MerkleDistributor.sol is
// SPDX-License-Identifier: UNLICENSED
Is this on purpose? I saw that you made the code GPL-3.0 c3255bf.

As mentioned here Merkle trees are susceptible to the second preimage attack when a node can be presented as a leaf. To prevent this attack, OpenZeppelin typically uses double hashing for leaf values. However, in MerkleDistributor.sol, the leaf is constructed by hashing the value only once. Does this mean that the current implementation is not safe about these attacks? Is it assumed that they can't happen or are there other safeguards in the current contract?

Hi, i am newbie here and want to understand the definition of one of the params passed to constructor. the token address

Clawbacks of unclaimed tokens after X amount of time is a relatively common usecase. I'd like to propose either extending the existing contract or adding a second contract that inherits from the primary MerkleDistributor and handles clawbacks. I'd be happy to implement this.

Hello team!

Like this project and would love to see everything running. Compiling and installing was fine, but yarn test gave me the following error which i couldn't resolve until now.
node -v = v14.17.0
npm -v = 7.17.0

/merkle-distributor$ yarn test
yarn run v1.22.10
$ yarn compile
$ rimraf ./build/
$ waffle
$ mocha


  MerkleDistributor
    #token
      1) "before each" hook: deploy token


  0 passing (64ms)
  1 failing

  1) MerkleDistributor
       "before each" hook: deploy token:
     Uncaught Error: Callback was already called.
      at /merkle-distributor/node_modules/merkle-patricia-tree/node_modules/async/lib/async.js:43:36
      at WriteStream.<anonymous> (node_modules/merkle-patricia-tree/node_modules/async/lib/async.js:358:17)
      at WriteStream.destroy (node_modules/merkle-patricia-tree/node_modules/level-ws/level-ws.js:140:8)
      at finish (internal/streams/writable.js:670:14)
      at processTicksAndRejections (internal/process/task_queues.js:82:21)

/merkle-distributor/node_modules/merkle-patricia-tree/node_modules/async/lib/async.js:358
                callback(err);
                ^
Error: Callback was already called.
    at /merkle-distributor/node_modules/merkle-patricia-tree/node_modules/async/lib/async.js:43:36
    at WriteStream.<anonymous> (/merkle-distributor/node_modules/merkle-patricia-tree/node_modules/async/lib/async.js:358:17)
    at WriteStream.emit (events.js:376:20)
    at WriteStream.destroy (/merkle-distributor/node_modules/merkle-patricia-tree/node_modules/level-ws/level-ws.js:140:8)
    at finish (internal/streams/writable.js:670:14)
    at processTicksAndRejections (internal/process/task_queues.js:82:21)
error Command failed with exit code 1.
info Visit https://yarnpkg.com/en/docs/cli/run for documentation about this command.

Let's imagine this scenario.

We build the merkle tree with userA, userB, userC and their respective amounts (10,20,30) with the indexes (0,1,2). We get the merkle root and create this merkle-distributor contract with it.

Now, it's possible that userB calls claim function and passes userA's address, index and amount and also proof. This will make sure that userB is able to make the transfer from merkle-distributor to userA without even userA's interaction and consent, which seems kind of wrong.

Of course, userB can quickly figure out the proof, address, index and amount of userA. So that's not the obstacle.

Am i missing something ?

Thanks in advance.

https://docs.github.com/en/github/site-policy/github-community-guidelines

https://docs.github.com/en/articles/github-corporate-terms-of-service

Originally posted by @Brenda-01-01 in #14 (comment)

Yeah

🔥This is a great company and the idea of this project is very good the team of this project is highly professional and I would say never miss this project🎉

https://docs.github.com/en/github/site-policy/github-community-guidelines

HI! Could you explain me, why OZ library is considered to be a devDependency?

I usually add it as a dependency, as it is required for the contracts. What is the best practice?