As a user, I want to extend the bytecode verifier to search the web for the metadata hash, so I can verify published source code.
https://twitter.com/ethchris/status/988796972306980864
Someone please extend https://github.com/ConsenSys/bytecode-verifier … to search the web for the metadata hash, search the web for the source hash and auto-download and verify everything. And make it standard practice to publish source code under its hash so it can be found.
Acceptance Criteria
- bytecode verifier searches the web for the metadata hash
- will auto-download and verify everything.
- make this the default practice for publishing source code
Perhaps some more details:
The Solidity compiler generates a metadata file (json-formatted) with each compilation run. This metadata file helps reproduce the compilation (i.e. bytecode-verifying it) since it contains the compiler settings and either the full source code or at least the hashes of all source code files. The hash of this metadata file is stored inside the bytecode of every single contract. Because of that, source code always compiles to unique bytecode (assuming hash functions are collision-resistant).
This allows programmers to add so-called "natspec" comments into the source code. These comments are also part of the metadata. The intention is that these comments are displayed to the user at the point where they confirm a transaction (for example in the offline signing device), so that they do not blindly sign a transaction that has a bunch of hex data attached.
In order for this to work, the metadata file and the source code need to find their way to the signing device. Ideally, since the hashes of these files are known, we could use a decentralized content-addressed storage solution like swarm or ipfs, but these do not seem to be practical yet.
As an approximation to this situation, some centralized storage provider (or multiple different ones) could be used. Since they are usually not content-addressed, the hash of the file needs to be stored in a way that a search for the hash would eventually lead to the file.
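As an added illustration of the mechanism described above (example code written for this thread, not part of bytecode-verifier or solc), the snippet below decodes the CBOR map that solc appends to runtime bytecode and pulls out the metadata hash it carries, rejecting a malformed trailer instead of guessing. The bytecode prefix and the digest are constructed placeholders, not a real contract or a real Swarm hash.

```python
# Added example (not bytecode-verifier's or solc's code): decode the CBOR map that
# solc appends to runtime bytecode and pull out the metadata hash it carries.
# Layout: <code> <CBOR map> <2-byte big-endian length of the CBOR map>

# Constructed sample in the solc 0.4.x layout: a1 65 "bzzr0" 58 20 <32-byte hash> 00 29.
# The digest and code prefix are placeholders, not a real contract or Swarm hash.
SAMPLE_HASH = bytes(range(32))
SAMPLE_CODE = bytes.fromhex("6080604052600080fd")
SAMPLE_BYTECODE = SAMPLE_CODE + bytes.fromhex("a165627a7a72305820") + SAMPLE_HASH + b"\x00\x29"

def _cbor_item(buf, pos):
    """Decode one CBOR item at pos -> (value, next_pos). Handles only the subset solc
    emits: byte strings, text strings, maps, and true/false (the "experimental" flag)."""
    major, info = buf[pos] >> 5, buf[pos] & 0x1F
    pos += 1
    if major == 7 and info in (20, 21):
        return info == 21, pos
    if info < 24:
        length = info
    elif info == 24:  # one-byte length follows, e.g. 0x58 0x20 for a 32-byte digest
        length, pos = buf[pos], pos + 1
    else:
        raise ValueError("unsupported CBOR length encoding")
    if major == 2:
        return buf[pos:pos + length], pos + length
    if major == 3:
        return buf[pos:pos + length].decode("utf-8"), pos + length
    if major == 5:
        out = {}
        for _ in range(length):
            key, pos = _cbor_item(buf, pos)
            out[key], pos = _cbor_item(buf, pos)
        return out, pos
    raise ValueError(f"unexpected CBOR major type {major}")

def split_metadata(bytecode):
    """Return (code_without_metadata, metadata_dict), e.g. {"bzzr0": <digest>}; raise
    ValueError on a malformed trailer so a verifier fails closed instead of comparing garbage."""
    if len(bytecode) < 2:
        raise ValueError("bytecode too short for a metadata trailer")
    cbor_len = int.from_bytes(bytecode[-2:], "big")
    if cbor_len + 2 > len(bytecode):
        raise ValueError("metadata length field exceeds bytecode length")
    cbor = bytecode[-2 - cbor_len:-2]
    meta, end = _cbor_item(cbor, 0)
    if end != len(cbor) or not isinstance(meta, dict):
        raise ValueError("trailing CBOR is not a single map")
    return bytecode[:-2 - cbor_len], meta
```

Checking the extracted digest against a downloaded metadata file still needs that file's Swarm (bzzr) or IPFS hash, which this snippet does not compute.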
This is awesome! Actually trying to create something somewhat similar for 1Hive where all our major deployments will have info linking to the exact snapshot of the source code, the deployment addresses, and a guide on how to use the bytecode-verifier to verify that the deployed contract is the same as the one they're looking at on GitHub. We're recreating MolochDAO on Aragon so this will be especially relevant for security audits to let users know which exact versions of the code were audited. Having that process automated and available for all Aragon apps (and really any Ethereum contracts) would be amazing.
@owocki @chriseth
- Was any progress made in this direction and/or do you know any projects that are doing something similar? If so, please link!
- If not, is there an open GitCoin bounty or something for this task?
I don't know of any progress made; no, there's no open bounty AFAIK. @gitcoinbot would have commented if there was.