Verifying the contract's signature

Don't trust, verify

This section will soon be updated to support the new Reproducible builds

When deploying a new Vault, the user becomes the owner of the contract, but they must still trust that the compiled code provided is the official and open-sourced MultiversX multisig contract.

To verify the signature of the contract, one can use the official MultiversX API with the route /accounts/{address}, where the address is the address of the Vault. This will return the contract's code and code hash, as well as other properties. The user can then locally compile the open-source MultiversX multisig standard and compare the code, or the code hash, to ensure that the deployed contract is indeed the official and secure MultiversX multisig contract.

The code hash should be "4SkFg1DqGm4A/AcvGIpdFJTOwYlVNIPN7dh2lns8Wa4="

To convert your generated multisig-full.wasm into hexadecimal and store it in the file code.hex, you can use

xxd -p output/multisig-full.wasm | tr -d '\n' > code.hex

Here's some relevant build information as found in our generated ABI

"buildInfo": {
        "rustc": {
            "version": "1.66.0-nightly",
            "commitHash": "0da281b6068a7d889ae89a9bd8991284cc9b7535",
            "commitDate": "2022-10-27",
            "channel": "Nightly",
            "short": "rustc 1.66.0-nightly (0da281b60 2022-10-27)"
        },
        "contractCrate": {
            "name": "multisig",
            "version": "1.0.0",
            "gitVersion": "v0.39.4-25-g4ed25ea29"
        },
        "framework": {
            "name": "multiversx-sc",
            "version": "0.39.4"
        }
    }