TMPA-2021: Formal Verification of the Eth2.0 beacon Chain

Transcript

1. 1 Formal Verification of the Beacon Chain Specs Franck Cassez

   Trustworthy Smart Contracts Team November 2021 Franck Cassez ConsenSys https://franck44.github.io/ Joanne Fuller ConsenSys Aditya Asgaonkar Ethereum Foundation

2. 3 3 The Beacon Chain

3. 4 4 The Beacon Chain Ethereum 2.0 overall architecture. Original

   diagram by Ben Edgington. & Hsiao-Wei Wang Original diagram by Ben Edgington. & Hsiao-Wei Wang

4. 6 6 Why/What Formal Verification? Proposed Solution • Use formal

   verification for thorough analysis • Report/fix issues • Source code (git repo) for: ▪ Formal specifications ▪ Correctness/termination proofs ▪ Implementation (e.g. serialise/deserialise) Problems • Management of huge amount of assets • Specs may be ambiguous & buggy • Hard for developers to understand • Bugs critical/costly consequences • Absence of functional specs • Mission critical embedded system

5. 8 8 Verification Project: Scope

6. 9 9 Scope of the project Design a formal specification

   of the Beacon Chain No runtime errors Functional Guarantees Develop a machine-checkable proof that code is correct Provide guarantees on code executed on a node Termination

7. 11 11 Formal Verification Hoare logic proof with Dafny

8. 12 12 How does it work? Pre/post conditions – Floyd-Hoare

   Logic function get_next_power_of_two(n : int) : int requires n >= 0 // pre-condition ensures get_next_power_of_two(n) >= 1 // post-condition { if n <= 2 then 2 else 2 * get_next_power_of_two( (n + 1) / 2) } Implementation How the result is computed Specification What properties should the result satisfy? Floyd-Hoare Logic Sir C.A.R. Hoare (1934 –) Turing Award 1980 R. W. Floyd (1936 – 2001) Turing Award 1978

9. 13 13 Dafny – A Verification-Friendly Programming Language Program +

   Pre/Post conditions Dafny Verification Engine Verification Condition F (Logical formula) Solver F is valid program/proofs are correct F is not valid counter-example Proofs As Programs Inconclusive Timeout

10. 14 14 Phase 0 Components

11. 15 15 Beacon Chain (Phase 0) Components State Transition •

    Update client state • Process slots ▪ epochs • Process block ▪ block tree ▪ validators ▪ balances ▪ votes ▪ slashings SSZ/Merkle • Serialisation (SSZ) ▪ Data structures ▪ Serialise/deserialise • Merkleisation ▪ Data structures ▪ Merkle trees ▪ Merkle proofs ForkChoice • LMD-GHOST • Canonical chain • Finalised blocks • Justified blocks https://github.com/ConsenSys/eth2.0-dafny

12. 16 16 SSZ/Merkleisation

13. 17 17 Serialise/Deserialise (SSZ) – Example What: Convert object O

    to sequence of bytes and back 1 1 0 1 1 1 1 0 1 0 1 0 1 1 0 1 1 1 1 0 1 0 1 0 1 0 0 0 Serialise Deserialise Main proof (involution): Deserialise( Serialise( O ) ) = O 8 bits padding Bit list:

14. 18 18 Serialise/Deserialise – Involution Proof goal

15. 19 19 State Transition

16. 20 20 State change Epoch 1 Epoch 2 Epoch 3

    Slots S1 S’1 S’’1 S2 S3 S’3 Beacon Blocks

17. 21 21 Proof Strategy Outcome: • absence of runtime errors

    • Proof of termination • functional correctness Imperative implementation Functional correctness

18. 22 22 State Transition - Pre & Post Conditions Pre

    Conditions Post Conditions

19. 24 24 State Transition – Process Block Pre Conditions Post

    Conditions

20. 26 26 ForkChoice

21. 27 27 LMD-GHOST/GasperFFG Votes Last epoch boundary Last justified

22. 28 28 LMD-GHOST/GasperFFG Check point Justified Validators Finalised Justified

23. 29 29 Dafny Example – ForkChoice Lemma 4 Example code

24. 38 38 Issue #2500 Array-out-of-bounds

25. 39 39 Context - Rewards and Penalties process_rewards_and_penalties get_attestation_deltas get_target_deltas

    get_source_deltas get_inclusion_delay_deltas get_head_deltas get_inactivity_penalty_deltas get_attestation_component_deltas get_unslashed_attesting_indices get_attesting_indices

26. 40 40 get_attesting_indices out of bounds? bits.Length == MAX_VALIDATORS_PER_COMMITTEE get_beacon_committee(_).Length

    <= MAX_VALIDATORS_PER_COMMITTEE

27. 41 41 Analysis & Calculations Number of Active Validators V

    No Array out of bounds? V ≤ 4, 194, 304 ✅ 4, 194, 304 < V < 4, 196, 352 at least one input s.t. array-out-of-bounds 4, 196, 352 ≤ V for all input array-out-of-bounds

28. 42 42 Detailed Analysis

29. 43 43 Limitations, Assumptions & Simplifications

30. 44 44 Limitations, Assumptions and Simplifications Simplifications • ForkChoice ▪

    Dafny data types ▪ deposit is 1ETH/validator • Known environment bounds assumed ▪ Finite amount of ETH ▪ Max number of validators Limitations • Abstract hash function • SSZ ▪ generic types ▪ not used in StateTransition/ForkChoice • Randomness ▪ not taken into account Assumptions • Trust base: Dafny + Z3 • Python -> Dafny preserves semantics

31. 45 45 Verification Effort & Impact

32. 46 46 Reading group Gasper, Advanced verification, Dafny Verification Effort

    Person/mth 24 Dafny projects top 5 Ethereum Foundation Support Dedicated contact point Formal verification Dafny coding sessions + Background Theory

33. 48 48 Bug/Discussions Reports

34. 49 49 Key Takeaways Verifier PL Dafny Eth2 specs verified

    85% Eth2.0 bug reports/fixes 20 Dafny bug reports 5 Lines of Code 9000+ Lines of Document. 4800+ Theorems proved 231 Joint Effort EF+CSI

35. 50 50 Impact Foster Use of Formal Methods • Blogs

    & Presentations ▪ Blog Formally Verifying Eth2.0 Specs ▪ Blog Coding Journey to Dafny Evangelist ▪ Ethereum Engineering Meet-up talk ▪ R&D week Formal verification of Eth2 BC • Paper Formal Verification of Eth2.0 Improve Software Reliability • Formally verified SSZ/Merkle/ForkChoice • Proofs machine-checkable • Specs ▪ language-agnostic ▪ candidate reference spec • Embedded documentation

36. 51 51 Conclusion Resources • EF spec writers team ~8

    • CSI spec verification team ~2 ▪ Absence of runtime errors ▪ Extracting functional specs ▪ Proving consistency • Dafny adoption ▪ EF Eth2.0 spec writers – 4 sessions Main Roadblocks • Eth2.0 specs ▪ Unstructured ▪ Imperative/exception ⇔ invalid ▪ Duplicate data structures • Dafny ▪ Limited VSCode support ▪ Proof logical complexity/time complexity Improving Dafny Specs • Functional specifications of ▪ valid attestations • Specs ▪ Candidate reference spec • Extract Embedded documentation

37. 52 52 Resources Blogs Formally Verifying Eth2.0 Specs Aug 2020

    Coding Journey to Dafny Evangelist December 2020 Code Eth2.0 Specs in Dafny Deposit Smart Contract in Dafny Dafny coding sessions https://arxiv.org/abs/2110.12909