About Contracts Verification

Contracts verification is an important step for the deployment of EVMv1 smart contracts. The goals of the production pipeline of the contracts verification are:

1. Automated verification after each smart contracts deployment.
2. Reproducible verification process locally as a developer.
3. Support major block explorer solutions.
4. Keep the pipeline lean.

Production Pipeline

• It uses truffle-plugin-verify.
• Scripts:
  • info-print-contract-addresses.js
  • etherscan-verify-framework.sh
  • code snippets:

    cd packages/ethereum-contracts
    npx truffle exec --network ${{ matrix.network }} scripts/info-print-contract-addresses.js : addresses.vars
    source addresses.vars
    source tasks/etherscan-verify-framework.sh ${{ matrix.network }}

• Workflows integrated with the pipeline:
  • handler.deploy-to-testnets.yml
• Supported systems:
  • Etherscan and its cousins.
• Supported networks:
  • :ethereum:
  • https://goerli.etherscan.io/
  • https://rinkeby.etherscan.io/
  • https://ropsten.etherscan.io/
  • https://kovan.etherscan.io/
  • :polygon:
  • https://mumbai.polygonscan.com/
  • https://polygonscan.com/
  • :arbitrum:
  • https://testnet.arbiscan.io/
  • https://arbiscan.io/
  • :optimism:
  • https://kovan-optimistic.etherscan.io/
  • https://optimistic.etherscan.io/
  • :avalanche:
  • https://testnet.snowtrace.io/
  • https://snowtrace.io/
• Unsupported:
  • Gnosis Chain (former xdai) currently doesn't have an etherscan-like explorer and we don't yet have automation for blockscout based explorers or sourcify in general, due to lack of sourcify/blockscout integration.
  • With avascan, there exists a more network-specific explorer for Avalanche we don't yet have automation for.

Security Considerations

Verifiability

The Solidity compiler generates contract metadata which contains the contract ABI, compiler version and settings, hashes of source files, natspec docs and more - see related Solidity docs.
A hash of this metadata and the compiler version are CBOR encoded and appended to the bytecode deployed on chain, such that the compile-time metadata is cryptographically verifiable.
Check out the sourcify playground for an intuitive and interactive explanation.

Availability

Making metadata (most importantly - the underlying sourcecode) available is a process independent of the actual contract deployment.
The currently most popular method is to upload the data to etherscan-like exporers via an API they provide. After verification of a contract, this explorers provide a UI interface which not only shows the contract source code, but also provides forms which allow to query and modify (if a wallet is connected) the contract state based on its ABI. As an example, see the Polygon Superfluid Host contract.
Etherscan-like explorers also provide API endpoints for querying data (ABI, source code) of verified contracts, see API docs.

Metadata should ideally also be stored on decentralized storage systems like IPFS and Swarm in order to make its availability independent of centralized entities.
The sourcify project is dedicated to help make that the norm by building tooling and documentation for a decentralized repository of contract metadata.

Bugs & Future Work

• create additional workflow for manual contracts verification.
• Arbitrum verification of SuperToken logic contract.
• xdai blockscount code verification automation #319
• Use proxy verification feature of truffle-plugin-verify #620
• Investigate of upgrading to hardhat and its plugin as new pipeline. https://github.com/superfluid-finance/protocol-monorepo/issues/898