Epirus Substrate Explorer - Phase II
- Team Name: Web3 Labs Ltd
- Payment Address: 0xc905c448db9942c662fcb1680f3ecfcd0592409c
- Level: 3
Project Overview
This is an application for a follow-up grant for the Epirus Substrate Explorer that has been completed in the following delivery: https://github.com/w3f/Grant-Milestone-Delivery/pull/527
Overview
The main objective of this phase is to build a Metadata Registry service whose functions are (1) to verify Wasm contract source code and (2) to generate and store contract metadata and serve it through an API.
We will also evolve the Squid Ink processor and Explorer UI, systems developed in the first grant, to connect to the Metadata Registry. The Squid Ink processor will be responsible for decoding contract messages and events using the metadata retrieved from the Metadata Registry. The Explorer UI will display the decoded data, the verification status and the verified source code.
Project Details
The Metadata Registry is a standalone service that exposes a web-based API for use by other systems and implements these main features:
- Uploading of source code and reproducible build metadata for a given chain and code hash
- Building of source code according to reproducible build metadata and matching with on-chain pristine code for verification
- Building contract metadata descriptors from source code and reproducible build metadata
- Downloading contract artefacts by chain identifier and code hash
Source Code Verification
Block explorers supporting EVM smart contracts typically allow contract owners to upload source code for their contracts. Having the source code for a smart contract offers users insights into what the smart contract is doing under the hood, thus increasing transparency. However, the uploaded source code needs verification to ensure that no purposefully misleading source code is uploaded. In order to support this verification process, the ink! development team is implementing reproducible builds in ink! smart contracts (https://github.com/paritytech/cargo-contract/issues/525).
After discussions with the ink! team, we have determined that the process for verifying ink! smart contract source code will be as follows:
- The user uploads the source code and `.contract` file to the Metadata Registry.
- The Wasm bytecode in the uploaded `.contract` file is matched against the bytecode stored on-chain.
- Using build information stored in the `.contract` file, we build the source code to generate a new `.contract` file.
- If the generated `.contract` file matches the uploaded `.contract` file, the contract is marked as verified.
Security
The Metadata Registry is a public service that allows users to upload compressed archives, in zip or tar.gz format, to reproduce the build of their smart contracts.
We will carefully consider the potential security risks and address them in the service design or through secure technology choices.
The main security concerns identified for the service are:
- Prevent compression-related attacks (e.g. zip slip, recursive and non-recursive zip bombs)
- Cargo build sandboxing and access to required dependencies
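The compression-related concerns above, shown as pre-extraction checks on a zip upload. This is an added example, not part of the original application or of the Metadata Registry code; the limits, the names `validate_zip` and `UnsafeArchive`, and the policy of refusing nested archives outright are assumptions.

```python
import io
import stat
import zipfile

# Assumed limits for illustration; the proposal does not specify any.
MAX_ENTRIES = 2_000
MAX_TOTAL_BYTES = 50 * 1024 * 1024
MAX_RATIO = 100  # uncompressed / compressed, per entry
ARCHIVE_SUFFIXES = (".zip", ".tar", ".gz", ".tgz")


class UnsafeArchive(Exception):
    """Raised when an uploaded archive must be rejected before extraction."""


def validate_zip(data):
    """Return the member names of a zip upload, or raise UnsafeArchive."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        raise UnsafeArchive("not a valid zip") from exc
    infos = zf.infolist()
    if len(infos) > MAX_ENTRIES:
        raise UnsafeArchive("too many entries")
    total, names = 0, []
    for info in infos:
        name = info.filename.replace("\\", "/")
        parts = name.split("/")
        # Zip slip: absolute paths, drive letters, or ".." components.
        if name.startswith("/") or ":" in parts[0] or ".." in parts:
            raise UnsafeArchive(f"path traversal: {info.filename!r}")
        # Symlinks stored in the Unix mode bits can redirect later writes.
        if stat.S_ISLNK(info.external_attr >> 16):
            raise UnsafeArchive(f"symlink: {name!r}")
        # Recursive bombs: refuse nested archives rather than unpacking them.
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            raise UnsafeArchive(f"nested archive: {name!r}")
        # Non-recursive bombs: cap declared total size and per-entry ratio.
        total += info.file_size
        if total > MAX_TOTAL_BYTES:
            raise UnsafeArchive("uncompressed size over limit")
        if info.file_size > MAX_RATIO * max(info.compress_size, 1):
            raise UnsafeArchive(f"compression ratio: {name!r}")
        names.append(name)
    return names
```

The sizes checked here are the values declared in the archive headers, so the extraction step should also count bytes as it writes and stop at the same limits.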
Web API
Here is a draft of the Web API verbs.
Method | Path | Description |
---|---|---|
POST | /:chain_id/:code_hash | Upload source code and metadata files using multi-part form data |
GET | /:chain_id/:code_hash | Download contract information such as verification status and related resource paths. |
GET | /:chain_id/:code_hash/:resource_path | Download the file at resource path; this could be source code files or metadata files. |
Mock-ups
The view of the contract code page when the contract code has not been verified:
The view of the contract code page during the process of source upload:
View of contract code page for a verified contract code:
More details of verified contract source codes: