Hashing It Out

Episode 100 · 7 months ago

Hashing It Out #100-Chris and Jay of REACH

ABOUT THIS EPISODE

On the 100th episode of Hashing It Out, Corey and John speak to Chris and Jay of Reach. Reach is a platform seeking to develop a programming language for the easiest development of smart contracts and dapps within the cryptocurrency ecosystem.

Links: Reach

Welcome to Hashing It Out, a podcast where we talk to the tech innovators behind blockchain infrastructure and decentralized networks. We dive into the weeds to get at why and how people build this technology and the problems they face along the way. Come listen and learn from the best in the business so you can join their ranks.

All right, y'all, welcome back to Hashing It Out, episode one hundred. It's been a while. We've been gone for a while since the new year because we're busy, but we're back, and for episode one hundred, big one zero zero. As always, I'm your host, Dr. Corey Petty, with my cohost today, John Mardlin. Say what's up, man.

What's up, man.

What's up, man. And today's episode we're going to be interviewing Reach. We have Christopher, or Chris, and Jay from Reach to discuss a new way to build decentralized applications, or applications in general. So we'll go and kind of dive into the weeds as to why this approach may be better than the standard way most people are building these avdris applications, and how it gets used today and where it's going. So Chris, Jay, why don't you start off by introducing yourselves. Chris, go ahead.

My name is Chris Swenor, I'm the CEO of Reach. I started out a long time ago, twenty years ago, as an engineer, and about ten years ago I abandoned it to be on the business side. So it's been the last ten years in management and entrepreneurship, and been running Reach now for about, I don't know, about a year and a half, a little bit, maybe a little bit more than that now. But Jay?

My name is Jay McCarthy. I'm the CTO of Reach, and I'm also an associate professor at the University of Massachusetts Lowell, and I've been doing research in programming languages and formal verification and cryptographic protocols for most of my career since getting my PhD at Brown back in the early two thousands.

Dr. Jay McCarthy. I apologize for that one. You use the moniker when it's, so, it's appropriate, and in that case it's, I... a perfect conversation.
We've had quite a few people on the show discussing static analysis, formal verification, security, even programming languages for that matter. What makes Reach different?

So how I kind of like to explain this is to go back to me three years ago. About three years ago, we were building a blockchain, a blockchain scaling solution, and we built out a prototype, raised money, and we got to the point of, okay, time to find developers. So we started hunting for developers, going to conferences, and started seeing the same faces over and over again. We were trying to find them. It was difficult to find those developers, and we thought that was really weird, because at that point we drank the Kool-Aid. We knew blockchain was the future, but there were just no developers out there. So we started to ask developers questions. We asked, why are you not developing in blockchain? You know, there's twenty, thirty million of you out there, what's happening? And through surveys, through conversations, there's three things that kept surfacing. Number one, blockchain development is too difficult. They were finding that dropping down to the level of the state machine and programming the state machine is not something they were used to doing. So it was a completely different type of paradigm that they needed to learn to be able to build blockchain applications. And not only was it actually more difficult, but because it was a lower level, it took a lot longer, and developers like that instant gratification. They like to be able to sit down, build something and have something, but with blockchain...

...they were sitting down building something and nothing, like, it was just taking way too long to actually build anything, so they were running out of steam. The second thing that came up is just the cost of blockchain development. And the cost of blockchain development came in multiple different ways. Number one, if they wanted to build a team around them, a blockchain developer, you know, makes two hundred fifty dollars an hour; it's very difficult to actually find developers to put on the team. Say if they found the team, they found the money to actually pay the team or incentivize them in some other way. Once they actually built their applications, now they have to get audits, and that costs tens of thousands of dollars, and a lot of times they'll have to do that with multiple different auditing companies, and every single time they change their code. So that was really costly. And the final thing is that they see these companies that build the team, get the audits, and are still losing hundreds of millions of dollars because of bad code. So they're looking at it and saying, you know what, this might be a little bit too early for us to come in. It costs a lot of money to actually take that risk. Why would I change? And then the final thing is that blockchain in general is very tribal. There's really no such thing as a blockchain developer. There's an Ethereum developer and an Algorand developer and a Cardano developer, but there's no such thing as a blockchain developer, and that's because the skill set is just so different. It's very difficult for them to help each other, and not only is it so different that they can't help each other, but it's actually very toxic. My chain is the best chain, you're an idiot for picking your chain. And regular developers look at that and say, you know, why would I deal with that? So those are the three major pillars that we were finding why blockchain developers weren't coming into the space.
So we knew that we had to actually fix that problem, and we could do it one of two ways. We could build a development tool that focuses on one of those aspects and iterates on how things are currently done. This is, you know, the teams at Truffle and Hardhat, the team that built Hardhat, MythX. This is the direction they went, and they did a lot of good work, but they built their tool on the foundation of how blockchain is, and the truth of it is that blockchain development is so hard and bad that making something a little bit better isn't good enough. It isn't good enough to actually make a difference. So we gave ourselves the challenge of saying, okay, what would blockchain development look like if it was a hundred times easier, a hundred times better? And the answer is really what Reach came from: the idea of actually building a platform, a central hub, a central way to actually build blockchain applications that took care of everything and changed the actual paradigm of what blockchain development is to actually make it a hundred times better.

So what Reach does exactly is it provides a programming language, the Reach language, that raises the level of abstraction and allows developers to code at the level of the participant rather than the level of programming the state machine. Because it's a much higher level, it's actually much, much shorter and much more efficient to code, so developers can actually get down and build applications very quickly. To give you a real-world use case, we're currently in the process of rewriting Uniswap in Reach. Currently, the Reach application is two hundred fifty lines of code, which is much, much shorter than the Uniswap contracts and the middleware. Now, in order to really prove the use case of, you know, Reach is actually easier, we decided to put our newest developer on it. We hired him a little over a month ago and said, hey, we want you to build Uniswap using Reach...

...and before we hired him, he never even saw what a blockchain was before us. So we took a full-stack developer and we tasked him with building Uniswap, and he rebuilt Uniswap from scratch with Reach in two hundred and fifty lines of code, you know, with minimal help from us. So we knew that we checked the box of making it easier to develop.

The next thing that we wanted to, you know, make sure that we've fixed is the safety aspect, which I'm guessing we'll probably talk quite a bit about on this podcast. That is that we wanted to make sure that the output is correct upon compilation. And there's a thing out there called formal verification, which mathematically guarantees that the output is correct. But traditionally, you know, Runtime Verification, many companies out there that formally verify will spend time generating an entire model to actually prove that the actual code is correct, and they have to develop this all out by hand. It's very expensive, it's very time consuming, and it really requires the developer after it's done to maintain a spec and maintain their code at the same time. So it's super important, but traditional developers really don't know how to do that. But what Reach does is it automatically formally verifies, generates the formal proofs through the compilation process. So it allows developers to just drop assertions into their code, and it mathematically proves that the code is correct, just through compilation. So we know that we made it so developers can actually build safer applications.

And the final thing that we did is we're unifying blockchain development. We've abstracted the actual blockchains themselves, the protocols themselves, away, and made it so that a developer can write the application and launch on any chain without having to change their code at all. You know, this is beneficial if a developer wants to launch their application on multiple chains, that's great, but that's not really the true value. The true value is that any developer can help any developer, no matter what chain they launch on. We already see in our community that Algorand developers are helping Ethereum developers, who are helping Cardano developers, and they don't know it. They're just answering questions, they're helping build these dapps, and they don't even ask where they're launching it, because it doesn't matter. And we removed that toxicity from the entire industry and unified it all under one banner, which is really exciting. So that's kind of why we're passionate about this, why we actually, you know, get up in the morning to work our asses off. But yeah, that's Reach in a nutshell. Jay, anything out of that?

You know, your original question that you asked was what makes Reach different, and I think that Chris touched on a lot of those things. So when you write a Reach program, you're programming at a different level of abstraction from, say, traditional Solidity development. If we take a typical Solidity program, the way that you think about it is you say: I'm going to have some particular state on the blockchain, and then what I'm going to do is write down a bunch of different methods that modify that state, and when you're writing these methods, you have to think about when you would like to enable those transitions to be allowed or not. This is what Chris meant when he said that you program at the level of the state machine, because essentially what you're doing is specifying the state of your contract, and then each one of the methods is basically like an arrow modifying that state. And a major problem that comes up is that you have to spend a lot of time trying to decide when to enable different...

...transitions. But your Solidity program doesn't actually say anything about what order these should happen in, what the people who actually use the program should be doing, and those things have to be recovered when you're doing a verification of a smart contract, because otherwise you'll just basically have to reason about every possible interleaving of all the methods, and that is infeasibly large, right, because it's an infinitely large space. You can't actually exhaustively explore all of them, so you're limited to doing something like bounded model checking. But when you write a Reach program, you actually include those details about what the endpoints do, and by specifying what the endpoints do, we, inside of the Reach compiler, can derive what the state of your program has to be and derive what state transitions should be possible, and then that's what you can build. So at a technical level, that is the key thing that's different.

I suppose that there's one other thing that's quite different between a programming language like Solidity and Reach, which is that in Reach, because we want to enable automatic verification, we need to remove features from the programming language that we can't dispatch without human intervention. So what that means is that, basically, there are some kinds of programs that you can't write, because we want to do automatic verification. So just as a little example of that, in Solidity you could write by hand a while loop that had a really complicated termination condition that you've thought about on paper or something like that, why it's going to terminate and why it's not going to have infinite gas costs.
But when you program in Reach, we limit the kinds of, you know, while loops that you can write to ones that we can guarantee will terminate. So it's just a tiny example of essentially a non-Turing-complete language, and kind of our hypothesis is that the vast majority of blockchain programs will fit inside of this restricted language, because of course the alternative is that you would submit a transaction that could use arbitrarily large amounts of gas. So by making the language be Turing incomplete in this way, we actually have predictable gas costs.

John had questions.

I got a lot. Yeah, I just, like, how's it going? So, you know, like, that's a bit of a, a challenge, I guess. Like, okay, you've got an active community, a combo between Algorand and Ethereum and even Cardano devs. Apparently there are some. But I think, I don't know, Solidity is like, so bad it's the best. Worse is better. It just keeps playing out, for lack of a better... like, you know, for better or worse, worse is better. So how are you going to overcome that initial traction of Solidity and just get the dev mindshare?

That's a great question, and we took a big risk. The big risk was that building an overall platform takes a lot of time, and takes a lot of time without actually getting the feedback from the user. So we took about a year and a half, a little over, a little over a year, to actually build out the Reach platform before we could even get any users. But as soon as we actually did and we opened the doors and launched our documentation, that was last September, since then we've grown by ten to twenty percent every single week. Last week alone, we added...

...fifty-four developers to our platform. This is not, you know, fifty-four community members. This is actually developers that are building and compiling applications.

And so how are you counting that, then? Like NPM installs or something?

So, no. What it is is that, because it's a compiler, you download the compiler from Docker, and we can track unique Docker IDs that download it.

Docker, sure.

And the way that it's done is that it doesn't actually go through that process unless you go through and compile your actual application. So we know that this is not people that just download it. This is people that are using it and actually being onboarded and building applications. So, weirdly, most of those developers are coming actually from those traditional developers. It's pretty surprising how easy it is to actually gain developers from the real world when you make it accessible. We're not pulling from the existing blockchain community, because, you know, it's a few thousand people. We're pulling from tens of millions of developers in the world, and they're coming in. And I mean, we're running a bounty hack program right now, and one of our participants is an eleven-year-old kid who has gone through the tutorial and is actually building a wager-based tic-tac-toe application that's fully decentralized. He's eleven years old. That's how we're actually growing: we've made blockchain development easy.

So you do formal verification on the language to make sure that what I write in Reach does what it's supposed to do and nothing else, or at least based on the assertions that I put into the code. How is that guarantee carried down into the compilation of a bunch of different languages, whether it be Ethereum, Algorand, Cardano? Those are all drastically different implementations of blockchain that have different footguns. How?
How are you taking the guarantees and making sure that the compilation process carries those guarantees all the way down into them being put onto some blockchain and the middleware around them?

Yeah. So the gold standard of doing something like this would be a verified compiler. So basically, what a verified compiler is is a theorem of the form: for all input programs, there exists an output program where the meaning of the input program is equal to the meaning of the output program. And you could write your compiler like this, and you would then know that the semantics of the input program was respected by the semantics of the output program. That's the gold standard. Pretty much the only compiler that exists that works this way is called CompCert. It's written in Coq, and it's a C compiler that targets... basically, its input is a subset of C and its output, I believe it targets ARM and x86 and some other microcontroller, I forget what it is, though. But anyways, that would be the gold standard.

For my PhD dissertation, I wrote such a verified compiler for a language that's very similar to Reach, where my input language was, you know, my unique language was called WWPPL, and the output language was OCaml, and so I used a semantics for OCaml to prove that it was a, you know, correct compiler. So anyway, that's sort of what the gold standard would be. We don't do that. We'd like to do that eventually, but we don't do that, and really nobody does that, because it's extremely difficult to do. The next best option is to do what you might call output validation. So the idea of output validation is that...

...rather than proving that all outputs are correct, you would prove only that the particular output that you were given was right. So in other words, rather than proving this for-all-exists, you would say that for this particular input to your program, we would prove that the output matches its semantics. That would be another good strategy to verify the result of a compiler, where what you could do is try to produce that proof automatically. Something like that is also on the roadmap, in the more medium term than the gold standard verified compiler.

What we do is we instead prove that your program in the Reach semantics satisfies its properties. And let me step back for a moment: what does verification mean in general? What verification means is that you have some property, which of course could be, you know, an "and" of a whole bunch of different properties, that you want to hold about your programs. You can think about that as a function P that takes a program and returns a proposition. And probably you're not proving the thing on the program, you're proving it on its meaning. So in other words, you would like to be able to prove that the meaning of your program has desirable qualities, and if you had a verified compiler, then when you proved this theorem on your program, you would also be proving it on the output program that ultimately ran. And so essentially, what we're doing is when we prove your program is correct, your Reach program is correct, we're not proving anything about the Reach compiler, about the output of the Reach compiler. We're not proving anything about what Solidity does, we're not proving anything about what the TEAL compiler does or what geth does, or anything like that.
So in that sense, the Reach compiler becomes part of your trusted computing base, in the same way that if you weren't going to use Reach, you know, Boost, LLVM, the Solidity compiler, web3, all of these things are in your trusted computing base. So we essentially have the same trusted computing base as normal application development, but we're proving something about the Reach program.

Now let me sort of compare this to something like Firefly, for instance. So Firefly is a tool that Runtime Verification provides for helping you prove things about Ethereum programs. Now, I am not an expert on exactly the techniques that Firefly is using, so it's possible that I will mischaracterize, and I apologize to anyone at Runtime Verification for me doing so. But the general way that it works is that they have another, different implementation of the EVM, and this other implementation of the EVM is embedded inside of the theorem proving tool that they use, the K Framework. And by having this other implementation of the EVM, it facilitates proving things directly about the bytecode. So in other words, whereas in Reach you're proving something about your input program, and you then have to trust the things that are downstream, if you were to use Firefly, what you would be doing is you don't have to trust Solidity, the Solidity compiler. Instead, what you do is you take the EVM code that comes out of Solidity, and then you prove something about that. Now, in the same way that I talked about before how Reach is at a different level of abstraction from Solidity, EVM bytecode is at a further lower level of abstraction from Solidity. So this is one of the reasons why it's very challenging to prove things,...

...prove useful properties about smart contracts if you're directly proving them about the bytecode. And, you know, kind of an analogy for traditional computer science and programming, right: if you want to prove something about an algorithm, you'd like to focus on things like, oh well, you know, this value must always be in this set. But of course, when this actually gets implemented in, let's say, a C library, you're not reasoning any longer about values being inside of sets. You're reasoning about whether or not a particular algorithm for searching, let's say, a red-black tree will return true. And if you were to prove something about the underlying assembly, you're not even reasoning anymore about searching red-black trees. Instead you're just saying, suppose I had this soup of memory. Would I be able to prove something about the way that all the pointers in this heap are structured? And so every time you go down a level of abstraction, the demands on doing verification become much, much harder. And essentially the thing that's wonderful about the Firefly tool is that it has a lot of machinery built in for reasoning about those extremely low-level programs of EVM bytecode directly, and it's kind of miraculous that it's possible for people to make any conclusions about what their program does. So anyway.
So that was kind of a long explanation for, you know, what the formal verification landscape is like. And, you know, to go back to the beginning, Reach is part of your trusted computing base for now, and we have multiple plans for how to extend the guarantees about Reach programs to the actual compilation output, whether that is a for-all-exists theorem that we can do once and for all, or, in the short run, doing output validation.

So, to try to rephrase a little bit: you're making sure the developer is capable of understanding that what he's writing does what he's supposed to, what he thinks it does, at least within the language he's writing in, and then y'all, the experts, will spend time making sure that the rest of it can also be proven as best as it can be, depending on where it's being deployed. And like you said, the further you get to, like, bits on a machine, the more difficult it is to prove things and the more it requires expertise, which isn't something you typically want programmers building applications to spend all their time doing, or thinking about for that matter. And you set yourself up, at least, for developers to get started quickly, making it easier to understand more about what they're writing, and a future of slowly making sure that what they're writing is more and more secure depending upon where it's getting deployed. Is that a reasonable high-level summary of what you just said?

Yeah, I think that's great, and I think that it's useful to emphasize that because Reach does automatic verification, this means that there's no intervention on the part of the user whatsoever in directing the theorem prover about how it's going to do something. So we don't ask them to choose strategies. We don't ask them to...

Add assertions?

Yes, the thing about the assertions is, the assertions are telling it what to prove, not telling it how to prove it.
Many theorem provers, even ones that are quasi-automated, like ACL2, what they require you to do is you would state a theorem and then you would say, prove this theorem using this strategy, or maybe using this induction scheme. And we don't require anything like that. And so instead, one of the things that we try to do is make it so that the theorems that you want to prove about your program are always expressed in terms of the program itself, meaning that you can imagine that when you write a Reach program, all you do is write the...

...normal program that you would write, and you would add assertions just like you would add them if you were writing, you know, a normal runtime program, where, if you had an assumption, you would put that assumption in your program. And this is sort of standard practice for good software engineers, where they take their assumptions and they encode them. But of course, when that's compiled, traditionally those assertions become runtime checks, but what we do is we dispatch them at compile time. So by explaining things in terms of the variables in the program and what the program is doing, we lowered the barrier to entry to doing verification.

As an example, this eleven-year-old kid that Chris mentioned earlier, him and I were talking earlier today about how to prove one of the theorems in his program, and he basically had this situation where he assumed that a variable was related to another variable, but actually they had independent origins. So he just had to make sure that he computed the first one as a function... sorry, the second one as a function of the first one, and once you do this they're now attached, and so the theorem prover can reason about them automatically. So they're sort of simple program-like ideas that you can use to understand if your program's right in Reach, as opposed to theorem-proving logic ideas that you have to bring in. So there's no additional expertise that's required, and that's kind of the key point.

So you're basically saying you just have to instrument your code with assertions and proofs are generated from that.

Yeah. So let's step back a moment: what is the point of formal verification? The point of formal verification is to know that your program is the program that you hoped it to be. So you come up to a problem and you have in mind some pre-existing solution. This is kind of an important thing about programming, right? Programming is not a problem-solving discipline. Programming is about encoding automated solutions to problems that you already discovered separate from the programming process. So when you walk up to your keyboard, you already have a solution, and what you're trying to do is write that solution down in a way that is automated. Now, what you would like is to know that the program that you wrote actually is the thing that was in your brain before you started programming. And all verification can do is say if two things are equal. Sometimes it doesn't say if one's equal, it'll say if one is contained inside of another one. As an example of this... actually, let me stop before the example. So what that means is that the only way that a verifier can do anything useful is if it gets you to write your program twice. First you write your program, and then second you write the specification of what your program is supposed to do, or, you know, maybe not really first or second, but you write, Youer Thalmo for love. Doing this too asked John.

Well, the thing is that one of the key tools of good verification is to trick the user into writing their program twice without them realizing it. So as an example of this, when you write a Java program, you are writing two separate programs. You're writing the program once in the values and you're writing the program again in the types. Now, the types, when you write in the Java program, they don't contain all of the information about what your program does. For instance, you'll write, like, oh, f is a function that takes two integers and returns a third integer. That doesn't say that it's supposed to return five when you give it two and three. It just says that if you give it two integers, a third integer comes out,...

...and so when the Java verification engine, which we just call the Java type system, runs, what it does is it makes sure that the value program that you wrote is inside, meaning that its behavior is permissible by, the type Java program that you wrote. And as a type system gets more precise, then it becomes more like a formal verification engine, and what formal verification does is it allows you a way of writing down that specification.

Okay. So now, when we talk about Reach, if you just write your Reach program and there are no assertions in it at all, at a first glance that means that you didn't write down a specification, so the Reach verification does nothing, because you didn't tell it what else you were supposed to do. Now, existing traditional programmers are already used to the idea that they should write down their assumptions about what values variables in the program have as assertions, and they think about those as being things that happen at runtime. But if they write them down in Reach, they now just wrote down a specification, because while those things are useful in sort of normal programming to prevent you from going off the rails, they are a way of getting the specification out of the head of the programmer.

I would, you know, argue, before you keep going, that what you're talking about when you say programming is more like traditional programming and not like what I think the colloquial term for programming is, which is more like scripting. Maybe it's because I come from a Fortran background, and so you specify everything. "implicit none" is the first line of every single Fortran program, and there are similar constructs for other languages, and so you have to kind of define memory access, the bounds in which things can go, et cetera, et cetera. Modern-day programming, especially on models like JavaScript, did not have that concept when learning how to program. And I think what's important is trying to get back to that concept of teaching people, when writing things that deal with money, a.k.a. blockchain, they should be thinking about these things ahead of time, and a language like Reach that kind of really pushes you in the direction of doing this and gives you a lot of benefits for doing it is a generally good thing.

I think I agree with you, although I would say that Reach is more dynamic than you might be thinking.

So I've been playing around with it. It's very JavaScript-y.

Exactly. So if I were to listen to what you said, you might get the impression that, oh, when you write a Reach program, you have to declare ahead of time that I'm going to use these ten variables and they have these types and all this sort of thing. But actually Reach doesn't work that way. It's more like it infers things about what your program does. And kind of a way to think about this is, take JavaScript, for instance, or Python. You don't need to, let's say, declare the types of variables, because the language implementation is sound, meaning that right before it's going to do something dangerous, it will generate a check to make sure that, am I about to add a number and a string? If I am going to do that, then throw an error. So essentially the way that Reach works is that we do almost the same thing, except that rather than generating a runtime check that says, is this thing the right kind of value, we actually generate a new formal verification claim that that thing is the right value. And so what this means is that even if your program actually contains no assertions, Reach will generate assertions for you based on what the program does, and we do these for things that are normal programming things, like adding two...

...values, making sure that they're both numbers, or things like going outside of array accesses, we'll, you know, double check that it's within bounds, and that is a static check, not a runtime check. But also, because it deals with money, we can do things that are sort of unique to the domain of smart contracts. An example of this is like the linearity property that says that when tokens go into a contract, they have to be used exactly once, meaning that they cannot be used twice and they can't be used not at all, because if they were not used, then that means that the program would end and then the values would be locked away and you wouldn't be able to access them anymore. So that's a property that is a general one that should apply to all blockchain programs that you don't need to write down when you use Reach, because we can generate that automatically. As an analogy, you know, you wouldn't need to write down that you don't want to have null pointer exceptions when you write a C program. We just know that no C programs want to have null pointer exceptions, and so once we know that, we can generate this proof, this thing, automatically. So the way that I think about it is that if you don't know anything about formal verification, you don't know anything about, like, quote, you know, serious software development, then you can write a Reach program that does something quite useful, and some properties will be generated automatically for you, and, as you learn more, you can take those ideas and put them into practice using the Reach compiler. Another thing that I think is appropriate to talk about right here is like the role of audits, like what audits are really doing. There's, I think, before we go on, because that's like, that's a whole huge... Sure. Let me just, few people talk to auditors all the time. Yeah, that's like... I think we should try to recap that a little bit, so I'm gonna try to put some of my intuition of what you've said.
It sounds to me like, if you imagine that, you know, you can write a JavaScript program or you can write a TypeScript program, and just like that, JavaScript will do stuff that's useful, with zero type information provided intentionally or, like, implicitly. It sounds to me like the sort of free specification and verification comes from the typing. So, as you say, you know, you're like creating the value program, which I guess is the JavaScript, and then, when you add TypeScript, you are defining the types, which gives you all these, like, additional rules about what space, like, what states and, like, state space and values can and should be reachable. And so from within that, if you get your types right, you're getting a fair bit of safety, additional safety guarantees from that. Is that, like, rough, like, good enough? Yeah, that's a great analogy, because it helps you get that what type systems are doing is they're moving errors that would otherwise take place at run time and moving them to compile time. And which is why people hate strongly typed languages, because the compiler bullies them all day. But exactly. Well, and there's a good reason for that too, yeah, not for the bullying, but the hating, which is that, you know, we know that automated algorithms for reasoning are limited. Like, Gödel's incompleteness proof is exactly about this, that any time you have a proof system, there will be theorems that are true that you cannot prove. And so because of that, that means that any analysis that's sound is going to be incomplete. There are going to be good programs that it refuses to run, and the goal of program analysis is to make...

...it so that the set of complete programs is as large as possible. You want to try to make the analysis more and more powerful, so the kinds of programs that people actually want to write are ones that we can automatically reason about, but there will always be a time when you know that a program is right and your compiler will say, you're not allowed to run this program, if that compiler is backed up by any analysis tool. And that's what I was saying earlier about the way in which Reach is limiting, because you're programming with a safety net; it's more like you're programming with a helicopter parent. You know, there are programs that it's just going to not let you do, even though, Mom, I know that it'll be fine. And in situations like that, you know, you either need to decide whether or not you want to be purely on the straight and narrow or whether you want to live dangerously and have your Reach program interact with a program, you know, directly written in Solidity or assembly or whatever. Yeah. I think that that was a good summary. Yeah, great, great, and I wanted to... I thought, like, I also thought your example of, you know, put really into Solidity, I think there's like a kind of a bug, like, I like your example of basically, like, these amounts that kind of, they all need to add up at the same time, right? So, like, there are, it's like a fairly common bug where, like, you can get token inflation, where the total supply value in the token does not increase whatsoever, but somebody can send a token to them, so they have five tokens, they can send that token to themselves and they have ten tokens all of a sudden, because the token wasn't doing the accounting properly. So it sounds like you're saying that that's just not going to happen in a Reach language or a Reach implementation. Yeah.
That would be an example of a property that would be automatically taken care of, because we can, because we know that everybody wants the linearity property, and so because we know that, we automatically include that. Can I get out of it if I want to, for some reason? You couldn't get out of it exactly, but what you could do is, like, think of it like this. What is a token? A token is, like, when you think about it in terms of, like, the data structures, there's a hash table that takes addresses to balances. That means it's a ledger, right? A ledger is this mapping. And if I hold those assets, then that means that what I want to do is I want to give you the ability to remove them from the contract. So that means that I'm going to transfer away from me something based on what was in your cell in the hash table. And so if you wanted to get around this and not enforce this linearity, then essentially what you would have to do is you'd have to say that your balance is ten, but you actually can only get access to five of them. So you would have to program it in such a way where you said, I'm going to keep in my database that you have ten, but when it comes time to send them out, then it may fail. So basically, it's sort of like, me as, like, the Reach expert, I can imagine a way that you could probably do this. It's not going to actually make it so that you can get things that you shouldn't. What it's just going to do is it's going to force the Reach compiler to allow you to make a run time error rather than a compile time error. That's really the way to think about this. It doesn't prevent you necessarily from doing something; it gives you the tool of...

...detecting that that bad thing would happen at compile time and refusing to let you run. So if you meticulously plumbed it, you could make it so that at the very last moment you would see, aha, I can't do it, and then Reach is going to force you to not actually do the transfer, but you can delay up until that point. It's kind of like forcing weird behavior to have a larger domain expertise of what he's doing, or she's doing. Yeah, I agree with that. That's pretty cool. You built something in Reach. I made, I made an application, Reach says it does what I think it does. What am I deploying? Because, like, I think what's kind of lost in the conversation so far is that it's not just smart contracts. It's all of the things in between, too, and so that's quite a bit of stuff, depending upon the complexity of what I'm building. Also, hosting infrastructure for where these myriad of things live is pretty broad, depending upon what I'm building. How does that work in Reach? Like, where do these things go? Yeah, so I'll talk about what we're doing now and then I'll allude to what we're doing in the future, and Chris maybe will comment more on what we're doing in the future. So, right now, when you compile your Reach program, you don't just get a smart contract, because, you know, Reach is not a smart contract programming language, it's a DApp programming language, meaning that when you write your Reach program, you are saying what the individual endpoints do. And thus, like, take something like Uniswap. Uniswap involves liquidity providers and it involves traders. So the Reach program that is Uniswap, like the, you know, automated market maker, it doesn't say, here's the logic for making a pool and here are the allowable transitions.
Instead, what it does is it says a liquidity provider can come along and they can decide to do a deposit, and after they decide to do a deposit, they can decide to do more deposits or decide to do a withdrawal, and separately a trader can come in, and when there is something in the pool, they can send in a trade, and then they can make that trade. And so from these descriptions of what the individual participants do, we can derive what the smart contract is, but we also have the specification about what a trader is and what a liquidity provider is. So when you compile your Reach program, you get a middleware layer, a back end that drives a particular liquidity provider using this contract, and you also get another program for a particular trader. Now, these programs use the Reach SDK, which abstracts away the details of the underlying networks. So, you know, it basically allows you to have like a uniform way of programming using Algorand and Ethereum and, you know, future chains that we'll support. And then you can take that middleware program and you can write a front end for it. So you could write a user interface, you know, using React or any other JavaScript library. You could write a front end in another language like Python and Go, because we have a way of allowing you to write those front ends not in JavaScript. Or you could write an automated front end that was like a test suite, basically, that, like, automatically drove your application. And if you go, you know, look at the documentation, basically, the first big part of it is about writing an automated one, and then we say, oh, here's, you could write a command line, you know, user interface, and then here's, you can make a web interface. But now suppose that you did that and, like, now you want to, quote, launch. Like, what do you do after that?
Well, what you could do is you could take your web interface and, you know, put it in an S3 bucket, and then people can go to a website, and then now you've launched your application, because your application embeds, inside of it, interacting with a smart contract...

...deploying it, launching it, and people can go to your... So you can make it so that your application, your web application, drives the entire process. Similarly, if you wanted, you could take your backend and embed it inside of an iOS app, and then you could build a front end inside of your iOS app that contacts that and drives the creation and interaction with the smart contract directly from the app. No one's actually done this, by the way, with the iOS app yet, but in principle, it's possible to do that. So anyway, that's what you get when you compile your Reach program, and Reach does not mandate any particular deployment strategy. We provide you with those tools. I think the main thing that Reach does in this regard right now that's, you know, nice and automated is that it provides a Dockerized infrastructure for you to run your automated test programs. So, basically, when you write a Reach program, you know, you can compile it and get these artifacts, but you can also use our command line tool or VS Code extension to run your Reach program, and what that does is it will launch a custom devnet for whatever chain you want to test on, and it will run your test program against them, so you can make sure that they work correctly. In the long run, one of the things that we would like to do is provide a, you know, a Heroku-style service where we can help people launch their applications. But if we want to talk more about that, I think that, you know, Chris can comment on that. Yeah, there is, there's a lot of ways that we're actually going to be monetizing this in the near future, but right now our main focus is all about traction and getting this in the hands of many, many developers. I mean, it would be a long podcast all by itself of the ways we're going to actually monetize, but so, yeah. All right, great. That helps clear up a lot of the murkiness that I currently felt about, kind of, cool,
I wrote something, now what do I do, because I have to deal with infrastructure a lot and how these things interact and so on and so forth. For those who are interested, you've mentioned it a few times, but explicitly, what, like, backends are you supporting, and what's on the horizon for future backends that people could deploy to? So currently we support the EVM, so anything, so Ethereum and any chain that has an EVM backend, and then Algorand, are both fully supported. We've recently partnered with Conflux as a strategic partnership to help us actually grow into China, because they put a lot of time and effort over there, so we have recently partnered with them. But at the end of the day our goal is to be able to be integrated with every major chain. This is not something that we're only picking, like, the top two or three. It's just that, at this point, we believe that between Ethereum, Algorand and Conflux we'll be able to actually hit our goal of sixteen thousand developers in the next eighteen months. So no need to actually add new chains until we actually deepen the amount of features that Reach itself provides, and at that point we'll start opening up to other chains. Again, John, you got anything? Really, the audit thing is hanging there. I think I'm just, like, curious what the comment is. I don't think we should really get into, like, open any conversation about it, but, you know, give you the opportunity to speak. Sure, yeah. So there are really great audits out there and there are poor audits out there, and many audits have the form of, I am really smart, I looked at this program...

...here are my comments about it. Sometimes an audit will say, I used these automated tools and I reasoned about the output and here's my advice about what to do about them. And an audit like that is something that is providing interpretation of automated tools that the authors of the program might not be able to do, and many of the automated tools that people currently use when they're analyzing and auditing smart contracts would not be necessary for Reach programs, because those checks are built in to Reach itself. Now, another aspect of auditing that's very valuable is when the auditor says, your program is supposed to be a program like this, and programs like that should really check this unique property of that particular thing. So, for example, you know, you might have the token linearity property, or if we were to think about traditional software development, maybe, like, if I am, quote, auditing a sorting routine, I'll be like, well, you know, sorting routines really should produce permutations of their input, and I noticed that your program didn't have an assertion that the output was a permutation of the input. And so what an audit can do is they can provide additional assertions that the programmer should have included. Now, when you're programming in an environment that doesn't already have the ability to do verification of its own, one of the things that happens is that the auditor will say, I thought of this assertion and I reasoned about whether it was right, and maybe I reasoned about whether it was right using automated tools or using the custom verification environment that I deploy in my audits. Now, if someone were to audit a Reach program, what they would be able to do is they would be able to say, you really should have put an assertion here, on line seventeen, or over here on line twenty, you should have put an assertion there. And basically, what this means is that the Reach compiler itself is an automated formal verification tool that auditors could use to be
the facility to check the assertions that they come up with. So I think that there is a role for those kinds of high quality audits, where someone would come up with the appropriate assertions that would increase confidence in the correctness of a program. And I think that, the same way that we currently look at smart contract developers and we say that it's good for them to do audits, doing an audit doesn't mean you're a bad smart contract developer. It just means that you are responsible and you're trying to go above and beyond what some people do. And so I think that it is totally appropriate, with that mindset, for high value Reach programs to go through audits of the same form, except that those audits would be in some ways easier to do, because the Reach compiler itself would be the verification tool that would be used to check the program. And the nice thing is that those assertions would then live inside of the Reach program in the future, as the program would be modified, so that the program wouldn't need to be continually audited over and over and over again. I want to add to that a little bit, based on what I've experienced using it and listening to you talk. In kind of the development process of writing a Reach program, you're kind of pushing the user to do a lot of things that we, as security engineers or people who do audits or have been experienced with audits, try and get developers to do before they even start programming. That's things like threat modeling, user stories, and risk analysis, and how these things interact, like how users access risk and whether or not that's a reasonable thing. And because you're programmatically talking about users in the process of writing a Reach program,...

...they're kind of doing that. And so, like, say, for instance, someone wrote a Reach program, they're able to extract in a lot of ways what the programmer thinks about all of the possible individuals that could interact with this program, how they interact, how they reach, how they access certain types of risk, and the compiler makes sure that what they've encoded does that. And then, like, as an auditor, I can take a look at, like, well, this is going to end up in a scenario that you may not have thought of; you put an assertion here to make sure that doesn't happen. I think that's what you just said, right? So, like, because you're thinking about, in the process of coding, the individuals who are doing things and how they interact with each other, you're actually codifying the communication and the interaction between individuals, and then extrapolating a lot of verification based on making sure that communication is proper, or, like, is done well by the code. You're getting a lot of the things auditors want developers to do, or, like, a lot of things that, like, the concept of a secure development lifecycle has, and a lot of other things that no one's actually doing. I agree with this. I just echo that. I think, like, yeah, the real thing I like is having it in the code, like, not separating the specification from the code, because, I mean, like, even just comments, like, I generally prefer not to have to go to, like, docs dot your protocol dot io. I really just, like, want lots of comments in the code. But then, you know, even better if it's code in the code that describes the code and, yeah, that does something. Yeah, also does something. So I very much agree, and I feel like, you know, in similar environments, people would say, oh, you know, you should do these things in your Java program, you should do these things in your C program, but there's very little payoff for doing that.
So it's like telling people to take their vitamins or, you know, exercise or something like that. We all know it's a good idea, but, you know, it's very hard to do it. And one of the nice things is that, because Reach also generates that backend layer, the reason that we generate the backend layer, or rather the only reason we can generate the backend layer, is because we have this information about the individual participants. So by actually doing something more for the user, we make it so that they produce those residual artifacts that are useful for the security verification. So, like, I feel like when I think about Reach, there are all these little components that, if you just focused on one of them, you know, it's kind of interesting, but I think the thing that makes it quite special is the way that they all kind of meld together. Like, we have this high level programming language that has a new model of blockchain, of DApp development, it's designed for something that total beginners can use, and it's paired with this, you know, verification language and the verification engine that's very full featured, and all of those things work together to produce this, you know, harmonious synthesis. Awesome. Chris, what's next? What's on the horizon? How do people figure out, learn more, get involved, try it out? Can you give the estimate on, like, how long it would take? So, you did this for your previous employee, but, like, shill yourself to our audience in a sense that, like, if you start using Reach now, you could deploy an application in x amount of weeks. One week is where we're kind of... so, I like to say it takes about two to eight hours to get through our tutorial, depending how deep you want to go down the rabbit hole of everything that we do, and a lot of people don't like to sit and just do that all in one day. So I like to say, you know, spread that over a week, and by the end of the week, our tutorial actually launches a formally verified wager-based...

...smart contract DApp that can launch on multiple different chains, and is very easy. You can get to our documentation at docs.reach.sh. As far as what is next, Jay and team are actually working very hard on rolling out more and more features so that we can build out and compile more different types of applications, but, like I said earlier, our goal, and actually it's showing pretty realistic at this point, is that in the next eighteen months we'll have sixteen thousand developers that actually go through the actual Reach tutorial and start building applications. All right, John, you got anything else? All right. Thanks for coming on the show, and best of luck, guys. I mean, I'll be looking further and further into it, because I like the concept of lowering the barrier to entry for secure development, and this seems to be it. Excellent. Thank you for having us. Thank you both.
