Quasar RAT Disguised as an npm Package for Detecting Vulnerabilities in Ethereum Smart Contracts
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Ethereum smart contracts.
source-verify
Advanced tools
Solidity metadata-based re-compilation and source verification tool
JavaScript / node.js tool that can be used to verify that Ethereum bytecode was compiled from a certain Solidity source code.
This tool uses the metadata that is embedded in every Solidity contract bytecode to automatically retrieve the compiler version and all settings used, so at best you only need to specify the metadata and nothing else.
Until we have a reliable way to retrieve files based on their hash (see "Future Plans" below), you need to supply both the metadata and the source code. The Solidity compiler has an option to include the source code in the metadata directly, and only this mode is currently supported (see "Future Plans" below). You can achieve this by compiling using
solc --metadata --metadata-literal
on the commandline or via
{
  "settings": {
    "metadata": { "useLiteralContent": true }
  }
}
in standard-json-io.
Once you have that metadata in a file, e.g. one called "meta.json", you run
./index.js < meta.json
The script will download the correct Solidity compiler binary, compile the contract and output the resulting bytecode and metadata JSON. The only step you still have to do is comparing the bytecode with the creation bytecode of the contract in the blockchain.
Please note that source code verification is only reliable if it is performed on the creation bytecode, i.e. the bytecode payload used when the contract was created. The deployed bytecode, i.e. the bytecode stored in the blockchain as code, is not sufficient, because the constructor can still be different and set arbitrary storage entries.
Furthermore, if the constructor requires parameters, these have to be checked as well.
Also note that there can still be differences in the source code that are not visible in the bytecode. Variables can be renamed or unused code can be introduced. Since the bytecode contains a hash of the source code, such modifications have to be prepared at deploy time, but it is still a possibility.
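The comparison step left to the user above, together with the two notes on creation bytecode and constructor parameters, can be illustrated in code. The following is an added example, not part of the source-verify project: it reads the CBOR metadata trailer that solc appends to bytecode (the map carrying the source hash and compiler version), then checks that an on-chain creation bytecode equals the recompiled creation bytecode followed by ABI-encoded constructor arguments, returning those arguments so they can be checked separately. All bytecode and hash values below are constructed placeholders, not real compiler output, and the function names are this example's own.

```python
"""Added example: split the solc metadata trailer and compare creation bytecode."""

# --- minimal CBOR decoder: byte strings, text strings, maps, booleans ---
# This covers the map solc emits ("ipfs"/"bzzr0"/"bzzr1", "solc", "experimental").
def _read_len(data: bytes, i: int, info: int):
    if info < 24:
        return info, i
    if info == 24:
        return data[i], i + 1
    if info == 25:
        return int.from_bytes(data[i:i + 2], "big"), i + 2
    raise ValueError("unsupported CBOR length encoding")

def _decode(data: bytes, i: int):
    major, info = data[i] >> 5, data[i] & 0x1F
    i += 1
    if major == 2:                      # byte string (hash digests, solc version)
        n, i = _read_len(data, i, info)
        return data[i:i + n], i + n
    if major == 3:                      # text string (map keys)
        n, i = _read_len(data, i, info)
        return data[i:i + n].decode("utf-8"), i + n
    if major == 5:                      # map
        n, i = _read_len(data, i, info)
        out = {}
        for _ in range(n):
            key, i = _decode(data, i)
            val, i = _decode(data, i)
            out[key] = val
        return out, i
    if major == 7 and info in (20, 21): # false / true ("experimental" flag)
        return info == 21, i
    raise ValueError(f"unsupported CBOR major type {major}")

def split_auxdata(code: bytes):
    """Return (code_without_trailer, metadata_map).
    solc appends a CBOR map followed by its length as a 2-byte big-endian integer."""
    n = int.from_bytes(code[-2:], "big")
    if n + 2 > len(code):
        raise ValueError("auxdata length exceeds bytecode length")
    cbor = code[-2 - n:-2]
    meta, end = _decode(cbor, 0)
    if end != n:
        raise ValueError("trailing bytes after CBOR map")
    return code[:-2 - n], meta

def solc_version(meta: dict) -> str:
    """The 'solc' entry is three bytes: major, minor, patch."""
    major, minor, patch = meta["solc"]
    return f"{major}.{minor}.{patch}"

def verify_creation_bytecode(onchain: bytes, compiled: bytes) -> dict:
    """Compare on-chain creation bytecode against recompiled creation bytecode.
    The on-chain payload must start with the recompiled code; whatever follows is
    the ABI-encoded constructor argument tail, which the caller still has to check."""
    report = {"match": False, "solc": None, "constructor_args": None}
    _, meta = split_auxdata(compiled)
    report["solc"] = solc_version(meta)
    if not onchain.startswith(compiled):
        return report
    args = onchain[len(compiled):]
    if len(args) % 32 != 0:             # static ABI words are 32-byte aligned
        return report
    report["match"] = True
    report["constructor_args"] = args.hex()
    return report

# --- constructed sample input (not real compiler output) ---
IPFS_DIGEST = b"\x12\x20" + bytes(range(32))        # multihash-shaped placeholder
CBOR = (b"\xa2" + b"\x64ipfs" + b"\x58\x22" + IPFS_DIGEST
        + b"\x64solc" + b"\x43\x00\x06\x08")       # {"ipfs": ..., "solc": 0.6.8}
CODE_STUB = bytes.fromhex("6080604052600080fd")    # constructed stand-in for code
COMPILED = CODE_STUB + CBOR + len(CBOR).to_bytes(2, "big")
CTOR_ARGS = (42).to_bytes(32, "big")                # one uint256 constructor argument
ONCHAIN = COMPILED + CTOR_ARGS                      # what a node would return as creation input
TAMPERED = b"\x60\x81" + COMPILED[2:]               # one byte differs from the recompiled code

if __name__ == "__main__":
    print(verify_creation_bytecode(ONCHAIN, COMPILED))
    print(verify_creation_bytecode(TAMPERED + CTOR_ARGS, COMPILED))
```

A reported match only says that the code portion was produced from the given metadata; the returned constructor argument tail still has to be decoded against the constructor's ABI and checked, as the note above says, and the source itself should be compared against the hash in the trailer rather than trusted on the strength of the bytecode alone.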
FAQs
The npm package source-verify receives a total of 0 weekly downloads. As such, source-verify popularity was classified as not popular.
We found that source-verify demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.