Add page on formal verification for smart contracts

[emmanuel-awosika]

This page offers a high-level introduction to the concept of formal verification of Ethereum smart contracts.

Preview deploy:
https://ethereumorgwebsitedev01-emmanuelawosikaethereumor06662.gtsb.io/en/developers/docs/smart-contracts/formal-verification

Description

@samajammin asked for contributions to a new documentation page on formal verification for smart contracts, so I put together a high-level introduction on the topic. The guide explains what formal verification means, how it works, and tools developers can use to conduct formal verification for Ethereum smart contracts.

Related Issue

#6194

[gatsby-cloud]

Gatsby Cloud Build Report

ethereum-org-website-dev

🎉 Your build was successful! See the Deploy preview here.

Build Details

View the build logs here.

🕐 Build time: 13m

[samajammin]

FYI I edited the PR description to link to the corresponding issue (#6194).

[emmanuel-awosika]

FYI I edited the PR description to link to the corresponding issue (#6194).

Oh, I thought they were separate pages?

[samajammin]

I'd say we could just remove this header. Many of our docs pages jump straight into the intro, e.g.

• https://ethereum.org/en/developers/docs/smart-contracts/languages/
• https://ethereum.org/en/developers/docs/smart-contracts/anatomy/
• https://ethereum.org/en/developers/docs/smart-contracts/libraries/

[samajammin]

@emmanuel-awosika haven't been able to review this in detail yet but at first glance it looks like a great start! I'll share this around with some folks to get some eyes & input on it. Thanks again!

FYI I just pushed a couple commits to rename the file (index.md in a directory is our typical pattern) & added the page to the docs navigation.

[samajammin]

Specifications are properties or used to

This sentence doesn't make sense to me. Should it be "Specifications are properties used to", or something else?

[emmanuel-awosika]

It's a typo. The sentence should read "specifications are properties used to...". I'll edit the content to fix it.

[wackerow]

@emmanuel-awosika This is something I am not well versed in, so I would love to get some more eyes on it, but overall I felt like this read well and made sense to read through.
Left just a couple small notes/adjustments, but overall 👍 from me =)

[wackerow]

Curious, would this have helped if the contract was formally verified?

[emmanuel-awosika]

The consensus is that formal verification can help detect unintended code executions in smart contracts, so formal verification would probably have helped in the Parity case. More to the point, the Parity hack was mentioned in a couple of academic research and articles on formal verification, so I thought it'd be a good addition.

[leonardoalt]

Formal verification involves testing a program

This part isn't really precise, since FV is not about testing. I would actually recommend removing this line completely, since line 16 below already introduces FV well.

[emmanuel-awosika]

Thanks for pointing it out. I mixed up testing contracts (to check results) and evaluating contracts to see if they satisfy specific criteria (which is what I believe FV does). I'm working on rewriting certain page of the page to remove the inaccuracy.

[leonardoalt]

This is not 100% precise. There are also several tools that apply symbolic execution and model checking to EVM verification, which are FV techniques.

[emmanuel-awosika]

Yeah. I did a bit more research and found some more FV techniques (e.g., symbolic execution, model checking, and theorem proving), which are not mentioned in the page. I'll add those details while reworking the page, though.

[leonardoalt]

Not precise, FV doesn't use tests. It mathematically abstracts the software behavior in a way that specialized procedures can guarantee correctness for every possible input case, without having to exhaustively go through each one of them.

[emmanuel-awosika]

Just figured this out, too, after reading your comment and researching existing literature. I'll add this to the page while editing. Your comment may also be useful in highlighting the difference between FV and regular testing (i.e., that regular testing can only cover a small number of input cases).

[emmanuel-awosika]

Hey @leonardoalt and @corwintines, I made a couple of substantial changes to the page on formal verification for Ethereum contracts. Feedback on the new version would be great. Also, @leonardoalt, I tried to rework the tools section a bit; I'm not totally familiar with them, so if any inputs you have on how to structure that section is welcome.

[emmanuel-awosika]

@leonardoalt, @corwintines; here are a couple more things I wanted to note:

• Do I create a different section for logical frameworks (e.g., Isabelle/HOL and Coq) used in theorem proving? I'm not totally sure of the appropriate category here. I understand these are used as part of a larger verification framework, but I'm still trying to wrap my head around them--so your expert input would be welcome here.

Another suggestion for the above problem would be to create a section for theorem provers and place them together. Open to your thoughts on this.

• Some tools, especially the ones based on symbolic execution (e.g., Manticore, Mythril, etc.), also feature on the smart contract testing page. Is it okay to leave them there, or do we separate them to avoid confusion?

• The testing page also has a section for formal verification (this was when I thought the two were similar). What do you think about taking it out? (Since we clearly say FV is not testing on this page).

• I added some academic papers to provide more context on formal verification since the articles gloss over many details. Open to suggestions on leaving this in or taking it out.

[leonardoalt]

Hi @emmanuel-awosika

Another suggestion for the above problem would be to create a section for theorem provers and place them together.

I think they do belong in a different section, since they're not really specific tools used for smart contracts, but may be used for it too.

Some tools, especially the ones based on symbolic execution

IMO it's fine to leave them there too. Although I don't find Manticore that useful for quick testing as Mythril/hevm/fuzzers. But that's just my personal opinion.

What do you think about taking it out? (Since we clearly say FV is not testing on this page).

It could make sense to say it exists and point to this new page for details, without giving details there.

I added some academic papers to provide more context on formal verification since the articles gloss over many details.

I think I wouldn't add them. It's just too broad to be able to do justice to all relevant papers, plus even in FV of smart contracts alone there's too many papers.

[leonardoalt]

This repo hasn't been updated in 4 years, so might be a bit misleading.

[leonardoalt]

Maybe worth adding https://runtimeverification.com/blog/end-to-end-formal-verification-of-ethereum-2-0-deposit-smart-contract/ as well?

[emmanuel-awosika]

Added this too.

[leonardoalt]

I'd remove Oyente and Securify.

[emmanuel-awosika]

Removed them now.

[leonardoalt]

Echidna and Harvey are fuzzers, so maybe it'd make sense to have a fuzzers section even though this is an FV page? Or maybe move that to the testing page actually?

[emmanuel-awosika]

That makes sense. I took them out now.

[leonardoalt]

I think hevm fits the symbolic execution section better.

[emmanuel-awosika]

Hi @leonardoalt. Based on your feedback, I made the following changes:

• Added a new section for theorem proving tools
• Removed Yoichi's GitHub repo and section on academic papers
• Removed fuzzers from tooling section (they're on the testing on the page already)
• Opened a new PR to tweak the formal verification section on the smart contract testing page

Let me know if there's any other change you want to see.

[minimalsm]

Reminder that we should link to this page on the testing smart contracts page once this PR is ready.

[corwintines]

Reminder that we should link to this page on the testing smart contracts page once this PR is ready.

@emmanuel-awosika @minimalsm brought in this link

[corwintines]

This looks great. Thanks, @emmanuel-awosika, great work! I left one nitpick that isn't a blocker. I pinged @leonardoalt to see if they want to do one last pass, but I approve this PR :)

[emmanuel-awosika]

Reminder that we should link to this page on the testing smart contracts page once this PR is ready.

@emmanuel-awosika @minimalsm brought in this link

Oh, yeah, I'd forgotten @samajammin added the file to the docs nav. Thanks for adding it.

[leonardoalt]

This looks great. Thanks, @emmanuel-awosika, great work! I left one nitpick that isn't a blocker. I pinged @leonardoalt to see if they want to do one last pass, but I approve this PR :)

Looks great!