Formal Verification and Auditing of Smart Contracts

---

1. Introduction to Smart Contracts

• Definition: Smart contracts are self-executing contracts with the terms of the agreement directly written into code. They run on blockchain technology, enabling trustless transactions.
• Key Features:
  • Decentralization: Operate without a central authority.
  • Immutability: Once deployed, the contract code cannot be altered.
  • Transparency: All transactions are visible on the blockchain.

Use Cases

• Financial applications (DeFi)
• Supply chain management
• Identity verification
• Voting systems

---

2. Importance of Security in Smart Contracts

• Value Handling: Smart contracts often handle significant amounts of cryptocurrency, making them targets for attacks.
• Real-World Consequences: Vulnerabilities can lead to loss of funds, exploitation, and damage to trust in blockchain technology.
• Examples of Attacks:
  • The DAO hack (2016): $60 million lost due to reentrancy vulnerabilities.
  • Parity wallet incident (2017): $30 million frozen due to contract bugs.

Need for Formal Verification

To enhance the security of smart contracts, formal verification techniques are essential to ensure that contracts behave as intended under all circumstances.

---

3. What is Formal Verification?

Definition

• Formal Verification: The process of proving the correctness of a system relative to a formal specification using mathematical methods.
• Objective: To ensure that the implementation meets specified requirements and behaves as expected.

Comparison with Traditional Testing

• Traditional Testing:
  • Involves running test cases.
  • Cannot guarantee completeness; some cases may be missed.
• Formal Verification:
  • Provides mathematical proof of correctness.
  • Ensures all possible states are accounted for.

Benefits

• Increased Security: Identifies vulnerabilities that may not be apparent through testing.
• Certainty: Provides definitive guarantees about contract behavior.

---

4. Understanding Formal Models

What is a Formal Model?

• Definition: A mathematical abstraction that describes the behavior of a computational process.
• Purpose: To provide a framework for analyzing the execution and correctness of programs.

Types of Formal Models

1. High-Level Models:

   • Focus on the overall behavior of the smart contract.
   • Use finite state machines (FSM) to represent state transitions.
   • Example: Modeling a voting contract as an FSM with states for “Voting Open,” “Voting Closed,” and “Results Announced.”

2. Low-Level Models:

   • Provide detailed analysis of the contract’s execution.
   • Use control flow graphs (CFG) and program traces.
   • Example: Analyzing how each function call changes the state of a smart contract, identifying potential vulnerabilities.

Benefits of Formal Models

• Enable clearer reasoning about contract behavior.
• Allow for abstraction and separation of concerns in complex contracts.

---

5. What is a Formal Specification?

Definition

• Formal Specification: A precise description of the properties that a system (or smart contract) must satisfy.
• Components:
  • Invariants: Conditions that must always hold true.
  • Preconditions: Conditions that must be true before executing a function.
  • Postconditions: Conditions that must be true after executing a function.

Importance

• Specifies what the smart contract is supposed to do, providing a benchmark against which the contract can be verified.
• Ensures that the implementation meets the specified requirements throughout its execution.

Example of Formal Specification

• In a token transfer function:
  • Precondition: The sender has enough tokens.
  • Postcondition: The sender’s balance decreases, and the receiver’s balance increases.
• Diagram:

---

6. Types of Formal Specifications

1. High-Level Specifications

• Model-Oriented Specifications: Describe the overall behavior of the contract using FSMs.
• Temporal Logic: Used to express properties over time, such as:
  • Safety: “Nothing bad ever happens.”
  • Liveness: “Something good eventually happens.”

Example of Safety Property

• “A user’s balance should never fall below zero.”

2. Low-Level Specifications

• Property-Oriented Specifications: Analyze the internal workings of the contract.
• Hoare Logic: A formal system for reasoning about the correctness of computer programs.

Hoare Triple Example

• Hoare Triple: {P} c {Q}
  • Where P is the precondition, c is the command, and Q is the postcondition.

---

7. Techniques for Formal Verification

1. Model Checking

• Definition: An automated technique for verifying finite-state systems against specifications.
• Process:
  • Create an abstract mathematical model of the smart contract.
  • Use algorithms to explore all possible states.

Pros and Cons

• Pros: Exhaustively checks all states for violations.
• Cons: State explosion problem; can be infeasible for large systems.

2. Theorem Proving

• Definition: A method of proving the correctness of contracts using mathematical logic.
• Process:
  • Translate the contract’s properties into logical statements.
  • Use a theorem prover to establish logical equivalence.

Pros and Cons

• Pros: Can handle infinite-state systems.
• Cons: Often requires human intervention, making it more complex and time-consuming.

3. Symbolic Execution

• Definition: Analyzes smart contracts by executing them with symbolic inputs.
• Process:
  • Generate path predicates and check for satisfiability using SMT solvers.

Benefits

• Efficiently identifies vulnerabilities and generates concrete input values to reproduce errors.
• Provides a degree of mathematical proof of correctness.

---

8. Using Formal Verification Tools

Popular Tools

1. K Framework:

   • A framework for defining programming languages and verifying their properties.
   • Allows for executable specifications and formal analysis of smart contracts.

2. Dafny:

   • A programming language designed for verifying functional correctness.
   • Includes built-in support for assertions and contracts, making it easy to specify properties.

Case Studies

• Example: Using K Framework to specify and verify a token contract, ensuring that transfer functions meet safety and liveness requirements.

---

Slide 9: Summary Pros and Cons of Formal Verification

Formal verification is a mathematical approach used to prove or disprove the correctness of a system with respect to a certain formal specification or property. It has several advantages and challenges, especially in the context of software development, particularly in critical areas such as smart contracts, aerospace, healthcare systems, and other high-assurance fields.

Pros of Formal Verification

1. Mathematical Certainty:

   • Benefit: Formal verification provides mathematical guarantees that a system adheres strictly to its specifications. Unlike traditional testing, which can only cover a finite number of cases, formal verification checks all possible inputs and states.
   • Use Case: In systems where safety, security, and correctness are paramount (e.g., cryptography, aerospace, medical devices), this mathematical rigor ensures that no critical flaws remain undetected.

2. Detection of Edge Cases:

   • Benefit: Traditional testing may miss certain edge cases, particularly those that are rare or difficult to simulate. Formal verification analyzes all potential cases, including corner cases, to ensure the system behaves as expected under all possible conditions.
   • Use Case: In decentralized finance (DeFi), smart contracts handling large sums of money or sensitive operations can be vulnerable to rare but catastrophic bugs. Formal verification ensures that no obscure scenario could lead to a security breach.

3. Improved Security and Reliability:

   • Benefit: In systems where security is critical, formal verification can ensure that the system is free from vulnerabilities like buffer overflows, underflows, or logical inconsistencies.
   • Use Case: Industries such as defense, finance, and blockchain applications benefit significantly from this approach, where security flaws can have severe consequences.

4. Prevention of Costly Errors:

   • Benefit: Bugs in critical systems can lead to substantial financial loss, data breaches, or even life-threatening situations. Formal verification can prevent these by identifying errors early in the development process, thereby reducing the need for costly patches or fixes later on.
   • Use Case: Airbus uses formal methods to ensure the safety and reliability of its aircraft control systems, reducing the chance of fatal failures.

5. Increased Trustworthiness and Compliance:

   • Benefit: Formal verification can be used to meet regulatory standards and provide higher assurance of safety and correctness. This is crucial in regulated industries where software failure can lead to non-compliance with laws and standards.
   • Use Case: Medical software for life-support systems must meet stringent regulatory requirements, and formal verification can help ensure compliance with these.

6. Proof of Compliance with Complex Properties:

   • Benefit: Some properties, such as privacy, fairness, or non-repudiation in digital systems, can be challenging to validate using traditional methods. Formal verification allows developers to prove that the system respects these complex properties.
   • Use Case: Cryptographic systems, where proving zero-knowledge properties or other advanced cryptographic guarantees is crucial, benefit from formal verification.

Cons of Formal Verification

1. Complexity and Scalability:

   • Challenge: Formal verification can be extremely complex and resource-intensive, especially for large systems with millions of lines of code. It may require abstracting or simplifying certain parts of the system to make verification feasible.
   • Limitation: Large-scale systems (like operating systems or large enterprise software) may be difficult to verify completely due to the high computational requirements and time involved.

2. High Cost and Time-Consuming:

   • Challenge: Developing formal specifications and carrying out formal verification can be more time-consuming and expensive than traditional testing. It requires specialized knowledge, tools, and a thorough understanding of formal logic and mathematics.
   • Limitation: Many businesses cannot afford to employ formal verification throughout their entire software lifecycle, as it may slow down time-to-market and increase development costs.

3. Limited Availability of Expertise:

   • Challenge: Formal verification requires a highly specialized skill set that not all developers or engineers possess. This creates a barrier to entry, as finding experts in this field can be challenging and costly.
   • Limitation: Smaller companies or startups may find it difficult to integrate formal methods into their development process due to the scarcity of experts and the need for specialized tools.

4. Abstraction and Oversimplification:

   • Challenge: In some cases, the formal models used to verify a system may be oversimplified to make verification feasible. This could lead to situations where the formal model does not accurately represent the real system.
   • Limitation: Systems with heavy reliance on external dependencies or real-time environments may require abstractions that miss critical real-world issues.

5. Not a Guarantee of Overall Correctness:

   • Challenge: Formal verification can only prove the correctness of a system with respect to the specifications provided. If the specification itself is flawed or incomplete, formal verification will not catch these issues.
   • Limitation: The entire verification process depends on the quality of the specification. Poorly defined specifications can lead to incorrect conclusions about the system’s behavior.

6. Limited Tool Support:

   • Challenge: While tools for formal verification exist (e.g., Coq, Isabelle, TLA+, and Z3), they can be difficult to use and may not integrate seamlessly with modern development environments. Moreover, different tools are better suited for specific kinds of verification, making the choice of tools critical.
   • Limitation: Developers often face challenges integrating formal verification tools into their existing workflows, which may discourage its adoption.

7. Applicability to Specific Domains:

   • Challenge: Not all software systems require formal verification. For many low-risk, less critical applications, the benefits may not justify the time and expense. In these cases, traditional testing approaches might be sufficient.
   • Limitation: In areas like web or mobile app development, where the consequences of failure are not catastrophic, the overhead of formal verification may outweigh the potential gains.

---

Slide 10: Formal Verification vs Other Methods

• Unit Testing:

  • Faster, but doesn’t cover edge cases.
  • Prone to human error.

• Manual Audits:

  • Useful for deployed contracts.
  • Can miss subtle logic errors.

• Bug Bounties:

  • Involves the community.
  • Limited by the skill and time of participants.

• Static Analysis:

  • Scans for known vulnerabilities.
  • Doesn’t check the contract logic thoroughly.

---

Slide 11: Introduction to K Framework

• What is K Framework?

  • A formal language framework for defining and analyzing programming languages.
  • Used to define both syntax and semantics of smart contracts.

• Why use K Framework?

  • Supports multiple languages: C, Java, Solidity, etc.
  • Provides mathematically rigorous methods for verifying contracts.

---

Slide 12: K Framework Components

• 1. Syntax: Defines language elements like keywords and data types.
• 2. Configuration: Defines the state (e.g., account balances in smart contracts).
• 3. Transition Rules: Define the operations that occur when a function is called.

---

Slide 13: KEVM (K-Ethereum Virtual Machine)

• KEVM:

  • A specification for the Ethereum Virtual Machine written in K.
  • Verifies smart contracts at the bytecode level.

• Benefits of KEVM:

  • Detects potential vulnerabilities before deployment.
  • Provides machine-executable, human-readable, formal EVM semantics.

---

Slide 14: Solidity Smart Contract Example

• Sample Solidity Code:

  pragma solidity 0.4.25;
  contract ICO {
      mapping (address => uint256) private _balances;
      uint256 private _totalSupply;
      uint256 private _hardCap = 200 * (10 ** 18);
      uint256 private _rate = 2;
        
      function balanceOf(address owner) public view returns (uint256) {
          return _balances[owner];
      }
        
      function buy() public payable {
          require(msg.value != 0);
          require(_hardCap >= _totalSupply + msg.value * _rate);
          _balances[msg.sender] += msg.value * _rate;
          _totalSupply += msg.value * _rate;
      }
  }
  

• Explanation:

  • This smart contract represents a simple ICO.
  • Includes buy function to receive Ether and distribute tokens.

---

Slide 15: High-Level Specification in K

• High-Level Specification in K Framework:

  module ICO
      syntax AExp ::= "buy()" | "balanceOf(Address)"
      configuration <ico> ... </ico>
      rule <k> buy() => . </k> ... requires Total + Value * 2 <= HardCap
  endmodule
  

• Explanation:

  • Defines the behavior of buy() and balanceOf().
  • Checks for overflow and ensures tokens are distributed correctly.

---

Slide 16: Bytecode-Level Specification Example

• EVM-Level Specification:

  [buy]
  k: #execute => #halt
  storage:
      #hashedLocation({COMPILER}, {_BALANCES}, CALLER_ID) |-> BAL_FROM + MSGVALUE * 2
  requires:
      MSGVALUE > 0
      _SUPPLY + MSGVALUE * 2 <= _HARDCAP
  

• Explanation:

  • Specifies the interaction with the EVM, focusing on state changes in storage.

---

Slide 17: Conducting Smart Contract Audits

• Steps in Manual Review:

  1. Review contract code and business logic.
  2. Identify known vulnerabilities (e.g., reentrancy).
  3. Analyze gas usage and optimization opportunities.

• Automated Tools:

  • Mythril: A static analysis tool for detecting vulnerabilities.
  • Slither: Analyzes Solidity code for security risks.

---

Slide 18: Writing Comprehensive Audit Reports

• Report Components:

  1. Executive Summary: Overview of the findings.
  2. Detailed Vulnerability Description: List vulnerabilities with severity.
  3. Mitigation Recommendations: Suggest fixes for each issue.
  4. Test Results: Include unit tests and any proofs from formal verification.

• Tools: Integration with CI/CD for continuous monitoring and audit reporting.

---

Slide 19: Third-Party Auditing Services

• Popular Auditing Services:

  1. CertiK: Specializes in formal verification for blockchain projects.
  2. Trail of Bits: Provides comprehensive security assessments.
  3. OpenZeppelin: Smart contract library with auditing services.

• Certifications:

  • Smart contract auditing certifications, such as CertiK Shield and Quantstamp Badge, indicate contract safety and reliability.

---

Slide 20: Case Study: Formal Verification

Let’s walk through a practical example of how formal verification can be applied to an ICO smart contract. We will use a simplified Solidity contract, and then proceed through the steps of defining the formal specification, running verification with KEVM, and detecting a potential error in the contract.

Smart Contract Code Example: Simple ICO in Solidity

Here’s a basic ICO smart contract in Solidity:

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

contract SimpleICO {
    address public owner;
    uint256 public hardCap;
    uint256 public amountRaised;
    mapping(address => uint256) public balances;

    constructor(uint256 _hardCap) {
        owner = msg.sender;
        hardCap = _hardCap;
        amountRaised = 0;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "Not authorized");
        _;
    }

    function contribute() public payable {
        require(msg.value > 0, "Contribution must be greater than 0");
        require(amountRaised + msg.value <= hardCap, "Hard cap reached");

        balances[msg.sender] += msg.value;
        amountRaised += msg.value;
    }

    function withdrawFunds() public onlyOwner {
        require(amountRaised >= hardCap, "Hard cap not reached");
        payable(owner).transfer(amountRaised);
    }

    function refund() public {
        require(amountRaised < hardCap, "Refunds not allowed after hard cap");
        uint256 contributed = balances[msg.sender];
        require(contributed > 0, "No contributions to refund");

        balances[msg.sender] = 0;
        payable(msg.sender).transfer(contributed);
    }
}

Steps in Formal Verification

1. Define the Specification: High-Level and Bytecode

The formal specification consists of both high-level functional requirements and low-level bytecode properties.

High-Level Specification:

The key functional requirements for this ICO contract are:

• Contribution Rule: Users can contribute ETH, but the total amount raised must not exceed the hard cap.
• Withdraw Rule: The owner can withdraw funds only after the hard cap has been reached.
• Refund Rule: If the hard cap has not been reached, users can request a refund of their contribution.

Example Requirements:

• Contributions must not exceed the hardCap:

  require(amountRaised + msg.value <= hardCap)
  

• Only the owner can withdraw the funds:

  require(msg.sender == owner)
  

• Refunds are allowed only if the total amount raised is less than the hard cap:

  require(amountRaised < hardCap)
  

Bytecode-Level Specification:

At the bytecode level, we ensure that:

• Overflow/Underflow checks: Prevent arithmetic overflows in amountRaised + msg.value.
• Access control checks: Ensure that only the owner can call the withdrawFunds() function.
• Gas usage properties: Ensure that all functions behave within a certain gas limit to avoid reentrancy issues.

2. Use KEVM to Run Verification

Using the K Framework and KEVM, we can formally verify that the contract adheres to its specification. Here’s the process:

1. Translate the Contract to KEVM: Convert the compiled bytecode of the Solidity contract into KEVM’s formal model.
2. Apply Specifications: Encode the formal specification into KEVM. This will include the functional requirements (e.g., no overflow, correct access control) and low-level bytecode checks.
3. Run the Verification: Execute the KEVM engine to check whether the contract satisfies the formal specifications.

For example, the following properties could be encoded:

• Overflow prevention:

  rule <k> #underflow_check => . ... </k> when  amountRaised + contribution >= hardCap 
  

• Access control:

  rule <k> owner_check => require( msg.sender == owner) </k>
  

3. Error Handling: Detecting Bugs Like Overflow

Now, let’s simulate a bug in the code and see how formal verification would catch it.

Example Error: Changing require(_hardCap >= amountRaised) to require(_hardCap <= amountRaised) in withdrawFunds()

Imagine we accidentally modify the condition in the withdrawFunds() function, introducing a subtle bug:

function withdrawFunds() public onlyOwner {
    // Bug: incorrect condition
    require(amountRaised <= hardCap, "Hard cap not reached");
    payable(owner).transfer(amountRaised);
}

This error allows the owner to withdraw funds before the hard cap is reached, violating the original contract logic.

KEVM Verification Process:

When we run the formal verification with this bug in place, KEVM detects that the property of the withdrawFunds function (which requires the hard cap to be reached before withdrawing) is violated. The bytecode no longer conforms to the formal specification because the condition require(amountRaised >= hardCap) is incorrectly modified.

• KEVM will flag the following:

  • Specification Violated: The withdrawal logic is supposed to prevent funds from being withdrawn until the hard cap is reached. However, with the bug, the contract allows withdrawal when the raised amount is less than the hard cap.
  • Detected Misbehavior: KEVM detects this deviation by checking the original formal specification of the contract. The property stating that withdrawFunds can only be executed when the amount raised is greater than or equal to the hard cap fails.

• Formal Warning: The proof fails, and KEVM provides a warning that the modified condition violates the business logic.

Other Possible Bugs Detected:

• Overflow Bug in contribute(): If there’s no protection against overflow in amountRaised + msg.value, an attacker could trigger a wraparound, resulting in an incorrect amountRaised value. KEVM checks for this and ensures that the contract handles overflow errors correctly.

  Example:

  // Without proper overflow checks, this could lead to an error.
  require(amountRaised + msg.value <= hardCap, "Hard cap reached");
  

• Access Control Errors: If the onlyOwner modifier were accidentally removed from withdrawFunds(), KEVM would detect that unauthorized users can call the withdrawal function, which violates the specification that only the contract owner should have this ability.

Conclusion: Benefits of Formal Verification in Smart Contracts

By applying formal verification to this simple ICO contract, we ensure that:

• Functional correctness: The contract behaves as intended, particularly around critical operations like contributing, withdrawing, and refunding.
• Security: Bugs like overflow, underflow, and access control violations are detected early, before the contract is deployed.
• Reliability: Formal verification guarantees that the contract will behave correctly under all possible conditions, reducing the risk of financial loss or exploitation.

---

Slide 21: Conclusion

• Key Takeaways:

  • Formal verification provides a rigorous, mathematical method to ensure smart contract correctness.
  • It complements traditional auditing techniques like static analysis and manual review.
  • Tools like K Framework and KEVM allow developers to verify contract correctness before deployment.

• Final Thought:

  • As the smart contract ecosystem grows, the need for robust, verified contracts will continue to increase, making formal verification a critical skill.

---