Remove blocking dependency on etherscan

[SidestreamColdMelon]

Goal

Spell process is not blocked in case etherscan is down/not available

Context

As per the parent issue #29, currently there are multiple places in process which refer to etherscan as place to check something. But as etherscan is a centralised tool, we have to expect a possibility that 1) it is down 2) it is compromised and prepare accordingly.

Places where we refer to etherscan

• Check Rely events
  https://github.com/makerdao/pe-checklists/blob/1aa58eeb9044ac332df4351b80e9b9755454972f/spell/spell-reviewer-mainnet-checklist.md?plain=1#L92
• Check source code of a new contract
  https://github.com/makerdao/pe-checklists/blob/1aa58eeb9044ac332df4351b80e9b9755454972f/spell/spell-reviewer-mainnet-checklist.md?plain=1#L93
• Check deployed spell (manually)
  https://github.com/makerdao/pe-checklists/blob/1aa58eeb9044ac332df4351b80e9b9755454972f/spell/spell-reviewer-mainnet-checklist.md?plain=1#L347
  https://github.com/makerdao/pe-checklists/blob/1aa58eeb9044ac332df4351b80e9b9755454972f/spell/spell-reviewer-mainnet-checklist.md?plain=1#L368
• Checks deployed spell (using API)
  https://github.com/makerdao/pe-checklists/blob/1aa58eeb9044ac332df4351b80e9b9755454972f/spell/spell-reviewer-mainnet-checklist.md?plain=1#L355-L360
• Get priority fee
  https://github.com/makerdao/pe-checklists/blob/1aa58eeb9044ac332df4351b80e9b9755454972f/spell/spell-crafter-mainnet-workflow.md?plain=1#L182

Proposed circumvention

Use multiple different services to verify the source code.

Tasks

• Extend the verification script
  • Send flattened code to multiple services (potentially using forge verify-contract instead of making raw requests)
  • Ensure requests to services are non-blocking (in case one service is down)
• Editing checklists
  • Replace "etherscan" with "at least 2 trusted block scanners"
  • Define/refer to a "list of trusted blocks canners" (used by the verification script)
  • Get priority fee from a more decentralised source (or otherwise make it a recommendation)
• Replace or remove automatic check of the source code

[0x3phemeralsoul]

it should verify on:
Etherscan
Sourcify
Blockscout

This ticket should also update the checklist to include 2 out 3 verified sources from the above. Spell should always be verified in 2 sources at least, normally on the 3.

[0xp3th1um]

The following commands are used for verifying contracts (the spell in our case) on the different explorers/services supported by foundry:

1. Etherscan

forge verify-contract \
  "contract-address" \
  src/DssSpell.sol:DssSpell \
  --chain-id "chain-Id" \ # default is 1
  --libraries src/DssExecLib.sol:DssExecLib:LibraryAddress \
  --optimizer-runs 200 \ # if needed
  --verifier-url  "verifier-url" \
  --watch

2. Blockcout

forge verify-contract \
 "contract-address" \
 src/DssSpell.sol:DssSpell \
 --chain-id "chain-Id" \ # e.g. 11155111 for sepolia
 --libraries src/DssExecLib.sol:DssExecLib:LibraryAddress \
 --optimizer-runs 200 \ # if needed
 --verifier blockscout \
 --verifier-url verifier-url\ # e.g. https://eth-sepolia.blockscout.com/api/ 
 --watch

3. Sourcify

forge verify-contract \
  "contract-address" \
  src/DssSpell.sol:DssSpell \
  --chain-id "chain-Id" \ # default is 1
  --libraries src/DssExecLib.sol:DssExecLib:LibraryAddress \
  --optimizer-runs 200 \ # if needed
  --verifier sourcify \
  --watch

forge verify-contract was used because the contracts were deployed separately, they can also be verified by using forge script and passing the verify flag.

--verify \
  --verifier blockscout \
  --verifier-url <blockscout_homepage_explorer_url>/api/