Verify Contracts on Remix with Sourcify

Rob Stupay
Jun 26 · 5 min read
Image for post
Image for post

Have you ever wanted to get your smart contracts verified? Have you ever wanted to read the code of a deployed (& verified) contract? The new Sourcify plugin for Remix does both!

Sourcify is a service that listens for newly deployed contracts on Ethereum’s mainnet & most testnets and tries to verify them. If successful, publishes the contract’s bytecode, source code and metadata in a repo.

Remember: Lots of goodies can be found inside the contract’s metadata — including its ABI, Natspec comments, and compiler version.

Why is contract verification important?

The short answer is that verified code is readable code. The process of setting your code to be verified involves publishing source code and metadata to IPFS/Swarm and using Natspec to make code comments targeting developers or end users.

Consequently, verified code can improve both the safety and UX of DApps.

For the complete answer see the Solidity Blog about Sourcify.
Also check the Sourcify FAQ.

The Sourcify Service & Developer Tooling

The Sourcify monitoring service tries to verify all newly deployed contracts. Only those contracts with their source code and metadata published IPFS or Swarm will be verified.

To get more contracts verified, publishing the source code & metadata at deployment time should be seamlessly part of a dev’s workflow.

Once contracts have been verified, reading the source code, grabbing the ABI and debugging deployed contracts won’t be such a convoluted process.

For details about the Sourcify Service — check the Solidity Blog post of the Sourcify FAQ.

Remix IDE & Verifying Contracts

Integration of publishing into the workflow

With Remix, publishing to IPFS & Swarm is easy:

  • from the Solidity Compiler module: after the contract has been compiled the publish buttons will appear.
  • from the Deploy and Run module, by checking the PUBLISH TO IPFS checkbox.
Image for post
Image for post

With the contract’s source code and metadata published and the contract deployed, the Sourcify service — which listens for the deployment of new contracts, will verify the contract. The caveat is that the Solidity version must be greater than 0.6.

When your contract has been verified you will see it in Sourcify’s repo of verified contracts. The repo is also on IPFS. The contracts are listed by address.

Using Sourcify — a Remix plugin

Verification and Retrieval

The Sourcify plugin, has two sections:

Fetcher and Verifier

The Verifier allows you to:

  1. Get your contract verified on demand.
  2. Get a contract verified that you had previously deployed but had not published its source code & metadata to IPFS / Swarm.
  3. Get a contract verified that you had previously deployed and had published its source code & metadata but the contract was compiled with an older versions of Solidity (< 0.6 ). The Sourcify Monitoring Service cannot automatically verify contracts with older Solidity versions so you’d need to use the plugin or the Sourcify website.

The Fetcher allows you to:

  1. Pull in the source code of a verified contract into the Remix editor.
  2. Use Sourcify with the Debugger on mainnet or a testnet to debug a deployed contract.

Let’s try the Sourcify plugin

You will need to activate these 3 plugins:

  • Solidity compiler
  • Deploy & run transactions
  • Sourcify

Using the Verifier

  • Compile a contract.
  • Go to the Deploy & Run module. It is not necessary to check the publish to IPFS box because we are uploading it to IPFS in Sourcify. But if it is checked, it doesn’t hurt.
  • Choose the environment. In this example, I’m deploying via metamask to Ropsten (you can also choose any other testnet or mainnet).
  • Copy the address of the deployed contract.
  • Switch to the Sourcify plugin.
  • Click the Verifier button.
  • Paste the address of the deployed contract.

In the graphic below, you’ll see that the Files box contains: t1.sol and metadata.json. The Files box lists the source files and metadata file of the most recent contract compiled.

Image for post
Image for post
  • Copy the address of the deployed contract so that we can verify it.
  • Click the Verify

If successful, you’ll get a link to the verified code in the Sourcify repo of verified contracts.

Image for post
Image for post

Note: You can also use a local testchain but you’d need to run the entire Sourcify service locally — not through the Remix’s plugin. This will be included in future iterations of the plugin.

Using the Contract Fetcher

The Contract Fetcher is the tool to use when you have a contract’s address and want to get its source code.

Image for post
Image for post

The Fetcher will check the repo of verified contracts for the network & address. If the contract is there, it will load it into Remix’s editor.

For me, the Fetcher is magic! I realize its just doing a simple lookup — but I’m so used to thinking about a deployed contract as a black box full of illegible bytecode with no route to its source code. So I’m amazed.

But it is not magic — it is the system of verification and getting everyone to join this system by publishing their source code and metadata.

To learn more about Sourcify and Contract Verification — see this introductory article on the Solidity Blog called Sourcify: Towards Safer Contract Interaction for Humans. Also check the Sourcify FAQ.

In the next article about Remix & Sourcify, I’ll go through how Remix’s Debugger uses the Sourcify plugin to debug a verified contract on the mainnet.

A big thanks to Edi Sinovcic who helped me write write this article.

Remix IDE

In browser editor for developing, debugging and deploying…

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch

Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore

Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store