Problem: Black box after deployment
After deploying a contract on mainnet, users see only bytecode. Etherscan shows "Contract" instead of function names. Other protocols won't call such a contract — too risky. An unverified contract may contain a backdoor or be swapped via proxy. Compilation configuration errors (version, optimization, metadata) lead to verification failure. We solve this problem at the system level: configure the environment, prepare the Standard JSON Input, and pass verification on the first try in 95% of cases.
How verification works?
The block explorer takes the source code and compiler parameters, compiles locally, and compares the bytecode with what's on the chain. Match — contract verified, source code published. The main requirement is deterministic compilation. The Solidity compiler, given identical input data and settings, must produce identical bytecode. A mismatch in compiler version (e.g., 0.8.19 vs 0.8.20), optimization flags (runs: 200 vs runs: 999), file order, or metadata — and verification fails. Documentation Solidity describes this mechanism in detail.
How to cut verification time by 3x?
Use Foundry instead of manually entering parameters on the explorer. forge verify-contract automatically builds the Standard JSON Input and sends it to Etherscan. According to our data, this reduces setup time from 30 minutes to 5. We prepared a comparison table of tools:
| Tool |
Setup Speed |
Proxy Support |
Library Handling |
| Hardhat hardhat-verify |
Medium (10 min) |
Yes (via verify:true) |
Requires address linking |
| Foundry forge verify-contract |
High (5 min) |
Yes (automatic detection) |
Automatic linking |
| Sourcify |
Medium (15 min) |
Limited |
Requires IPFS hash |
For simple contracts, Hardhat is sufficient; for complex ones with proxies and libraries, Foundry is 2x faster.
How we handle complex cases?
We have 7+ years in blockchain and over 50 successful verifications. We've dealt with proxy contracts (UUPS, Transparent), complex library chains, and flash loans. For each project we prepare a Standard JSON Input — this reduces error probability to zero. If the contract uses immutable variables or calldata with complex structures, we manually check constructor arguments. Verification via Foundry reduces setup time by 3x compared to manual parameter entry.
Why verification is important for security?
An unverified contract is a black hole for auditors. No serious audit will start without a verified status. Verification is the first step toward formal verification and static analysis (Slither, Mythril). Imagine: you find a bug, but the contract is unverified — you can't fix and redeploy. Saving on verification results in million-dollar losses from hacks. We guarantee that after our work, the contract passes any checks.
How to avoid common verification errors?
Typical errors and their solutions
| Cause |
Solution |
| Compiler version mismatch |
Specify exact version pragma solidity 0.8.19, on the explorer — the same |
| Optimization settings mismatch (runs) |
Save solc config separately, use get-hardhat-config for logging |
| Using libraries without addresses |
Specify linked library addresses during verification |
| Proxy contracts |
First verify implementation, then proxy — click "Verify as proxy" on Etherscan |
| Metadata (metadata hash) |
Add --metadata-hash none in solc or disable in hardhat |
For proxy contracts, Etherscan supports detection via ABI proxy detection — after verifying both parts, click "Is this a proxy?". We also connect @openzeppelin/contracts and use upgradeable patterns.
Verification tools
Hardhat + hardhat-verify (formerly hardhat-etherscan). After deployment:
npx hardhat verify --network mainnet 0xCONTRACT_ADDRESS "arg1" "arg2"
The plugin automatically detects the compiler version from hardhat.config.ts, builds the Standard JSON Input, and sends it to the Etherscan API. Works for Ethereum, Polygon, BSC, Arbitrum, Optimism — via etherscan.apiUrl config.
Foundry forge verify-contract — works similarly but via Standard JSON Input directly:
forge verify-contract 0xCONTRACT_ADDRESS src/MyContract.sol:MyContract \
--chain-id 1 \
--etherscan-api-key $ETHERSCAN_KEY \
--constructor-args $(cast abi-encode "constructor(address)" 0xADDR)
Sourcify — decentralized alternative. Stores source on IPFS, supported by most explorers. Foundry supports deployment with simultaneous verification:
forge script Script --broadcast --verify --verifier sourcify
What's included in the work
- Full compilation configuration diagnostics
- Preparation of Standard JSON Input
- Verification on block explorer (up to 3 networks by default)
- If proxy — verification of both parts
- Retry attempts on errors (included in cost)
- Documentation on setup and deployment
- Consultation on best practices for gas optimization and security
Timeframe and cost
Timeframe: from 2 hours to 1 business day — depends on contract complexity (libraries, proxies, number of networks). Cost calculated individually. Order verification of your contract today — send a link to the contract on any network (Etherscan, Polygonscan, Arbiscan) and get an estimate within 1 hour. Get a consultation on verification setup — make your contracts transparent.
Contact us to discuss your project details — we'll respond within an hour.
Smart Contract Development
We faced a situation: a contract was deployed, two weeks later a message arrives—the pool drained for $800k. Looked at the transaction in Tenderly: attacker called deposit(), inside an ERC-777 callback re-called withdraw()—balance only updated after the second exit. Classic reentrancy, but not via ETH transfer—through an ERC-777 hook. ReentrancyGuard was only on withdraw().
Such cases are not rare. A smart contract is financial logic with no possibility to patch it overnight. Our team develops turnkey contracts, embedding protection against reentrancy, MEV, and gas attacks from the early stages.
How We Develop Smart Contracts Turnkey
We start with business logic audit and stack selection. Solidity 0.8.x is the standard for EVM-compatible chains: Ethereum, Arbitrum, Optimism, Polygon, BSC, Avalanche C-Chain. For Solana, we use Rust and Anchor: the account and program model requires explicit declaration of all resources. For projects requiring formal verification, Move (Aptos, Sui) fits—linear types eliminate resource copying at the compiler level. Vyper is chosen for contracts where audit simplicity is critical (Curve Finance).
| Language |
Execution Model |
Typical Domain |
Risks |
| Solidity 0.8.x |
EVM, sequential |
DeFi, NFT, tokens |
Reentrancy, overflow (unchecked) |
| Rust (Anchor) |
Solana, parallel |
High-throughput DEX, games |
Incorrect account declaration |
| Move |
Aptos/Sui, resource |
Large protocols |
Ecosystem complexity |
| Vyper |
EVM, limited syntax |
Critical contracts (Curve) |
Compiler stability dependency |
Gas optimization is not premature optimization—it is an architectural decision. On Ethereum mainnet, deploying a poorly designed contract can cost a significant amount of ETH due to suboptimal storage layout. Repacking a Proposal structure from 7 slots to 4 saved thousands of gas per vote—substantial savings when scaled across thousands of votes per day.
Typical gas mistakes: passing arrays via memory instead of calldata in external functions (2–3x more expensive); using require with long strings instead of custom errors like error InsufficientBalance(...). Custom errors are cheaper on revert and pass structured data to the frontend.
Why Smart Contract Audit Is Critical for Security
Audit is not a one-time check—it is a built-in development stage. We use three levels:
-
Static analysis—
Slither (30 seconds in CI) detects reentrancy, uninitialized variables, dangerous delegatecall.
-
Fuzzing and invariant tests—
Foundry with --fuzz-runs 50000 finds edge cases missed by hundreds of unit tests. Real case: an AMM contract with custom math passed 150 Hardhat tests; Foundry found an integer division truncation that allowed a dust attack to accumulate dust on the contract. Echidna checks invariants ("sum of all balances ≤ totalSupply").
-
Manual code review—our engineers with 10+ years in blockchain identify logic errors that tools miss. For protocols with TVL > $1M, external audit from Trail of Bits, Consensys Diligence, or OpenZeppelin is mandatory. Timeline: 2–4 weeks.
Any upgradeable protocol must have a timelock. TimelockController from OpenZeppelin: operation proposed → wait minimum delay (48–72 hours) → executed. Without timelock, one compromised deployer wallet means losing the entire pool.
What Upgrade Patterns Do We Choose?
| Pattern |
Mechanism |
Risk |
When to Use |
Our Experience |
| Transparent Proxy (OZ) |
admin vs user separation |
Storage collision, centralization |
Standard projects |
15+ implementations |
| UUPS |
Upgrade logic in implementation |
Forget _authorizeUpgrade → contract permanently broken |
Gas-optimized projects |
7 projects |
| Diamond (EIP-2535) |
Multiple facets |
Audit complexity |
Large protocols with 10+ contracts |
3 deployments |
| Beacon Proxy |
One beacon for multiple proxies |
Beacon = single point of failure |
Factories of identical contracts |
5 factories |
Storage collision is the main danger of proxies. Implementation v2 must not add variables before existing ones. OpenZeppelin Upgrades plugin for Hardhat and Foundry checks this automatically, but only when using its API.
How to Protect a Contract from MEV and Front-Running
On Ethereum mainnet, transactions in the mempool are visible to all. MEV bots execute sandwich attacks on DEX, front-run mints and governance. Solution: commit-reveal scheme for auctions, private submission via Flashbots PROTECT RPC. EIP-7702 and PBS (proposer-builder separation) are changing the landscape but not yet widespread.
What Is the Development Process?
-
Analysis—functional specification, call diagram, edge case analysis. Without this, coding starts in vain.
-
Development—Solidity/Rust with tests in parallel. Test → code → refactoring. Use Foundry for fuzz and invariant tests.
-
Internal audit—Slither + Echidna + manual code review. Foundry invariant tests for protocol invariants.
-
External audit—for projects with real money. Timeline: 2–4 weeks.
-
Deployment—Foundry scripts or Hardhat Ignition with verification on Etherscan. Gnosis Safe for ownership transfer immediately after deployment.
-
Monitoring—Tenderly alerts, OpenZeppelin Defender, Forta Network.
What Is Included
- Architecture documentation and contract specification (NatSpec).
- Source code with repository and CI (Slither, Foundry, coverage).
- Deployed contract with verification on blockchain explorer.
- Audit results (internal and external upon request).
- Access to monitoring and management (Gnosis Safe).
- Code warranty: critical bug fixes within one month after deployment.
- Consultation on web integration (wagmi, RainbowKit).
Estimated Timelines
- ERC-20 token with basic functions: 1–2 weeks
- Vesting contract with cliff/linear schedule: 2–3 weeks
- NFT ERC-721/1155 with marketplace: 4–6 weeks
- AMM or lending protocol: 2–4 months
- Multichain protocol with bridge: 4–7 months
Audit adds 3–6 weeks and runs in parallel with final testing where possible. Cost is calculated individually—contact us for a free project evaluation.
Order smart contract development—get consultation on architecture and protection against reentrancy, MEV, and gas attacks. Want to discuss details? Write to us—we will select the optimal stack for your task.