Open in app

Sign in

Write

Sign in

Verify Contracts on Remix with Sourcify

Rob Stupay
Remix Project
Published in
5 min readJun 26, 2020

Have you ever wanted to get your smart contracts verified? Have you ever wanted to read the code of a deployed (& verified) contract? The new Sourcify plugin for Remix does both!

Sourcify is a service that listens for newly deployed contracts on Ethereum’s mainnet & most testnets and tries to verify them. If successful, publishes the contract’s bytecode, source code and metadata in a repo.

Remember: Lots of goodies can be found inside the contract’s metadata — including its ABI, Natspec comments, and compiler version.

Why is contract verification important?

The short answer is that verified code is readable code. The process of setting your code to be verified involves publishing source code and metadata to IPFS/Swarm and using Natspec to make code comments targeting developers or end users.

Consequently, verified code can improve both the safety and UX of DApps.

For the complete answer see the Solidity Blog about Sourcify.
Also check the Sourcify FAQ.

The Sourcify Service & Developer Tooling

The Sourcify monitoring service tries to verify all newly deployed contracts. Only those contracts with their source code and metadata published IPFS or Swarm will be verified.

To get more contracts verified, publishing the source code & metadata at deployment time should be seamlessly part of a dev’s workflow.

Once contracts have been verified, reading the source code, grabbing the ABI and debugging deployed contracts won’t be such a convoluted process.

For details about the Sourcify Service — check the Solidity Blog post of the Sourcify FAQ.

Remix IDE & Verifying Contracts

Integration of publishing into the workflow

With Remix, publishing to IPFS & Swarm is easy:

  • from the Solidity Compiler module: after the contract has been compiled the publish buttons will appear.
  • from the Deploy and Run module, by checking the PUBLISH TO IPFS checkbox.

With the contract’s source code and metadata published and the contract deployed, the Sourcify service — which listens for the deployment of new contracts, will verify the contract. The caveat is that the Solidity version must be greater than 0.6.

When your contract has been verified you will see it in Sourcify’s repo of verified contracts. The repo is also on IPFS. The contracts are listed by address.

Using Sourcify — a Remix plugin

Verification and Retrieval

The Sourcify plugin, has two sections:

Fetcher and Verifier

The Verifier allows you to:

  1. Get your contract verified on demand.
  2. Get a contract verified that you had previously deployed but had not published its source code & metadata to IPFS / Swarm.
  3. Get a contract verified that you had previously deployed and had published its source code & metadata but the contract was compiled with an older versions of Solidity (< 0.6 ). The Sourcify Monitoring Service cannot automatically verify contracts with older Solidity versions so you’d need to use the plugin or the Sourcify website.

The Fetcher allows you to:

  1. Pull in the source code of a verified contract into the Remix editor.
  2. Use Sourcify with the Debugger on mainnet or a testnet to debug a deployed contract.

Let’s try the Sourcify plugin

You will need to activate these 3 plugins:

  • Solidity compiler
  • Deploy & run transactions
  • Sourcify

Using the Verifier

  • Compile a contract.
  • Go to the Deploy & Run module. It is not necessary to check the publish to IPFS box because we are uploading it to IPFS in Sourcify. But if it is checked, it doesn’t hurt.
  • Choose the environment. In this example, I’m deploying via metamask to Ropsten (you can also choose any other testnet or mainnet).
  • Copy the address of the deployed contract.
  • Switch to the Sourcify plugin.
  • Click the Verifier button.
  • Paste the address of the deployed contract.

In the graphic below, you’ll see that the Files box contains: t1.sol and metadata.json. The Files box lists the source files and metadata file of the most recent contract compiled.

  • Copy the address of the deployed contract so that we can verify it.
  • Click the Verify

If successful, you’ll get a link to the verified code in the Sourcify repo of verified contracts.

Note: You can also use a local testchain but you’d need to run the entire Sourcify service locally — not through the Remix’s plugin. This will be included in future iterations of the plugin.

Using the Contract Fetcher

The Contract Fetcher is the tool to use when you have a contract’s address and want to get its source code.

The Fetcher will check the repo of verified contracts for the network & address. If the contract is there, it will load it into Remix’s editor.

For me, the Fetcher is magic! I realize its just doing a simple lookup — but I’m so used to thinking about a deployed contract as a black box full of illegible bytecode with no route to its source code. So I’m amazed.

But it is not magic — it is the system of verification and getting everyone to join this system by publishing their source code and metadata.

To learn more about Sourcify and Contract Verification — see this introductory article on the Solidity Blog called Sourcify: Towards Safer Contract Interaction for Humans. Also check the Sourcify FAQ.

In the next article about Remix & Sourcify, I’ll go through how Remix’s Debugger uses the Sourcify plugin to debug a verified contract on the mainnet.

A big thanks to Edi Sinovcic who helped me write write this article.

Solidity
Remix
Smartcontractdevelopment
Developer Tools
Verification

--

--

Rob Stupay
Remix Project

Written by Rob Stupay

426 Followers
Editor for

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams