Cardano smart contract developers now have access to an automated end-to-end formal verification pipeline built around Lean 4 and Blaster, Input Output said in a May 12 blog post authored by Romain Soulat. The work, delivered by IO’s Cardano High Assurance team in collaboration with its formal methods team, is aimed at making machine-checked contract assurance usable for developers writing in Plinth, Aiken, Plutarch, and other languages that compile to Untyped Plutus Core.
Cardano Adds End-to-End Contract Verification
The new capability connects high-level Cardano smart contract development with automated mathematical verification. Developers can write a validator in Plinth, Aiken, or Plutarch, compile it to Untyped Plutus Core, import the compiled output into Lean 4, define the properties they want to check, and run Blaster against the contract’s actual execution model. IO described the release as the first time “the full chain from a high-level smart contract source language to a machine-checked property is open to Cardano developers.”
“The proof either goes through, or you get back a concrete script context that shows exactly where it does not. This is a new capability for the Cardano ecosystem, built by IO’s Cardano High Assurance team in close collaboration with the formal methods team.” The practical significance is that developers no longer need to create a separate abstract model of a contract before attempting formal verification; the workflow is designed to operate on the compiled contract artifact that Cardano uses.
IO framed the release as an accessibility improvement for assurance work that has historically required specialized formal methods expertise. “For the first time, Cardano smart contracts can be mathematically verified end-to-end, automatically. Developers can confirm their contracts behave correctly using the languages they already work with. This expands what’s possible for developer assurance on Cardano.” The tools are open source on GitHub and are ready for use, with development continuing under the Cardano High Assurance initiative and its 2026 proposal.
Lean 4 Libraries Bring Blaster Into Workflows
The pipeline depends on two new Lean 4 formalizations: PlutusCoreBlaster and CardanoLedgerAPIBlaster. PlutusCoreBlaster formalizes Plutus Core, the language that runs on Cardano, including machine-checked definitions of built-in functions such as integer and bytestring arithmetic, string operations, booleans, lists, pairs, and the universal Data type. It also includes a full model of Untyped Plutus Core, CEK machines with step counting and cost-model integration, and support for Plutus serialization formats including CBOR and hex encoding.
“Any UPLC program can be imported from textual UPLC, CBOR, double CBOR, and other supported formats, with correctness theorems written against its actual execution. A second major component is the standalone Cryptograph library, which formalizes the cryptographic primitives Plutus exposes as built-ins.” IO said the Cryptograph library covers hash functions including SHA-256, SHA-512, SHA3-256, Blake2b-224, Blake2b-256, Keccak-256, and RIPEMD-160, with NIST-sourced test vectors, as well as Secp256k1 and Ed25519 signature verification components. The implementation passes all listed conformance tests, excluding newly added types and built-ins that remain work in progress.
CardanoLedgerAPIBlaster provides the other half of the verification path by modeling the Cardano Ledger API visible to Plutus validators at execution time. The library covers V1, V2, and V3 API generations and defines ledger types including addresses, staking credentials, multi-asset Value, TxInfo, ScriptContext, ScriptPurpose, POSIX time ranges, and certificate types. “At the heart of the library sits a set of decidable boolean predicates that encode the Cardano ledger’s validation rules: a runnable formal specification of what the ledger accepts. We did not reimplement the Agda specification, but the one used by the node, since some design choices made there enable script optimizations. Capturing those was essential for avoiding spurious counterexamples.”
IO tested the full pipeline using Invariant0’s Capture-the-Flag nft_sell contract, importing it from UPLC, formalizing its specification, expressing properties in Lean 4, and running Blaster. The prover generated a complete ledger-rules-compliant script context showing a double-satisfaction pattern, demonstrating the workflow from compiled contract to formal property and concrete counterexample. “The path from source code to verified property is now a single sequence: write your validator in Plinth, Aiken, or Plutarch, compile it, import the resulting UPLC into Lean 4, state your properties, and run Blaster.”
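To make "double-satisfaction pattern" and "concrete counterexample" tangible, the following added example (not code from IO, Invariant0, or the nft_sell contract) runs a bounded exhaustive search over a constructed toy model of a sale validator. It uses neither UPLC, Lean 4, nor Blaster, and a bounded search is not a proof; the listing and output shapes, the seller name, and both validator functions are assumptions made for illustration.

```python
from itertools import product

# Toy model (constructed): a listing is (seller, price); an output is
# (address, lovelace, tag), where tag names the listing index it pays for.

def paid_naive(idx, listing, outputs):
    """Accept if any output pays the seller at least the price (idx is ignored)."""
    seller, price = listing
    return any(a == seller and v >= price for a, v, _ in outputs)

def paid_tagged(idx, listing, outputs):
    """Accept only an output that is tagged with this listing's own index."""
    seller, price = listing
    return any(a == seller and v >= price and t == idx for a, v, t in outputs)

def property_holds(inputs, outputs):
    """Each seller receives at least the summed price of their spent listings."""
    for seller in {s for s, _ in inputs}:
        owed = sum(p for s, p in inputs if s == seller)
        got = sum(v for a, v, _ in outputs if a == seller)
        if got < owed:
            return False
    return True

def find_counterexample(validator, max_inputs=2, max_outputs=2):
    """Return the first small transaction every validator run accepts but
    which violates the property, or None if none exists within the bounds."""
    listings = [("alice", p) for p in (5, 10)]
    outs = [("alice", v, t) for v in (5, 10, 15) for t in (None, 0, 1)]
    for n in range(1, max_inputs + 1):
        for inputs in product(listings, repeat=n):
            for m in range(max_outputs + 1):
                for outputs in product(outs, repeat=m):
                    accepted = all(validator(i, l, outputs)
                                   for i, l in enumerate(inputs))
                    if accepted and not property_holds(inputs, outputs):
                        return inputs, outputs
    return None

if __name__ == "__main__":
    print("naive :", find_counterexample(paid_naive))
    print("tagged:", find_counterexample(paid_tagged))
```

The naive validator yields a transaction that spends two listings while paying the seller once, which is the shape of result the article describes Blaster returning as a script context; the tagged variant has no counterexample within these bounds.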
The release moves Cardano’s formal methods tooling closer to everyday development practice by linking contract source workflows, compiled UPLC, ledger validation rules, and automated theorem proving in a single path. IO said scalability work and feature coverage will continue as new Plutus capabilities are added, while the current libraries already allow Cardano developers to bring Blaster-based verification directly into Plinth, Aiken, and Plutarch contract workflows.
AI Transparency Note: This article was prepared with the assistance of an AI system based on the sources listed and was reviewed, edited, and approved by a human editor before publication. All quotes, data points, and factual claims are intended to be grounded in the cited source material; however, errors cannot be ruled out entirely.

