Like the city of Troy, the only way to breach your wallet’s defenses is with some deception. So long as you are the sole holder of your private key, no one can interact with your funds without your explicit approval. For this reason, we must be particularly vigilant when deciding which transactions and contracts we approve. Today I will be showing you how to verify a contract address so that you only approve contracts you actually know.
Verify an Address
I’ll be using MetaMask and FTMScan to demonstrate how to verify an address on FTM, but the process should be the same for all wallets and EVM-compatible block explorers.
First things first, let’s take a look at our own wallet. Open the MetaMask browser extension and you should see this at the top:
If you click the three dots on the right you will open this menu. Click the “View Account in Explorer” prompt to automatically open a new tab displaying your wallet in the appropriate block explorer.
Here you can review transactions that your address has participated in over its entire history. The transactions tab shows all the transactions using this particular blockchain’s coin, in this case FTM. You can click on any address or TXN Hash on this page to see more info about that particular address or transaction.
If you want to check transactions of different tokens on this particular chain you would click the ERC-20 Token Txns tab. This would show all transactions involving things like BEETS, BOO, SPIRIT, etc.
The last tab of interest is the ERC-721 Token Txns tab. Here you will see all NFT transactions that have occurred on this address.
You can filter transactions by type, sending address, and receiving address.
With these tools we can verify activity in our own wallet and see exactly what addresses and contracts we have interacted with in the past.
Very handy if you are trying to figure out how or why a token entered your wallet!
Verifying a Contract
Now that we’ve seen what a regular wallet address looks like, let’s take a look at a smart contract.
Quick refresher: A smart contract is code deployed on the blockchain. These contracts can do many things, including routing funds and running liquidity pools and DEXs. These contracts have addresses just like your wallet and tokens do. You could get into serious trouble if you sent tokens to a contract address when you meant to send them to a wallet address! Contracts are very powerful and immutable, so it is essential that we are interacting with the appropriate ones. Accidental transactions often cannot be rolled back or refunded!
Obtaining the Contract Address
To verify an address, the first thing we will need is an address! Let’s grab one from SpookySwap. We can do this by initiating a transaction or approval request on the pool we are interested in. In the example I’m looking at the FTM-DEUS pool on SpookySwap.
When you first submit any transaction on any site you should receive a message in your MetaMask that looks like the image on the left.
Before we approve anything, let’s verify the address that is asking for approval. You can copy and paste it into FTMScan directly or click that arrow button and it should open up FTMScan with the address preloaded.
It looks a bit bare, doesn’t it? That’s because this address is for one of the many contracts that make up the entire SpookySwap system, specifically the placeholder token for approvals. If we click on the contract tab we can get some more information.
On the contract tab we can read all the functions and addresses tied to this contract. If you explore this page some more you will even see some spots where you can query the contract for data directly from the blockchain. We will go into this functionality more in depth in later articles.
There isn’t too much information we can use on this page for verifying that this is indeed the correct SpookySwap contract. If we click on the contract address in the top-right, we can see the parent contract that this one interacts with.
Verifying the Contract
After clicking the parent contract address, we will land on a page with tons of information. Here we can really verify that this is a legitimate contract. We can review the transaction history, which address created this contract and even the actual code of this contract.
While we can examine the transaction history and confirm that this contract has seemingly legitimate transactions, the best place for verification is the Contract tab. Let’s head over there.
On the contract tab we find that this contract has been verified. This is excellent because it means that the code itself is clearly visible. We could audit its functionality directly from the browser if we wanted! We also see that this contract is an exact match for MasterChefV2. This is another good sign that this contract is safe to interact with.
Since we are familiar with MasterChef and know it to be legitimate, we can with high certainty conclude that this is a legitimate approval transaction for SpookySwap. After all, our initial transaction was to enter a farm on their site and MasterChef is the exact contract that handles that.
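If you are building Web 3 apps, the same check can be done in code: decode the approval request and compare the spender against addresses you have already verified in the explorer. This is an added example, not part of the original walkthrough or SpookySwap's code; the addresses and calldata are constructed placeholders, and `decodeApprove`, `checkApproval` and `VERIFIED_SPENDERS` are hypothetical names.

```javascript
// Decode an ERC-20 approve(address,uint256) request and compare the spender
// with addresses you have already verified in the block explorer.
const APPROVE_SELECTOR = "095ea7b3"; // first 4 bytes of keccak256("approve(address,uint256)")
const MAX_UINT256 = (1n << 256n) - 1n;

// Constructed placeholder, NOT a real SpookySwap address. Replace it with the
// lowercase address whose Contract tab you reviewed in the explorer.
const VERIFIED_SPENDERS = new Map([
  ["0x1111111111111111111111111111111111111111", "MasterChefV2 (placeholder)"],
]);

function decodeApprove(calldata) {
  const hex = calldata.toLowerCase().replace(/^0x/, "");
  // Selector (8 hex chars) followed by two 32-byte ABI words (64 hex chars each).
  if (!/^[0-9a-f]*$/.test(hex) || hex.length !== 8 + 64 + 64) {
    throw new Error("not a well-formed approve(address,uint256) call");
  }
  if (hex.slice(0, 8) !== APPROVE_SELECTOR) {
    throw new Error("selector is not approve(address,uint256)");
  }
  const spenderWord = hex.slice(8, 72);
  // An address is 20 bytes, left-padded with 12 zero bytes inside its word.
  if (!/^0{24}/.test(spenderWord)) {
    throw new Error("spender word has non-zero padding");
  }
  const amount = BigInt("0x" + hex.slice(72));
  return { spender: "0x" + spenderWord.slice(24), amount, unlimited: amount === MAX_UINT256 };
}

function checkApproval(calldata) {
  const decoded = decodeApprove(calldata);
  const label = VERIFIED_SPENDERS.get(decoded.spender) ?? null;
  return { ...decoded, known: label !== null, label };
}

// Constructed sample calldata: an unlimited approval to the placeholder
// spender, and an approval of 1 unit to a spender that is not on the list.
const pad = (addr) => addr.replace(/^0x/, "").padStart(64, "0");
const sampleKnown = "0x" + APPROVE_SELECTOR +
  pad("0x1111111111111111111111111111111111111111") + "f".repeat(64);
const sampleUnknown = "0x" + APPROVE_SELECTOR +
  pad("0x2222222222222222222222222222222222222222") + "0".repeat(63) + "1";

console.log(checkApproval(sampleKnown));   // known spender, unlimited allowance
console.log(checkApproval(sampleUnknown)); // unknown spender: verify before approving
```

An unknown spender is the cue to go back to the explorer and repeat the verification steps above before approving.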
Final Thoughts
After this walkthrough, you should be a bit more comfortable using MetaMask and block explorers. While we did not cover their full functionality, simple verification like this will be incredibly useful if you’re building Web 3 apps or just transacting through these services. If you have any questions, feel free to reach out! You can reach me on Twitter @MasonCorval and on Discord at Corval#1788.