ethereum: Add verify script to match up the deployed bytecode with the
local build Also include this step in the generated governance verification instructions
This commit is contained in:
parent
9a42aacf0f
commit
58cd031ea8
|
@ -0,0 +1,102 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
set -euo pipefail
|
||||||
|
|
||||||
|
function usage() {
|
||||||
|
cat <<EOF >&2
|
||||||
|
Usage:
|
||||||
|
|
||||||
|
$(basename "$0") [-h] [-n network] [-r rpc] [-c chain] <.json file> <contract address> -- Verify that the deployed on-chain bytecode matches the local build artifact
|
||||||
|
|
||||||
|
where:
|
||||||
|
-h show this help text
|
||||||
|
-n set the network (mainnet, testnet, devnet)
|
||||||
|
-r rpc url
|
||||||
|
-c set the chain name (required)"
|
||||||
|
|
||||||
|
The -n and -r flags are mutually exclusive.
|
||||||
|
EOF
|
||||||
|
exit 1
|
||||||
|
}
|
||||||
|
|
||||||
|
chain=""
|
||||||
|
network=""
|
||||||
|
rpc=""
|
||||||
|
while getopts ':hn:r:c:' option; do
|
||||||
|
case "$option" in
|
||||||
|
h) usage
|
||||||
|
;;
|
||||||
|
c) chain=$OPTARG
|
||||||
|
;;
|
||||||
|
n) network=$OPTARG
|
||||||
|
;;
|
||||||
|
r) rpc=$OPTARG
|
||||||
|
;;
|
||||||
|
:) printf "missing argument for -%s\n" "$OPTARG" >&2
|
||||||
|
usage
|
||||||
|
;;
|
||||||
|
\?) printf "illegal option: -%s\n" "$OPTARG" >&2
|
||||||
|
usage
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
done
|
||||||
|
shift $((OPTIND - 1))
|
||||||
|
[ $# -ne 2 ] && usage
|
||||||
|
|
||||||
|
[[ -z $chain ]] && { echo "Missing chain flag (-c)"; usage; }
|
||||||
|
|
||||||
|
json_file=$1
|
||||||
|
contract_addr=$2
|
||||||
|
|
||||||
|
# network and rpc flags are mutually exlusive
|
||||||
|
[[ -n $network && -n $rpc ]] && usage
|
||||||
|
|
||||||
|
|
||||||
|
# if network flag is set, we query the rpc from the cli tool.
|
||||||
|
if [[ -n $network ]]; then
|
||||||
|
if ! command -v worm &> /dev/null
|
||||||
|
then
|
||||||
|
echo "worm binary could not be found. See installation instructions in clients/js/README.md"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
rpc=$(worm rpc "$network" "$chain")
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [[ -z $rpc ]]; then
|
||||||
|
echo "rpc endpoint or network name required."
|
||||||
|
usage
|
||||||
|
fi
|
||||||
|
|
||||||
|
# We'll write the bytecodes to temporary files
|
||||||
|
deployed=$(mktemp)
|
||||||
|
local=$(mktemp)
|
||||||
|
|
||||||
|
cat "$json_file" | jq -r .deployedBytecode > "$local"
|
||||||
|
|
||||||
|
ret=0
|
||||||
|
# Grab bytecode from the JSON RPC using the eth_getCode method.
|
||||||
|
curl "$rpc" \
|
||||||
|
-X POST \
|
||||||
|
-H "Content-Type: application/json" \
|
||||||
|
--data "{\"method\":\"eth_getCode\",\"params\":[\"$contract_addr\",\"latest\"],\"id\":1,\"jsonrpc\":\"2.0\"}" --silent | jq -r .result > "$deployed" || ret=$?
|
||||||
|
|
||||||
|
if [ $ret -gt 0 ]; then
|
||||||
|
printf "\033[0;31mFailed to query eth RPC '%s' while verifying %s on %s\033[0m\n" "$rpc" "$contract_addr" "$chain"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
# hash, then see if they match up
|
||||||
|
hash1=$(sha256sum "$deployed" | cut -f1 -d' ')
|
||||||
|
hash2=$(sha256sum "$local" | cut -f1 -d' ')
|
||||||
|
|
||||||
|
if [ "$hash1" == "$hash2" ]; then
|
||||||
|
printf "\033[0;32mDeployed bytecode of %s on %s matches %s\033[0m\n" "$contract_addr" "$chain" "$json_file";
|
||||||
|
exit 0;
|
||||||
|
else
|
||||||
|
printf "\033[0;31mDeployed bytecode of %s on %s doesn't match %s\033[0m\n" "$contract_addr" "$chain" "$json_file";
|
||||||
|
echo "deployed hash:"
|
||||||
|
echo "$hash1"
|
||||||
|
echo "$json_file hash:"
|
||||||
|
echo "$hash2"
|
||||||
|
exit 1;
|
||||||
|
fi
|
|
@ -93,6 +93,7 @@ fi
|
||||||
|
|
||||||
explorer=""
|
explorer=""
|
||||||
evm=false
|
evm=false
|
||||||
|
# TODO: move to CLI
|
||||||
case "$chain_name" in
|
case "$chain_name" in
|
||||||
solana)
|
solana)
|
||||||
chain=1
|
chain=1
|
||||||
|
@ -180,7 +181,7 @@ evm_artifact=""
|
||||||
solana_artifact=""
|
solana_artifact=""
|
||||||
terra_artifact=""
|
terra_artifact=""
|
||||||
case "$module" in
|
case "$module" in
|
||||||
bridge)
|
bridge|core)
|
||||||
create_governance="\
|
create_governance="\
|
||||||
guardiand template contract-upgrade \\
|
guardiand template contract-upgrade \\
|
||||||
--chain-id $chain \\
|
--chain-id $chain \\
|
||||||
|
@ -271,7 +272,7 @@ EOD
|
||||||
# The rest of the output is printed to the instructions file (which then also
|
# The rest of the output is printed to the instructions file (which then also
|
||||||
# gets printed to stdout at the end)
|
# gets printed to stdout at the end)
|
||||||
|
|
||||||
echo "# Verification steps ($chain_name)
|
echo "# Verification steps ($chain_name $module)
|
||||||
" >> "$instructions_file"
|
" >> "$instructions_file"
|
||||||
|
|
||||||
# Verification steps depend on the chain.
|
# Verification steps depend on the chain.
|
||||||
|
@ -280,16 +281,16 @@ if [ "$evm" = true ]; then
|
||||||
cat <<-EOF >> "$instructions_file"
|
cat <<-EOF >> "$instructions_file"
|
||||||
## Build
|
## Build
|
||||||
\`\`\`shell
|
\`\`\`shell
|
||||||
wormhole/ethereum $ npm ci
|
wormhole/ethereum $ make
|
||||||
wormhole/ethereum $ npm run build
|
|
||||||
\`\`\`
|
\`\`\`
|
||||||
|
|
||||||
## Verify
|
## Verify
|
||||||
Contract at [$explorer$address]($explorer$address)
|
Contract at [$explorer$address]($explorer$address)
|
||||||
|
|
||||||
|
Next, use the \`verify\` script to verify that the deployed bytecodes we are upgrading to match the build artifacts:
|
||||||
|
|
||||||
\`\`\`shell
|
\`\`\`shell
|
||||||
wormhole/ethereum $ export BYTECODE=<BYTECODE FROM EXPLORER HERE>
|
wormhole/ethereum $ ./verify -r $(worm rpc mainnet $chain_name) -c $chain_name $evm_artifact $address
|
||||||
wormhole/ethereum $ cat $evm_artifact | jq -r ".deployedBytecode" | sha256sum
|
|
||||||
wormhole/ethereum $ echo \$BYTECODE | sha256sum
|
|
||||||
\`\`\`
|
\`\`\`
|
||||||
|
|
||||||
EOF
|
EOF
|
||||||
|
|
Loading…
Reference in New Issue