BadCoin - Veryfing the contract

BADCOIN.md

Intro

Let's investigate the Bad Contract deployed on the Neutron as seen here: https://neutron.celat.one/neutron-1/contracts/neutron1y6s52fuhnqtank3wjfgrkcvcp3t3anw6yj72jtk5alufy6ldwrxsa9nzkj code id: 559

Install Neutrod to query the chain

git clone https://github.com/neutron-org/neutron
cd neutron && git checkout v2.0.0
make install

Contract info

neutrond query wasm contract neutron1y6s52fuhnqtank3wjfgrkcvcp3t3anw6yj72jtk5alufy6ldwrxsa9nzkj --node https://neutron-rpc.publicnode.com:443

Output

address: neutron1y6s52fuhnqtank3wjfgrkcvcp3t3anw6yj72jtk5alufy6ldwrxsa9nzkj
contract_info:
  admin: ""
  code_id: "559"
  created:
    block_height: "5416932"
    tx_index: "579760"
  creator: neutron143wp6g8paqasnuuey6zyapucknwy9rhnld8hkr
  extension: null
  ibc_port_id: ""
  label: Bad Contract

Contract version

neutrond query wasm contract-state raw neutron1y6s52fuhnqtank3wjfgrkcvcp3t3anw6yj72jtk5alufy6ldwrxsa9nzkj 636F6E74726163745F696E666F --node https://neutron-rpc.publicnode.com:443 --output json | jq -r .data | base64 -d | jq

What in the world is 636F6E74726163745F696E666F? 😕 ContractInfo is must be stored under "contract_info" key which translates to "636F6E74726163745F696E666F" in hex format. As documented here.

{
  "contract": "crates.io:cw20-merkle-airdrop",
  "version": "0.14.2"
}

Downloading the Contract from the network

neutrond query wasm code 559 559_code.wasm --node https://neutron-rpc.publicnode.com:443

Getting the hash of the contract

sha256sum 559_code.wasm

Output

0a514d35b6759d5e448afcebe04f2ce33d1665dcf76f614d2a9d95fc3d3c63a9  559_code.wasm

Time to verify

Now we clone the the git clone https://github.com/CosmWasm/cw-tokens.git repo which conatisn the merkle-drop contract.

git clone https://github.com/CosmWasm/cw-tokens.git
cd cw-tokens

Build an optimized version of the contracts

Usually on Linux you would build it like this:

docker run --rm -v "$(pwd)":/code \                                                                        
  --mount type=volume,source="$(basename "$(pwd)")_cache",target=/code/target \
  --mount type=volume,source=registry_cache,target=/usr/local/cargo/registry \
  cosmwasm/workspace-optimizer:0.12.8

However I reached out to the BadCoin dev and he mentioned he used wasmpack to build the contract. So I did the same.

cargo install wasm-pack@0.12.1

Build

cd contracts/cw20-merkle-airdrop
wasm-pack build --target web --out-dir dist

I got this error so I had to add wasm-bindgen to the Cargo.toml file.

Error: Ensure that you have "wasm-bindgen" as a dependency in your Cargo.toml file:
[dependencies]
wasm-bindgen = "0.2"
Caused by: Ensure that you have "wasm-bindgen" as a dependency in your Cargo.toml file:
[dependencies]
wasm-bindgen = "0.2"

Ran it again and it worked, we now have the contract in the dist folder.

Let's verify the hash of the contract.

sha256sum dist/cw20_merkle_airdrop_bg.wasm

The hash of the contract is ca4f6766efad00a54cf553e6c76185b4905365c094d7c7ce6ff2d07ae7450cec and the hash of the downloaded contract from chain is 0a514d35b6759d5e448afcebe04f2ce33d1665dcf76f614d2a9d95fc3d3c63a9 so we can see that they are not the same.

Next steps is to figure out what platform the contract wa built on and make sure we are on the same platform ,currently I'm on a m1.

I'm trying to get more details on how the Binary was originally built, stay tuned but in the meantime if you want to run this on Linux that would be great. I ran this on M1 and I know the hashes do vary between OS.

Here is what I got building it on Ubuntu 22.04.3 LTS using your above Docker command.

8b7c74905b53fc0bf3de79d3832e3fc8ff9bcccbb18bce557e6df04dd49b4a60 cw20_merkle_airdrop.wasm

Here is what I got building with wasm-pack + adding wasm-bindgen to Cargo.toml...

2c68e044554866f38e2f6e9283da56f5c6eef535a5c344c40c0b29492eaa62ae dist/cw20_merkle_airdrop_bg.wasm

EDIT: Just adding that I did get the same hash result as you for the contract downloaded from chain.

0a514d35b6759d5e448afcebe04f2ce33d1665dcf76f614d2a9d95fc3d3c63a9 559_code.wasm

Here is what I got building it on Ubuntu 22.04.3 LTS using your above Docker command.

8b7c74905b53fc0bf3de79d3832e3fc8ff9bcccbb18bce557e6df04dd49b4a60 cw20_merkle_airdrop.wasm

Here is what I got building with wasm-pack + adding wasm-bindgen to Cargo.toml...

2c68e044554866f38e2f6e9283da56f5c6eef535a5c344c40c0b29492eaa62ae dist/cw20_merkle_airdrop_bg.wasm

EDIT: Just adding that I did get the same hash result as you for the contract downloaded from chain.

0a514d35b6759d5e448afcebe04f2ce33d1665dcf76f614d2a9d95fc3d3c63a9 559_code.wasm

so 0a514d35b6759d5e448afcebe04f2ce33d1665dcf76f614d2a9d95fc3d3c63a9 doing the wasm-pack build --target web --out-dir dist correct?

Thanks or checking!

so 0a514d35b6759d5e448afcebe04f2ce33d1665dcf76f614d2a9d95fc3d3c63a9 doing the wasm-pack build --target web --out-dir dist

No, pardon the confusion of my edit, not from building the contract.

Was just attempting to convey that the neutrond query wasm code 559 559_code.wasm --node https://neutron-rpc.publicnode.com:443 downloaded contract produce the same hash as you got.

This 👇 is what I got from doing the wasm-pack build --target web --out-dir dist

Here is what I got building with wasm-pack + adding wasm-bindgen to Cargo.toml...

2c68e044554866f38e2f6e9283da56f5c6eef535a5c344c40c0b29492eaa62ae dist/cw20_merkle_airdrop_bg.wasm

ok good to know!
I'll run it on a Linux machine today and double check.

I just tried on CentOS 9 on Digital ocean, installed all dev dependencies, go and everything under the sun. (note go must be 1.20.x)

Just checking code from contract since we alreyd have the has from chain binary.

sudo yum update -y
sudo yum install git -y
sudo yum groupinstall "Development Tools" -y
sudo yum install -y yum-utils
sudo yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo 
sudo yum install docker-ce docker-ce-cli containerd.io -y

curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
source $HOME/.cargo/env
export PATH="$HOME/.cargo/bin:$PATH"
source ~/.bash_profile
rustc --version
cargo --version

cargo install wasm-pack@0.12.1
cd ~/cw-tokens/contracts/cw20-merkle-airdrop
echo 'wasm-bindgen = "0.2"' >> ~/cw-tokens/contracts/cw20-merkle-airdrop/Cargo.toml
wasm-pack build --target web --out-dir dist
sha256sum dist/cw20_merkle_airdrop_bg.wasm

The hash is b2d20851d9f0d0806887a571e3d651d9530253aa2eb85ea385e9aaf38d369fe7 arg....

I'm reaching out to again to get exact OS specs.

ok I tried CentOS 7 with the official form from Badcoin posted here: https://github.com/xBadcoin/cw-tokens

sudo yum update -y
sudo yum install git -y
sudo yum groupinstall "Development Tools" -y

curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
source $HOME/.cargo/env
export PATH="$HOME/.cargo/bin:$PATH"
source ~/.bash_profile
rustc --version
cargo --version

git clone https://github.com/xBadcoin/cw-tokens
cargo install wasm-pack@0.12.1
cd ~/cw-tokens/contracts/cw20-merkle-airdrop
wasm-pack build --target web --out-dir dist
sha256sum dist/cw20_merkle_airdrop_bg.wasm

Hash output is:

2095b813730a010ce88484d4733852446cf2a2ddc0dba3847ac8a58699e3c6dd

On Mac:

e5d031498b21afcca4720f812e1daeab20a18f3d2369ca9ec2b40ed9739aac2e

@xBadcoin can you post replicable steps please.

Thanks

docker pull badcoin/contracts:latest
docker run -it --name my-contracts-container badcoin/contracts:latest /bin/bash

git clone https://github.com/CosmWasm/cw-tokens/
cd /cw-tokens/contracts/cw20-merkle-airdrop

add

[dependencies]
wasm-bindgen = "0.2" 

to Cargo.toml

wasm-pack build --target web --out-dir dist
sha256sum dist/cw20_merkle_airdrop_bg.wasm

Then get hash

0a514d35b6759d5e448afcebe04f2ce33d1665dcf76f614d2a9d95fc3d3c63a9  dist/cw20_merkle_airdrop_bg.wasm