This is a hosted wrapper over solana-verifiable-build.
Submit a program for asynchronous verification:
curl -X POST https://verify.osec.io/verify \
-H "Content-Type: application/json" \
-d '{
"repository": "https://github.com/your-org/your-program",
"program_id": "PhoeNiXZ8ByJGLkxNfZRnkUfjvmuYqLR89jjFHGqdXY",
"commit_hash": "abc123...",
"lib_name": "your_program"
}'To verify a program, simply add --remote to your verification arguments:
solana-verify verify-from-repo --remote -um --program-id PhoeNiXZ8ByJGLkxNfZRnkUfjvmuYqLR89jjFHGqdXY https://github.com/Ellipsis-Labs/phoenix-v1Submit verification with a specific signer:
curl -X POST https://verify.osec.io/verify-with-signer \
-H "Content-Type: application/json" \
-d '{
"signer": "9VWiUUhgNoRwTH5NVehYJEDwcotwYX3VgW4MChiHPAqU",
"program_id": "PhoeNiXZ8ByJGLkxNfZRnkUfjvmuYqLR89jjFHGqdXY"
}'Check the verification status of a specific program:
curl https://verify.osec.io/status/PhoeNiXZ8ByJGLkxNfZRnkUfjvmuYqLR89jjFHGqdXY | jqResponse format:
{
"is_verified": true,
"message": "On chain program verified",
"on_chain_hash": "5bdb733d10c170fbe08912d258bca0bd15dc52ae4919b7db162f44fa0608516b",
"executable_hash": "5bdb733d10c170fbe08912d258bca0bd15dc52ae4919b7db162f44fa0608516b",
"last_verified_at": "2024-02-06T11:36:03.547955",
"repo_url": "https://github.com/Squads-Protocol/v4/commit/3742e5521a3e833f24a4c6bc024dd1aa5385d010"
}Check the status of an asynchronous verification job:
curl https://verify.osec.io/job/f65e0e70-d258-4091-94c1-c039de3734fc | jqRetrieve build logs for a program verification:
curl https://verify.osec.io/logs/PhoeNiXZ8ByJGLkxNfZRnkUfjvmuYqLR89jjFHGqdXY | jqcurl https://verify.osec.io/verified-programs | jqcurl https://verify.osec.io/verified-programs/1 | jqcurl https://verify.osec.io/verified-programs-status | jq- Verification endpoints: 5 requests/second globally, 1 request per 30 seconds per IP
- Status/query endpoints: 10,000 requests/second globally, 100 requests/second per IP
- Unverify endpoint: 100 requests/second globally
To mitigate against false verification results, we rerun program verification every 24 hours. Note that verification should not be considered a strict security boundary.
The Otter Verify PDA Worker is a service that monitors and processes Program Derived Address (PDA) updates and creations from the Otter Verify program. It automatically updates the database with new PDAs and initiates verification jobs if needed.
- Helius Webhook Configuration
- Set up a enhanced Helius webhook to monitor all transactions (Select Any in the transaction type filter).
- Configure the webhook to listen to the Otter Verify program address:
verifycLy8mB96wd9wqq3WDXQwM4oU6r42Th37Db9fC - The webhook should forward transactions to:
https://verify.osec.io/pda
Monitor program upgrades, and unverify the program if it is upgraded.
- Helius Webhook Configuration
- Set up a enhanced Helius webhook to monitor transactions of type
UPGRADE_PROGRAM_INSTRUCTION. - Configure the webhook to listen to the BPF Loader program address:
BPFLoaderUpgradeab1e11111111111111111111111 - The webhook should forward transactions to:
https://verify.osec.io/unverify
- Set up a enhanced Helius webhook to monitor transactions of type
To ensure that only legitimate requests from our Helius webhook are processed, we add a secret key (defined in .env) as a authentication header in the webhook requests.
docker-compose up --buildFor responsible disclosure of security issues or any other questions, please reach out to [email protected]