Is it safe to publish to IPFS when using Remix?

Could hackers use the metadata?

Couldn’t hackers gain the metadata from the blockchain itself as stated here: https://medium.com/remix-ide/remix-ide-0-10-0-release-88c25d1d997

Should I redeploy the contract?

Since smart contracts cannot be changed it seems like a bad idea to let people see the source code/metadata despite my code being imported from OpenZeppelin. I copy-pasted from here: Deploy a simple ERC20 token in Remix

I just want to be certain that I did the right/safe thing.

The whole point of contract metadata is to make human-readable information about your contract available to users. That's why a metadata hash is always included in the compiled bytecode and why services like Sourcify have been created to make it easily obtainable.

If you publish it to IPFS and do not strip the hash from your bytecode then by design anyone will be able to find it using just that hash. At least as long as someone is hosting it - IPFS does not magically preserve the file if no one has it. Note also that metadata does not contain the source code by default. There's an option for that but you have to enable it. Normally it only has compiler settings, file paths and hashes of all the source files.

There might be some valid (usually business-related) reasons for hiding the source but I do not think the risk of a hack is one of them. It's just security by obscurity. Even without the source code, your bytecode is still readily available and finding holes in it is not impossible for an attacker who is motivated enough. It's actually a lot easier than for applications because contracts are so much smaller.

On the other hand, I think that hiding your source will easily drive away any whitehats who are hunting for bugs for a bounty. There are whole marketplaces for bounties like Immunefi that directly incentivize this behavior, and even without them there are a lot of people in DeFi who actually read contract code and would rather report a bug for some recognition than exploit it. There's tons of low-hanging fruit around though, and barely anyone will bother disassembling a contract when they can just look at all the open ones. If you're worried about hacks on the mainnet then I think that making the code public and funding a bounty would be more effective than going closed-source. Just make sure that in the early stages of your contract's life you can still update it (or at least have a way to rescue funds).

EDIT: It's actually very well said in the article you linked to:

Please do share your contract data. Sharing your contract doesn’t make it vulnerable. It makes your contract auditable by the community. By publishing to IPFS, you are making sure that the solidity code will be verified (e.g that the code will be associated with its address). Don’t be afraid that everyone will have access to it, because that’s already the case: the bytecode is stored transparently in the blockchain anyway. But allowing users to have access to the source code and its ABI will greatly foster contract adoption (auditing, debugging, calling it, etc…).

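To make the answer's point concrete, here is an added example (not code from the post, Remix or Sourcify) that reads the CBOR metadata trailer solc appends to runtime bytecode and turns the embedded multihash into the IPFS CID anyone can use to fetch metadata.json. The sample bytecode, the metadata.json contents it hashes, and the helper names are all constructed for this example; the trailer layout (CBOR map with "ipfs" and "solc" keys, then a 2-byte length) is solc's documented format.

```python
"""Added example: decode solc's CBOR metadata trailer from runtime bytecode
and derive the CIDv0 that points at metadata.json. Stdlib only."""
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def b58encode(data: bytes) -> str:
    """Base58 (Bitcoin alphabet), the encoding of CIDv0 'Qm...' strings."""
    n, out = int.from_bytes(data, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(data) - len(data.lstrip(b"\x00"))) + out

def decode_metadata(bytecode: bytes) -> dict:
    """Parse the trailing CBOR map (text keys -> byte-string values)."""
    length = int.from_bytes(bytecode[-2:], "big")  # last 2 bytes = CBOR length
    cbor = bytecode[-2 - length:-2]
    if not cbor or (cbor[0] & 0xE0) != 0xA0:        # major type 5 = map
        raise ValueError("no CBOR metadata map at end of bytecode")
    pos, result = 1, {}
    for _ in range(cbor[0] & 0x1F):                 # map entry count
        klen = cbor[pos] & 0x1F                     # text key, short length
        key = cbor[pos + 1:pos + 1 + klen].decode()
        pos += 1 + klen
        head = cbor[pos]
        pos += 1
        if (head & 0xE0) != 0x40:                   # major type 2 = bytes
            raise ValueError(f"unexpected value type for {key!r}")
        vlen = head & 0x1F
        if vlen == 24:                              # 0x58: one-byte length follows
            vlen, pos = cbor[pos], pos + 1
        result[key] = cbor[pos:pos + vlen]
        pos += vlen
    return result

def describe(bytecode: bytes) -> dict:
    meta, info = decode_metadata(bytecode), {}
    if "ipfs" in meta:
        info["ipfs_cid"] = b58encode(meta["ipfs"])  # sha2-256 multihash -> 'Qm...'
    if "solc" in meta:
        info["solc"] = ".".join(str(b) for b in meta["solc"])
    return info

# Constructed sample: a few opcodes plus a solc-0.8-style trailer (51 bytes = 0x33).
MULTIHASH = b"\x12\x20" + hashlib.sha256(b'{"constructed":"metadata.json"}').digest()
TRAILER = b"\xa2\x64ipfs\x58\x22" + MULTIHASH + b"\x64solc\x43\x00\x08\x04"
SAMPLE_BYTECODE = b"\x60\x80\x60\x40\x52\x00" + TRAILER + len(TRAILER).to_bytes(2, "big")
```

Running `describe()` on bytecode fetched from a node yields the same CID Sourcify would look up, which is why publishing to IPFS adds no exposure beyond what the chain already holds.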