To verify that the programs deployed on-chain were built from a specific version of the Soldio source code, we can reproduce the programs with the steps below.
./buildimage.sh script in the repository root builds the
programs in a Docker container, and copies them out of the container into the
build directory. That directory will then contain:
lido.so: the Solido program that runs on-chain.
serum_multisig.so: the multisig governance program that runs on-chain.
solido: the command-line management client that runs locally.
To verify that an on-chain program matches one we built, we have to download the
on-chain program. Suppose the program was deployed at address
7k3rzqoNQxgTLTooAvXriGBKYsd16bV3JMvatvXcBfNo, then to download it:
Note that if you have configured a network other than mainnet-beta in
~/.config/solana/cli/config.yml, this will dump from that network.
To override, pass
--url and set it to e.g.
The dumped file will not match
lido.so that we built previously, because by
default, Solana pads programs with zeros during the initial deployment, to allow
room for future upgrades. The easiest way to verify, is to zero-pad our build of
the program as well, so we can make a fair comparison. First, note the file size
of the dumped program and of our build:
Confirm that the dump is larger than our build, then pad our build to that size:
Now we can confirm that the programs match: