IO: Cardano High Assurance Technical Collaboration

Proposal as pdf: https://ipnso-com.ipns.dweb.link/?cid=QmQBhjELHaMKhYZjwuskHS9NRyvUdiGv69aK8C1H787c5A

Cardano's strongest differentiator is its focus on security and correctness, but the tools that deliver on that promise have so far been the domain of auditors and formal methods experts. This proposal lowers the barrier: it brings automated formal verification, and the full high-assurance toolkit, within reach of every Cardano developer.

Two workstreams deliver this. The first extends Blaster, IO's open-source automated formal verification tool, from single-script verification to full DApp-level verification. Blaster has already been used to prove correctness properties on production DApps including Djed and USDCx, and has received strong feedback from the Cardano developer community. Today, extending those results to an entire DApp requires manually decomposing properties and verifying each script in isolation. This proposal removes that manual work by automating verification at the DApp level. It also connects Blaster to four smart contract languages (Aiken, Pebble, Scalus, and Futura), so developers can invoke verification directly from their native toolchain. It delivers a VS Code extension with visual counterexample exploration and inline verification feedback, creates a Common Vulnerability Library with ready-made security templates for major DApp categories, and adds an equivalence checking tool that formally proves two UPLC programs are semantically identical, enabling safe and aggressive optimization. The second workstream delivers a Container-Based Developer Environment (CBDE) that packages the complete high-assurance toolkit into a single-command setup, compressing environment configuration from days into one click.

The outcome is a stronger foundation for everyone who depends on Cardano: DeFi users get DApps whose correctness has been mathematically proven, developers get tools that make high-assurance engineering practical, and the ecosystem gets a toolkit maintained collectively by multiple teams.

The work is structured as a technical collaboration: IO, Lantr, Harmonic Labs, SAIB, Midgard Labs, TxPipe, and No.Witness Labs each contribute defined components, distributing delivery and long-term maintenance across the ecosystem. Intersect administers funds via milestone-based disbursement with independent oversight, and unspent funds return to the Treasury.

Treasury Ask: ₳13,078,578

As an experienced Cardano smart contract developer, interested in software quality and correctness, I want access to automated formal verification tools and a fully pre-configured development environment, so that I can prove the correctness of my contracts and begin building in minutes, without becoming an expert in Nix configuration or formal methods.

Opportunity: The Cardano ecosystem has always positioned itself as the blockchain for serious applications: financial systems, identity management, DeFi protocols, and use cases where correctness is essential. Delivering on this promise depends on two capabilities that would benefit from further development to fully support the developer community.

First, the developer environments. Developers, including experienced engineers, spend significant time configuring the different tools and libraries they need before their first line of contract code. This becomes more pronounced in collaborative settings, where environment differences can lead to inconsistent behavior, failed tests, and deployment discrepancies. Improving access to the various high-assurance tools built by IO ensures that all developers can benefit from them.

Second, formal verification. Blaster, IO's automated formal verification tool for Lean 4, has already proven correctness properties for production DApps’ scripts, including Djed and USDCx, and demonstrated the ability to prove the absence of common Cardano vulnerabilities in a fully automated fashion.

Blaster is currently used primarily within IO and benefits from specialist expertise. The tool can currently operate on each individual script of a DApp. It is currently delivered as a CLI tool and will get a tight integration with the Plinth framework in Q3 2026. Modern developer experience relies on extensions or language server protocols, and the landscape of programming languages for Cardano smart contracts is ever-expanding.

Solution: This proposal funds two tightly complementary workstreams under the Cardano High Assurance umbrella.

1. Workstream 1 delivers Blaster as an open tool, extending it from single-contract to full DApp-level verification, making it compatible with four new smart contract languages, delivering a Visual Studio Code extension with visual counterexample exploration, and inlined information at the source code level, building a Common Vulnerability Library with pre-built property templates for major protocol categories, and delivering an equivalence checking tool that formally proves two UPLC programs are semantically identical. The work is structured as a technical collaboration: Lantr (Scalus), Harmonic Labs (Pebble), SAIB (Futura), Midgard Labs, IO (Aiken), No.Witness Labs and TxPipe (proof reconstruction and vulnerability library) each contribute to different components of the proposal, distributing delivery and long-term maintenance responsibilities across the ecosystem.
   
2. Workstream 2 delivers the Developer Environments for the High Assurance Toolkit. First, a single-command, pre-configured Container-Based Developer Environment (CBDE) that includes the complete Plinth toolchain (compilers, libraries, property-based testing, static analysis, formal verification, and profiling) at verified, compatible versions. CBDE becomes the unified hub for the entire High Assurance toolkit. Second, integrating the different IO’s High assurance tools into `cardano-init` if funded in Developer Experience proposal, with each tool's preconfiguration and templates for an easy start.

Why now: Blaster's 2025/26 cycle demonstrated that automated formal verification of a single Cardano smart contract is feasible at production scale, with the work on Djed and USDCx. A key technical aspect is that Blaster operates on Untyped Plutus Core (UPLC), the common compilation target of all Cardano smart contract languages, which means that investment in the verification core can support the broader ecosystem simultaneously. This creates an opportunity to extend to public infrastructure that supports unified alignment across ecosystem tools and workflows. On the developer experience side, setup complexity remains a measurable factor in developer onboarding. Reducing friction with CBDE for a fully packaged Plinth framework and with cardano-init for a more à la carte environment would help more developers progress from initial setup to deploying their first verified contract.

Ecosystem Collaboration: Lantr; Harmonic Labs; SAIB; Midgard Labs; TxPipe; No.Witness Labs

Proposed Value Delivered (Why)

Cardano's reputation for security and correctness is its primary differentiator for institutional adoption and high-value DeFi. Without accessible formal verification, DApps are delivered based on testing, auditor and manual reviews.

The automated formal verification tool for Cardano smart contracts, coupled with a set of predefined security properties and accessibility to most surface programming languages, means that every DApp and protocol will be able to achieve a level of assurance currently inaccessible without a significant budget.

An integration since the early phases of the developer journey in cardano-init means we’re capturing developers from the start, so that automated formal verification is a natural component of a DApp, and not an addition when the protocol has already been implemented. We will also deliver the formal verification of TWAG 1’s ready-to-audit examples, based on the defined Common security property library.

For users seeking the upper echelon of high assurance, a more reliable, controlled development environment through CBDE would support developer progression from initial setup to the first deployment of their verified protocol.

KPIs

Additional KPIs

Pillars

Deliverables & Roadmap

Resources

The outlined roadmap will be co-developed by engineers across Midgard Labs, No.Witness Labs, TxPipe, and IO. It will also fund and support integration across the system by organizations such as Harmonic Labs, Lantr, and SAIB

• Workstream 1 Blaster: Formal methods, Architect, Frontend, Software, and Product
  
• Workstream 2 CBDE: Site Reliability Engineering, Software, and Product

Budget

Total Treasury Ask: ₳13,078,578

• Workstream 1 Blaster: ₳10,112,037
  
• Workstream 2 CBDE: ₳2,966,541

Pricing Principles: IO is requesting funding in ada and has provided USD figures as a reference. A portion of the funding shall be specifically tied to demonstrating measurable impact on Cardano's KPIs and pillars

• Personnel & Delivery: Majority of costs needed to fund the delivery resources across both workstreams, including IO internal team members and technical collaboration partner contributions
  
• Ecosystem support, Audit, Assurance & Contingency: Leadership, ecosystem, and delivery to support execution and wider alignment. Independent work assurance and audits, plus contingency to account for complexities during execution

Risks

Additional Information

Known Limitations: Blaster proof reconstruction scope for this cycle is limited to the optimization and rewriting steps – Z3 proof reconstruction is planned for the future roadmap. CBDE V1.0 will deliver a pre-release (0.x) at the end of Q4 2026 for an initial user cohort; general availability is planned for Q2 2027. The intent layer for the equivalence checker is not required to be open and permissionless at this stage.

Benefit Dependencies: Community visibility and developer outreach are required to convert tool delivery into measurable MAU and KPI impact. Neither is funded within this proposal; coordination with the Developer Experience Initiative (CBU Proposal 1) and IO communications is required. Auditing firm participation in the Common Vulnerability Library is important for the library's credibility and adoption.

Release / Solution Readiness: CBDE 0.x pre-release: end of Q4 2026.
Blaster equivalence checking tool and VS Code Extension V1: Q4 2026.
Language integrations (Aiken, Pebble, Scalus, Futura): Q1/Q2 2027.
CBDE V1.0, VS Code Extension V2, DApp proof framework, proof reconstruction module, and Common Vulnerability Library: Q2 2027.
All AFV deliverables mainnet-ready.

Treasury Governance & Compliance

Contract Management

A written off-chain Legal Contract will be created between Input Output and the Cardano Development Holdings (CDH), as mandated by the Constitution, and will be administered by Intersect. This will include details of the project delivery schedule and dispute resolution.

Project Delivery

All milestones, acceptance criteria, payment amounts and expected delivery dates will be agreed between the Input Output and Intersect, acting on behalf of the CDH. Input Output will deliver according to the agreed-upon project schedule within the Legal Contract, of which the necessary information will be made public via the budget management platform via transaction metadata.

Defined by the milestones within a Legal Contract, Input Output will submit and attest milestone acceptance to the community, Intersect or 3rd Party Assurer.

Project progress will be monitored via Intersect's delivery assurance function which will be communicated to the community.

Acceptance of the work will be supported by a 3rd Party Assurer, who will be responsible for reviewing and signing off the work completed at each project milestone against the corresponding milestone deliverables detailed within the Legal Contract. This work is funded from a portion of this treasury withdrawal.

Auditable Accounts & Fund Delegation

Budget Management Tooling

To administrate treasury funds on-chain, Intersect will utilize the treasury management smart contract framework developed by Sundae Labs. The smart contracts have been extensively tested including audits from TxPipe and MLabs.

Final mainnet validation test can be seen via the Disburse action within transaction: 0f591dc544ae14102dbb4a74d5311a6acffc1772b163d8b7a9656b9525950b17

This withdrawal will utilise Intersect’s 2025 treasury reserve contract with address being: stake17xzc8pt7fgf0lc0x7eq6z7z6puhsxmzktna7dluahrj6g6ghh5qjr
Funds will later be migrated to a 2026 treasury reserve contract once established.

Budget Management Specifics

Intersect will utilize a single Treasury Reserve Smart Contract (TRSC), with many Project-Specific Smart Contracts (PSSC), managed by Intersect. Intersect's management consists of three 'admin' and two Intersect 'leadership' roles. An Oversight Committee consisting of five external, independent third-party entities will provide checks and balances on Intersect, and safeguard against errors and unilateral control. The administration of both TRSC and PSSCs will be managed by Intersect, with external oversight on certain actions from the Oversight Committee.

The 2025 TRSC Oversight Committee consists of Sundae Labs, Cardano Foundation, Dquadrant, Xerberus and NMKR. Their role is to independently verify key administrative actions using on-chain logic, ensuring accuracy and consistency without exercising discretion over governance decisions.

For all details on Intersect's configuration please see the Smart Contract Guide on the knowledgebase.

The high level permissions are as follows:

• TRSC Fund and PSSC Modify
  
  • Two of the three Intersect admins, two of the five trusted entities and one of the two Intersect leadership sign-off must authorize
    
• TRSC Disperse
  
  • Two of three Intersect admins, three of five trusted entities and two of two Intersect leadership sign-off must authorize
    
• TRSC Pause and Resume
  
  • Two of three Intersect admins, and one of two Intersect leadership sign-off must authorize
    
• TRSC Sweep
  
  • One of three Intersect admins, and one of two Intersect leadership sign-off must authorize
    
• TRSC Reorganize
  
  • Two of three Intersect admins and three of five trusted entities must authorize

Processes

Upon enactment of this governance action, funding for this project will be directed into the TRSC's stake account. All instances of TRSC and PSSC can not be staked with a SPO and will be delegated to the auto-abstain predefined DRep. From here funds will be withdrawn into a UTxO remaining at the TRSC.

When a 2026 TRSC is established, the funding for this project will be migrated via the ‘disburse’ action.

When the Legal contract is prepared and Input Output is ready, funding for this project will be transferred using the Fund action to a PSSC. All milestones will be outlined within the metadata.

A dashboard will be available for the community to audit the TRSC or PSSC and track metrics related to this withdrawn ada as well as being immutably verifiable on chain.

Funding Denomination

All amounts in this proposal are denominated in ada (₳). The total treasury ask is ₳13,078,578 USD figures ($3,138,859) are provided for reference only and are based on an ADA/USD rate of 0.24.

Refund Conditions

All funds not disbursed by the end of the delivery period will be returned to the Cardano Treasury. A final reconciliation will be published as part of the oversight reporting cycle. In the event of partial delivery or scope reduction, unspent funds associated with cancelled or reduced deliverables will be returned proportionally.

Prior Treasury Receipts

IO and its affiliated entities has been accountable for delivery of work funded by the Cardano Treasury. The total funds allocated has been ₳130,708,860 across a number of projects within Treasury Smart Contract, to date IOG has withdrawn ₳78,459,777.

**Note: for Catalyst this only reflects the workstream that focuses on the Hermes Infrastructure and UX/UI improvements, not the execution and operation of Funds 14-16. Per Info Action this is in the process of transitioning to Cardano Foundation.

Net Change Limit Compliance

The requested amount does not at time of submission, on its own or in aggregate, breach the applicable 350M Net Change Limit covering Epoch 613 to Epoch 713.

In accordance with the guardrail TREASURY-02a, this withdrawal does not exceed the NCL at the moment of submission.

Audit & Oversight

Audit and oversight costs are included within the overhead applied to this proposal. The Intersect administration fee covers administrative oversight and is reflected within the cost of this proposal. Independent oversight will be provided through Intersect and technically capable third-party, including reporting obligations and milestone-based disbursement controls.

Standardized Format & Immutable Hosting

Upon finalization, this proposal will be hosted on IPFS in an immutable format. The blake2b-256 hash of the document will be provided for on-chain reference and verification.