Defender Release: Verifying deployment bytecode

Hey everyone! We've released a new version of Defender that allows for verifying the bytecode of any contract. You can use this to check that a given address is running the version of the code you'd expect, allowing auditable deployment processes.

Whenever you see an address in Defender, if it belongs to a contract, you can now hit the Verification button that will show you if any of your teammates has verified its bytecode, or open a dialog so you can link to the compilation artifact that corresponds to that contract.

Screenshot from 2022-08-29 16-25-24

When verifying, you will be asked for a link to the Hardhat compilation artifact, and Defender will try to match the artifact and the deployed bytecode, confirming that the contract was deployed from that artifact.

While this is available for any address, Defender will show this information front and center on every Upgrade proposal. The goal is that any signer who is approving an upgrade should have full knowledge of where the new implementation comes from.

You can also verify the deployment bytecode via API using the latest version of the defender-admin-client, or even easier if you're using the hardhat plugin for Defender. When you create a new upgrade proposal, the Hardhat plugin will now:

  • Verify that it's safe to upgrade to the new implementation
  • Deploy the new implementation contract
  • Create a new upgrade proposal in Defender
  • Upload the compilation artifact to Defender to verify the deployed bytecode
const proposal = await defender.proposeUpgrade(address, 'Box',{ 
  bytecodeVerificationReferenceUrl: url,
  kind: 'uups',
  description: `Upgrading box contract to new version deployed at ${url}`,
  multisig: owner,
  multisigType: 'EOA',
});
const verification = proposal.verificationResponse;
console.log(`Created new upgrade proposal at ${proposal.url} for artifact with digest ${verification?.providedSha256 ?? 'unknown'} (match ${verification.matchType})`);

You can also hook this to your CI so whenever you push a new tag, you will automatically get an upgrade proposal with a verified implementation waiting for approval in your Admin dashboard, with a link back to the CI run that produced the build artifact, which you can trace back to the specific git commit of the source code that generated the artifact.

These building blocks allow you to have a fully traceable deployment pipeline, that goes from a specific version of the source code (that could be referenced in an audit report, for instance) to a compiled artifact, and from there to an implementation deployed at a specific address that can be reviewed and approved by the project's signers.

Let us know what you think, and what other building blocks we can add to Defender to help you secure your deployment operations!

3 Likes