From 957b2aa1d6ebd9f26a65b7a9d714275246e196d4 Mon Sep 17 00:00:00 2001
From: Miguel Mota <miguelmota2@gmail.com>
Date: Sat, 22 Jul 2017 22:12:37 -0700
Subject: [PATCH] add notes

---
 README.md    | 19 ++++++++-----------
 package.json |  2 +-
 2 files changed, 9 insertions(+), 12 deletions(-)

diff --git a/README.md b/README.md
index 9b105fb..9110e4b 100644
--- a/README.md
+++ b/README.md
@@ -305,23 +305,18 @@ const verified = tree.verify(proof, leaves[2], root)
 
 * * *
 
-
-
-<!--
- merkle-lib
-Warnings
-
-This implementation is vulnerable to a forgery attack (as a second pre-image attack), see these[1][2] crypto.stackexchange questions for an explanation. To avoid this vulnerability, you should pre-hash your leaves using a different hash function than the function provided such that H(x) != H'(x).
-
-This implementation is vulnerable to a forgery attack (for an unbalanced merkle tree), wherein, in an unbalanced merkle tree, the last leaf node can be duplicated to create an artificial balanced tree, resulting in the same root hash. To avoid this vulnerability [in this implementation], do not accept unbalanced merkle trees in your application.
--->
-
 # Test
 
 ```bash
 npm test
 ```
 
+# Notes
+
+As is, this implemenation is vulnerable to a [second pre-image attack](https://en.wikipedia.org/wiki/Merkle_tree#Second_preimage_attack). Use a difference hashing algorithm function for leaves and nodes so that `H(x) != H'(x)`.
+
+As is, this implementation is also vulnerable to a forgery attack for an unbalanced tree, where the last leaf node can be duplicated to create an artificial balanced tree, resulting in the same Merkle root hash. Do not accept unbalanced tree to prevent this.
+
 # Resources
 
 - [Bitcoin mining the hard way: the algorithms, protocols, and bytes](http://www.righto.com/2014/02/bitcoin-mining-hard-way-algorithms.html)
@@ -334,6 +329,8 @@ npm test
 
 - [Why aren't Solidity sha3 hashes not matching what other sha3 libraries produce?](https://ethereum.stackexchange.com/questions/559/why-arent-solidity-sha3-hashes-not-matching-what-other-sha3-libraries-produce)
 
+- [What is the purpose of using different hash functions for the leaves and internals of a hash tree?](https://crypto.stackexchange.com/questions/2106/what-is-the-purpose-of-using-different-hash-functions-for-the-leaves-and-interna)
+
 # License
 
 MIT
diff --git a/package.json b/package.json
index 760e028..bf862db 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "m-tree",
-  "version": "0.0.2",
+  "version": "0.0.3",
   "description": "merkle-tree Filter algorithm in JavaScript.",
   "main": "index.js",
   "directories": {