OpenZeppelin Blog

Improved Security Through Bytecode Verification - OpenZeppelin blog

Written by Stephen Webber | September 21, 2022

 

By design, decentralization presents the user with many scenarios that expect them to understand the technicalities involved with their interactions. Put plainly: “What will happen when I press this button?” Can the user make a fully informed decision, or are they forced to rely on assumptions? For both better security as well as smoother user interaction, it’s important to present the user with the information they need. 

Whether the user is a DAO member, a Governance administrator, or a signer on a team’s multisig wanting to approve or reject a change being proposed to a smart contract, one of the pain points is what to do when presented with that change proposal. It’s clear that they have the ability to approve or reject the proposed change, but how do they know what they are saying yes or no to? They should not be required to rest any assumptions on the engineers who submitted the proposal because doing so places undue liability on them, and would perpetuate a situation where users aren’t really empowered to flex their full agency in a decentralized ecosystem.

To address this fundamental issue, Defender now offers a bytecode validation feature for all users, performing basic checks on whether the on-chain data matches when paired with the relevant binaries. A signer is able to supply the build artifacts to verify it for themselves or (more likely), the developer who submitted the change proposal can include bytecode verification quite easily as a part of their existing CI/CD pipeline. This feature makes it easy for signers to know what they are signing for.

This Defender feature offers a big step forward in assisting users with compliance concerns, and there are several ways of making this happen.

Bytecode can be verified manually via the Defender Admin dashboard as well as programmatically using either the Admin client or Hardhat plugin. Either method can also be triggered via a Github Action to automate bytecode verification as a part of an existing deployment pipeline. 

Linked here is a walkthrough guide for how to implement this feature.

OpenZeppelin Defender automates smart contract operations, allowing developers to deliver high-quality products faster and with less risk. Defender is continually updated with new features in response to developer and market needs. Sign up for a free account now!