Contract Verification
Confirm that Andamio's deployed on-chain contracts are exactly the code we publish — cryptographically, without trusting Andamio and without any source release.
Enterprise integrators need to confirm that the contracts they rely on are governed by exactly the code Andamio claims — not take it on trust. You can verify this yourself, cryptographically, with no source release required.
This page proves which code is deployed (identity). For whether that code is correct (behavior), see the independent Security Audit.
How verification works
Every Andamio on-chain contract is identified by a script hash — a blake2b-224 hash of the compiled validator bytes. A script address embeds that hash as its payment credential (CIP-19); a minting policy ID is that hash. Because the hash binds to the compiled artifact rather than the source, anyone can confirm that a given address or policy is governed by exactly the code we publish the hash for — without Andamio releasing the source.
The compiled bytes are already public: each validator is deployed on mainnet as a reference script (CIP-33), so the bytecode lives permanently in the UTxO set. To verify, you fetch those bytes, hash them, and confirm the result equals the published hash.
Andamio Protocol V2 — mainnet
Minting policies
The policy ID is the script hash — verify it directly.
| Contract | Script hash (= policy ID) |
|---|---|
| Access Token | e760308d0c14096ff479ec5f2495455505feb790503903fe976c4fd2 |
| Instance | a8d2f21558831626a4ab01582a4568be1dac3298e6b92450a8e839a3 |
| Instance Admin | 16c5b8eaf75a95d04cfdaa20d4a227835ec9c52db75ff0df12806a5f |
| Instance Provider | da109ad01a8d7050e079ed7537930ba074b37fa3fdad76320788b2e8 |
| Index Admin | 0de83d7df97fcf539c56a43605d77800d93917a678af5d2c1702c423 |
| Index Ref Token | 98128687f1622463d2d37cba33150c14b32651ebc96cbb52ad975cba |
Spend validators
The script hash is the address's payment credential.
| Contract | Script address |
|---|---|
| Global State | addr1x84ulqv75kc4880kx3e22jwec55n7arkazjljy34q5axxuvch6g0j0xe5272m2ysjs698fnmdlrpt4qseng6wp04z6psypmkwq |
| Index Ref Validator | addr1xyp6xrsf4z9tl7r2dkydg75763e2g5vjpawt9uksgjwetpuch6g0j0xe5272m2ysjs698fnmdlrpt4qseng6wp04z6ps4hvn9s |
| Index Scripts | addr1x8nkqvydps2qjml508k97fy4g42stl4hjpgrjql7jakyl55ch6g0j0xe5272m2ysjs698fnmdlrpt4qseng6wp04z6psfdeh90 |
| Instance Governance Scripts | addr1x9jptucmd72z6g2qw9c8dm4try6w8y34ac2a7ntudj0m8luch6g0j0xe5272m2ysjs698fnmdlrpt4qseng6wp04z6ps6tp63q |
| Instance Provider Scripts | addr1x8dppxksr2xhq58q08kh2dunpws8fvml50766a3jq7yt96ych6g0j0xe5272m2ysjs698fnmdlrpt4qseng6wp04z6pse7ytve |
| Instance Scripts | addr1xx5d9us4tzp3vf4y4vq4s2j9dzlpmtpjnrntjfzs4r5rnguch6g0j0xe5272m2ysjs698fnmdlrpt4qseng6wp04z6psl3she9 |
Prerequisites
The commands below assume a small toolchain:
- A Blockfrost mainnet project ID (the free tier is fine), exported as
$BLOCKFROST. It must be a mainnet key — a preprod key returns404for these hashes. jqto pull fields out of JSON responses.cardano-cli, recent enough forhash scriptandaddress info --address … | jq .base16.
Blockfrost is only a convenient way to fetch the on-chain bytes — it is not a trusted party. Any source works (for a keyless fetch, Koios needs no account); the proof is that you recompute the hash and it matches.
Verify it yourself
A minting policy — confirm the on-chain script hashes to the listed policy ID:
# The /scripts/{hash} endpoint is keyed by the hash, so this only fetches the
# bytes Blockfrost holds for that key — a 200 alone is not proof (any source
# works). The proof is recomputing the hash yourself and matching it. Fetch:
CBOR=$(curl -s -H "project_id: $BLOCKFROST" \
https://cardano-mainnet.blockfrost.io/api/v0/scripts/<script_hash>/cbor | jq -r .cbor)
# Andamio's validators are Plutus V3 (language-tag byte 0x03). Let cardano-cli
# prepend the tag and hash — it computes blake2b-224(0x03 || script):
printf '{"type":"PlutusScriptV3","description":"","cborHex":"%s"}' "$CBOR" > script.plutus
cardano-cli hash script --script-file script.plutus # must equal <script_hash>
# If it does not match, the bytes are double-CBOR-wrapped: decode one CBOR
# bytestring layer (e.g. `cbor2`/`xxd`) before re-wrapping, then hash again.A spend validator — extract the script hash from the address, then verify as above:
# The script hash is the payment credential embedded in the address: the
# 28 bytes right after the 1-byte header. Decode to base16 and slice it out:
cardano-cli address info --address <addr1x...> | jq -r .base16 | cut -c3-58
# → the script hash. Then fetch + verify it exactly as for a minting policy.A match proves the address or policy is governed by exactly the compiled validator we publish the hash for. No source, no trust in Andamio.
A worked example
The commands above use placeholders, so a reader can't tell success from a subtle mistake. Here is the full minting-policy path with real values — the Access Token policy:
HASH=e760308d0c14096ff479ec5f2495455505feb790503903fe976c4fd2
CBOR=$(curl -s -H "project_id: $BLOCKFROST" \
"https://cardano-mainnet.blockfrost.io/api/v0/scripts/$HASH/cbor" | jq -r .cbor)
printf '{"type":"PlutusScriptV3","description":"","cborHex":"%s"}' "$CBOR" > script.plutus
cardano-cli hash script --script-file script.plutus
# → e760308d0c14096ff479ec5f2495455505feb790503903fe976c4fd2 ✓ matches HASHAnd the spend-validator path, using the Global State address — extract its script hash, then fetch + hash it exactly as above:
ADDR=addr1x84ulqv75kc4880kx3e22jwec55n7arkazjljy34q5axxuvch6g0j0xe5272m2ysjs698fnmdlrpt4qseng6wp04z6psypmkwq
cardano-cli address info --address "$ADDR" | jq -r .base16 | cut -c3-58
# → ebcf819ea5b1539df63472a549d9c5293f7476e8a5f91235053a6371
# Feed that script hash into the minting-policy steps above; it recomputes to itself.Project treasuries
The contracts above are the global protocol — one deployment, one hash each. Project treasuries are different. Each project holds its funds in its own treasury contract, so there is no single static hash to publish. That is exactly where an enterprise's money sits, so it is exactly where verification matters most.
Every project treasury is the same audited validator, parameterized for one project. Six parameters are applied to it; five are global constants shared by every project, and only one varies: the project NFT policy ID, which is the project's ID. Both that ID and the shared parameters are public, so a project's treasury hash is fully determined by public data. Nothing is hidden, so verification stays as trustless as the static contracts above, just recomputed per project.
In practice the recompute is even simpler than applying parameters from scratch. We pin one deployed treasury as a reference script; the only thing that differs between any two project treasuries is a single 28-byte run (the project NFT policy ID). Substitute your project's ID into the reference script, hash 0x03 || script with blake2b-224, and you have that project's treasury hash. The widget below does this in your browser. Nothing is sent anywhere.
This verifier currently covers preprod. Mainnet uses its own deployed reference (different global parameters); a mainnet pin follows once published.
To confirm a result is the treasury actually in use, open the derived address in the explorer and check that it holds the project's funds, or paste the treasury address you were given and let the widget compare it. A match proves that address runs exactly the canonical Andamio treasury code, parameterized for your project, with no source release and no trust in Andamio.
Identity and correctness, together
- Identity (this page): the cryptographic proof above confirms which code is deployed.
- Correctness (Security Audit): TxPipe independently audited the validator and minting-policy surface, covering threats like token theft, protocol halting, and double satisfaction.
Together they let an integrator confirm both that Andamio runs the code it claims, and that the code was independently reviewed.