- The paper introduces a verified extraction pipeline that translates smart contracts written in Coq into functional smart contract languages, so that the properties proved in Coq carry over to the deployed code.
- It integrates property-based testing with QuickChick so that executable specifications can be checked for counterexamples before proof effort is spent.
- Case studies on a boardroom voting contract and an escrow contract exercise the whole pipeline: testing, proof, and extraction to a deployable language.
Overview of "Extracting Smart Contracts Tested and Verified in Coq"
The paper "Extracting Smart Contracts Tested and Verified in Coq" presents an end-to-end approach to developing and verifying smart contracts in the Coq proof assistant. The methodology combines formal verification with property-based testing and ends with the extraction of verified contracts into functional languages that can be deployed on blockchain platforms. The work builds on the ConCert framework for Coq and is designed to keep the trusted computing base small: the extraction step relies on MetaCoq's certified erasure rather than on an unverified translation.
Key Contributions
- Verified Extraction Framework: The core contribution is a framework for extracting smart contracts written in Coq to functional languages, built on MetaCoq's certified erasure. Erasure removes proofs and type annotations (the non-computational parts of a Coq definition) and is itself proved to preserve the behaviour of the program, so the properties established in Coq carry over to the extracted code. Further passes then clean up the result: deboxing removes the placeholder "boxes" that erasure leaves behind, and unused argument elimination drops parameters that the computation never reads.
- Smart Contract Languages and Pretty-Printing: Extraction targets functional smart contract languages such as Liquidity (Tezos) and Midlang (Concordium); because Midlang is a fork of Elm, the same pretty-printer also serves Elm. These languages are more restrictive than general-purpose functional languages, for instance in the forms of recursion they allow and in how types can be converted, and the paper addresses the resulting translation challenges.
- Integration with QuickChick: Integrating QuickChick into the framework enables property-based testing inside Coq. Contract specifications are executable, so random testing can search for counterexamples cheaply, before any proof effort is spent; the framework supports testing interacting contracts across execution traces, not only single calls. Properties that survive testing are then proved in Coq.
- Case Studies: The paper implements two verified smart contracts, a boardroom voting protocol and an escrow contract, showcasing the developed tools and methodology. The examples show that the approach handles non-trivial contract logic and demonstrate both rigorous Coq proofs and property-based testing on the same specifications.
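The test-then-prove workflow described above, on a deliberately tiny example. This is an added illustration, not code from the paper or from ConCert: it uses plain Coq with the QuickChick plugin (opam package coq-quickchick) and a toy counter "contract" whose state is a single nat. The names `Msg`, `receive_buggy`, `receive` and `conserved` are all hypothetical. The buggy version drops the balance check and relies on truncating nat subtraction, which the executable specification catches at test time; the fixed version passes testing and is then proved for all inputs.

```coq
(* Added example, not from the paper or ConCert.
   Assumes Coq with the QuickChick plugin installed. *)
From Coq Require Import Arith Lia.
From QuickChick Require Import QuickChick.

(* Toy contract: state is a balance (nat); messages add or remove funds. *)
Inductive Msg :=
| Incr (n : nat)
| Decr (n : nat).

(* Random generation, shrinking and printing for messages. *)
Derive (Arbitrary, Show) for Msg.

(* Buggy receive: no balance check, so nat subtraction silently truncates. *)
Definition receive_buggy (st : nat) (m : Msg) : option nat :=
  match m with
  | Incr n => Some (st + n)
  | Decr n => Some (st - n)
  end.

(* Fixed receive: a withdrawal larger than the balance is rejected. *)
Definition receive (st : nat) (m : Msg) : option nat :=
  match m with
  | Incr n => Some (st + n)
  | Decr n => if n <=? st then Some (st - n) else None
  end.

(* Executable specification: whenever a call succeeds, funds are conserved.
   Rejected calls (None) trivially satisfy the property. *)
Definition conserved (recv : nat -> Msg -> option nat)
                     (st : nat) (m : Msg) : bool :=
  match recv st m, m with
  | Some st', Incr n => st' =? st + n
  | Some st', Decr n => st' + n =? st
  | None, _ => true
  end.

Definition prop_buggy (st : nat) (m : Msg) : bool := conserved receive_buggy st m.
Definition prop_fixed (st : nat) (m : Msg) : bool := conserved receive st m.

(* Testing: QuickChick reports a counterexample for the buggy version
   (any state with a Decr larger than the balance) and passes the fixed one. *)
QuickChick prop_buggy.
QuickChick prop_fixed.

(* Verification: the tested property is then proved for all inputs. *)
Theorem receive_conserved : forall st m, conserved receive st m = true.
Proof.
  intros st [n|n]; unfold conserved, receive; simpl.
  - apply Nat.eqb_refl.
  - destruct (n <=? st) eqn:H; simpl.
    + apply Nat.leb_le in H. apply Nat.eqb_eq. lia.
    + reflexivity.
Qed.
```

The point of the ordering is cost: the `QuickChick` commands take seconds and pinpoint the underflow with a concrete state and message, whereas a proof attempt on `receive_buggy` would simply get stuck in the `Decr` case. Only the property that survives testing is worth the proof, and it is that proved definition, not the test, that the extraction pipeline carries to the target language.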
Practical and Theoretical Implications
- Practical Relevance: Extracting verified contracts from Coq into languages that blockchains actually run gives a concrete path from a formal development to a deployed artefact. This matters most for financial contracts, where a deployed bug is typically irreversible and where correctness of the code, not of a separate model of it, is what counts.
- Theoretical Considerations: The approach rests on dependent type theory to state and prove contract properties, followed by certified erasure so that those guarantees are not lost in translation to the target language. The same design can be extended to further functional targets, contributing to the broader programme of verified software development.
Future Developments
The paper identifies several directions for future work, including supporting more functional smart contract languages and adding further optimisations on the extracted code. It also notes the potential of integrating high-performance cryptographic libraries with the extracted contracts, which would widen the use of certified contracts in high-stakes settings.
In conclusion, the work presents a complete methodology for constructing, testing, verifying and deploying smart contracts, bridging the gap between formal verification in Coq and practical deployment on blockchains. Its contributions set the stage for further advances in secure and reliable smart contract execution.