This project contains TLA+ specifications to model and check safety and correctness properties of a Wormhole node processing VAAs.
Models a very simple system with:
- broadcasting a VAA
- storing it
- redeeming it
- node crash / restart behavior
It checks that the system never reaches a state where a VAA is:
- broadcast
- not stored
- but redeemed anyway
Models a more detailed Wormhole node with:
- guardian signatures
- quorum logic
- gossip capacity
- memory vs persistent storage
- crash and recovery
- vulnerable vs correct behavior paths
It includes safety invariants and basic liveness checks, such as:
- consistency between broadcast and storage
- durability across crashes
- memory matching persistent DB after recovery
- eventual broadcast and persistence
You can run using TLA+ Toolbox or the CLI.
- Open the
.tlafile - Create a model
- Set
Specas the specification - Add invariants / properties to check
- Run model checking
tlc2 BroadcastStorage.tla
or
tlc2 WormholeVAAProcessor.tla
- These specs are simplified models
- Designed for experimenting, debugging behavior, and checking safety assumptions