Rostislav Yavorskiy, PhD Head of Research at Exactpro VERIFICATION OF SMART CONTRACTS ON THE ETHEREUM BLOCKCHAIN Lecture #1 Formal verification of software 06 April 2022

The course schedule Wed, 06 Apr - Lecture 1. Formal verification of software Fri, 08 Apr - Lecture 2. Decentralized finance on Ethereum Mon, 11 Apr - Seminar 1. Microsoft z3 practice Tue, 12 Apr - Seminar 2. Smart contracts with Solidity Mon, 18 Apr - Lecture 3. Verification of Solidity contracts Tue, 19 Apr - Seminar 3. Smart contract verification practice. Thu, 21 Apr - Closing session. Homework results, certificates, pizza&cola

The course schedule Wed, 06 Apr - Lecture 1. Formal verification of software Fri, 08 Apr - Lecture 2. Decentralized finance on Ethereum Mon, 11 Apr - Seminar 1. Microsoft z3 practice Tue, 12 Apr - Seminar 2. Smart contracts with Solidity Mon, 18 Apr - Lecture 3. Verification of Solidity contracts Tue, 19 Apr - Seminar 3. Smart contract verification practice. Thu, 21 Apr - Closing session. Homework results, certificates, pizza&cola

Plan 1. Formal proofs, axioms and rules of inference 2. Hoare logic, preconditions, postconditions 3. Formal verification of safety critical systems 4. Automated proofs with Microsoft Z3 theorem prover Homework: theory test, Z3 basics 4

5 https://www.q-files.com/ https://cars.usnews.com/

6 https://www.q-files.com/ axiomatic method (proof engine)

Reasoning about Infinity

Example How to ensure that (x + 1)(x - 1) = x2 - 1 Test# x (x + 1)(x - 1) x2 - 1 (x + 1)(x - 1) = x2 - 1 1 0 -1 -1 True 2 1 0 0 True 3 -5 24 24 True 4 259 67080 67080 True 5 -324 104975 104975 True … … … … … 8 Note: billions of tests cannot guarantee 100% correctness

Axiomatic method 1. A(B+C) = AB + AC for all A, B, C - the distributive property 2. AB = BA, A+B=B+A for all A, B - the commutative property 3. A=B and B=C implies A=C for all A, B, C - the transitivity axiom 4. A=B and C=D implies A+C=B+D for all A, B, C, D 5. 1A = A, 0A = 0, A+0 = A, A-A=0 for any A 6. (x + 1)(x - 1) = x(x - 1) + 1(x - 1) - follows from 1, 2 7. x(x - 1) = x2 - x - follows from 1 8. x(x - 1) + 1(x - 1) = x2 - x + x - 1 - follows from 4, 5, 6 9. (x + 1)(x - 1) = x2 - 1 - follows from 3, 5, 6, 8 9

Axiomatic method 1. A(B+C) = AB + AC for all A, B, C - the distributive property 2. AB = BA, A+B=B+A for all A, B - the commutative property 3. A=B and B=C implies A=C for all A, B, C - the transitivity axiom 4. A=B and C=D implies A+C=B+D for all A, B, C, D 5. 1A = A, 0A = 0, A+0 = A, A-A=0 for any A 6. (x + 1)(x - 1) = x(x - 1) + 1(x - 1) - follows from 1, 2 7. x(x - 1) = x2 - x - follows from 1 8. x(x - 1) + 1(x - 1) = x2 - x + x - 1 - follows from 4, 5, 6 9. (x + 1)(x - 1) = x2 - 1 - follows from 3, 5, 6, 8 10 domain axioms truisms postulates basic rules

1. A(B+C) = AB + AC for all A, B, C - the distributive property 2. AB = BA, A+B=B+A for all A, B - the commutative property 3. A=B and B=C implies A=C for all A, B, C - the transitivity axiom 4. A=B and C=D implies A+C=B+D for all A, B, C, D 5. 1A = A, 0A = 0, A+0 = A, A-A=0 for any A 6. (x + 1)(x - 1) = x(x - 1) + 1(x - 1) - follows from 1, 2 7. x(x - 1) = x2 - x - follows from 1 8. x(x - 1) + 1(x - 1) = x2 - x + x - 1 - follows from 4, 5, 6, 7 9. (x + 1)(x - 1) = x2 - 1 - follows from 3, 5, 6, 8 Axiomatic method 11 theorems conclusions statements assertions claims

Pros and Contras 12 Testing (by executing) Formal Verification Simple and straightforward Laborious and difficult Teachable and accessible Knowledgeable and competent Always applicable Domain formalization is necessary Never complete Convincing and complete Hardly reusable Prove once, use forever SUT a b c

Pros and Contras 13 Testing (by executing) Formal Verification Simple and straightforward Laborious and difficult Teachable and accessible Knowledgeable and competent Always applicable Domain formalization is necessary Never complete Convincing and complete Hardly reusable Prove once, use forever SUT a b c

Pros and Contras 14 Testing (by executing) Formal Verification Simple and straightforward Laborious and difficult Teachable and accessible Knowledgeable and competent Always applicable Domain formalization is necessary Never complete Convincing and complete Hardly reusable Prove once, use forever SUT a b c

Reasoning about Software

Axiomatic method 1. A(B+C) = AB + AC for all A, B, C - the distributive property 2. AB = BA, A+B=B+A for all A, B - the commutative property 3. A=B and B=C implies A=C for all A, B, C - the transitivity axiom 4. A=B and C=D implies A+C=B+D for all A, B, C, D 5. 1A = A, 0A = 0, A+0 = A, A-A=0 for any A 6. (x + 1)(x - 1) = x(x - 1) + 1(x - 1) - follows from 1, 2 7. x(x - 1) = x2 - x - follows from 1 8. x(x - 1) + 1(x - 1) = x2 - x + x - 1 - follows from 4, 5, 6 9. (x + 1)(x - 1) = x2 - 1 - follows from 3, 5, 6, 8 16 domain axioms truisms postulates basic rules theorems conclusions statements assertions claims

Hoare triple 17 A triple describes how the execution of a piece of code changes the state of the computation: precondition postcondition program Meaning: when the precondition is met, executing the command establishes the postcondition

Hoare logic for programming languages 18

Hoare logic for programming languages 19 Looks like a good topic for PhD...

Tony Hoare 20 British computer scientist who has made foundational contributions to ● programming languages, ● algorithms, ● operating systems, ● formal verification, and ● concurrent computing Worked at the University of Oxford and Microsoft Research in Cambridge Born 11 January 1934 in Colombo, his mother was the daughter of a tea planter

Safety critical systems 21

Examples of safety-critical systems ● Emergency services dispatch systems ● Electricity generation, transmission and distribution ● Heart-lung machines ● Mechanical ventilation systems ● Infusion pumps and Insulin pumps ● Radiation therapy machines ● Robotic surgery machines ● Pacemaker devices ● Railway signalling and control systems ● Platform detection to control train doors ● Automatic train stop 22 ● Airbag systems ● Braking systems ● Power steering systems ● Advanced driver-assistance systems ● Electronic throttle control ● Battery management system for hybrids and electric vehicles ● Electric park brake ● Air traffic control systems ● Avionics, fly-by-wire systems ● Engine control systems ● Aircrew life support systems ● Nuclear reactor control systems

Formal verification is the act of proving or disproving the correctness of intended algorithms underlying a system with respect to a certain formal specification or property, using formal methods of mathematics 23

What contributes to the product quality ● Enterprise factors ○ Organizational structure and business process ● Good specification ○ Precise and complete ○ Validated by the stakeholders ● Professional team ○ Educated, experienced, well-coordinated ● Functional testing ○ Test plan ○ Manual and automated tests ○ Formal verification ● Non-functional testing ● Support 24

Formal Verification Benchmarks ● 2004 - Intel, parameterized verification of cache-coherent protocol ● 2005 - CompCert, a formally verified optimizing compiler for a large subset of the C99 programming language ● 2011 - several operating systems have been formally verified ● 2016 - CertiKOS, a formal verification protocol for blockchain ● 2017 - formal verification has been applied to the design of large computer networks ● Formal verification is used by most of leading hardware companies 25

Microsoft Z3 theorem prover Satisfiability Modulo Theories (SMT) Solver

27 ● Computer algebra systems (arithmetic, calculus etc.) ○ https://www.cymath.com/practice/algebra-inequalities ○ https://quickmath.com/ ● SAT solvers (boolean logic) - see overview here ○ https://msoos.github.io/cryptominisat_web/ ○ http://logicrunch.it.uu.se:4096/~wv/minisat/ ● SMT solvers (boolean logic + arithmetic etc.) Three types of solvers

28 ● Z3 is an SMT solver, which supports the SMTLIB format ● One can run Z3 in browser ● See Q&A at StackOverflow ● Use from Python https://github.com/Z3Prover/z3 Z3

Awards: ● “The most influential tool paper in the first 20 years of TACAS” (> 3500 citations) ● Programming Languages Software Award from ACM SIGPLAN Ships with many popular systems ● Isabelle, Pex, SAGE, SLAM/SDV, Visual Studio, … Solved more than 5 billion constraints created by SAGE when checking Win8/Office Leonardo de Moura, Microsoft Research, 19 July 2017 Z3 impact

30 https://compsys-tools.ens-lyon.fr/z3

31 https://compsys-tools.ens-lyon.fr/z3 a, b, c are integer variables (a > 0) & (b > 0) & (c > 0) & (a2 + b2 = c2) Check if exist values a, b, c which satisfy the constraint. If yes, provide a solution

Home assignment

Deadline: Friday, 15 April 2022 ● Theory test https://forms.gle/Fz7GDqsTgfvfxEj76 ● Check in Z3 if for any integer x and y the following holds, or provide a counterexample: (x + y > -5) and (x - y < 5) → (2x - y < 15) or (x + 3y > 7) 33

Questions? Thank you! 34