(Initially suggested by @frangio)
This is a proposal to build a smart contract sanctuary: an index of verified smart contracts written in Cairo.
An archive of Cairo smart contract code would be a major aid for the design, development, and decision making of a variety of ecosystem actors such as: app developers, SNIP designers, infrastructure developers, RPC-endpoint developers, node/sequencer developers, wallet developers, security researchers, and the list goes on and on.
Just to give two recent examples I stumbled upon this very week myself:
Discussing the Standard Account Interface with account implementers such as Argent and Braavos, we started considering changing the return value of `felt252`. Although I'm not going to reproduce the discussion here, the point is that we had no information on whether such a change would break existing, deployed smart contracts or whether it was safe to make. A smart contract sanctuary wouldn't have settled the question, but it would have greatly informed our discussion.
Similarly, while working on the SRC5 migration we started wondering whether we needed to release a backwards-compatible implementation of `ERC721` that worked with both introspection mechanisms, or whether that would have been wasted effort and it was safe to drop ERC165 altogether, gaining development speed, a simpler codebase, and reduced execution costs. A smart contract sanctuary would have told us whether one or several `ERC721Receiver` contracts were deployed on the network.
These are just two examples, but the real world use cases are infinite. Just to give one more:
- Several times at OpenZeppelin, after finding or being notified about a critical vulnerability in a contract or module, we've found ourselves with the difficult yet critical task of identifying the vulnerable deployed contracts in order to estimate the potential impact and lay out a mitigation plan for each affected contract. After that comes another challenge, notifying the developers, but that is out of this proposal's scope.
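To make the two use cases concrete, here is a toy query layer over such an index, added as an illustration and not part of the proposal; the index contents, class hashes and the SRC5 id are constructed, and only `0x150b7a02` is the real ERC165 id of `IERC721Receiver`:

```python
# Added illustration (not part of the proposal): the kind of question a verified
# Cairo source index would answer. Every class hash, name and source below is
# constructed; only 0x150b7a02 is the real ERC165 id of IERC721Receiver.
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class VerifiedContract:
    class_hash: str  # placeholder, not a real Starknet class hash
    name: str
    source: str      # verified Cairo source text as stored in the index

INDEX = [
    VerifiedContract("0x0a", "Erc165Receiver", """
        const IERC721_RECEIVER_ID: felt252 = 0x150b7a02;
        fn supports_interface(self: @ContractState, id: felt252) -> bool { id == IERC721_RECEIVER_ID }
        fn on_erc721_received(self: @ContractState, operator: ContractAddress, from: ContractAddress,
            token_id: u256, data: Span<felt252>) -> felt252 { IERC721_RECEIVER_ID }
    """),
    VerifiedContract("0x0b", "Src5Receiver", """
        // SRC5 interface id: hypothetical placeholder value
        const ISRC5_RECEIVER_ID: felt252 = 0xdeadbeef;
        fn on_erc721_received(self: @ContractState, operator: ContractAddress, from: ContractAddress,
            token_id: u256, data: Span<felt252>) -> felt252 { ISRC5_RECEIVER_ID }
    """),
    VerifiedContract("0x0c", "PlainToken", """
        fn transfer(ref self: ContractState, to: ContractAddress, amount: u256) -> bool { true }
    """),
]

def contracts_defining(index, fn_name):
    """Class hashes whose verified source defines `fn <fn_name>(`."""
    pat = re.compile(rf"\bfn\s+{re.escape(fn_name)}\s*\(")
    return sorted(c.class_hash for c in index if pat.search(c.source))

def contracts_mentioning_id(index, interface_id):
    """Class hashes whose source contains a literal interface id (ERC165 or SRC5)."""
    needle = interface_id.lower()
    return sorted(c.class_hash for c in index if needle in c.source.lower())

def introspection_report(index):
    """Answer the SRC5-migration question: who implements a receiver hook at all,
    who of those relies on the ERC165 id, and who is untouched by dropping ERC165."""
    receivers = set(contracts_defining(index, "on_erc721_received"))
    erc165 = set(contracts_mentioning_id(index, "0x150b7a02"))
    return {
        "receivers": sorted(receivers),
        "erc165_dependent": sorted(erc165 & receivers),
        "unaffected": sorted(c.class_hash for c in index if c.class_hash not in receivers),
    }
```

The same `contracts_defining` query, pointed at a function or pattern known to be vulnerable, is the impact-estimation step from the OpenZeppelin example above.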
The best case scenario would be for RPC endpoint providers, node runners, and block explorers to cooperate in collecting as much verified source code (maybe also Sierra code?) as possible into a single, well-structured repository. We should draw inspiration from (if not directly contribute to) @tintinweb's repository, or create a new dedicated one.
The sooner we build this, the better for the sake of completeness and convenience.
Having a smart contract code database provides tremendous value to developers, researchers, companies, individuals, and ultimately the entire ecosystem. Let’s buidl one.