Since the launch of Smart Contracts 2.0 in February 2022, more features and capabilities have been introduced continuously to improve the Hedera smart contract ecosystem. Today, we are launching Smart Contract Verification on Hedera to bolster security and trust between smart contract owners and smart contract users. This feature is useful for all smart contract applications, but it is a must-have for many DeFi products.
Smart contract verification is an established feature of many Ethereum Virtual Machine (EVM) ecosystems. It enables smart contract users to view the source code of those contracts. Regardless of the implementation, at a high level, the process of verifying smart contracts follows a few simple steps:
A smart contract owner deploys the contract
After deployment, a user (presumably the smart contract owner) goes to a verification service and uploads source code and/or metadata related to the deployed smart contract.
The verification service compiles the uploaded source code if needed, and compares the resulting or provided compiled bytecode vs the bytecode of the deployed contract on the network. From this comparison, the verification service creates a result of no match, partial match, or full match (also called perfect match).
Upon a partial or full match, the verification service saves the verification result and the uploaded source code in a repository.
Users of the smart contract can now look up the smart contract in an explorer, view the verification result, and view and evaluate the contract source code.
The process above enables users to review and evaluate the smart contract source code with the assurance from the verification service that the source code they are viewing matches the contract deployed on the network. This process may require the user reviewing the source code to have a strong understanding of Solidity smart contract code, architecture, potential security vulnerabilities, etc. Not all users will have this technical skillset, so they can in turn rely upon experts they trust to perform these reviews in their stead and report the results. However, it should be noted that the presence of a smart contract verification in no way asserts that a given smart contract is good, bad, safe, malicious etc. It's only meaning is that the source code is available for review, and it’s up to the users to do their own research to determine if the contract is worthy of interaction.
The Smart Contract Verification Ecosystem
Looking upon the EVM Smart Contract verification ecosystem we see a few dominant services. First we have Sourcify (sourcify.dev) which is an open source offering. Second we see Smart Contract verification offered by Etherscan and Etherscan clones (Polygonscan, Arbiscan, FTMscan etc.) These services are typically operated as separate repositories - so a verification performed on Etherscan will not appear in Sourcify.dev and vice versa. Then downstream services such as Remix and Hardhat will often support the reading and writing of verifications from one or more of these services.
Hedera Smart Contract Verification Service Overview
When setting out to support smart contract verification, Swirlds Labs looked at a number of options and ultimately decided to host an instance of Sourcify as the industry tool of record. The hosted instance can be found at https://verify.hashscan.io/. This instance of Sourcify driving the Hedera verifications has a few changes from the main Sourcify branch including removal of support for other chains, UI/UX modifications, and most notably support for testnet/previewnet “resets” where all of the stored verifications will be deleted when the Hedera testnet/previewnet periodically resets.
The code base for the Hedera Sourcify instance is open source for all to review and contribute to. This instance operates independently from the Sourcify.dev instance, as previously mentioned. Hedera mainnet is available in Sourcify.dev as an network option to independently perform verifications. In some cases, it might make sense for a smart contract owner to do verifications on both Hedera and Sourcify.dev in particular if a smart contract is being deployed across multiple chains using the same EVM address.
The deployment of the Hedera Sourcify instance seeks to enable 3 verification options in the Hedera ecosystem.
Users can go directly to verify.hashscan.io to perform verifications.
Users can go Hashscan.io to perform verifications as part of the broader explorer experience.
Other blockchain explorers in the Hedera ecosystem can leverage the Sourcify instance to enable verifications through their services.
As a testament to the impact of this advancement in the Hedera ecosystem, some application developers have recently expressed their commendation and highlighted the significance of these efforts. In the case of Eta Swap, a DEX aggregator on Hedera, they stated:
“Kudos to @swirldslabs for implementing smart-contract verification on #hashscan. Huge step to transparency (source code is easily verifiable now).”
There are three types of results when performing a smart contract verification; no match, partial match, and full match (also known as perfect match). Based on the previous explanation of the verification process, the “no match” result is self explanatory. Where there is more complexity is between partial match and full match. A full match means there is a 1-1 match between the verification service compiled code and the bytecode deployed on the network. Partial match occurs in cases where the compiled bytecode matches the deployed bytecode except for the metadata hash. For a more detailed explanation on these differences please refer to the Sourcify documentation here. The most desired outcome for a Smart Contract owner is a full match. If a user verifies a contract and achieves a partial match, Hashscan supports the ability to “re-verify” the contract with updated source files to achieve a full match. Also, if a smart contract owner is struggling to get a desired match, the Sourcify Playground provides valuable tools to support verification debugging.
Hashscan Smart Contract Verification
Performing Smart Contract Verification using the service is simple and straightforward.
Step 1: Deploy a smart contract on Hedera.
Step 2: Go to Hashscan and lookup the unverified deployed contract and choose the option to “Verify Contract”
Step 3: Upload the source code files associated with the smart contract.
Step 4: After a successful verification (partial or full match) any user viewing the smart contract will see the verification status, verification details, and a link to the source code files.
Step 5: Users can click on the “View contract sources” button and view the source code
The ability to verify smart contracts is crucial for various applications, especially in the DeFi sector. Introducing Smart Contract Verification on Hedera bolsters transparency and security between smart contract owners and users. This verification process is integral in establishing trust in the smart contracts deployed on the Hedera network. It also ensures that users can review and assess the smart contract source code with confidence, knowing it matches the contract deployed on the network. However, it's important to note that verification itself doesn't label a smart contract as safe or risky; it merely makes the code available for scrutiny. The responsibility of evaluating the safety and suitability of a contract lies with the users, who may rely on experts for in-depth analysis.
Continually enhancing the security features of smart contracts on Hedera, complementing its other top-tier attributes like high performance and low gas costs, helps Hedera become the preferred platform for reliable on-chain programmability.