A couple of clarifications:<br /><br />&gt; the query itself is not subject to verification.<br /><br />There is no formal verification here: that is not the claim. The claim is that the given set of semantic rules are logically necessary and sufficient to specify block validity.<br /><br />&gt; The whole point is verifying implementation correctness. Calling it out of scope doesn't really solve the problem.<br /><br />It is not the point of this post; it is a set of larger goals that requires multiple preceding steps, of which this is one. Correctness can't be established if there is no description of what the correct behavior is. Any attempt at verification requires to first *separate intention from implementation*. That is what a semantic spec is for.<br /><br />Re the Hornet code enforcing spend ordering in a block, this is captured by S02, reworded for clarity to "MUST reference a preceding transaction output that remains unspent". That semantic rule is validated by the consensus function ValidateInputPrevoutsUnspent, which delegates to an abstract interface method UnspentOutputsView::QueryPrevoutsUnspent, whose contract respects the same semantics. Then Hornet's UTXO engine fulfills that interface contract on the data-layer side of the abstraction boundary. The behavior is by design to meet the semantic rule, and not a lurking side-effect. <br /><br />One could argue that S02 actually contains two semantic invariants: one regarding the ordering constraint, and one regarding the double-spend constraint. I'll give that some further consideration.<br /><br />I appreciate the engagement, and your historical examples are useful context for the road ahead.<br /><br />Best wishes,<br />T#<div class="gmail_quote"><div dir="auto" class="gmail_attr">On Saturday, 18 April 2026 at 19:11:19 UTC-7 er...@voskuil.org wrote:<br/></div><blockquote class="gmail_quote" style="margin: 0 0 0 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">&gt; &gt; It appears that Hornet is missing the rule prohibiting forward references
<br>&gt; within a block.
<br>&gt; 
<br>&gt; This is implied by Rule S02: &quot;A transaction input MUST reference a previous
<br>&gt; transaction output that remains unspent.&quot; However, to make it clearer, I will
<br>&gt; rewrite it as:
<br>&gt; 
<br>&gt; &quot;S02: A transaction input MUST reference a preceding transaction output that
<br>&gt; remains unspent.&quot;
<br>
<br>As I understand it, the rule in question:
<br>
<br>  // Returns success if every spending input in this block references an existing unspent output.
<br>  consensus::Result QueryPrevoutsUnspent(const protocol::Block&amp; block) const override {
<br>    Assert(&amp;block == joiner_-&gt;GetBlock().get());
<br>    if (!joiner_-&gt;WaitForQuery()) return consensus::Error::Spending_PrevoutNotUnspent;
<br>    return {};
<br>  }
<br>  
<br>can only fail if the query fails, and the query itself is not subject to verification. In this case the consensus rule is implemented as a side effect of the query (as it is in bitcoind), and the query itself is not subject to verification. I would consider this a missing rule from the perspective of verification. It is true that the store must provide fidelity in any case (what goes in must come out). That alone presents significant issues for verification. But at least it&#39;s straightforward to define. But in this case the query is not just returning outputs that have been stored in the block total ordering.
<br>
<br>The query is constructing a temporary map, accumulating block-internal spends into that map in a specific order, populating the results, and effectively enforcing the forward reference constraint as side effect of the population implementation. These outputs are not placed into the utxo store until after the block is validated. In other words, the consensus rule is evaluated entirely within the scope of the query; it is not a consequence of simple store fidelity, and is not a consequence of a verified rule. It&#39;s lurking in an unverified query. If another implementation was to populate prevouts differently (e.g., in parallel), and with full fidelity, the ordering constraint easily disappears and is not caught by verification. This has happened, and IIRC resulted in the loss of a block by a miner. This is the type of consensus break that verification presumes to preclude.
<br>
<br>&gt; &gt; Otherwise there are potential malleation issues to deal with depending on
<br>&gt; how blocks/headers are being managed. This can affect consensus behavior
<br>&gt; (via archival) while not showing up as an issue in these rules.
<br>&gt; 
<br>&gt; That would be an implementation correctness detail rather than part of a
<br>&gt; declarative spec.
<br>&gt; 
<br>&gt; The intention here is to specify what must be true for consensus validity rather
<br>&gt; than how it should be computed.
<br>
<br>The whole point is verifying implementation correctness. Calling it out of scope doesn&#39;t really solve the problem. Merkle root malleation has resulted in consensus failure (bitcoin core). Transaction deserialization has resulted in consensus failure (btcd). Store infidelity has resulted in consensus failure (bitcoind). Cryptographic library bugs have produced consensus bugs that were preemptively patched (openssl). These types of issues are more common in modern history than what one might consider &quot;rules&quot;. The so-called rules are actually much easier to deal with.
<br>
<br>Airing out some of these real difficulties has been worthwhile. In my experience people have an overly optimistic view of what can be achieved by both formal verification and the attempt to create a shared script implementation. I&#39;m hopeful, but I also try to stay grounded. I&#39;ll give further responses offline.
<br>
<br>Best,
<br>Eric
<br>
<br><a href="https://nvd.nist.gov/vuln/detail/CVE-2022-39389" target="_blank" rel="nofollow" data-saferedirecturl="https://www.google.com/url?hl=en-GB&amp;q=https://nvd.nist.gov/vuln/detail/CVE-2022-39389&amp;source=gmail&amp;ust=1776656972117000&amp;usg=AOvVaw02V2KUuUFGjmMiHkWQRBnB">https://nvd.nist.gov/vuln/detail/CVE-2022-39389</a>
<br><a href="https://nvd.nist.gov/vuln/detail/CVE-2012-2459" target="_blank" rel="nofollow" data-saferedirecturl="https://www.google.com/url?hl=en-GB&amp;q=https://nvd.nist.gov/vuln/detail/CVE-2012-2459&amp;source=gmail&amp;ust=1776656972117000&amp;usg=AOvVaw0U7ROlGLztUpq40gDOvpWy">https://nvd.nist.gov/vuln/detail/CVE-2012-2459</a>
<br><a href="https://nvd.nist.gov/vuln/detail/CVE-2013-3220" target="_blank" rel="nofollow" data-saferedirecturl="https://www.google.com/url?hl=en-GB&amp;q=https://nvd.nist.gov/vuln/detail/CVE-2013-3220&amp;source=gmail&amp;ust=1776656972117000&amp;usg=AOvVaw2RA1Mi2moq_hoiIULyVI3f">https://nvd.nist.gov/vuln/detail/CVE-2013-3220</a>
<br>
<br></blockquote></div>

<p></p>

-- <br />
You received this message because you are subscribed to the Google Groups &quot;Bitcoin Development Mailing List&quot; group.<br />
To unsubscribe from this group and stop receiving emails from it, send an email to <a href="mailto:bitcoindev+unsubscribe@googlegroups.com">bitcoindev+unsubscribe@googlegroups.com</a>.<br />
To view this discussion visit <a href="https://groups.google.com/d/msgid/bitcoindev/a673244b-c76b-40c7-bad3-6afa2cac18e7n%40googlegroups.com?utm_medium=email&utm_source=footer">https://groups.google.com/d/msgid/bitcoindev/a673244b-c76b-40c7-bad3-6afa2cac18e7n%40googlegroups.com</a>.<br />