A Comprehensive Guide to Smart Contract Verification.

BuildBear Team
Published in BuildBear Labs
5 min read · Jun 10, 2024

Smart contracts automate the execution of blockchain transactions, and once deployed their code cannot be changed. Because of that immutability, thoroughly testing a contract before deployment and verifying its published source afterwards is crucial for safeguarding the assets it holds against vulnerabilities that attackers actively look for. This tutorial explains why smart contract verification matters and demonstrates how to verify contracts with Sourcify.

Smart Contracts: Ensuring Security Through Verification

Let us review what smart contracts are and what a compiled contract consists of. Smart contracts are programs that execute on the blockchain when predefined conditions are met. They eliminate the need for intermediaries, making transactions transparent and tamper-proof. But how can we be sure that a contract deployed on a blockchain is the one whose source we have read? How can we be sure that the logic in the deployed code performs as intended?

Consider past incidents such as the DAO hack in 2016, in which a reentrancy flaw in the contract's split logic let an attacker drain roughly $50 million worth of Ether, or the Parity multisig wallet incident in November 2017, in which an unprotected initialization function in the shared wallet library let a user take ownership of it and self-destruct it, freezing about $150 million in Ether. Neither bug would have been caught by source verification on its own: verification proves that the published source compiles to the deployed bytecode, not that the logic is sound. What it does guarantee is that the code auditors, users and researchers read is the code that is actually running, so that flaws like these can be found and reported before, rather than after, the funds move. Unverified contracts offer no such assurance.

What is Smart Contract Verification?

Smart contract verification establishes that a contract's published source code matches the bytecode deployed on the blockchain. When a contract is compiled, the compiler produces several artifacts: the bytecode, the ABI (Application Binary Interface), and a metadata file describing the build. Only the bytecode lives on-chain, and it is machine-readable; a human cannot inspect it and tell whether it corresponds to a given source file. Verification recompiles the claimed source with the recorded compiler settings and confirms that the result matches the deployed bytecode, providing transparency and a basis for security review. These are the reasons you should verify your contracts:

  • Security: published source that provably matches the deployed bytecode lets auditors and users review the code that is actually running, rather than a copy the deployer merely claims is the same.
  • Transparency: anyone can read the logic and check that the contract behaves as its documentation says.
  • Trust: users and integrators can confirm what a contract does before sending funds to it or building on it.

How to Verify Smart Contracts?

Verification of smart contracts is done with automated tools; the choice depends on the blockchain and the programming language used. Etherscan is the most popular verification service, but it is a centralized one: the verified-source database and the verification logic are controlled by a single company, which sits uneasily with the decentralized nature of the systems it documents. Why opt for a centralized source of truth when the whole point of smart contracts and blockchains is decentralization?

Sourcify is a decentralized, open-source alternative for Solidity contract verification, and its use is growing. It verifies against the contract's metadata: the JSON file solc emits alongside the bytecode, which records the compiler version and settings, the ABI, the NatSpec documentation, and the keccak256 hash and IPFS/Swarm location of every source file. The compiler also appends a hash of this metadata file to the end of the deployed bytecode, and because the metadata commits to the exact source text, that hash changes if so much as a comment changes. Sourcify therefore distinguishes a full match (the recompiled bytecode is identical, metadata hash included, so the published source is byte-for-byte what was compiled) from a partial match (only the executable part agrees). Etherscan compares bytecode while disregarding the metadata hash, so it cannot guarantee that the comments and formatting in the published source are the ones used at deployment: the first submission whose bytecode matches is accepted as the verified source, and later readers have no way to tell whether the comments differ.
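To make the full-match versus partial-match distinction concrete, here is an added Python example; it is not code from the BuildBear post or from Sourcify. It parses the CBOR trailer that solc appends to runtime bytecode (the last two bytes give the trailer length; the map inside carries an ipfs multihash of the metadata JSON and the solc version) and classifies a recompilation against the on-chain bytes the way a verifier does. The sample bytecode, the metadata JSON strings, and the use of a plain sha256 in place of IPFS's DAG hashing are constructed assumptions for the example.

```python
"""Added example, not code from the BuildBear post or from Sourcify.

solc appends a CBOR-encoded map to the end of runtime bytecode, followed by a
two-byte big-endian length of that map.  The map carries the IPFS multihash of
the metadata JSON (which commits to the exact source text, comments included)
and the compiler version.  A verifier recompiles the submitted source and
compares the result with the on-chain bytes:

  identical                               -> full match
  identical except the metadata trailer   -> partial match (same executable
                                             code; comments, whitespace or
                                             metadata-only data differ)
  anything else                           -> not verified
"""
import hashlib
from typing import Any, Dict, Tuple


def _cbor_arg(data: bytes, pos: int) -> Tuple[int, int]:
    """Decode the argument (length) of the CBOR item at pos; return (value, next_pos)."""
    info = data[pos] & 0x1F
    if info < 24:
        return info, pos + 1
    if info == 24:
        return data[pos + 1], pos + 2
    if info == 25:
        return int.from_bytes(data[pos + 1:pos + 3], "big"), pos + 3
    raise ValueError("length encoding not used in solc metadata trailers")


def _cbor_decode(data: bytes, pos: int = 0) -> Tuple[Any, int]:
    """Minimal CBOR decoder for the types solc emits: map, text, bytes, bool."""
    major = data[pos] >> 5
    if major == 2:                                    # byte string
        n, pos = _cbor_arg(data, pos)
        return data[pos:pos + n], pos + n
    if major == 3:                                    # text string (map keys)
        n, pos = _cbor_arg(data, pos)
        return data[pos:pos + n].decode("utf-8"), pos + n
    if major == 5:                                    # map
        n, pos = _cbor_arg(data, pos)
        out: Dict[str, Any] = {}
        for _ in range(n):
            key, pos = _cbor_decode(data, pos)
            out[key], pos = _cbor_decode(data, pos)
        return out, pos
    if major == 7 and data[pos] in (0xF4, 0xF5):      # false / true ("experimental" flag)
        return data[pos] == 0xF5, pos + 1
    raise ValueError(f"unsupported CBOR item 0x{data[pos]:02x} at offset {pos}")


def split_metadata(bytecode: bytes) -> Tuple[bytes, Dict[str, Any]]:
    """Return (bytecode without the trailer, decoded metadata map)."""
    if len(bytecode) < 3:
        raise ValueError("bytecode too short to carry a metadata trailer")
    cbor_len = int.from_bytes(bytecode[-2:], "big")
    if cbor_len == 0 or cbor_len + 2 > len(bytecode):
        raise ValueError("declared metadata length is inconsistent with bytecode")
    cbor = bytecode[-2 - cbor_len:-2]
    meta, end = _cbor_decode(cbor)
    if end != len(cbor) or not isinstance(meta, dict):
        raise ValueError("trailer is not a single CBOR map")
    return bytecode[:-2 - cbor_len], meta


def solc_version(meta: Dict[str, Any]) -> str:
    """solc stores its version in the trailer as three raw bytes: major, minor, patch."""
    major, minor, patch = meta["solc"]
    return f"{major}.{minor}.{patch}"


def classify_match(onchain: bytes, recompiled: bytes) -> str:
    """Reproduce the full / partial / mismatch decision a verifier makes."""
    if onchain == recompiled:
        return "full"
    code_a, _ = split_metadata(onchain)
    code_b, _ = split_metadata(recompiled)
    return "partial" if code_a == code_b else "mismatch"


def encode_trailer(metadata_json: bytes, version: Tuple[int, int, int] = (0, 8, 20)) -> bytes:
    """Build a trailer in solc's layout; used here only to construct sample bytecode.

    Assumption for the example: a plain sha256 of the JSON stands in for the real
    IPFS CID, which hashes a DAG-PB node wrapping the content, not the raw bytes.
    """
    ipfs = b"\x12\x20" + hashlib.sha256(metadata_json).digest()   # multihash: sha2-256, 32 bytes
    cbor = (b"\xa2"                                                 # map(2)
            + b"\x64ipfs" + b"\x58\x22" + ipfs                      # "ipfs": bytes(34)
            + b"\x64solc" + b"\x43" + bytes(version))               # "solc": bytes(3)
    return cbor + len(cbor).to_bytes(2, "big")                      # length suffix (0x0033)


# Constructed sample data: a standard solc prologue stands in for a real runtime
# body, and the metadata strings are stand-ins for the JSON solc would emit.
RUNTIME_BODY = bytes.fromhex("6080604052348015600f57600080fd5b50")
META_ORIGINAL = b'{"sources":{"Box.sol":{"content":"// store a value"}}}'
META_RECOMMENTED = b'{"sources":{"Box.sol":{"content":"// store a number"}}}'

ONCHAIN = RUNTIME_BODY + encode_trailer(META_ORIGINAL)
SAME_SOURCE = RUNTIME_BODY + encode_trailer(META_ORIGINAL)        # byte-for-byte resubmission
COMMENT_CHANGED = RUNTIME_BODY + encode_trailer(META_RECOMMENTED)  # only a comment differs
LOGIC_CHANGED = RUNTIME_BODY[:-1] + b"\x00" + encode_trailer(META_ORIGINAL)  # last opcode POP -> STOP

if __name__ == "__main__":
    body, meta = split_metadata(ONCHAIN)
    print("solc", solc_version(meta), "ipfs", meta["ipfs"].hex()[:16] + "...")
    for name, candidate in [("same source", SAME_SOURCE),
                            ("comment changed", COMMENT_CHANGED),
                            ("logic changed", LOGIC_CHANGED)]:
        print(f"{name:16s} -> {classify_match(ONCHAIN, candidate)}")
```

The point the example makes: a recompilation whose only difference is a comment still produces identical executable code, so a verifier that ignores the trailer accepts it, while the metadata hash in the trailer exposes the change. In a real deployment the bytes after the last opcode can be read with `eth_getCode` and fed to `split_metadata`, and the IPFS hash can then be used to fetch the exact metadata file the deployer compiled.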

Do you want to test your smart contracts before deploying to Mainnet, in an environment that mirrors it, and verify them in a private setup so that you can call their functions from the explorer? The BuildBear Sourcify plugin has you covered. Below we verify multiple contracts at once in a Foundry project with the Sourcify plugin.

Verifying Contracts with Sourcify Using BuildBear Sandbox

In this tutorial, we deploy a decentralized governance system with Foundry and verify its set of smart contracts with Sourcify.

Setting Up the Development Environment

Create a private Sandbox from BuildBear. If you are new to BuildBear, refer to our documentation for how to sign up and create your sandbox.

The Smart Contracts

Our governance system consists of the following contracts:

  • GovToken.sol: an ERC20 token with voting and permit features, so that token holders can delegate voting power and take part in governance.
  • Timelock contract: extends OpenZeppelin's TimelockController and adds functionality for specifying the proposer and executor roles.
  • Box contract: lets its owner store and retrieve a single unsigned integer value.
  • MyGovernor.sol: extends OpenZeppelin's Governor contract with voting, vote counting, quorum, timelock control, and proposal management.

Clone the repository containing the contracts and the scripts that deploy and verify the DAO governance system, then install dependencies and build:

git clone https://github.com/BuildBearLabs/Tutorials.git
cd Tutorials/DAO
forge install
forge build

Deploying the Contracts and Verifying Them with Sourcify

The repository includes a deploy script so that all the contracts can be deployed with a single command. With the --verify flags shown below, forge submits each deployed contract to the sandbox's Sourcify server as part of the same run, so deployment and verification happen together.

You can copy the command, with your sandbox's values already filled in, from the sandbox dashboard under the "Verify Contracts" option.

To run the script, replace the placeholders with your BuildBear Sandbox RPC URL, your node ID, and the private key of a funded sandbox account. Use a throwaway key: anything passed on the command line ends up in shell history and process listings, so never use a key that also holds mainnet funds.

forge script script/Deploy.s.sol --rpc-url <YOUR_RPC_URL> --private-key <YOUR_PRIVATE_KEY> --verify --verifier sourcify --verifier-url https://rpc.buildbear.io/verify/sourcify/server/<YOUR_NODE_ID> -vvvv --broadcast --slow

Upon successful execution, open the sandbox Explorer: each deployed contract should now show its verified source code, confirming that Sourcify matched the submitted source to the deployed bytecode.

Conclusion

Smart contract testing and verification are essential parts of the Web3 development lifecycle. Verification upholds the trustless, transparent nature of blockchain by making deployed code checkable against its source, which in turn lets vulnerabilities be found by anyone reviewing it. Sourcify plays the role of a decentralized Etherscan, verifying contracts against their compiler metadata. The BuildBear Sandbox complements this with a private deployment environment that mirrors the mainnet setup, and with the Sourcify plugin integrated into it, developers get a streamlined verification process for their smart contracts.

About BuildBear:

BuildBear is a platform tailored for DApp development and testing. Developers gain the freedom to construct a personalized Private Testnet sandbox across a variety of blockchain networks. The liberty to mint unlimited Native and ERC20 tokens, coupled with rapid transaction times on BuildBear (under 3 seconds!), enhances the DApp development lifecycle manifold. The platform comes equipped with tools and plugins designed for real-time testing and debugging, ensuring developers can keep tabs on intricate blockchain transactions with unparalleled ease.

Connect with us on Twitter | LinkedIn | Telegram | GitHub
