
bytecode-verifier's Introduction


Bytecode Verifier

Bytecode Verifier is a handy command-line tool for verifying the locally compiled bytecode of a target Solidity contract against the actual bytecode stored on the Ethereum blockchain at a given contract address. This tool offers:

  • Integrity/correctness of bytecode: confirms that what is actually stored on chain was correctly compiled from a particular contract. This is helpful when deploying a non-trivial contract that may hold high value (e.g. a MultiSig Wallet), especially when the contract is deployed through a third-party platform.
  • Minimal effort, simple to use: the Solidity compiler evolves over time with minor and some major changes, which complicates the verification of bytecode (see the recurring "bytecode doesn't match" questions asked on Ethereum Stack Exchange). Bytecode Verifier has been tested against the latest version all the way back to some of the oldest deployed contracts.
  • Testnet friendly: most projects launch on a testnet before deploying the contract system to mainnet. This tool supports the Rinkeby, Kovan and Ropsten testnets, three active, well-maintained testnets that most Ethereum developers use.

Installation

Prefer global install:

npm install eth-bytecode-verifier -g

If the installation succeeds, run ethv with -h or --help to read a brief description of this tool.

ethv --help


Quick Usage

ethv verify <chainChoice>

Currently this tool can verify contracts on mainnet, kovan, ropsten and rinkeby. (NOTE: for contracts on Rinkeby, only compiler versions no earlier than 0.4.9 are supported.)

  1. Save the contract code into a file named *YourContractName*.sol. If your contract imports other contracts from separate files, or the file consists of multiple contracts, name the file after the main contract, since that is the contract whose bytecode is verified (e.g. for contract StandardToken is Token {}, the file name should be StandardToken.sol).

  2. The ethv verifier will prompt you with 4 questions. Be careful about the format of the compiler version string. If you are not sure, run ethv compiler first and copy the exact version string from the output.

  3. If the bytecode compiled from your local file matches what is actually stored at the blockchain address, the terminal returns positive feedback; otherwise a red, bold alert is returned.

Example1: Golem_MultiSigWallet (mainnet)


Example2: Oraclize (kovan)


For more examples, see the example subfolder.

ethv --list

Quickly lists the formal major release versions of the Solidity compiler.


ethv compiler

Looks up an intermediate "nightly" version of the Solidity compiler.


Contributing

This bytecode verifier is entirely open source, and anyone in the community is free to use it for any purpose (see the MIT License for details). More importantly, issues and pull requests are more than welcome. The corresponding npm package can be found here.

Acknowledgement

Big thanks and great gratitude to ConsenSys Diligence for making this project possible.

bytecode-verifier's People

Contributors

alxiong, ethers, maurelian, shayanb, yxliang01


bytecode-verifier's Issues

Another wrong swarm hash extraction out of the bytecode

https://kovan.etherscan.io/address/0xc2e5a20673803fc1df4c71d98a56cefa33a2d0e8#code

Although the actual deployed code is verified as expected, the swarm hash was wrong:


==========================================
result from blockchain is written in "from_blockchain.txt" file
Corresponding swarm hash is: 0xebdbafe92f2da234cf6f114f8c8a6604c83e53f7ab6a1fdbb90b4a836e620fbd002960606040526003805460a060020a60ff02191690555b6003805
4600160a060020a03191633600160a060020a03161790555b5b610c40806100416000396000f300606060405236156100e35763ffffffff7c0100000000000000000000000000000000000
00000000000000000000060003504166305d2035b81146100e857806306fdde031461010f578063095ea7b31461019a57806318160ddd146101d057806323b872dd146101f5578063313ce
5671461023157806340c10f191461025a578063661884631461029057806370a08231146102c65780637d64bcb4146102f75780638da5cb5b1461031e57806395d89b411461034d578063a
9059cbb146103d8578063d73dd6231461040e578063dd62ed3e14610444578063f2fde38b1461047b575b600080fd5b34156100f357600080fd5b6100fb61049c565b60405190151581526
0200160405180910390f35b341561011a5760........1115610bef57fe5b508082035b92915050565b600082820183811015610c0957fe5b8091505b50929150505600a165627a7a723058201229ce8b9f64190c5
013afdf7e662806ba3a541af549d0c11b8e0376b6795e710029a165627a7a72305820809cc4332e02f7e2b4e72ab517175ce5b3cd934c9def2916cc3360b1a6e69598

==========================================
Bytecode Verified!!

As a user, I want to extend the bytecode verifier to search the web for the metadata hash, so I can verify published source code.

https://twitter.com/ethchris/status/988796972306980864

Someone please extend https://github.com/ConsenSys/bytecode-verifier … to search the web for the metadata hash, search the web for the source hash and auto-download and verify everything. And make it standard practice to publish source code under its hash so it can be found.

Acceptance Criteria

  • bytecode verifier searches the web for the metadata hash
  • will auto-download and verify everything.
  • make this the default practice for publishing source code

Verifying libraries

Needs investigation.
Example: try to verify https://etherscan.io/address/0xdd9dbcc279b0e034ce74db24015ebf2606d88539#code

You've chosen: mainnet
? Enter compiler version. (e.g. v0.4.10+commit.f0d539ae). v0.4.13+commit.fb4cb1a


? Enter the contract file name. (e.g. MultiSigWalletWithDailyLimit.sol) WalletMainLib.sol
? Enter the contract address on blockchain. (e.g. 0x851b7f3ab81bd8df354f0d7640ef
cd7288553419) 0xdd9dbcc279b0e034ce74db24015ebf2606d88539
? 0 for not optimized, 1 for optimized. 1
Current working directory: /someDirectory
File being compiled and compared: WalletMainLib.sol
==========================================
Compiler Version: v0.4.13+commit.fb4cb1a
Compiling in progress, dude, please be patient and give me 15~30 sec ...

==========================================
result from compiler is written in "from_compiler.txt" file

==========================================
result from blockchain is written in "from_blockchain.txt" file
Corresponding swarm hash is: 0x524b9849f0828f79136454754f2ea2351df027a217fd58452a2af5423d538463

==========================================
Bytecode doesn't match!!

`ethv --list` latestRelease: 0.4.21

This tool seems amazing, but also not maintained.

$ ethv --list

================================

latestRelease: 0.4.21

Here is a list of solc versions from formal major releases:

0.4.21 : v0.4.21+commit.dfe3193c
0.4.20 : v0.4.20+commit.3155dd80
0.4.19 : v0.4.19+commit.c4cbbb05
0.4.18 : v0.4.18+commit.9cf6e910
0.4.17 : v0.4.17+commit.bdeb9e52
0.4.16 : v0.4.16+commit.d7661dd9
0.4.15 : v0.4.15+commit.bbb8e64f
0.4.14 : v0.4.14+commit.c2215d46
0.4.13 : v0.4.13+commit.fb4cb1a
0.4.12 : v0.4.12+commit.194ff033
0.4.11 : v0.4.11+commit.68ef5810
0.4.10 : v0.4.10+commit.f0d539ae
0.4.9 : v0.4.9+commit.364da425
0.4.8 : v0.4.8+commit.60cc1668
0.4.7 : v0.4.7+commit.822622cf
0.4.6 : v0.4.6+commit.2dabbdf0
0.4.5 : v0.4.5+commit.b318366e
0.4.4 : v0.4.4+commit.4633f3de
0.4.3 : v0.4.3+commit.2353da71
0.4.2 : v0.4.2+commit.af6afb04
0.4.1 : v0.4.1+commit.4fc6fc2c
0.4.0 : v0.4.0+commit.acd334c9
0.3.6 : v0.3.6+commit.3fc68da
0.3.5 : v0.3.5+commit.5f97274
0.3.4 : v0.3.4+commit.7dab890
0.3.3 : v0.3.3+commit.4dc1cb1
0.3.2 : v0.3.2+commit.81ae2a7
0.3.1 : v0.3.1+commit.c492d9b
0.3.0 : v0.3.0+commit.11d6736
0.2.2 : v0.2.2+commit.ef92f56
0.2.1 : v0.2.1+commit.91a6b35
0.2.0 : v0.2.0+commit.4dc2445
0.1.7 : v0.1.7+commit.b4e666c
0.1.6 : v0.1.6+commit.d41f8b7
0.1.5 : v0.1.5+commit.23865e3
0.1.4 : v0.1.4+commit.5f6c3cd
0.1.3 : v0.1.3+commit.28f561
0.1.2 : v0.1.2+commit.d0d36e3
0.1.1 : v0.1.1+commit.6ff4cd6


Why did you guys stop maintaining the bytecode-verifier and/or was it incorporated into some other toolkit?

Programmatic usage

Awesome work!

I intend to use this as part of a program and was wondering if there is any reason that it only logs the result verbosely and cannot be called/used as a function that gives the result in a reusable way to other programs?

Things that could be returned are:

  • bytecode_from_compiler
  • compilation error if any
  • swarm_hash
  • ABI

Link references support

I tried to verify the contract from there and found that the compiled contract has link references to SafeMathLibExt in its bytecode. But the blockchain doesn't have this information.

Maybe you know why we have it in the compiled bytecode and why we don't have it in the deployed bytecode?

TypeError: Cannot read property 'compile' of undefined

Command:

ethv verify ropsten erc20.sol
You've chosen: ropsten
? Enter compiler version. (e.g. v0.4.10+commit.f0d539ae). v0.5.9
? Enter the contract file name. (e.g. MultiSigWalletWithDailyLimit.sol) erc20.sol
? Enter the contract address on blockchain. (e.g. 0x851b7f3ab81bd8df354f0d7640efcd7288553419) 0xC921254a908e25d1695D677037d8901885ad6228

Output error:

Compiling in progress, dude, please be patient and give me 15~30 sec ...
Solc failed to loadedError: Error retrieving binary: Not Found
/Users/macbookpro/.nvm/versions/node/v13.6.0/lib/node_modules/eth-bytecode-verifier/src/verifier.js:34
  	var output = solc_specific.compile(input, is_optimized);
  	                           ^

TypeError: Cannot read property 'compile' of undefined
    at /Users/macbookpro/.nvm/versions/node/v13.6.0/lib/node_modules/eth-bytecode-verifier/src/verifier.js:34:31
    at ClientRequest.<anonymous> (/Users/macbookpro/.nvm/versions/node/v13.6.0/lib/node_modules/eth-bytecode-verifier/node_modules/solc/wrapper.js:205:11)
    at Object.onceWrapper (events.js:428:26)
    at ClientRequest.emit (events.js:321:20)
    at HTTPParser.parserOnIncomingClient [as onIncoming] (_http_client.js:602:27)
    at HTTPParser.parserOnHeadersComplete (_http_common.js:116:17)
    at TLSSocket.socketOnData (_http_client.js:471:22)
    at TLSSocket.emit (events.js:321:20)
    at addChunk (_stream_readable.js:305:12)
    at readableAddChunk (_stream_readable.js:280:11)
    at TLSSocket.Readable.push (_stream_readable.js:214:10)
    at TLSWrap.onStreamRead (internal/stream_base_commons.js:186:23)

Cannot build

$ node -v
v10.16.0
$ npm -v
6.9.0
$ npm i

> [email protected] preinstall /Users/primary/Projects/Tools/bytecode-verifier/node_modules/scrypt
> node node-scrypt-preinstall.js


> [email protected] install /Users/primary/Projects/Tools/bytecode-verifier/node_modules/scrypt
> node-gyp rebuild

gyp WARN download NVM_NODEJS_ORG_MIRROR is deprecated and will be removed in node-gyp v4, please use NODEJS_ORG_MIRROR
gyp WARN download NVM_NODEJS_ORG_MIRROR is deprecated and will be removed in node-gyp v4, please use NODEJS_ORG_MIRROR
gyp WARN download NVM_NODEJS_ORG_MIRROR is deprecated and will be removed in node-gyp v4, please use NODEJS_ORG_MIRROR
  SOLINK_MODULE(target) Release/copied_files.node
  CC(target) Release/obj.target/scrypt_wrapper/src/util/memlimit.o
  CC(target) Release/obj.target/scrypt_wrapper/src/scryptwrapper/keyderivation.o
  CC(target) Release/obj.target/scrypt_wrapper/src/scryptwrapper/pickparams.o
  CC(target) Release/obj.target/scrypt_wrapper/src/scryptwrapper/hash.o
  LIBTOOL-STATIC Release/scrypt_wrapper.a
  CC(target) Release/obj.target/scrypt_lib/scrypt/scrypt-1.2.0/lib/crypto/crypto_scrypt.o
  CC(target) Release/obj.target/scrypt_lib/scrypt/scrypt-1.2.0/lib/crypto/crypto_scrypt_smix.o
  CC(target) Release/obj.target/scrypt_lib/scrypt/scrypt-1.2.0/libcperciva/util/warnp.o
  CC(target) Release/obj.target/scrypt_lib/scrypt/scrypt-1.2.0/libcperciva/alg/sha256.o
  CC(target) Release/obj.target/scrypt_lib/scrypt/scrypt-1.2.0/libcperciva/util/insecure_memzero.o
  CC(target) Release/obj.target/scrypt_lib/scrypt/scrypt-1.2.0/lib/scryptenc/scryptenc_cpuperf.o
  LIBTOOL-STATIC Release/scrypt_lib.a
  CXX(target) Release/obj.target/scrypt/src/node-boilerplate/scrypt_common.o
In file included from ../src/node-boilerplate/scrypt_common.cc:28:
In file included from ../../nan/nan.h:192:
../../nan/nan_maybe_43_inl.h:112:15: error: no member named 'ForceSet' in 'v8::Object'
  return obj->ForceSet(isolate->GetCurrentContext(), key, value, attribs);
         ~~~  ^
In file included from ../src/node-boilerplate/scrypt_common.cc:28:
../../nan/nan.h:834:18: warning: 'MakeCallback' is deprecated: Use MakeCallback(...,
      async_context) [-Wdeprecated-declarations]
    return node::MakeCallback(
                 ^
/Users/primary/.node-gyp/10.16.0/include/node/node.h:176:1: note: 'MakeCallback' has been
      explicitly marked deprecated here
NODE_DEPRECATED("Use MakeCallback(..., async_context)",
^
/Users/primary/.node-gyp/10.16.0/include/node/node.h:91:20: note: expanded from macro
      'NODE_DEPRECATED'
    __attribute__((deprecated(message))) declarator
                   ^
In file included from ../src/node-boilerplate/scrypt_common.cc:28:
../../nan/nan.h:849:18: warning: 'MakeCallback' is deprecated: Use MakeCallback(...,
      async_context) [-Wdeprecated-declarations]
    return node::MakeCallback(
                 ^
/Users/primary/.node-gyp/10.16.0/include/node/node.h:169:1: note: 'MakeCallback' has been
      explicitly marked deprecated here
NODE_DEPRECATED("Use MakeCallback(..., async_context)",
^
/Users/primary/.node-gyp/10.16.0/include/node/node.h:91:20: note: expanded from macro
      'NODE_DEPRECATED'
    __attribute__((deprecated(message))) declarator
                   ^
In file included from ../src/node-boilerplate/scrypt_common.cc:28:
../../nan/nan.h:864:18: warning: 'MakeCallback' is deprecated: Use MakeCallback(...,
      async_context) [-Wdeprecated-declarations]
    return node::MakeCallback(
                 ^
/Users/primary/.node-gyp/10.16.0/include/node/node.h:162:1: note: 'MakeCallback' has been
      explicitly marked deprecated here
NODE_DEPRECATED("Use MakeCallback(..., async_context)",
^
/Users/primary/.node-gyp/10.16.0/include/node/node.h:91:20: note: expanded from macro
      'NODE_DEPRECATED'
    __attribute__((deprecated(message))) declarator
                   ^
In file included from ../src/node-boilerplate/scrypt_common.cc:28:
../../nan/nan.h:1473:31: warning: 'MakeCallback' is deprecated: Use MakeCallback(...,
      async_context) [-Wdeprecated-declarations]
    return scope.Escape(node::MakeCallback(
                              ^
/Users/primary/.node-gyp/10.16.0/include/node/node.h:176:1: note: 'MakeCallback' has been
      explicitly marked deprecated here
NODE_DEPRECATED("Use MakeCallback(..., async_context)",
^
/Users/primary/.node-gyp/10.16.0/include/node/node.h:91:20: note: expanded from macro
      'NODE_DEPRECATED'
    __attribute__((deprecated(message))) declarator
                   ^
4 warnings and 1 error generated.
make: *** [Release/obj.target/scrypt/src/node-boilerplate/scrypt_common.o] Error 1
gyp ERR! build error
gyp ERR! stack Error: `make` failed with exit code: 2
gyp ERR! stack     at ChildProcess.onExit (/Users/primary/.nvm/versions/node/v10.16.0/lib/node_modules/npm/node_modules/node-gyp/lib/build.js:262:23)
gyp ERR! stack     at ChildProcess.emit (events.js:198:13)
gyp ERR! stack     at Process.ChildProcess._handle.onexit (internal/child_process.js:248:12)
gyp ERR! System Darwin 19.0.0
gyp ERR! command "/Users/primary/.nvm/versions/node/v10.16.0/bin/node" "/Users/primary/.nvm/versions/node/v10.16.0/lib/node_modules/npm/node_modules/node-gyp/bin/node-gyp.js" "rebuild"
gyp ERR! cwd /Users/primary/Projects/Tools/bytecode-verifier/node_modules/scrypt
gyp ERR! node -v v10.16.0
gyp ERR! node-gyp -v v3.8.0
gyp ERR! not ok
npm ERR! code ELIFECYCLE
npm ERR! errno 1
npm ERR! [email protected] install: `node-gyp rebuild`
npm ERR! Exit status 1
npm ERR!
npm ERR! Failed at the [email protected] install script.
npm ERR! This is probably not a problem with npm. There is likely additional logging output above.

npm ERR! A complete log of this run can be found in:
npm ERR!     /Users/primary/.npm/_logs/2019-12-26T16_01_12_629Z-debug.log

primary at primarys-MacBook-Pro in ~/Projects/Tools/bytecode-verifier (master●)
$ gco .
Updated 2 paths from the index

primary at primarys-MacBook-Pro in ~/Projects/Tools/bytecode-verifier (master)
$ npm i
npm ERR! path /Users/primary/Projects/Tools/bytecode-verifier/node_modules/websocket
npm ERR! code EISGIT
npm ERR! git /Users/primary/Projects/Tools/bytecode-verifier/node_modules/websocket: Appears to be a git repo or submodule.
npm ERR! git     /Users/primary/Projects/Tools/bytecode-verifier/node_modules/websocket
npm ERR! git Refusing to remove it. Update manually,
npm ERR! git or move it out of the way first.

npm ERR! A complete log of this run can be found in:
npm ERR!     /Users/primary/.npm/_log

Assertion failed: Cannot call unknown function compileJSON

I'm trying to verify bytecode of a contract with solc version 0.5.7 but getting the following error.

You've chosen: mainnet
? Enter compiler version. (e.g. v0.4.10+commit.f0d539ae). v0.5.7+commit.6da8b019


? Enter the contract file name. (e.g. MultiSigWalletWithDailyLimit.sol) NXMaster
.sol
? Enter the contract address on blockchain. (e.g. 0x851b7f3ab81bd8df354f0d7640ef
cd7288553419) 0x1cc712e2a9f77149c2eb3a4051b6dd63d71dbc4f
? 0 for not optimized, 1 for optimized. 1
Current working directory: /home/suraj/Thesis/test/smart-contracts/contracts
File being compiled and compared: NXMaster.sol
==========================================
Compiler Version: v0.5.7+commit.6da8b019
Compiling in progress, dude, please be patient and give me 15~30 sec ...
Assertion failed: Cannot call unknown function compileJSON, make sure it is exported
Assertion failed: Cannot call unknown function compileJSON, make sure it is exported

soljson-v0.5.7+commit.6da8b019.js:30
(Module.asmGlobalArg,Module.asmLibraryArg,buffer);var __GLOBAL__I_000101=Module["__GLOBAL__I_000101"]=asm["__GLOBAL__I_000101"];var __GLOBAL__sub_I_ABIFunctions_cpp=Module["__GLOBAL__sub_I_ABIFunctions_cpp"]=asm["__GLOBAL__sub_I_ABIFunctions_cpp"];var __GLOBAL__sub_I_ABI_cpp=Module["__GLOBAL__sub_I_ABI_cpp"]=asm["__GLOBAL__sub_I_ABI_cpp"];var __GLOBAL__sub_I_ASTJsonConverter_cpp=Module["__GLOBAL__sub_I_ASTJsonConverter_cpp"]=asm["__GLOBAL__sub_I_ASTJsonConverter_cpp"];var __GLOBAL__sub_I_AST_cpp=Module["__GLOBAL__sub_I_AST_cpp"]=asm["__GLOBAL__sub_I_AST_cpp"];var __GLOBAL__sub_I_ArrayUtils_cpp=Module["__GLOBAL__sub_I_ArrayUtils_cpp"]=asm["__GLOBAL__sub_I_ArrayUtils_cpp"];var __GLOBAL__sub_I_AsmAnalysis_cpp=Module["__GLOBAL__sub_I_AsmAnalysis_cpp"]=asm["__GLOBAL__sub_I_AsmAnalysis_cpp"];var __GLOBAL__sub_I_CompilerContext_cpp=Module["__GLOBAL__sub_I_CompilerContext_cpp"]=asm["__GLOBAL__sub_I_CompilerContext_cpp"];var __GLOBAL__sub_I_CompilerStack_cpp=Module["__GLOBAL__sub
abort("Assertion failed: Cannot call unknown function compileJSON, make sure it is exported"). Build with -s ASSERTIONS=1 for more info.

Contract File Link
EtherScan Link for above contract
You can see that the deployed version of the contract is an exact match of the contract file from the NexusMutual/smart-contracts repository, but the verifier still fails to verify it.

CC : @yxliang01

Verify inherited contracts

Hi, @AlexXiong97. Thanks for the great library.

As I understand it, when my contract imports other contracts, you verify only the contract that has the same name as the file. In this case the main contract may have many parents, and for every parent a swarm hash will be generated.

But I found that in your source code:

var ending_point = bytecode.search('a165627a7a72305820');

you don't check all of the bytecode after the first swarm hash.

Is that right?

For example, for this contract, you could check all of the bytecode (including parents) if you removed the whole swarm information instead of taking the substring before the first swarm hash.

Thanks a lot.
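
The issues "Another wrong swarm hash extraction out of the bytecode" and "Verify inherited contracts" above both involve bytecode that carries more than one metadata trailer. The following JavaScript is an added example, not code from bytecode-verifier or its authors: it locates every trailer, reads the contract's own swarm hash from the last one, and compares two bytecodes with only the hash bytes masked. It assumes the trailer layout that the a165627a7a72305820 marker belongs to (marker, 32-byte hash, 0029); all function names and the sample bytecode are constructed for illustration.

```javascript
// Added example, not code from bytecode-verifier.
// Assumed trailer layout: a1 65 "bzzr0" 58 20 <32-byte swarm hash> 00 29
const MARKER = 'a165627a7a72305820';
const HASH_LEN = 64;                               // 32 bytes as hex characters
const TRAILER_LEN = MARKER.length + HASH_LEN + 4;  // plus the "0029" length field

const normalize = (code) => code.toLowerCase().replace(/^0x/, '');

// Return every well-formed, byte-aligned metadata trailer in the bytecode.
function findMetadataTrailers(code) {
  const hex = normalize(code);
  const trailers = [];
  let pos = hex.indexOf(MARKER);
  while (pos !== -1) {
    const hashStart = pos + MARKER.length;
    const hash = hex.slice(hashStart, hashStart + HASH_LEN);
    const lengthField = hex.slice(hashStart + HASH_LEN, hashStart + HASH_LEN + 4);
    const wellFormed = pos % 2 === 0 && hash.length === HASH_LEN && lengthField === '0029';
    if (wellFormed) trailers.push({ hexOffset: pos, swarmHash: '0x' + hash });
    pos = hex.indexOf(MARKER, wellFormed ? pos + TRAILER_LEN : pos + 1);
  }
  return trailers;
}

// The contract's own swarm hash is the trailer that ends the bytecode.
function ownSwarmHash(code) {
  const hex = normalize(code);
  const last = findMetadataTrailers(hex).pop();
  if (!last || last.hexOffset + TRAILER_LEN !== hex.length) return null;
  return last.swarmHash;
}

// Zero the 32 hash bytes of every trailer so all remaining bytes are compared.
function maskMetadata(code) {
  let hex = normalize(code);
  for (const t of findMetadataTrailers(hex)) {
    const start = t.hexOffset + MARKER.length;
    hex = hex.slice(0, start) + '0'.repeat(HASH_LEN) + hex.slice(start + HASH_LEN);
  }
  return hex;
}

const sameCode = (a, b) => maskMetadata(a) === maskMetadata(b);

// Comparison that stops at the first marker, as described in the issue above.
function samePrefix(a, b) {
  const cut = (code) => {
    const hex = normalize(code);
    const i = hex.indexOf(MARKER);
    return i === -1 ? hex : hex.slice(0, i);
  };
  return cut(a) === cut(b);
}

// Constructed sample bytecode (not taken from any real contract).
const trailer = (hash) => MARKER + hash + '0029';
const build = (tail, embeddedHash, ownHash) =>
  '0x6060604052600080fd00' + trailer(embeddedHash) + tail + trailer(ownHash);
const onChain = build('60606040525b00', '11'.repeat(32), '22'.repeat(32));
const local = build('60606040525b00', '33'.repeat(32), '44'.repeat(32));
const altered = build('60606040525bff', '33'.repeat(32), '44'.repeat(32));

console.log(findMetadataTrailers(onChain).length, ownSwarmHash(onChain));
console.log(sameCode(onChain, local), sameCode(onChain, altered), samePrefix(onChain, altered));
```

In the constructed sample, the altered bytecode differs only after the first trailer, so the prefix comparison reports a match while the masked comparison reports a mismatch.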
