Smart Contract Verification

About Juno

Juno is a permissionless smart contract chain in the Cosmos ecosystem. Juno is an ecosystem unto itself with tooling for DAOs, NFTs, DeFi and all sorts of dApps.

  1. finding the most likely commit from the contract github repo and building into .wasm
  2. converting .wasm files to wat files or comparing hashes
  3. repeating steps 1–3 until a matching commit and compiler settings are found

Previous approaches focused on comparing hashes

Why not just hashes instead of WAT?

Hashes don’t provide insight into where differences in contracts lie, and may be affected by optimizations applied to the resulting compiled contract. WAT can guide you towards the commits in repo with dependency changes and other key signals to help understand why a hash may not be matching and where to check next.


Getting the contract on-chain

to get a contract on chain you can use an rpc query from the cosmos sdk equivalent for the chain you are using (wasmd, junod etc)

  1. write down the id column of mintscan Id this is the wasm code , this code increments for every new contract so a new contact should have one of the largest codes
  2. write down the created timestamp
  3. write down Contract name field
  4. ensure that you know who the Creator address belongs to


Building wasm from repo

  1. find the code repo or be given access to the repo if its a private code repo
  2. follow the steps in to produce wasm (summarized below )
  • run %sudo docker run — rm -v “(pwd)”:/code −−mounttype=volume,source=”(basename “$(pwd)”)_cache”,target=/code/target
    — mount type=volume,source=registry_cache,target=/usr/local/cargo/registry
  • cd into artifact folder in root of the github repo
  • the compiled .wasm file should be within
  • a cargo.toml should be in the folder
  • make sure you are in the right contract folder with the right commit if the project has multiple contracts
  • if you build on a different commit than deployed you may see a different version built
  • if the contract was deployed a long time a go try to determine the commit(possibly release) that was used when the contract was deployed.
  • if the contract was deployed recently than the latest commit on the main repo branch is the likey one to use or the latest release if one is provided
  • if the contract was built without an optimzer or different compiler settings than the files will not match completely

Verify Contract Matching

We have 3 options:

Check the hash

  1. check the hash (sha-256) of the wasm files ( if the checksum matches we have a winner)
  2. check the creator address of the contract
  3. covert wasm to wat and look at the differences between the files (git diff)
  4. checking hash
  • $HASHONCHAIN = sha256sum WAGMI_ONCHAIN.wasm
  • diff <(echo “HASHSOURCE”)<(echo”HASHONCHAIN”)>

Check the creators address

Ask the following questions of the creator address to see if any red flags stand out:

  • Are you familiar with the creator address?
  • Have others used contracts from this creator address before?

Convert wasm to wat

  • select .wasm file
  • copy and paste .wat output into new text file in editor and save as WAGMI_ONCHAIN.wat

Analyzing WAT Files

  • run git diff --no-index --unified=0 WAGMI_ONCHAIN.wat WAGMI_SOURCE.wat
  • if there is no output response than the files are the same , you can check the command against 2 paths to the same file to verify this
  • if there is output you will see the highlighted difference and can exit the terminal by pressing esc and than q
  • upgrading dependencies
  • difference in commit used for building the contract
  • bad actor trying to slip in a dangerous update

Binary authorization and transparent builds

If you must be 100% sure the contract you are using is the correct one than you must prove that the CosmWasm contract source code matches the on chain wasm, and that it is indeed authored by the repo owner.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store