BitVM, a Layer 2 (L2) solution, aims to enhance Bitcoin's scalability by enabling complex computations off-chain with on-chain verification. However, Bitcoin's limited programming environment makes developing applications on BitVM challenging and error-prone. Ensuring the correctness and security of these programs is crucial for the integrity of the entire system. BitGuard is introduced to address these challenges by providing the first formal verifier for BitVM implementations.
BitGuard: A Comprehensive Approach
BitGuard employs a two-phase approach to verify BitVM implementations:
Transpilation:
Decomposes the original Bitcoin script into smaller, independent snippets.
Utilises program synthesis to rewrite each snippet into an equivalent version in a higher-level DSL (domain-specific language) called π. This DSL abstracts away complex stack operations, making the code easier to reason about.
Assembles the transpiled snippets into a complete program optimised for verification.
Verification:
Allows users to specify preconditions, postconditions, and verification conditions within the synthesized program using πβs verification interface.
Uses a Houdini-style algorithm to infer loop invariants, summarizing loops in a concise form for efficient verification.
Symbolically evaluates the program and generates logical constraints that can be checked by an off-the-shelf SMT solver.
Key Features of BitGuard
Higher-Level DSL: π abstracts away low-level stack manipulations, replacing them with register-based operations and concise higher-order functions. This simplifies the verification process by improving code clarity and reducing the complexity of generated constraints.
Loop Invariant Inference: BitGuard identifies and utilizes loop invariants to summarize repetitive βloop-styleβ computations. This significantly reduces the complexity of SMT formulas generated from unrolled loops, making verification more efficient.
Synthesis-Powered Transpilation: BitGuard leverages a counterexample-guided inductive synthesis (CEGIS) procedure to automatically lift low-level Bitcoin script to the higher-level DSL, π. This facilitates easier verification without sacrificing accuracy.
Effectiveness and Efficiency
Evaluation on 78 benchmarks from BitVM implementations shows that BitGuard successfully verified 83% of the cases with an average runtime of 12.55 seconds per benchmark. This demonstrates both its effectiveness and practicality in enhancing the security and reliability of BitVM.
Vulnerability Detection
BitGuard successfully identified a previously unknown vulnerability in a widely used Bitcoin script, highlighting its potential in uncovering critical security flaws. The bug involved an incorrect check for positive numbers, which could potentially allow invalid proofs to be accepted.
Conclusion
BitGuard is the first formal verification tool for BitVM implementations. By leveraging a higher-level DSL, loop invariant inference, and synthesis-powered transpilation, it efficiently verifies complex Bitcoin scripts and contributes to the development of more secure blockchain applications built on Bitcoin.
