How to Verify a Smart Contract Before You Interact With It
Every token, every protocol, every approval request involves a smart contract. If you can't read it, you don't know what it does. Here's how to check — and what to look for.
MetaMask shows you a contract address and asks you to approve it to spend your USDC. You have no way to tell who deployed it, what it can actually do, or whether the code matches what the site claims. You click Approve because the interface looks legitimate. That's exactly the gap that contract verification is supposed to close.
When a contract is verified on Etherscan, the developer has published the original Solidity source code and proven it compiles to the bytecode deployed on-chain. Anyone can read exactly what the contract does — no coding knowledge required for the basics. When a contract isn't verified, you're looking at raw machine code that's effectively unreadable, and you have no idea what you're approving.
How to check verification on Etherscan
1. Go to etherscan.io (or bscscan.com for BSC, basescan.org for Base)
2. Paste the contract address in the search bar
3. Click the "Contract" tab on the contract page
4. A green checkmark and readable Solidity source code means it's verified
5. If you only see a wall of hex bytecode, it's unverified — treat it as a red flag
Verified contracts also show "Read Contract" and "Write Contract" tabs, which let you query the contract state and simulate interactions directly in your browser.
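The same check can be scripted against Etherscan's contract lookup endpoint. The following is an added example, not code from this page or from TxnGuide: it parses the JSON that Etherscan's `module=contract&action=getsourcecode` query returns (fields `SourceCode`, `ABI`, `ContractName`, `CompilerVersion`, `Proxy`, `Implementation`) and decides whether the contract is verified and whether it is a proxy. The URL shape is assumed from Etherscan's documented V1 API, and the three responses embedded below are constructed samples with placeholder addresses, not real contracts.

```python
"""Classify an Etherscan getsourcecode response as verified / unverified / proxy.

Added example, not the page's or TxnGuide's code. Assumes the response layout
documented by Etherscan's contract API; all sample data below is constructed.
"""
import json
from dataclasses import dataclass

# Etherscan returns this literal ABI string when no source has been verified.
UNVERIFIED_ABI_MARKER = "Contract source code not verified"


def api_url(address: str, api_key: str, host: str = "api.etherscan.io") -> str:
    """Build the lookup URL (assumed V1 endpoint; swap host for bscscan/basescan)."""
    return (f"https://{host}/api?module=contract&action=getsourcecode"
            f"&address={address}&apikey={api_key}")


@dataclass
class ContractCheck:
    address: str
    verified: bool
    contract_name: str
    compiler_version: str
    is_proxy: bool
    implementation: str

    def red_flags(self) -> list[str]:
        """Plain-language warnings a wallet user would want before approving."""
        flags = []
        if not self.verified:
            flags.append("source not verified: you would be approving opaque bytecode")
        if self.is_proxy:
            flags.append("upgradeable proxy: logic can be swapped; check the implementation "
                         f"contract too ({self.implementation or 'unknown'})")
        return flags


def classify(address: str, response_json: str) -> ContractCheck:
    """Parse one getsourcecode response (as JSON text) into a ContractCheck."""
    payload = json.loads(response_json)
    if payload.get("status") != "1" or not payload.get("result"):
        raise ValueError(f"lookup failed: {payload.get('message', 'no message')}")
    entry = payload["result"][0]
    source = entry.get("SourceCode") or ""
    # Verified means real source text is present and the ABI is not the marker string.
    verified = bool(source.strip()) and entry.get("ABI") != UNVERIFIED_ABI_MARKER
    return ContractCheck(
        address=address,
        verified=verified,
        contract_name=entry.get("ContractName") or "",
        compiler_version=entry.get("CompilerVersion") or "",
        is_proxy=entry.get("Proxy") == "1",
        implementation=entry.get("Implementation") or "",
    )


# --- constructed sample responses (placeholder addresses, not real contracts) ---
PLACEHOLDER_ADDR = "0x0000000000000000000000000000000000000001"
PLACEHOLDER_IMPL = "0x0000000000000000000000000000000000000002"

VERIFIED_SAMPLE = json.dumps({"status": "1", "message": "OK", "result": [{
    "SourceCode": "pragma solidity ^0.8.20; contract Example { }",
    "ABI": "[]", "ContractName": "Example", "CompilerVersion": "v0.8.20+commit.placeholder",
    "Proxy": "0", "Implementation": ""}]})

UNVERIFIED_SAMPLE = json.dumps({"status": "1", "message": "OK", "result": [{
    "SourceCode": "", "ABI": UNVERIFIED_ABI_MARKER, "ContractName": "",
    "CompilerVersion": "", "Proxy": "0", "Implementation": ""}]})

PROXY_SAMPLE = json.dumps({"status": "1", "message": "OK", "result": [{
    "SourceCode": "pragma solidity ^0.8.20; contract ERC1967Proxy { }",
    "ABI": "[]", "ContractName": "ERC1967Proxy", "CompilerVersion": "v0.8.20+commit.placeholder",
    "Proxy": "1", "Implementation": PLACEHOLDER_IMPL}]})


if __name__ == "__main__":
    for label, sample in [("verified", VERIFIED_SAMPLE),
                          ("unverified", UNVERIFIED_SAMPLE),
                          ("proxy", PROXY_SAMPLE)]:
        check = classify(PLACEHOLDER_ADDR, sample)
        print(f"{label:>10}: verified={check.verified} proxy={check.is_proxy} "
              f"flags={check.red_flags()}")
```

To run it against a live contract, fetch `api_url(address, api_key)` with any HTTP client and pass the response body to `classify`; the `Proxy`/`Implementation` fields are what tell you that the "Contract" tab you are reading may not be the logic that actually executes.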
What to actually look for in the source code
You don't need to be a Solidity developer to spot dangerous functions. These are the patterns worth searching for:
- mint() or _mint() with no access control — anyone or the owner can create new tokens infinitely
- setTax() or updateFee() — tax rates that can be changed after you buy
- blacklist() or blockWallet() — functions that can prevent specific addresses from selling
- transferOwnership() without a timelock — ownership can be transferred to a new malicious address
- Upgradeable proxy patterns (look for delegatecall) — the contract logic can be swapped out entirely
Most of these are legitimate in some contexts. The question is whether they have appropriate access controls and whether you trust the entity that controls them.
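The search the list above describes can be automated as a first pass over verified source. The following is an added example, not code from this page or from any scanner the page names: a small heuristic that finds the listed function names in Solidity source, records whether each is publicly callable and whether it carries an access-control modifier, and flags `delegatecall` as a proxy indicator. The sample contract it runs on is constructed for this example; the modifier names it treats as access control (`onlyOwner`, `onlyRole`, `onlyMinter`, `onlyAdmin`) are an assumption, so treat a "high" result as a reason to read the function, not as a verdict.

```python
"""Heuristic scan of Solidity source for the risky function patterns above.

Added example, not the page's own code. Regex-based, so it only finds what is
literally named; a function that mints under a different name is not caught.
"""
import re
from dataclasses import dataclass

# Function names worth a second look, with the reason in plain language.
WATCHED = {
    "mint": "can create new tokens",
    "_mint": "can create new tokens",
    "setTax": "fee can be changed after you buy",
    "updateFee": "fee can be changed after you buy",
    "blacklist": "can stop specific addresses from transferring or selling",
    "blockWallet": "can stop specific addresses from transferring or selling",
    "transferOwnership": "control can move to a new address",
}
# Assumed set of modifier names that count as access control.
ACCESS_MODIFIERS = ("onlyOwner", "onlyRole", "onlyMinter", "onlyAdmin")

# function <name>(<params>) <visibility/modifiers> { or ;
FUNCTION_RE = re.compile(
    r"function\s+(?P<name>\w+)\s*\([^)]*\)\s*(?P<mods>[^{;]*?)\s*[{;]")


@dataclass
class Finding:
    name: str
    reason: str
    external: bool           # public/external: anyone can call it
    access_controlled: bool  # carries one of ACCESS_MODIFIERS

    @property
    def severity(self) -> str:
        if self.external and not self.access_controlled:
            return "high"    # anyone can call a dangerous function
        if self.external:
            return "medium"  # privileged: depends on trusting whoever holds the key
        return "info"        # internal helper; check who calls it


def strip_comments(src: str) -> str:
    """Remove // and /* */ comments so commented-out code is not reported."""
    src = re.sub(r"//[^\n]*", "", src)
    return re.sub(r"/\*.*?\*/", "", src, flags=re.S)


def scan(source: str) -> list[Finding]:
    src = strip_comments(source)
    findings = []
    for m in FUNCTION_RE.finditer(src):
        name = m.group("name")
        if name not in WATCHED:
            continue
        mods = m.group("mods")
        external = bool(re.search(r"\b(public|external)\b", mods))
        gated = any(mod in mods for mod in ACCESS_MODIFIERS)
        findings.append(Finding(name, WATCHED[name], external, gated))
    if "delegatecall" in src:
        # Proxy indicator: flagged as medium because whether it is dangerous
        # depends entirely on who can change the implementation.
        findings.append(Finding("delegatecall",
                                "upgradeable proxy: logic can be replaced", True, True))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    counts = {"high": 0, "medium": 0, "info": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed sample contract showing several of the listed patterns.
SAMPLE_SOURCE = """
pragma solidity ^0.8.20;
contract SampleToken {
    address public owner;
    address public implementation;
    mapping(address => bool) private _blacklist;
    uint256 public sellTax = 3;
    modifier onlyOwner() { require(msg.sender == owner); _; }
    // Unrestricted public mint: anyone can inflate supply.
    function mint(address to, uint256 amount) public { _mint(to, amount); }
    function setTax(uint256 newTax) external onlyOwner { sellTax = newTax; }
    function blacklist(address who) external onlyOwner { _blacklist[who] = true; }
    function transferOwnership(address newOwner) external onlyOwner { owner = newOwner; }
    function _mint(address to, uint256 amount) internal { }
    function _delegate(address impl) internal { (bool ok, ) = impl.delegatecall(msg.data); require(ok); }
}
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_SOURCE):
        print(f"[{f.severity:>6}] {f.name}: {f.reason}")
    print(summarize(scan(SAMPLE_SOURCE)))
```

On the sample, the unrestricted `mint` is the only "high" finding; the owner-gated functions come out "medium", which matches the article's point that these functions are often legitimate and the real question is who controls them.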
Faster tools for contract checks
GoPlus Security API — automated analysis that flags hidden mint functions, sell restrictions, blacklist capabilities, and whether the contract is verified. Used by major aggregators. The fastest way to get a risk summary.
Token Sniffer — good for newly launched tokens. Runs a quick audit and assigns a score. Not a substitute for reading the code, but useful for filtering obvious scams.
Dedaub Contract Library — decompiles unverified contracts into pseudo-code. Not perfectly readable, but often good enough to spot obvious drainer functions.
Frequently asked questions
What does it mean for a smart contract to be verified?
The source code is published and proven to match the deployed bytecode. You can read exactly what the contract does. Without verification, you only see bytecode — machine code that's nearly impossible to audit for hidden traps.
How do I check if a contract is verified on Etherscan?
Search the contract address on etherscan.io, click "Contract." A green checkmark and readable source code means verified. Bytecode only means unverified. The Read/Write Contract tabs only appear for verified contracts.
Is it safe to interact with an unverified contract?
Usually no — especially for approvals or token purchases. Legitimate protocols verify their contracts. An unverified contract hides what it does. The risk is too high for approval-granting interactions.
Contract verification check before every approval
TxnGuide checks whether the contract is verified every time MetaMask shows you an approval request — and explains in plain English what the contract is asking for. No more guessing. Free Chrome extension.