Smart Contract verification

images
Smart Contract Analysis and Verification

We have formal modeling, analysis, safety, security, validation, and verification expertise. We invented many methods now widely used in the field, including the K-framework and language-independent verification technologies. In addition to working with IOHK and the Ethereum Foundation to formally model and verify intelligent contracts, consensus protocols, programming languages, and virtual machines, we have collaborated with NASA, DARPA, Boeing, Toyota, and DARPA on formalizing and verifying the safety and mission-critical systems.

Packages for investigation and confirmation

We think that our demonstrated proficiency in formal verification and assurance is our core competitive advantage and the main point of differentiation from other security service providers.

Expanded test coverage

We evaluate the test suite for your software to ascertain its coverage, considering both the good and the negative. After that, we'll create fresh test inputs that will boost your coverage and ultimately result in more secure software. Additionally, the new test inputs can very likely expose undesirable behavior that was previously hidden. What's included, then?

  • Initial coverage analysis report (FREE):
  • To reach as close to 100 percent coverage as feasible, we will examine your present coverage performance and discuss how to enhance it.
  • Final analysis of coverage and assessment of new tests:
  • We examine your increased coverage and the new test inputs that made it possible.
  • However, it will be up to you to determine whether the newly covered behaviors are desired or not. In some circumstances, we may have proposed test outputs.

The new exams can reveal conduct that was previously concealed. A more thorough analysis will probably be needed to ascertain if a behavior is acceptable or undesirable. The consumer can conduct this analysis or have RV do it for them.

Symbolic Bytecode Analysis

We check your smart contracts' compiled bytecode for any unexpected actions. We symbolically execute your contract using KEVM to look for unexpected (potentially exploited) behaviors systematically. These behaviors may be caused by flaws discovered in the source code of your contract or peculiarities or defects in the compiler itself, which is why it's critical to examine the bytecode rather than the contract source. In essence, this service reduces the likelihood of unlucky interactions with certain flaws. The way that this service operates is as follows:

  • First, we use our KEVM tool to produce (FREE) all potential symbolic outputs for any inputs from your smart contracts. At the initial meeting, the scope and goals of the analysis are discussed, together with the number of symbolic outputs generated for each contract or function.
  • Then, after carefully examining each symbolic output, we immediately notify any unexpected behavior
  • We go over and collectively analyze the symbolic outputs in the final meeting to ensure they are all we wanted.
Standard Security Audit

The following are included in the code review and security evaluation of the intelligent contract provided by this package:

  • Analyzing common anti-patterns Verify the code's susceptibility to well-known security flaws and attack methods such as transaction reordering, overflows, and reentrancy.
  • Evaluation of software engineering practices: Analyze test coverage and inheritance, spot code smells (refactoring advice), and spot common programming errors.
  • Review of business logic: Find any gaps in the business logic or contradictions between the logic and how it is being implemented.
Detailed Modeling

This package covers all systems, not just smart contracts, and extends to virtual machines, protocols, and programming languages. It includes the following for smart contracts:

  • Formally defining the business logic of the contract will result in a formal model that offers accurate, clear, and thorough documentation. The executable model is used to generate and support "black box testing," It can also be used as a reference implementation.
  • Validate the business logic of the contract's most crucial elements to offer the most robust possible formal assurance that there are no loopholes. Please note that this package does not formally verify the smart contract code.
Official confirmation

Any system can use formal verification, much like formal modeling. This package combines and improves the Traditional Security Review ("Audit") and Formal Modeling tools for smart contracts. It verifies the contract's EVM bytecode against its formal model or specification, removing any potential compiler error worries. Specifically:

  • Refine the high-level formal specification of the contract to the bytecode level to account for the particulars of the underlying EVM.
  • Compare the modified formal specification to the EVM bytecode of the contract. This package contains the best strategies and practices created by the formal methods community and offers the strongest formal guarantee for the accuracy of your system or smart contract.
How smart contracts are analyzed and formally verified

Our staff will carefully review your code line by line, searching for bugs, mistakes, security flaws, and exploits. In addition, we added our bounded model checking tool to this manual review to supplement and improve it. This tool is powered by the K-framework using its symbolic execution capability.

Get to Know You
  • You introduce your business, explore your contract, and specify requirements.
  • RV checks all of the review and verification packages that are available.
  • From beginning to end, RV describes a regular engagement.
Agreement & Package Selection
  • Depending on your demands, you choose the bundle.
  • RV gives the delivery of your engagement an approximate time frame.
  • You provide an initial deposit, and we sign the agreement.
Report and Participation
  • Your code is examined by RV and verified.
  • A preliminary report is drafted by RV, which also summarises the findings.
  • You put code upgrades into practice.
  • The last report is delivered by RV and published (requires client approval)
images