You have a smart contract on BSC, but BscScan shows only bytecode? Investors can't see the logic, auditors refuse to work without source code, and exchange listing is stuck. Verification solves this in an hour. We turn bytecode back into readable Solidity, making your project transparent and accessible. Our track record: over 50 contracts on BSC, Ethereum, and Polygon, 5 years helping projects pass checks on the first try.
Why Verification Fails Even for Experienced Developers
The most common failure reason is a bytecode mismatch. BscScan recompiles your uploaded source with the specified parameters and compares it with the on-chain bytecode. If the compiler version, optimizer runs, or evmVersion differ—it fails. We guarantee exact parameter matching through detailed deployment configuration analysis.
Contract flattening with dependencies also creates issues. If your contract imports OpenZeppelin, you must either upload all files via Standard JSON Input or flatten into a single file. When flattening with hardhat flatten, SPDX-License-Identifier and pragma solidity may duplicate—causing compilation errors. Solution: keep only one directive at the file start.
Immutable variables are written into bytecode at deployment with specific values. Verification through the standard form sometimes fails to correctly specify constructor arguments for immutables—Standard JSON Input is more reliable.
Preparing the Contract for Verification
First, obtain the exact compilation parameters used at deployment. You can read metadata from bytecode via solc --metadata or use Tenderly. Then ensure the source is flattened correctly: no duplicate licenses or pragmas. If the contract uses immutable, specify their values in the constructor. When errors occur, upload sources via Standard JSON Input—it gives full control over the structure.
Verification Methods
| Method |
Complexity |
When to Use |
| Hardhat Verify |
Low |
Standard projects, single contract |
| Standard JSON Input |
Medium |
Complex projects with dependencies |
| API Verification |
High |
CI/CD, automated deployment |
Typical Verification Errors
| Error |
Cause |
Solution |
| Bytecode mismatch |
Wrong optimizer runs or evmVersion |
Check deployment metadata |
| Duplicate license |
Flattening with hardhat flatten |
Remove extra SPDX-License-Identifier |
| Compilation pragma error |
Two pragma solidity directives |
Keep one at file start |
How We Verify Contracts
We use all three methods depending on the task. Our typical process:
- Analyze bytecode and deployment configuration (Solidity version, optimizer, evmVersion).
- Prepare source code: flatten or build Standard JSON.
- Verify on a local node: compile and compare bytecode.
- Upload to BscScan via chosen method.
- Test Read/Write functions—ensure everything works.
- Document the process for your team.
Case study: Recently we verified a DeFi protocol with 15 contracts importing multiple versions of OpenZeppelin. Hardhat Verify failed due to a pragma conflict. We prepared a Standard JSON Input with explicit file references—verification passed on the first try. This saved the developer at least 4 hours per contract, and the project cost was determined after complexity assessment.
What to Do If Verification Fails
Analyze the BscScan error. If it reports bytecode mismatch, check: compiler version, optimizer runs, evmVersion. Use a local node for simulation. Ensure all libraries are correctly connected. If the contract imports external packages (e.g., OpenZeppelin), use Standard JSON Input—the only way to guarantee exact dependency structure. For repeated errors, contact us—we'll help restore the configuration.
What's Included in the Turnkey Service
- Recovery of exact compilation parameters (optimizer runs, evmVersion).
- Flattening or building Standard JSON Input.
- Uploading verification to BscScan.
- Verification correctness via Read/Write Contract.
- Brief process documentation.
- Support for reverification after upgrades.
Timeline and Cost
Verification of a single contract takes 1–2 hours. If the contract is already deployed and no source with exact parameters exists—up to a few hours to recover configuration via bytecode analysis. Cost is determined individually based on complexity and scope. BscScan documentation recommends checking parameters before uploading. Get a consultation—we'll prepare your contract for verification and you'll pass on the first try. Order turnkey verification, contact us—we'll help.
Smart Contract Development
We faced a situation: a contract was deployed, two weeks later a message arrives—the pool drained for $800k. Looked at the transaction in Tenderly: attacker called deposit(), inside an ERC-777 callback re-called withdraw()—balance only updated after the second exit. Classic reentrancy, but not via ETH transfer—through an ERC-777 hook. ReentrancyGuard was only on withdraw().
Such cases are not rare. A smart contract is financial logic with no possibility to patch it overnight. Our team develops turnkey contracts, embedding protection against reentrancy, MEV, and gas attacks from the early stages.
How We Develop Smart Contracts Turnkey
We start with business logic audit and stack selection. Solidity 0.8.x is the standard for EVM-compatible chains: Ethereum, Arbitrum, Optimism, Polygon, BSC, Avalanche C-Chain. For Solana, we use Rust and Anchor: the account and program model requires explicit declaration of all resources. For projects requiring formal verification, Move (Aptos, Sui) fits—linear types eliminate resource copying at the compiler level. Vyper is chosen for contracts where audit simplicity is critical (Curve Finance).
| Language |
Execution Model |
Typical Domain |
Risks |
| Solidity 0.8.x |
EVM, sequential |
DeFi, NFT, tokens |
Reentrancy, overflow (unchecked) |
| Rust (Anchor) |
Solana, parallel |
High-throughput DEX, games |
Incorrect account declaration |
| Move |
Aptos/Sui, resource |
Large protocols |
Ecosystem complexity |
| Vyper |
EVM, limited syntax |
Critical contracts (Curve) |
Compiler stability dependency |
Gas optimization is not premature optimization—it is an architectural decision. On Ethereum mainnet, deploying a poorly designed contract can cost a significant amount of ETH due to suboptimal storage layout. Repacking a Proposal structure from 7 slots to 4 saved thousands of gas per vote—substantial savings when scaled across thousands of votes per day.
Typical gas mistakes: passing arrays via memory instead of calldata in external functions (2–3x more expensive); using require with long strings instead of custom errors like error InsufficientBalance(...). Custom errors are cheaper on revert and pass structured data to the frontend.
Why Smart Contract Audit Is Critical for Security
Audit is not a one-time check—it is a built-in development stage. We use three levels:
-
Static analysis—
Slither (30 seconds in CI) detects reentrancy, uninitialized variables, dangerous delegatecall.
-
Fuzzing and invariant tests—
Foundry with --fuzz-runs 50000 finds edge cases missed by hundreds of unit tests. Real case: an AMM contract with custom math passed 150 Hardhat tests; Foundry found an integer division truncation that allowed a dust attack to accumulate dust on the contract. Echidna checks invariants ("sum of all balances ≤ totalSupply").
-
Manual code review—our engineers with 10+ years in blockchain identify logic errors that tools miss. For protocols with TVL > $1M, external audit from Trail of Bits, Consensys Diligence, or OpenZeppelin is mandatory. Timeline: 2–4 weeks.
Any upgradeable protocol must have a timelock. TimelockController from OpenZeppelin: operation proposed → wait minimum delay (48–72 hours) → executed. Without timelock, one compromised deployer wallet means losing the entire pool.
What Upgrade Patterns Do We Choose?
| Pattern |
Mechanism |
Risk |
When to Use |
Our Experience |
| Transparent Proxy (OZ) |
admin vs user separation |
Storage collision, centralization |
Standard projects |
15+ implementations |
| UUPS |
Upgrade logic in implementation |
Forget _authorizeUpgrade → contract permanently broken |
Gas-optimized projects |
7 projects |
| Diamond (EIP-2535) |
Multiple facets |
Audit complexity |
Large protocols with 10+ contracts |
3 deployments |
| Beacon Proxy |
One beacon for multiple proxies |
Beacon = single point of failure |
Factories of identical contracts |
5 factories |
Storage collision is the main danger of proxies. Implementation v2 must not add variables before existing ones. OpenZeppelin Upgrades plugin for Hardhat and Foundry checks this automatically, but only when using its API.
How to Protect a Contract from MEV and Front-Running
On Ethereum mainnet, transactions in the mempool are visible to all. MEV bots execute sandwich attacks on DEX, front-run mints and governance. Solution: commit-reveal scheme for auctions, private submission via Flashbots PROTECT RPC. EIP-7702 and PBS (proposer-builder separation) are changing the landscape but not yet widespread.
What Is the Development Process?
-
Analysis—functional specification, call diagram, edge case analysis. Without this, coding starts in vain.
-
Development—Solidity/Rust with tests in parallel. Test → code → refactoring. Use Foundry for fuzz and invariant tests.
-
Internal audit—Slither + Echidna + manual code review. Foundry invariant tests for protocol invariants.
-
External audit—for projects with real money. Timeline: 2–4 weeks.
-
Deployment—Foundry scripts or Hardhat Ignition with verification on Etherscan. Gnosis Safe for ownership transfer immediately after deployment.
-
Monitoring—Tenderly alerts, OpenZeppelin Defender, Forta Network.
What Is Included
- Architecture documentation and contract specification (NatSpec).
- Source code with repository and CI (Slither, Foundry, coverage).
- Deployed contract with verification on blockchain explorer.
- Audit results (internal and external upon request).
- Access to monitoring and management (Gnosis Safe).
- Code warranty: critical bug fixes within one month after deployment.
- Consultation on web integration (wagmi, RainbowKit).
Estimated Timelines
- ERC-20 token with basic functions: 1–2 weeks
- Vesting contract with cliff/linear schedule: 2–3 weeks
- NFT ERC-721/1155 with marketplace: 4–6 weeks
- AMM or lending protocol: 2–4 months
- Multichain protocol with bridge: 4–7 months
Audit adds 3–6 weeks and runs in parallel with final testing where possible. Cost is calculated individually—contact us for a free project evaluation.
Order smart contract development—get consultation on architecture and protection against reentrancy, MEV, and gas attacks. Want to discuss details? Write to us—we will select the optimal stack for your task.