Bytecode
Published Last updated
Key Takeaway
The low-level machine-readable instructions that smart contracts compile into for execution on the Ethereum Virtual Machine, representing the actual code that nodes process rather than human-readable source code.
Learn These First
What Is Bytecode?
The low-level machine-readable instructions that smart contracts compile into for execution on the Ethereum Virtual Machine, representing the actual code that nodes process rather than human-readable source code.
How Bytecode Works
Frequently Asked Questions
Why does bytecode matter if I'm just using smart contracts, not building them?
Bytecode matters for users because it represents what actually executes when you interact with smart contracts, regardless of what source code developers claim to have written. A malicious developer could show you safe-looking Solidity code while deploying completely different harmful bytecode that steals your funds. Contract verification on sites like Etherscan allows you to confirm that the readable source code actually matches the deployed bytecode through compilation. Before trusting contracts with significant value, check for the green verification checkmark and review the verified source code. Unverified contracts only show bytecode—the raw machine instructions that are nearly impossible for humans to understand. The verification checkmark means someone linked human-readable Solidity to the deployed bytecode, enabling community security review. Always prefer verified contracts when possible.
How can I check if a smart contract's bytecode matches its published source code?
Use blockchain explorers like Etherscan, which provide contract verification features. When viewing a contract address, look for a green checkmark and 'Contract' tab. Verified contracts show 'Contract Source Code Verified,' letting you read the Solidity code that compiled into the deployed bytecode. Etherscan confirms the published source code compiles to identical bytecode as what's deployed on-chain. For additional verification, you can download the source code, compile it yourself using the specified compiler version, and compare the resulting bytecode to what's deployed—though this requires technical expertise. Block explorers also show the actual deployed bytecode in the 'Bytecode' tab for comparison. Multiple explorers (Etherscan, Blockchair) independently verify contracts, providing additional confidence. Always check verification status before trusting contracts with substantial funds.
Can bytecode be changed after a contract is deployed?
No, bytecode cannot be directly modified after deployment—it's immutable on the blockchain. However, upgradeable contracts use proxy patterns to change effective bytecode indirectly. A proxy contract delegates function calls to an implementation contract containing the actual logic. By changing which implementation the proxy points to, developers can effectively 'upgrade' functionality without modifying the original deployed bytecode. The proxy's bytecode remains unchanged, but it redirects to different implementation bytecode over time. This upgradeability introduces centralization risks—whoever controls the upgrade mechanism can change contract behavior, potentially maliciously. When evaluating contracts, check if they're upgradeable and who controls upgrade authority. Non-upgradeable contracts provide stronger immutability guarantees—their behavior is permanently fixed. Upgradeable contracts offer flexibility but require trusting upgrade controllers not to abuse that power. The bytecode itself is always immutable; upgradeability works around this through architectural patterns.
Common Misconceptions About Bytecode
If a developer publishes Solidity source code for a contract, that's what's actually running on Ethereum.
Only the compiled bytecode runs on Ethereum, not the Solidity source code. Developers could publish safe-looking Solidity while deploying completely different malicious bytecode. This is why contract verification through services like Etherscan is critical—verification confirms the published source code actually compiles into the exact bytecode deployed on-chain. Without verification, there's no guarantee the source code you're reading matches what executes when you interact with the contract. Always check for verified contracts (green checkmark on Etherscan) before trusting them with funds. Reading published source code without verification provides false security since there's no proof that code is actually what runs. The bytecode is the source of truth; everything else is claims that need independent verification.
Bytecode is too technical to matter for regular users—it's only relevant for developers.
While regular users don't need to read bytecode directly, understanding that only bytecode executes (not source code) is critical for security. This knowledge explains why contract verification matters—it proves the readable source code actually compiled into the deployed bytecode. Users should always prefer verified contracts because verification links human-readable code to the executed bytecode, enabling community security review. Unverified contracts show only incomprehensible bytecode, making security evaluation impossible for most people. Even without technical skills to read bytecode or Solidity, recognizing that verification bridges the gap between readable code and executed instructions helps users make safer decisions. The practical takeaway: check for verification checkmarks and favor projects that publish and verify their source code publicly.
Decompiling bytecode back to Solidity gives you the exact original source code.
Decompilers produce approximate high-level code from bytecode, not the exact original Solidity source. The compilation process loses information like variable names, comments, original code structure, and developer intent. Decompiled code is functionally similar to the original but typically less readable, using generic variable names (var_1, var_2) instead of meaningful names. Multiple different Solidity programs can compile to identical or similar bytecode, making perfect reverse compilation impossible. Decompilers are useful for security research when source code isn't available, but they produce reconstructed code that's harder to understand than well-written original Solidity. This is another reason contract verification matters—verified contracts let you read the actual developer-written, well-documented source code rather than machine-reconstructed approximations. Always prefer verified source over decompiled bytecode for understanding contract functionality.