Finding smart contract vulnerabilities with ConCert's property-based testing framework

AI-generated keywords: Smart Contracts Property-Based Testing ConCert Coq Formal Verification Security

AI-generated Key Points

  • The paper presents an approach to testing and verifying smart contracts using the ConCert Coq framework.
  • The authors provide three case studies of vulnerabilities in smart contracts that could have led to millions of dollars stolen or frozen.
  • Property-based testing would have found these vulnerabilities and also discovered new bugs.
  • The approach is not limited to specific examples but can be applied more broadly to real-world contracts, including reference implementations of popular token standards like ERC-20 and FA2 Token Standards used across multiple blockchains.
  • By combining auditing, testing, and verification techniques, they provide a toolchain for producing executable code for smart contracts that are tested and verified.
  • The ConCert framework provides a general executable model/specification of smart contract execution in the Coq proof assistant.
  • ConCert contracts can be used to generate verified smart contracts in Tezos' LIGO and Concordium's Rust language.
  • Formal verification and property-based testing of smart contracts is starting to be recognized by the industry as important for improving security in blockchain technology.
Also access our AI generated: Comprehensive summary, Lay summary, Blog-like article; or ask questions about this paper to our AI assistant.

Authors: Mikkel Milo, Eske Hoy Nielsen, Danil Annenkov, Bas Spitters

FMBC: Formal Methods for Blockchains, 2022
License: CC BY 4.0

Abstract: We provide three detailed case studies of vulnerabilities in smart contracts, and show how property-based testing would have found them: 1. the Dexter1 token exchange; 2. the iToken; 3. the ICO of Brave's BAT token. The last example is, in fact, new, and was missed in the auditing process. We have implemented this testing in ConCert, a general executable model/specification of smart contract execution in the Coq proof assistant. ConCert contracts can be used to generate verified smart contracts in Tezos' LIGO and Concordium's rust language. We thus show the effectiveness of combining formal verification and property-based testing of smart contracts.

Submitted to arXiv on 01 Aug. 2022

Ask questions about this paper to our AI assistant

You can also chat with multiple papers at once here.

AI assistant instructions?

Results of the summarizing process for the arXiv paper: 2208.00758v1

In their paper, "Finding smart contract vulnerabilities with ConCert's property-based testing framework," Mikkel Milo, Eske Hoy Nielsen, Danil Annenkov, and Bas Spitters present a comprehensive approach to testing and verifying smart contracts using the ConCert Coq framework. The authors demonstrate the effectiveness of their approach by providing three detailed case studies of vulnerabilities in smart contracts: the Dexter1 token exchange, the iToken, and the ICO of Brave's BAT token. They show how property-based testing would have found these vulnerabilities and also discovered new bugs that could have led to millions of dollars stolen or frozen. The authors emphasize that their approach is not limited to these specific examples but can be applied more broadly to real-world contracts. They mention re-discovering several bugs in real-world contracts such as the $50 million "DAO attack" on Ethereum and tested reference implementations of ERC-20 and FA2 Token Standards used in several blockchains. By combining auditing, testing, and verification techniques, they provide a toolchain for producing executable code for smart contracts that are tested and verified. The ConCert framework provides a general executable model/specification of smart contract execution in the Coq proof assistant. ConCert contracts can be used to generate verified smart contracts in Tezos' LIGO and Concordium's Rust language. The authors highlight the importance of combining formal verification and property-based testing of smart contracts which is starting to be recognized by the industry. Overall, this paper presents an innovative approach for testing and verifying smart contracts that has significant implications for improving security in blockchain technology. It combines auditing techniques with formal verification methods to create a toolchain for generating secure executable code for various types of blockchain applications. This approach has already been proven effective at finding bugs in existing real-world projects such as Ethereum's DAO attack as well as reference implementations of popular token standards like ERC-20 and FA2 Token Standards used across multiple blockchains. As recognition from industry professionals continues to grow regarding the importance of combining formal verification with property-based testing when developing secure blockchain applications, this paper serves as an important resource for understanding best practices when it comes to ensuring safety within this rapidly evolving space.
Created on 18 May. 2023

Assess the quality of the AI-generated content by voting

Score: 0

Why do we need votes?

Votes are used to determine whether we need to re-run our summarizing tools. If the count reaches -10, our tools can be restarted.

The previous summary was created more than a year ago and can be re-run (if necessary) by clicking on the Run button below.

Similar papers summarized with our AI tools

Navigate through even more similar papers through a

tree representation

Look for similar papers (in beta version)

By clicking on the button above, our algorithm will scan all papers in our database to find the closest based on the contents of the full papers and not just on metadata. Please note that it only works for papers that we have generated summaries for and you can rerun it from time to time to get a more accurate result while our database grows.

Disclaimer: The AI-based summarization tool and virtual assistant provided on this website may not always provide accurate and complete summaries or responses. We encourage you to carefully review and evaluate the generated content to ensure its quality and relevance to your needs.