According to what has been said on Terra’s Discord, it is not possible to verify that the bytecode of smart contracts uploaded and deployed to the Terra blockchain matches a given Rust CosmWasm source code. If this is true, it would have huge implications.
This would go against the principle of a trustless blockchain. How can anyone trust that the source code uploaded by TFL, Anchor or Mirror on GitHub matches what the user actually interacts with on-chain? It also defeats the purpose of audits done on those projects because they all reference the source code uploaded to GitHub (e.g. Anchor Audit page 5).
This is a huge security concern. A malicious actor could write a new smart contract and publish it to GitHub, having done audits, only to upload a completely different compiled smart contract to the blockchain that steals people’s assets.
There currently is not even a way to view contract code on Terra Finder, unlike Etherscan. I understand that this is because Solidity can be decompiled differently than CosmWasm, which compiles down to bytecode. However, you still should have the ability to see the bytecode and from there compile what was uploaded to GitHub to verify they match.
Discord says this is all because the Rust compiler is non-deterministic. Although, according to the CosmWasm Discord, rust-optimizer is deterministic and it’s a uniquely Terra problem. As a developer myself, I can’t imagine a compiler being non-deterministic.
Apologies if this is not true. I would love to get to the bottom of this and be able to verify the smart contracts myself as a user of the blockchain.
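
The check this post asks for, as an added example (not code from Terra, CosmWasm or the post's author): hash the bytecode exported from the chain and look it up in the checksums produced by a local build of the published source. It assumes the build writes a `sha256sum`-style `checksums.txt` and that the on-chain bytes may arrive base64-encoded and/or gzip-compressed; the function names, sample module and file name are constructed for illustration.

```python
import base64
import gzip
import hashlib

WASM_MAGIC = b"\x00asm"   # first four bytes of every WebAssembly module
GZIP_MAGIC = b"\x1f\x8b"  # first two bytes of a gzip stream

def normalize_wasm(blob: bytes) -> bytes:
    """Return raw wasm bytes from a blob that may be base64 text and/or gzip."""
    if not blob.startswith((WASM_MAGIC, GZIP_MAGIC)):
        # Assumption: anything else is base64 text from a node query response.
        blob = base64.b64decode(b"".join(blob.split()), validate=True)
    if blob.startswith(GZIP_MAGIC):
        blob = gzip.decompress(blob)
    if not blob.startswith(WASM_MAGIC):
        raise ValueError("not a WebAssembly module")
    return blob

def parse_checksums(text: str) -> dict:
    """Map hex digest -> file name from sha256sum-style lines."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and len(parts[0]) == 64:
            table[parts[0].lower()] = parts[1].lstrip("*")
    return table

def verify(onchain_blob: bytes, checksums_text: str):
    """Return (digest, matching artifact name or None) for the on-chain code."""
    digest = hashlib.sha256(normalize_wasm(onchain_blob)).hexdigest()
    return digest, parse_checksums(checksums_text).get(digest)

if __name__ == "__main__":
    # Constructed sample: the smallest valid wasm module (header only).
    module = b"\x00asm\x01\x00\x00\x00"
    checksums = hashlib.sha256(module).hexdigest() + "  my_contract.wasm\n"
    exported = base64.b64encode(gzip.compress(module))  # as a node might return it
    for label, blob in (("untampered", exported), ("tampered", module + b"\x00")):
        digest, name = verify(blob, checksums)
        print(label, digest[:16], "->", name or "NO MATCH with audited build")
```

A match only means something if the local build is reproducible, so the same source and toolchain version must yield byte-identical output on every machine.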