1

I am trying to understand how a web application using web3 is pulling the data and how I can inspect it.

Example:

https://charts.bogged.finance/?token=0xD2602dBB063627B80D5ae671007900F558c49E35

If you look at the network tab, it will contain requests such as:

{
    "id": 19,
    "jsonrpc": "2.0",
    "method": "eth_call",
    "params": [
        {
            "data": "0x0eb22982000000000000000000000000d2602dbb06362000000000000000000bb4cdb9cbd36b01bd1cbaebf2de08d9173bc095c",
            "to": "0x0bd91f45fca6428680c02a79a2496d6f97bdf24a"
        },
        "latest"
    ]
}

and responses such as:

{
    "id": 19,
    "jsonrpc": "2.0",
    "result": "0x000000000000000000000000000000000000000000000000b0020ad7e5d55dc9"
}

Neither is particularly useful.

As far as I understand, to is the contract address.

TylerH
  • 20,799
  • 66
  • 75
  • 101
Gajus
  • 69,002
  • 70
  • 275
  • 438

1 Answers1

1

The requests go to https://bsc-dataseed.binance.org/, which is a JSON-RPC endpoint of Binance Smart Chain. This particular node seems to be operated by Binance directly.

The eth_call is a read-only method of the JSON-RPC API.

The params.data contain ABI-encoded function signature (first 4 bytes, or 8 hex characters after the 0x) and arguments (after the signature) passed to the function.

Unfortunately the authors of the target contract have not published its source code, and the decompiled bytecode is a bit messy (the decompiler returns some pseudocode). But it shows that the function with signature 0eb22982 (on line 99 of the pseudocode) takes two addresses as arguments:

def unknown0eb22982(addr _param1, addr _param2) payable: 
  require calldata.size - 4 >= 64
  require ext_code.size(stor2)
  static call stor2.0x8fc06c02 with:
          gas gas_remaining wei
         args addr(_param1), _param2

, calls an external contract (found its address through querying the storage slot, also does not have source code published), transforms the result and returns the transformation.

If they published the source code, you could go through the Solidity function definitions and find one that translates to the known signature.

You can find more info about converting the definition (e.g. transferOwnership(address)) to the signature (e.g. f2fde38b) in my other answer.

Gajus
  • 69,002
  • 70
  • 275
  • 438
Petr Hejda
  • 40,554
  • 8
  • 72
  • 100
  • Thak you. This is great. Even though we do not have that contract published, that JavaScript code is calling this contract. So it must have JSON interface? Otherwise, how would it call it / decode the output? – Gajus May 14 '21 at 14:31
  • It's probable that the JS app has JSON interface of the contract. Or at least it has information that the contract implements some standard interface (such as BEP20). – Petr Hejda May 14 '21 at 14:41