Component
Forge
Have you ensured that all of these are up to date?
What version of Foundry are you on?
1.5.1-stable
What version of Foundryup are you on?
0.3.3
What command(s) is the bug in?
forge verify-bytecode
Operating System
macOS (Apple Silicon)
Describe the bug
Expectation
forge verify-bytecode command compiles a specified contract locally, then compares locally generated bytecode with the onchain bytecode.
Actual behaviour
Currently, if one tries to verify a contract deployed to a blockchain, but not verified in any block scanners, the verify-bytecode command will fail:
- Either with
Error: Error fetching creation data from verifier-url: InvalidApiKey
- Or, if API key is provided,
Error: Contract source code not verified: 0x...
This is confirmed by a quick look into the source code: at least constructor args, contract name, compilation metadata are being unconditionally fetched from a block scanner, expecting it to be there. While I understand that it might be helpful for debugging (to e.g. suggest that some compilation settings are incorrectly set locally) or for identifying additional problems (locally compiled bytecode match external one, but verified contract name is different), it's not very helpful that those additional actions can't be disabled/ignored.
Proposed mitigation
Ideally, make those additional checks optional (warning-style) or add new --ignore-... flag to skip those checks. The goal is to be able to verify bytecode without any external services, based only on a locally available configuration.
Component
Forge
Have you ensured that all of these are up to date?
What version of Foundry are you on?
1.5.1-stable
What version of Foundryup are you on?
0.3.3
What command(s) is the bug in?
forge verify-bytecode
Operating System
macOS (Apple Silicon)
Describe the bug
Expectation
forge verify-bytecodecommand compiles a specified contract locally, then compares locally generated bytecode with the onchain bytecode.Actual behaviour
Currently, if one tries to verify a contract deployed to a blockchain, but not verified in any block scanners, the
verify-bytecodecommand will fail:Error: Error fetching creation data from verifier-url: InvalidApiKeyError: Contract source code not verified: 0x...This is confirmed by a quick look into the source code: at least constructor args, contract name, compilation metadata are being unconditionally fetched from a block scanner, expecting it to be there. While I understand that it might be helpful for debugging (to e.g. suggest that some compilation settings are incorrectly set locally) or for identifying additional problems (locally compiled bytecode match external one, but verified contract name is different), it's not very helpful that those additional actions can't be disabled/ignored.
Proposed mitigation
Ideally, make those additional checks optional (warning-style) or add new
--ignore-...flag to skip those checks. The goal is to be able to verify bytecode without any external services, based only on a locally available configuration.