Estimated time: 6 minutes read

The verification of smart contracts is essential to ensure security and transparency in blockchain projects. Tools such as Etherscan and Sourcify are analyzed, and their usage is detailed through Hardhat.

What is smart contract verification?

Smart contract verification involves certifying that a specific source code corresponds to the bytecode of a smart contract deployed on a blockchain.

This process is crucial to assure the web3 community that a particular DApp, project, or protocol is reliable and that interactions with the blockchain are trustworthy.

The fundamentals involve compiling the source code of the smart contract with the same configuration used at deployment to verify the identity of the generated bytecode.

However, there are established tools within the Web3 world that support the task of verifying a smart contract. We will look at them later.

What types of verifications can be performed?

When the execution bytecode of a contract is generated, some parts are not reflected, such as variable names or code comments. If only the equality of this bytecode with the result of compiling a specific source code is checked, there would be room for malicious actions such as falsifying comments to mislead users into undesired interactions with the contracts.

To address this issue, there are the metadata of a compiled contract. This structure stores a hash of the fingerprint corresponding to all the source code, including variable names and comments.

In the following example, we see the metadata section generated when compiling a contract with Hardhat:

"contracts/TestingContract.sol":{	
	"keccak256":"0xd7da3905f69366deae6758106c08f6efbb26432e673a94ea912bbaa2e26a435a",
	"license":"MIT",
	"urls":[
		"bzz-raw://55746fe8790603e6379513044771b17a81818979ad3edd9dcbae86c2d32a9f4b",
		"dweb:/ipfs/QmWhJK38DLNG16GP6GUrSX82YyPHexaah8r5MXE1nnFdJs"
	]
}

The “keccak256” element represents the digital fingerprint of the entire source code of the contract, including, as mentioned, variable names and comments.

Finally, in the bytecode of the compiled contract, the hash of the digital fingerprint of all the metadata is added. This is the key point that allows for the complete verification of a smart contract’s source code. If, for example, a comment in the source code is altered, the digital fingerprint of the metadata will not match the bytecode deployed on the blockchain.

Therefore, we speak of partial verification when there is a difference in the hash of the metadata and total verification when there is complete match in the bytecode.

What tools allow for the verification of a smart contract?

This article examines two of the available options: Etherscan and Sourcify.

Etherscan

It is one of the most popular, as it is one of the most widely used block explorers.

There are several ways to verify smart contracts with Etherscan, for example, through its verification web page or using a programming tool, as we will see for Hardhat.

Once the contract is verified, it will be visually highlighted on the Etherscan interface, within the contract tab, as shown in the image:

Verificacion de smart contract en Etherscan

Additionally, the contract will be added to the verified contracts section, a repository specific to the tool.

The main drawback of verifying smart contracts with Etherscan is that the contract’s metadata is not checked, making it a partial verification.

Under the Etherscan umbrella, there are other block explorers for networks compatible with the EVM. For example, to verify smart contracts deployed on Polygon, the Polygonscan service would be used in a similar manner.

Sourcify

This is a tool dedicated exclusively to the verification of smart contracts.

There are also several ways to verify smart contracts with Sourcify, such as through its online verifier or programmatically via plugins for major smart contract development environments like Hardhat or Foundry.

The main advantage over Etherscan is that it allows for complete verifications by also checking the equality of the smart contract’s metadata.

Verified contracts are stored in Sourcify’s public repository, accessible via HTTPS or IPFS. This allows access to the source code and metadata of verified contracts.

Another interesting feature of Sourcify is that it monitors contract creation in new blocks and automatically verifies them if the source code and metadata are available on IPFS.

Once the contract is verified, it can be checked using the online search service.

Verificacion de smart contract con Sourcify

How to Verify Contracts with Hardhat?

Etherscan

The easiest way is through Ignition, Hardhat’s declarative system for deploying smart contracts on Ethereum-compatible networks.

I recommend reviewing my article on deploying smart contracts with Hardhat to understand the details of using that tool.

As a prerequisite, you need to have an Etherscan API KEY and add it to the “hardhat.config.js” file (it is defined separately in a “.env” properties file):

etherscan: {
    apiKey: `${ETHERSCAN_API_KEY}`,
}

Verification can be requested at the time of deployment by adding the “- -verify” modifier. This way, all deployed contracts will be verified at once.

For the example in the referenced article, the command would be invoked like this:

yarn hardhat ignition deploy .\ignition\modules\CryptoTask.js --network sepolia --verify

Another option is to request verification after the contracts have been deployed.

For example, if the contracts were deployed on Sepolia:

yarn hardhat ignition verify chain-11155111

If you need to verify a deployment on another block explorer, such as Polygonscan, in addition to obtaining the corresponding API KEY, you must add the blockchain definition to the “hardhat.config.js” file.

For example, to verify a deployment on the Amoy testnet:

etherscan: {
    apiKey: {        
        polygonAmoy: `${POLYGONSCAN_API_KEY}`,
    },
    customChains: [
        {
          network: "polygonAmoy",
          chainId: 80002,
          urls: {
            apiURL: "https://api-amoy.polygonscan.com/api",
            browserURL: "https://amoy.polygonscan.com",
          },
        },
    ],    
},
Sourcify

You need to install the hardhat-verify plugin.

yarn add --dev @nomicfoundation/hardhat-verify

Add its definition and enable it in the “hardhat.config.js” file:

require("@nomicfoundation/hardhat-verify");

module.exports = {
    sourcify: {      
          enabled: true
    }
}

Finally, invoke the command to verify the contract using its deployment address:

yarn hardhat verify --network sepolia $DEPLOYED_CONTRACT_ADDRESS

For the process to be successful, the contract must first be verified on Etherscan.

Using Scripts

The Hardhat “run” task allows for the programmatic execution of commands typically invoked through the shell.

The following script calls the previously discussed “hardhat verify” command to verify a contract. By default, it will first attempt verification via Etherscan if it is still pending. In that case, the arguments used in the constructor at the time of deployment must be provided. This is illustrated in the example:

import { run } from 'hardhat';

const args = [10, "name"]

await run('verify:verify', {
        address: contractAddress,
        constructorArguments: args,
        contract: 'contracts/TestingContract.sol:TestingContract',
});

Conclusion: Building Trust in the Web3 Ecosystem

The verification of smart contracts is a crucial aspect for ensuring trust and transparency in transactions conducted on the blockchain.

There are various tools that assist developers and builders in the Web3 space with verification, among which the analyzed Etherscan and Sourcify stand out, along with others like Blockscout or Chainlens.

However, considering the functionality offered by Sourcify (the most comprehensive), there are certain limitations that complicate the process and create some friction:

  • Each contract needs to be verified independently on each deployed network.
  • Only smart contracts programmed in Solidity are supported.
  • It is not possible to automatically retrieve information contained in the metadata of a verified contract.

To overcome these barriers, enable free access to the source code of smart contracts, and create a collaborative environment involving all parties in contract verification, The Verifier Alliance has emerged. This working group is still in its early stages and is worth following to stay updated on the latest developments related to contract verification.


Do you know of other tools for verifying smart contracts? What other initiatives exist to provide transparency and reliability to transactions on the blockchain? I encourage you to share your knowledge.

I can help if you need a smart contract developer who knows how to deploy them successfully on the blockchain. Contact me, and we can discuss.