Etherscan compares the bytecode on the chain and the bytecode generated from the provided source code match. Then they publish the source code, as "verified"
The main purpose is to grantee the published source code is indeed the one running on chain, so that everyone can audit the code, and evaluate the risk before interacting with the smart contract.
So the verification doesn't serve as an audit, or security check. It's only the first step
There are tools to perform security checks and static linting, such as:
slither static analytic tool
Echidna property based fuzz tester
eth-security-toolbox docker image that includes all the popular tools
-
fallback() & delegatecall operator
-
"unstructured storage"
why it work: EVM storage is 256 bits to 256 bits key-value store
2*. Storage layout
instruction set: 256-bit operation, mload, mstore
- Transparency proxy vs UUPS proxy vs Beacon proxy
UUPS: Universal Upgradeable Proxy Standard (EIP1822).
- Tools: Truffle and hardhat upgradeable plugins
Compatibility validation on chain and offchain
-
Replace
constructorwithinitialize -
Avoiding Initial Values in Field Declarations
-
Initializing the Implementation Contract
Always call the initializer modifier
- Multiple Inheritance
Unlike constructor, initialize functions are not linearized by compiler, need to manually organize to avoid calling the same init function multiple times.
- No call to
selfdestructanddelegatecall