🚀 Feature Request Description
Integrate bytecode verification status display in the explorer to show warnings when source code doesn't match deployed bytecode.
Is your feature request related to a problem? Please describe your use case.
The explorer currently displays source code from PackageRegistry without verifying that it matches the deployed bytecode. This creates a security vulnerability where malicious actors can provide fake source code that doesn't match what's actually running on-chain, misleading users into thinking they're viewing the actual contract code.
Impact:
- High: Users cannot trust the source code displayed in the explorer
- Exploit: Deployers can publish contracts with intentionally misleading source code
- User Risk: Developers and auditors may make decisions based on incorrect source code
Expected Behavior
Describe the solution you would like
- Explorer should query node verification status before displaying code
- If verification is enabled and passes (verified: true): Show code normally
- If verification is enabled and fails (verified: false): Show code with warning
- If verification is disabled or unavailable: Hide code with appropriate message
The explorer should integrate with the node-side bytecode verification API endpoint:
GET /v1/accounts/{address}/modules/{module_name}/verification_status
- Query verification status before displaying source code
- Display appropriate warnings or hide code based on verification results
- Provide clear user feedback for all states (loading, verified, failed, disabled)
Additional context
Current Behavior:
- Explorer fetches source code from PackageRegistry metadata and displays it directly
- No verification mechanism exists to check if source matches bytecode
- Users see a disclaimer but code is still shown without verification
Solution:
This issue is addressed by a PR that integrates the bytecode verification API endpoint into the explorer UI.
Testing:
A test setup is available at analysis-explorer-vulnerability that demonstrates:
- Valid contract with matching source/bytecode
- Invalid contract with mismatched source/bytecode
Are you willing to open a pull request? (See CONTRIBUTING)
Yes, a pull request is ready that implements this feature.
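The display states requested above, as an added example that is not the code from the pull request: a fail-closed mapping from the verification_status response to what the explorer renders. Only the endpoint path and the `verified` field come from the issue; the `enabled` field, the function names and `DisplayState` are assumptions made for illustration.

```javascript
// Added example, not the explorer's own code.
// Assumed response shape: { enabled: boolean, verified: boolean }.
// `verified` appears in the issue; `enabled` is a hypothetical field name.
const DisplayState = Object.freeze({
  VERIFIED: "show_code",
  MISMATCH: "show_code_with_warning",
  UNAVAILABLE: "hide_code",
});

// Pure decision function so it can be unit-tested without a node.
function decideDisplay(httpOk, body) {
  // Anything other than a well-formed object hides the code.
  if (!httpOk || body === null || typeof body !== "object") {
    return DisplayState.UNAVAILABLE;
  }
  if (body.enabled !== true) return DisplayState.UNAVAILABLE;
  // Strict comparison: the string "true" or a truthy 1 must not count as verified.
  if (body.verified === true) return DisplayState.VERIFIED;
  if (body.verified === false) return DisplayState.MISMATCH;
  return DisplayState.UNAVAILABLE;
}

// Path from the issue; address and module name are encoded so they cannot
// alter the request path.
function verificationUrl(baseUrl, address, moduleName) {
  return `${baseUrl}/v1/accounts/${encodeURIComponent(address)}` +
    `/modules/${encodeURIComponent(moduleName)}/verification_status`;
}

// Network errors, non-2xx responses and bad JSON all resolve to "hide code".
async function getDisplayState(baseUrl, address, moduleName, fetchImpl = fetch) {
  try {
    const res = await fetchImpl(verificationUrl(baseUrl, address, moduleName));
    const body = res.ok ? await res.json() : null;
    return decideDisplay(res.ok, body);
  } catch {
    return DisplayState.UNAVAILABLE;
  }
}
```

The loading state is whatever the UI shows while `getDisplayState` is pending; source code should stay hidden until the promise resolves.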