=Paper=
{{Paper
|id=Vol-3194/paper37
|storemode=property
|title=Reasoning about Smart Contracts via LTL Encoding
|pdfUrl=https://ceur-ws.org/Vol-3194/paper37.pdf
|volume=Vol-3194
|authors=Valeria Fionda,Gianluigi Greco,Marco Antonio Mastratisi
|dblpUrl=https://dblp.org/rec/conf/sebd/FiondaGM22
}}
==Reasoning about Smart Contracts via LTL Encoding==
https://ceur-ws.org/Vol-3194/paper37.pdf
Reasoning about Smart Contracts via LTL Encoding
Valeria Fionda1 , Gianluigi Greco1 and Marco Antonio Mastratisi1
1
DeMaCS, University of Calabria, Italy
Abstract
Smart contracts are programs that automatically execute on blockchains when some conditions are
verified. They encode the legally relevant events needed to satisfy the terms of an agreement and
are usually defined by using procedural languages, even if some recent proposals investigated the
possibility of using logic formalisms. However, existing logic-based initiatives are rather limited since
they only enable the formal checking of properties of a single smart contract, totally neglecting its
possible interactions with other smart contracts running on the same blockchain. This paper proposes
a framework, called SCRea, that works on a set of smart contracts specified as Linear Temporal Logic
(LTL) formulas. SCRea enables to reason about smart contracts considered individually or by considering
them as running cooperatively or competitively on the same blockchain.
Keywords
Smart Contracts, Linear Temporal Logic, Reasoning
1. Introduction
Distributed Ledger Technologies (DLT) [1] offers an infrastructure for the synchronized and shared
management of data regulated via consensus algorithms. The blockchain is a particular type of DLT
in which values of data are stored in a βchain of blocksβ. Examples of implementations of blockchain
are Bitcoin [5] and Ethereum [6] (exchange of cryptocurrency). DLTs allow for the deployment and
execution of smart contracts [7]: programs stored within the distributed register, that are automatically
executed when certain conditions occur. The effect of the execution of a smart contract may be the
alteration of the state of the register or the activation of other contracts. Some examples of smart contract
application include banking functions (e.g. Savings), decentralized markets (e.g. EtherMarket), prediction
markets (e.g., Augur,), distribution of music royalties (e.g., Ujo) and encoding of virtual property (e.g.,
aβAscribe).
Smart contracts in blockchains are typically programmed in a procedural language specific of the host
DLT platform, such as Solidity[8] for Ethereum, or general purpose such as Javascript, Java, Golang,
and Python. Some initiatives exist in the literature for the formalization of smart contracts using a logic
declarative language (e.g., [2, 3, 4]). However, they only enable the formal checking of the correctness
and some other properties of a single smart contract independently from the other smart contracts
running on the same blockchain and the state of the blockchain itself.
We try to fill this gap by focusing on the application of linear temporal logic on finite traces (LTLπ )
[17], with past operators, as a high-level logical tool for the formalization, validation and resolution
of any conflicts in the execution of smart contracts running on the same blockchain infrastructure. In
our framework, called SCRea, each smart contract is characterized by a set of preconditions and an
effect, where effects are visible on the blockchain when the smart contract is activated or, at most, at
SEBD 2022: The 30th Italian Symposium on Advanced Database Systems, June 19-22, 2022, Tirrenia (PI), Italy
" fionda@mat.unical.it (V. Fionda); greco@mat.unical.it (G. Greco); mastratisi@mat.unical.it (M. A. Mastratisi)
� 0000-0002-7018-1324 (V. Fionda); 0000-0002-5799-6828 (G. Greco)
Β© 2022 Copyright for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0).
CEUR
Workshop
Proceedings
http://ceur-ws.org
ISSN 1613-0073
CEUR Workshop Proceedings (CEUR-WS.org)
�the subsequent time instant. SCRea will enable, given a set of smart contracts, to verify whether the
execution of each of them is compatible with the execution of the others. If so, the framework also allows
to establish a particular order of execution that ensures that the preconditions of each smart contract are
verified before its execution.
We also studied the applicability of SCRea for the identification of conflict situations at runtime by
dealing with one execution trace. In the domain of smart contracts, the term trace denotes a sequence
of events executed by a blockchain or a sequence of function or event invocations issued by one or
more smart contracts. The availability of information at runtime helps dynamic verification techniques
to mitigate one of the main obstacles in the analysis of smart contracts: the need to model a complex
blockchain execution environment.
The rest of the paper is organized as follows. In Section 2 we introduce some preliminary definitions.
The encoding of smart contracts in linear temporal logic is discussed in Section 3 while Section 4 reports
about reasoning problems that are enabled by our encoding. The SCRea framework is described in
Section 5 and Section 6 will conclude the paper.
2. Linear Temporal Logic on Finite Traces with Past Operators
Linear temporal logic, denoted by LTL, is a modal logic introduced in the 1970s [9, 10]. Since then, it has
found applications in several fields of artificial intelligence and computer science, including planning [11],
robotics and control theory [12], the management of business processes [13] and temporal querying of
data [14]. LTL is a modal logic whose modalities are temporal operators related to events that occur at
particular time instants on an ordered timeline. Classically, LTL formulas are interpreted on infinite
traces, but there are some applications where is more appropriate to focus on interpretations on finite
traces [16]. Indeed, a liner temporal logic endowed with this semantics, denoted by LTLπ , has been
recently studied [15, 17, 18].
Syntax. Letβs π be a set of propositional variables. An LTLπ formula π is built on variables in π using
boolean connectives β§, β¨, Β¬ as well as a number of time operators of two categories: future and past
temporal operators. For our purposes we will focus on a specific fragment of LTLπ which includes the
future operator X (next) and the past operators Y (previous), H (always in the past), P (in the past), S
(since). Moreover, we assume that the negation is atomic in π in the sense that it is applied directly
only to propositional variables. More formally, the formula π is constructed according to the following
grammar, where π₯ is any variable in π :
π ::= π₯ | Β¬π₯ | (π β§ π) | (π β¨ π) | π(π) | π (π) | π»(π) | π (π) | (π π π)
Semantics. A finite trace defined on the variables in π is a sequence π = π0 , π1 , ...ππβ1 that associates
with each π β {0, 1, ...πβ1} a state ππ β π consisting of all propositional variables that are assumed to be
true in the time instant π. The length of π (its number of time instants) is denoted by πππ(π). Given a finite
trace π, we define that an LTLπ formula π evaluate true in π at the time instant π β {0, 1, ...πππ(π)-1}
inductively as follows:
β π, π| = π₯ if and only if π₯ β ππ ;
β π, π| = Β¬π₯ if and only if π₯ β / ππ ;
β π, π| = (π1 β§ π2 ) if and only if π, π| = π1 and π, π| = π2 ;
β π, π| = (π1 β¨ π2 ) if and only if π, π| = π1 or π, π| = π2 ;
β π, π| = π(πβ² ) if and only if π < πππ(π) β 1 and π, π + 1| = πβ² ;
β π, π| = π (πβ² ) if and only if π > 0 and π, π β 1| = πβ² ;
β π, π| = π»(πβ² ) if and only if for each π such that 0 β€ π β€ π itβs true that π, π| = πβ² ;
β π, π| = π (πβ² ) if and only if exists π such that 0 β€ π β€ π and π, π| = πβ² ;
�Table 1
Interpretation of temporal operators in the context of smart contracts and blockchains.
π₯βπ the condition/action π₯ occurs
Β¬π₯ | π₯ β π the condition/action π₯ does not occurs
(π₯1 β§ π₯2 ) the conditions/actions π₯1 and π₯2 occurs
(π₯1 β¨ π₯2 ) the conditions/actions π₯1 or π₯2 occurs
π(π₯β² ) in the next step the condition/action π₯β² must apply/be executed
in the previous step the condition/action π₯β² must be valid/have
π (π₯β² )
been executed
in the past there must be an instant in which the condition/action
π (π₯β² )
π₯β² was valid/was performed
in the past the condition/action π₯β² has been verified/has always
π»(π₯β² )
been performed
in the past there is an instant in which π₯2 has been verified/
(π₯1 π π₯2 ) executed, and from that moment the condition/action π₯1 has
always been verified/executed
β π, π| = (π1 π π2 ) if and only if exists π such that 0 β€ π β€ π and π, π| = π2 and for any k such
that π β€ π β€ π itβs true that π, π| = π1 .
When π, π-1 |= π we say that π is a model of π and π is satisfiable.
3. Encoding Smart Contracts in Linear Temporal Logic
Our goal is to use the fragment of linear time logic on finite traces with past operators described in
the Section 2 to reason on smart contracts. From this perspective, the time operators are interpreted as
reported in Table 1. In our encoding, each smart contract is a pair β¨π, πβ©, where: (i) π are the preconditions,
i.e. an LTLπ formula using past operators only; (ii) π is the effect, i.e. a propositional formula or an LTLπ
formula using future operators only. Since π are the preconditions that activate the smart contract and π
the effect of its execution, the smart contract will be expressed by the LTLπ formula π = π»(π β π), i.e.,
every time the preconditions π occurs then the smart contract must be executed and, thus, its effect π
must be visible. In the smart contracts domain, a trace π denotes a sequence of events executed by a
blockchain platform or a sequence of function or event invocations issued by one or more smart contracts.
If a trace π satisfies a smart contract β¨π, πβ© it means that it satisfies the LTLπ formula π = π»(π β π)
encoding it.
Example 1. Letβs consider a simple smart contract within the sharing economy context to access
multimedia contents. The contract consists of the following clause: if a user requests a content for which
he has previously paid, that content must be transferred to him. The propositional variables encoding
events are: ππππ’ππππΆπππ‘πππ‘ (he user requests the content), πππ¦πΆπππ‘πππ‘ (the user pays for the content)
and π‘ππππ πππ‘πΆπππ‘πππ‘ (the content is transmitted to the user). The precondition of the smart contract
is π = ππππ’ππππΆπππ‘πππ‘ β§ π (πππ¦πΆπππ‘πππ‘), that is when the user requires a content it must be checked
that he already payed for it. The effect is the transmission of the content to the user which is considered
to be made in the time instant immediately following the request: π = π(π‘ππππ πππ‘πΆπππ‘πππ‘). The smart
contract will then be codified by the following formula: π = π»((ππππ’ππππΆπππ‘πππ‘β§π (πππ¦πΆπππ‘πππ‘)) β
π(π‘ππππ πππ‘πΆπππ‘πππ‘)).
�4. Reasoning about Smart Contracts
Using LTLπ to encode smart contracts allows to reason over (group of) smart contracts by exploiting its
reasoning capabilities. In this section we will discuss several reasoning problems on smart contracts.
4.1. Reasoning Problems on a Single Smart Contract
In this section we discuss three reasoning problems that can be defined if considering a single smart
contract.
Model checking. A major issue when dealing with a smart contract is model verification or model
checking. The goal is to verify if a given trace π, encoding the events registered by a blockchain, is a
model of a given smart contract β¨π, πβ© encoded by the formula LTLπ π = π»(π β π). This corresponds
to check whether the smart contract has been executed (i.e., the effects of its execution are visible on the
blockchain) every time its preconditions have been satisfyied. Checking if a trace is a model of a smart
contract can be done in polynomial time w.r.t the length of the formula π [15].
Example 2. Letβs consider the smart contract discussed in Example 1 consisting in the LTLπ for-
mula π = π»((ππππ’ππππΆπππ‘πππ‘ β§ π (πππ¦πΆπππ‘πππ‘)) β π(π‘ππππ πππ‘πΆπππ‘πππ‘)) and the trace π1 =
{πππ¦πΆπππ‘πππ‘}, {ππππ’ππππΆπππ‘πππ‘}, {π‘ππππ πππ‘πΆπππ‘πππ‘}. Itβs easy to see that π1 is a model of π. In-
stead, the trace π2 = {πππ¦πΆπππ‘πππ‘, ππππ’ππππΆπππ‘πππ‘} is not a model of π since the precondition of the
smart contract is satisfied but the content is not transmitted to the user.
Satisfiability. Satisfiability is the problem of establishing whether a smart contract β¨π, πβ© encoded by
the LTLπ formula π = π»(π β π) admits a satisfying trace π in which it has been executed at least once.
This corresponds to check whether the LTLπ formula π (π) β§ π»(π β π) admits a model.
Example 3. The smart contract discussed in Example 1 is satisfiable, and examples of traces that satisfy
it are:
π1 ={πππ¦πΆπππ‘πππ‘}, {ππππ’ππππΆπππ‘πππ‘}, {π‘ππππ πππ‘πΆπππ‘πππ‘}
π2 ={πππ¦πΆπππ‘πππ‘, ππππ’ππππΆπππ‘πππ‘}, {π‘ππππ πππ‘πΆπππ‘πππ‘}
π3 ={πππ¦πΆπππ‘πππ‘}, {ππππ’ππππΆπππ‘πππ‘}, {π‘ππππ πππ‘πΆπππ‘πππ‘}, {ππππ’ππππΆπππ‘πππ‘}, {π‘ππππ πππ‘πΆπππ‘πππ‘}.
Satisfiability at runtime. Satisfiability at runtime is the problem of verifying whether a smart contract
β¨π, πβ© (encoded by the LTLπ formula π = π»(π β π)) is satisfiable given a partial trace ππ . In particular,
it is the problem of verifying whether there exists a completion π = ππ ππ‘ of ππ (obtained by adding to
ππ a subtrace ππ‘ consisting of a certain number of states) such that the trace π obtained is a model of the
formula π (π) β§ π»(π β π).
Example 4. Consider again the smart contract discussed in Example 1 and the partial trace ππ =
{πππ¦πΆπππ‘πππ‘}, {ππππ’ππππΆπππ‘πππ‘}. This smart contract can be satisfied at runtime starting from ππ ,
and examples of completions of ππ are:
π1 ={πππ¦πΆπππ‘πππ‘}, {ππππ’ππππΆπππ‘πππ‘}, {π‘ππππ πππ‘πΆπππ‘πππ‘}
π2 ={πππ¦πΆπππ‘πππ‘}, {ππππ’ππππΆπππ‘πππ‘}, {π‘ππππ πππ‘πΆπππ‘πππ‘}, {ππππ’ππππΆπππ‘πππ‘}, {π‘ππππ πππ‘πΆπππ‘πππ‘}
4.2. Reasoning Problems on a Set of Smart Contracts
The previous section considered reasoning problems defined on individual smart contracts. It is also
interesting in the context of blockchains to consider problems defined on a set of smart contracts, which
are supposed to operate and interact in the same blockchain infrastructure.
Model checking. Given a set of smart contracts {β¨π1 , π1 β©, β¨π2 , π2 β©, ..., β¨ππ , ππ β©} encoded by the LTLπ
formulas π1 = π»(π1 β π1 ), π2 = π»(π2 β π2 ),... , ππ = π»(ππ β ππ ), the goal is to verify if a
given trace π is a model of π1 , π2 , ..., ππ . To this end, we can use the same approach used for the
model checking of a single smart contract, but defining appropriately the LTLπ formula encoding the
�set. In particular, since no smart contracts must be violated by the trace, we can consider the formula
π = π1 β§ π2 β§ ... β§ ππ .
Example 5. Consider the smart contract consisting of the following clause: if a user shares a content that
has been previously transmitted to him, thus violating contractual terms, that user will be deleted from the
system. The propositional variables used for the encoding are: π βππππΆπππ‘πππ‘ (the user shares the con-
tent), π‘ππππ πππ‘πΆπππ‘πππ‘ (the content is transmitted to the user) and πππππ‘ππ π ππ (the user is deleted from
the system). The precondition of the smart contract is π = π βππππΆπππ‘πππ‘ β§ π (π‘ππππ πππ‘πΆπππ‘πππ‘). The
effect is the deletion of the user from the system which is considered to be made in the time instant immedi-
ately following the sharing π = π(πππππ‘ππ π ππ). The smart contract is encoded by the following formula:
π2 = π»((π βππππΆπππ‘πππ‘ β§ π (π‘ππππ πππ‘πΆπππ‘πππ‘)) β π(πππππ‘ππ π ππ)). If we consider that π2 and the
smart contract discussed in Example 1 (consisting of the LTLπ formula π1 = π»((ππππ’ππππΆπππ‘πππ‘ β§
π (πππ¦πΆπππ‘πππ‘)) β π(π‘ππππ πππ‘πΆπππ‘πππ‘))) are running on the same blockchain; we can perform
model checking by considering the LTLπ formula π = π1 β§ π2 . Letβs consider the following trace: π =
{πππ¦πΆπππ‘πππ‘}, {ππππ’ππππΆπππ‘πππ‘}, {π‘ππππ πππ‘πΆπππ‘πππ‘}, {ππππ’ππππΆπππ‘πππ‘}, {π‘ππππ πππ‘πΆπππ‘πππ‘,
π βππππΆπππ‘πππ‘}, {πππππ‘ππ π ππ}. It is easy to verify that π satisfies π and itβs compliant with the two
smart contracts formalized by it.
Consistency of a set of smart contracts. If we consider a set of smart contracts running on the
same blockchain, another relevant problem is to verify their consistency, i.e. if it is possible that all
smart contracts can sooner or later be executed or if they are incompatible with each other, meaning
that the execution of one of them makes another smart contract never executable. The goal is to
check if there is a trace π in which all the smart contracts in the set have been executed at least
once. Letβs consider a set of smart contracts {β¨π1 , π1 β©, ..., β¨ππ , ππ β©} encoded by the LTLπ formulas
π1 =π»(π1 β π1 ), . . . , ππ =π»(ππ β ππ ). Then, the LTLπ formula for consistency checking is π =
πβ{1,...,π} (π»(ππ β ππ ) β§ π (ππ )), that is, the conjunction of the formulas encoding the individual smart
βοΈ
contracts plus the check that the preconditions of each smart contract have been satisfied at least once
(using the π (ππ ) subformulas).
Example 6. Consider the set of smart contracts discussed in Example 5. This set
of smart contracts is consistent, in fact we found a trace satisfying this set. Let:
πβ²β²1 =((ππππ’ππππ πΆπππ‘πππ‘ β§ π (πππ¦π πΆπππ‘πππ‘))βπ(π‘ππππ πππ‘π πΆπππ‘πππ‘) and πβ²β²2 =((π βππππ πΆπππ‘πππ‘ β§
π (π‘ππππ πππ‘πΆπππ‘πππ‘)) β π(πππππ‘ππ π ππ). The LTLπ formula allowing to check the con-
sistency of the set is: π = π»(πβ²β²1 ) β§ π»(πβ²β²2 ) β§ π (ππππ’ππππ πΆπππ‘πππ‘ β§ π (πππ¦π πΆπππ‘πππ‘)) β§
π (π βππππ πΆπππ‘πππ‘ β§ π (π‘ππππ πππ‘πΆπππ‘πππ‘)). A trace that satisfies π is the following: π =
{πππ¦πΆπππ‘πππ‘}, {ππππ’ππ π‘πΆπππ‘πππ‘}, {π‘ππππ πππ‘πΆπππ‘πππ‘}, {ππππ’ππ π‘πΆπππ‘πππ‘}, {π‘ππππ πππ‘πΆπππ‘πππ‘,
π βππππΆπππ‘πππ‘} {πππππ‘ππ π ππ}.
Example 7. Consider the two smart contracts within the sharing economy environment
β¨π1 =(ππππ’ππ π‘π·ππππ‘πππ β§ π»(Β¬πππ‘π·ππππ‘ππππ)), π1 =πππππ‘ππΆπππ‘πππ‘β© and β¨π2 = (ππππ’ππ π‘π πππππππππ β§
π»(Β¬πππππ‘ππΆπππ‘πππ‘)), π2 =πππ‘π·ππππ‘ππππ). The smart contract β¨π1 , π1 β© establishes that if the owner of
a content ask for its deletion (ππππ’ππ π‘π·ππππ‘πππ) and previously such content has not been declared
not deletable (π»(Β¬πππ‘π·ππππ‘ππππ)), the content is deleted from the system. Instead, the smart contract
β¨π2 , π2 β© states that if a content is requested to be made permanent in the system (ππππ’ππ π‘π πππππππππ)
and has not been previously deleted (π»(Β¬πππππ‘ππΆπππ‘πππ‘)) then it is marked as not deletable. It is easy
to see that this set of smart contracts is not consistent since the execution of one smart contract prevents
the precondition of the other to be ever satisfied.
Consistency at runtime. Consistency at runtime is the problem of checking if a set of smart contracts
{β¨π1 , π1 β©, ..., β¨ππ , ππ β©} can be satisfied starting from a partial trace ππ , that is to verify whether there
exists a completion π=ππ ππ‘ of ππ (obtained by adding to ππ a subtrace ππ‘ ) such that all smart contracts
in the set are executed at least once. To solve such a problem the encoding of the set of smart contracts
in LTLπ is the same as discussed for the standard consistency checking. However, the partial trace ππ
�Figure 1: SCRea conceptual architecture
must be completed by adding indicator variables ππ to register the satisfaction of preconditions.
Example 8. Consider again the set of smart contracts discussed in Example 6 and the partial trace
ππ ={πππ¦πΆπππ‘πππ‘}, {ππππ’ππππΆπππ‘πππ‘}. The completion of ππ corresponds to the addition of the indica-
tor variable π1 in the last state, i.e., ππ ={πππ¦πΆπππ‘πππ‘}{ππππ’ππππΆπππ‘πππ‘, π1 }. The set of smart contracts
is consistent at runtime starting from ππ , and examples of completions of ππ are:
π1 ={πππ¦πΆπππ‘πππ‘}, {ππππ’ππππΆπππ‘πππ‘, π1 }, {π‘ππππ πππ‘πΆπππ‘πππ‘, π βππππΆπππ‘πππ‘, π2 }, {πππππ‘ππ π ππ}
π2 ={πππ¦πΆπππ‘πππ‘}, {ππππ’ππππΆπππ‘πππ‘, π1 }, {π‘ππππ πππ‘πΆπππ‘πππ‘}, {ππππ’ππππΆπππ‘πππ‘, , π βππππΆπππ‘πππ‘,
π1 , π2 }, {π‘ππππ πππ‘πΆπππ‘πππ‘, πππππ‘ππ π ππ}
5. SCRea: Smart Contracts Reasoner
In this section we introduce the Smart Contracts Reasoner (SCRea) that works on smart contracts
encoded in LTLπ and exploits boolean satisfiability for solving the reasoning tasks introduced in the
previous section. The proposed reasoner is based on a SAT (boolean satisfiability) rewrite technique
that recalls the approach followed by (incremental) model checking methods for bounded LTL [19]. The
conceptual architecture of SCRea is shown in Figure 1. The input to the system is the LTLπ formula
encoding a single smart contract or a group of smart contracts (see, Section 4).
The first component is the Parser which constructs the parse tree ππ‘(π) associated with the input
formula π. Starting from the parse tree, the SAT rewriting technique rewrites π into an equivalent
propositional formula Ξ¦π,π which is satisfiable if, and only if, π can be satisfied by a model of maximum
length π. To verify if Ξ¦π,π is satisfiable, the reasoner can use any existing SAT solver (e.g., Glucose
[20]). In particular, ππ‘(π) is given as input to the Encoder module which produces a SAT translation of
the formula by initially considering a model length π=1. Then, whenever no model of Ξ¦π is found, π is
doubled and the process is repeated until π exceeds the upper limit π given as input to the Encoder. If
the SAT solver finds a model π for a SAT formula Ξ¦π,π , the Decoder module translates π into a trace π
(having length at most π) which satisfies π. Note that π is set by the user and could be less than the
minimum length of any model of π, so the reasoner acts as a correct, although not complete, solver.
5.1. Encoder and Decoder Modules
Given an LTLπ formula representing one or a set of smart contracts, for its SAT encoding a crucial
role is played by the parse tree of a formula ππ‘(π) = (π, πΈ, π) that is a tree (π, πΈ) with a node labeling
function π : π β {β§, β¨, π, π, π, π», π} βͺ {π₯, Β¬π₯|π₯ β ππ } inductively defined as follows:
β For any literal π β {π₯, Β¬π₯} with π₯ β ππ , ππ‘(π) = ({π}, β
, π) and π(π) = π.
β If ππ‘(ππ )=(ππ , πΈπ , ππ ), with π β {1, 2}, it is an analysis tree having as root the vertex ππ β ππ and if
π β β§, β¨ is a boolean connective or π = π then ππ‘(π1 ππ2 ) = ({π} βͺ π1 βͺ π2 , {(π, π1 ), (π, π2 )} βͺ
� πΈ1 βͺ πΈ2 , π) is the analysis tree which has as roots the new node π, with π1 and π2 as its two
children, and where π is such that π(π) = π and its restriction on ππ coincides with ππ .
β If ππ‘(πβ² )=(π β² , πΈ β² , πβ² ) is an analysis tree having the root πβ² and if π β {π, π, π, π»} is a time
operator, then ππ‘(π(πβ² ))=({π} βͺ π β² , {(π, πβ² )} βͺ πΈ β² , π) is the tree rooted in the new node π whose
only child is πβ² and where π is such that π(π)=π and its restriction on π β² coincides with π.
To explain the encoding approach used by the reasoner to construct Ξ¦π,π , let us first note that, given
a trace π, each node π£ β π of the parse tree ππ‘(π) = (π, πΈ, π) can easily be equipped with a set π ππ‘(π£, π)
of all time instants in which the sub-formula ππ£ associated with vertex π£ holds in π. In particular,
such sets can be computed by structural induction on the parse tree according to the semantics of the
different temporal operators. Then, the basic idea we use to construct the formula Ξ¦π,π is to imitate
the construction of the sets π ππ‘(π£, π). Formally, we first define the variables π[0], ..., π[π β 1] that will
be used to encode the last time instant of the model. Intuitively, Ξ¦π,π will be defined in such a way
that there exists an index π β {0, ..., π β 1}, such that π[π] evaluates true (respectively, false) whenever
π β₯ π (respectively, π < π). The instant π indicates the last time instant of a model of π β more formally,
whenever Ξ¦π,π is satisfiable, there exists a model of π of length π β€ π. Then, we associate the variables
π π£[0], ..., π π£[π β 1] to each node π£ of ππ‘(π). Intuitively, π π£[π] is meant to check if the formula encoded in
the parse tree rooted at node π£ is satisfied at instant π. In the following expressions, we use two additional
variables π π£[β1] and π π£[π], whose value will actually be a constant that will be fixed depending on the
type of node π£. βοΈπβ2
Then, the SAT encoding is the formula Ξ¦π,π = π£βπ (Ξ¦π£ β§ π ππππ‘[π-1] β§ π[π-1]) β§ π=0 (π[π] β
βοΈ
βοΈπβ2 πβ1
π[π + 1]) β§ π=0 (π[π] β π£ (π π£[π] β π π£[π + 1])) and, for all π£ β π , Ξ¦π£ = π π£[0] β Ξ¦0π£ π=1 (Β¬π[π-1] β
βοΈ βοΈ
(π π£[π] β Ξ¦π£ )), where:
π
β if π(π£) β {π₯, Β¬π₯}, then Ξ¦ππ£ = π£β² βπ,π(π£β² )β‘Β¬π(π£) Β¬π π£ β² [π] β§ π£β² βπ,π(π£β² )β‘π(π£) π π£ β² [π];
βοΈ βοΈ
β if π(π£)=β§ or π(π£)=β¨, then Ξ¦ππ£ =π π£1 [π]π(π£)π π£2 [π], where π£1 and π£2 are the right/left children of π£;
β if π(π£)=π, then Ξ¦ππ£ =π π£ β² [π + 1] β§ Β¬π[π], where π£ β² is the child of π£ and π π£[π] is the constant false;
β if π(π£)=π , then Ξ¦ππ£ =π π£ β² [π β 1], where π£ β² is the child of π£ and π π£[β1] is the constant false;
β if π(π£)=π , then Ξ¦ππ£ =π π£ β² [π] β¨ π π£[π β 1], where π£ β² is the child of π£ and π π£[β1] is the constant false;
β if π(π£)=π», then Ξ¦ππ£ =π π£ β² [π] β§ π π£[π β 1], where π£ β² is the child of π£ and π π£[β1] is the constant true;
β if π(π£)=π, then Ξ¦ππ£ =(π π£2 [π] β§ π π£1 [π]) β¨ (π π£1 [π] β§ π π£[π β 1]), where π£1 and π£2 are the left and right
children of π£ and π π£[β1] is the constant false.
We note, for the sake of completeness, that Ξ¦π,π is rewritten (in polynomial time) in conjunctive normal
form, before being passed to the solver. Moreover, by construction, it is possible to establish that Ξ¦π,π is
satisfiable if, and only if, π can be satisfied by a model π with πππ(π) β€ π. When SCRea finds a model
π for a SAT formula Ξ¦π,π , the decoder module is responsible for the building of the trace π that satisfies
the smart contract π. In particular, starting from π it is possible to construct the trace π satisfying π by
implementing the following steps: (i) If π[π] β π and there is no π[π] β π with π < π then the decoder
constructs a trace π with π states; (ii) For every π£ such that π(π£) = π₯ and every π such that π π£[π] β π
then the decoder adds π₯ to π[π].
5.2. SCRea at runtime
In this section we will discuss how the reasoner can be applied to solve reasoning problems at runtime.
To work at runtime it is necessary to slightly modify the architecture of SCRea. In particular, the
Encoder module must also receive in input the partial trace ππ which contains the events recorded on
the blockchain up to the current time instant. In this case, the parameter π concerns the additional
number of states (i.e., sets of events) that can happen after those already present in ππ . Moreover, if
SCRea is meant to work on a set of smart contracts ππ must be preprocessed to add indicator variables.
�6. Concluding remarks
In this paper we proposed a framework, based on the encoding of smart contracts in Linear Temporal
Logic on finite traces, that enables various reasoning tasks on a single and on a set of smart contracts
running on the same blockchain. The proposed framework, called SCRea, is the first tool developed with
the aim of checking the consistency of a set of smart contracts that are supposed to cooperate in same
blockchain infrastructure and it is able to work at runtime on a running blockchain system. As a first line
for future research, we are planning to implement our framework on an existing blockchain infrastructure
to test its effectiveness on a real system. As a limitation of the proposed framework we want to point out
that LTL is based on a propositional logic and, thus, has some limitations in expressiveness. Therefor, a
second line for future research regards the extension of the proposed framework with a more powerful
logic such as first-order temporal logic that will increase SCReaβs expressive power.
References
[1] Douglis, F., Stavrou, A. (2020). Distributed Ledger Technologies. IEEE Internet Comput., 24(3).
[2] Idelberger, F., Governatori, G., Riveret, R., Sartor, G. (2016). Evaluation of Logic-Based Smart Contracts
for Blockchain Systems. In Proc. of RuleML, pp. 167β183.
[3] Hu, J., Zhong, Y. (2018). A Method of Logic-Based Smart Contracts for Blockchain System. In Proc.
of ICDPA, pp. 58β61.
[4] Stancu, A., Dragan, M. (2020). Logic-Based Smart Contracts. In Proc. of WorldCIST, pp. 387β394.
[5] Nakamoto, S. (2008). Bitcoin: A peer-to-peer electronic cash system.
[6] Wood, G. (2014). Ethereum: A secure decentralised generalised transaction ledger. Ethereum project
yellow paper, 151(2014), 1-32.
[7] Szabo, N. (1997). The idea of smart contracts. Nick Szaboβs Papers and Concise Tutorials, 6.
[8] Dannen, C. (2017). Introducing Ethereum and Solidity (p. 185). Berkeley: Apress.
[9] Pnueli, A. (1977). The Temporal Logic of Programs. In Proc. of FOCS, pp. 46β57.
[10] Pnueli, A. (1981). The Temporal Semantics of Concurrent Programs. Theoretical Computer Science,
13, 45β60.
[11] Calvanese, D., De Giacomo, G., Vardi, M. Y. (2002). Reasoning about actions and planning in ltl
action theories. In Proc. of KR, pp. 593β602.
[12] Ding, X., Smith, S., Belta, C., Rus, D. (2014). Optimal Control of Markov Decision Processes With
Linear Temporal Logic Constraints. IEEE Transactions on Automatic Control, 59(5), 1244β1257.
[13] Fionda, V., Guzzo, A. (2020). Control-Flow Modeling with Declare: Behavioral Properties, Computa-
tional Complexity, and Tools. IEEE Trans. Knowl. Data Eng., 32(5), pp. 898β911.
[14] Chekol, M.W., Fionda, V., PirrΓ², G. (2017). Time Travel Queries in RDF Archives. In Proc. of MEPDaW,
pp. 28β42.
[15] Fionda, V., Greco, G. (2018). LTL on Finite and Process Traces: Complexity Results and a Practical
Reasoner. J. Artif. Intell. Res., 63, pp. 557β623.
[16] Pesic, M., Bosnacki, D., Van der Aalst, W. (2010). Enacting Declarative Languages Using LTL:
Avoiding Errors and Improving Performance. In Proc. of SPIN, pp. 146β161.
[17] De Giacomo, G., Vardi, M. Y. (2013). Linear Temporal Logic and Linear Dynamic Logic on Finite
Traces. In Proc. of IJCAI, pp. 854β860.
[18] Li, J., Zhang, L., Pu, G., Vardi, M. Y., He, J. (2014). LTLf satisfiability checking. In Proc. of ECAI, pp.
513β518.
[19] Biere, A., Heljanko, K., Junttila, T., Latvala, T., and Schuppan, V. (2006). Linear Encodings of Bounded
LTL Model Checking. Logical Methods in Computer Science, 2(5), 1β64.
[20] Audemard, G., and Simon, L. (2009). Predicting Learnt Clauses Quality in Modern SAT Solvers. In
Proc. of IJCAI, pp. 399β404.
�