Socket
Socket
Sign inDemoInstall

merkletreejs

Package Overview
Dependencies
24
Maintainers
1
Versions
77
Alerts
File Explorer

Advanced tools

Install Socket

Detect and block malicious and high-risk dependencies

Install

merkletreejs

Construct Merkle Trees and verify proofs


Version published
Maintainers
1
Weekly downloads
114,237
decreased by-12.29%

Weekly downloads

Readme

Source


merkletree.js logo


MerkleTree.js

Construct Merkle Trees and verify proofs in JavaScript.

License Documentation Build Status dependencies Status NPM version PRs Welcome

Contents

Install

From NPM:

npm install merkletreejs

Import as ES6 module

import { MerkleTree } from 'merkletreejs'

Import as CommonJs

const { MerkleTree } = require('merkletreejs')

CDN

Available on jsDelivr CDN:

<script src="https://cdn.jsdelivr.net/npm/merkletreejs@latest/merkletree.js"></script>

The exported classes will be available on window object, e.g. window.MerkleTree

Example

https://lab.miguelmota.com/merkletreejs

Getting started

Construct tree, generate proof, and verify proof:

const { MerkleTree } = require('merkletreejs')
const SHA256 = require('crypto-js/sha256')

const leaves = ['a', 'b', 'c'].map(x => SHA256(x))
const tree = new MerkleTree(leaves, SHA256)
const root = tree.getRoot().toString('hex')
const leaf = SHA256('a')
const proof = tree.getProof(leaf)
console.log(tree.verify(proof, leaf, root)) // true


const badLeaves = ['a', 'x', 'c'].map(x => SHA256(x))
const badTree = new MerkleTree(badLeaves, SHA256)
const badLeaf = SHA256('x')
const badProof = badTree.getProof(badLeaf)
console.log(badTree.verify(badProof, badLeaf, root)) // false

Print tree to console:

console.log(tree.toString())

Output:

└─ 7075152d03a5cd92104887b476862778ec0c87be5c2fa1c0a90f87c49fad6eff
   ├─ e5a01fee14e0ed5c48714f22180f25ad8365b53f9779f79dc4a3d7e93963f94a
   │  ├─ ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb
   │  └─ 3e23e8160039594a33894f6564e1b1348bbd7a0088d42c4acb73eeaed59c009d
   └─ 2e7d2c03a9507ae265ecf5b5356885a53393a2029d241394997265a1a25aefc6
      └─ 2e7d2c03a9507ae265ecf5b5356885a53393a2029d241394997265a1a25aefc6

Diagrams

▾ Visualization of Merkle Tree

Merkle Tree

▾ Visualization of Merkle Tree Proof

Merkle Tree Proof

▾ Visualization of Invalid Merkle Tree Proofs

Merkle Tree Proof

▾ Visualization of Bitcoin Merkle Tree

Merkle Tree Proof

Documentation

See documentation (under docs/)

Test

npm test

FAQ

  • Q: How do you verify merkle proofs in Solidity?

    • A: Check out the example repo merkletreejs-solidity on how to generate merkle proofs with this library and verify them in Solidity.
  • Q: How do you verify merkle multiproofs in Solidity?

  • Q: Is there an NFT whitelist example in Solidity?

    • A: Check out the example repo merkletreejs-nft-whitelist on how to generate merkle root of whitelisted accounts and merkle proofs with this library and verify them in Solidity.
  • Q: What other types of merkle trees are supported?

    • Besides standard MerkleTree, there's also MerkleMountainRange, MerkleSumTree, and IncrementalMerkleTree implemenation classes available.
  • Q: Is there a CLI version of this library?

  • Q: Is there a way to visualize the merkle trees in the browser?

Notes

As is, this implemenation is vulnerable to a second pre-image attack. Use a difference hashing function for leaves and nodes, so that H(x) != H'(x).

Also, as is, this implementation is vulnerable to a forgery attack for an unbalanced tree, where the last leaf node can be duplicated to create an artificial balanced tree, resulting in the same Merkle root hash. Do not accept unbalanced tree to prevent this. More info here.

Please use the library @openzeppelin/merkle-tree if you're integrating with OpenZeppelin contracts or using multiproofs. There are known issues with the current multiproof implementation as pointed out in issues.

Disclaimer

This library was created for my own purposes and is provided as-is. Use at your own risk.

Resources

Contributing

Pull requests are welcome!

For contributions please create a new branch and submit a pull request for review.

Many thanks to all the contributors that made this library better.

License

Released under the MIT license.

© Miguel Mota

Keywords

FAQs

Last updated on 30 Oct 2023

Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install

Related posts

SocketSocket SOC 2 Logo

Product

  • Package Alerts
  • Integrations
  • Docs
  • Pricing
  • FAQ
  • Roadmap

Stay in touch

Get open source security insights delivered straight into your inbox.


  • Terms
  • Privacy
  • Security

Made with ⚡️ by Socket Inc