Table of Contents
Fetching ...

Accessible Smart Contracts Verification: Synthesizing Formal Models with Tamed LLMs

Jan Corazza, Ivan Gavran, Gabriela Moreira, Daniel Neider

TL;DR

This work addresses the high cost of applying formal verification to smart contracts by automating formal-model synthesis from CosmWasm contracts into Quint models. It introduces a three-phase pipeline: mechanical Rust-to-Quint transpilation to create stable stubs, LLM-based completion guided by NL descriptions and IO examples, and iterative repair to eliminate static, runtime, and semantic errors within a bounded prompt budget. Evaluations on the CosmWasm Capture the Flag benchmark and a Privileged subDAO case study show the approach can generate correct Quint components and uncover real bugs, demonstrating improved accessibility and efficiency for audits. The results indicate that combining mechanical generation with targeted LLM guidance yields practical, auditable artifacts that can reduce time-to-value for formal verification in blockchain software, while highlighting areas for future improvement such as inter-contract messaging handling and NL prompt effectiveness.

Abstract

When blockchain systems are said to be trustless, what this really means is that all the trust is put into software. Thus, there are strong incentives to ensure blockchain software is correct -- vulnerabilities here cost millions and break businesses. One of the most powerful ways of establishing software correctness is by using formal methods. Approaches based on formal methods, however, induce a significant overhead in terms of time and expertise required to successfully employ them. Our work addresses this critical disadvantage by automating the creation of a formal model -- a mathematical abstraction of the software system -- which is often a core task when employing formal methods. We perform model synthesis in three phases: we first transpile the code into model stubs; then we "fill in the blanks" using a large language model (LLM); finally, we iteratively repair the generated model, on both syntactical and semantical level. In this way, we significantly reduce the amount of time necessary to create formal models and increase accessibility of valuable software verification methods that rely on them. The practical context of our work was reducing the time-to-value of using formal models for correctness audits of smart contracts.

Accessible Smart Contracts Verification: Synthesizing Formal Models with Tamed LLMs

TL;DR

This work addresses the high cost of applying formal verification to smart contracts by automating formal-model synthesis from CosmWasm contracts into Quint models. It introduces a three-phase pipeline: mechanical Rust-to-Quint transpilation to create stable stubs, LLM-based completion guided by NL descriptions and IO examples, and iterative repair to eliminate static, runtime, and semantic errors within a bounded prompt budget. Evaluations on the CosmWasm Capture the Flag benchmark and a Privileged subDAO case study show the approach can generate correct Quint components and uncover real bugs, demonstrating improved accessibility and efficiency for audits. The results indicate that combining mechanical generation with targeted LLM guidance yields practical, auditable artifacts that can reduce time-to-value for formal verification in blockchain software, while highlighting areas for future improvement such as inter-contract messaging handling and NL prompt effectiveness.

Abstract

When blockchain systems are said to be trustless, what this really means is that all the trust is put into software. Thus, there are strong incentives to ensure blockchain software is correct -- vulnerabilities here cost millions and break businesses. One of the most powerful ways of establishing software correctness is by using formal methods. Approaches based on formal methods, however, induce a significant overhead in terms of time and expertise required to successfully employ them. Our work addresses this critical disadvantage by automating the creation of a formal model -- a mathematical abstraction of the software system -- which is often a core task when employing formal methods. We perform model synthesis in three phases: we first transpile the code into model stubs; then we "fill in the blanks" using a large language model (LLM); finally, we iteratively repair the generated model, on both syntactical and semantical level. In this way, we significantly reduce the amount of time necessary to create formal models and increase accessibility of valuable software verification methods that rely on them. The practical context of our work was reducing the time-to-value of using formal models for correctness audits of smart contracts.
Paper Structure (29 sections, 3 figures, 5 tables, 2 algorithms)

This paper contains 29 sections, 3 figures, 5 tables, 2 algorithms.

Figures (3)

  • Figure 1: High-level illustration of the method for generating a Quint model from a CosmWasm contract.
  • Figure 2: Message format illustrating the use of few-shot examples for in-context learning.
  • Figure 3: Example of a stub along with the original Rust code that induced it and the final LLM-generated Quint code. Source: CTF-02.