
[Bug]: "We cannot verify this contract. Make sure you trust this address." for verified contract

Open hiroshi-yamamoto-dublr opened this issue 3 years ago • 2 comments

Describe the bug

I deployed this test contract:

https://rinkeby.etherscan.io/address/0xa823fe789B32b1566fF6931E6e0d0E8c2C51435B#code

The Etherscan page says: "Contract Source Code Verified (Exact Match)".

However, when I try to call a function on this contract, MetaMask displays:

"We cannot verify this contract. Make sure you trust this address."

Isn't Etherscan verification sufficient for MetaMask to know this contract is verified in some way? Why does MetaMask display this warning? Is there a way to suppress this MetaMask warning? Why not simply link to the Etherscan verification page?

Steps to reproduce

Try calling any contract method (e.g. cancelMySellOrder()) on the above contract address, and look at the MetaMask verification window that pops up.

Error messages or log output

No response

Version

10.18.0

Build type

No response

Browser

Chrome

Operating system

Linux, Other (please elaborate in the "Additional Context" section)

Hardware wallet

No response

Additional context

No response

hiroshi-yamamoto-dublr avatar Aug 03 '22 23:08 hiroshi-yamamoto-dublr

Hey @hiroshi-yamamoto-dublr, thank you for your question! There's no way to suppress this tool tip currently. We show it as a way to encourage users to go to the block explorer and check if it's indeed a contract they trust. Etherscan verification only verifies that the source code matches the one on chain, but it doesn't verify if the contract belongs to a trusted source or if it's indeed non-malicious, for example. So relying on it to claim that a contract is verified on the MM UI could be dangerous to users. We'll be improving this screen in the near future and we'll likely make changes to this message or how it's displayed to give more context.

bschorchit avatar Aug 05 '22 16:08 bschorchit

Hi @bschorchit -- thanks for the explanation. So it sounds like all contract addresses always have this warning displayed? And there is no way to verify that a given contract is the official contract address for an ERC20 token with a given ticker name?

I know you have automated token discovery now, where tokens have to show up on at least two token lists. Would it be reasonable to at least hide the warning for tokens that pass that minimum level of scrutiny?

hiroshi-yamamoto-dublr avatar Aug 06 '22 22:08 hiroshi-yamamoto-dublr

Thanks for this suggestion @hiroshi-yamamoto-dublr, we'll take it into consideration as we re-design these confirmation screens.

bschorchit avatar Aug 18 '22 21:08 bschorchit
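
The two-list idea raised in this exchange, as an added example (not MetaMask's code and not written by anyone in the thread). It assumes token lists shaped as `{ name, tokens: [{ chainId, address, symbol }] }`; `classifyContract`, `MIN_LISTS` and all sample data are hypothetical.

```javascript
// Added example; every list name, address and symbol here is constructed.
const MIN_LISTS = 2; // the "at least two token lists" threshold from the thread

// Constructed lists in the common token-list JSON shape (assumption).
const SAMPLE_LISTS = [
  { name: 'list-a', tokens: [
    { chainId: 1, address: '0xAbCdEF0000000000000000000000000000000001', symbol: 'DEMO' },
    { chainId: 1, address: '0x2222222222222222222222222222222222222222', symbol: 'SOLO' },
  ] },
  { name: 'list-b', tokens: [ // same DEMO token, different hex casing
    { chainId: 1, address: '0xabcdef0000000000000000000000000000000001', symbol: 'DEMO' },
  ] },
  { name: 'list-c', tokens: [ // same address, but on another chain
    { chainId: 5, address: '0xabcdef0000000000000000000000000000000001', symbol: 'DEMO' },
  ] },
];

const norm = (addr) => String(addr).trim().toLowerCase();
const isAddress = (addr) => /^0x[0-9a-f]{40}$/.test(norm(addr));

// Decide how to label a contract: address match per chain, never ticker match.
function classifyContract(lists, chainId, address, claimedSymbol = '') {
  if (!isAddress(address)) return { status: 'invalid-address', listedOn: [] };
  const target = norm(address);
  const wanted = claimedSymbol.toUpperCase();
  const listedOn = [];
  let symbolTakenByOther = false;
  for (const list of lists) {
    let hit = false;
    for (const t of list.tokens || []) {
      if (t.chainId !== chainId) continue; // addresses are only meaningful per chain
      if (norm(t.address) === target) hit = true;
      else if (wanted && String(t.symbol || '').toUpperCase() === wanted) {
        symbolTakenByOther = true; // a listed token already uses this ticker
      }
    }
    if (hit) listedOn.push(list.name); // count each list once
  }
  if (listedOn.length >= MIN_LISTS) return { status: 'listed', listedOn };
  // An unlisted contract reusing a listed ticker deserves a stronger warning.
  if (symbolTakenByOther) return { status: 'symbol-collision', listedOn };
  return { status: 'unlisted', listedOn };
}
```

A `listed` result only says the address appears on enough lists for that chain; it does not establish that the contract is non-malicious.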

Hi, @bschorchit. I developed a simple fundMe contract for my website that enables the transfer of funds to a particular account. I ended up seeing this message on MetaMask which I believe will throw potential users off. My concern is that I am only seeing the warning for the first time in the contract I developed myself and not on the other websites I interact with. How were the other websites able to suppress the warning? Is there a smart contract test for MetaMask or a tool I need to verify my contract on?

Here is the warning. [image]

EECvision avatar Apr 14 '23 11:04 EECvision

Hey @EECvision, thank you for reaching out. As mentioned in the warning and in the settings for this feature, this warning is based on information from third party security providers. I'm forwarding this to them for their visibility.

bschorchit avatar Apr 18 '23 22:04 bschorchit

@EECvision could you share more info for the team to triage? E.g. website, contract and transaction data

bschorchit avatar Apr 19 '23 22:04 bschorchit

Sure!

Verified address: https://etherscan.io/address/0x030E57179F1e3F27b945455EEb2e6e16d82628ae#code

Error message: [image]

EECvision avatar Apr 20 '23 01:04 EECvision

@bschorchit, using the term "verify", which commonly refers to the process of submitting the source code of a contract to a block explorer, is indeed misleading.

How about "We are not in a position to assess the reliability of this contract. Make sure you trust this address before interacting with it."?

IaroslavMazur avatar Jun 03 '23 13:06 IaroslavMazur