Verification of Bitcoin Script in Agda using Weakest Preconditions for Access Control

TL;DR

This paper presents a formal verification approach for Bitcoin scripts in Agda, focusing on access control properties using weakest preconditions and Hoare triples, demonstrated on standard Bitcoin transaction scripts.

Contribution

It introduces a formal methodology for verifying Bitcoin scripts' access control using weakest preconditions in Agda, bridging the gap between user requirements and formal specifications.

Findings

Formalized operational semantics of Bitcoin scripts in Agda

Developed two methods for deriving human-readable weakest preconditions

Verified correctness of P2PKH and P2MS Bitcoin scripts

Abstract

This paper contributes to the verification of programs written in Bitcoin's smart contract language SCRIPT in the interactive theorem prover Agda. It focuses on the security property of access control for SCRIPT programs that govern the distribution of Bitcoins. It advocates that weakest preconditions in the context of Hoare triples are the appropriate notion for verifying access control. It aims at obtaining human-readable descriptions of weakest preconditions in order to close the validation gap between user requirements and formal specification of smart contracts. As examples for the proposed approach, the paper focuses on two standard SCRIPT programs that govern the distribution of Bitcoins, Pay to Public Key Hash (P2PKH) and Pay to Multisig (P2MS). The paper introduces an operational semantics of the SCRIPT commands used in P2PKH and P2MS, which is formalised in the Agda proof assistant and reasoned about using Hoare triples. Two methodologies for obtaining human-readable descriptions of weakest preconditions are discussed: (1) a step-by-step approach, which works backwards instruction by instruction through a script, sometimes grouping several instructions together; (2) symbolic execution of the code and translation into a nested case distinction, which allows to read off weakest preconditions as the disjunction of conjunctions of conditions along accepting paths. A syntax for equational reasoning with Hoare Triples is defined in order to formalise those approaches in Agda. Keywords and phrases: Blockchain; Cryptocurrency; Bitcoin; Agda; Verification; Hoare logic; Bitcoin script; P2PKH; P2MS; Access control; Weakest precondition; Predicate transformer semantics; Provable correctness; Symbolic execution; Smart contracts