Wasm code is on blockchain?

The ICP guidance published by a well-known think tank in Japan includes the following statement.This is an English translation of part.
link: https://www.jri.co.jp/MediaLibrary/file/column/opinion/pdf/13450.pdf

Wasm code does not appear on the blockchain, so the risk is assumed that developers will arbitrarily rewrite it.
The risk of developers arbitrarily rewriting the Wasm code is assumed.

Is this true?

The wiki states.

Contracts on the IC are called canisters and contain WASM byte code. This allows to create contracts in a range of programming languages. In addition, there’s Motoko, a programming language that has been purposefully designed to write canisters in the actor model for the IC.

It reads to me that Canister keeps the contracts in byte code and they are on the blockchain, but I would like to confirm.If this guidance is incorrect, I would have asked them to correct it.

1 Like

I guess this report wants to say the canister controller can upgrade or change the canister code arbitrarily.


I thought this part refers to the fact that we can see the candid or functions with ICscan, but we can’t check the entire code.
Certainly this statement is misleading.

1 Like

I checked with Canlista, but these are only public functions, private is not listed. Also not all the codes are there, is there any reason not to have all the codes available for viewing like Ethereum?


In the case of Ethereum, the code will not be visible automatically too.
Developers have to register their code through Ethscan’s API.
In ICP, the Candid file plays the role of IDL.

1 Like

@hokosugi the risk the paper alleges is the immutability of code.

In theory code in the Ethereum blockchain is immutable, meaning once deployed it can’t be changed or upgraded. In practice this is no longer true, there are many ways to deploy code in Ethereum that can be upgraded, meaning it can be changed and is not fixed.

The reason Smart Contracts went towards the ability to fix themselves somehow is because problems do happen, and fixes are needed. Ethereum makes it hard to do this, but it’s entirely possible.

On the IC, from our reading of the technical documents, the code runs as WASM in a cluster of nodes. That code can be upgraded anytime. This has a huge advantage for developers, and business, but indeed it introduces the possibility of fraud.

However, as I explained above, Ethereum also has this problem.

Regarding actual auditing of the code itself, the WASM in the chain, this should be possible, but I am not sure if we have the tooling to do it easily yet. Any developers here can comment on this? FWIW WASM is not really readable, is semi compiled code for fast execution, for readable code you need open source of the code running on the IC Smart contract.


The wasm code is on the chain, but raw blocks are (currently) not accessible to entities other than the nodes in the specific subnet. Third parties have only access to a hash of the wasm module. However, if developers publish the source code and follow a reproducible building procedure, then everyone will be able to verify the canister. There’ll be more tooling to support this soon.

1 Like

Will that change in the future? Afaik there are plans to publish blocks of ledger and NNS subnet, does that extend to other subnets too?

No, not every subnet will suddenly disclose the raw blocks. As you said, there are plans to make the NNS blocks public. Further out there might be public and private application subnets (in the sense of public/private raw blocks), and developers could choose. For example, DeFi applications might want live on a public subnet, whereas certain social applications don’t want to.