When Verified Source Lies
📰 Hackernoon
Etherscan verification does not guarantee bytecode accuracy due to Solidity optimizer bugs
Action Steps
- Understand the difference between source code and compiled bytecode
- Be aware of known Solidity optimizer bugs like SOL-2022-7
- Verify bytecode manually or use additional tools to confirm accuracy
Who Needs to Know This
Developers and auditors on a blockchain project team benefit from understanding the limitations of Etherscan verification to ensure the security and integrity of their smart contracts
Key Insight
💡 Etherscan verification only confirms build reproducibility, not bytecode behavior
Share This
🚨 Etherscan verification doesn't mean bytecode is accurate! 🚨
Key Takeaways
Etherscan verification does not guarantee bytecode accuracy due to Solidity optimizer bugs
Full Article
I deployed a staking vault on Sepolia and got it verified on Etherscan with a green checkmark. The source code contains a storage write that does not exist in the compiled bytecode, due to a known Solidity optimizer bug (SOL-2022-7). The verification confirms the build is reproducible. It does not confirm the bytecode does what the source says.
DeepCamp AI