We've been part of the Ethereum Foundation for the past three years or so, and for two years we've been working with the Remix team, and for the past two months we've been working on this topic: how to make Ethereum more trustless. So we'll show you what we see as a problem, and then hopefully also get your input into what you see as a problem, what solutions you may be suggesting and what you could commit to do, so that as a community we bring these things forward and make it more trustless.

Okay, so that's basically just a small introduction. There are many ways to introduce this, but the idea is that this represents a dapp, and you could open a wallet to start making an interaction. Of course Ethereum executes contracts the way it does, and there's no magic administrator that can do anything about it. But the thing is that as a user, when you interact with a dapp, you have some expectations of what this is going to do and what the contract is all about. If you don't have the source code and there's no way of easily verifying it, maybe your wallet will show you some data before you confirm the transaction, but generally it's not so easy to say whether what you are seeing and doing is actually what is happening behind the scenes. And even if you do, how secure is it, has it been audited? I mean, there are so many levels, from having maybe a source code that is verified, so that you know that this source code is actually the one that is deployed to that contract address you interact with, to has it been analyzed, has it been audited. There are many different levels, and the situation can be improved over what it is currently. Because if we don't do that, then basically you could use Ethereum as an alternative hosting solution to AWS: I have my backend and I'm using it as a backend and it's supposed to be trustless, but in the end you actually have to trust. That's not the situation to be in.

Right, so we also have some numbers, and we have the source there. That data is already a little bit older, so the numbers should be even higher, but we have a lot of developers that come in touch and try out and learn about Ethereum in the broader ecosystem every month, like 15,000; that's actually a lot of them. And every month, it depends, it changes, but like 1.5 million contracts are getting deployed to the chain, and more than 10 million contracts are on chain. Actually it's even more, because the data is a little bit older; contracts are getting constantly published, and every day those numbers are fluctuating, but like 1.2 million contracts are called per day. So that's actually a lot. And the thing is, when it comes to verified source codes, many of you are maybe familiar with Etherscan, but generally they are in the thousands, not in the millions. Of course some contracts are also deployed many times over, but still the situation is not really as good as it maybe could be, and we were thinking what we can maybe do about it.

What is also very important here: we have all these numbers, but the problem is that apart from Etherscan there is no other place where we could explore or store verified source codes. That means that it's stored in a centralized place, and if they decide to put a paywall on, or just don't want to open the data, that means that we have a trustless system where we have to trust the contracts but we don't have access to these contracts. And we have to ask ourselves, is there even an incentive to share Solidity source code, or what can we do to find out what the incentive would be? As mentioned, there are only a couple of thousand of them, but we have over 10 million contracts currently on the blockchain, so how do we get more verified source codes?

So we were thinking, maybe if we have a neutral place that could be used to explore and find information: whether there is a source code that is verified, whether it has been analyzed, whether it has been audited, maybe multiple times by different parties. There are so many things that you might want to know. Maybe you're an end user and you interact with a dapp and it uses a smart contract, or even multiple ones, or you're a developer and you want to use libraries, and maybe those libraries have been audited or not. Maybe the source code and everything is audited, but the contract itself makes calls to other contracts, so it's not only the source code; you also need to know about those contracts. There are so many different situations that basically it needs a whole ecosystem of projects and organizations. They are all active in slightly different fields, but I think they all need to work together, because there are a lot of different aspects to this problem.

So one more thing about that neutral place: basically we need to collaborate, and there are many ways in which we can do it. One way that we were thinking of is to have some kind of open API standards, ways in which we can use the different projects, services or libraries, whatever they are about, and mesh them together to improve the situation. Because for one project alone it is hard to change everything. Etherscan has all the contracts, but then there are auditors, then you also have dapp developers, and everyone, and then you have wallets. Everyone has a user base and some kind of expertise, and to change something you would maybe need a standard or a way of doing things across those different kinds of organizations. Each project alone might have a hard time doing it, because it requires others to maybe also change something. So that's maybe why the situation is not as good as it could be. And we want to have it scale and decentralize. This is where we started this project called smart contract codes, which is basically a peer-to-peer database and a search engine for verified source code.

Let's just go over it quickly. The idea is maybe this could be a point where we can try to improve the situation, and there are multiple aspects to this. One is that we have a lot of data. For example, for the source code as such, we could publish them, and then you have a way of retrieving them and maybe verifying them. But still there are a lot of auditors and also the wallets that might want to show certain information about this. Can we publish this, does that need to be updated? Maybe a certain contract is updatable, or there are multiple versions and one has been audited but the next not. Or maybe you only want to use part of the contract functionality, maybe interact with two functions, and those maybe have been audited even though the rest has been updated. All these things we need to do, and the data is always changing. I mean, when you deploy the contract, that particular contract is immutable, but in the whole list of contracts there will always be new contracts and also maybe new versions of contracts. With the audits that's kind of the same: you audit maybe the next version of the contract. So all these updates need a mechanism that you can also easily update and interact with, and still, in the end, even though updates are possible, you want to be able to trust it, or have it as trustless as possible.

So how do we do that? The idea about this database is that we have, first of all, a neutral place. You could of course use the peer-to-peer network to retrieve all these different kinds of information, but also, if you're an organization, as an auditor for example, you could have your own copy of the data set, but annotated. So for example you could say these are all the ones that I audited, and those are the versions, and then this information can be used in one place, like this search interface, to display all the contracts that have been audited, by whom they have been audited, which versions. There might be updates coming to this, but every node of the database hosted by one particular person or organization could update their annotations, and all this different data is basically merged, or shown in a mixed way.

That's why we also have this second part, the app connect. I assume that many of you might know Remix as an in-browser IDE; that's not the only project, but they have this approach of having plugins, and we want to see how we can maybe make it so that all these different things, whether they are wallets or whatever app or software they're using, can be connected together. Maybe a particular app or whatever the software is wants to reuse the code, or maybe we on smart contract codes would allow the connection embedded, so it goes both ways. A plugin usually as a standalone thing is relatively useless; it only works as a plugin for something. But we want to be able to connect things, so that, let's say, an auditor that displays their audited contracts could retrieve data from the database, or maybe they have tools to analyze them, so they can use the database to import that data and show it on their page. But the other way around is also possible: the search interface could display or even offer those kinds of services, for example to analyze the contracts, and give the user, or even offer the service, like there's an auditor that offers a certain service. It could be a way for users to discover audited contracts the way they want.

And because we want this database to be truly decentralized, so everyone can run a node, we're using Dat, which can handle dynamic data sets. Because this is a database and we are constantly publishing new information, we can sadly not use IPFS for this, or it doesn't come out of the box. But as Christian will later show, the source codes will be stored on IPFS, probably, or that's one possible solution, but then we can fetch them and display them in this big database for everyone.

Like I mentioned, wallets and auditors, but also of course developer tools: if they support publishing source codes as an opt-in, or maybe ideally as an opt-out mechanism, that would also be useful. Somebody who really doesn't want to publish their source code, even though you could always put in the effort to decompile and figure it out, because usually these source codes are meant to be small, because anyway it is expensive to have a lot of storage and computation going on in the chain. That would of course be very useful. So now we just picked, for each category that we see, a few; I mean not random, but there are many more organizations or projects in each of those categories. Just to get a feeling of what we personally see as all the different players in the ecosystem that could contribute and do something to improve the status quo. But we would love to discuss, to get more input, to maybe update or make the perspective of this a little bit broader.

So there are security developers, so people who develop Solidity code. Then you have dapps, basically like business owners or somebody who makes a concept of how this Solidity code should work. Then tools which enable publishing to the network, which basically could also publish to the database, and then everybody could see what is actually the source code of what they're using. Security auditors, of course, taking care that the contract is secure, because verified means only that it does what it's supposed to do, but it doesn't mean that it's secure, so it can still have some bugs or something. Then we have infrastructure projects, which basically enable that this whole thing exists, so to search for things and to publish. And block and data explorers, which are basically running nodes and getting information from the blockchain, because if every one of us wants to get this information it's a hard job, so we need to run it for months; so we have of course awesome tools to do that. And wallets, of course, because they would be the ones displaying this information that is stored in this database.

So this is like a short introduction of what we do and how we are thinking about things, but now we would like to hear something from you. How do you see the ecosystem? Maybe we didn't even manage to capture all the main actors and we forgot something. What are you doing in the space and what is your role in these terms, like how to build more trust in the ecosystem? Does anybody want to start?

Hi, I'm David. I have a phone that runs EOS, which is the kind of open source version of Android, so I use Android applications a lot, and when I wanted to use a wallet, a crypto wallet, a lot of times I can't download a crypto wallet APK from anywhere else, only pirated from Google Play, because very many developers publish only on Google Play. Or if I can get the APK from GitHub or from someone else, the APK is not signed with a PGP key; they don't even have a PGP key for their releases, so I can't really verify that what I download is really what was meant to be installed on my phone. So this is my reach out, my cry for help: please learn PGP, make a PGP-signed APK and always sign your releases, and also publish APKs on GitHub and your website. And please, please, if you can and have the bandwidth for it, publish your application on Android with your wallet, because when I'm thinking of how to make this ecosystem trustless, I believe that is a crucial point of trust, you know, the applications that you put on your device. So yeah, that's what I wanted to say, and thank you for the attention.

That's one which we skipped, like probably many more. So the thing is, it would be super cool to have all the software that enables this to work, I mean
many things are published into the app stores, but of course also on GitHub you have a lot of things, and they should of course always ideally be signed, and the keys should be known, from the teams or people that publish, so that I can actually verify that what we use is coming from the right sources and is working the way it's supposed to work.

I think that basically we cannot do this with a microphone, because this is going to be crazy; should we just start a discussion? I think the single most effective thing we could do is the compiler publishing the source codes. What's the name of that thing you were talking about, the Swarm hash? Then actually publishing the source to Swarm as a default. I think if we made that the default, then 99% of these pieces of source code will be available, because people wouldn't turn it off, and it would also promote an idea that we should all be publishing all of our source code and we should all be interacting with smart contracts that have published source code. So we make it the community ethos that the code is there, and if somebody wants to turn it off, then I would look at them and say, why did you turn it off? I think that's the most effective by far. I think trying to get people to volunteer, you're going to end up four years from now with 3,200 published smart contracts.

So Chris works in the Solidity team. Do you, Chris, know why this is not a default, what are the obstacles?

So I think the compiler is unfortunately not the right tool to do this, and the main reason is, first, you do not know whether the source code that is currently being compiled is the final thing that will be published, or some random people are just testing some stuff. And second, the compiler may not even have access to the network; the compiler might be used to generate bytecode, and the bytecode is moved somewhere else and then published there. So I think the tools that do the smart contract deployment should do that, and I agree it should be the default.

Yes. Is there any effort to communicate that to the people that are writing that code?

I'm talking to them, yes.

I think that's also why we try to invite the framework makers, so that they might consider at least having an opt-in, ideally probably an opt-out version, to publish the source code. And I think it's also pretty new, like the IPFS address of the source code being published; not everybody knows that the deployed bytecode of every smart contract has a hash of a JSON file at the end, and this JSON file contains information like the ABI, the compiler that was used to compile the source code, and also link hashes to the source code. So the integrity of all this is not the problem; the problem is the data availability here. And I think if we could get to a point where people publish that information at the point of deployment, then also the user experience of wallets, for example, would greatly improve, not only because you have access to the source code, but also because this JSON file contains the ABI and also the NatSpec comments of the functions. So whenever your wallet asks you to confirm a transaction, it should not display this garbled hex string of data; it should actually fully decode all the function parameters and display the NatSpec comment that is associated with this function.

So I mean also people are thinking, maybe for example wallets could display that, if the data was available. So if tools, or if we in general, established this as a mindset, that it would be better for everyone if we had the source code, because Ethereum was meant to be trustless, but that's kind of a missing link, and if we don't do that, why do we do all this in the first place? I cannot just go back to how things always worked. But okay, so if we have that and we maybe have the tools publishing this and we are getting more source code, this is also pretty cool, because then wallets could of course display if a certain transaction is happening with a contract where at least the source code is known. But then ideally also any auditor or any security related project could analyze the source code more easily, because there are many of them already, or even publish some kind of annotation. In which form, that's the question, but basically having an opinion that this source code has been audited. And maybe we also get to standards, like what does it mean, what level of auditing happened, and was it audited by one organization or many, and is there even a rating. There is so much metadata that could be generated that basically has additional information, because the source code as such is a good first step, and of course we need them to be available. But this is for the future. What about the past? Over to you, working with your auditing contracts: is there a good client demand for sharing their code?

Yeah, so we are a security auditing company, and typically the majority of clients want to publish the fact that they have gotten an audit and also want to publish the full audit report, which is uncommon compared to other industries. And so I think it would be great to highlight both positive and negative examples. So recently there was a good example, I mean the famous negative example which happened, right, where people looked into the contract and were like, there's definitely a problem here, and you could warn the user saying, please don't put any more money in, because at the time that the vulnerabilities were published people were still putting more money in. Some people were saying it was money laundering, but that's another issue. And so yeah, I think it would be great to have, they could probably be like three different things: there could be a check mark, and when you click on the check mark you see the full report, or there could be a warning, and these could go to different sources, right. So I mean ideally of course this shouldn't just be us and people shouldn't just all trust us, but it would be great anyway. So there could be five check marks and then you go to the different sources, so that anyone can provide their opinion.

But do you also audit sometimes some code that is not coming from the client, but you just analyze it anyway?

Yeah, so we often have dependencies that are already existing, right, so like some client code is using, I don't know, Compound or Maker or whatever, so it is in the dependencies that we then look at.

And do you publish this data anywhere? So this is in your know-how database or something. Would you be willing to share this information?

Sure.

Yeah, I mean we were thinking, if there was a standard; I mean there's one standard, like what does it mean to have an audit and what levels, and what kind of guarantees does it maybe give, but another one is a format, like a data format standard. Then maybe, for example, for our project that would be useful, but generally wallets could use it, like the basics, that the source code exists, but what about, has it been audited? So they could basically grab the data, and they know it is a standardized format, so they can display that, and hopefully all the wallets would use the same standard, so users get used to it: this is how it looks and that's what it means. And maybe even if I click the link I can see on chain, in any block explorer or whatever, that this is what it means, explained again. That could improve things. But also one thing is to integrate this opt-out version to publish source code: if wallets would integrate this, this would also create another pressure, or incentivization, to publish source codes, because users, every time they confirm, now see: oh, I'm interacting all the time with contracts that give me a warning, or
something that the source code doesn't even exist, or maybe then later on, okay, it has been audited, but what does it mean, how in-depth has it been audited. And then maybe users would even change their behavior and either demand this or switch to alternatives that are better audited, and then everybody would think, let me maybe try to publish or get an audit. So that would be one thing.

Again, from Remix: we're discussing basically what are the problems of getting the source code, and you basically just now introduced something so that people who are building on Remix can publish the source code. So that's a good example. Is it the default thing, or do the users have to select; is it opt-in or opt-out? Do you have any ideas on what would be better, that you automatically publish and then just opt out? Because I think at first I was a bit afraid of that. What do you think? All right, you are working on Brownie, which is a Python framework.

Yeah, yeah. I also feel that publishing as an opt-out, it seems a bit... it's a large assumption to make, if it's someone working on something sensitive, that you just push it because they forgot to change the box. That seems a bit... but I think on the other hand it's a great idea.

There's something halfway between not publishing and publishing the source: you can publish the function signatures and the encoded value, basically the thing that you would get from the ABI. You don't have to publish the entire source, just publish the ABI, just the strings of the functions and their corresponding encoded value, the four-byte encoding, and then that way a wallet could decode the function, but you wouldn't have published the person's source code; you've actually published something that's public anyway.

So you can publish the metadata file without the source code.

Yeah, then you have... I mean that also includes NatSpec, which might be sensitive.

Is there a way... I mean, if the deploying process is an interactive process, then that tool could also just ask, where you have to answer with yes or no.

Yeah, that would make a click in an interactive process, but if it's just scripting...

Yeah, I'm sure. If you're developing something sensitive and you forget to check a box, you probably shouldn't be developing something sensitive.

From your perspective, do you think that data is... I would love to display that, and I would also be aggressive there and just publish that. People that just want to close stuff... but I'm a bit wary of that. Yeah, but I know that there have been arguments against that, for example CryptoKitties, which has a closed breeding function or stuff, but currently I think we should just blame them; currently I would blame everyone. But where's the problem? I mean, do you think that with education, if people just knew that this is important, they would do it, or is it about making it easier?

I think what would really be good is if it's just easier, because people have a lot of things to do. I understand that; it's just an extra step, and they were kind of finished, and now there's an extra step. So it would be nice if it just gets easier, and ideally let people opt out. Maybe a transition phase: first opt-in, and then after some time you have to uncheck. I think in the front end everyone is used to that, all this code is plainly visible, but when it comes to backends that was never the case, and now with blockchain or smart contracts it's kind of a new thing; people just need to get used to it.

You mentioned that there's an optimization you can turn on in the compiler which will just reduce the size of your contract by taking the contract names out, so the function names out. So people start turning that on to save on gas for upload, so you can't really rely on what sort of function names... probably in English and some of them strange. It comes down to defaults in the end, like what's on, because 90% of people probably wouldn't choose to do those types of things, so it would improve the situation.

Yeah. What about having something like a secret sauce tag or something like that? When you're writing the code, you say this comes in secret sauce, it's closed.

You mean like an indicator to the developer tools to say, okay, I can't do everything, but...

So you don't actually include it, but you know you've declared it. There are a few reasons why it's not there, because it's a great secret; it's probably hard to verify the source, but then you can have a table and a board to declare a secret sauce. You have to be more detailed, and some science to say this was audited but secret. The verification would maybe fail because I don't have all the source, but I still want to get it, but not here.

I think the developers of the code, if they think it's very public, they can just upload and publish it to the website, and when we upload to the website we can use the compiled binary to compute a hash and use that hash as the ID to save the code. Then when they deploy, they also use the hash, and check whether the code has been published; if yes, they can save the link with the smart contract. Then when a user uses it, the link is there. If they want to check the source code, if they find a link there they can see that source code, and when they click they will go to the website to see exactly the code. They actually collect all these things, and that's why we prepare this link for the download on the internet.

But one more thing that I wanted, sorry, just because Victor is from BlockScout and they are actually also a source of getting verified source code.

I would like to make some comments on what we have in BlockScout. So BlockScout is an open source block explorer, so not only users can have a centralized database of their websites. So what we provide for users: we have a user interface to promote their application, and also, what is more important, we have an API for the verification process. And what is important, users should provide long-term data like the compiler version and the ABI, and the contract will be verified in our centralized database. But what is more important, we have an endpoint to get all these contracts and we have no rate limiting. So that means that everyone can get a copy of BlockScout's verified source code if they want. Of course we have pagination, because of what counted, about 10,000 verified smart contracts or something like that in BlockScout. And this is more important, that everyone can get it. This is our current vision of this realization, right, so everyone can get the copy of our database.

So what I would like to add: I like your idea of a decentralized database, and I think we would like to participate in this. So it can be another way. In order to increase trustlessness we need to increase the number of verified smart contracts, right, and what ways can we choose? I think there are four basic ways. The first one: we need to educate users as much as we can, to create the articles, you know, in GitHub repositories, on Medium, on forums, somewhere else, on how to verify, how easy it is, what instruments we can use for verification. The second one is based on the assumption that the user will always forget to verify the smart contract; that's when we do something to embed a verification step into all development tools we have for dapp applications, like an environment for Brownie. So it's important to have a verification step in the whole process, so as soon as you publish metadata and source code, verification is automatic; it's not an additional step.

I mean, to publish to Swarm and IPFS?

Yeah, sure.

And that's also the hope: as soon as we publish this, then block explorers... so you don't need to go to the block explorer to verify your
contract the block explorer itself can do it right sure the tools need that and this is now look for some that are already published and could come and verify basically I'm sorry you wanted to say something hi I'm Nick and I were gonna be here and are like our team isn't so good but I think these are like useful for a lot of these problems and it's just like a standardized data format includes everything we talked about like the source code APIs also specifies like deployment data so you can also in terms of getting this like strong verification you can add like launching deployments so you know you're interacting with like the dye you're supposed to interact with like whoever's wallet address and so yeah like check out EPM we're in brownie we're in we meant to be a plug-in we're in truffle it's just like a very good way to pass around safely your smart up to see more integration is there one way to do it to actually have the if I'm able to build that contract and it's binary identical with what's deployed then I know everything about it I know all the dependencies and stuff like that so I can do anything I want to verify and run all the tests and everything like that and to do that that information is if you know the project and the git commit then I can get that code and I can build it and it's exactly what's deployed I can do anything like that we are going I wrote one of the Bitcoin wallets and we were really worried about the dependency tax so it changes one of the libraries that we use it gets into our code and it's a wallet stealer and it's a guy who wrote a little verify on all our dependencies that nobody changed anything without our knowledge but that's in the build tools and that's well away from what their users will see but if you can if someone can rebuild it and you get identically what's deployed you learn a lot from that and you can automate it as well How can we do that? 
This is one angle, the other angle is the credibility of the smart contract so he is talking about dependency and also how about having a proxy smart contract and changing the business logic of what you are pointing to so this is also should be also a consequence I mean one thing is to explain what is verified in the sense of like bytecode matches actual smart contract I mean the compilation result but another thing is yeah is it safe and all this additional information or is it using oracles and like is it depending on oracles so that the users know that they are interacting with something that could maybe be corrupt so we would like to be able to I mean smart contract code is just an interface but what we want to focus on mainly is the database so the thing is like we already scripted together a little source code but now if the situation changes and in the future maybe the developers will always ideally automatically publish the source code let's say the database is warm then all of them are available now the question is still where do we get the list of all of them so maybe there can also be a solution for this and then we can start annotating them because once we do it would be better if you got them to come to you rather than you to them so if you can incentivize it for like an awarding then they can earn continuous revenue by putting it on your database because you act as a gateway so that if someone says oh I want this thing this is a smart contract if I can see you marked it as yellow I want to know why if they get the button it says that it will be taken in the right amount but of course do you have pens just one comment before I give you a word but like it's not our database that's I think the whole point because everybody can run a node and then if you run your node you can add more data and I run my node and I can sync I have some logic built in that I the decentralized system that runs this because nobody wants to empower somebody who grabs the data I 
understand. My point is that you incentivize the actors within it so that they can each earn money, so that way they want to grow the system, so they continue to get revenue from people requesting audit reports. So they can charge for the audit reports, so that gives an incentive for the auditor to import as many things as possible and then make those reports available, and also the people who wrote the smart contracts, if they do them correctly, get a share of the audit reports.

So that's another challenge that we see, even with all the smart contracts. For example, by adding something to the developer tools, they could be published to IPFS or so on, and of course the metadata too, and on chain we have a hash to verify that this is the right metadata. Still, where do I get the list of all of them? So it would be good to also find one way to publish the list of all the metadata, or all the links at least, like all the IPFS hashes that exist.

So my plan is to write a small tool that constantly monitors the blockchain for newly created contracts and creates a gigantic IPFS database that contains all source codes of all smart contracts. So the hash to this on chain contains the address too.

How will you update this? Whenever there is a new contract published, you have to find the address where it's published. Is that on chain? Is it using a topic on a DHT?

The developer tool has the source code, publishes it to IPFS, and the developer tool then returns to the user the address or the source code. Anyway, I can figure out the address, but then I publish it to the chain, and now somebody detects that there is a new contract on chain, but how do I know where that source code is stored? I mean, it's stored now, and if I had the source code... The hope is that the deployment tools publish it to Swarm or IPFS, then you can grab it via the metadata and the link in the metadata, and then keep it persistent in that big database. Where do I get the metadata from?
From the hash link in the bytecode. So the hash link in the bytecode contains the Swarm or IPFS address of the metadata.

Alright, so then that would be perfect. So if that happens and all the tools published, then you could go to the blockchain data, get all these addresses, slowly pull them all and fill them into one database. And then the system that we are currently using works a bit like a version-controlled torrent system, so the more peers... and you can update the torrent, the address doesn't change. So for example auditors could run it and make their annotations, so they can say, ok, this one has been audited up to that level, and so on. But also maybe other organizations could start saying, I annotate this contract, and somebody somewhere stakes some money on a smart contract because they want an audit, but maybe doing the whole audit is a little bit expensive, so maybe publish that. And then you could retrieve all this data and see, ah, there are a lot of contracts that have stakes, and show those, and maybe that's already a selection, and that's an interesting contract, maybe it's a library that does certain things that we could use to get other smart contracts, and now this one seems to be a very interesting library, let's stake more. And then maybe also auditors could use that to bid to actually do the audit and then get paid from that. So those could be additional incentives: one is about figuring out if somebody is willing to stake some money to pay for an audit, another one could be publishing audits and other kinds of metadata, that some organization that analyzed things has an opinion about that contract, and that's maybe also valuable. So that kind of system would work, but of course it first looks like a basic data set, and so...
Let's come to that. Yeah, well, once we have 3Box interfaces, I mean, it's very interesting, and we're working on both, because sometimes you want to build your smart contract and you want to keep it private, because for any reason, maybe it's not finished, maybe it's not digital or whatever, then you want to make it privileged like in any social network. And with 3Box it's exactly the kind of thing they do: they are just creating your own box based on your Ethereum address, and then you can even flag this contract, build this contract, and then you can create the whole social network, actually incentivized without any question about staking any money on whatever, because you're just saying, like on GitHub, oh, I built this contract, you know, and I have a record of all the contracts I'm building. It's another way of incentivizing without having to publish everything, just saying, ok, I built this contract. Maybe then you have someone that can just give an annotation on his strike saying, oh yeah, I audited this contract, I think it's good, putting his name on that thing. So that's another way of incentivizing without always thinking in terms of cryptocurrency.

I work on AlphaWallet, one of the apps. A huge part of our effort is working on something called TokenScript. It's open source and we submitted it to OASIS for standardization, but basically it's a layer of how to call smart contracts. So within TokenScript, if you want to make a call to a smart contract, you write it in an XML file, which we provide the schema for. By writing it, by declaring it in the XML file, that means you have to specify exactly what the function name is, the argument types and so forth. So one thing it helps with is when the user makes a smart contract call from within the TokenScript, within a wallet which supports TokenScript, we can display the function and the arguments, what it does, so a user will know which one it is, can see what's being called. And I think what is more important is because it is
built and transported as one single XML file, we can let the author of the XML file sign it, expressing trust for the smart contract. So when the user uses it, it will be like using a web browser: you visit a website, you see a lock, and you can click on the lock and see that this is verified by whom, and this is a certificate issued for this domain, yahoo.com.

I think we should collect all these things, because that's exactly the thing: there are many standards and certain ways of doing things, but yeah, that's what we need to talk about, and what is the most important thing, because if we are talking about decentralized Ethereum and trustlessness for real, we cannot rely on any centralized authority who will say this is certified or not.

This is based on the chain of trust, because you can trust that the signer of this file is asserting that this smart contract can be trusted, because as a user, when you use a wallet app, you're not going to look at the source code of the contract. It's very unlikely you will go and look for the source code, and even if you can find the source code for the smart contract, how do you associate that back to the button which you are clicking? Is that going to call that smart contract? But if you see a lock, like when you are in the web browser and you see that it has a valid HTTPS TLS certificate, then to a certain extent, because you know that this certificate is issued by, say, VeriSign, by a chain of trust, you trust that this website is who they say they are, and you can trust that you can buy a product from this website using your credit card. Chain of trust.

So you wouldn't have to use the regular CA certs, because you've got ECDSA, you've got elliptic curve signing anyhow, so you just sign by... it could still be two dollars, like, if you control an address, then there's a private key behind that address, signed by that. So you might have something that's created by a pseudonymous key that everybody knows who they are, because the
signing by a well-known address has never changed since the start of the project, so you don't have to rely on VeriSign or anybody like that, you might as well use the elliptic curve technology to do the signing.

So maybe we should have a place, like originally we thought about a document, maybe. How do you collect all these things? Because we're kind of in the last five minutes, I just wanted to add, because we have Giso also from Super, which is also a tool for security analysis. Do you have any thoughts? Because I invited you in addition, like you didn't have any opportunity at the early discussions.

So we're the pretty audit firm, we also have like a verifier also, but what we focus on is a more developer-friendly way. The reason for that is actually that we care about code privacy. So what we talked about was that we have to publish all the source code on Swarm or anywhere, but most of our clients, it might be Korean culture, but they don't want to share their code before it's published. So we have to build some technology which keeps the code private. So what we extract from the source code is some code pattern, not the exact source code but more abstracted code, like an intermediate representation, like this, like that. So we extract it and then make a signature of them, and then we just give... and the clients, it's in our vulnerability database, we just start from our database, so it doesn't need the original source code. So it's similar to traditional Java software, like npm's vulnerability system platform or Android Play Protect, so it could achieve more code privacy first and developer-friendly techniques for the audience.

But maybe you can offer some premium service, so if somebody wants to publish all the signatures that we hashed from the wild iterating memorial... so in terms of trustlessness, I was thinking that maybe you could offer them the premium service, you can also publish on Swarm or more decentralized, so if there
is anyone to use it... I mean, it's maybe a little early, but the way we were thinking about supporting that kind of use case: the contract that is behind an address is private, but we have an audit about it that we share fully, or just parts of it, so maybe in the future you want to share more, or you should share it next time. This peer-to-peer database, you know that it's open source, and you have a globally public address as a public key, and it's like a torrent. That torrent is globally available through the public address, and you, with a private key, or your organization, are the only one that can add data, but everybody who is also running the same node, you might also have auditors or other parties that can do the same, and they have an address, but those get synced. So everybody will also, the same as a torrent, everybody who already synced the database still has the data available as a read-only version. But it means all the information about which contract was audited, or what kind of information was published, is available in the same standardized format, and it is available to all the others, which could then be used to display, either in wallets or in any kind of application, certain information that comes from that decentralized system, where you can publish as much data as you want and it doesn't cost anything, and after that you make it available in that format so wallets could show that there is all that happening. And the most important thing is that nobody is the one maintainer, and there is not like a database of everything everywhere, but nobody collects them, or if they do, then they have crazy power, because then they have all the data. That would help us, that we all share this data, if we commit to do something like this, or if we find better ways than that, I mean. But this is like our suggestion.

So we were even thinking that could help, because I was pointing out from the very beginning, when you have one contract and then you have a new
version of that contract, so the author could continuously publish the different versions, and they would all be available, version-controlled through all the different versions. And because they're in that same standard system, you could for example not even publish the entire source code, but if you wanted to do that, you could basically point to that address of that source code and annotate it, and that annotation is basically controlled by your private key, while the update of the source code is controlled by the private key of the author or organization that develops it further.

There was another question. It's about a suggestion: you are thinking about a solution on top of the protocol itself, on top of the network itself. However, would you have any idea of interacting with the Ethereum community to implement the solution, or part of the solution, to be part of the protocol itself? Let me imagine this: a compiler, the standard compiler, when it compiles a smart contract, it's going to generate a state field representing whether this contract is certified or not and the level of certification, plus two embedded functions out of the box coming from the compiler that change the state of the level of certification. So this is in the protocol there, and on top of that, whatever solution benefits from this change in the protocol itself.

I mean, the certification is a problem, because who... I mean, if you mean by certificate that it's secured, that somebody did the audit, that's hard, because then we have to trust certain parties. But if you mean verification in the sense that we have access, that this address we can easily match to a certain source code, this could potentially work, but as you said there are problems, first because of the data availability problem, and the compiler cannot publish, it doesn't live on the internet, so it's not possible practically.

No, I'm not saying that you publish. You generate the bytecode; part of the job is to produce
functions that don't exist in the actual source code that enable a certificate authority to verify the smart contract. Also you have a state variable representing whether this smart contract has been verified or not, or certified or not.

This concept is way too complicated to easily be embedded in storage, because what does verification mean? Some person said something about that smart contract; you can't assume. Probably there would first need to be a solution to develop some kind of best practice of what all this even means, what levels, and how that should even look. Once this is established, and it takes some time, maybe in the future somebody could think of this, and maybe that actually makes sense. But I would love that; this is an interesting discussion and we cannot solve it alone. We need to use the Discourse.

Yes, this is a question: Discourse or Telegram or what? Can we vote? Who is for Discourse? Discourse, because it's much more... And Telegram? Email? Do we have email? Do we have emails? Do you know what's inside in a nice interactive way? Yes, they're just Gitter... Gitter, everybody uses Gitter, yes, so long as you can have topics and conversations. So we can... Thank you, well done, thanks for the comments, this was... Thank you.