Is it risky to publicly share a verified smart contract address and source code for transparency?
Original post
Hi everyone, I'm building a small non-custodial USDC transfer app, and I recently verified the app's contract on BaseScan. Now I'm considering publishing the contract address and source code more visibly on our official website and GitHub, so users can inspect how the transfer and fee logic works.

The contract is simple: when a user sends USDC, it pulls the approved USDC from the sender and routes it to:

- the recipient
- the project's fee wallet

The fee logic is fixed in the contract:

- 0.39%
- minimum fee: 0.25 USDC
- maximum fee: 3.90 USDC

The contract does not have an admin function to change the fee after deployment. The USDC token address and fee recipient are immutable.

I understand that BaseScan verification is not the same as a formal audit, and I do not plan to describe it as audited or guaranteed safe.

My question is: Is it generally safe and reasonable for an early-stage crypto payment/transfer app to publicly share its verified contract address and source code on its website and GitHub for transparency? Or could this create meaningful risks, such as:

- making it easier for attackers to analyze the contract
- creating legal/marketing risk if users misunderstand "verified" as "audited"
- exposing too much business logic too early
- attracting criticism before the contract has a formal audit

I'm not asking whether this replaces an audit. I'm trying to understand whether public disclosure of an already verified contract is a good transparency practice, or whether there are risks I should consider first. What would you recommend?

submitted by /u/Alternative-Goat7010
Drafts
Publicly sharing a verified contract address and source for a simple non-custodial transfer is standard practice on Base and helps users inspect immutable logic like your fixed 0.39% fee with caps. It reduces information asymmetry without claiming audit status, which you already avoid. The main downsides are limited: attackers can already read verified code on explorers, so GitHub/website publication adds little new attack surface. Greater risk comes from users mistaking verification for security or from any uncaught edge cases in fee routing. Focus on clear disclaimers about no admin keys and immutable parameters. A lightweight peer review or checklist review of the transfer and approval flow often surfaces issues faster than waiting for a full audit at an early stage.
Your fee caps and immutable setup look reasonable on paper for a basic router. If the contract is small, sharing the address here lets me check the actual transfer logic and any approval assumptions before wider publication. Many early teams run into subtle USDC allowance issues rather than fee math itself.
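As an added example (not the poster's contract and not a reply from the thread), the fee schedule from the post modelled in Python alongside the allowance and balance checks the second draft refers to; computing in integer USDC base units, deducting the fee from the sent amount, and rejecting payments smaller than the minimum fee are assumptions the post does not state.

```python
"""Model of the fee routing described in the post (added example, not the
project's contract). Amounts are integers in USDC base units (6 decimals),
as a Solidity implementation would compute them. Assumptions: the fee is
taken out of the sent amount, and an amount the minimum fee would consume
is rejected rather than paid entirely to the fee wallet."""

ONE_USDC = 10 ** 6               # USDC has 6 decimals
FEE_BPS = 39                     # 0.39% expressed in basis points
MIN_FEE = 250_000                # 0.25 USDC
MAX_FEE = 3_900_000              # 3.90 USDC


def compute_fee(amount: int) -> int:
    """Fixed 0.39% fee with floor division, clamped to [0.25, 3.90] USDC."""
    if amount <= 0:
        raise ValueError("amount must be positive")
    fee = amount * FEE_BPS // 10_000   # integer math rounds down, like Solidity
    return min(max(fee, MIN_FEE), MAX_FEE)


def route_transfer(amount: int, allowance: int, balance: int) -> dict:
    """Decide how `amount` splits between recipient and fee wallet, after the
    checks a transferFrom-based router must pass. Returns a result dict
    instead of reverting so each failure mode is visible to the caller."""
    if allowance < amount:
        return {"ok": False, "error": "insufficient allowance for transferFrom"}
    if balance < amount:
        return {"ok": False, "error": "insufficient USDC balance"}
    fee = compute_fee(amount)
    if fee >= amount:
        # Below roughly 0.25 USDC the minimum fee would swallow the payment;
        # rejecting here is an assumed policy, not something the post states.
        return {"ok": False, "error": "amount too small to cover the minimum fee"}
    return {"ok": True, "to_recipient": amount - fee, "to_fee_wallet": fee}


if __name__ == "__main__":
    for usdc in (0.20, 10, 100, 1000, 5000):
        print(usdc, route_transfer(int(usdc * ONE_USDC), 10**12, 10**12))
```

The minimum cap applies up to about 64.10 USDC and the maximum cap from exactly 1000 USDC upward, which is where a reviewer would check the rounding and clamp order.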