Journal of Systems Architecture 153 (2024) 103177

Contents lists available at ScienceDirect

Journal of Systems Architecture

journal homepage: www.elsevier.com/locate/sysarc

VelogCPS: A safe blockchain network for cyber–physical systems leveraging

block verifiers
Marisol García-Valls ∗, Alejandro M. Chirivella-Ciruelos
Departamento de Comunicaciones, Universitat Politècnica de València, Valencia, Spain

ARTICLE INFO ABSTRACT

Keywords: Non-functional requirements related to safety, security, and timeliness have made cyber–physical systems
Cyber physical system (CPS) initially reluctant to their integration with blockchain technology. Despite the multiple advantages of
IoT blockchain like improved data security and traceability, the main reasons that have slowed down its adoption
Blockchain
in CPS still remain. Examples of these are the inherent overhead of accessing the distributed ledger and the
Verification
security incidents that a number of blockchain networks have suffered since its inception. This paper presents
Block verifier
Smart contract
VelogCPS, a novel middleware that guarantees that logic and data managed by blockchain networks of cyber–
Authenticity physical systems are verified and generated by legitimate sources. Thus, VelogCPS avoids a kind of security
Security incidents that impact the authenticity and integrity of the logic and data managed in blockchain networks.
Safety By authenticity we refer to provenance authenticity of the involved smart contracts, i.e., the perfect matching
Real-time between the advertised source-code and the version deployed to the network. Our framework provides a safe
Time sensitive system blockchain network as it ensures that the entities that participate to a CPS use solely authentic logic. We do
Middleware this by leveraging block verifier services and enforcing them through the operation workflow. As a result, the
middleware guarantees that the participating entities use and share authentic logic. The proposed framework
is validated through its implementation on a real blockchain network, employing actual smart contract verifier
logic, and through the exhaustive analysis of the temporal behaviour and overhead of the major operations;
the obtained results ensure its utility for time-sensitive sytems like CPS and IoT.

1. Introduction
Constant improvement of hardware and software technology has
enabled the development of increasingly complex applications that
span across heterogeneous execution substrates and distinct domains.
Cyber–Physical Systems (CPS) are a kind of such complex systems. CPS
are abundant in the use of sensing and actuating equipment, comprising
highly heterogeneous hardware nodes running diverse logic, and they
may conform to complex software computational paradigms.
Cyber–physical systems merge the physical and cyber (computa-
tional) domains. This mixture gives birth to new applications that
express also new economic models arising in the emerging global
markets. This is the case of virtual marketplaces, distributed and global
supply chains, connected global eHealth, and demand-driven markets,
just to name a few. These new trends often imply a global cost and
revenue model over the basis of a cost-effective business structure.
As a realization of distributed ledger technology (DLT), blockchain
enables trust and decentralization in collaborative business models.
Though initially created for cryptocurrency transactions, blockchain
soon captured the attention of the scientific and engineering commu-
nity for a broad range of application domains, e.g., government [1],
IoT ecosystems [2], eHealth [3,4], voting [5], or industry [6]. Such
complex systems have proven to benefit from the emerging software
developments that support the realization of trusted, though decentral-
ized, processes that are intensive in data access and sharing. This is also
the case of CPS and IoT.
Though it has some amazing inherent benefits, blockchain technol-
ogy is not perfect. In deed, a number of attacks have successfully hit
some blockchain networks in the recent past. This has caused great
economic losses and trust erosion especially to those users belonging
to most critical domains. This is the case of the DAO (Distributed
Autonomous Organization) incident [7]; over three and a half million
Ether (the currency used in Ethereum [8]) were drained by a cyber-
attacker by exploiting a vulnerability of the system. Another paradig-
matic incident happened in 2017 with the Parity Wallet hack [9] that
was attacked in Ethereum, causing around 30 million USD loss.
These incidents have occurred because a number of factors may turn
smart contracts (their underlying software concept and building block)

∗ Corresponding author.
E-mail addresses: [email protected] (M. García-Valls), [email protected] (A.M. Chirivella-Ciruelos).

https://doi.org/10.1016/j.sysarc.2024.103177
Received 23 June 2023; Received in revised form 14 April 2024; Accepted 13 May 2024
Available online 18 May 2024
1383-7621/© 2024 The Author(s). Published by Elsevier B.V. This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-
nc-nd/4.0/).
M. García-Valls and A.M. Chirivella-Ciruelos
into vulnerable programs. A part from the potential vulnerabilities that
execution platforms such as EVM (Ethereum Virtual Machine) contain,
programming the source code of a smart contract in a clean, error-free
manner is a hard task. This job requires extensive training in the target
programming language. Introducing a single bug in the source code
may result in losses worth millions USD. Additionally, a blockchain
network does not guarantee smart contract authenticity per se. In fact,
cyberattackers may employ different techniques to break the one-to-one
association between an advertised smart contract and its corresponding
bytecode that runs in the blockchain network.
The global ledger of a blockchain network stores a number of
running smart contracts, ready to receive invocations from users. Users
can benefit from the functionality of the running smart contracts by
invoking their available functions. To be reachable by network par-
ticipants (i.e., users), smart contracts are advertised in some network
dashboard. By looking up in the dashboard, participants can find smart
contracts of interest and request the functionality that they provide.
The functionality of a smart contract is requested by invoking the
available functions that it contains. Nevertheless, if a successful attack
has occurred in the network, the running version of the involved smart
contract and its corresponding advertised source code may not be the
same. If both items (i.e., source code and running code) fully coincide,
then the smart contract is considered authentic.
In essence, smart contract authenticity [10] refers to the accredita-
tion as truthful and being a true reflection of the characteristics and
requirements that are advertised in the network dashboard. As a result,
verifying the authenticity of a smart contract is the process of checking
that a smart contract source code and the corresponding version that
runs on the global ledger are the same.
As a result, to achieve 100% certainty about the correctness of a
smart contract, it must be checked in a number of orthogonal plains.
On the one hand, they should be checked for errors in order to ensure
their correctness, that their execution is secure, and that their safety
properties (if any is required) are met. On the other hand, it is of
paramount importance that the authenticity of a running smart contract
is ensured in order for potential users to be safe when using it. As
mentioned before, we employ the term authenticity as explained in [10]:
Authenticity involves certainty about the smart contract provenance.
This implies that there must be a one to one relation between the
running version of the smart contract and the advertised source code.
As cyber–physical systems must comply to stringent safety and
security requirements, smart contract authenticity is an essential char-
acteristic in them. We address the complexity of cyber–physical systems
considering that they are conformed by a set of interconnected sub-
systems or participant entities/nodes, namely cells. Consequently, all
cells may require certainty about the authenticity of the data and logic
hosted in the distributed ledger prior to using them.
1.1. Attack model
We assume potential presence of malicious actors with the objec-
tive of intentionally altering the functionality offered by smart con-
tracts. Attackers may attempt to modify the executable version of a
smart contract that, when successful, appears transparent to the system
participants. Following, we explain how this may happen.
A smart contract is written in some high level programming lan-
guage. Examples of most commonly used languages for this purpose
are Solidity (the most popular one), Vyper, Yul, Cairo, or Rust. This
source code must eventually be compiled into bytecode, becoming an
executable program. Once the source code has been transformed into
an executable version, it can be deployed to the blockchain, and run
on some execution run-time environment like the Ethereum Virtual
Machine (EVM) [8] or Hyperledger Fabric [11].
As a result, there is a transformation of the original source code
version of a smart contract to an executable version. A successful attack
on the authenticity property of a smart contract yields two situations. On
2
Journal of Systems Architecture 153 (2024) 103177
the one hand, the dashboard could be attacked causing a modification
of the advertised code. On the other hand, the executable version may
be modified resulting in a different executable file being uploaded to
the distributed ledger. As a consequence of a successful attack, a user
cannot trust that the running version of a smart contract is exactly the
same as the advertised source-code version.
1.2. Contribution
Our work contributes to ensuring that only authentic logic is used
over the global operation space of the cells of a cyber–physical system.
For this, the involved pathways to ensuring authenticity in smart
contracts are analysed. The first one is related to the deployment of
bytecode to the network; and the second one relates to the process of
verifying the contract. For this, we design and develop a middleware
named VelogCPS that embeds verification of logic (i.e., the smart con-
tracts) hosted in CPS cells, achieving a solution that ensures that any
execution of a smart contract function is performed only if the running
logic is found to be authentic. The middleware leverages on block
verifiers for performing the verification tasks.
Providing trust to the cells in this way avoids using third party
regulatory agencies that would break the trust model of the blockchain.
VelogCPS middleware is designed as a modular intermediation point
that transparently grants access to legitimate logic. It does so without
altering the mechanisms of the blockchain substrate like block mining,
block validation, and network consensus.
This work does not address the verification of the correctness
of smart contracts for which formal verification techniques, source
code verification methods, and software analysis are employed. Such
techniques and methods have been long studied in the past, yielding
a large number of contributions on formal methods, model checking,
theorem proving, or run-time verification, that are out of the scope of
this paper.
1.3. Paper organization
The document is organized as follows. Section 2 describes the
context and related work. Section 3 describes the requirements for
the framework and the attack model. Section 4 provides a theoret-
ical and practical description of the framework that provides a safe
blockchain network for cyber-physical systems; VelogCPS middleware
is presented, describing its design, functionality, and programming
interface Section 5 validates the contribution through its implemen-
tation over an actual blockchain network, the design of a set of
experiments and their realization that shows the temporal behaviour
of the middleware, and the cost–benefit relation of the authenticity
assurance strategy. Eventually, Section 6 concludes by reviewing the
benefits of our approach.
2. Background
The introduction of the concept of smart contract has boosted the
power of DLT and blockchain as a technology to implement decentral-
ized applications (dApps). A smart contract is a program that runs in
the blockchain network and describes the terms of an agreement. A
smart contract stored in the distributed ledger runs automatically when
the terms are met, being capable of changing the state of the contract
itself and, therefore, of the global ledger. Once stored in the ledger,
the program logic is immutable.
A potential user of a smart contract has no means to know whether
a given running smart contract truthfully implements the source code
that the user has consulted. In an ideal network, this would have no
negative consequences. However, in a real context where attacks may
occur, this model needs to improve its security. As a consequence, the
blockchain technology community has realized the importance of smart
contract verification as a way to build trust between smart contract users
M. García-Valls and A.M. Chirivella-Ciruelos
and developers. In fact, it is the corner stone to build trust on advertised
smart contracts.
The use of the term verification connects the minds of the general
audience to formal verification techniques and software analysis. This
effect happens also when referring to verification in the context of
smart contracts. The reason is the still relative novelty of blockchain
technology and the scarce number of works on provenance verification
of smart contracts in blockchain networks.
However, formal verification and software analysis is orthogonal
to the domain of our work. Our work does not address source code
verification nor model checking techniques. The present work targets a
novel way of looking into the needs of cyber–physical systems that rely
on blockchain substrates and on the logic that is stored in them. Only
few works have been produced so far, including the development of
block verifiers that are later indicated in this section. Our contribution
leverages on these verifiers that are remote services offered to smart
contract developers to build trust on the provided functionality and
logic.
The existing block verifiers are nowadays still limited to offering
off-line smart contract verification that takes place at the initial phase
of the programming and advertising.
In this section, we survey both aspects: formal verification and soft-
ware analysis together with smart contract verification. Additionally,
and to better draw the overall context, we describe other areas of cre-
dential management and also works on construction of global operation
spaces. We anticipate a scarce number of works and technologies that
constitute the reduced background of our work, as explained above in
relation to its novelty.
2.1. Blockchain-based global operation spaces
In the recent years, a number of works have been released that
address the integration of blockchain technology with IoT applica-
tions [2] in some form. These are applied to a number of domains like
eHealth [3,4], agriculture [12], or electronic voting applications [5],
among many others.
On the usage of the blockchain as a global space, we find CoTwin
[13] that develops a global operation space for improving digital twin
models based on deep learning over a blockchain substrate; or [14] that
describes a model for document verification for government systems to
achieve decentralized sharing of authenticated government documents
across private bodies and organizations. A complementary approach is
presented in [15] that describes an automated credential verification
system based on the blockchain to handle academic certificates; the
system consists of a web app having a front-end for registering and
requesting verification, and a backend part with two functionalities like
an OCR module to collect certificate details and a blockchain module
to send and verify data that is located in the blockchain.
Targeting the construction of a global operation space, we find [16]
that describes a solution for document sharing; here, documents have
a unique hash key used to validate its authenticity.
In the area of control for cyber–physical systems and of autonomous
robotic devices, [17] describes a model to support verification of crit-
ical data shared and exchanged by nodes; it is architected through
the configuration of discrete multiple-valued logic to provide data
protection against illegitimate modification attempts.
In the field of manufacturing and production, [18] conceptualizes
the interaction in the supply chain among partners, defining validation
rules for transactions and providing trust.
Though still far, the above have been found to be the closest to our
target system in the sense that they attempt to provide a global opera-
tion space where the managed data objects are trusted. To the best of
our knowledge, there is no contribution that provides a means to ensure
that the logic deployed to, and executed from, a blockchain-enabled
global space is authentic at all times. To illustrate this statement, most
related works have been identified as representatives of this kind.
3
Journal of Systems Architecture 153 (2024) 103177
2.2. Smart contract verification services
This section presents the set of contributions most related to our
work that use 4 same meaning for smart contract verification [10] as
the one used in our approach. After surveying the research landscape,
the scarce research works that have been found are limited to block
verifiers (a.k.a verification services) and a few others to analysing their
behaviour and vulnerabilities.
Block verifiers should not be confused with block validators. The
latter are mandatory participants in a network because they are in
charge of validating the correctness of the block mining process.
However, block verifiers are a later add-on that is optional to a
blockchain network. Block verifiers have appeared given the progres-
sive growth of the number of available smart contracts on the public
networks. A running smart contract can be used by anyone in a public
network, but using it is (in the end) a matter of trust since its bytecode
cannot be read. A block verifier is a service that answers the question
of whether the source code of an executable version of a smart contract
matches exactly a given (other) source code. Provenance authenticity
is a real challenge in cyber–physical systems because the trustability of
the logic contributed by all cells must be guaranteed. As a consequence,
we believe that the process of block verification (or smart contract
verification) has to be present in a complex cell-based system.
Currently, only some external platforms exist for verification of
smart contracts like Tenderly [19], Sourcify [20], Blocksout [21],
or Etherscan [22], among others. These platforms provide an own
dashboard containing the set of smart contracts that have obtained a
verification seal. However, this process is decoupled from the usage of
the particular blockchain that might have been configured.
The design and development of solutions to improve the block
verification schemes opens a wide research space. As indicated in [23],
the community is just starting to learn about a few types of vulner-
abilities that affect some smart contract verification services which
can break the verification; this results into spreading malicious smart
contracts. The work of [23] is the most relevant on the literature about
the vulnerabilities of block verifiers. They propose a set of security
properties to be satisfied by block verifiers and identify the types
of potential vulnerabilities that can break the verification when the
security properties are violated. The difference with respect to our
present contribution is that the work is a security analysis of Ethereum
smart contract services, precisely for Etherscan [22], Sourcify [20], and
Blockscout [21]. Our contribution does not focus on the identification
of security issues inside block verifiers. We leverage on block verifiers
to provide a framework that transparently ensures cells that they are
using authentic logic. For this, we assume that the verification process
of the block verifier entities is not broken.
In a previous work [24], we have used block verifiers through the
instrumentation of the Hardhat [25] plain scripting facilities to deploy
smart contracts on public blockchain networks. We had engineered a
scheme to automate smart contract verification tries and assess the
interaction with some of the major block verifiers. To the best of our
knowledge, this has been among the first published works on the initial
determination of the temporal characteristics of block verifiers and
their usability for smart contract verification. We extended this work
in [10] where we designed a middleware to automate the deployment
of smart contracts on real networks. However, that work focused solely
on the assessment of the temporal behaviour of the verification process.
In the present contribution, we substantially improve our previous
works by designing a middleware framework targeted at cells that
work cooperatively against a shared space based on blockchain tech-
nology. With the knowledge gained in [10], we design a framework
that transparently checks the logic requested by cells and ensures that
it is authentic. When a cell wishes to use a given logic, it does so
through our framework VelogCPS. The framework performs the needed
operations to determine whether the logic has been previously verified.
It only allows the cell to use a logic if it has been verified or if
M. García-Valls and A.M. Chirivella-Ciruelos
VelogCPS can verify it on-the-fly without detecting any authenticity
breach during the process. This is a large step forward because if a
cell ecosystem within a cyber–physical system uses VelogCPS, it will
be guaranteed that the logic used in this ecosystem is authentic. This
means that the logic provenance is the expected one, i.e., it comes from
a legitimate source.
2.3. Software analysis
From a software analysis perspective, verification refers to checking
the correctness of a smart contract; this consists of determining whether
the programmed logic adheres to the initial specifications. Also, it
implies the determination of whether the possible executions of the
contract produce the expected behaviour and outcome.
There are two main ways to achieve the needed certainty level. On
the one hand, formal verification techniques (that are based on math-
ematical methods) enable the determination of predefined properties
of the model. For example, a given output value is one from the
expected set of valid values. On the other hand, source code verification
techniques ensure that the programmed code is correct; e.g., absence
of attempts to access undefined memory positions, or absence of race
conditions, among others.
A considerable number of vulnerabilities in smart contracts are
caused by lack of coding proficiency that results in the introduction
of code bugs. In a blockchain network, it is not possible to modify a
smart contract after it has been deployed. A new logic can be deployed
to overcome such a situation, but the former will stay immutably in
the global ledger. Fighting bug coding can be done by investigation
of methods to detect vulnerabilities for improving the security; these
methods typically consist of analysing the code against a list of pre-
defined well-known vulnerability patterns. In this respect, different
techniques have appeared These are well summarized in [26] that sur-
veys smart contract code verification contributions. Other approaches
like [27] present the landscape of verification for blockchain applica-
tions but, once more, solely focused on software analysis techniques to
study the correctness of smart contract code. Nevertheless, such works
focus solely on formal analysis of source code, which is out of the scope
of our work.
2.4. Credential management and authentication
Our contribution does not address credential verification involv-
ing identity management, password authentication mechanisms (e.g.,
through smart card usage, etc.), or two-factor authentication schemes,
among others.
There is a long list of challenges in designing multi-factor authen-
tication schemes. Among these, [28] addresses real-time aspects of
cyber–physical systems by targeting wireless sensor networks for real-
time data access. It uses the imbalanced computational nature of the
RSA cryptosystem, and it is targeted to scenarios where sensor nodes
are energy bottlenecks.
Other authentication schemes like [29] develop quantum-attack
resistant approaches to smart-card password authentication schemes.
Also, privacy-preserving authentication schemes based on
blockchain technology have been developed like [30]. That work relies
on an elliptic curve to develop proper signature schemes; whereas the
blockchain is used to provide a more reliable service. However, the
overall scheme is proven in a fully simulated environment.
These are orthogonal domains with a substantial mass of prior
works. All of them concentrate on solving a particular and different
problem.
4
Journal of Systems Architecture 153 (2024) 103177
2.5. Summary and missing gap
As derived from the above arguments, and to the best of our
knowledge, there is a lack of contributions on ensuring smart contract
authenticity for complex systems like CPS. In this paper, we contribute
to a complementary yet different direction to the existing areas. We
target the need of distributed CPS cells to construct an efficient global
execution space that is trusted by all participants. For this, our solution
leverages block verifiers, global operation spaces for CPS and focuses
on the actual integration of mechanisms and strategies that improve
the security of the global system operation, where participants have
the guarantee that they are using purely authentic logic.
For this, we design VelogCPS framework that offers remote cells a
blockchain-based global operation space with built-in assurance about
the authenticity of the logic that is hosted and executed on the network.
This results in the overall security being improved. To meet the time-
sensitive expectations of cyber–physical systems, the resulting scheme
is validated over a real deployment, showing that the framework has a
timely behaviour and a controlled execution overhead.
3. System model
3.1. Overview and requirements
The target scenario is that of a complex cyber–physical system that
interconnects distributed cells, namely CPS cells, as illustrated in Fig. 1.
A cell is a full fledged system. Examples are a manufacturing premises,
i.e., a manufacturing cell within a globally connected system for a given
brand manufacturer; a railway station within a connected regional
railway system; or a hospital department of a larger hospital facilities,
among others.
All cells participate equally to the global system. They are inter-
connected and able to share data and operation logic. The operation
logic is the set of procedures that dictate how the system functions
to achieve its goals. For the sake of realization, the global operation
logic is broken down into a set of smaller, highly focused logic pieces.
Each piece is named logic. For example, the global operation logic may
be the management of the logistics of a car manufacturer across all
its sites around some geographical area. In this example, logic pieces
are the processes or algorithms to detect shortage of raw material, the
process to annotate that a new car or asset has been produced, or the
algorithm to determine the total amount to be paid to a given cell in
charge of supplying a particular asset to other cells. In summary,
cells are interconnected and participate in the system operation. Cells
can read and update the global space and the logic contained in it.
In cyber–physical systems, the execution time of their constituent
processes, operations, and functions is considered a key parameter. In
fact, the execution time of its functionality or processes determines
the correctness the system. Also, the security requirements over the
global space must be fulfilled. For this reason, the global operation
space must be a safe area and its content must be authentic. When
accessing the global operation space, cells will use solely authentic
logic, i.e., smart contracts that have been developed and deployed by
a legitimate participant and whose integrity has not been breached.
The logic hosted in the blockchain must be from a legitimate source,
i.e., from a participant cell.
To summarize, it follows the list of requirements:
Req1. The solution must target the complex and distributed nature of
cyber–physical systems, supporting individual cells with equal partici-
pation opportunities.
Req2. All cells are interconnected and share the global system’s opera-
tion logic. Cells may dynamically produce information as well as logic
that can be contributed to the global space. All cells may be able to
access the information and logic produced by other cells.
Req3. The solution must be a secure and fraud-preventive infrastruc-
ture. It must be possible to trace the hosted logic pieces to know which
cell (if any) has produced each piece.
M. García-Valls and A.M. Chirivella-Ciruelos
Fig. 1. Cyber-physical system overview, containing distributed cells.
Table 1
Initial notation.
Symbol Description
𝑙 A logic or smart contract stored in the distributed ledger
𝑐 Source code of logic 𝑙
𝑏 Bytecode produced by the compilation of 𝑐
𝑓 𝑐𝑜 Compilation function that generates a bytecode from a source code
𝑑 Deployment address of a given bytecode
𝑟 Request from a user willing to run a deployed logic or smart contract
𝑝 Request parameters to run a smart contract
Req4. The framework must provide a higher security scenario and
network that ensures that the logic contained in it is authentic. For this,
the deployment of logic to the global space, and execution of logic in
the global space, can only be done over authentic logic. Otherwise the
user cell should be notified of a security breach and will be prevented
from using it.
Req5. This requirement relates to the real-time characteristics of cyber–
physical systems; these are time-sensitive systems, such that their re-
sponse time affects their correct operation. It should be possible that
cells trade-off the security level of the network for the execution
overhead of utilizing the network. Consequently, any cell can decide
to obtain faster execution rates at the cost of less security in the
environment or viceversa. For this reason, the framework must be
flexible to support a partial downgrading to a less secure network level
when requested by cells. In our framework, higher security levels imply
additional overhead; whereas lower security levels are implemented by
faster framework operations.
3.2. Sample attack on deployed logic
The blockchain paradigm has revolutioned the way in which trusted
transactions take place. Precisely, it allows developers to automate the
execution of agreements without the intervention of intermediaries. All
nodes of the network can have immediate certainty about the outcome
of the transaction.
Smart contracts are the key concept lying at the heart of this tech-
nology. They are programs stored in the blockchain network (i.e., in
its global ledger) and run when certain specified conditions hold. The
global ledger is inmutable and contains the terms of the agreements.
Nevertheless, a number of attacks have been successfully performed
on this technology as exemplified in what follows. For the sake of
clarity, Table 1 advances part of the notation that will be introduced
in the following section.
5
Journal of Systems Architecture 153 (2024) 103177
Smart contract deployment. Let us imagine that a given logic 𝑙 is to
be uploaded to the blockchain network. Any logic 𝑙 is instantiated by
a particular source code 𝑐. The source code is, in turn, implemented
in some high-level language like Solidity. The source code has a cor-
responding bytecode version 𝑏 that is its executable version running in
the blockchain network. This association is expressed as 𝑙 = (𝑐, 𝑏).
In a blockchain network such as Ethereum, when a smart contract
code 𝑐 has to be deployed to the network, it should be first compiled.
Then, its corresponding bytecode 𝑏 is generated by a compilation
functionality, expressed here as 𝑏 = 𝑓 𝑐𝑜 (𝑐), being 𝑓 𝑐𝑜 the compilation
function. The logic of a smart contract can then be deployed in
the network (what is truly deployed is its associated bytecode 𝑏).
Precisely, deploying a smart contract 𝑐 to the network results in that
the blockchain infrastructure deploys its corresponding bytecode 𝑏 at
a given address 𝑑. As a result, any given source code is, by this
construction, univocally associated to a given deployment address 𝑑
where its associated bytecode 𝑏 is running. For this, we need to
enhance the logic specification as 𝑙 = (𝑐, 𝑏, 𝑑).
Attack scenario. It is now clear that a deployed contract source-code
𝑐 has a 1-to-1 relation to its derived bytecode 𝑏, and to its deployment
address 𝑑.
In this context, when a cell node 𝑘 wishes to execute a given logic,
it submits an invocation request 𝑟 containing, among other arguments,
the deployment address and the corresponding invocation parameters
𝑝, such that 𝑟 = (𝑑, 𝑝).
In this situation, a cyber criminal may have successfully attacked the
system by either manipulating the content of the smart contract address
in the advertisement dashboard; by uploading a malicious bytecode 𝑏′
such that 𝑏′ ≠ 𝑓 𝑐𝑜 (𝑐); or by manipulating the advertised source code of
the smart contract, among other possibilities. As result of a successful
attack, the code running on the blockchain network does not anymore
correspond to the expected contract bytecode 𝑏.
4. VelogCPS approach
This section describes the design of VelogCPS middleware frame-
work. The middleware manages the requests of the participant cell
nodes in order to ensure that these operate in a secure environment
in what concerns the authenticity of the logic and data hosted in the
blockchain network (i.e., in the global operation space). To clarify
our approach, the way in which smart contract verification works
is described first. Then, the system model and the used notation are
presented. Lastly, the software design of the middleware is presented.
M. García-Valls and A.M. Chirivella-Ciruelos
Fig. 2. Logic verification process in the blockchain: Verified SC vs non-verified.
4.1. Smart contract verification
Smart contract verification is the process that checks whether two
pieces of code are, in deed, the same code. Since a source code 𝑐 has its
equivalent compiled executable 𝑏, it must be checked that 𝑐 corresponds
exactly to 𝑏 when compiled; or viceversa, checking that 𝑏 generates 𝑐
when decompiled.
Fig. 2 shows the verification process of smart contracts. The top part
of the figure presents the steps to deployment of a non-verified smart
contract, starting from its source code 𝑐; whereas the bottom part shows
the verification process of a given smart contract source-code 𝑐 ′ .
Let us imagine that a cell node 𝑘 found source code 𝑐 ′ and wants
to use it; 𝑐 ′ is deployed in the network at address 𝑑 in the form of
executable 𝑏. If node 𝑘 needs assurance about the authenticity of 𝑐 ′ ,
then it should be checked that 𝑐 ′ is, in deed, the source code that
generated the bytecode that is running in the blockchain network,
namely 𝑏.
According to [31], smart contract verification is the process that
guarantees that the blockchain bytecode corresponds to a given high-
level language source code. It implies compiling the source code and
checking whether it matches the bytecode stored in the blockchain
network; or decompiling the bytecode and checking whether it is
exactly the same as the advertised source code. In essence, and as
described in Fig. 2, the verification process obtains the bytecode at
the specified deployment address; then, it decompiles the bytecode;
and lastly, it checks if it is exactly the same as 𝑐 ′ . If both match, the
verification is successful and it is guaranteed that 𝑐 = 𝑐 ′ . Then, node
𝑘 can rest assured that the smart contract is authentic: its origin and
provenance are legitimate ones and it has not been modified in any
sense.
The verification mechanism requires that some particular informa-
tion are provided to identically replicate the compilation process. Such
information is, among other, the version of the compiler and optimizer
(if the latter was also used), and constructor parameters, if needed.
4.2. Model and notation
The notation used in the description of the system model is shown
in Table 2, that enhances the initial one provided in Table 1.
A cyber–physical system can have multiple (𝑛) cells. Each cell 𝑖 has
a main server or gateway 𝑁𝑖 that contains the functionality that allows
its integration with the rest of cells that take part in the global system.
Each cell 𝑖 may develop a given number (𝑚𝑖 ) of logic pieces. The set
of all logic pieces of the cell is 𝐿𝑖 , such that 𝐿𝑖 = (𝑙𝑖,1 , 𝑙𝑖,2 , … , 𝑙𝑖,𝑚𝑖 ). As
a result, 𝑙𝑖,𝑗 is the 𝑗 𝑡ℎ logic developed by cell 𝑖. Each cell 𝑖 can deploy
a logic 𝑙𝑖,𝑗 that it previously developed to the global operation space
enabled.
In the blockchain, the logic pieces are realized by means of smart
contracts. The specification of a logic piece 𝑙𝑖,𝑗 is now enhanced and
6
Journal of Systems Architecture 153 (2024) 103177
Table 2
Notation.
Symbol Description
𝑙𝑖,𝑗 𝑗 𝑡ℎ logic (or smart contract) produced by cell 𝑖
𝐿𝑖 Set of logic pieces developed by cell 𝑖
𝑐𝑖,𝑗 Source code corresponding to 𝑙𝑖,𝑗
𝑏𝑖,𝑗 Bytecode corresponding to 𝑙𝑖,𝑗
𝑝𝑖,𝑗 Set of feasible invocation parameters for logic 𝑙𝑖,𝑗
𝑢𝑖,𝑗 Indication of whether it is a verified contract
𝑓 𝑐𝑜 Compilation function to generate 𝑏𝑖,𝑗 from 𝑐𝑖,𝑗
𝑁𝑖 Main node of cell 𝑖 that is a participant of the global system
expressed with the following components 𝑙𝑖,𝑗 = (𝑐𝑖,𝑗 , 𝑏𝑖,𝑗 , 𝑑𝑖,𝑗 , 𝑢𝑖,𝑗 ) such
that 𝑐𝑖,𝑗 is the source code; 𝑏𝑖,𝑗 is the executable code or bytecode;
𝑑𝑖,𝑗 is the address associated to 𝑏𝑖,𝑗 upon its deployment; and 𝑢𝑖,𝑗 is
a boolean value expressing whether the logic is verified or not. If the
logic is verified, it means that the code has been compiled, deployed to
the blockchain, and it has undergone a successful verification process
afterwards that guarantees its legitimate provenance.
Any cell 𝑘 can utilize and/or access any logic 𝑙𝑖,𝑗 . For this, the
node elaborates a request containing the deployment address 𝑑𝑖,𝑗 of the
desired bytecode. Optionally, the request may also include additional
invocation parameters 𝑝𝑟 such that 𝑝𝑟 ∈ 𝑝𝑖,𝑗 . Thus, a request or
invocation to execute a given logic 𝑙𝑖,𝑗 in the blockchain is described
as (𝑑𝑖,𝑗 , 𝑝𝑟 , 𝑣) where 𝑝𝑟 is the parameter (sub)set of the 𝑟𝑡ℎ invocation
triggered by cell 𝑘. Parameter 𝑣 is a boolean value, expressing whether
the logic should be a verified one or not. E.g., if 𝑣 is true, then the code
running at address 𝑑𝑖,𝑗 will only be executed if such code is verified.
It is possible that a node 𝑘 elaborates requests with different authen-
ticity requirements with respect to the logic 𝑙𝑖,𝑗 that it wants to use.
For this, node 𝑘 indicates the verification requirements of each request
by setting parameter 𝑣 to a proper value. A value true indicates that
the invocation has a high authenticity assurance requirement, so that
the invocation will only take place if the logic is previously successfully
verified. A false value for parameter 𝑣 indicates that there is no need
to check the authenticity of the logic.
Once a logic has been deployed as a verified contract, the middle-
ware stores it in its internal Sealed DB. This data base contains all logic
pieces deployed to the blockchain that have been previously verified.
This system model is enabled through VelogCPS middleware (see
Fig. 3), that follows a component-based software design and the prin-
ciples of separation of concerns. VelogCPS supports the creation of
the global operation space as well as its controlled execution flow to
guarantee the usage of a secure environment in what concerns smart
contract authenticity. The middleware interconnects the cells of the
cyber–physical system to the global space, allowing them to verify
logic, deploy it, invoke the execution of deployed logic, and filter its
execution depending on its authenticity assurance parameters (i.e., of
its required network security level).
M. García-Valls and A.M. Chirivella-Ciruelos
Fig. 3. Design of VelogCPS.
The main components of the middleware framework are described
below:
• ICell. This component (Interface to Cells) intercepts the requests
from cell nodes, providing them with the following interfac-
ing functions: verify_auth, deploy_ver, deploy, exec,
exec_ver, and look_up. They are described later in detail.
This component performs the initial check on the request format
and accompanying parameters provided by the nodes.
• Pacer. This is the core component responsible for controlling
the operation flow within the middleware processes. Upon in-
terception of a request by the ICell component, it forwards the
request parameters to the Pacer. After analysing the request type,
the appropriate workflow is initiated. Deployment requests are
eventually handed over to the Deployer component (and Verifier,
if needed). The execution of a logic is eventually passed to the
Executor component; and verification requests are passed to the
Verifier component. When the components finish their operation,
they provide the response back to the Pacer that prepares a re-
sponse to the cell node reflecting the final outcome of its request.
The answer is circulated back to the user cell through the ICell
component.
• Deployer. This component is responsible for deploying smart con-
tract logic to the blockchain network. It accesses the distributed
ledger and generates a transaction that ends with the logic being
sent and stored in the global ledger.
• Sealed DB Interface. The middleware has a database (namely
Sealed DB) that stores the smart contracts that have already been
successfully verified in the system.
• Verifier. The functionality of the Verifier component is shown
in Fig. 2. This component receives a verification request over a
particular smart contract source code to be compared against a
running logic. It compiles the code to generate a bytecode and
compares it to the running code with decompilation. The Verifier
makes use of the Sealed DB to store a logic when it is verified.
Additionally, this could be interfaced to an external global block
verification engine.
• Executor. This component receives requests to execute a given
logic. It performs the actual invocation to the running bytecode
on the blockchain.
7
Journal of Systems Architecture 153 (2024) 103177
Fig. 4. Overview of interactions across the middleware components.
• Deployer. This component contains the needed functionality to
carry out the deployment of bytecode-form logic to the blockchain
network.
• Dashboard. The middleware uses this component to make visible
the available logic pieces to participating cells. A cell interested
in using some logic will look into the Dashboard so that the cell
can analyse the code and determine if the functionality provided
by the logic is of interest. If so, it will be able to use it by invoking
the functions that such logic offers.
4.3. Middleware functionality
The innerworkings of the middleware are explained here through
the needed algorithms that illustrate its rationale and procedures. Fig. 4
shows the overall behaviour.
Let us imagine the initial situation in which a generic cell node
𝑘 comes across some logic 𝑙𝑖,𝑗 that is advertised in the global space.
Finding a given logic is facilitated by the middleware through the
look_up function provided by the ICell component; this function
triggers a read in the system dashboard where logic is advertised. An
example of logic may be a mechanism to reassign resources among its
local nodes or a discount strategy for asset negotiation. The cell node
checks the source code 𝑐𝑖,𝑗 that corresponds to such a logic, analyses
its functionality, and decides that it wants to use it.
Algorithm 1 shows the process to verify any given logic. This func-
tionality is provided by the middleware as function verify_auth.
The algorithm is executed upon a request with parameters (𝑐𝑖,𝑗 , 𝑝𝑟 ). The
middleware intercepts this invocation request in its ICell component,
and starts the process to ensure that this logic is authentic. First, it
is important to remcall an inherent characteristic of smart contract
verification: For a logic to be verified, it should have been first deployed
to the network at a given address 𝑑𝑖,𝑗 (its deployment address).
After an initial check over the validity of the provided parameters
𝑝𝑖,𝑗 , it is necessary to determine: (a) if the smart contract 𝑐𝑖,𝑗 has already
been deployed to the blockchain network (i.e., it is already running
in some nodes); and (b) if such logic has a verification seal (i.e., it is
stored in the Sealed DB). Algorithm 1 will result in an attempt to verify
source code 𝑐𝑖,𝑗 if it has not already been verified nor deployed. If 𝑐𝑖,𝑗
is successfully verified, then the algorithm will return a success code
as boolean value true. If the smart contract cannot be verified, then
an authenticity problem is detected and a boolean value false will be
M. García-Valls and A.M. Chirivella-Ciruelos Journal of Systems Architecture 153 (2024) 103177

Algorithm 1 Verify authenticity of a logic 𝑐𝑖,𝑗 : function verify_auth contract is stored in the array of verified logic 𝑐𝑣𝑠𝑡𝑜𝑟𝑒 that maps
Require: ICell receives request 𝑟 = (𝑐𝑖,𝑗 , 𝑝𝑟 ) the content of the Sealed DB component. In this case, function
1: if 𝑝𝑟 ∉ 𝑝𝑖,𝑗 then return error ⊳ Request format problem deploy_ver returns true as an indication that source code 𝑐𝑖,𝑗
2: else deployed at address 𝑏𝑖,𝑗 is authentic, meaning that it is a verified
3: 𝑖←0 smart contract. However, if function match would return value
4: 𝑣𝑒𝑟𝑖𝑓 𝑖𝑒𝑑 ← false false, then it means that a problem was detected such that 𝑐𝑖,𝑗
5: 𝑑𝑖,𝑗 ← get_deploy_addr(𝑐𝑖,𝑗 ) ⊳ If logic not deployed, cannot deployed at address 𝑏𝑖,𝑗 could not pass the verification. As a result,
check the smart contract is not a verified one.
6: if 𝑑𝑖,𝑗 == null then ⊳ Not yet deployed; deploy & check • The logic is already deployed. In this situation (starting at line 20),
7: 𝑏𝑖,𝑗 ← compile(𝑐𝑖,𝑗 , 𝑝𝑟 ) the logic is checked to see if it was also previously verified by find-
8: 𝑑𝑖,𝑗 ← deploy(𝑏𝑖,𝑗 , 𝑝𝑟 ) ing it in the Sealed DB component of the middleware. Algorithm
9: 𝑏′𝑖,𝑗 ← get_bcode(𝑑𝑖,𝑗 ) 1 illustrates this search as an iteration on the verified contracts
10: 𝑐𝑑 ← decompile(𝑏′𝑖,𝑗 , 𝑝𝑟 ) 𝑐𝑣𝑠𝑡𝑜𝑟𝑒 that corresponds to the sealed data base component.
11: 𝑟𝑒𝑠𝑝 ← match(𝑐𝑖,𝑗 , 𝑐𝑑) If the logic is not in the Sealed DB, it means that it is not verified
12: if 𝑟𝑒𝑠𝑝 == true then ⊳ Verification success, store in DB although it is already deployed. Then, the logic undergoes a
13: 𝑞 ←length(cvstore) verification process as illustrated in lines 27 through 38.
14: cvstore[𝑞] ← 𝑑𝑖,𝑗
15: 𝑢𝑖,𝑗 ← true Algorithm 2 shows how the middleware handles the request from a
16: return 𝑟𝑒𝑠𝑝 ⊳ Return OK: deployed & verified generic node 𝑘 to run a piece of logic. The source code of logic pieces
17: else is visible to the cell nodes; and this also includes their internal coding,
18: return error ⊳ Authenticity problem detected function declarations, and function code. Then, any cell node can
19: end if decide which function (and with what parameters) it wants to invoke.
20: else ⊳ If logic is deployed, look first in sealed DB In this context, when a cell node 𝑘 finds an advertised logic 𝑐𝑖,𝑗 that
21: while 𝑖 <length(𝑐𝑣𝑠𝑡𝑜𝑟𝑒) and 𝑣𝑒𝑟𝑖𝑓 𝑖𝑒𝑑 == 𝑓 𝑎𝑙𝑠𝑒 do it wants to use, the node may trigger a request to execute it. This
22: if 𝑐𝑣𝑠𝑡𝑜𝑟𝑒[𝑖] == 𝑑𝑖,𝑗 then implies that node 𝑘 can invoke the execution of any of the externally
23: 𝑣𝑒𝑟𝑖𝑓 𝑖𝑒𝑑 ← true visible functions.
24: end if In the request, node 𝑘 may include not only the function reference
25: 𝑖←𝑖+1 but also any other invocation parameters as expressed in 𝑝𝑟 . Then, the
26: end while request of node 𝑘 has the form 𝑟 = (𝑑𝑖,𝑗 , 𝑐𝑖,𝑗 , 𝑝𝑟 , 𝑣) that contains the logic
27: if 𝑣𝑒𝑟𝑖𝑓 𝑖𝑒𝑑 == false then ⊳ Deployed but not in DB, verify address, the invocation parameters, and a boolean value 𝑣. Parameter
28: 𝑏𝑖,𝑗 ← get_bcode(𝑑𝑖,𝑗 ) 𝑣 expresses whether the logic should be a verified one or not. That is, if
29: 𝑐𝑑 ← decompile(𝑏𝑖,𝑗 , 𝑝𝑟 ) 𝑣 is true, then the code running at address 𝑑𝑖,𝑗 will only be executed if
30: 𝑟𝑒𝑠𝑝 ← match(𝑐𝑖,𝑗 , 𝑐𝑑)
it has been verified, i.e., if it has a verification seal. By the same token,
31: if 𝑟𝑒𝑠𝑝 == true then ⊳ Verification success, store in DB
if 𝑣 is false, the logic can be executed in a straightforward manner,
32: 𝑞 ←length(cvstore)
i.e., without checking a priori if the logic running at 𝑑𝑖,𝑗 is a verified
33: cvstore[𝑞] ← 𝑑𝑖,𝑗
one or not.
34: 𝑢𝑖,𝑗 ← true
It should be noted that to verify the authenticity of a given contract,
35: return 𝑟𝑒𝑠𝑝 ⊳ Return OK: verified
the source code should be passed together with the deployment address.
36: else
37: return error ⊳ Authenticity problem detected Verification will check that there is no attack that has changed the
38: end if running executable nor the advertised source code. This is done by
39: else function verify_auth explained in Algorithm 1.
40: return true ⊳ Return OK: deployed & verified Algorithm 3 illustrates the deployment process carried out by
41: end if the middleware when triggered by the reception of an invocation to
42: end if function deploy_ver. The middleware supports functions deploy
43: end if and deploy_ver. The only difference between them is their verifi-
cation awareness. Function deploy deploys any bytecode logic to the
blockchain; whereas deploy_ver deploys with authenticity aware-
ness. The latter checks if the logic has not been previously verified. If
returned. Function get_deploy_addr(𝑐𝑖,𝑗 ) (shown in line 5) is used
not verified yet, it is first verified inside deploy_ver function.
that returns the deployment address of the running bytecode or null if
Precisely, Algorithm 3 shows the verification-aware process, as in-
it has not yet been deployed.
dicated by the boolean parameter 𝑣. The algorithm receives parameters
From this moment on, one of the following situations may be
𝑐𝑖,𝑗 that is the logic source-code to be deployed; and 𝑝𝑟 or set of
encountered:
parameters for the deployment operation.
• The logic is not yet deployed. In this case, the logic is first compiled In this process, the compilation of 𝑐𝑖,𝑗 is performed with the com-
(function compile) to obtain the corresponding bytecode. After, pile function. The compilation parameters are passed in 𝑝𝑟 . Then, the
it is deployed to the infrastructure ( with function deploy). Once process checks for the verification requirement 𝑣. If the deployment
deployed, the logic can be verified. For this, the bytecode of the needs to be done for a verified logic, then function verify_auth
running logic is again retrieved with function get_bcode of line is invoked. The latter continues the process as indicated in Algorithm
9. Then, the decompilation is done ( with function decompile) 1. If verify_auth returns an error, it means that an authenticity
using the same compilation parameters 𝑝𝑟 , e.g., compiler and problem was encountered, so the deployment does not proceed further
optimizer versions should be used. The running code is authentic and propagates this notification to the requesting cell node.
if the original source code and the source code coming from the In case that the deployment does not require to work with verified
decompilation of the running code are the same. The latter is logic (𝑣 is false), then this function downgrades to a less strict security
checked with function match. Once matched, the verified smart level by performing a simple deployment using function deploy.

8
M. García-Valls and A.M. Chirivella-Ciruelos Journal of Systems Architecture 153 (2024) 103177

Algorithm 2 Execute logic: function exec_ver operation added to the heavy operations of the blockchain such as
the consensus protocol; the time required to deploy logic to the global
Require: 𝑁𝑘 requests to run 𝑙𝑖,𝑗 with request 𝑟 ← (𝑑𝑖,𝑗 , 𝑐𝑖,𝑗 , 𝑝𝑟 , 𝑣)
space; and the time taken to execute a logic in the distributed ledger
1: 𝑟 ← (𝑑𝑖,𝑗 , 𝑝𝑟 , 𝑣)
triggered by a requesting cell node.
2: if 𝑣 == false then
3: execute(𝑟) ⊳ Run standard logic
5.1. Experimental setting
4: else
5: 𝑖←0
The experimental setting reproduces a global system at a reduced
6: 𝑣𝑒𝑟𝑖𝑓 𝑖𝑒𝑑 ← false
scale containing cell nodes and an actual implementation of VelogCPS
7: while 𝑖 <length(𝑐𝑣𝑠𝑡𝑜𝑟𝑒) and 𝑣𝑒𝑟𝑖𝑓 𝑖𝑒𝑑 == 𝑓 𝑎𝑙𝑠𝑒 do
with its constituent components. The cells run on actual hardware
8: if 𝑐𝑣𝑠𝑡𝑜𝑟𝑒[𝑖] == 𝑑𝑖,𝑗 then
equipment to collect realistic measurements. Experiments are carried
9: 𝑣𝑒𝑟𝑖𝑓 𝑖𝑒𝑑 ← true
out with cell node logic running on Intel i9 13900, with 36MB LGA, 24
10: end if
cores, 32 logical cores, 32 GB RAM, and running at 2 GHz. Acceleration
11: 𝑖←𝑖+1
is achieved with NVIDIA GeForce GTX 1650 with 896 cores in CUDA.
12: end while
Cell nodes are connected to a blockchain network with Polygon [32]
13: if 𝑣𝑒𝑟𝑖𝑓 𝑖𝑒𝑑 == 𝑡𝑟𝑢𝑒 then
technology. Each cell node runs a blockchain client that is geth version
14: execute(𝑟) ⊳ Logic is verified: run it
1.11.5-stable-a38f4108 virtual machine software. Logic is implemented
15: else ⊳ Logic is not verified: verify before running
solely in Solidity with compiler version 0.8.18+commit.87f61d96 in
16: 𝑏𝑖,𝑗 ← get_bcode(𝑑𝑖,𝑗 )
the Deployer component.
17: 𝑐𝑑 ← decompile(𝑏𝑖,𝑗 , 𝑝𝑟 )
18: 𝑟𝑒𝑠𝑝 ← match(𝑐𝑖,𝑗 , 𝑐𝑑)
5.2. Results
19: if 𝑟𝑒𝑠𝑝 == true then ⊳ Logic is verified: store and run
20: 𝑞 ←length(cvstore)
A set of exhaustive experiments have been performed to validate our
21: cvstore[𝑞] ← 𝑑𝑖,𝑗
solution on the basis of an actual implementation of the middleware
22: 𝑢𝑖,𝑗 ← true ⊳ Just verified
framework. We provide a feasibility validation and a determination
23: execute(𝑟)
of the framework overhead that proves its applicability in the context
24: else
of time-sensitive systems. The obtained temporal cost show s the
25: return error ⊳ Authenticity problem detected
overhead of the process of providing a safe execution environment
26: end if
in the global operation space.
27: end if
Determination of the logic deployment overhead. The first ex-
28: end if
periments present the overhead of the authenticity assurance support
offered by the middleware. Precisely, Fig. 5 compiles the time taken
Algorithm 3 Deployment of logic: function deploy_ver to deploy logic pieces to the global space for the relevant situations.
The first situation concerns exclusively the bare deployment of a logic.
Require: Node 𝑖 issues deployment request 𝑟 ← (𝑐𝑖,𝑗 , 𝑝𝑟 , 𝑣)
Second situation corresponds to a full deployment of a logic. Lastly, the
1: if 𝑣 ==true then
third situation concerns the full deployment of verified logic. To ease
2: if verify_auth(𝑐𝑖,𝑗 , 𝑝𝑟 ) == true then
their comparison, the temporal profiling for each situation is provided
3: return true ⊳ Verified deployment OK
in one column. Table 6 summarizes the temporal results for this set of
4: else
experiments.
5: return error ⊳ Authenticity problem detected
Fig. 5(a) illustrates the first situation and plots the delay experi-
6: end if
enced by requesting nodes upon logic deployment. The experiment
7: else
measures the time taken by the communication from the cell node to
8: 𝑏𝑖,𝑗 ←deploy(𝑐𝑖,𝑗 , 𝑝𝑟 )
the blockchain where it deploys a given logic. This is the base situation
9: if 𝑏𝑖,𝑗 == null then
corresponding to the bare deployment time of logic without waiting for
10: return error ⊳ Deployment error
the completion of the consensus protocol. At such a point in time, there
11: else
is not a full assurance over the eventual annotation of the logic in the
12: return true ⊳ Deployment OK
distributed global ledger. We instrumented the experiments to collect
13: end if
the bare deployment time. This serves as a comparison basis because
14: end if
we are not sure that the block containing the logic has been validated
yet by the peer nodes. As a result, the logic cannot be accounted as a
full deployment since, in some situation, it could happen that the peer
5. Validation nodes do not validate the corresponding deployment transaction.
The temporal overhead of full deployment of the logic is presented
This section describes the validation of VelogCPS framework. The in Fig. 5(b). The temporal measurements include the time taken by
validation is based on the possibility of its realization and on the deter- the blockchain infrastructure to reach consensus. Consensus is reached
mination of the actual overhead as being appropriate for time-sensitive when receiving the acknowledgement of peer nodes confirming the
domains. Precisely, the questions answered in the validation are the correctness of the mined block that stores the deployed logic. As a
following. Firstly, is it feasible to realize an intermediation framework result, this figure shows the overhead of the full deployment of logic
in practice that provides a global operation space with assurance over to the global space because it includes the confirmation from peer
the authenticity of the hosted logic? Secondly, is it possible to provide nodes that the logic has been properly deployed and propagated in the
such an assurance to the participant cell nodes in an online manner and network. On the one hand, it is observed the high cost of consensus in
transparently? In the third place, is the framework suitable for time- public networks reaching 1000𝑥 with respect to the bare deployment.
sensitive domains? For the latter, we determine its temporal behaviour This measure can be reduced in private and hybrid networks; although
and incurred overhead. In the validation, the temporal overhead is these do not constitute a worst-case scenario. On the other hand, it is
analysed for different situations and middleware operations: commu- observed that the mean time of full deployment is 24.307 s. This time is
nication from the cell nodes to public blockchain; the middleware below the minute range which is appropriate for time-sensitive systems

9
M. García-Valls and A.M. Chirivella-Ciruelos Journal of Systems Architecture 153 (2024) 103177

Fig. 5. Deployment overhead — scenario with unverified logic (execution time in s).

with soft real-time requirements and quality of service management. Table 3

Overhead of deployment of verified logic (in seconds): Summary of Fig. 5.
This is the case of many types of cyber–physical systems present in,
Value Bare deploy. Full deploy. Highest assurance
e.g., smart cities.
Mean 2.483 24.307 27.133
Fig. 5(c) shows the deployment cost with verification, i.e., the
Median 2.461 23.233 27.929
verification-aware deployment. In this case, after the deployment has Max 3.482 39.372 36.715
been fully finished (which includes the completion of the consensus), Min 2.261 19.236 0.656
the logic is guaranteed to be verified. The middleware verifier uses
Polygonscan functionality. As this is the highest assurance level offered
by the middleware, it exhibits a higher overhead than for the previous
Determination of the overhead of the access to verified logic.
scenarios. The middleware uses a Polygon network with a PoS [33] con-
Fig. 6 shows the execution time of the for the case of logic that is
sensus protocol. This consensus mechanism yields a reduced temporal
already verified. It can be observed that the cost–benefit of using
cost and more efficient resource consumption to perform exhaustive
transaction execution in the blockchain network. Still, the authenticity VelogCPS to access verified logic is excellent after the first deployment
guarantee has a cost for the first verification of the logic. Nevertheless, and verification of such a logic. In this situation, the cell requests
as verification of a given logic is a one hop process, this cost pays off to access a given logic are managed by middleware by consulting
in a short utilization term in favour of a guarantee over attacks to the the Sealed DB component. This component has been developed with
logic authenticity. Table 3 summarizes the execution time overhead of MongoDB technology. The temporal overhead is reduced to an average
the different analysed deployment types. value of 39 ms with a median of 17 ms (see Table 4).

10
M. García-Valls and A.M. Chirivella-Ciruelos Journal of Systems Architecture 153 (2024) 103177

Fig. 6. Deployment overhead — scenario with verified logic (execution time in s).

Fig. 7. Verification process overhead (execution time in s).

11
M. García-Valls and A.M. Chirivella-Ciruelos Journal of Systems Architecture 153 (2024) 103177

Fig. 8. Overhead of logic execution (time in s).

Table 4 Table 5
Overhead summary (in seconds) for deployment Overhead summary of verification process of Fig. 7.
results of Fig. 6. Column Unverified logic Verified logic
Value Time
Mean 5.896 0.038
Mean 0.039 Median 6.606 0.016
Median 0.017 Max 9.718 0.671
Max 0.672 Min 3.352 0.012
Min 0.013

already deployed and verified. In the first case, the verification is

Determination of the overhead of the verification process. The
performance of the verification process is shown in Fig. 7 for the
relevant scenarios. It is also summarized in Table 5. Fig. 7(a) shows the
cost of verification over logic that is already deployed in the network
but not previously verified. In this scenario, the logic has to be verified
so it is needed to make a service request to the network block verifier
and a wait for its response. It is observed that an overhead of 5.896 s
is obtained which is appropriate for a wide range of time-sensitive
systems. Fig. 7(b) presents the cost of verification for logic that is
performed directly by the Verifier component that has a built-in bridge
to the blockchain network verifier. The advantage of using VelogCPS
in the second scenario is evidenced because it translates to a read
operation or query over the Sealed DB component. The latter shows very
fast response times in the order of 0.645% in average with respect to
the previous scenarios.
Determination of the overhead of executing logic in the global
space. The last set of experiments analyse the performance of the

12
M. García-Valls and A.M. Chirivella-Ciruelos
Table 6
Summary for logic execution process shown in Fig. 8.
Column No verif. Verification Verification
(unverified logic) (verified logic)
Mean 0.331 7.880 0.387
Median 0.331 7.028 0.363
Max 0.364 16.474 1.076
Min 0.309 3.784 0.347
process of executing of a given logic in the global operation space.
In this case, VelogCPS intermediates the invocation of cells to execute
functions of smart contract logic that is running in the blockchain
network. Fig. 8 shows the obtained results for different relevant
scenarios. Firstly, for the case when the logic is already deployed
shown in Fig. 8(a). Secondly, for when the logic is deployed but not
verified that is shown in Fig. 8(b). In the third place, it shows the
overhead of the framework in situations when the logic is deployed
and verified as shown in 8(c).
In the first scenario, only the execution time of the logic in the
blockchain is measured. We see that the temporal cost is quite efficient
compared to the rest of values, with a mean of 331 ms, with a reduction
of 23× as compared to the less favourable scenario.
Fig. 8(b) shows that the verification cost is in the order of a few
seconds around a mean value of 7 s. Nevertheless, this overhead comes
at the benefit of providing the highest assurance and certainty about
the authenticity of the logic after its verification.
In the third scenario presented in Fig. 8(c), it can be observed that
the benefit of using VelogCPS that is highest after the first verification
of the logic has been performed. After this initial invocation, the
overhead of the execution becomes comparable to that of executing an
unverified logic. As a matter of fact, times are kept near to constant
around the average value of 387 ms, with a mean value of 363 ms, that
proves the stability in the middleware operation.
6. Conclusions
This paper has presented the design of a framework to support
the safe interaction of connected cells in cyber–physical systems. The
solution relies on a model of shared logic, enabled by blockchain
technology and managed by a middleware. The intermediation of the
middleware guarantees cells to use solely authentic logic in the global
operation space. This is done by including the usage of on-the-fly
verification supported by block verifier services.
The solution offers the possibility of exchanging performance and
service cost by the security over the authenticity of the used logic.
This has been shown empirically in the validation. It has been proved
that the middleware is suitable to provide a safe execution scenario for
connected cells, guaranteeing that the logic in such a space is verified
or reporting the authenticity risk to the user cells. It has been evidenced
that the highest cost is achieved for the highest assurance levels when
deploying logic. Also, it has been shown that this high cost is mostly
influenced by the consensus mechanisms of the blockchain network.
The verification of the logic lies in the range of few seconds (in the
order of 7 for the worst case scenarios). This has been shown to pay
off as it is associated to the initial verification, creating right after an
efficient execution scenario where authentic logic is guaranteed to be
used.
CRediT authorship contribution statement
Marisol García-Valls: Writing – review & editing, Writing – orig-
inal draft, Validation, Supervision, Software, Resources, Project ad-
ministration, Methodology, Investigation, Funding acquisition, Formal
analysis, Conceptualization. Alejandro M. Chirivella-Ciruelos: Vali-
dation, Software, Methodology, Data curation.
13
Journal of Systems Architecture 153 (2024) 103177
Declaration of competing interest
The authors declare that they have no known competing finan-
cial interests or personal relationships that could have appeared to
influence the work reported in this paper.
Data availability
The authors do not have permission to share data.
Acknowledgements
This research was funded by project ‘‘Design of services for resilient
and real-time execution of social dispersed computing applications in cy-
ber–physical domains’’ funded by Generalitat Valenciana (Conselleria de
Innovación, Universidades, Ciencia 𝑦 Sociedad Digital), Spain, under
Grant No. AICO/2021/138; and by project ‘‘Evolution of the radio access
network towards 6G for massive and low-latency services’’ funded by
ERDF A way of making Europe and Ministerio de Ciencia, Innovación
y Universidades of Spain MCIN/AEI/10.13039/501100011033 under
Grant no. PID2021-123168NB-I00.
References
[1] S. Ølnes, J. Ubacht, M. Janssen, Blockchain in government: Benefits and
implications of distributed ledger technology for information sharing, Gov. Inf.
Q. 34 (3) (2017) 355–364.
[2] L. Tseng, X. Yao, S. Otoum, M. Aloqaily, Y. Jararweh, Blockchain-based database
in an IoT environment: Challenges, opportunities, and analysis, 23, 2020, pp.
2151–2165.
[3] T. Hyla, J. Pejaś, eHealth integrity model based on permissioned blockchain,
Future Internet 11 (3) (2019) 76.
[4] V. Merlo, G. Pio, F. Giusto, M. Bilancia, On the exploitation of the blockchain
technology in the healthcare sector: A systematic review, Expert Syst. Appl. 213
(2023) 118897.
[5] H.R. Rewatkar, D. Agarwal, A. Khandelwal, S. Upadhyay, Decentralized voting
application using blockchain, in: 2021 10th IEEE International Conference on
Communication Systems and Network Technologies, CSNT, 2021, pp. 735–739.
[6] M. von Rosing, S. White, F. Cummins, H. de Man, Business Process Model
and notation—BPMN, in: M. von Rosing, A.-W. Scheer, H. von Scheel (Eds.),
The Complete Business Process Handbook, Morgan Kaufmann, Boston, 2015, pp.
433–457.
[7] M. Gómez Gélvez, Explaining the DAO exploit for beginners in Solidity, 2016,
Last accessed June 2023.
[8] Worldcoin, What’s Ethereum 2.0. A complete guide, 2023.
[9] S. Palladino, The Parity Wallet Hack explained, 2017, Last accessed June 2023.
[10] M. García-Valls, A.M. Chirivella-Ciruelos, Provenance verification of smart con-
tracts: Analysing the cost of ensuring authenticity over the logic hosted in
blockchain networks, Information 15 (1) (2024).
[11] Hyperledger fabric, 2023, Last accessed May 2023.
[12] Q. Lin, H. Wang, X. Pei, J. Wang, Food safety traceability system based on
blockchain and EPCISd, IEEE Access 7 (2019) 20698–20707.
[13] M. García-Valls, A.M. Chirivella-Ciruelos, CoTwin: Collaborative improvement of
digital twins enabled by blockchain, Future Gener. Comput. Syst. 157 (2024)
408–421.
[14] G. Malik, K. Parasrampuria, S.P. Reddy, S. Shah, Blockchain based identity ver-
ification model, in: 2019 International Conference on Vision Towards Emerging
Trends in Communication and Networking, ViTECoN, 2019, pp. 1–6.
[15] H. Gaikwad, N. D’Souza, R. Gupta, A.K. Tripathy, A blockchain-based verification
system for academic certificates, in: 2021 International Conference on System,
Computation, Automation and Networking, ICSCAN, 2021, pp. 1–6.
[16] R.S. Lamkoti, D. Maji, H. Shetty, B. Gondhalekar, Certificate verification using
blockchain and generation of transcript, Int. J. Eng. Res. Technol. 10 (2021).
[17] A.Y. Bykovsky, N.A. Vasiliev, Data verification in the agent, combining
blockchain and quantum keys by means of multiple-valued logic, Appl. Syst.
Innov. 6 (2) (2023).
[18] T.K. Agrawal, V. Kumar, R. Pal, L. Wang, Y. Chen, Blockchain-based framework
for supply chain traceability: A case example of textile and clothing industry,
Comput. Ind. Eng. 154 (2021) 107130.
[19] Tenderly, 2023, Last accessed on June 2023.
[20] Sourcify.eth, 2023, Last accessed on June 2023.
[21] Verifying a smart contract, 2024, Last accessed on January 2024.
[22] Etherscan, 2023, Last accessed on June 2023.
[23] P. Ma, N. He, Y. Huang, H. Wang, X. Luo, Abusing the Ethereum smart contract
verification services for fun and profit, 2023, CoRR, abs/2307.00549.
M. García-Valls and A.M. Chirivella-Ciruelos
[24] A.M. Chirivella-Ciruelos, M. García-Valls, Automating the verification of smart
contracts in blockchain networks for improving security, in: 2023 49th Euromicro
Conference on Software Engineering and Advanced Applications, SEAA, 2023.
[25] H. network, Ethereum Development Environment for professionals, 2023, Last
accessed on June 2023.
[26] M. Almakhour, L. Sliman, A.E. Samhat, A. Mellouk, Verification of smart
contracts: A survey, Pervasive Mob. Comput. 67 (2020) 101227.
[27] D. Marijan, C. Lal, Blockchain verification and validation: Techniques, challenges,
and research directions, Comp. Sci. Rev. 45 (2022) 100492.
[28] D. Wang, P. Wang, C. Wang, Efficient multi-factor user authentication protocol
with forward secrecy for real-time data access in WSNs, ACM Trans. Cyber-Phys.
Syst. 4 (3) (2020).
14
Journal of Systems Architecture 153 (2024) 103177
[29] Q. Wang, D. Wang, C. Cheng, D. He, Quantum2FA: Efficient quantum-resistant
two-factor authentication scheme for mobile devices, IEEE Trans. Dependable
Secure Comput. 20 (1) (2023) 193–208.
[30] Q. Mei, H. Xiong, Y.-C. Chen, C.-M. Chen, Blockchain-enabled privacy-preserving
authentication mechanism for transportation CPS with cloud-edge computing,
IEEE Trans. Eng. Manage. (2022) 1–12.
[31] S. Marx, Verifying contract source code, 2018, Last accessed June 2023.
[32] Matic RPC – Polygonscan Mumbai, 2023, Last accessed June 2023.
[33] H. Dou, L. Yin, Y. Lu, J. Xu, A probabilistic Proof-of-Stake protocol with fast
confirmation, J. Inf. Secur. Appl. 68 (2022) 103268.