To increase decentralization, it would be great to have a verified repository of smart contract source code. Due to the metadata being part of the bytecode, we should have everything that is needed to actually perform the verification. This repository could be an actual repository on GitHub, where people can create pull requests to have their smart contract code compiled and verified. There could be a CI job that does the verification as follows:
- fetch the bytecode from the chain via infura or another service
- install the correct compiler version using npm
- only flag the PR green if the compilation output matches the bytecode
If the directory name is the address of the contract, the source code should be easy to find, even if multiple such repositories exist across GitHub or other services.
If such a checker script is in place, people (or wallets) can get extra security by running the checker locally before making a transaction. A wallet could even extract the ABI and NatSpec information from the metadata.
There are at least two problems to overcome:
- a pull request should not be allowed to modify the checking routine.
- to make proper source verification, you have to compare the creation bytecode, not the deployed bytecode.
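As an added example that is not part of the original post: the comparison step of such a checker, matching the creation bytecode taken from the deployment transaction against solc's compiled creation bytecode. It splits off the trailing CBOR metadata using its two-byte length suffix, so a result that differs only in the metadata hash is reported as a partial match rather than a failure, and returns the ABI-encoded constructor arguments that follow the code. The sample bytecode and hashes are constructed; the layout assumed (metadata trailer at the end of the creation bytecode, constructor arguments appended after it, bzzr0-style trailer) is Solidity's.

```javascript
// Added example (not the original post's code). Compares on-chain creation
// bytecode with compiled creation bytecode, tolerating a differing metadata hash.

function strip0x(hex) {
  return hex.toLowerCase().replace(/^0x/, "");
}

// Split bytecode into the code part and the trailing metadata part.
// Assumption (Solidity convention): the last two bytes hold the metadata
// length in bytes, big-endian, not counting those two bytes themselves.
function splitMetadata(hex) {
  const bytecode = strip0x(hex);
  if (bytecode.length < 4) throw new Error("bytecode too short");
  const metaLen = parseInt(bytecode.slice(-4), 16);
  const cut = bytecode.length - (metaLen + 2) * 2;
  if (cut < 0) throw new Error("metadata length exceeds bytecode");
  return { code: bytecode.slice(0, cut), metadata: bytecode.slice(cut) };
}

// Returns "perfect" when the on-chain creation bytecode matches exactly,
// "partial" when only the metadata trailer differs (e.g. a different source
// path changes the metadata hash), and "mismatch" otherwise.
// Anything after the metadata is treated as ABI-encoded constructor arguments.
function matchCreationBytecode(onChainHex, compiledHex) {
  const onChain = strip0x(onChainHex);
  const { code, metadata } = splitMetadata(compiledHex);
  if (!onChain.startsWith(code)) return { status: "mismatch", constructorArgs: null };
  const onChainMeta = onChain.slice(code.length, code.length + metadata.length);
  const constructorArgs = onChain.slice(code.length + metadata.length);
  // Same trailer length expected for the same compiler version/hash type.
  if (onChainMeta.slice(-4) !== metadata.slice(-4)) return { status: "mismatch", constructorArgs: null };
  // ABI-encoded arguments are a whole number of 32-byte words (64 hex chars).
  if (constructorArgs.length % 64 !== 0) return { status: "mismatch", constructorArgs: null };
  const status = onChainMeta === metadata ? "perfect" : "partial";
  return { status, constructorArgs };
}

// Constructed sample data: a short code prefix plus a bzzr0-style metadata
// trailer (0x29 = 41 bytes of CBOR followed by the 2-byte length).
const CODE = "6080604052348015600f57600080fd5b50";
const META_PREFIX = "a165627a7a72305820";
const HASH_A = "11".repeat(32);
const HASH_B = "22".repeat(32);
const COMPILED = "0x" + CODE + META_PREFIX + HASH_A + "0029";
const ONCHAIN_PERFECT = COMPILED + "00".repeat(31) + "2a"; // one uint256 arg = 42
const ONCHAIN_PARTIAL = "0x" + CODE + META_PREFIX + HASH_B + "0029";
const ONCHAIN_BAD = "0x" + "6070" + CODE.slice(4) + META_PREFIX + HASH_A + "0029";
```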
What are the steps of verification? What are the rules that decide OK or BAD?