Stellar Community Fund

By Komet: Formal Verification

Komet: Formal Verification by Runtime Verification

SCF #30

$100.0K

Build

Awarded

Komet gives developers a tool to fuzz and formally verify Rust code by property testing in Rust, a language they already know

Products & Services

We used the previous Activation Award to build an MVP tool that currently supports a limited set of Soroban host functions in order to demo formal verification features on the fxDAO smart contracts. With this Build Award, we aim to achieve three primary goals:

Expand Host Function Support: This award will allow us to expand functionality to include all Soroban host functions, enabling comprehensive testing and verification of any smart contract deployed on Soroban.
Improved Interface and Documentation: Enhance the tool’s interface to improve readability of the verification results and provide more meaningful warnings to developers. We will expand the documentation to include detailed installation and usage instructions, as well as demo contracts to experiment on and real-world video examples.
Performance Enhancements: We will test the tool on real-world contracts and use it in our audits, use the feedback to improve the tool. Running formal verification proofs can be time-consuming, and this award will allow us to optimize the performance of Komet, reducing the time required to execute these proofs.

Soroban

Yes

Requested Budget

$100.0K

Success Criteria

Success and impact for Komet would be defined by having auditing firms integrate it into their formal verification process, positioning Komet as the go-to tool for ensuring the security of high TVL protocols on Stellar. The output would be Komet becoming a core part of the audit workflow for protocols, leading to widespread adoption by developers and security teams. Ideally, our goal would be to have four full-time formal verification engineers continuously engaged with large protocols as more value is locked on Stellar. The impact would be significant: by making formal verification the gold standard for Stellar protocols, Komet would reduce the likelihood of security breaches, ultimately protecting user funds and fostering greater confidence in the Stellar ecosystem. This would help drive further adoption of Soroban smart contracts, making Stellar more competitive in the DeFi space and beyond.

Go-To-Market Plan

Our go-to-market strategy for Komet will follow the blueprint we successfully used for Kontrol, our open-source formal verification tool for Solidity. After building Kontrol, we maintained and improved it through paid formal verification engagements. Developers can freely use the tool, but many projects and protocols hire us to assist with writing tests and proofs and to guide them through the verification process. Additionally, we monetize Kontrol by charging larger protocols for the compute power necessary to run proofs on their extensive codebases, as these often outgrow the developer's local resources. For Komet, we plan to replicate this strategy. After completing the grant project, we will offer Komet to the Stellar community as an open-source tool for developers to use. Beyond that, we will provide services to help projects write formal verification proofs, execute them, and optimize the tool for their specific needs, ensuring the highest level of security. This will allow us to continue developing Komet while building long-term relationships within the Stellar ecosystem.

Traction Evidence

For prior traction and validation, we would like to highlight our success with Kontrol, a tool similar to Komet but built for Solidity instead of Rust and Soroban. Kontrol has been widely adopted by hundreds of developers, including professional auditing firms, solo auditors, and internal testing teams. Notably, major protocols such as Optimism and Lido have incorporated Kontrol into their security flow. This widespread usage validates the core concept of Komet and demonstrates the demand for such a tool in blockchain ecosystems.

As for Komet itself, we have already begun exploring its application during the FxDAO smart contract audit. During this audit (available here), we discovered 10 informational and 10 potentially critical findings. Of the critical findings, considering the hypothetical creation of tests designed using the invariants raised in the audit, 7 out of the 10 would likely have been discovered using fuzzing, and definitely would have been found using formal verification. While not trivial to be identified during testing, the remaining three could be validated and demonstrated using Komet’s formal verification capabilities. Of the 10 informative findings, three could have been found using either fuzzing or formal verification, and the remaining 7 are related to protocol design or best practices. Not only would Komet help shorten the duration of audits due to the ease of validating invariants, but would also empower developers and engineers to test and protect their own code.

Going forward, we believe that Komet could make all future Soroban audits more efficient, enabling developers and auditors alike to catch critical issues earlier in the development cycle. This validation from both Kontrol’s success and Komet’s real-world applicability shows that Komet is poised to have a substantial impact on the Soroban ecosystem.

Tranche 1 (Deliverable Roadmap) - MVP

Tranche 1 has already been completed using the previous SCF #28 activation award of $50,000. These were the deliverables from the first tranche, all of which have been completed (included links where possible):

[x] Open-source BSD-3 licensed repository with CI setup, importing the KWasm semantics, and including the implemented Soroban host functions. - https://github.com/runtimeverification/komet/ [x] Komet property tests for the selected functions from the FxDAO/vaults contract. - Added to the project repository as CI tests. [x] Clear documentation on the remaining host functions that must be implemented for complete Soroban support. - GitHub issue: https://github.com/runtimeverification/komet/issues/28 [x] CLI tool capable of fuzzing Rust property tests and proving simple properties. - Available via the kup package manager. [x] Documentation with installation and usage instructions. - https://docs.runtimeverification.com/index/komet

We propose to break down the remaining award into 2 tranches, which are outlined below.

Tranche 2 (Deliverable Roadmap) - Testnet

Tranche 2 of the Komet project will focus on expanding the tool's capabilities and performance to support all Soroban host functions so that it can handle a wide range of real-world smart contract verifications.

1. Implementation of Semantics for All Soroban Host Functions

Objective: Expand Komet to support the entire set of Soroban host functions.
Completion Criteria:
- Komet’s KSoroban semantics will cover all Soroban host functions, ensuring the tool can verify a complete range of Soroban smart contracts.
- The test suite will include extensive tests for each host function to validate their correctness.
Estimate: 2 engineers, 4 weeks

2. Fuzzing Support for Soroban Contracts

Objective: Ensure that Komet’s fuzzer is capable of running property-based tests for all Soroban host functions, helping developers explore various input scenarios and edge cases.
Completion Criteria:
- Successfully fuzz non-trivial properties of real-world Soroban contracts.
- Fuzz testing will be functional across all Soroban host functions.
- Invite & assist community projects to run the fuzzer on their codebases, and collect detailed feedback.
Estimate: 2 engineers, 1 week

3. UI/UX Improvements

Objective: Make Komet more user-friendly by improving the interface and user experience, specifically focusing on error messaging and the display of results from fuzzing and formal verification.
Planned Improvements:
- Enhanced error messages that provide clear, actionable information, thus reducing the learning curve for developers unfamiliar with formal methods.
- Better presentation of testing results, including visual representations of falsifying examples to make it easier for developers to understand and address issues.
Completion Criteria:
- Komet will display clear and informative error messages during contract verification.
- Developers will be able to easily interpret and act on their test results.
Estimate: 2 engineers, 1 week

Tranche 3 (Deliverable Roadmap) - Mainnet

The Mainnet phase will focus on the symbolic execution & the prover. In addition, we will refine the user interface, and gather feedback from early users. This phase will make Komet a production-ready tool for all Soroban developers.

1. Prover Improvement for Real-World Contracts

Objective: Improve the symbolic execution prover to handle the complexity of real-world contracts, including advanced contract logic and large codebases.
Completion Criteria:
- Komet will successfully prove non-trivial properties of sophisticated Soroban contracts.
- We will concentrate on the prover’s performance, working to ensure that typical proofs can be completed on the engineer’s local machines within a reasonable amount of time. We will use Kontrol’s performance as benchmarks to work towards.
Estimate: 2 engineers, 4 weeks

2. Real-World Testing and Developer Feedback

Objective: Incorporate feedback from developers using Komet in the Testnet phase and refine the tool based on real-world use cases.
Completion Criteria:
- Conduct testing sessions with users who tried the fuzzer after phase 2 to gather insights and feedback.
- Use feedback to identify further optimizations and improvements for the prover and fuzzer.
- Lastly, we will perform some level of formal verification on 3 selected Stellar projects to ensure Komet is working as expected.
Estimate: 1 engineer, 2 weeks

3. Finalize Documentation & Examples

Objective: Create robust documentation for the tool, along with examples and demo videos.
Completion Criteria:
- Documentation that will guide a user new to formal verification from installation to running the formal verification tool on their test suite.
- At least 2 demo contracts for developers to clone and run the prover and test its features
- At least 2 demo video walk-throughs of using Komet to perform formal verification on real-world smart contracts.
Estimate: 1 engineer, 2 weeks