TMPA-2021: Formal Verification of the Eth2.0 Beacon Chain

Franck Cassez, ConsenSys

TMPA is an annual International Conference on Software Testing, Machine Learning and Complex Process Analysis. The conference will focus on the application of modern methods of data science to the analysis of software quality.

To learn more about Exactpro, visit our website https://exactpro.com/

Follow us on
LinkedIn https://www.linkedin.com/company/exactpro-systems-llc
Twitter https://twitter.com/exactpro

Exactpro

November 26, 2021

Transcript

  1. Slide 1: Formal Verification of the Beacon Chain Specs
     Trustworthy Smart Contracts Team, November 2021
     Franck Cassez, ConsenSys, https://franck44.github.io/
     Joanne Fuller, ConsenSys
     Aditya Asgaonkar, Ethereum Foundation

  2. Slide 3: The Beacon Chain

  3. Slide 4: The Beacon Chain
     Ethereum 2.0 overall architecture. Original diagram by Ben Edgington & Hsiao-Wei Wang.

  4. Slide 6: Why/What Formal Verification?
     Problems
     • Management of a huge amount of assets
     • Specs may be ambiguous & buggy
     • Hard for developers to understand
     • Bugs have critical/costly consequences
     • Absence of functional specs
     • Mission-critical embedded system
     Proposed Solution
     • Use formal verification for thorough analysis
     • Report/fix issues
     • Source code (git repo) for:
       ▪ Formal specifications
       ▪ Correctness/termination proofs
       ▪ Implementation (e.g. serialise/deserialise)

  5. Slide 8: Verification Project: Scope

  6. Slide 9: Scope of the project
     • Design a formal specification of the Beacon Chain
     • Develop a machine-checkable proof that the code is correct
     • Provide guarantees on the code executed on a node: no runtime errors, termination, functional guarantees

  7. Slide 11: Formal Verification – Hoare logic proof with Dafny

  8. Slide 12: How does it work? Pre/post conditions – Floyd-Hoare Logic
     Dafny example (specification: what properties should the result satisfy; implementation: how the result is computed):

       function get_next_power_of_two(n : int) : int
         requires n >= 0                          // pre-condition: the caller must supply a non-negative n
         ensures get_next_power_of_two(n) >= 1    // post-condition: the result is always at least 1
       {
         // implementation: halve (rounding up) until n <= 2, doubling on the way back
         if n <= 2 then 2 else 2 * get_next_power_of_two((n + 1) / 2)
       }

     Floyd-Hoare Logic: Sir C.A.R. Hoare (1934–), Turing Award 1980; R. W. Floyd (1936–2001), Turing Award 1978.

  9. Slide 13: Dafny – A Verification-Friendly Programming Language
     Program + pre/post conditions → Dafny verification engine → verification condition F (logical formula) → solver
     • F is valid: program/proofs are correct
     • F is not valid: counter-example
     • Inconclusive: timeout
     Proofs as programs.

  10. Slide 14: Phase 0 Components

  11. Slide 15: Beacon Chain (Phase 0) Components
     State Transition
     • Update client state
     • Process slots
       ▪ epochs
     • Process block
       ▪ block tree
       ▪ validators
       ▪ balances
       ▪ votes
       ▪ slashings
     SSZ/Merkle
     • Serialisation (SSZ)
       ▪ Data structures
       ▪ Serialise/deserialise
     • Merkleisation
       ▪ Data structures
       ▪ Merkle trees
       ▪ Merkle proofs
     ForkChoice
     • LMD-GHOST
     • Canonical chain
     • Finalised blocks
     • Justified blocks
     https://github.com/ConsenSys/eth2.0-dafny

  12. Slide 16: SSZ/Merkleisation

  13. Slide 17: Serialise/Deserialise (SSZ) – Example
     What: convert an object O to a sequence of bytes (Serialise) and back (Deserialise).
     Figure: bit list 1 1 0 1 1 1 1 0 1 0 1 0 1 1 0 1 1 1 1 0 1 0 1 0 1 0 0 0, serialised with 8 bits padding.
     Main proof (involution): Deserialise(Serialise(O)) = O

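As an added example (not code from the talk or from the eth2.0-dafny repository), the SSZ Bitlist encoding this slide illustrates, written in Python: bits are packed least-significant-bit first, a single 1 bit is appended as a length delimiter, and the result is zero-padded to a whole byte. The sample inputs are constructed here, not taken from the slide's figure, and the check at the end is the involution Deserialise(Serialise(O)) = O.

```python
from typing import List


def serialise_bitlist(bits: List[bool]) -> bytes:
    """SSZ Bitlist serialisation: pack bits LSB-first, then set a single
    1 bit right after the last data bit as a length delimiter. The
    delimiter is what lets the decoder recover the exact length once the
    encoding has been padded out to whole bytes."""
    n = len(bits)
    out = bytearray(n // 8 + 1)          # always leaves room for the delimiter
    for i, bit in enumerate(bits):
        if bit:
            out[i // 8] |= 1 << (i % 8)
    out[n // 8] |= 1 << (n % 8)          # delimiter bit at position n
    return bytes(out)


def deserialise_bitlist(data: bytes) -> List[bool]:
    """Inverse of serialise_bitlist. The last byte must be non-zero (it
    carries the delimiter); the position of its highest set bit is the
    length of the list, everything above it is padding."""
    if not data or data[-1] == 0:
        raise ValueError("invalid SSZ bitlist: missing length delimiter")
    n = (len(data) - 1) * 8 + data[-1].bit_length() - 1
    return [bool((data[i // 8] >> (i % 8)) & 1) for i in range(n)]


def round_trips(bits: List[bool]) -> bool:
    """The involution property from the slide, checked on one input."""
    return deserialise_bitlist(serialise_bitlist(bits)) == list(bits)


# Constructed sample inputs: the empty list, a list that exactly fills a
# byte (so the delimiter spills into a new byte), and a 20-bit list that
# needs 4 bits of padding after the delimiter.
SAMPLES = [
    [],
    [True] * 8,
    [bool(int(c)) for c in "11011110101011011110"],
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(serialise_bitlist(sample).hex(), round_trips(sample))
```
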
  14. Slide 18: Serialise/Deserialise – Involution Proof goal

  15. Slide 19: State Transition

  16. Slide 20: State change
     Figure: Epoch 1, Epoch 2, Epoch 3; slots; states S1, S'1, S''1, S2, S3, S'3; beacon blocks.

  17. Slide 21: Proof Strategy
     Figure labels: Imperative implementation, Functional correctness.
     Outcome:
     • absence of runtime errors
     • proof of termination
     • functional correctness

  18. Slide 22: State Transition – Pre & Post Conditions
     Figure: Dafny code with pre conditions and post conditions.

  19. Slide 24: State Transition – Process Block
     Figure: Dafny code with pre conditions and post conditions.

  20. Slide 26: ForkChoice

  21. Slide 27: LMD-GHOST/Gasper FFG (figure labels: Votes, Last epoch boundary, Last justified)

  22. Slide 28: LMD-GHOST/Gasper FFG (figure labels: Checkpoint, Justified, Validators, Finalised, Justified)

  23. Slide 29: Dafny Example – ForkChoice Lemma 4 (example code)

  24. Slide 38: Issue #2500 – Array-out-of-bounds

  25. Slide 39: Context – Rewards and Penalties
     Call graph from process_rewards_and_penalties down to get_attesting_indices:
     process_rewards_and_penalties → get_attestation_deltas → get_source_deltas, get_target_deltas, get_head_deltas, get_inclusion_delay_deltas, get_inactivity_penalty_deltas
     get_attestation_component_deltas → get_unslashed_attesting_indices → get_attesting_indices

  26. Slide 40: get_attesting_indices out of bounds?
     The attestation's aggregation bits have bits.Length == MAX_VALIDATORS_PER_COMMITTEE, and get_attesting_indices indexes them by position in the committee, so the access is in bounds only if
     get_beacon_committee(_).Length <= MAX_VALIDATORS_PER_COMMITTEE

  27. Slide 41: Analysis & Calculations
     Number of active validators V     | Array out of bounds?
     V ≤ 4,194,304                     | No ✅
     4,194,304 < V < 4,196,352         | at least one input s.t. array-out-of-bounds
     4,196,352 ≤ V                     | for all inputs array-out-of-bounds

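To make the three regions of this table reproducible, here is an added Python example (not code from the talk or from the eth2.0-dafny repository) that recomputes committee sizes the way the Phase 0 spec does and classifies a validator count V. The constants SLOTS_PER_EPOCH = 32, MAX_COMMITTEES_PER_SLOT = 64, TARGET_COMMITTEE_SIZE = 128 and MAX_VALIDATORS_PER_COMMITTEE = 2048 are the mainnet Phase 0 values and, like the committee-count and index-splitting formulas, are assumed here rather than taken from the slide.

```python
# Phase 0 mainnet constants (assumed here; only MAX_VALIDATORS_PER_COMMITTEE
# is named on the slide).
SLOTS_PER_EPOCH = 32
MAX_COMMITTEES_PER_SLOT = 64
TARGET_COMMITTEE_SIZE = 128
MAX_VALIDATORS_PER_COMMITTEE = 2048


def committee_count_per_slot(active: int) -> int:
    """Mirrors the spec's get_committee_count_per_slot. The cap at
    MAX_COMMITTEES_PER_SLOT is what stops committees from being split
    further once there are very many active validators."""
    return max(1, min(MAX_COMMITTEES_PER_SLOT,
                      active // SLOTS_PER_EPOCH // TARGET_COMMITTEE_SIZE))


def committee_sizes(active: int) -> list:
    """Sizes of all committees in one epoch. compute_committee takes the
    slice [V*i//count, V*(i+1)//count) of the shuffled indices, so every
    committee has either floor(V/count) or ceil(V/count) members."""
    count = committee_count_per_slot(active) * SLOTS_PER_EPOCH
    return [active * (i + 1) // count - active * i // count
            for i in range(count)]


def classify(active: int) -> str:
    """Can get_attesting_indices index past the aggregation bits
    (length MAX_VALIDATORS_PER_COMMITTEE)?
      'safe': no committee is larger than the bit list
      'some': at least one committee is, so some attestation triggers it
      'all' : every committee is, so every attestation triggers it"""
    sizes = committee_sizes(active)
    if max(sizes) <= MAX_VALIDATORS_PER_COMMITTEE:
        return "safe"
    if min(sizes) <= MAX_VALIDATORS_PER_COMMITTEE:
        return "some"
    return "all"


# The slide's two thresholds, expressed in terms of the constants:
# 64 * 32 committees per epoch, each holding at most 2048 (resp. at least 2049).
SAFE_MAX = MAX_COMMITTEES_PER_SLOT * SLOTS_PER_EPOCH * MAX_VALIDATORS_PER_COMMITTEE
ALL_MIN = MAX_COMMITTEES_PER_SLOT * SLOTS_PER_EPOCH * (MAX_VALIDATORS_PER_COMMITTEE + 1)

if __name__ == "__main__":
    for v in (1_000, SAFE_MAX, SAFE_MAX + 1, ALL_MIN - 1, ALL_MIN):
        print(f"V={v:>9,}: {classify(v)}")
```
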
  28. Slide 42: Detailed Analysis

  29. Slide 43: Limitations, Assumptions & Simplifications

  30. Slide 44: Limitations, Assumptions and Simplifications
     Simplifications
     • ForkChoice
       ▪ Dafny data types
       ▪ deposit is 1 ETH/validator
     • Known environment bounds assumed
       ▪ Finite amount of ETH
       ▪ Max number of validators
     Limitations
     • Abstract hash function
     • SSZ
       ▪ generic types
       ▪ not used in StateTransition/ForkChoice
     • Randomness
       ▪ not taken into account
     Assumptions
     • Trust base: Dafny + Z3
     • Python -> Dafny preserves semantics

  31. Slide 45: Verification Effort & Impact

  32. Slide 46: Verification Effort
     • 24 person-months
     • Among the top 5 Dafny projects
     • Ethereum Foundation support: dedicated contact point
     • Reading group: Gasper, advanced verification, Dafny
     • Formal verification: Dafny coding sessions + background theory

  33. Slide 48: Bug/Discussion Reports

  34. Slide 49: Key Takeaways
     • Verifier PL: Dafny
     • Eth2 specs verified: 85%
     • Eth2.0 bug reports/fixes: 20
     • Dafny bug reports: 5
     • Lines of code: 9000+
     • Lines of documentation: 4800+
     • Theorems proved: 231
     • Joint effort EF + CSI

  35. Slide 50: Impact
     Foster use of formal methods
     • Blogs & presentations
       ▪ Blog: Formally Verifying Eth2.0 Specs
       ▪ Blog: Coding Journey to Dafny Evangelist
       ▪ Ethereum Engineering Meet-up talk
       ▪ R&D week: Formal verification of Eth2 BC
     • Paper: Formal Verification of Eth2.0
     Improve software reliability
     • Formally verified SSZ/Merkle/ForkChoice
     • Proofs machine-checkable
     • Specs
       ▪ language-agnostic
       ▪ candidate reference spec
     • Embedded documentation

  36. Slide 51: Conclusion
     Resources
     • EF spec writers team: ~8
     • CSI spec verification team: ~2
       ▪ Absence of runtime errors
       ▪ Extracting functional specs
       ▪ Proving consistency
     • Dafny adoption
       ▪ EF Eth2.0 spec writers – 4 sessions
     Main roadblocks
     • Eth2.0 specs
       ▪ Unstructured
       ▪ Imperative/exception ⇔ invalid
       ▪ Duplicate data structures
     • Dafny
       ▪ Limited VSCode support
       ▪ Proof logical complexity/time complexity
     Improving Dafny specs
     • Functional specifications of
       ▪ valid attestations
     • Specs
       ▪ Candidate reference spec
     • Extract embedded documentation

  37. Slide 52: Resources
     Blogs
     • Formally Verifying Eth2.0 Specs (Aug 2020)
     • Coding Journey to Dafny Evangelist (December 2020)
     Code
     • Eth2.0 Specs in Dafny
     • Deposit Smart Contract in Dafny
     • Dafny coding sessions
     • https://arxiv.org/abs/2110.12909