Impact of inductive checkpoint structure on solver performance

Determine whether the inductive structure of justified and finalized checkpoints in the 3-Slot-Finality (3SF) protocol specification is the principal cause of the observed difficulty for SAT and SMT solvers when analyzing the specification, and characterize the specific mechanism by which reasoning over chains of checkpoints layered on chains of blocks degrades solver performance.

Background

The paper develops TLA, SMT, and Alloy specifications of the Ethereum 3-Slot-Finality (3SF) protocol and undertakes automated verification of the AccountableSafety property. While Alloy combined with the Kissat SAT solver verifies small configurations efficiently, attempts to scale to larger configurations (e.g., 7 blocks) lead to prolonged runs and timeouts.

In discussing these scalability limits, the authors explicitly conjecture that the inductive nature of the definitions of justified and finalized checkpoints, which require reasoning about chains of checkpoints on top of chains of blocks, is what makes the problem challenging for both SAT and SMT solvers. This conjecture points to an unresolved question about the source and structure of verification complexity in the 3SF specification.

References

We conjecture that the inductive structure of justified and finalized checkpoints makes it challenging for the solvers (both SAT and SMT) to analyze the specification. Essentially, the solvers have to reason about chains of checkpoints on top of chains of blocks.

Technical Report: Exploring Automatic Model-Checking of the Ethereum specification (2501.07958, Konnov et al., 14 Jan 2025), Section 6.2, Model Checking Results