Have you ever wanted to get your smart contracts verified? Have you ever wanted to read the code of a deployed (& verified) contract? The new Sourcify plugin for Remix does both!
Sourcify is a service that listens for newly deployed contracts on Ethereum’s mainnet & most testnets and tries to verify them. If successful, publishes the contract’s bytecode, source code and metadata in a repo.
Remember: Lots of goodies can be found inside the contract’s metadata — including its ABI, Natspec comments, and compiler version.
Why is contract verification important?
The short answer is that verified code is readable code. The process of setting your code to be verified involves publishing source code and metadata to IPFS/Swarm and using Natspec to make code comments targeting developers or end users.
Consequently, verified code can improve both the safety and UX of DApps.
The Sourcify Service & Developer Tooling
The Sourcify monitoring service tries to verify all newly deployed contracts. Only those contracts with their source code and metadata published IPFS or Swarm will be verified.
To get more contracts verified, publishing the source code & metadata at deployment time should be seamlessly part of a dev’s workflow.
Once contracts have been verified, reading the source code, grabbing the ABI and debugging deployed contracts won’t be such a convoluted process.
Remix IDE & Verifying Contracts
Integration of publishing into the workflow
With Remix, publishing to IPFS & Swarm is easy:
- from the Solidity Compiler module: after the contract has been compiled the publish buttons will appear.
- from the Deploy and Run module, by checking the PUBLISH TO IPFS checkbox.
With the contract’s source code and metadata published and the contract deployed, the Sourcify service — which listens for the deployment of new contracts, will verify the contract. The caveat is that the Solidity version must be greater than 0.6.
Using Sourcify — a Remix plugin
Verification and Retrieval
The Sourcify plugin, has two sections:
Fetcher and Verifier
The Verifier allows you to:
- Get your contract verified on demand.
- Get a contract verified that you had previously deployed but had not published its source code & metadata to IPFS / Swarm.
- Get a contract verified that you had previously deployed and had published its source code & metadata but the contract was compiled with an older versions of Solidity (< 0.6 ). The Sourcify Monitoring Service cannot automatically verify contracts with older Solidity versions so you’d need to use the plugin or the Sourcify website.
The Fetcher allows you to:
- Pull in the source code of a verified contract into the Remix editor.
- Use Sourcify with the Debugger on mainnet or a testnet to debug a deployed contract.
Let’s try the Sourcify plugin
You will need to activate these 3 plugins:
- Solidity compiler
- Deploy & run transactions
Using the Verifier
- Compile a contract.
- Go to the Deploy & Run module. It is not necessary to check the publish to IPFS box because we are uploading it to IPFS in Sourcify. But if it is checked, it doesn’t hurt.
- Choose the environment. In this example, I’m deploying via metamask to Ropsten (you can also choose any other testnet or mainnet).
- Copy the address of the deployed contract.
- Switch to the Sourcify plugin.
- Click the Verifier button.
- Paste the address of the deployed contract.
In the graphic below, you’ll see that the Files box contains: t1.sol and metadata.json. The Files box lists the source files and metadata file of the most recent contract compiled.
- Copy the address of the deployed contract so that we can verify it.
- Click the Verify
If successful, you’ll get a link to the verified code in the Sourcify repo of verified contracts.
Note: You can also use a local testchain but you’d need to run the entire Sourcify service locally — not through the Remix’s plugin. This will be included in future iterations of the plugin.
Using the Contract Fetcher
The Contract Fetcher is the tool to use when you have a contract’s address and want to get its source code.
The Fetcher will check the repo of verified contracts for the network & address. If the contract is there, it will load it into Remix’s editor.
For me, the Fetcher is magic! I realize its just doing a simple lookup — but I’m so used to thinking about a deployed contract as a black box full of illegible bytecode with no route to its source code. So I’m amazed.
But it is not magic — it is the system of verification and getting everyone to join this system by publishing their source code and metadata.
To learn more about Sourcify and Contract Verification — see this introductory article on the Solidity Blog called Sourcify: Towards Safer Contract Interaction for Humans. Also check the Sourcify FAQ.
In the next article about Remix & Sourcify, I’ll go through how Remix’s Debugger uses the Sourcify plugin to debug a verified contract on the mainnet.
A big thanks to Edi Sinovcic who helped me write write this article.