Andamio Logo

Contract Verification

Confirm that Andamio's deployed on-chain contracts are exactly the code we publish — cryptographically, without trusting Andamio and without any source release.

Enterprise integrators need to confirm that the contracts they rely on are governed by exactly the code Andamio claims — not take it on trust. You can verify this yourself, cryptographically, with no source release required.

This page proves which code is deployed (identity). For whether that code is correct (behavior), see the independent Security Audit.

How verification works

Every Andamio on-chain contract is identified by a script hash — a blake2b-224 hash of the compiled validator bytes. A script address embeds that hash as its payment credential (CIP-19); a minting policy ID is that hash. Because the hash binds to the compiled artifact rather than the source, anyone can confirm that a given address or policy is governed by exactly the code we publish the hash for — without Andamio releasing the source.

The compiled bytes are already public: each validator is deployed on mainnet as a reference script (CIP-33), so the bytecode lives permanently in the UTxO set. To verify, you fetch those bytes, hash them, and confirm the result equals the published hash.

Andamio Protocol V2 — mainnet

Minting policies

The policy ID is the script hash — verify it directly.

ContractScript hash (= policy ID)
Access Tokene760308d0c14096ff479ec5f2495455505feb790503903fe976c4fd2
Instancea8d2f21558831626a4ab01582a4568be1dac3298e6b92450a8e839a3
Instance Admin16c5b8eaf75a95d04cfdaa20d4a227835ec9c52db75ff0df12806a5f
Instance Providerda109ad01a8d7050e079ed7537930ba074b37fa3fdad76320788b2e8
Index Admin0de83d7df97fcf539c56a43605d77800d93917a678af5d2c1702c423
Index Ref Token98128687f1622463d2d37cba33150c14b32651ebc96cbb52ad975cba

Spend validators

The script hash is the address's payment credential.

ContractScript address
Global Stateaddr1x84ulqv75kc4880kx3e22jwec55n7arkazjljy34q5axxuvch6g0j0xe5272m2ysjs698fnmdlrpt4qseng6wp04z6psypmkwq
Index Ref Validatoraddr1xyp6xrsf4z9tl7r2dkydg75763e2g5vjpawt9uksgjwetpuch6g0j0xe5272m2ysjs698fnmdlrpt4qseng6wp04z6ps4hvn9s
Index Scriptsaddr1x8nkqvydps2qjml508k97fy4g42stl4hjpgrjql7jakyl55ch6g0j0xe5272m2ysjs698fnmdlrpt4qseng6wp04z6psfdeh90
Instance Governance Scriptsaddr1x9jptucmd72z6g2qw9c8dm4try6w8y34ac2a7ntudj0m8luch6g0j0xe5272m2ysjs698fnmdlrpt4qseng6wp04z6ps6tp63q
Instance Provider Scriptsaddr1x8dppxksr2xhq58q08kh2dunpws8fvml50766a3jq7yt96ych6g0j0xe5272m2ysjs698fnmdlrpt4qseng6wp04z6pse7ytve
Instance Scriptsaddr1xx5d9us4tzp3vf4y4vq4s2j9dzlpmtpjnrntjfzs4r5rnguch6g0j0xe5272m2ysjs698fnmdlrpt4qseng6wp04z6psl3she9

Prerequisites

The commands below assume a small toolchain:

  • A Blockfrost mainnet project ID (the free tier is fine), exported as $BLOCKFROST. It must be a mainnet key — a preprod key returns 404 for these hashes.
  • jq to pull fields out of JSON responses.
  • cardano-cli, recent enough for hash script and address info --address … | jq .base16.

Blockfrost is only a convenient way to fetch the on-chain bytes — it is not a trusted party. Any source works (for a keyless fetch, Koios needs no account); the proof is that you recompute the hash and it matches.

Verify it yourself

A minting policy — confirm the on-chain script hashes to the listed policy ID:

# The /scripts/{hash} endpoint is keyed by the hash, so this only fetches the
# bytes Blockfrost holds for that key — a 200 alone is not proof (any source
# works). The proof is recomputing the hash yourself and matching it. Fetch:
CBOR=$(curl -s -H "project_id: $BLOCKFROST" \
  https://cardano-mainnet.blockfrost.io/api/v0/scripts/<script_hash>/cbor | jq -r .cbor)
# Andamio's validators are Plutus V3 (language-tag byte 0x03). Let cardano-cli
# prepend the tag and hash — it computes blake2b-224(0x03 || script):
printf '{"type":"PlutusScriptV3","description":"","cborHex":"%s"}' "$CBOR" > script.plutus
cardano-cli hash script --script-file script.plutus   # must equal <script_hash>
# If it does not match, the bytes are double-CBOR-wrapped: decode one CBOR
# bytestring layer (e.g. `cbor2`/`xxd`) before re-wrapping, then hash again.

A spend validator — extract the script hash from the address, then verify as above:

# The script hash is the payment credential embedded in the address: the
# 28 bytes right after the 1-byte header. Decode to base16 and slice it out:
cardano-cli address info --address <addr1x...> | jq -r .base16 | cut -c3-58
# → the script hash. Then fetch + verify it exactly as for a minting policy.

A match proves the address or policy is governed by exactly the compiled validator we publish the hash for. No source, no trust in Andamio.

A worked example

The commands above use placeholders, so a reader can't tell success from a subtle mistake. Here is the full minting-policy path with real values — the Access Token policy:

HASH=e760308d0c14096ff479ec5f2495455505feb790503903fe976c4fd2
CBOR=$(curl -s -H "project_id: $BLOCKFROST" \
  "https://cardano-mainnet.blockfrost.io/api/v0/scripts/$HASH/cbor" | jq -r .cbor)
printf '{"type":"PlutusScriptV3","description":"","cborHex":"%s"}' "$CBOR" > script.plutus
cardano-cli hash script --script-file script.plutus
# → e760308d0c14096ff479ec5f2495455505feb790503903fe976c4fd2   ✓ matches HASH

And the spend-validator path, using the Global State address — extract its script hash, then fetch + hash it exactly as above:

ADDR=addr1x84ulqv75kc4880kx3e22jwec55n7arkazjljy34q5axxuvch6g0j0xe5272m2ysjs698fnmdlrpt4qseng6wp04z6psypmkwq
cardano-cli address info --address "$ADDR" | jq -r .base16 | cut -c3-58
# → ebcf819ea5b1539df63472a549d9c5293f7476e8a5f91235053a6371
# Feed that script hash into the minting-policy steps above; it recomputes to itself.

Project treasuries

The contracts above are the global protocol — one deployment, one hash each. Project treasuries are different. Each project holds its funds in its own treasury contract, so there is no single static hash to publish. That is exactly where an enterprise's money sits, so it is exactly where verification matters most.

Every project treasury is the same audited validator, parameterized for one project. Six parameters are applied to it; five are global constants shared by every project, and only one varies: the project NFT policy ID, which is the project's ID. Both that ID and the shared parameters are public, so a project's treasury hash is fully determined by public data. Nothing is hidden, so verification stays as trustless as the static contracts above, just recomputed per project.

In practice the recompute is even simpler than applying parameters from scratch. We pin one deployed treasury as a reference script; the only thing that differs between any two project treasuries is a single 28-byte run (the project NFT policy ID). Substitute your project's ID into the reference script, hash 0x03 || script with blake2b-224, and you have that project's treasury hash. The widget below does this in your browser. Nothing is sent anywhere.

Project treasury verifier
preprod

This verifier currently covers preprod. Mainnet uses its own deployed reference (different global parameters); a mainnet pin follows once published.

To confirm a result is the treasury actually in use, open the derived address in the explorer and check that it holds the project's funds, or paste the treasury address you were given and let the widget compare it. A match proves that address runs exactly the canonical Andamio treasury code, parameterized for your project, with no source release and no trust in Andamio.

Identity and correctness, together

  • Identity (this page): the cryptographic proof above confirms which code is deployed.
  • Correctness (Security Audit): TxPipe independently audited the validator and minting-policy surface, covering threats like token theft, protocol halting, and double satisfaction.

Together they let an integrator confirm both that Andamio runs the code it claims, and that the code was independently reviewed.