Skip to main content


To verify that the programs deployed on-chain were built from a specific version of the Soldio source code, we can reproduce the programs with the steps below.


The ./ script in the repository root builds the programs in a Docker container, and copies them out of the container into the build directory. That directory will then contain:

  • the Solido program that runs on-chain.
  • the multisig governance program that runs on-chain.
  • solido: the command-line management client that runs locally.


To verify that an on-chain program matches one we built, we have to download the on-chain program. Suppose the program was deployed at address 7k3rzqoNQxgTLTooAvXriGBKYsd16bV3JMvatvXcBfNo, then to download it:

$ mkdir onchain
$ solana program dump 7k3rzqoNQxgTLTooAvXriGBKYsd16bV3JMvatvXcBfNo onchain/
Wrote program to onchain/

Note that if you have configured a network other than mainnet-beta in ~/.config/solana/cli/config.yml, this will dump from that network. To override, pass --url and set it to e.g. or

The dumped file will not match that we built previously, because by default, Solana pads programs with zeros during the initial deployment, to allow room for future upgrades. The easiest way to verify, is to zero-pad our build of the program as well, so we can make a fair comparison. First, note the file size of the dumped program and of our build:

$ stat onchain/ build/
File: onchain/
Size: 1042528 Blocks: 2040 IO Block: 4096 regular file
File: build/
Size: 521264 Blocks: 1024 IO Block: 4096 regular file

Confirm that the dump is larger than our build, then pad our build to that size:

$ cp build/ build/
$ truncate --size=1042528 build/

Now we can confirm that the programs match:

$ sha256sum build/ onchain/
350bae669da9b92ded86c0a89013160c42c4691d1cd5947a285b2e6657bb0c5b build/
350bae669da9b92ded86c0a89013160c42c4691d1cd5947a285b2e6657bb0c5b onchain/