Releases: ethereum/sourcify
v2.5.0
What's Changed
- Fix Puppeteer scraping errors
- Split IPFS into two containers: gateway and server.
- Add Base mainnet (8453) by @mdehoog in #1112
- add chain 212 by @mapdev33 in #1109
- add new chain for 22776 by @mapdev33 in #1113
- Protect create2 verification with an auth0 authentication by @marcocastignoli in #1090
- New Chains:
- Base Mainnet (8453)
- MAP Testnet Makalu (212)
- map-relay-chain Mainnet (22776)
New Contributors
Full Changelog: v2.4.0...v2.5.0
v2.4.0
What's Changed
- Implement logging for LibSourcify by @marcocastignoli in #1082
- Removing web3js in favor of ethers @kuzdogan in #1083
- Blockscout scraping and use
c8
instead ofnyc
by @kuzdogan in #1092 - Change local rpc by @kuzdogan in #1101
- added dex.guru to powered by section by @NemeZZiZZ in #1081
- Catch auxdata decode error when checking for perfect match by @sealer3 in #1105
- New Chains:
- UPTN Mainnet (6119)
- Kava Mainnet (2222)
- Ethereum Classic (61)
- Filecoin Mainnet (314)
- Zilliqa EVM (32769)
- Zilliqa Tesnet EVM (33101)
- Kava Tesnet (2221)
- Siberium (111000)
New Contributors
- @NemeZZiZZ made their first contribution in #1081
- @dfenstermaker made their first contribution in #1063
- @0xRaghu made their first contribution in #1087
- @ksandr84on made their first contribution in #1077
- @kmadorin made their first contribution in #1095
- @JamesHinshelwood made their first contribution in #1096
- @siberiumsourcify made their first contribution in #1093
- @sealer3 made their first contribution in #1105
Full Changelog: v2.3.1...v2.4.0
v2.3.1
- Add Hardhat and Ganache local networks when not running on NODE_ENV=production.
- New Chains:
- Rollux Mainnet (570)
- Rollux Testnet (5700)
- Fix Matomo URLs
- Persist Loki and Prometheus data
- Fix monitor logging
What's Changed
- Add Rollux by @fernando-syslabs in #1076
New Contributors
- @fernando-syslabs made their first contribution in #1076
Full Changelog: v2.3.0...v2.3.1
v2.3.0
What's changed
- Controller refactoring: Refactored the controller code to split into smaller pieces, as the single
VerificationController
was difficult to manage and navigate. Add openAPI documentation for the API. Also validate the API requests through the openAPI specification usingexpress-openapi-validator
.- New Swagger API Docs available at https://sourcify.dev/server/api-docs/
- Fix #1071 prevent overriding already verified contract
- New chains:
- Zora (7777777)
- Update Loki config
PRs
- Controller refactoring by @marcocastignoli in #1033
- Add zora chain mainnet 7777777 by @iainnash in #1064
- Update logging by @kuzdogan in #1072
New Contributors
Full Changelog: v2.2.4...v2.3.0
v2.2.4
- Update chain 7001 test
- Accept update-chain-xxx branch name for chain tests
- Add Promtail config to push nginx logs to Loki
What's Changed
- update-chain-7001 -- New RPC endpoints and test contracts for ZetaChain Athens3 Testnet by @CharlieMc0 in #1051
- Nginx grafana by @kuzdogan in #1060
- Quick Release by @kuzdogan in #1061
Full Changelog: v2.2.3...v2.2.4
v2.2.3
- New Chains
- Bitkub (96)
- Cronos (25)
- Elysium Mainnet (1339)
- Taiko Alpha v3 (167005)
- Update Symplexia (1149) test contracts
- Fix lerna bootsrap failing in CI
- Add cronoscan in Etherscan tests
- Fix Moonbeam scan test
What's Changed
- Add chain 25925 (Bitkub Chain Testnet) by @ppanya in #1046
- Add chain 96 (Bitkub Chain) by @ppanya in #1047
- Add Cronos Chain 25 by @crmax-it in #1049
- Add Elysium Mainnet chain by @aqeelVaival in #1055
- Update_Chain_1149 by @symplexialabs in #1057
- Release by @kuzdogan in #1058
New Contributors
- @ppanya made their first contribution in #1046
- @crmax-it made their first contribution in #1049
- @aqeelVaival made their first contribution in #1055
Full Changelog: v2.2.2...v2.2.3
v2.2.2
Release v2.2.1
What's Changed
- Fix Matomo configs after migration
- Fixes for chain verification tests
- New chains:
- Dogechain (2000)
- Symplexia Smart Chain (1149)
- Turned off support for chains:
- POA Sokol (77)
- Boba Rinkeby (28)
- Candle (534)
- Darwinia Pangolin (43)
- Gather Devnet (486217935)
- Crystaleum (103090)
- POA Core (99)
- Astar (592)
- Gnosis Chiado (10200)
- Flare (14)
- Optimism Bedrock Alpha (28528)
Note that on the prev PR named Release v2.2.1, the commit tag was not generated and no release was actually done.
Pull requests
- Throw before if compiled bytecode empty instead of later in creation bytecode by @kuzdogan in #1022
- Add Symplexia Smart Chain (1149) by @symplexialabs in #1007
- Fix for chain verification tests by @kuzdogan in #1031
- add-chain-2000 (dogechain) by @oliviachef in #1039
New Contributors
- @symplexialabs made their first contribution in #1007
- @oliviachef made their first contribution in #1039
Full Changelog: v2.2.0...v2.2.1
Release 2.2.0
What's Changed
Features
- Verification with Standard JSON Input
- Added support for new chains (295, 7668, 7672, 888, 999, and 7701)
- Implemented a complete Metadata type
- Generate variations of the metadata file in partial match to reach a full match
- Added "Lookup Another" button in Lookup result
- Add server monitoring capabilities to Grafana
- Added GitHub star button
Fixes
- Etherscan metadata variations
- Fix EventManager fails if listeners are not set
- Update h5ai-nginx submodule to the latest version
- Fix how the UI handles non-checksummed addresses
- Reorder the metadata object before generating the variations
- Add test for not alphabetically sorted metadata
- Disable chainId 51 getCreatorTx test
- Re-enable SourcifyEventManager's listeners
- Add a repository link to the create2 verified contracts
- Use checkSupportedChainId instead of checkChainId for contract verification
- Update typescript and typedoc in lib-sourcify
- Handle libraries with call protection
- Add nginx exporter for Prometheus
- Improve the function to sanitize path at storeSources
- Display the create2 repo link only for create2 results
- Fix abitype req. typescript v5+
- Show error on bad Etherscan req
- Change OPTIMISTIC_ETHERSCAN to OPTIMISMSCAN
- Revert accidentally setting sed to gsed
- Fix matchWithCreationTx by decoding the constructor arguments
- Test for paths in metadata containing multiple ../
- Fix linter errors and warnings
Fixed vulnerabilities
Thanks to @Hellobloc for reporting the following vulnerabilities.
Path traversal vulnerability when storing contracts
Summary
When the file path is saved with ../ as prefix, the file is potentially saved in other locations in the repository.
Example
Solution
The solidity compiler collapses all the /../
components in the path, the same algorithm was implemented in Sourcify to fix the path traversal vulnerability.
Malicous creation bytecode bypass the startsWith check in matchWithCreationTx
Summary
The start_with vulnerability enables arbitrary source code verification.
When comparing Creation Code, bytecode comparison is performed using the start_with function. This is designed to facilitate source code validation when constructor arguments are present.
However, relying solely on start_with for source code validation without verifying constructor arguments can introduce risks.
In particular, it is possible to create contract source code without compilation results by utilizing abstract and interface contracts. Such source code can pass the start_with check for any contract bytecode.
Example
https://github.com/Hellobloc/verify/tree/test_start_with
https://repo.staging.sourcify.dev/contracts/partial_match/5/0x5ea1E75790b86C4c5Db5e7c7A1fa14d683D50Cfe/sources/contracts/
Solution
This problem is solved by decoding the rest of the bytecode after startsWith
assuming it is the ABI encoded constructor arguments part. If the decoding fails, an error is thrown.
PRs
- Etherscan metadata variations by @kuzdogan in #976
- Fix how the ui handles non-checksummed addresses by @marcocastignoli in #990
- add-chain-999 by @lolieatapple in #993
- Add chain 888 by @lolieatapple in #995
- Verification with Standard JSON Input by @kuzdogan in #980
- Add chain 7668 by @aidan-starke in #1004
- Add chain 7672 by @aidan-starke in #988
- Implement a complete Metadata type by @marcocastignoli in #1001
- Re-enable SourcifyEventManager's listeners by @marcocastignoli in #1003
- Add chain 7701 by @tster in #1005
- Handle libraries with call protection by @marcocastignoli in #1000
- Add chain 295 (Hedera Mainnet) by @svienot in #1009
- Release by @marcocastignoli in #1016
New Contributors
- @lolieatapple made their first contribution in #993
- @aidan-starke made their first contribution in #1004
- @tster made their first contribution in #1005
- @svienot made their first contribution in #1009
Full Changelog: v2.1.1...v2.2.0
Release 2.1.1
What's Changed
Removed verification through simulation because of the potential vulnerability to "hijack" a contract verification by embedding the deployed bytecode inside the constructor in assembly.
Thanks to @Hellobloc and @samczsun for reporting the following vulnerabilities.
Fixed vulnerability
Summary
Given a partial or unverified contract, it is possible to "fully verify" any contract by just returning the deployed (onchain) bytecode of the contract inside the constructor in assembly. The verified source file would then not contain the original source file but just a few lines of code with the raw deployed bytecode.
Example
- Given a partial match on Sourcify (you can use Import from Etherscan for
0x345a7c9325E7145CA7E8aafabf474361E6c674D5
on Goerli) - Download this repo: https://github.com/Hellobloc/verify
- Edit the file
final2.sol
as follows
pragma solidity ^0.5.10;
contract Deployer {
constructor() public {
bytes memory bytecode = hex'6080604052348015600f57600080fd5b506004361060285760003560e01c8063d1524f7414602d575b600080fd5b60336075565b604051808273ffffffffffffffffffffffffffffffffffffffff1673ffffffffffffffffffffffffffffffffffffffff16815260200191505060405180910390f35b6000809054906101000a900473ffffffffffffffffffffffffffffffffffffffff168156fea265627a7a72315820b59b9ccfbe01c3596a27c9bf3fc5728c39c25d61c263777e6e6a96dbb69a677a64736f6c63430005110032';
assembly {
return (add(bytecode, 0x20), mload(bytecode))
}
}
}
- Generate the keccak256 of that file and update the keccak256 field of
final2.sol
in the metadata.json - Use Sourcify's API to verify the contract
Explanation
The function verifyDeployed tries to verify the contract with different methods, in order:
matchWithDeployedBytecode
: compare the deployed runtime bytecode with the recompiled runtime bytecodematchWithSimulation
: execute the recompiled creation bytecode on an EVM (hence "simulation"), which will produce a runtime bytecode and compare it with the deployed onematchWithCreationTx
When using Sourcify's API to verify the ´Hellobloc/verify´ contract:
matchWithDeployedBytecode
fails because recompiled runtime bytecode and the onchain runtime bytecode differ:
recompiled runtime bytecode:
0x6080604052600080fdfea265627a7a72315820ff612b856b9428c30f2fecfa6f13c7a7ee8d459a3c22f6c8a900e7a0459aba5f64736f6c63430005110032
onchain runtime bytecode:
0x6080604052348015600f57600080fd5b506004361060285760003560e01c8063d1524f7414602d575b600080fd5b60336075565b604051808273ffffffffffffffffffffffffffffffffffffffff1673ffffffffffffffffffffffffffffffffffffffff16815260200191505060405180910390f35b6000809054906101000a900473ffffffffffffffffffffffffffffffffffffffff168156fea265627a7a72315820b59b9ccfbe01c3596a27c9bf3fc5728c39c25d61c263777e6e6a96dbb69a677a64736f6c63430005110032
matchWithSimulation
succeed because it actually produces the same runtime bytecode as the deployed runtime bytecode
Solution
We've considered several solutions:
- If during
matchWithDeployedBytecode
we find that the length of the “trimmed” part of runtime bytecode differs then we are probably sure that the contract is neither a partial or a perfect match.- We don’t solve the issue because a malicious code could force the length to be the same.
- Checking the equivalence of the metadata hash after a perfect match.
- This case makes use of this fact: the malicious file that generated a "perfect bytecode" needs a fake metadata (recall we modified the
keccak256
above). Till now we assumed that if the compiler generated a "perfect runtime bytecode" then it was also true that the provided metadata was the correct one, but that's not the case. In this case, because assembly code is utilized, the "simulation" returns a "perfect runtime bytecode" but in fact the metadata hash of the metadata JSON, output from the recompilation is different than what's in the onchain CBOR encoded part. - However this method is not resolved for partial matches.
- **Remove
matchWithSimulation**
The vulnerability comes from this functionality. We were already considering removing this verification as with the recent addition ofimmutableRefences
to verification, we wouldn't need alternative verifications for contracts with immutables.
We decided to comment out matchWithSimulation
type verification and eventually remove it from the codebase.
Full Changelog: v2.1.0...v2.1.1