> Doesn't matter if you do or don't publish the verified source code; if you do, no one will look at it, and if you don't, no one will notice/care that you didn't before investing their life savings in it.
As someone who doesn't know much at all about crypto, it seems insane that apparently coins can be closed source? But how? How does the chain know what code to execute?
The Ethereum interpreter bytecode is stored on the blockchain, but the source code isn't. (It'd be inefficient both for storage and CPU cycle reasons.) Basically like storing a Python .pyc or Java .class file.
There's pretty much a rule of thumb that tokens should always be open source, in part because it's much easier to hide a backdoor if you don't publish the source, and also because cryptocurrency communities generally share the open source, high-transparency ethos. The #1 Ethereum blockchain explorer site has a system that lets you submit source code for a contract, and they verify that the source code compiles to the exact same bytecode.
You can very safely assume that if there's no source, it's malware. For every single instance I've seen where a project doesn't publish the verified source code, it's always been because the code is backdoored.
You can decompile bytecode, but scam projects will often add a ton of obfuscation or even specific things to confuse the decompiler and make it fail to decompile certain parts. Better decompilers will keep getting written, so you theoretically won't ever be able to truly hide what your code is doing even if you don't publish source, but it's sort of moot because verified source code is bare minimum "table stakes" for anyone (competent) to interact with your project.
The caveat being that most investors are non-technical and don't have a clue what any of what I just wrote means and will just invest in whatever if it has a name and a logo. But in that case, they'll invest in a scam project whether or not they publish the source code. And for the percentage who do at least know that no source = scam, they'll still invest in every scam that does have source code, which is most of the scams.
My understanding is it's always reproducible if you submit the compiler version and flags you used. The (EVM compiler version, flags, source code) tuple should always generate the same bytecode.
(Though I guess it would be hard to imagine how that wouldn't be the case, if you're assuming the same reference compiler is used and that each release, no matter how minor, has a different version. A non-deterministic compiler is probably a bad idea, unless you're trying to make a Malbolge-type language or something.)
In theory perhaps you could discover some major compiler issue where benign-seeming source code generates malicious bytecode for a certain version, and then use that specific version to deploy and verify your contract, but I'm not aware of any such issues. I imagine there would probably have to be an incredibly big fuckup for that kind of bug to occur.
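To make the verification step from the comments above concrete (the explorer checking that submitted source "compiles to the exact same bytecode", and the point that the (compiler version, flags, source) tuple determines the output), here is an added Python example; it is not code from the thread or from any explorer. It assumes solc's documented layout, where the compiler appends a CBOR-encoded metadata map (an IPFS hash of the metadata JSON plus the solc version) to the runtime code, followed by a two-byte big-endian length of that map. Because the IPFS hash covers the full source text, a change in comments or whitespace changes the trailer but not the executable code, so a verifier compares the code part and reads the compiler version out of the trailer. The sample bytecode and hashes below are constructed, not taken from any real contract.

```python
# Added example (not from the thread): split solc runtime bytecode into the
# executable part and the trailing CBOR metadata, then compare a candidate
# compile against on-chain bytecode the way a source verifier would.
from dataclasses import dataclass


def _decode_cbor_map(blob: bytes) -> dict:
    """Minimal CBOR decoder for the flat map solc emits:
    text-string keys (major type 3) and byte-string values (major type 2)."""
    pos = 0

    def read_item():
        nonlocal pos
        first = blob[pos]
        pos += 1
        major, info = first >> 5, first & 0x1F
        if info < 24:
            length = info
        elif info == 24:                       # one-byte length follows
            length = blob[pos]
            pos += 1
        elif info == 25:                       # two-byte length follows
            length = int.from_bytes(blob[pos:pos + 2], "big")
            pos += 2
        else:
            raise ValueError("unsupported CBOR length encoding")
        if major == 2:                         # byte string
            val = blob[pos:pos + length]
            pos += length
            return val
        if major == 3:                         # text string
            val = blob[pos:pos + length].decode("utf-8")
            pos += length
            return val
        if major == 5:                         # map
            result = {}
            for _ in range(length):
                key = read_item()
                result[key] = read_item()
            return result
        if major == 7 and info in (20, 21):    # false / true ("experimental" flag)
            return info == 21
        raise ValueError(f"unsupported CBOR major type {major}")

    decoded = read_item()
    if pos != len(blob):
        raise ValueError("trailing bytes after CBOR map")
    return decoded


@dataclass
class SplitBytecode:
    code: bytes       # what the EVM actually executes
    metadata: dict    # decoded trailer: ipfs hash of metadata JSON, solc version


def split_metadata(runtime: bytes) -> SplitBytecode:
    """Last two bytes give the length of the CBOR map that precedes them."""
    meta_len = int.from_bytes(runtime[-2:], "big")
    if meta_len + 2 > len(runtime):
        raise ValueError("metadata length exceeds bytecode size")
    code = runtime[:-(meta_len + 2)]
    cbor = runtime[-(meta_len + 2):-2]
    return SplitBytecode(code, _decode_cbor_map(cbor))


def solc_version(meta: dict) -> str:
    """solc stores its version as three bytes: major, minor, patch."""
    major, minor, patch = meta["solc"]
    return f"{major}.{minor}.{patch}"


def matches_onchain(candidate: bytes, onchain: bytes, ignore_metadata: bool = True) -> bool:
    """Byte-exact match, or (default) match of the executable part only."""
    if not ignore_metadata:
        return candidate == onchain
    return split_metadata(candidate).code == split_metadata(onchain).code


def append_metadata(code: bytes, ipfs_hash: bytes, version: tuple) -> bytes:
    """Constructed sample only: mimic solc's {"ipfs": ..., "solc": ...} trailer."""
    assert len(ipfs_hash) == 34 and len(version) == 3
    cbor = (b"\xa2"
            + b"\x64ipfs" + b"\x58\x22" + ipfs_hash
            + b"\x64solc" + b"\x43" + bytes(version))
    return code + cbor + len(cbor).to_bytes(2, "big")


# Constructed sample inputs (hypothetical, not a real deployed contract).
CODE = bytes.fromhex("6080604052600080fd")          # PUSH1 80 PUSH1 40 MSTORE PUSH1 0 DUP1 REVERT
ONCHAIN = append_metadata(CODE, b"\x12\x20" + bytes(range(32)), (0, 8, 20))
# Same source logic recompiled after editing a comment: only the ipfs hash moves.
RECOMPILED_WITH_COMMENT_CHANGE = append_metadata(CODE, b"\x12\x20" + bytes(range(32, 64)), (0, 8, 20))
# Genuinely different source: the executable part differs.
DIFFERENT_SOURCE = append_metadata(bytes.fromhex("60806040526001600055"),
                                   b"\x12\x20" + bytes(range(32)), (0, 8, 20))

if __name__ == "__main__":
    meta = split_metadata(ONCHAIN).metadata
    print("compiled with solc", solc_version(meta))
    print("code match, metadata ignored:", matches_onchain(RECOMPILED_WITH_COMMENT_CHANGE, ONCHAIN))
    print("byte-exact match:", matches_onchain(RECOMPILED_WITH_COMMENT_CHANGE, ONCHAIN, ignore_metadata=False))
    print("different source matches:", matches_onchain(DIFFERENT_SOURCE, ONCHAIN))
```

The version read from the trailer is what tells a verifier which compiler release to run; feeding the submitted source to that exact release with the submitted optimizer settings and comparing the code part is the reproducibility check the thread describes. A byte-exact comparison that includes the trailer would reject a resubmission with nothing but a comment changed, which is why verifiers usually compare the executable part separately and report the metadata difference alongside it.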
Most chains have a low-level representation which higher-level smart contract source code is compiled to. E.g., have a look at the "contract creator code" section on this contract:
Ethereum apps are typically written in Solidity before being compiled to EVM bytecode. The EVM bytecode must be public, but one could keep the (more readable) Solidity code private, like distributing an executable without the source. I think it would be unusual though.