ethereum: Add verify script to match up the deployed bytecode with the
local build Also include this step in the generated governance verification instructions
This commit is contained in:
parent
9a42aacf0f
commit
58cd031ea8
|
@ -0,0 +1,102 @@
|
|||
#!/bin/bash
|
||||
|
||||
set -euo pipefail
|
||||
|
||||
function usage() {
|
||||
cat <<EOF >&2
|
||||
Usage:
|
||||
|
||||
$(basename "$0") [-h] [-n network] [-r rpc] [-c chain] <.json file> <contract address> -- Verify that the deployed on-chain bytecode matches the local build artifact
|
||||
|
||||
where:
|
||||
-h show this help text
|
||||
-n set the network (mainnet, testnet, devnet)
|
||||
-r rpc url
|
||||
-c set the chain name (required)"
|
||||
|
||||
The -n and -r flags are mutually exclusive.
|
||||
EOF
|
||||
exit 1
|
||||
}
|
||||
|
||||
chain=""
|
||||
network=""
|
||||
rpc=""
|
||||
while getopts ':hn:r:c:' option; do
|
||||
case "$option" in
|
||||
h) usage
|
||||
;;
|
||||
c) chain=$OPTARG
|
||||
;;
|
||||
n) network=$OPTARG
|
||||
;;
|
||||
r) rpc=$OPTARG
|
||||
;;
|
||||
:) printf "missing argument for -%s\n" "$OPTARG" >&2
|
||||
usage
|
||||
;;
|
||||
\?) printf "illegal option: -%s\n" "$OPTARG" >&2
|
||||
usage
|
||||
;;
|
||||
esac
|
||||
done
|
||||
shift $((OPTIND - 1))
|
||||
[ $# -ne 2 ] && usage
|
||||
|
||||
[[ -z $chain ]] && { echo "Missing chain flag (-c)"; usage; }
|
||||
|
||||
json_file=$1
|
||||
contract_addr=$2
|
||||
|
||||
# network and rpc flags are mutually exlusive
|
||||
[[ -n $network && -n $rpc ]] && usage
|
||||
|
||||
|
||||
# if network flag is set, we query the rpc from the cli tool.
|
||||
if [[ -n $network ]]; then
|
||||
if ! command -v worm &> /dev/null
|
||||
then
|
||||
echo "worm binary could not be found. See installation instructions in clients/js/README.md"
|
||||
exit 1
|
||||
fi
|
||||
rpc=$(worm rpc "$network" "$chain")
|
||||
fi
|
||||
|
||||
if [[ -z $rpc ]]; then
|
||||
echo "rpc endpoint or network name required."
|
||||
usage
|
||||
fi
|
||||
|
||||
# We'll write the bytecodes to temporary files
|
||||
deployed=$(mktemp)
|
||||
local=$(mktemp)
|
||||
|
||||
cat "$json_file" | jq -r .deployedBytecode > "$local"
|
||||
|
||||
ret=0
|
||||
# Grab bytecode from the JSON RPC using the eth_getCode method.
|
||||
curl "$rpc" \
|
||||
-X POST \
|
||||
-H "Content-Type: application/json" \
|
||||
--data "{\"method\":\"eth_getCode\",\"params\":[\"$contract_addr\",\"latest\"],\"id\":1,\"jsonrpc\":\"2.0\"}" --silent | jq -r .result > "$deployed" || ret=$?
|
||||
|
||||
if [ $ret -gt 0 ]; then
|
||||
printf "\033[0;31mFailed to query eth RPC '%s' while verifying %s on %s\033[0m\n" "$rpc" "$contract_addr" "$chain"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# hash, then see if they match up
|
||||
hash1=$(sha256sum "$deployed" | cut -f1 -d' ')
|
||||
hash2=$(sha256sum "$local" | cut -f1 -d' ')
|
||||
|
||||
if [ "$hash1" == "$hash2" ]; then
|
||||
printf "\033[0;32mDeployed bytecode of %s on %s matches %s\033[0m\n" "$contract_addr" "$chain" "$json_file";
|
||||
exit 0;
|
||||
else
|
||||
printf "\033[0;31mDeployed bytecode of %s on %s doesn't match %s\033[0m\n" "$contract_addr" "$chain" "$json_file";
|
||||
echo "deployed hash:"
|
||||
echo "$hash1"
|
||||
echo "$json_file hash:"
|
||||
echo "$hash2"
|
||||
exit 1;
|
||||
fi
|
|
@ -93,6 +93,7 @@ fi
|
|||
|
||||
explorer=""
|
||||
evm=false
|
||||
# TODO: move to CLI
|
||||
case "$chain_name" in
|
||||
solana)
|
||||
chain=1
|
||||
|
@ -180,7 +181,7 @@ evm_artifact=""
|
|||
solana_artifact=""
|
||||
terra_artifact=""
|
||||
case "$module" in
|
||||
bridge)
|
||||
bridge|core)
|
||||
create_governance="\
|
||||
guardiand template contract-upgrade \\
|
||||
--chain-id $chain \\
|
||||
|
@ -271,7 +272,7 @@ EOD
|
|||
# The rest of the output is printed to the instructions file (which then also
|
||||
# gets printed to stdout at the end)
|
||||
|
||||
echo "# Verification steps ($chain_name)
|
||||
echo "# Verification steps ($chain_name $module)
|
||||
" >> "$instructions_file"
|
||||
|
||||
# Verification steps depend on the chain.
|
||||
|
@ -280,16 +281,16 @@ if [ "$evm" = true ]; then
|
|||
cat <<-EOF >> "$instructions_file"
|
||||
## Build
|
||||
\`\`\`shell
|
||||
wormhole/ethereum $ npm ci
|
||||
wormhole/ethereum $ npm run build
|
||||
wormhole/ethereum $ make
|
||||
\`\`\`
|
||||
|
||||
## Verify
|
||||
Contract at [$explorer$address]($explorer$address)
|
||||
|
||||
Next, use the \`verify\` script to verify that the deployed bytecodes we are upgrading to match the build artifacts:
|
||||
|
||||
\`\`\`shell
|
||||
wormhole/ethereum $ export BYTECODE=<BYTECODE FROM EXPLORER HERE>
|
||||
wormhole/ethereum $ cat $evm_artifact | jq -r ".deployedBytecode" | sha256sum
|
||||
wormhole/ethereum $ echo \$BYTECODE | sha256sum
|
||||
wormhole/ethereum $ ./verify -r $(worm rpc mainnet $chain_name) -c $chain_name $evm_artifact $address
|
||||
\`\`\`
|
||||
|
||||
EOF
|
||||
|
|
Loading…
Reference in New Issue