Releases: ethereum/sourcify

v2.1.0

19 Apr 15:58
ec2ac91

What's Changed

  • Added basic test coverage
  • Fix: Handling Etherscan contracts with multiple sources
  • Use the respective solc binary according to the platform, save binaries locally
  • Update Etherscan chains
    • Users can now import contracts from other Etherscan instances: Polygonscan, Snowtrace etc.
  • Make use of immutableReferences on verification
    • This lets us verify contracts with immutables very often without needing alternative methods such as looking at the creatorTxHash or "simulation"
  • Fix addLibraryAddresses potential vulnerability with regex.

Fixed vulnerability

Thanks to @Hellobloc and @samczsun for reporting the vulnerability.

addLibraryAddress RegExp vulnerability

Risk Description

Previously the following code was used to replace libraryAddresses.

export function addLibraryAddresses(
  template: string,
  real: string
): {
  replaced: string;
  libraryMap: StringMap;
} {
  const PLACEHOLDER_START = '__$';
  const PLACEHOLDER_LENGTH = 40;

  const libraryMap: StringMap = {};

  let index = template.indexOf(PLACEHOLDER_START);
  for (; index !== -1; index = template.indexOf(PLACEHOLDER_START)) {
    const placeholder = template.slice(index, index + PLACEHOLDER_LENGTH);
    const address = real.slice(index, index + PLACEHOLDER_LENGTH);
    libraryMap[placeholder] = address;
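    // Only the first "__$" and "$__" are escaped; every other character of
    // the placeholder reaches RegExp unescaped.
    const regexCompatiblePlaceholder = placeholder
      .replace('__$', '__\\$')
      .replace('$__', '\\$__');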
    const regex = RegExp(regexCompatiblePlaceholder, 'g');
    template = template.replace(regex, address);
  }
  return {
    replaced: template,
    libraryMap,
  };
}

The code located the library placeholders in the bytecode by searching for __$ and built a regular expression from each placeholder.
But note that not all compiler versions use the hash of the library name as a placeholder. For example, Solidity 0.4 uses a placeholder of the form __{Path:FileName}__.

https://i.imgur.com/BTSFsmO.png

This allows a malicious user to manipulate regular expressions, which in turn allows other parts of the bytecode to be marked as a library address.

Example

As with the risks mentioned above, we can achieve arbitrary regular expression tampering by changing the file name of the library contract.
An example is the following:

pragma solidity ^0.4.0;
import "./$.{37}|2{40}|cantbematchedcharacters__";
contract A {
    address constant public a = address(0x2222222222222222222222222222222222222222);
    uint public b;
    function cc() public{
        b = L_.get4();
    }
}

In the above code, a regular expression is written in the filename and the expression appears in the generated bytecode and is adopted by the addLibraryAddresses function.

https://i.imgur.com/gpsm01V.png

This regular expression will first replace itself, and then look for 22...22 to do the same. Here 2{40} can also be modified to 5b.{...} to perform arbitrary replacements of executable bytecode.

A real attack case (0x4AD29c9716569f3c466BB123Efdd0B9B43207dE1 on Goerli) was constructed.

https://i.imgur.com/vU5KhnD.png

https://i.imgur.com/gwNwRLR.png

The tampering of constants in the above case is possible. Of course, executable bytecode tampering is also possible, simply by changing 2{40} to 5b.{...}, and writing the L_ address to the bytecode we want.

DoS Attack

In addition to performing bytecode tampering, one can also perform a DoS attack on Sourcify. Specifically, one can design a regular expression that will not have any matches in the bytecode, resulting in __$ not being replaced, which in turn makes addLibraryAddresses loop forever.

Solution

We replaced the regex-based replacement with a simple string match on __ in the bytecode, and each placeholder is now replaced as a fixed-length span (40 chars = 20 bytes).
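
The fix described above, sketched in TypeScript as an added example (not Sourcify's own code): placeholders are found with a plain string search and spliced by offset, so nothing taken from the bytecode is ever compiled into a RegExp. The names linkLibraries, repeatChar, CRAFTED and LIB and the sample bytecode are assumptions constructed for illustration.

```typescript
// Added example: position-based library linking, no RegExp built from bytecode.
type StringMap = { [placeholder: string]: string };

const PLACEHOLDER_START = "__";
const PLACEHOLDER_LENGTH = 40; // 40 hex chars = 20-byte address
const HEX_ADDRESS = /^[0-9a-fA-F]{40}$/; // fixed pattern, never input-derived

function linkLibraries(
  template: string,
  real: string
): { replaced: string; libraryMap: StringMap } {
  const libraryMap: StringMap = {};
  let replaced = template;
  let index = replaced.indexOf(PLACEHOLDER_START);
  while (index !== -1) {
    const end = index + PLACEHOLDER_LENGTH;
    const placeholder = replaced.slice(index, end);
    const address = real.slice(index, end);
    if (!HEX_ADDRESS.test(address)) {
      throw new Error("no 20-byte hex address at offset " + index);
    }
    libraryMap[placeholder] = address;
    // Splice at this offset only; the placeholder text is never interpreted.
    replaced = replaced.slice(0, index) + address + replaced.slice(end);
    // Resume after the spliced span, so every pass makes progress.
    index = replaced.indexOf(PLACEHOLDER_START, end);
  }
  return { replaced, libraryMap };
}

function repeatChar(ch: string, n: number): string {
  let s = "";
  for (let i = 0; i < n; i++) s += ch;
  return s;
}

// Constructed sample (not real bytecode): the 0.4-style placeholder from the
// example above, followed by a PUSH20 of the 0x22..22 constant.
const CRAFTED = "__$.{37}|2{40}|cantbematchedcharacters__";
const LIB = repeatChar("a", 40); // hypothetical deployed library address
const template = "608073" + CRAFTED + "6373" + repeatChar("2", 40) + "00";
// On-chain code that differs from the source: the constant slot holds LIB.
const onChain = "608073" + LIB + "6373" + LIB + "00";

const result = linkLibraries(template, onChain);
// Only the placeholder offset changed; the constant is intact, so the
// recompiled code does not equal the on-chain code and verification fails.
const verified = result.replaced === onChain;
console.log({ verified, libraries: result.libraryMap });
```

The search offset advances by 40 characters on every pass, so the loop ends for any placeholder content.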

Full Changelog: v2.0.0...v2.1.0

v2.0.0

13 Mar 10:57
1d7c791

This is the release for the v2 of Sourcify. It is a MAJOR release because of the significant changes to the codebase. The server API does not have breaking changes but has additions.

  • Codebase refactoring with lib-sourcify library:
    • Removes the old npm packages @ethereum-sourcify/core -verification and -validation.
    • Maintain the main verification functionality in a reusable package @ethereum-sourcify/lib-sourcify, including types etc.
  • Fix Etherscan regex for the new Etherscan
  • Fix created contract address calculation with the nonce
  • Add monitoring support to Meter Network
  • Use local IPFS gateway in tests instead of ipfs.io/ipfs
  • Add creatorTxHash parameter to verification API
  • New Chains:
    • Bear Network Chain Mainnet #641230
    • Base Goerli Testnet #938

Full Changelog: v1.2.2...v2.0.0

v1.2.2

17 Feb 07:44
fdc30f3

Full Changelog: v1.2.1...v1.2.2

v1.2.1

15 Feb 09:33
84663e8

Full Changelog: v1.2.0...v1.2.1

v1.2.0

11 Jan 16:28
fb36eae
  • Changes to the ipfs node config to improve performance
  • Change how local node URLs are added to sourcify-chains
  • Require tests to pass to build and deploy server&monitor on CI
  • Emit events with EventManager and log events onto console and to a Grafana dashboard
  • Verification with simulation: Capability to verify contracts by executing the creation bytecode on an EthereumJS instance with additional contextVariables, i.e. msgSender and abiEncodedConstructorArguments. This enables verifying contracts that are created by a factory contract and contain immutables.
  • Add contract-call-decoder as a package
  • Fix create2 verification logic
  • Handle nightly compiler CBOR encodings 1267f21 and inconsistent compiler version naming cee9d72
  • New chains:
    • Dexalot Mainnet #432204
    • Oasis Emerald Mainnet #42262
    • Oasis Emerald Testnet #42261
    • Oasis Sapphire Testnet #23295
    • Update Celo Mainnet contractFetchAddress 3069c98

Full Changelog: v1.1.0...v1.2.0

v1.1.0

21 Nov 13:44
d318763
  • create2
  • import from contract
  • repository now rewrites url
  • added chains (8217, 10200, 336, 28428)
  • npm script to update chains
  • bytecode-utils
  • typescript strict null check

v1.0.1

09 Nov 08:31
258968d

The release includes:

  • add chain 592, 1001
  • ui fixes for mobile
  • remove kovan and ropsten support for both L1 and L2

v1.0.0

19 Oct 15:28
6d40731

Initial release for Sourcify.

Sourcify is a Solidity source code and metadata verification tool and repository, and acts as a base layer allowing other tools to build on top of it. We aim to keep as much smart contract metadata and verified source code as possible open and available via IPFS, and to facilitate an improved smart contract UX with verified sources and decoded transactions.

The release includes:

  • Server
  • Monitor
  • UI
  • Repository
  • external services: IPFS, s3
  • packages
    • verification
    • validation
    • core

https://sourcify.dev