🧐 Motivation
The contracts produced by the OpenZeppelin team are of high quality. So when I go to Etherscan and check the source code of a verified contract, I tend to trust it more when I can see that it's reusing OpenZeppelin implementations instead of reinventing the wheel. However, this is far from trivial to do. A lot of the time I simply don't know whether a subcontract from a verified contract is coming from OpenZeppelin or not.
📝 Details
So my suggestion is very simple. I wonder if you could do two simple things:
1) Adding a (comment) header to all OpenZeppelin contracts, which would include an explicit mention of the OpenZeppelin project and the corresponding version of the contract. Something like this:
/**
* @origin This subcontract was developed by the OpenZeppelin team.
* Location: contracts/token/ERC20/ERC20.sol. Version: v1-12-0
*/
2) Since a verified contract is like a flattened version of the original source code, you guys could add delimiters at the beginning and end of your contracts. Something like this:
///////
[The header described above]
[The source code of the OpenZeppelin contract]
///////
With these two measures in place (header and delimiters), end-users would know exactly which subcontracts of a verified contract were reused from OpenZeppelin and their corresponding versions.
This feature request is related to #336, but it is _not_ the same thing. Thanks!
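To make the proposed header and delimiters checkable rather than taken on faith, here is an added example (not part of this issue and not OpenZeppelin code) that scans a flattened source for blocks in the format proposed above, reads the Location/Version from the header, and compares a whitespace-normalized hash of the enclosed code against a table of known release hashes. The header format, the delimiter, the sample contract bodies and the hash table are all constructed for this example; in practice the table would be built from the actual OpenZeppelin release files.

```python
"""Check OpenZeppelin origin headers in a flattened Solidity source.

Added example for this thread. The header/delimiter format is the one
proposed in the issue (hypothetical); the contract bodies, the flattened
source and the table of known hashes are constructed here as sample data.
"""
import hashlib
import re

DELIM = "///////"  # delimiter proposed in the issue (assumed exact)
HEADER_RE = re.compile(
    r"@origin\s+This subcontract was developed by the OpenZeppelin team\.\s*"
    r"\*\s*Location:\s*(?P<loc>\S+)\.\s*Version:\s*(?P<ver>[\w.\-]+)",
    re.S,
)


def normalize(code: str) -> str:
    # Collapse whitespace so reindentation or line endings do not change the hash.
    return re.sub(r"\s+", " ", code).strip()


def digest(code: str) -> str:
    return hashlib.sha256(normalize(code).encode()).hexdigest()


def extract_blocks(flat_src: str):
    """Yield (location, version, body) for each delimited block."""
    parts = flat_src.split(DELIM)
    # Delimited blocks sit at odd indices: text, [block], text, [block], ...
    for chunk in parts[1::2]:
        m = HEADER_RE.search(chunk)
        if not m:
            yield (None, None, chunk)
            continue
        # The body is everything after the closing */ of the header comment.
        end = chunk.find("*/", m.end())
        body = chunk[end + 2:] if end != -1 else chunk[m.end():]
        yield (m.group("loc"), m.group("ver"), body)


def verify(flat_src: str, known: dict) -> list:
    """Return one (location, version, status) tuple per delimited block."""
    results = []
    for loc, ver, body in extract_blocks(flat_src):
        if loc is None:
            results.append((None, None, "delimited block without header"))
            continue
        expected = known.get((loc, ver))
        if expected is None:
            status = "unknown location/version"
        elif expected == digest(body):
            status = "matches release"
        else:
            status = "header claims OZ but code differs"
        results.append((loc, ver, status))
    return results


# Constructed sample "release" body standing in for ERC20.sol (not real OZ code).
OZ_ERC20_BODY = """
contract ERC20 {
    mapping(address => uint256) private _balances;
    function _transfer(address from, address to, uint256 value) internal {
        require(to != address(0));
        _balances[from] = _balances[from] - value;
        _balances[to] = _balances[to] + value;
    }
}
"""


def header(loc: str, ver: str) -> str:
    return ("/**\n * @origin This subcontract was developed by the OpenZeppelin team.\n"
            f" * Location: {loc}. Version: {ver}\n */\n")


# Constructed hash table: in practice built from the real release files.
KNOWN = {("contracts/token/ERC20/ERC20.sol", "v1-12-0"): digest(OZ_ERC20_BODY)}

# Same header, but the zero-address check was removed: the header is "falsified".
TAMPERED_BODY = OZ_ERC20_BODY.replace("        require(to != address(0));\n", "")

FLAT_SRC = (
    "pragma solidity ^0.4.24;\n"
    + DELIM + "\n" + header("contracts/token/ERC20/ERC20.sol", "v1-12-0") + OZ_ERC20_BODY + DELIM + "\n"
    + "contract Vendor {}\n"
    + DELIM + "\n" + header("contracts/token/ERC20/ERC20.sol", "v1-12-0") + TAMPERED_BODY + DELIM + "\n"
    + "contract MyToken is ERC20 {}\n"
)

if __name__ == "__main__":
    for loc, ver, status in verify(FLAT_SRC, KNOWN):
        print(loc, ver, status)
```

Whitespace normalization is deliberately simple; it will not tolerate comment edits, renamed identifiers or compiler-version pragmas, so a real check would either strip comments before hashing or compare against the published package source file by file. The point is that the header is only a hint, as the discussion below notes, and the hash comparison is what turns it into evidence.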
Although the OpenZeppelin team could do this following your suggestion, as for contract writers, it is uncertain whether they would keep this comment in their code; what is more, if some writers do not use OpenZeppelin contracts but want to gain others' trust, they could add these to their contracts. So the key point of your suggestion is that if the OpenZeppelin team would like to do this, they must audit contracts in order to ensure that only they can add the official statement, but this would add to their burden. I think the OpenZeppelin team provides users with optional contracts; as for users, they can choose to use them or not.
Thanks for the reply, @Skyge. However, I feel the goal is not really to enforce anything. Instead, it is more of a way for the OpenZeppelin project to ensure that its impact is widely recognized throughout the community. I feel it would be particularly helpful for novice end-users who have just a basic understanding of Solidity. Ultimately, there is tons of great work being done here and it would be great if people could recognize it.
This is a great suggestion @golivax, thank you!
I tend to trust it more when I can see that it's reusing OpenZeppelin implementations instead of reinventing the wheel.
I have to agree with @Skyge that if we add a header it should not be for this purpose, because it can be easily "falsified". However, I think a header can still be valuable as a first hint that some code may be OpenZeppelin's.
I'll think of a format for the header.
@frangio I have got to say, please think about it seriously. I do not think this is a good idea. As a matter of fact, no matter who wants to write a safe, effective and vulnerability-free contract, he/she will come here for some ideas, but I think they will not use the contracts directly; he/she will make some changes to satisfy their own requirements. Yes, he/she really uses most of the OpenZeppelin contract, but it is precisely the changes he/she made that have led to fatal errors, so using most of OpenZeppelin's contracts does not mean it is safe. So the contract writer can make a comment: "This subcontract was developed by the OpenZeppelin team." But the OpenZeppelin team cannot. Please consider it seriously!