4f9a3d9c0b0812d5c421bc49ce9784a4b95
User 3 + User 4 = 6a712e021ef304ae0c8226602ffe934e1ea8868771ef429d43d73029e3205b5d
Merkle root = fa45368d13a36054cca1db862adfde5ae1c6f0bf6c479ad54c799fee47e3fdd1
Now, you have this Merkle tree, and you see Binance have posted a wallet with 200 BTC in it. Are they backed up 1:1? You have absolutely no idea. Is that 4 users with 50 BTC each? Or are there 2 users with 100 BTC and one fake account with -50 BTC? Who knows. Only Binance. You have verified that your balances are within the Merkle tree, but the Merkle tree itself tells you absolutely nothing about whether or not Binance are solvent. The whole thing is a sham.
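The scenario in the post above, as an added example that is not part of the original post: franky1's inclusion proof verifies against two different ledgers that both net to the 200 BTC wallet, yet one of them hides 250 BTC of real customer claims behind a negative account. Assumptions: the helper names, the "Fake" account, and parent nodes formed by hashing the two child hex strings concatenated as text are all choices made here, and both ledgers are constructed.

```python
import hashlib

def h(text):
    """Single SHA-256 over plain text, hex output (the post's simplification)."""
    return hashlib.sha256(text.encode()).hexdigest()

def leaf(user, btc):
    return h(f"{user},BTC:{btc}")

def build(leaves):
    """Return every tree level, leaves first. Assumes a power-of-two leaf count."""
    levels = [leaves]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([h(cur[i] + cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels

def proof(levels, index):
    """Sibling hashes from leaf up to the root, tagged with the sibling's side."""
    path = []
    for level in levels[:-1]:
        sib = index ^ 1
        path.append(("L" if sib < index else "R", level[sib]))
        index //= 2
    return path

def verify(leaf_hash, path, root):
    """All a customer can do: recompute the root from their own leaf and path."""
    node = leaf_hash
    for side, sib in path:
        node = h(sib + node) if side == "L" else h(node + sib)
    return node == root

def audit(ledger, user):
    """Return (user's proof verifies, net of all entries, real customer claims)."""
    leaves = [leaf(u, b) for u, b in ledger]
    levels = build(leaves)
    idx = [u for u, _ in ledger].index(user)
    ok = verify(leaves[idx], proof(levels, idx), levels[-1][0])
    # The two sums need the full ledger, which only the exchange holds.
    return ok, sum(b for _, b in ledger), sum(b for _, b in ledger if b > 0)

# Constructed ledgers: franky1 holds 50 BTC in both.
HONEST = [("User 1", 50), ("franky1", 50), ("User 3", 50), ("User 4", 50)]
PADDED = [("User 1", 100), ("franky1", 50), ("User 3", 100), ("Fake", -50)]

if __name__ == "__main__":
    for name, ledger in (("honest", HONEST), ("padded", PADDED)):
        print(name, audit(ledger, "franky1"))
```

The customer only ever sees their own leaf, the sibling hashes and the root, so the first element of the result is the only one they can reproduce.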