Bytecode is the compiled, low-level representation of smart contract code that the Ethereum Virtual Machine executes. When you write a contract in Solidity or Vyper, the compiler transforms your human-readable code into bytecode—a sequence of hexadecimal instructions that the EVM understands. Understanding bytecode is essential for security auditors analyzing deployed contracts, verifying compiler outputs, and investigating potential vulnerabilities at the execution level.

From Source to Bytecode

1Solidity Source Code
2        │
3        ▼  Compiler (solc)
4     Bytecode (hex)
5        │
6        ▼  Deployment
7  Contract on-chain
8        │
9        ▼  Execution
10    EVM processes opcodes

Example transformation:

1// Solidity
2function add(uint256 a, uint256 b) public pure returns (uint256) {
3    return a + b;
4}

Compiles to bytecode like:

16080604052348015600f57600080fd5b50607b...

Bytecode Structure

Deployed contracts have two bytecode sections:

Creation bytecode: Runs once during deployment, initializes state, returns runtime bytecode.

Runtime bytecode: Stored on-chain, executed when the contract is called.

1[Creation Code] → executes → returns → [Runtime Code stored on-chain]

Opcodes: The Building Blocks

Bytecode consists of opcodes—single-byte instructions:

Bytecode Analysis

Auditors examine bytecode to:

Verify source matches deployed code: Ensure the deployed bytecode matches compiled source.

Analyze unverified contracts: Understand behavior when source isn't available.

Check compiler optimizations: Verify optimizations don't introduce bugs.

Investigate exploits: Trace exactly what code executed during an attack.

Decompilation

Tools can partially reverse bytecode to readable code:

1# Using Panoramix (formerly Eveem)
2panoramix 0x1234...
3
4# Using Heimdall
5heimdall decompile 0x1234...

Decompilation recovers function logic but loses variable names and comments.

Contract Verification

Etherscan verification matches deployed bytecode to source:

1Compiled bytecode (from source) == Deployed bytecode (on-chain)

This proves the source code produces that exact bytecode, enabling auditors to review readable source.

Bytecode Size Limits

EVM limits contract size to 24,576 bytes (EIP-170). Large contracts must:

• Split into multiple contracts
• Use libraries
• Optimize aggressively

1// Check bytecode size
2forge build --sizes

Security Implications

Immutability: Once deployed, bytecode cannot be changed (except via proxy patterns).

Transparency: All bytecode is publicly visible on-chain.

Verification gaps: Unverified contracts may contain hidden malicious logic.

Compiler bugs: Bytecode may differ from expected behavior due to compiler vulnerabilities.

Metadata in Bytecode

Solidity appends metadata (IPFS hash of source) to bytecode:

1...contract bytecode...a264697066735822...cbor-encoded-metadata...

This metadata enables source verification but adds to bytecode size.

Audit Relevance

Understanding bytecode helps auditors:

1. Verify deployed code matches audited source
2. Analyze contracts without source code
3. Understand exactly what the EVM executes
4. Detect bytecode-level optimizations that might affect security

Bytecode is the ground truth of smart contract execution—everything else is abstraction built on top.