[POC] Validate contract with Sourcify

[matthieuauger]

This PR is a proof of concept for Sourcify integration. https://github.com/walnuthq/op-scan/issues/9

What's good is that we can leverage Sourcify public infrastructure and keep this client light. One thing not really documented on their side is how the handle rate-limiting. There is a Bearer Auth we can send to the API but no mention of API keys.

Proof of validation

For my testing I deployed a simple ERC20 contract. Here is the output from Hardhat that we can upload to sourcify to validate the contract.

Test URL

Changes that need to be made to fully implement the feature

• use chainId from global configuration
• see how we handle partial matches
• handle solc-json
• move some of the logic to external files
• better error management

[mazurroman]

Would be good to check if it also works for brand new chains.

@saimeunt maybe you could give it a spin with your local OP Stack chain?

[matthieuauger]

Thinking about your comment, I need to perform deeper investigation. Sourcify has a bunch of supported chains, OP for example, but this is a manually maintained list.

There are three options that could be explored if we want to support any chain deployed on the superchain:

• manually adding it new chains to Sourcify: there is an existing process for that (https://docs.sourcify.dev/docs/chain-support/). If the process is quick and easy it would be the simplest way
• looking at Sourcify code to see if a more permissionless approach can be implemented, technically they should be able to support any EVM chain, I'm wondering why this is a manual step
• hosting our own validation server that support chains on superchain

First thing would be to test the first option. Do we have a test OP Stack deployed and running somewhere besides localhost?

[saimeunt]

@matthieuauger Hi Matthieu, thank you for your POC, it looks like integrating with sourcify to verify contracts and display the source code as well as fetching the correct ABI is totally feasible and quite easy to setup as they're doing all the heavy lifting.

At the moment we're focused on running the explorer locally and to our best knowledge, verifying contracts on your own devnet, besides testing and developing the feature for future usage on a real self-hosted explorer in production is of little use.

We discussed with @mazurroman how we envision the architecture for going to production with sourcify and we would probably go with hosting our own version of sourcify-server along with the explorer and the indexer as part of a SaaS / Rollup as a Service approach. As far as the manual process is concerned, I think it's simply to discard obscure, short-lived chains from being added/indexed by their service, just like you can request adding your chain on say viem.

So I think the scope of this issue is already addressed with your POC and you don't need to go deeper. I'll keep this open until the end of the hack as this is not top-priority and we'll merge your work ASAP to keep it as reference for later, thank you for your contribution!

[matthieuauger]

Alright 👌

[matthieuauger]

@saimeunt that's good 👍