Modeling the DAO Attack in PlusCal
Maurice Herlihy's paper "Blockchains from a distributed computing perspective" explains the DAO attack as follows:
"Figure 1 shows a fragment of a DAO-like contract, illustrating a function that allows an investor to withdraw funds. First, the function extracts the client's address (Line 2), then checks whether the client has enough funds to cover the withdrawal (Line 3). If so, the funds are sent to the client through an external function call (Line 4), and if the transfer is successful, the client's balance is decremented (Line 5).
This code is fatally flawed. In June 2016, someone exploited this function to steal about $50 million funds from the DAO. As noted, the expression in Line 3 is a call to a function in the client's contract. Figure 2 shows the client's code. The client's contract immediately calls withdraw() again (Line 4). This re-entrant call again tests whether the client has enough funds to cover the withdrawal (Line 3), and because withdraw() decrements the balance only after the nested call is complete, the test erroneously passes, and the funds are transferred a second time, then a third, and so on, stopping only when the call stack overflows."
(Of course, that is a very simplified description of the DAO attack. More accurate descriptions are provided here and here.)
Even though the code seems sequential (after all the blockchain serializes everything), it has concurrency problems built in. This was a point made in Herlihy's paper as follows:
"In Ethereum, all contracts are recorded on the blockchain, and the ledger includes those contracts' current states. When a miner constructs a block, it fills that block with smart contracts and executes them one-by-one, where each contract's final state is the next contract's initial state. These contract executions occur in order, so it would appear that there is no need to worry about concurrency."
After showing the DAO vulnerability and the ERC20 token standard vulnerability, the paper says:
"We have seen that the notion that smart contracts do not need a concurrency model because execution is single-threaded is a dangerous illusion. Sergey and Hobor give an excellent survey of pitfalls and common bugs in smart contracts that are disguised versions of familiar concurrency pitfalls and bugs."
Enter TLA+/PlusCal
Since TLA+/PlusCal is a great tool for catching concurrency problems, I thought it would be useful to model this DAO attack in PlusCal. After I got the idea, it took me a short time to model and model-check this in PlusCal. I used procedures in PlusCal (which I don't use often) to match the description of the problem.
TLA+ is all about invariant-based reasoning so I wrote the invariant first. Writing "SafeWithdrawal == (bankBalance=BALANCE /\ malloryBalance=0) \/ (bankBalance=BALANCE-AMOUNT /\ malloryBalance=AMOUNT)" was too tight, because the updates of the balances are not happening atomically. That is how the invariant-based thinking helps us immediately: we can see that the withdrawal is a non-atomic operation, and realize that we should be more careful with the updates.
In the model checking pane, I set BALANCE as 10 and AMOUNT as 10. That is, initially Mallory has 10 coins in her bankBalance, and 0 in her wallet and wants to transfer her bankBalance and sets AMOUNT=10. When I run the model checker, it finds the double withdrawal problem immediately. Mallory's account got to 20 starting from 0! Normally we would expect it to go to 10 (line 27) temporarily, and then her bankBalance to be set to 0 (line 22). But this code managed to do double withdrawal, and the SafeWithdrawal invariant is violated.
The error trace contains 8 steps: Initially BankWithdraw is called, which then calls the MallorySendMoney to complete withdrawal. However, Mallory's SendMoney implementation includes another call to BankWithdraw and the balance check in line 18 passes because bankBalance is not decremented by amount (that comes in line 22). So the second BankWithdraw executes concurrently and Mallory manages to do double (and later triple) withdrawal.
Fixing things
Ok, let's check if we can fix this if we move the bankBalance subtraction before MallorySendMoney.
Of course for that we change SafeWithdrawal to accommodate the new way of updating bankBalance. But it turns out that is still too tight. If I call this with BALANCE=10 and AMOUNT=4, it is OK to have 2 withdrawals concurrently provided that in the final state no new money is produced: Invariant == bankBalance+malloryBalance <= BALANCE. I also model check for progress and write an EndState temporal formula for it: EndState == <>(bankBalance<=BALANCE-AMOUNT /\ bankBalance+malloryBalance=BALANCE). When we model check it, we see that this solves the problem. So it leaves me puzzled, why, when it was this easy, the original BankWithdraw code was not coded this way and was left vulnerable to the attack.
These PlusCal models are available on my Github directory.
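The two orderings discussed above (external call before the debit, and debit before the external call) can be explored exhaustively with a small explicit-state search; this is an added Python example, not the author's PlusCal model. The step labels, the `max_stack` bound and the `malloryBalance <= BALANCE` invariant used for the vulnerable ordering are assumptions of this example; `bankBalance + malloryBalance <= BALANCE` is the Invariant from the text.

```python
from collections import deque

def steps(state, amount, debit_first, max_stack):
    """Yield (label, next_state) for each atomic step from state.
    state = (bankBalance, malloryBalance, stack); the stack's last item runs next."""
    bank, mal, stack = state
    if not stack:
        return
    pc, rest = stack[-1], stack[:-1]
    if pc == "check":        # BankWithdraw: is the balance sufficient?
        if bank < amount:
            yield "check fails", (bank, mal, rest)
        elif debit_first:    # fixed order: debit, then the external call
            yield "check ok", (bank, mal, rest + ("send", "debit"))
        else:                # vulnerable order: external call, then debit
            yield "check ok", (bank, mal, rest + ("debit", "send"))
    elif pc == "debit":
        yield "debit", (bank - amount, mal, rest)
    elif pc == "send":       # MallorySendMoney: credit, then her callback's choice
        yield "credit, return", (bank, mal + amount, rest)
        if len(rest) < max_stack:   # assumed bound standing in for the call-stack limit
            yield "credit, re-enter", (bank, mal + amount, rest + ("check",))

def model_check(balance, amount, debit_first, invariant, max_stack=4):
    """Breadth-first search over all behaviours. Returns (trace, end_states);
    trace is the shortest path to an invariant violation, or None."""
    init = (balance, 0, ("check",))
    seen, queue, ends = {init}, deque([(init, [])]), set()
    while queue:
        state, trace = queue.popleft()
        if not invariant(state[0], state[1]):
            return trace, ends
        if not state[2]:                 # empty stack: the withdrawal has finished
            ends.add(state[:2])
        for label, nxt in steps(state, amount, debit_first, max_stack):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, trace + [label]))
    return None, ends

BALANCE = 10
no_new_money = lambda bank, mal: bank + mal <= BALANCE  # Invariant from the text
no_overdraw = lambda bank, mal: mal <= BALANCE          # assumed invariant for the vulnerable order

vulnerable_trace, _ = model_check(BALANCE, 10, False, no_overdraw)
fixed_trace, fixed_ends = model_check(BALANCE, 4, True, no_new_money)
print(vulnerable_trace, fixed_trace, sorted(fixed_ends))
```

The end states collected for the fixed ordering can be checked against the body of the EndState formula (bankBalance <= BALANCE-AMOUNT and bankBalance+malloryBalance = BALANCE).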
MAD questions
Should we come up with a PlusCal framework to facilitate modeling and model-checking of smart contracts?
I had written about why you should model. Those apply here as well, and here things get even more critical. When money is involved, attackers get smart quickly, and it is easy to have vulnerabilities in concurrent code due to the many corner cases. Let TLA+/PlusCal show you those corner cases and help you design your protocol to achieve correctness guarantees. So if you are writing smart contracts, I think it makes sense to first model-check and verify them. It doesn't take much effort, and it can save you from big problems.
Related links
Here is some previous discussion/context about why I started assigning TLA+/PlusCal modeling projects in distributed systems classes.
There is a vibrant Google Groups forum for TLA+: https://groups.google.com/forum/#!forum/tlaplus
Clicking on label "tla" at the end of the post you can reach all my posts about TLA+