forge_verify/

verify.rs

//! The `forge verify-bytecode` command.

use crate::{
    RetryArgs,
    etherscan::EtherscanVerificationProvider,
    provider::{VerificationContext, VerificationProvider, VerificationProviderType},
    utils::wrap_verifier_url_error,
};
use alloy_primitives::{Address, TxHash, map::HashSet};
use alloy_provider::Provider;
use clap::{Parser, ValueEnum, ValueHint};
use eyre::Result;
use foundry_cli::{
    opts::{EtherscanOpts, RpcOpts},
    utils::{self, LoadConfig},
};
use foundry_common::{ContractsByArtifact, compile::ProjectCompiler};
use foundry_compilers::{artifacts::EvmVersion, compilers::solc::Solc, info::ContractInfo};
use foundry_config::{
    Chain, Config, SolcReq, figment, impl_figment_convert, impl_figment_convert_cast,
};
use itertools::Itertools;
use semver::BuildMetadata;
use std::path::PathBuf;

/// The programming language used for smart contract development.
///
/// This enum represents the supported contract languages for verification.
#[derive(Copy, Clone, Debug, Eq, PartialEq, ValueEnum)]
pub enum ContractLanguage {
    /// Solidity programming language
    Solidity,
    /// Vyper programming language  
    Vyper,
}

/// Verification provider arguments
#[derive(Clone, Debug, Parser)]
pub struct VerifierArgs {
    /// The contract verification provider to use.
    #[arg(long, help_heading = "Verifier options", default_value = "sourcify", value_enum)]
    pub verifier: VerificationProviderType,

    /// The verifier API KEY, if using a custom provider.
    #[arg(long, help_heading = "Verifier options", env = "VERIFIER_API_KEY")]
    pub verifier_api_key: Option<String>,

    /// The verifier URL, if using a custom provider.
    #[arg(long, help_heading = "Verifier options", env = "VERIFIER_URL")]
    pub verifier_url: Option<String>,
}

impl Default for VerifierArgs {
    fn default() -> Self {
        Self {
            verifier: VerificationProviderType::Sourcify,
            verifier_api_key: None,
            verifier_url: None,
        }
    }
}

/// CLI arguments for `forge verify-contract`.
#[derive(Clone, Debug, Parser)]
pub struct VerifyArgs {
    /// The address of the contract to verify.
    pub address: Address,

    /// The contract identifier in the form `<path>:<contractname>`.
    pub contract: Option<ContractInfo>,

    /// The ABI-encoded constructor arguments. Only for Etherscan.
    #[arg(
        long,
        conflicts_with = "constructor_args_path",
        value_name = "ARGS",
        visible_alias = "encoded-constructor-args"
    )]
    pub constructor_args: Option<String>,

    /// The path to a file containing the constructor arguments.
    #[arg(long, value_hint = ValueHint::FilePath, value_name = "PATH")]
    pub constructor_args_path: Option<PathBuf>,

    /// Try to extract constructor arguments from on-chain creation code.
    #[arg(long)]
    pub guess_constructor_args: bool,

    /// The hash of the transaction which created the contract. Optional for Sourcify.
    #[arg(long)]
    pub creation_transaction_hash: Option<TxHash>,

    /// The `solc` version to use to build the smart contract.
    #[arg(long, value_name = "VERSION")]
    pub compiler_version: Option<String>,

    /// The compilation profile to use to build the smart contract.
    #[arg(long, value_name = "PROFILE_NAME")]
    pub compilation_profile: Option<String>,

    /// The number of optimization runs used to build the smart contract.
    #[arg(long, visible_alias = "optimizer-runs", value_name = "NUM")]
    pub num_of_optimizations: Option<usize>,

    /// Flatten the source code before verifying.
    #[arg(long)]
    pub flatten: bool,

    /// Do not compile the flattened smart contract before verifying (if --flatten is passed).
    #[arg(short, long)]
    pub force: bool,

    /// Do not check if the contract is already verified before verifying.
    #[arg(long)]
    pub skip_is_verified_check: bool,

    /// Wait for verification result after submission.
    #[arg(long)]
    pub watch: bool,

    /// Set pre-linked libraries.
    #[arg(long, help_heading = "Linker options", env = "DAPP_LIBRARIES")]
    pub libraries: Vec<String>,

    /// The project's root path.
    ///
    /// By default root of the Git repository, if in one,
    /// or the current working directory.
    #[arg(long, value_hint = ValueHint::DirPath, value_name = "PATH")]
    pub root: Option<PathBuf>,

    /// Prints the standard json compiler input.
    ///
    /// The standard json compiler input can be used to manually submit contract verification in
    /// the browser.
    #[arg(long, conflicts_with = "flatten")]
    pub show_standard_json_input: bool,

    /// Use the Yul intermediate representation compilation pipeline.
    #[arg(long)]
    pub via_ir: bool,

    /// The EVM version to use.
    ///
    /// Overrides the version specified in the config.
    #[arg(long)]
    pub evm_version: Option<EvmVersion>,

    /// Do not auto-detect the `solc` version.
    #[arg(long, help_heading = "Compiler options")]
    pub no_auto_detect: bool,

    /// Specify the solc version, or a path to a local solc, to build with.
    ///
    /// Valid values are in the format `x.y.z`, `solc:x.y.z` or `path/to/solc`.
    #[arg(long = "use", help_heading = "Compiler options", value_name = "SOLC_VERSION")]
    pub use_solc: Option<String>,

    #[command(flatten)]
    pub etherscan: EtherscanOpts,

    #[command(flatten)]
    pub rpc: RpcOpts,

    #[command(flatten)]
    pub retry: RetryArgs,

    #[command(flatten)]
    pub verifier: VerifierArgs,

    /// The contract language (`solidity` or `vyper`).
    ///
    /// Defaults to `solidity` if none provided.
    #[arg(long, value_enum)]
    pub language: Option<ContractLanguage>,
}

impl_figment_convert!(VerifyArgs);

impl figment::Provider for VerifyArgs {
    fn metadata(&self) -> figment::Metadata {
        figment::Metadata::named("Verify Provider")
    }

    fn data(
        &self,
    ) -> Result<figment::value::Map<figment::Profile, figment::value::Dict>, figment::Error> {
        let mut dict = self.etherscan.dict();
        dict.extend(self.rpc.dict());

        if let Some(root) = self.root.as_ref() {
            dict.insert("root".to_string(), figment::value::Value::serialize(root)?);
        }
        if let Some(optimizer_runs) = self.num_of_optimizations {
            dict.insert("optimizer".to_string(), figment::value::Value::serialize(true)?);
            dict.insert(
                "optimizer_runs".to_string(),
                figment::value::Value::serialize(optimizer_runs)?,
            );
        }
        if let Some(evm_version) = self.evm_version {
            dict.insert("evm_version".to_string(), figment::value::Value::serialize(evm_version)?);
        }
        if self.via_ir {
            dict.insert("via_ir".to_string(), figment::value::Value::serialize(self.via_ir)?);
        }

        if self.no_auto_detect {
            dict.insert("auto_detect_solc".to_string(), figment::value::Value::serialize(false)?);
        }

        if let Some(ref solc) = self.use_solc {
            let solc = solc.trim_start_matches("solc:");
            dict.insert("solc".to_string(), figment::value::Value::serialize(solc)?);
        }

        if let Some(api_key) = &self.verifier.verifier_api_key {
            dict.insert("etherscan_api_key".into(), api_key.as_str().into());
        }

        Ok(figment::value::Map::from([(Config::selected_profile(), dict)]))
    }
}

impl VerifyArgs {
    /// Run the verify command to submit the contract's source code for verification on etherscan
    pub async fn run(mut self) -> Result<()> {
        let config = self.load_config()?;

        if self.guess_constructor_args && config.get_rpc_url().is_none() {
            eyre::bail!(
                "You have to provide a valid RPC URL to use --guess-constructor-args feature"
            )
        }

        // If chain is not set, we try to get it from the RPC.
        // If RPC is not set, the default chain is used.
        let chain = match config.get_rpc_url() {
            Some(_) => {
                let provider = utils::get_provider(&config)?;
                utils::get_chain(config.chain, provider).await?
            }
            None => config.chain.unwrap_or_default(),
        };

        let context = self.resolve_context().await?;

        // Set Etherscan options.
        self.etherscan.chain = Some(chain);
        self.etherscan.key = config.get_etherscan_config_with_chain(Some(chain))?.map(|c| c.key);

        // For chains with Sourcify-compatible APIs, use the chain's URL from etherscan_urls
        if self.verifier.verifier.is_sourcify()
            && self.verifier.verifier_url.is_none()
            && let Some(url) = sourcify_api_url(chain)
        {
            self.verifier.verifier_url = Some(url);
        }

        if self.show_standard_json_input {
            let args = EtherscanVerificationProvider::default()
                .create_verify_request(&self, &context)
                .await?;
            sh_println!("{}", args.source)?;
            return Ok(());
        }

        let verifier_url = self.verifier.verifier_url.clone();
        sh_println!("Start verifying contract `{}` deployed on {chain}", self.address)?;
        if let Some(version) = &self.evm_version {
            sh_println!("EVM version: {version}")?;
        }
        if let Some(version) = &self.compiler_version {
            sh_println!("Compiler version: {version}")?;
        }
        if let Some(optimizations) = &self.num_of_optimizations {
            sh_println!("Optimizations:    {optimizations}")?
        }
        if let Some(args) = &self.constructor_args
            && !args.is_empty()
        {
            sh_println!("Constructor args: {args}")?
        }
        // `client()` picks Etherscan when `--verifier etherscan` is passed, or when
        // `ETHERSCAN_API_KEY` is set and no other provider was explicitly chosen. This mirrors
        // that selection closely enough to decide whether the host-only URL hint applies.
        let etherscan_key = self.etherscan.key();
        let using_etherscan = self.verifier.verifier.is_etherscan()
            || (etherscan_key.as_deref().is_some_and(|k| !k.is_empty())
                && !matches!(
                    self.verifier.verifier,
                    VerificationProviderType::Blockscout
                        | VerificationProviderType::Oklink
                        | VerificationProviderType::Custom
                ));
        self.verifier
            .verifier
            .client(
                etherscan_key.as_deref(),
                self.etherscan.chain,
                self.verifier.verifier_url.is_some(),
            )?
            .verify(self, context)
            .await
            .map_err(|err| wrap_verifier_url_error(err, verifier_url.as_deref(), using_etherscan))
    }

    /// Returns the configured verification provider
    pub fn verification_provider(&self) -> Result<Box<dyn VerificationProvider>> {
        self.verifier.verifier.client(
            self.etherscan.key().as_deref(),
            self.etherscan.chain,
            self.verifier.verifier_url.is_some(),
        )
    }

    /// Resolves [VerificationContext] object either from entered contract name or by trying to
    /// match bytecode located at given address.
    pub async fn resolve_context(&self) -> Result<VerificationContext> {
        let mut config = self.load_config()?;
        config.libraries.extend(self.libraries.clone());

        let project = config.project()?;

        if let Some(ref contract) = self.contract {
            let contract_path = if let Some(ref path) = contract.path {
                project.root().join(PathBuf::from(path))
            } else {
                project.find_contract_path(&contract.name)?
            };

            let cache = project.read_cache_file().ok();

            let mut version = if let Some(ref version) = self.compiler_version {
                version.trim_start_matches('v').parse()?
            } else if let Some(ref solc) = config.solc {
                match solc {
                    SolcReq::Version(version) => version.to_owned(),
                    SolcReq::Local(solc) => Solc::new(solc)?.version,
                }
            } else if let Some(entry) =
                cache.as_ref().and_then(|cache| cache.files.get(&contract_path).cloned())
            {
                let unique_versions = entry
                    .artifacts
                    .get(&contract.name)
                    .map(|artifacts| artifacts.keys().collect::<HashSet<_>>())
                    .unwrap_or_default();

                if unique_versions.is_empty() {
                    eyre::bail!(
                        "No matching artifact found for {}. This could be due to:\n\
                        - Compiler version mismatch - the contract was compiled with a different Solidity version than what's being used for verification",
                        contract.name
                    );
                } else if unique_versions.len() > 1 {
                    warn!(
                        "Ambiguous compiler versions found in cache: {}",
                        unique_versions.iter().join(", ")
                    );
                    eyre::bail!(
                        "Compiler version has to be set in `foundry.toml`. If the project was not deployed with foundry, specify the version through `--compiler-version` flag."
                    )
                }

                unique_versions.into_iter().next().unwrap().to_owned()
            } else {
                eyre::bail!(
                    "If cache is disabled, compiler version must be either provided with `--compiler-version` option or set in foundry.toml"
                )
            };

            let settings = if let Some(profile) = &self.compilation_profile {
                if profile == "default" {
                    &project.settings
                } else if let Some(settings) = project.additional_settings.get(profile.as_str()) {
                    settings
                } else {
                    eyre::bail!("Unknown compilation profile: {}", profile)
                }
            } else if let Some((cache, entry)) = cache
                .as_ref()
                .and_then(|cache| Some((cache, cache.files.get(&contract_path)?.clone())))
            {
                let profiles = entry
                    .artifacts
                    .get(&contract.name)
                    .and_then(|artifacts| {
                        let mut cached_artifacts = artifacts.get(&version);
                        // If we try to verify with specific build version and no cached artifacts
                        // found, then check if we have artifacts cached for same version but
                        // without any build metadata.
                        // This could happen when artifacts are built / cached
                        // with a version like `0.8.20` but verify is using a compiler-version arg
                        // as `0.8.20+commit.a1b79de6`.
                        // See <https://github.com/foundry-rs/foundry/issues/9510>.
                        if cached_artifacts.is_none() && version.build != BuildMetadata::EMPTY {
                            version.build = BuildMetadata::EMPTY;
                            cached_artifacts = artifacts.get(&version);
                        }
                        cached_artifacts
                    })
                    .map(|artifacts| artifacts.keys().collect::<HashSet<_>>())
                    .unwrap_or_default();

                if profiles.is_empty() {
                    eyre::bail!(
                        "No matching artifact found for {} with compiler version {}. This could be due to:\n\
                        - Compiler version mismatch - the contract was compiled with a different Solidity version",
                        contract.name,
                        version
                    );
                } else if profiles.len() > 1 {
                    eyre::bail!(
                        "Ambiguous compilation profiles found in cache: {}, please specify the profile through `--compilation-profile` flag",
                        profiles.iter().join(", ")
                    )
                }

                let profile = profiles.into_iter().next().unwrap().to_owned();
                cache.profiles.get(&profile).expect("must be present")
            } else if project.additional_settings.is_empty() {
                &project.settings
            } else {
                eyre::bail!(
                    "If cache is disabled, compilation profile must be provided with `--compilation-profile` option or set in foundry.toml"
                )
            };

            VerificationContext::new(
                contract_path,
                contract.name.clone(),
                version,
                config,
                settings.clone(),
            )
        } else {
            if config.get_rpc_url().is_none() {
                eyre::bail!("You have to provide a contract name or a valid RPC URL")
            }
            let provider = utils::get_provider(&config)?;
            let code = provider.get_code_at(self.address).await?;

            let output = ProjectCompiler::new().compile(&project)?;
            let contracts = ContractsByArtifact::new(
                output.artifact_ids().map(|(id, artifact)| (id, artifact.clone().into())),
            );

            let Some((artifact_id, _)) = contracts.find_by_deployed_code_exact(&code) else {
                eyre::bail!(format!(
                    "Bytecode at {} does not match any local contracts",
                    self.address
                ))
            };

            let settings = project
                .settings_profiles()
                .find_map(|(name, settings)| {
                    (name == artifact_id.profile.as_str()).then_some(settings)
                })
                .expect("must be present");

            VerificationContext::new(
                artifact_id.source.clone(),
                artifact_id.name.split('.').next().unwrap().to_owned(),
                artifact_id.version.clone(),
                config,
                settings.clone(),
            )
        }
    }

    /// Detects the language for verification from source file extension, if none provided.
    pub fn detect_language(&self, ctx: &VerificationContext) -> ContractLanguage {
        self.language.unwrap_or_else(|| {
            match ctx.target_path.extension().and_then(|e| e.to_str()) {
                Some("vy") => ContractLanguage::Vyper,
                _ => ContractLanguage::Solidity,
            }
        })
    }
}

/// Check verification status arguments
#[derive(Clone, Debug, Parser)]
pub struct VerifyCheckArgs {
    /// The verification ID.
    ///
    /// For Etherscan - Submission GUID.
    ///
    /// For Sourcify - Verification Job ID.
    pub id: String,

    #[command(flatten)]
    pub retry: RetryArgs,

    #[command(flatten)]
    pub etherscan: EtherscanOpts,

    #[command(flatten)]
    pub verifier: VerifierArgs,
}

impl_figment_convert_cast!(VerifyCheckArgs);

impl VerifyCheckArgs {
    /// Run the verify command to submit the contract's source code for verification on etherscan
    pub async fn run(self) -> Result<()> {
        sh_println!(
            "Checking verification status on {}",
            self.etherscan.chain.unwrap_or_default()
        )?;
        self.verifier
            .verifier
            .client(
                self.etherscan.key().as_deref(),
                self.etherscan.chain,
                self.verifier.verifier_url.is_some(),
            )?
            .check(self)
            .await
    }
}

impl figment::Provider for VerifyCheckArgs {
    fn metadata(&self) -> figment::Metadata {
        figment::Metadata::named("Verify Check Provider")
    }

    fn data(
        &self,
    ) -> Result<figment::value::Map<figment::Profile, figment::value::Dict>, figment::Error> {
        let mut dict = self.etherscan.dict();
        if let Some(api_key) = &self.etherscan.key {
            dict.insert("etherscan_api_key".into(), api_key.as_str().into());
        }

        Ok(figment::value::Map::from([(Config::selected_profile(), dict)]))
    }
}

/// Returns the Sourcify-compatible API URL for chains that have one registered in `etherscan_urls`.
///
/// Some chains register their Sourcify-compatible verification API under `etherscan_urls` in
/// alloy-chains. This function returns the properly formatted URL for such chains.
fn sourcify_api_url(chain: Chain) -> Option<String> {
    if chain.is_custom_sourcify() {
        chain.etherscan_urls().map(|(api_url, _)| {
            let api_url = api_url.trim_end_matches('/');
            format!("{api_url}/")
        })
    } else {
        None
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn can_parse_verify_contract() {
        let args: VerifyArgs = VerifyArgs::parse_from([
            "foundry-cli",
            "0x0000000000000000000000000000000000000000",
            "src/Domains.sol:Domains",
            "--via-ir",
        ]);
        assert!(args.via_ir);
    }

    #[test]
    fn can_parse_new_compiler_flags() {
        let args: VerifyArgs = VerifyArgs::parse_from([
            "foundry-cli",
            "0x0000000000000000000000000000000000000000",
            "src/Domains.sol:Domains",
            "--no-auto-detect",
            "--use",
            "0.8.23",
        ]);
        assert!(args.no_auto_detect);
        assert_eq!(args.use_solc.as_deref(), Some("0.8.23"));
    }
}