The Paladin Live Match is a proprietary mechanism that compares the verified source code of deployed contracts with the code that was audited by Paladin during the audit process. This is valuable to the project, investors and users because it provides assurance that the smart contracts which are in use match the code that was audited and approved by Paladin.
Why it matters
The Paladin Live Match is important because it helps to ensure the integrity of the smart contract codebase. By comparing the deployed code with the audited code, it is possible to catch any discrepancies that may exist between the two. This is valuable for projects, investors and users because it allows them to be sure that they are using the approved version of the smart contract code.
How it works
The Paladin Live Match works by comparing the deployed source code with the last approved revision of the audit (the last resolution). Oftentimes this revision includes third-party libraries such as OpenZeppelin contracts. Paladin has audited many versions of these contracts and will automatically match the deployed dependencies with the closest audited version. If there are any discrepancies within these libraries or within the deployed source code in general, Paladin will carefully assess these differences. If the changes relative to the audited contracts are found to be malicious, the client will be informed and Paladin will work together with the client to resolve the potential impact. If the client has decided to add new features or change the contracts, we will reach out to indicate that we can audit these changes for a nominal charge. If the client decides to leave the changes unaudited, this will be communicated to users with a failed live match status for that specific contract.
If the live match succeeds, this is recorded both in the report document and on the project's page on the website. All individual contract addresses are added to the report and the website page, allowing users to validate that the contract they are interacting with is in fact genuine as well.
Who benefits
The Paladin Live Match is beneficial for projects, investors and users.
Projects benefit from the Paladin Live Match because it helps to ensure the integrity of their codebase. If there are any discrepancies between the deployed code and the audited code, the Paladin Live Match will catch them and allow the project to take corrective action.
Investors benefit from the Paladin Live Match because it provides them with assurance that the smart contracts which are in use match the code that was audited and approved by Paladin. This helps to instill confidence in the project and the smart contracts that it is using.
Users benefit from the Paladin Live Match because it allows them to double-check the contract addresses of the contracts they interact with (to avoid front-end phishing attacks) and validate that the audit actually applies to their situation. This helps to ensure that the contracts are safe to use and that they will behave as expected.
Why it’s unique
The Paladin Live Match is unique because it is the only mechanism of its kind that compares the verified source code of deployed contracts with not only the code that was audited by the auditor, but also the dependencies and deployment configuration. This helps to ensure the integrity of the smart contract codebase and provides assurance to projects, investors and users that the contracts which they are using match the code that was audited and approved by Paladin.
But my project is closed-source
The Paladin Live Match can still be executed even for projects that want to keep their code closed-source. This is possible through some clever engineering:
Paladin first flattens all the contracts within the codebase. These flattened contracts are then compiled by a trusted, isolated Solidity compiler so that any toolchain vulnerabilities are caught. Afterwards, the trusted compiled bytecode is compared with the unverified on-chain bytecode.
At this point, you might think we are done. We are not. The final step that remains is to run the flattened contracts from the first step through our proprietary live match system. We still want to ensure that the flattened contracts match our audited code and that no changes have been introduced in the dependencies.
These steps are all done to avoid needing to trust the deployment framework, libraries or compiler that the client provides.
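As an added illustration of the bytecode comparison step above (example code, not Paladin's own tooling), the following Python compares trusted-compiler runtime bytecode against on-chain bytecode while accounting for the CBOR metadata trailer that solc appends to runtime code. The sample bytecode values are constructed, and the two-tier match result is an assumption about how such a check could be reported.

```python
"""Compare locally compiled Solidity runtime bytecode with on-chain bytecode.

Added example, not Paladin's tooling. solc appends a CBOR-encoded metadata
block to runtime bytecode whose final two bytes are the big-endian length of
that block. The block holds a metadata/IPFS hash that changes whenever file
paths or compiler settings change, so a byte-for-byte comparison can report a
mismatch even when the executable code is identical.
"""

def strip_metadata(runtime: bytes) -> bytes:
    """Return runtime bytecode without the trailing CBOR metadata block.

    If the trailer is implausible (declared length exceeds the code), the
    bytecode is returned untouched rather than truncated.
    """
    if len(runtime) < 2:
        return runtime
    meta_len = int.from_bytes(runtime[-2:], "big")
    if meta_len + 2 > len(runtime):
        return runtime
    return runtime[: -(meta_len + 2)]

def bytecode_matches(compiled: bytes, onchain: bytes) -> dict:
    """'exact' is a byte-for-byte match; 'code_only' ignores the metadata
    block. A change anywhere in the executable code fails both checks."""
    return {
        "exact": compiled == onchain,
        "code_only": strip_metadata(compiled) == strip_metadata(onchain),
    }

def _with_metadata(code: bytes, ipfs_digest: bytes) -> bytes:
    """Append a constructed solc-style metadata block (51 bytes, 0x0033)."""
    assert len(ipfs_digest) == 34  # multihash: 0x12 0x20 + 32-byte sha256
    meta = (b"\xa2" + b"\x64ipfs" + b"\x58\x22" + ipfs_digest
            + b"\x64solc" + b"\x43\x00\x08\x13")  # claims solc 0.8.19
    return code + meta + len(meta).to_bytes(2, "big")

# Constructed sample values, not real contracts.
CODE = bytes.fromhex("6080604052348015600f57600080fd5b")
COMPILED = _with_metadata(CODE, b"\x12\x20" + b"\x11" * 32)
# Same code, different metadata hash (e.g. a different source path).
ONCHAIN_SAME_CODE = _with_metadata(CODE, b"\x12\x20" + b"\x22" * 32)
# Last opcode altered: a genuine code change that must be flagged.
ONCHAIN_CHANGED = _with_metadata(CODE[:-1] + b"\xfe", b"\x12\x20" + b"\x22" * 32)

if __name__ == "__main__":
    print(bytecode_matches(COMPILED, ONCHAIN_SAME_CODE))
    print(bytecode_matches(COMPILED, ONCHAIN_CHANGED))
```

Immutable variables are written into the runtime code at deployment time, so contracts that use them still differ after the metadata is stripped; resolving those offsets is a further step this example does not cover.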
This must be expensive?
The Paladin Live Match is completely free and included in every single one of our public audits. This makes it an affordable and valuable addition to any smart contract audit.