Automated verification of MerkleLockupLL

[PaulRBerg]

Problem

Note: MerkleStreamer will be renamed to MerkleLockup in the future release of the protocol.

The MerkleLockupLL contract is not meant to be deployed by us, but by users. This means that we cannot verify its source code on Etherscan at the time when we are deploying the protocol - unless we ourselves deploy one campaign.

I don't find it worth it to pay the deployment cost just to verify the contract. We should let users organically pick up the protocol, and verify the source code only when needed, i.e., only after a campaign gets deployed by a user.

The problem is that the MerkleLockupLL contract will show up as unverified until we realize it and verify it manually, and the process of monitoring deployments and running a verification script is manual and time-consuming.

Potential Solution

We need to come with a creative solution. Maybe there is a way to automate this? There must be some sort of Lambda function-like solution that allows us to run a script in response to certain events emitted by the protocol.

Maybe Tenderly or Etherhook?

Warp Script

I've put this into Warp Drive, which we can use a short-term solution.

FOUNDRY_PROFILE=optimized \
forge verify-contract merkleStreamerLL \
./src/SablierV2MerkleStreamerLL.sol:SablierV2MerkleStreamerLL \
--chain sepolia \
--etherscan-api-key $ETHERSCAN_API_KEY \
--watch \
--constructor-args \
$(
  cast abi-encode "constructor(address,address,address,bytes32,uint40,(uint40,uint40),bool,bool)" \
  initialAdmin \
  lockupLinear \
  asset \
  merkleRoot \
  expiration \
  durations \
  cancelable \
  transferable
)

[smol-ninja]

If I understand you correctly :-

When we deploy the MerkleLockupFactory and verify its source code on Etherscan, doesn't it also verify the MerkleLockupLL bytecode?

And, when a user deploys MerkleLockupLL, etherscan would be able to use the "Similar match" feature to show the source code using the deployed bytecode of the Lockup contract. So with that argument, I don't think the MerkleLockupLL contract will show up as unverified.

However, I may be wrong here. WDYT?

[PaulRBerg]

doesn't it also verify the MerkleLockupLL bytecode?

It doesn't

when a user deploys MerkleLockupLL, etherscan would be able to use the "Similar match" feature

Yes, but not when the first user deploys it.

[PaulRBerg]

Looks like Etherhook might indeed be helpful for this.

[PaulRBerg]

cc @sablier-labs/solidity and @razgraf, we should find an automated solution for this

[smol-ninja]

I think I have a solution.

I have deployed a contract that takes in the transaction data of createMerkleLL and createMerkleLT function calls and then returns the constructor arguments of merkleLL and merkleLT contracts: https://sepolia.etherscan.io/address/0xa9fb181be1c9e8b294925964294c9aae86c7a5e9#readContract

Now all I have to do is write a shell script that does the following:

1. Takes in the transaction id, fetch the transaction data from it and then uses the above contract to fetch constructor arguments.
2. Run the verify command:

FOUNDRY_PROFILE=optimized \
forge verify-contract --etherscan-api-key $ETHERSCAN_API_KEY --verifier-url https://api.polygonscan.com/api \
--constructor-args $CONSTRUCTO_ARGS <CONTRACT_TO_VERIFY> \
src/SablierV2MerkleLT.sol:SablierV2MerkleLT --watch

Atleast, it would be easier to verify contracts, even manually, from now on.

[PaulRBerg]

Smart!

[PaulRBerg]

Confused user asking about unverified Merkle campaign on Polygon:

cc @sablier-labs/solidity how difficult would it be to set up an automated verification service? We should brainstorm about this on a call someday

cc @maxdesalle

[smol-ninja]

It's easy as long as we have easy access to the API key and API endpoint. But it cannot be generalized, as in some cases, such as Meld, it required flattening of the code, which could only be figured out through their documentation.

This is how I manually verify the code:

• Go to https://sepolia.etherscan.io/address/0xa9fb181be1c9e8b294925964294c9aae86c7a5e9#readContract
• Enter transaction data from the transaction that deployed the MerkleLL / MerkleLT contract and copy the return value
• Go to v2-periphery repo
• Run the following command command

FOUNDRY_PROFILE=optimized \
forge verify-contract --etherscan-api-key $ETHERSCAN_API_KEY --verifier-url $ETHERSCAN_URL \
--constructor-args $COPIED_VALUE <CONTRACT_TO_VERIFY> \
src/SablierV2MerkleLT.sol:SablierV2MerkleLT --watch

Lets say we deploy an automated service to do the same. We'd still have to pass the tx id, API key (if its a new chain), API endpoint and the rest can be fetched automatically.

[PaulRBerg]

If we can get this automated on just the major chains (Ethereum, Polygon, Arbitrum, etc.), that would be a major win.

Thanks for sharing the manual verification steps. Would you like to put them in a new discussion of type Show and Tell?

Lets say we deploy an automated service to do the same. We'd still have to pass the tx id, API key (if its a new chain), API endpoint

The API key and endpoints can be hard-coded if we restrict the service to major, known chains.

However, would the service be 'automated' if we had to manually pass the tx hash Can't we spin up a Lambda function on Vercel that listens to events emitted by the Merkle factories, and use the tx hash of the first deployment?

Tagging @gavriliumircea, whose expertise in web2 infra may be relevant here.

[gavriliumircea]

A lambda functions works has a limited lifespan and is not the right choice for active listening tasks. We need a server that is up at any time in order to listen for the events.