A Formal Semantics of Findel in Coq (Short Paper)
aa r X i v : . [ c s . P L ] S e p Submitted to:FROM 2019 c (cid:13)
Andrei ArusoaieThis work is licensed under theCreative Commons Attribution License.
A Formal Semantics of Findel in Coq (Short Paper)
Andrei Arusoaie
Faculty of Computer Science - UAIC, Ias¸i, Romania [email protected]
We present the first formal semantics of Findel - a DSL for specifying financial derivatives. Thesemantics is encoded in Coq, and we use it to prove properties of several Findel contracts.
Financial derivatives are contracts between two or more parties whose value is based on underlyingfinancial assets (e.g., bonds, comodities, currencies, etc.). Typically, these contracts are expressed usingnatural language on a written document which is authorized by a trusted authority. However, naturallanguage is often ambiguous and lacks precision. To overcome this issue, domain specific languages(DSLs) for expressing precise financial agreements have been developed [2, 3]. Findel [1] is yet anotherDSL in this category, which is restricted to financial derivatives. Findel is designed to be executed onthe Ethereum blockchain platform and thus, it enables the use of smart contracts to facilitate derivativestrading. In [1], the language is advertised as being capable of “expressing the most common derivatives”.A fixed rate currency exchange [1] contract, can be expressed in Findel as follows:
FRCE = ∆ And(Give(Scale(11, One(USD))), Scale(10, One(EUR)))
Each Findel contract has two parties: an issuer and an owner . Let us assume that
Alice is the issuer.If
Bob joins the contract, then
Bob becomes an owner and the contract is now ready for execution.
And , Give , Scale , and
One are called primitives , i.e., the building blocks of Findel contracts.
And specifiesthat its both (sub)contracts
Give(Scale(11, One(USD))) and
Scale(10, One(EUR)) are executedsequentially.
Give swaps the issuer and the owner.
Scale multiplies the value of the contract by aspecified factor. Finally,
One is the only primitive that actually performs a transfer from the issuer to theowner. So,
FRCE specifies that
Bob gives to
Alice
11 dolars and receives 10 euros from
Alice .Findel has an implementation in Solidity, which is available on Github: https://github.com/cryptolu/findel . Findel contracts can be registered inside an Ethereum smart contract and then exe-cuted. Once deployed, a contract cannot be changed and thus, it very important for someone who deploysa contract to make sure that the terms of the involved transactions cannot be violated. For example, it isimportant for
Alice to know that once
Bob joins the contract she receives 11 dollars. Conversely, it isimportant for
Bob to know that
Alice will pay him back 10 euros precisely as specified by the contract.Ideally, a trustworthy organization (e.g., a bank) may want to issue Findel contracts together withproof certificates to ensure that both the issuer and the owner have certain rights and obligations.
Contributions.
We take the challenge to prove and certify properties about Findel contracts. Toachieve that, we formally define the semantics of Findel primitives in Coq. We add to our semanticsseveral components in order to simulate an execution environment, where multiple contracts can beexecuted, events are triggered, and transactions are registered in a ledger. This environment, hereaftercalled marketplace , enables us to prove not only properties of Findel primitives, but also properties thatdepend on other factors (external data providers, time, events). Besides simple examples, we approachseveral non-trivial contracts and we highlight problems that contracts may hide. Note that we formalisethe existing semantics of Findel as presented in [1], and we do not improve or modify the language. AFormalSemantics of Findel inCoq
Primitive Informal semantics
Zero
Do nothing.
One( currency ) Transfer 1 unit of currency from issuer to the owner.
Scale( k , c ) Multiply all payments of c by a constant factor of k . ScaleObs( a , c ) Multiply all payments of c by a factor obtained from address a . Give( c ) Swap parties of c . And( c , c ) Execute c and then c . Or( c , c ) Give the owner the right to execute either c or c (not both). If( a , c , c ) If b is true, execute c , else execute c , where b is obtained from address a . Timebound( t , t , c ) Execute c , if the current timestamp is within [ t , t ] . Table 1: The informal semantics of Findel primitives [1].
A Findel contract is a tuple with three components: a description , an issuer and an owner. A Findeldescription is essentially a tree with basic primitives as leaves and composite primitives as internal nodes.The list of available primitives and their informal semantics is shown in Table 1.
Zero and
One are basicprimitives, while the others are composite. The execution model [1] of a Findel contract is:1. The first party issues a contract and becomes its issuer. This is a mere declaration of the issuer’sdesire to conclude an agreement and entails no obligations.2. The second party joins the contract and becomes its owner. As a consequence, both parties acceptthe specified rights and obligations.3. The contract is executed immediately:(a) Let the current node be the root node of the contract description. If the current node is either Or or Timebound with t > now , postpone the execution: issue a new Findel contract, withthe same parties and the current node as root. The owner can demand later its execution.(b) Otherwise, execute all sub-nodes recursively.(c) Delete the contract.A Findel contract is not guaranteed to be executed: only the owner can trigger the execution forissued contracts. It is worth noting that the execution of a contract may produce new contracts (if Or or Timebound are present) or it can affect the balances of the parties. The current implementation of Findeldoes not enforce any constraints on the balances of the users that prevents them from building up debt.
The syntax of Findel is fairly small in size and it is quite easy to encode it in Coq using
Inductive asshown in Figure 1. For convenience, several additional primitives are introduced in [1]: At , Before , After , and
Sell . In Coq, these are simple definitions. We show here only the definition for At : Definition At (t : nat) (p : Primitive) := Timebound (t - ∆ ) (t + ∆ ) p. ∆ is a just parameter which is used to adjust intervals for accepting transactions. Having these newconstructs enables us to define interesting contracts in Coq. For instance, here is a zero-coupon-bondcontract, where the issuer asks for 10 dollars and will pay an eventual owner 11 dollars after 1 year: ZCB = ∆ (And (Give (Scale (One USD) 10)) (At (now + 1 yr) (Scale (One USD) 11))) ndrei Arusoaie 3 Inductive Primitive :=(* basic primitives *)| Zero : Primitive| One : Currency -> Primitive(* composite primitives *)| Scale : nat -> Primitive -> Primitive| ScaleObs : Address -> Primitive -> Primitive| Give : Primitive -> Primitive| And : Primitive -> Primitive -> Primitive| Or : Primitive -> Primitive -> Primitive| If : Address -> Primitive -> Primitive -> Primitive| Timebound : nat -> nat -> Primitive -> Primitive.
Figure 1: The syntax of Findel in Coq.
In Coq, we provide a function called exec which executes primitives recursively. The function takes asinputs the description id, a scale factor, the issuer, the owner, the current time, an external gateway, theledger, and a fresh id. The base cases of exec are: for
Zero it does nothing, for
One it modifies the bal-ances of the participants and the ledger, for Or and Timebound it generates new contracts. The gatewayis used to retrieve external data, and it is modeled as a map from addresses to values. The function exec returns a tuple: h the updated balance, the generated contracts, a fresh identifier, the updated ledger i .Contracts are denoted as [ i , d , p , I , O , p O , s ] , where i is the contract id, d is the corresponding description, I is the issuer, O is the owner, p O is the the proposed owner, and s is the scale of the contract.The marketplace (i.e., the environment where contracts are executed) is a tuple with several compo-nents h C , D , B , t , G , i , L , E i encoded as a record in Coq: C - the list of the issued contracts; D - the listof the available descriptions; B - the current balance; t - the current timestamp, i.e., a natural number; G - the external gateway, i.e., a map from addresses to values, used to execute ScaleObs and If ; i - afresh identifier i.e., a natural number which is always fresh; L - a global ledger, i.e., the ordered list ofthe performed transactions; E - the list of events, which are triggered during execution (e.g., Deleted , Executed , IssuedFor ). We show below the semantical rules that specify how the marketplace evolves. [Issue]
When issued, a contract is added to the list of issued contracts in the marketplace having a uniqueid i . The owner field contains the address of the issuer, while the proposed owner field contains theaddress of the intended owner. The primitive of the contract is initialized from an existing description.Also an event IssuedFor is triggered, and the global fresh id is incremented: h C , dsc ∈ D , B , t , G , i , L , E ih [ i , id ( dsc ) , primitive ( dsc ) , I , I , p O , s ] : C , D , B , t , G , i + , L , ( IssuedFor p O i ) : E i [Join] Joining a contract is the most complex operation and requires several conditions. First, ( A ) O = p O , i.e., the owner is the proposed owner. Second, the root node should not be an Or : ( B ) p = ( Or ) .Third, the execution is limited within a time interval by its description d : ( C ) start ( d ) ≤ now ≤ end ( d ) .Finally, the execution should be successful: ( D ) exec ( p , c id , dsc id , s , I , O , t , G , L , i ) = h B ′ , C ′ , i ′ , L ′ i .The rule for joining a contract is shown below. Note that E is enriched with an Executed event. h{ [ c id , dsc id , p , I , I , p O , s ] } ∪ C , D , B , t , G , i , L , E i ( A ) ( B ) ( C ) ( D ) h C , D , B ′ , t , G ′ , i ′ , L ′ , ( Executed c id ) : E i AFormalSemantics of Findel inCoq [Join OR ] If the primitive of the current contract is ( O r c c ) then the owner can execute either c or c : ( D ′ ) exec ( (cid:3) , c id , dsc id , s , I , O , t , G , L , i ) = h B ′ , C ′ , i ′ , L ′ i . Here, (cid:3) is either c or c : h{ [ c id , dsc id , ( O r c c ) , I , I , p O , s ] } ∪ C , D , B , t , G , i , L , E i ( A ) ( C ) ( D ′ ) h C , D , B ′ , t , G ′ , i ′ , L ′ , ( Executed c id ) : E i [Fail] If the execution of a contract fails (e.g., if contract is expired or the gateway does not provide freshdata), i.e., ( F ) exec ( p , c id , dsc id , s , I , O , t , G , L , i ) = ⊥ , then the Deleted event is triggered: h{ [ c id , dsc id , p , I , I , p O , s ] } ∪ C , D , B , t , G , i , L , E i ( A ) ( B ) ( C ) ( D ) h C , D , B , t , G , i , L , ( Deleted c id ) : E i [Tick] Since the execution of the Findel contracts depends on the current timestamp, the marketplacecontains a global time. The tick rule increases the global time t : h C , D , B , t , G , i , L , E ih C , D , B , t + , G , i , L , E i A Findel contract specifies certain rights and obligations for parties. We show here examples of contractsand some interesting properties that we prove in Coq. We will see that, although they are are small issize, contracts may hide unexpected behaviors. Hereafter, we assume that
Alice is the issuer and
Bob isthe owner. For each contract, we formalise the desired properties as theorems and we prove them in Coq.
I. Fixed-rate currency exchange.
Recall the fixed rate currency exchange
FRCE contract, where
Bob gives
Alice
11 dollars and receives 10 euros from
Alice . In Coq, we are able to prove the next lemma:
Theorem 4.1.
If FRCE is executed, then
Alice receives 11 dollars.
The lemma is straightforward: the hypothesis imply that the [Join] rule applies successfully. In this case,a transaction from
Bob to Alice involving an amount of 11 dollars is registered in the ledger. Conversely,one may want to prove that
Bob also receives 10 euros from
Alice , which is also straightforward in Coq:
Theorem 4.2.
If FRCE is executed, then
Bob receives 10 euros from
Alice . Note that the lemmas above hold, no matter what other contracts are executed in the marketplace. If oneof the participants does not have enough money to pay then they can build up debt. The current semanticsof Findel does not prevent from building up too much debt [1] and we do not formalize that in Coq.
II. External gateway rate - currency exchange.
A more interesting contract is a currency exchangethat uses a rate retrieved from an external source (a gateway). Consider the following Findel description:
EXT = ∆ (And (Give (Scale n (One EUR))) (ScaleObs ADDR (Scale n (One USD)))) EXT specifies that the issuer is supposed to receive n EUR and will pay to the owner ( rate * n ) USD ,where the rate is obtained from an external address
ADDR using the gateway. A non-obvious problem isthat it is possible for the gateway to fail for various reasons (e.g., data expired, invalid address). In suchcases, the contract execution fails and the specified agreement between parties fails as well. Even if thebalance of the parties is not affected, an intruder can determine certain contracts to fail on purpose.In [1], the owner is “advised” to update gateways “shortly before execution”. Also, the gateway isassumed to be “trustworthy”. Under the same assumptions we prove in Coq the next theorems:ndrei Arusoaie 5
Theorem 4.3.
If EXT is executed then
Alice receives an amount of n euros. Theorem 4.4.
If EXT is executed and the gateway returns a rate then
Bob receives rate * n dollars.
III. Zero-coupon bond.
An interesting Findel contract is
ZCB (Section 3.1):
Alice should receive from
Bob
10 dollars, while
Bob receives 11 dollars after 1 year. Proving that
Alice is paid is straightforward:
Theorem 4.5.
If ZCB is executed, then
Alice receives 10 dollars from
Bob . One the other hand, due to the semantics of At (in Section 3.1, At is implemented using Timebound ), wecannot prove that
Bob receives 11 dollars from
Alice ! What we can prove is that after 1 year,
Bob can claim
11 dollars from
Alice . This is because when
Timebound is executed, a new contract is issued,having
Bob as owner. If
Bob fails to demand the execution of the contract in the specified time boundariesthen he might not receive his money back. So, the only guarantee that
Bob has is given by this theorem:
Theorem 4.6.
If ZCB is executed, then
Bob can claim 11 dollars from
Alice . If Bob demands the execution of the contract generated by
Timebound then he receives the 11 dollars.
Using the formal semantics of Findel in Coq we are able to prove properties of Findel contracts. Whenproofs cannot be completed, they typically reveal problems in contracts that might cause money loses(e.g.
Zero-coupon bond ) or failed agreements (e.g.,
External gateway rate - currency exchange ).This can be done by simply inspecting the failed proof case, which provides the failing conditions.The results shown in Section 4 use several meta-properties of our Coq formalisation: (1) the steprelation preserves state consistency; (2) event generation preserves states consistency; (3) the ledger isconsistent; (4) parties cannot withdraw once they have agreed to upon a contract; (5) the time passing isnot affected by contract execution.Our Coq semantics of Findel is small and consists of 450 (non-empty) lines of code. The proof of atheorem has around 15 lines of code, but these proofs use several helper lemmas and some handy tacticsthat we provide together with the semantics.
Acknowledgements.
This work was supported by a grant of the “Alexandru Ioan Cuza” University ofIas¸i, within the Research Grants program, Grant UAIC, ctr. no. 6/01-01-2017.
References [1] Alex Biryukov, Dmitry Khovratovich & Sergei Tikhomirov (2017):
Findel: Secure Derivative Contracts forEthereum . In: FinancialCryptographyWorkshops, LNCS 10323, Springer, pp. 453–467.[2] David Raymond Christiansen, Klaus Grue, Henning Niss, Peter Sestoft & Kristj´an S. Sigtryggsson (2013):
AnActuarial Programming Language for Life Insurance and Pensions .[3] Simon Peyton Jones, Jean marc Eber & Julian Seward (2000):
Composing contracts: an adventure in financialengineering - Functional Pearl . The code is available on Github: https://github.com/andreiarusoaie/findel-semantics-coq/https://github.com/andreiarusoaie/findel-semantics-coq/