Smart contracts play a vital role in the Ethereum ecosystem. Because security issues of many kinds are prevalent in smart contracts, smart contract verification, the process of matching a smart contract's source code to its on-chain bytecode so that smart contract developers and users can trust each other, is urgently needed. Although smart contract verification services are embedded in popular Ethereum block explorers (e.g., Etherscan and Blockscout) and in the official platform (i.e., Sourcify), and are widely used in the ecosystem, their security and trustworthiness remain unclear. To fill this void, we present the first comprehensive security analysis of smart contract verification services in the wild. By examining the detailed workflow of existing verifiers, we summarize the key security properties they should satisfy and observe eight types of vulnerabilities that can break verification. We further propose a series of detection and exploitation methods to reveal these vulnerabilities in the most popular services, uncovering 19 exploitable vulnerabilities in total. All the studied smart contract verification services can be abused to help spread malicious smart contracts, and we have already observed attackers using this kind of trick for scams. It is therefore urgent for our community to take action to detect and mitigate security issues in smart contract verification, a key component of the Ethereum smart contract ecosystem.
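The matching step the abstract refers to, as an added illustration that is not the paper's own tooling: a verifier compiles the submitted source and compares the resulting runtime bytecode with what is deployed on chain. The example assumes the solc convention that runtime bytecode ends with a CBOR metadata block followed by a two-byte big-endian length, and uses Sourcify's "full match" / "partial match" vocabulary (a partial match ignores the metadata trailer, so it only proves that the executable code agrees, not that comments, file names or compiler settings do). All bytecode below is constructed sample data; compilation itself and the handling of immutables and linked libraries are out of scope.

```python
"""Classify how compiler output relates to on-chain runtime bytecode.

Added example, not the paper's code. Assumes the solc trailer layout:
    <executable code> <CBOR metadata> <2-byte big-endian metadata length>
"""


def split_metadata(code: bytes) -> tuple[bytes, bytes]:
    """Split runtime bytecode into (executable, metadata).

    If the trailing length field is implausible (zero, or larger than the
    code itself) the whole blob is treated as executable code, which is the
    safe default: nothing gets silently ignored during comparison.
    """
    if len(code) < 2:
        return code, b""
    meta_len = int.from_bytes(code[-2:], "big")
    if meta_len == 0 or meta_len + 2 > len(code):
        return code, b""
    return code[: -(meta_len + 2)], code[-(meta_len + 2):-2]


def classify_match(compiled: bytes, onchain: bytes) -> str:
    """Return "full", "partial" or "none".

    full    - byte-for-byte identical, metadata included
    partial - executable code identical, metadata differs (source may differ
              in comments, whitespace, file paths or compiler settings)
    none    - executable code differs, or either side is empty
    """
    if not compiled or not onchain:
        return "none"
    if compiled == onchain:
        return "full"
    compiled_code, _ = split_metadata(compiled)
    onchain_code, _ = split_metadata(onchain)
    if compiled_code == onchain_code:
        return "partial"
    return "none"


def with_trailer(executable: bytes, metadata: bytes) -> bytes:
    """Append a metadata block and its 2-byte length (constructed helper)."""
    return executable + metadata + len(metadata).to_bytes(2, "big")


# Constructed sample data: a short run of EVM opcodes and two valid CBOR maps
# {"ipfs": 0x01} and {"ipfs": 0x02} standing in for real metadata hashes.
SAMPLE_EXECUTABLE = bytes.fromhex("6080604052348015600f57600080fd5b50")
SAMPLE_META_A = b"\xa1\x64ipfs\x41\x01"
SAMPLE_META_B = b"\xa1\x64ipfs\x41\x02"


if __name__ == "__main__":
    onchain = with_trailer(SAMPLE_EXECUTABLE, SAMPLE_META_A)
    print(classify_match(with_trailer(SAMPLE_EXECUTABLE, SAMPLE_META_A), onchain))
    print(classify_match(with_trailer(SAMPLE_EXECUTABLE, SAMPLE_META_B), onchain))
    print(classify_match(with_trailer(b"\x60\x00\x60\x00\xfd", SAMPLE_META_A), onchain))
```

The point for a verifier operator is that the match level must be surfaced to users: a partial match says nothing about the metadata, and a malformed or missing trailer must not cause bytes to be dropped from the comparison.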