CSV Verify — Contract Source Verify

Verify smart contracts.
Trust the source.

CSV Verify rebuilds Soroban contracts from their public source and proves the on-chain WASM matches. Secure. Transparent. Verified.

SEP-58 Compatible
Official Stellar CLI
Reproducible Builds
Open Source

Learn more

SEP-58 is a Stellar Ecosystem Proposal that defines a standard for embedding source-code metadata directly inside a compiled Soroban WASM binary. This allows anyone to independently verify that a deployed contract was built from a specific, auditable source repository.

Metadata fields

  • source_repoURL of the public source repository
  • source_revGit commit SHA pinned at build time
  • bldimgDocker image used for reproducible build
  • tarball_sha256SHA-256 hash of the source tarball
  1. 01Fetch the deployed WASM bytecode for the given contract ID from the Stellar RPC node.
  2. 02Extract the contractmetav0 custom section embedded in the WASM binary.
  3. 03Parse the SEP-58 fields (source_repo, source_rev, bldimg).
  4. 04Clone the repository at the exact commit referenced by source_rev.
  5. 05Reproduce the build inside an isolated Docker container using the bldimg image.
  6. 06Compare the resulting WASM hash with the on-chain bytecode — a match means cryptographic verification.

Smart contracts control real assets. Without source verification, users must blindly trust that the bytecode on-chain matches the audited source code — a gap that has led to multi-million dollar exploits in other ecosystems.

  • Trust minimisationAnyone can reproduce the build and check the hash without relying on a third party.
  • Audit traceabilitySecurity auditors can confirm that the audited commit is exactly what was deployed.
  • Supply chain integrityPinning the Docker build image prevents toolchain substitution attacks.
  • Ecosystem confidenceVerified contracts signal professionalism and attract more users and integrators.

Built on Stellar