Formal Verification of Blockchain Byzantine Fault Tolerance

To implement a blockchain, the trend is now to integrate a non-trivial Byzantine fault tolerant consensus algorithm instead of the seminal idea of waiting to receive blocks to decide upon the longest branch. After a decade of existence, blockchains now trade large amounts of valuable assets, and a simple disagreement could lead to disastrous losses. Unfortunately, Byzantine consensus solutions used in blockchains are at best proved correct "by hand", as we are not aware of any of them having been formally verified. In this paper, we propose two contributions: (i) we illustrate the severity of the problem by listing six vulnerabilities of blockchain consensus including two new counter-examples; (ii) we then formally verify two Byzantine fault tolerant components of Red Belly Blockchain using the ByMC model checker. First, we specify a simple broadcast primitive in 116 lines of code that is verified in 40 seconds on a 2-core Intel machine. Then, we specify a blockchain consensus algorithm in 276 lines of code that is verified in 17 minutes on a 64-core AMD machine using MPI. To conclude, we argue that it has now become both relatively simple and crucial to formally verify the correctness of blockchain consensus protocols.
