As smart contracts are growing in size and complexity, it becomes harder and harder to ensure their correctness and security. Due to the lack of isolation mechanisms a single mistake or vulnerability in the code can bring the whole system down, and due to this smart contract upgrades can be especially dangerous. Traditional ways to ensure the security of a smart contract, including DSLs, auditing and static analysis, are used before the code is deployed to the blockchain, and thus offer no protection after the deployment. After each upgrade the whole code need to be verified again, which is a difficult and time-consuming process that is prone to errors. To address these issues a security protocol and framework for smart contracts called Cap9 was developed. It provides developers the ability to perform upgrades in a secure and robust manner, and improves isolation and transparency through the use of a low level capability-based security model. We have used Isabelle/HOL to develop a formal specification of the Cap9 framework and prove its consistency. The paper presents a refinement-based approach that we used to create the specification, as well as discussion of some encountered difficulties during this process.

中文翻译：

---

智能合约安全框架的正式规范

随着智能合约的规模和复杂性不断增长，确保其正确性和安全性变得越来越难。由于缺乏隔离机制，代码中的一个错误或漏洞就会导致整个系统瘫痪，因此智能合约升级可能特别危险。传统的确保智能合约安全的方法，包括 DSL、审计和静态分析，都是在代码部署到区块链之前使用的，因此在部署之后不提供任何保护。每次升级后都需要再次验证整个代码，这是一个困难且耗时的过程，容易出错。为了解决这些问题，开发了一种名为 Cap9 的智能合约安全协议和框架。它为开发人员提供了以安全可靠的方式执行升级的能力，并通过使用基于能力的低级别安全模型来提高隔离度和透明度。我们已经使用 Isabelle/HOL 来开发 Cap9 框架的正式规范并证明其一致性。本文提出了一种我们用来创建规范的基于细化的方法，并讨论了在此过程中遇到的一些困难。